General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Transcription

1 General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr 2 David R. Cheriton School o Computer Science, University o Waterloo, Canada m2nandi@cs.uwaterloo.ca Abstract. Kim et al. [4] and Contini et al. [3] studied on the security o HMAC and MAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. Especially, they considered the distinguishing attacks. However, they did not describe generic distinguishing attacks on MAC and HMAC. In this paper, we describe the generic distinguishers to distinguish MAC and HMAC with the birthday attack complexity and we prove the security bound when the underlying compression unction is the random oracle. Keywords : MAC, HMAC, Distinguishing Attack, Birthday Attack. 1 Introduction. Since MD4-style hash unctions were broken, evaluations on the security o HMAC and MAC have been reuired. Kim et al. [4] and Contini et al. [3] showed the security analyses on them. However, Kim et al. distinguishing attack complexity is ar rom the birthday attack complexity. Contini et al. also suggested 2 84 as the distinguishing attack complexity o MAC and HMAC on the reduced SHA-1, which is bigger than the birthday attack complexity. In this paper, we describe the generic distinguishers to distinguish MAC and HMAC with the birthday attack complexity and we prove the security bound when the underlying compression unction is the random oracle. 2 MAC and HMAC Fig. 1 and 2 show MAC and HMAC based on a compression unction rom {0, 1} n {0, 1} b to {0, 1} n. K 1 and K 2 are n bits. K = K 0 b n where K is n bits. opad is ormed by repeating the byte 0x36 as many times as needed to get a b-bit block, and ipad is deined similarly using the byte 0x5c. H : {IV } ({0, 1} b ) {0, 1} n is the iterated hash unction. H is deined as ollows : H(IV, x 1 x 2 x t ) = ( ((IV, x 1 ), x 2 ), x t ) where x i is b bits. Let g be a padding method. g(x) = x 10 t bin 64 (x) where t is smallest nonnegative integer such that g(x) is a multiple o b and bin i (x) is the i-bit binary representation o x. Then, MAC and HMAC are deined as ollows.

2 MAC K1,K 2 (M) = H(K 2, g(h(k 1, g(m)))) HMAC K (M) = H(IV, g(k opad H(IV, g(k ipad M)))). M 1 M 2 M t K 1 h 1 h 2 h t-1 h t padding K 2 h t+1 Fig.1. MAC ( g(m) = M 1 M 2 M t) K M1 M2 Mt IV h1 h2 ht-1 K ht padding IV ht+1 Fig.2. HMAC ( g(k ipad M) = K ipad M 1 M 2 M t) 3 General Distinguishing Attack On MAC and HMAC Here, we describe three types o distinguishers A 1, A 2 and A 3. In case o A 1 and A 2, we will prove the lower bound o A 1 s advantage. On the other hand, A 3 distinguishes heuristically without proving exact proo o security bound. Practically, A 3 is reasonable. For all distinguishers, ueries are same as ollows. Let is the number o ueries such that t is a ixed value (t 2) in Fig. 1 and 2. Since g is applied two times in MAC and HMAC, t 2 means that the added inormation o the irst padding is dierent rom that o the secoond padding.

3 Each block is b bits and c = log 2 t. In MAC, A = K 1 and B = K 2 in Fig. 3. In HMAC, A = (IV, K ipad) and B = (IV, K opad) in Fig. 3. For MAC and HMAC, i-th uery is X i 0 64 bin c (1) 0 b c bin c (t 2) 0 b c bin c (t 1) where each X i is b 64 bits and X i X j or any i j and X i 0 64 bin c (j) 0 b c or any i and j such that 1 j t 2. These kinds o messages enable us to prove the security bound in the random oracle model. When we prove the security bound, we will explain in detail. MAC : M t =bin c (t-1) 10 b-c-65 bin 64 (bt-b+c) X i 0 64 bin c (1) 0 b-c bin c (t-2) 0 b-c HMAC : M t =bin c (t-1) 10 b-c-65 bin 64 (bt+c) M 1 M 2 M t-1 M t A h 0 h 1 h 2 h t-2 h t-1 h t padding B h t h t+1 Fig.3. Attack Strategy. In MAC, A = K 1 and B = K 2. In HMAC, A = (IV, K ipad) and B = (IV,K opad). In Fig. 3, or i-uery, we denote the values o h 1 h t+1 by h 1,i h t+1,i. Then we deine Pr[C m ] denotes the probability that there exist h m,i = h m,j such that 1 i j. ote that i C i occurs, then C j (i + 1 j t + 1) also occurs. Thereore, Pr[C t+1 ] = Pr[C 1 C 1 C t+1 ]. In other words, Pr[ C t+1 ] = Pr[ C 1 C 1 C t+1 ]. And Pr[C t+1 ] = 1 Pr[ C 1 C 1 C t+1 ]. Distinguisher A 1 A 1 has an access to oracle O which is MAC (or HMAC) or the random unction rom {0, 1} {0, 1} n. A 1 makes ueries as described above. Then A 1 outputs 1 i there is a collision among ueries, otherwise outputs 0. We want to compute the bound o the advantage o A 1. For this, we compute the probability that there is a collision or both MAC (or HMAC) and the random unction. In case o the random unction, we denote Pr r [C] by the probability that there exist a collsion o the random unction. Let = 2 n. Let x i,j = h i 1 M i in Fig. 3. Then Pr[ C 1 ] = ( 1) ( +1) because all X i (1 i ) are dierent. When C 1 does not occur, x 1,i x 2,j or all i and j. So, Pr[ C 2 C 1 ] = Pr[ C 2 ] = Pr[ C 1 ] = ( 1) ( +1). So, Pr[ C 1 C 2 ] = (Pr[ C 1 ]) 2 = ( ( 1) ( +1) ) 2. Similarly, we can know Pr[ C 1

4 C t+1 ] = (Pr[ C 1 ]) t+1 = ( ( 1) ( +1) ) t+1. Thereore, Pr[C t+1 ] = 1 ( ( 1) ( +1) ) t+1. On the other hand, in case o the random unction, Pr r [C] = 1 ( 1) ( +1). HMAC or MAC Adv A1 () = Pr[A1 = 1] Pr[A Rand 1 = 1] ( 1) ( + 1) ( 1) ( + 1) = ( ) t+1 With using 1 x e x or x 1, ( 1) ( +1) = (1 1 )(1 2 ) (1 1 ) e = e ( 1) 2. I 2 then ( 1) 2 1. With using e x 1 (1 e 1 )x or x 1 [1], we know that e ( 1) 2 1 (1 e 1 ) ( 1) Since 1 e 1 > 0.632, e ( 1) 2 1 ( 1) ( 1) 2 < ( 1) 2 by the result o [1]. Thereore, 1 ( 1) 2. Finally, 2.. And ( 1) ( +1) ( 1) ( +1) < Adv A1 () (1 ) ( )t+1 In case o =, Adv A1 () t+1. When t = 11, Adv A1 () Distinguisher A 2 A 2 has an access to oracle O which is MAC (or HMAC) or the random unction rom {0, 1} {0, 1} n. A 2 makes ueries as described above. I there is no collision among outputs o ueries, return 0. I there is a collision (M, M ) among ueries, When comparing with MAC, A 2 makes new ueries T and T such that T = M 10 b c 65 bin 64 (bt b+c) and T = M 10 b c 65 bin 64 (bt b+c). When comparing with HMAC, A 2 makes new ueries T and T such that T = M 10 b c 65 bin 64 (bt + c) and T = M 10 b c 65 bin 64 (bt + c). I O(T) = O(T ), then return 1 otherwise 0. We know that Pr[C t ] = 1 ( ( 1) ( +1) ) t. We want to compute Pr[ {h t,i } i = {h t+1,j } j C t ]. This probability means that there is no collision which do not collide in h t. Since the size o {h t,i } i is at most and {h t,i x t+1 } i {h j,i x j+1 } i,jt 1 =, Pr[ {h t,i } i = {h t+1,j } j C t ] ( 1) ( +1) Thereore, Pr[ {h t,i } i = {h t+1,j } j C t ] ( ( 1) ( +1). )(1 ( ( 1) ( +1) ) t ).

5 HMAC or MAC Adv A2 () = Pr[A2 = 1] Pr[A Rand 2 = 1] Pr[ {h t,i } i = {h t+1,j } j C t ] 1 ( 1) ( + 1) ( (1 ( 1) ( + 1) ) t+1 1 ) ( )t+1 1 In case o =, Adv A2 () t+1. When t = 11, Adv A2 () Distinguisher A 3 See Fig. 3. We know that there is an internal collision pair in h 1 with about the ollowing probability. ( ) 2 n/2 2 n = (2 n)/2 Then automatically the pair becomes also an internal collision pair in rom h 2 to h t+1 in Fig. 3. Except the pair, we also know that there exist an internal collision pair which is collided in h 2 with above probability. By this logic, we can get t internal collision pairs in h t. In case o MAC and HMAC, since the value in h t is applied to once more, we can get (t + 1) ( 1 2 2(2 n)/2 ) collision pairs o MAC and HMAC on average. On the other hand, in case o random unction, we can get about ( 1 2 2(2 n)/2 ) collision pairs. MAC or HMAC Random Function Average (t + 1) ( 1 2 2(2 n)/2 ) t+1 2 ( 1 2 2(2 n)/2 ) 1 2 Standard Deviation 2/2 2 (t + 1)/2 Then, distinguisher A 3 says 1 (MAC or HMAC) i there are t+1 2 2(t + 1) collision pairs at least. Otherwise A 3 says 0 (random unction). So, with high probability A 3 can distinguish MAC and HMAC rom the random unction. In case t = 31, Advantage o A 3 is Adv A3 (2 n/2 MAC or HMAC ) = Pr[A3 = 1] Pr[A Rand 3 = 1] = Conclusion In this paper, we described generic distinguishing attacks on MAC and HMAC where a compression unction is used iteratively and the size o the internal state is same as that o the hash output. Thereore, we can know that the security bound o MAC and HMAC is the birthday attack complexity in case that the size o the internal state is same as that o the hash output.

6 Reerences 1. M. Bellare, J. Kilian, and P. Rogaway, The Security o the Cipher Block Chaining Message Authentication Code, Appears in Journal o Computer and System Sciences, Vol. 61, o. 3, Dec 2000, pp M. Bellare, ew Proos or MAC and HMAC: Security without Collision- Resistance, Advances in Cryptology - CRYPTO 06, LCS??, Springer-Verlag, pp.??-??,??. 3. S. Contini and Y. L. Yin, Forgery and Partial Key-Recovery Attacks on HMAC and MAC Using Hash Collisions, Advances in Cryptology - Asiacrypt 06, LCS 4284, Springer-Verlag, pp , J. Kim, A. Biryukov, B. Preneel, and S. Hong, On the Security o HMAC and MAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1, SC 06, to appear. (