I know that NMAC is mathematically proved with two different keys with length $L$.
But, if I choose to implement a MAC this way: $$H(k \operatorname\| H(k \operatorname\| msg))$$ with a key $k$ of length $2L$, am I vulnerable to some attacks?
Asked
Active
Viewed 94 times
2
-
But you'd still use the same key both times in there? – SEJPM Dec 06 '16 at 09:44
-
Yes, I think this way i'm vulnerable to length extension attack (if implemented with markle-damgard), Am I right? – Abmen Dec 06 '16 at 15:37
-
1Length-extension attacks don't apply here, given that the outer layer has constant input length. This construction is equivalent to the $\text{NMAC}_3$ construction studied in https://eprint.iacr.org/2011/649. Its exact security is unknown. – Samuel Neves Dec 06 '16 at 19:14
-
@SamuelNeves In that case it's an answer :) We're not supposed to do original research to get to an answer here. – Maarten Bodewes Dec 06 '16 at 22:22