Score:4

Is KMAC just SHA-3-256(KEY || message)


According to keccak strengths you have:

Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

Meaning I can get a MAC of a message by just computing $\operatorname{SHA-3-256}(KEY \mathbin\| message)$. If this is the case, why then does $\operatorname{KMAC}$ exist?

Is $\operatorname{KMAC}$ the same as just $\operatorname{SHA-3-256}(KEY \mathbin\| message)$? If not, then how is using $\operatorname{KMAC}$ to generate an authentication tag different from computing $\operatorname{SHA-3-256}(KEY \mathbin\| message)$?

Score:5

Standard KMAC is more than that thanks to domain separation prefixes; NIST SP 800-185

KMAC128(K, X, L, S):

Validity Conditions: $\text{len}(K) < 2^{2040}$ and $0 \le L < 2^{2040}$ and $\text{len}(S) < 2^{2040}$

  1. newX = bytepad(encode_string(K), 168) || X || right_encode(L).
  2. return cSHAKE128(newX, L, “KMAC”, S).

and

cSHAKE128(X, L, N, S):

Validity Conditions: $\text{len}(N) < 2^{2040}$ and $\text{len}(S) < 2^{2040}$

  1. If N = "" and S = "": return SHAKE128(X, L);
  2. Else: return KECCAK[256](bytepad(encode_string(N) || encode_string(S), 168) || X || 00, L)

and NIST FIPS 202

SHAKE128(M, d) = KECCAK[256] (M || 1111, d),


NIST's information about suffixes:

The suffix supports domain separation; i.e., it distinguishes the inputs to KECCAK[c] arising from the SHA-3 hash functions from the inputs arising from the SHA-3 XOFs defined in Sec. 6.2, as well as other domains that may be defined in the future.

In other words, we have different random oracles per domain separation. SHA3 and Blake2 are closer to random oracles than SHA256 since they are free from the length-extension attack.

kelalaka
The other functions (Keccak and Sponge) can be seen [here](https://crypto.stackexchange.com/a/89665/18298)
Finlay Weber
By "domain separation prefixes" you refer to the customizable string that cSHAKE takes?
kelalaka
Exactly. With the [domain separation](https://crypto.stackexchange.com/a/83307/18298), the core of the hash function can behave like different random oracles.
kelalaka
By custom, I mean they are fixed by NIST during the standardization. I've inserted the correct cSHAKE128; there are also 256 versions, too.
Finlay Weber
Ok...Thanks! I am slowly digesting this. What comes next to mind is: if this custom string is actually fixed by NIST, what is the advantage of using KMAC vs just manually doing SHA-3-256(KEY || message)?
kelalaka
SHA3 has a natural length attack resistance and you are clear to expect to ask that. You are using SHA-3-256 directly as the same random oracle. Over time we learned that we should not do this while we can separate the domains.
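
The answer's KMAC128 and cSHAKE128 pseudocode written out in Python, as an added example that is not part of the original post or NIST's reference code. The function names and the byte-oriented `keccak(rate, data, suffix, outlen)` helper are choices made here, and lengths are given in bytes rather than bits.

```python
def _rol(a, n):  # rotate a 64-bit lane left by n
    return ((a << (n % 64)) | (a >> (64 - n % 64))) & 0xFFFFFFFFFFFFFFFF

def keccak_f1600(s):  # the Keccak-f[1600] permutation over a 200-byte state
    A = [[int.from_bytes(s[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    R = 1
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x+4) % 5] ^ _rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2*x + 3*y) % 5
            cur, A[x][y] = A[x][y], _rol(cur, (t+1)*(t+2)//2)
        A = [[A[x][y] ^ (~A[(x+1) % 5][y] & A[(x+2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        for j in range(7):  # iota: round-constant bits from an LFSR
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            A[0][0] ^= ((R >> 1) & 1) << ((1 << j) - 1)
    return b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5))

def keccak(rate, data, suffix, outlen):  # sponge; suffix byte = domain bits + first pad bit
    data = bytearray(data) + bytes([suffix])
    data += bytes(-len(data) % rate)
    data[-1] ^= 0x80  # final bit of pad10*1
    s, out = bytes(200), b""
    for off in range(0, len(data), rate):  # absorb one rate-sized block at a time
        s = keccak_f1600(bytes(a ^ b for a, b in zip(s, data[off:off+rate])) + s[rate:])
    while len(out) < outlen:  # squeeze
        out, s = out + s[:rate], keccak_f1600(s)
    return out[:outlen]

def left_encode(n):  # SP 800-185: byte count of n, then n big-endian
    k = max(1, (n.bit_length() + 7) // 8)
    return bytes([k]) + n.to_bytes(k, "big")

def encode_string(b):  # bit length of b (left_encode), then b itself
    return left_encode(8 * len(b)) + b

def bytepad(b, w):  # prefix with left_encode(w), zero-pad to a multiple of w bytes
    z = left_encode(w) + b
    return z + bytes(-len(z) % w)

def cshake128(x, outlen, n, s):  # suffix 0x1F = SHAKE bits "1111", 0x04 = cSHAKE bits "00"
    if not (n or s):
        return keccak(168, x, 0x1F, outlen)
    return keccak(168, bytepad(encode_string(n) + encode_string(s), 168) + x, 0x04, outlen)

def kmac128(key, msg, outlen, s=b""):  # outlen in bytes, so L = 8 * outlen bits
    le = left_encode(8 * outlen)  # right_encode(L) is the same bytes with the count last
    return cshake128(bytepad(encode_string(key), 168) + msg + le[1:] + le[:1], outlen, b"KMAC", s)
```

With this helper, `keccak(136, key + msg, 0x06, 32)` is the question's SHA-3-256(KEY || message): the same permutation, but with rate 136 and suffix 0x06 instead of 168 and 0x04, and without KMAC's encoding of the key length, the output length L or the customization string S.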