2

For use use in Encrypt then MAC scheme i am considering using HMAC-SHA256 with 256 bit key, i am wondering if i should use HMAC-SHA512 to be post quantum secure, will simply using HMAC with 256 bit key alone irrespective of hash function will be post quantum secure?

ANISH M 18CS006
  • 51
  • 13
  • 2
    Does this answer to your question Which MAC scheme is quantum resistant?? – kelalaka Aug 27 '22 at 12:40
  • HMAC-SHA-256 is fine. You don't need a tag greater than 256 bits because that already gives you 256-bit security if you ignore generic attacks that are impractical. However, you shouldn't use HMAC-MD5 or HMAC-SHA1 nowadays. – samuel-lucas6 Aug 27 '22 at 12:47
  • @kelalaka i referred that link but since it was 9 years old , i thought if those stuff were still valid today. It mentions HMAC of any keylength can be used for any hash algorithm and it will be secure , i wonder if a broken hash is used for hmac will it be still secure? From samuel-lucas6 sir's comment i guess broken hash shouldn't be used for hmac , just wondering if sha256 gets obsolete or broken in quantum age will hmac-sha256 will still be secure. – ANISH M 18CS006 Aug 27 '22 at 13:05
  • That is really depend on your applications – kelalaka Aug 27 '22 at 13:17
  • 1
    @kelalaka: Grover's algorithm is essentially optimal, assuming that you attack the crypto (HMAC in this case) as a black box; you may be able to do better (if you have insight into how the crypto operates internally). As for Brassard's attack, that doesn't apply - it's trying to find collisions, and collisions don't apply to HMAC. – poncho Aug 28 '22 at 21:38
  • Yeah, I was wondering about that. We cannot even prove that any attack is optimal in the classic sense (which, by extension, automatically means that may not be optimal for quantum computers, as those can run classic algorithms as well, even if any advantage over classic computation is lost)... – Maarten Bodewes Aug 28 '22 at 21:47
  • Yeap, @poncho you are right. That comment is mixed there, deleting... – kelalaka Aug 28 '22 at 23:11
  • I'm closing this question as a duplicate because, despite being 9 years old, the answer is still perfectly valid and answers this question. – forest Aug 29 '22 at 00:39

0 Answers0