1

In some contexts (HKDF (RFC-5869 sec 2.2) and Bitcoin's BIP32 (master key generation)), I have seen the key and the data swapped for HMAC. E.g., let HMAC be a function $h:\{0,1\}^c \times \{0,1\}^b \to \{0,1\}^c$ (usual notation) defined for a key $k$ and data $m$ as $h(k, m)$. Well, some people let $k$ be a fixed public value (for instance, Bitcoin seed), and encode secret bytes in $m$.

I understand why they would want to do this, for instance, the input material (that can be a secret key) can have any prescribed length $c$. I assume they do not expect integrity, they only want randomness.

I would expect security (or at least integrity) to depend on the secrecy of $k$ and properties on the underlying hash function. Indeed, using the results of Bellare's "New Proofs for NMAC and HMAC" [1], we do have a PRF as soon as the compression function of the hash function is a PRF, and if implementors did the right thing, this actually does not depend on the secrecy of $k$.

But it looks to me that the proof assumes a uniformly random, secret key. Does the PRF proof still hold if we reveal $k$ to the attacker?

(Note: This would be obvious if $k$ and $m$ played symmetrical roles in the HMAC construction - this is also not the case.)


zugzwang
  • 139
  • 8

1 Answer

1

I will only address the HKDF part.

HKDF was introduced in the following paper: https://eprint.iacr.org/2010/264.pdf

In this context, HMAC is used for two somewhat distinct purposes: 1) randomness extraction and 2) variable (input/output) length PRF.

The key-swap happens for randomness extraction. The situation here is that we are given a keying material $IKM$ that is not (pseudo)uniform random and want to create a key $PRK$ that is pseudorandom (i.e., computationally indistinguishable from random).

As you noted, HMAC is also shown to be a PRF. However, we cannot rely on PRF security to argue the security of $PRK$. But the paper argues that this use of HMAC is suitable for providing a computational randomness extractor (see section 6).

Speaking of PRFs, an interesting thing to note is that some security proofs, like TLS, actually rely on the so-called PRF-ODH assumption (https://eprint.iacr.org/2017/517.pdf). When applied to the use of HKDF in TLS: recall that the two parties exchange DH shares $(g^x, g^y)$; (one variant of) the assumption roughly says that the function $F(K, X) = \mathrm{HMAC}(X, K)$ is a PRF under the assumption that the underlying compression function is a random oracle, even if the attacker was given access to an oracle $\mathcal{O}(T, v) = F(T^x, v)$. (Omitted here: restrictions on values of $(T, x)$ and the maximal number of queries.)

Note here that the function $F$ above has keyspace $\langle G \rangle$, the group used for the DH exchange. So we are dealing with a uniform random key on the keyspace in the context of PRF-ODH.

P.S.: consider reading this answer as well: https://crypto.stackexchange.com/a/30461/58690

Marc Ilunga
  • 4,042
  • 1
  • 13
  • 24