
I'm trying to implement hash-based authentication using the 'tree-chaining' structure described in http://www.springer.com/us/book/9783540887010 or https://www.imperialviolet.org/2013/07/18/hashsig.html

For this I'd need a (deterministic) PRNG capable of producing a huge number of private keys from a seed/key and an index into the private key list. I was thinking of simply using Hash(secretkey + index) to generate the keys, but after reading some NIST recommendations for PRNGs I wonder if there's a better/more secure way. Are there any serious issues with this Hash(secretkey + index) approach, assuming SHA-3 as the hashing function?

Thanks

Kris

1 Answer


One potential issue is that hash("100" + "10") == hash("1001" + "0"). Possibly better is to hash one of the arguments separately:

hash(key + hash(index))
pkalinow
  • I probably should've mentioned this in the question, but secretkey is assumed to always be an n-bit number with full entropy and the '+' sign means integer addition rather than string concatenation... – Kris Mar 03 '16 at 14:53
  • ...with 2^n >= max(index) – Kris Mar 03 '16 at 16:39
  • @Kris Some hashing algorithms are weak when working with concatenated data (see http://security.stackexchange.com/questions/79577/whats-the-difference-between-hmac-sha256key-data-and-sha256key-data). I don't know how it works with integer addition - whether it is also insecure or not. – pkalinow Mar 03 '16 at 16:56
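The following is an added worked example (it is not code from the question, the answer, or either of the linked references) covering both the question's "derive many private keys from a seed and an index" requirement and the answer's concatenation-ambiguity point. It first reproduces the collision the answer describes for unframed string concatenation, then derives per-leaf, per-slot secrets with an unambiguous encoding (domain label, fixed-width index and slot) keyed through HMAC-SHA3-256, and uses them to build, sign with and verify a Lamport one-time key for one leaf. The seed value, the domain labels and the function names are assumptions made for the demo. Two caveats on what it shows: SHA-3 is a sponge and has no length-extension weakness, so the HMAC-versus-raw-hash concern in the linked comment does not apply to SHA-3 itself, but an ambiguous key/index boundary is a separate problem and is what the framing here removes; and the integer-addition variant Kris mentions in the comments is not modelled.

```python
import hashlib
import hmac

# Constructed demonstration seed (not from the original post); a real seed
# would come from a CSPRNG, e.g. secrets.token_bytes(32).
SEED = bytes(range(32))


def naive_concat_hash(key: bytes, index: bytes) -> bytes:
    """The scheme criticised in the answer: Hash(key || index) with no framing."""
    return hashlib.sha3_256(key + index).digest()


def concat_ambiguity_demo() -> bool:
    """Reproduces the answer's collision: "100"+"10" and "1001"+"0" hash alike."""
    return naive_concat_hash(b"100", b"10") == naive_concat_hash(b"1001", b"0")


def framed_hash(key: bytes, index: bytes) -> bytes:
    """Length-prefix the key so the key/index boundary is unambiguous."""
    return hashlib.sha3_256(len(key).to_bytes(4, "big") + key + index).digest()


def derive_secret(seed: bytes, index: int, slot: int, domain: bytes = b"ots-secret") -> bytes:
    """Deterministic per-leaf, per-slot secret.

    Framing: a domain label (hypothetical name), a fixed 8-byte big-endian leaf
    index and a fixed 4-byte slot number, so every (index, slot) pair has
    exactly one encoding. The seed is used as the HMAC-SHA3-256 key rather than
    as prefix data, so it never appears in the hashed message at all.
    """
    if not 0 <= index < 2**64 or not 0 <= slot < 2**32:
        raise ValueError("index or slot out of range")
    msg = domain + b"\x00" + index.to_bytes(8, "big") + slot.to_bytes(4, "big")
    return hmac.new(seed, msg, hashlib.sha3_256).digest()


def lamport_private_key(seed: bytes, index: int, n_bits: int = 256):
    """Expand leaf `index` into 2*n_bits Lamport secrets, one pair per digest bit."""
    return [(derive_secret(seed, index, 2 * i), derive_secret(seed, index, 2 * i + 1))
            for i in range(n_bits)]


def lamport_public_key(priv):
    """Public key is the hash of every secret; only this needs to be stored or published."""
    return [(hashlib.sha3_256(a).digest(), hashlib.sha3_256(b).digest()) for a, b in priv]


def _message_bits(msg: bytes):
    digest = hashlib.sha3_256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(priv, msg: bytes):
    """For each digest bit, reveal the secret from the matching half of the pair."""
    return [pair[bit] for pair, bit in zip(priv, _message_bits(msg))]


def lamport_verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != len(pub):
        return False
    return all(hashlib.sha3_256(s).digest() == pair[bit]
               for pair, bit, s in zip(pub, _message_bits(msg), sig))


if __name__ == "__main__":
    print("naive concat collides:", concat_ambiguity_demo())
    priv = lamport_private_key(SEED, 7)   # leaf 7, regenerable from SEED alone
    pub = lamport_public_key(priv)
    sig = lamport_sign(priv, b"hello")
    print("valid:", lamport_verify(pub, b"hello", sig))
    print("forged:", lamport_verify(pub, b"hellp", sig))
```

Because every secret is a pure function of (seed, index, slot), the signer only has to store the 32-byte seed and a counter of which leaf indices have already been used; the whole private key list is regenerated on demand, which is the property the question is after.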