Replacing SHA-2 with SHA-3 enhances generic security of HMAC

Abstract

In this paper, we study the MAC-and the PRF-security of HMAC in the sense of generic security when replacing SHA-2 with SHA-3. We first consider the generic security of the SHA-3-based HMAC construction: Sponge-based HMAC. We provide (nearly) tight upper-bounds on the MAC- and the PRF-security of Sponge-based HMAC, which are O(nq/2n) and O(q2/2n),respectively.Here,qisthenumberofqueriestoHMACandnis the output length of the hash function. We then compare the MAC-and the PRF-security of Sponge-based HMAC with those of the SHA-2-based HMAC constructions: MD- (Merkle-Damgård) or ChopMD-based HMAC. It was proven that the upper-bounds on the MAC- and the PRF-security of MD-based HMAC are both O(ℓq2/2n), and those for ChopMD-based HMAC are both O(q2/2n+ℓq2/2n+t).Here,qisthe number of queries to HMAC, ℓ is the maximum query length, n is the output length of the hash function, and t is the number of truncated bits in ChopMD. Hence, replacing SHA-2 with SHA-3 enhances the MAC- security of HMAC. Replacing SHA-2 having the MD construction with SHA-3 enhances the PRF-security of HMAC, and if ℓ > 2t then replacing SHA-2 having the ChopMD construction with SHA-3 enhances the PRF-security of HMAC.