Is HMAC-SHA512 quantum safe? I am planning to use it for an encrypt-then-MAC scheme with AES-256-CFB mode for a post-quantum-safe PGP-like protocol.
2
-
Done my best whilst on the move on mobile. – samuel-lucas6 Jul 19 '22 at 10:33
-
Why CFB mode? It's not very popular as far as I know. – samuel-lucas6 Jul 19 '22 at 10:34
-
I am using CFB to avoid using padding, and it is generally faster than CBC. I found the GnuPG program using CFB mode, so I thought to use it. – ANISH M 18CS006 Jul 19 '22 at 16:07
-
Avoiding padding makes sense, but there's a lot wrong with GPG, so I would recommend not basing design decisions on it. AES-CTR is likely the most used AES mode currently because it's used within AES-GCM, AES-CCM, AES-EAX, and so on. If you're looking for maximum performance, you'd be best off with something like AES-OCB or AEGIS, but those are AEADs, so you wouldn't need Encrypt-then-MAC. They're post-quantum secure, but AES-OCB is not key committing and AEGIS has not been officially looked at regarding key commitment. – samuel-lucas6 Jul 19 '22 at 16:42
-
Thanks @samuel-lucas6, I am planning to use AES-OCB. Does not being key committing cause any security issue for a PGP-like application? I am going to use AES-OCB in hybrid cryptography. – ANISH M 18CS006 Jul 20 '22 at 05:46
-
It really depends how your application will be used and what functionality it will support. – samuel-lucas6 Jul 20 '22 at 18:39
1 Answer
2
Yes, HMAC-SHA512 offers at least a 256-bit security level assuming a 256-bit+ key. Specifically, 256-bit collision resistance and 512-bit preimage/second preimage resistance, which is more important for MACs.
A 512-bit key is unnecessary as 512-bit preimage/second preimage resistance is excessive. However, it can be good for domain separation, and a key as long as the output length is often recommended so you don't get a security reduction.
Just make sure you derive a separate encryption key and MAC key using a KDF with the same input keying material. That's good practice and makes Encrypt-then-MAC committing.

samuel-lucas6
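The key separation recommended in the answer above, as an added example that is not part of the original answer: one input keying material is expanded into an independent AES-256 key and a 512-bit HMAC-SHA512 key, and the tag is checked in constant time before any decryption would happen. HKDF-SHA512 (RFC 5869) is an assumption here, since the answer only says "a KDF"; the info labels, function names and sample bytes are constructed, and the ciphertext is an opaque stand-in for AES-256-CFB output.

```python
import hashlib
import hmac

HASH = hashlib.sha512
HASH_LEN = 64  # SHA-512 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(ikm: bytes, salt: bytes):
    # Same input keying material, distinct info labels (assumed names) per purpose.
    prk = hkdf_extract(salt, ikm)
    enc_key = hkdf_expand(prk, b"example enc aes-256-cfb", 32)
    mac_key = hkdf_expand(prk, b"example mac hmac-sha512", 64)
    return enc_key, mac_key


def make_tag(ikm: bytes, salt: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the fixed-length IV and the ciphertext.
    _, mac_key = derive_keys(ikm, salt)
    return hmac.new(mac_key, iv + ciphertext, HASH).digest()


def check_tag(ikm: bytes, salt: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    # Verify before decrypting; compare_digest avoids a timing side channel.
    return hmac.compare_digest(make_tag(ikm, salt, iv, ciphertext), tag)


# Constructed sample values (not real key material or real AES output).
IKM = bytes(range(32))
SALT = b"constructed-salt"
IV = bytes(16)
CT = b"opaque bytes standing in for AES-256-CFB ciphertext"
```

Because both keys come from the same input keying material, a tag that verifies also ties the ciphertext to that material: a recipient holding different keying material derives a different MAC key and rejects the message.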