Recommended HMAC key length for ecdsa-sd-2023?

[filip26]

Hi,
I've not found any mention about a recommended HMAC key length. Test vector Example 49 says 32 bytes. Is it the only allowed length?

[Wind4Greg]

Agree @filip26 need to give either a recommendation or requirement here. Was just looking over my test vector code the other day and was wondering about this same issue.

[Wind4Greg]

Did some digging @filip26 . The specification cites RFC6234: US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) but this is an open source implementation without advice on key lengths. FIPS PUB 198-1: The Keyed-Hash Message Authentication Code (HMAC) gives a nice description of the algorithm that can take any key size (in bytes), but doesn't give any advice. Finally there is RFC2104 HMAC: Keyed-Hashing for Message Authenticatio which does offer the following advice on HMAC key sizes:

The key for HMAC can be of any length (keys longer than B bytes are
first hashed using H). However, less than L bytes is strongly
discouraged as it would decrease the security strength of the
function. Keys longer than L bytes are acceptable but the extra
length would not significantly increase the function strength. (A
longer key may be advisable if the randomness of the key is
considered weak.)

We are using SHA-256 so L = 32 bytes (256 bits) and B = 64 bytes (512). Hence I would be inclined to cite RFC2104 and recommend a key size of 32 bytes.

[filip26]

I've been looking for this, and I agree there is not much info around. MS (.NET) recommends 64 bytes but then they say if the key length is greater than 64 hash it to get 32.
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha256.-ctor?view=net-8.0

there is also a post on crypto.stackexchange.com
https://crypto.stackexchange.com/questions/31473/what-size-should-the-hmac-key-be-with-sha-256

+1 to recommend hmac key size of 32 bytes

[msporny]

PR #60 has been merged to address this issue; closing.