<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">Jason A. Donenfeld <span dir="ltr"><<a href="mailto:Jason@zx2c4.com" target="_blank">Jason@zx2c4.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Fri, Apr 22, 2016 at 10:15 PM, Rhys Weatherley <span dir="ltr"><<a href="mailto:rhys.weatherley@gmail.com" target="_blank">rhys.weatherley@gmail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Sat, Apr 23, 2016 at 1:18 AM, Jason A. Donenfeld <span dir="ltr"><<a href="mailto:Jason@zx2c4.com" target="_blank">Jason@zx2c4.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
What precisely prevents you from using these?</blockquote></span><div>Embedded systems.<br></div></div></div></div></blockquote><div><br></div></span><div>Okay, sure. But I'm mainly interested in hearing cryptographic reasons here, following our previous discussions on this matter.</div></div>
</div></div>
</blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">I was just skimming about this today:</div><div class="gmail_extra"><br></div>“Standards bodies should reexamine
— taking into account tightness gaps — the security of all standardized protocols that use
HMAC for non-MAC purposes such as key derivation or passwords.” [1]</div><div class="gmail_extra"><br></div><div class="gmail_extra">"To the best of our knowledge, the PRF-assumption has never
been seriously studied for the compression functions used in MD5, SHA1, or SHA256." (or SHA-512, IIUC). [1]</div><div class="gmail_extra"><br></div><div class="gmail_extra">"Oops! Nobody knows
how to prove that SHA-256’s compression function is a PRF." (or SHA-512, IIUC). [2]</div><div class="gmail_extra"><br></div><div class="gmail_extra">I have only read [1] once, so I've no opinion on it other than I think it's worth considering its ideas.</div><div class="gmail_extra"><br></div><div class="gmail_extra">[1] <a href="https://eprint.iacr.org/2016/360.pdf">https://eprint.iacr.org/2016/360.pdf</a><br></div><div class="gmail_extra">[2] <a href="https://www.cs.princeton.edu/~appel/papers/verif-sha.pdf">https://www.cs.princeton.edu/~appel/papers/verif-sha.pdf</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Brian<br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><a href="https://briansmith.org/" target="_blank">https://briansmith.org/</a></div></div></div></div></div></div></div>
</div></div>
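<p>To make the two quoted points concrete, the following is an added example; it is not part of Brian's message, nor code from [1] or [2]. It rebuilds HMAC-SHA256 from the SHA-256 compression function in the form the security proof actually reasons about: the compression function <code>f(h, m)</code> is keyed through its chaining-value input <code>h</code>, two such keys <code>K_in</code>/<code>K_out</code> are derived from the single HMAC key, and HMAC is the keyed hash applied twice. That is exactly the place where "is the compression function a PRF?" has to be assumed, and the tightness gap the first quote refers to is the loss in the reduction from HMAC to that assumption. The function and variable names (<code>compress</code>, <code>md_iterate</code>, <code>hmac_from_compression</code>, <code>hkdf_extract</code>) are the example's own; the constants are the FIPS 180-4 SHA-256 constants, and Python's <code>hmac</code> module is used only to cross-check the result.</p>

```python
"""Added example (not from the thread or the cited papers): HMAC-SHA256 rebuilt
from the SHA-256 compression function, to show where the PRF assumption on the
compression function enters.  Cross-checked against Python's hmac module."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
# FIPS 180-4 SHA-256 round constants and initial chaining value.
K256 = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV256 = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
         0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state, block):
    """SHA-256 compression function f(h, m): 256-bit chaining value h (8 words)
    and 512-bit block m -> new 256-bit chaining value.  This is the object the
    quoted papers say has never been seriously studied as a PRF keyed by h."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        T1 = (h + S1 + ch + K256[t] + w[t]) & MASK
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        T2 = (S0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK, c, b, a, (T1 + T2) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))


def md_iterate(state, msg, prefix_len=0):
    """Merkle-Damgard iteration of `compress` starting from an arbitrary chaining
    value `state`.  `prefix_len` bytes are counted in the length padding as if they
    had already been absorbed, which is how a keyed chaining value stands in for the
    (K xor pad) block that plain SHA-256 would have hashed first."""
    total = prefix_len + len(msg)
    padded = msg + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return struct.pack(">8I", *state)


def sha256(msg):
    return md_iterate(IV256, msg)


def hmac_from_compression(key, msg):
    """HMAC-SHA256 as the proof sees it (the NMAC view): one compression call
    each turns K xor ipad / K xor opad into 256-bit keys K_in and K_out, then the
    message goes through f(K_in, .) iterated, and the 32-byte result through
    f(K_out, .).  HMAC's security reduces to f being a PRF keyed via h, plus an
    assumption about deriving the two keys from one K through the same f."""
    if len(key) > 64:                       # RFC 2104: long keys are hashed first
        key = sha256(key)
    key = key.ljust(64, b"\x00")
    k_in = compress(IV256, bytes(b ^ 0x36 for b in key))
    k_out = compress(IV256, bytes(b ^ 0x5C for b in key))
    inner = md_iterate(k_in, msg, prefix_len=64)
    return md_iterate(k_out, inner, prefix_len=64)


def hkdf_extract(salt, ikm):
    """The non-MAC use the first quote flags: HKDF-Extract is HMAC with the
    (possibly public) salt as the HMAC key and the secret IKM as the *message*.
    The secret therefore enters f through the block input, not the chaining
    value, so the plain PRF-keyed-by-h assumption above is no longer the one
    the argument needs."""
    return hmac_from_compression(salt, ikm)


def matches_stdlib(key, msg):
    """Cross-check against the reference HMAC implementation."""
    return hmac_from_compression(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    print(hmac_from_compression(b"key", b"The quick brown fox jumps over the lazy dog").hex())
    print(all(matches_stdlib(b"k" * n, bytes(range(n % 256)) * 3) for n in (0, 1, 55, 63, 64, 65, 100)))
```

<p>Running it prints the standard HMAC-SHA256 test value for <code>"key"</code> / <code>"The quick brown fox jumps over the lazy dog"</code> and <code>True</code> for the cross-check over key and message lengths on both sides of the 64-byte block boundary. The design point is that the only secret-dependent calls are <code>compress(IV256, K xor pad)</code> and the subsequent iterations from <code>k_in</code>/<code>k_out</code>; everything a proof can say about HMAC is a statement about those calls, which is why the quoted lines ask how well the compression function's PRF property is actually understood, and why a use such as <code>hkdf_extract</code>, where the secret sits in the message input, needs a separate argument.</p>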