On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract)

Kim, Jongsung; Biryukov, Alex; Preneel, Bart; Hong, Seokhie

doi:10.1007/11832072_17

Cited by 77 publications

(68 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Note that the notion of PRF-security is identical to the notion of distinguishing-R, first defined in [14] and often used in the cryptanalytic literature on hash-based MACs.…”

Section: Preliminariesmentioning

confidence: 99%

“…Distinguishing-H. A further security notion defined in [14] is the so-called distinguishing-H security. Here, the goal of the adversary is to distinguish the hash-based MAC construction C K [f] using its underlying compression function f (say SHA-1) and a random key K, from the same construction C K [g] built on top of an independent random compression function g. In the ideal compression function model, where we model already the initial compression function f as ideal, this corresponds to distinguishing a pair of oracles (…”

Section: Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

Generic Security of NMAC and HMAC with Input Whitening

Gaži

Pietrzak

Tessaro

2015

Advances in Cryptology – ASIACRYPT 2015

View full text Add to dashboard Cite

Abstract. HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for generic attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box. Generic security can be proved in a model where the underlying compression function is modeled as a random function -yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question. In this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) black-box modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing. While our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called "functional graph" which are not directly accessible in our new constructions.

show abstract

“…Note that the notion of PRF-security is identical to the notion of distinguishing-R, first defined in [14] and often used in the cryptanalytic literature on hash-based MACs.…”

Section: Preliminariesmentioning

confidence: 99%

Section: Preliminariesmentioning

confidence: 99%

Generic Security of NMAC and HMAC with Input Whitening

Gaži

Pietrzak

Tessaro

2015

Advances in Cryptology – ASIACRYPT 2015

View full text Add to dashboard Cite

show abstract

“…DC has become a general type of attack, and it has been adapted to stream ciphers [7], hash functions [8], and MAC algorithms [9].…”

Section: Differential Cryptanalysismentioning

confidence: 99%

Differential entropy analysis of the IDEA block cipher

Biryukov

Nakahara

Yıldırım

2014

Journal of Computational and Applied Mathematics

Self Cite

View full text Add to dashboard Cite

a b s t r a c tThis paper describes a new cryptanalytic technique that combines differential cryptanalysis with Shannon entropy. We call it differential entropy (DE). The objective is to exploit the non-uniform distribution of output differences from a given mapping as a distinguishing tool in cryptanalysis. Our preferred target is the IDEA block cipher, since we detected significantly low entropy at the output of its multiplication operation. We looked to further extend this entropy analysis to larger components and for a number of rounds. We present key-recovery attacks on up to 2.5-round IDEA in the single-key model and without weakkey assumptions.

show abstract

“…Recent work [2,3,15,16,17,19] discovered devastating collision attacks on hash functions from the MDx family. Such attacks have undermined the confidence in the most popular hash functions such as MD5 and SHA-1, and promoted the reevaluation of the actual security of the MAC algorithms based on them [4,6,8,11,12,14,18].…”

Section: Introductionmentioning

confidence: 99%

“…There are two kinds of distinguishing attacks on MACs, and they are respectively called distinguishing-R and distinguishing-H attacks [8]. Distinguishing-R attack means distinguishing a MAC from a random function, and distinguishing-H attack detects an instantiated MAC (by an underlying hash function or block cipher) from a MAC with a random function.…”

Section: Introductionmentioning

confidence: 99%

New Distinguishing Attack on MAC Using Secret-Prefix Method

Wang

Jia

et al. 2009

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. This paper presents a new distinguisher which can be applied to secret-prefix MACs with the message length prepended to the message before hashing. The new distinguisher makes use of a special truncated differential path with high probability to distinguish an inner near-collision in the first round. Once the inner near-collision is detected, we can recognize an instantiated MAC from a MAC with a random function. The complexity for distinguishing the MAC with 43-step reduced SHA-1 is 2 124.5 queries. For the MAC with 61-step SHA-1, the complexity is 2 154.5 queries. The success probability is 0.70 for both.

show abstract

On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract)

Cited by 77 publications

References 13 publications

Generic Security of NMAC and HMAC with Input Whitening

Generic Security of NMAC and HMAC with Input Whitening

Differential entropy analysis of the IDEA block cipher

New Distinguishing Attack on MAC Using Secret-Prefix Method

Contact Info

Product

Resources

About