Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bitsize of the MAC output of blake3 #396

Open
elichai opened this issue May 28, 2024 · 0 comments
Open

Bitsize of the MAC output of blake3 #396

elichai opened this issue May 28, 2024 · 0 comments
Labels
question Further information is requested

Comments

@elichai
Copy link
Contributor

elichai commented May 28, 2024
edited
Loading

The crate provides https://docs.rs/blake3/latest/blake3/fn.keyed_hash.html as a MAC function, which returns 256 bits.
while:

  • siphash is considered a somewhat secure MAC, even though outputting 64 bits.
  • The HMAC RFC(2104) says:

5. Truncated output
A well-known practice with message authentication codes is to
truncate the output of the MAC and output only part of the bits
..... We recommend that
the output length t be not less than half the length of the hash
output (to match the birthday attack bound) and not less than 80 bits
(a suitable lower bound on the number of bits that need to be
predicted by an attacker).

So, is 256 bits necessary under the MAC security game? (where the attacker doesn't know the key, so he needs to attack not not blake3 but all family of blake3_key, so it sounds like some birthday attack between key space and output space) but I'm really not a crypt-analyst :)
@BurningEnlightenment BurningEnlightenment added the question Further information is requested label Jul 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elichai @BurningEnlightenment