"the security of a reduced-length SHA256 has not been investigated, yet" (p5 of http://eprint.iacr.org/2014/904.pdf)

It was, implicitly, for any attack on "reduced-length" (collision, [second-]preimage, distinguisher, etc.) implies an attack on SHA-256. I wouldn't call UKS attacks "serious". As Trevor suggests, a good reference is Krawczyk's HMQV paper http://eprint.iacr.org/2005/176.pdf (see the UKS attack on MQV in the appendix).

On Sat, Nov 1, 2014 at 5:56 AM, David Leon Gil <[email protected]> wrote:
> A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
>
> --
>
> They present an unknown key-share attack on TextSecure; this is rather
> serious, to say the least.
>
> Rather puzzling, however:
>
> 1. They claim that HMAC(key=constant, message=secret) is not provably
> a PRF. The security reduction of, e.g., [nested_macs] seems
> symmetrical if the hash function is one-way; am I missing something
> here?
>
> (HMAC is insecure if *both* inputs can be controlled by the attacker;
> this manifestly isn't the case here.)
>
> 2. They also claim that the security of truncated SHA2-256, as used in
> TextSecure tags, is unknown. (This is likely true for non-generic
> attacks: there are good distinguishers on reduced round SHA2-256.)
>
> But the story is very different for non-generic attacks; the
> "how-to-hash" indifferentiability proof works here.
>
> More concerning re tags: TextSecure is only using an 8 byte tag.
> 64-bit authenticity is plainly insufficient. (This really should be
> 128 bits of SHA2-256's output, or, preferably, 160-256 bits of
> SHA2-512's.)
>
> --
>
> [nested_macs]:
> http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/nestedMACs.pdf
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
