ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS

Transcription

1 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS NEAL KOBLITZ AND ALFRED MENEZES Abstract. We prove a security theorem without collision-resistance or a class o 1-key hash-unction-based MAC schemes that includes HMAC and Envelope MAC. The proo has some advantages over earlier proos: it is in the uniorm model, it uses a weaker related-key assumption, and it covers a broad class o MACs in a single theorem. However, we also explain why our theorem is o doubtul value in assessing the real-world security o these MAC schemes. In addition, we prove a theorem assuming collision-resistance. From these two theorems we conclude that rom a provable security standpoint there is little reason to preer HMAC to Envelope MAC or similar schemes. 1. Introduction A common method o constructing a message authentication code (MAC) is the nested construction(nmac).oneirstappliesakeyediteratedhashunctionh(k 1,M) (constructed rom a compression unction ) to the message M, and then one puts this hash value into a second keyed unction (K 2,h(K 1,M)) (where is also a compression unction). For eiciency and ease o implementation one usually wants the MAC to depend on a single key K, and so one sets K 1 = K 2 = K or, more generally, K 1 = g 1 (K), K 2 = g 2 (K) or some unctions g 1,g 2. Our main purpose is to prove a new security theorem without collision-resistance that covers arbitrary constructions o this type. The theorem says, roughly speaking, that the MAC is a pseudorandom unction (pr) provided that both and are pseudorandom unctions and the unctions,,g 1,g 2 satisy a certain rather weak related-key assumption. This theorem is a generalized 1-key version o our Theorem 10.1 in [14]. The two most important examples o this type o MAC are the Hash-based Message Authenication Code (HMAC) [2] (standardized in [3] and [16]) and Envelope MAC (also called Sandwich MAC, see [23] or a recent version). In these cases there are earlier security proos without collision resistance in [1] and [23], but unortunately those proos are not valid in the uniorm model o complexity. 1 In other words, they use unconstructible adversaries and so have to assume that the cryptographic primitives withstand attack even by unconstructible adversaries. For this reason, as we explained in [14] (see also [5]), they do not give useul concrete bounds on the resources a pradversary would need in order to deeat the MAC. In contrast, our theorem is proved in the uniorm model; this means that it needs much milder assumptions. Date: May 1, 2013; revised on December 24, Fischlin [6] has a uniorm proo o a security theorem or HMAC without collision-resistance, but its useulness is questionable because o the extremely large tightness gap in his result. 1

2 2 NEAL KOBLITZ AND ALFRED MENEZES One o the ive inalists in the NIST SHA-3 competition used Envelope MAC. The designers o the Grøstl construction wrote ( 6.1 o [7]): We propose this envelope construction as a dedicated MAC mode using Grøstl. This construction has been proved to be a secure MAC under similar assumptions as HMAC. Here the designers were reerring to the proo in [23], but they were apparently unaware that Yasuda s proo is not valid in the uniorm model and or that reason gives much weaker guarantees than one would expect. As we commented in [15], one o the drawbacks o results obtained in the non-uniorm model is the possibility that they will be used by other authors who are unaware o the extremely limited nature o such results rom a practice-oriented standpoint. In any case, in the present paper we remove this gap in the security argument in [7] by supplying a uniorm proo. There is a second respect in which our theorem makes a milder assumption than earlier theorems o this type: our related-key assumption is weaker than the one deined in [1, 4]. This not only gives us a stronger theorem, but also enables us to uniy HMAC and Envelope MAC in a single theory. Despite these advantages over earlier security theorems, the sad act is that our main theorem by itsel provides very little assurance about the real-world security o these MAC schemes. In 4 we recall some o the reasons or this. In 5 we prove a second theorem, this time assuming collision-resistance, that carries over the main result o [2] to 1-key nested MACs. Our two theorems together show that rom the standpoint o security reductions there is little dierence between HMAC, Envelope MAC, and other similar constructions. We conclude that security theorems are not o much use in deciding which o the competing schemes HMAC, Envelope MAC, or some other variant has better security in practice. 2. Statement o the Main Theorem Let : {0,1} c {0,1} b {0,1} c and : {0,1} c {0,1} c {0,1} c be two compression unctions. Here b 2c (typically b = 512 and c = 128 or 160), so that compresses by a actor o at least 3, whereas compresses by a actor o 2. Let g i : {0,1} c {0,1} c, i = 1,2. We suppose that all o these unctions are publicly and eiciently computable. By a (t,q)-adversary we mean an adversary that makes q queries and has running time t. Recall that is said to be an (ǫ,t,q)-secure pseudorandom unction (pr) i no (t, q)-adversary can distinguish between with a hidden key and a random unction with advantage ǫ. We say that is strongly (ǫ,t,q)-secure (see [14]) i such an adversary beore any query is permitted to reset the oracle, by which we mean that in response to the adversary s request the oracle chooses either a new random key (i it is (K,.)) or a new random unction (i it is a random unction r (.)). We now deine the related-key assumption that we shall use in our main theorem. Deinition 1. In the above setting, we say that (, ) is (ǫ,t,q)-secure against (g 1,g 2 )- related-key attacks i no (t,q)-adversary has an advantage greater than or equal to ǫ in the ollowing interaction with the oracle O rka. First, the oracle chooses a random bit; i it is 0, the oracle chooses two random keys K 1,K 2 {0,1} c ; i it is 1, the oracle chooses one random key K {0,1} c and sets K 1 = g 1 (K), K 2 = g 2 (K). Each query o

3 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 3 the adversary is a message M in either {0,1} b or {0,1} c, to which the oracle responds with either (K 1,M) or (K 2,M), respectively. At the end the adversary guesses the oracle s random bit. We recall that in this situation the advantage o the adversary is deined as Prob(adversary guesses 1 oracle chose 1) Prob(adversary guesses 1 oracle chose 0), where Prob(A B) denotes the conditional probability o event A given event B. This setting is general enough to include two o the best-known MAC constructions (see Figure 1): (1) For HMAC, let IV be a ixed (and publicly known) initiation vector, and let ipad and opad be two ixed elements o {0,1} b (also publicly known). We let a superscript 0 on a bitstring in {0,1} c indicate that we are appending b c zero bits to it. We set (K,M) = (K,M 0 ), g 1 (K) = (IV,K 0 ipad), g 2 (K) = (IV,K 0 opad). ( For Envelope MAC, let IV be a ixed (and publicly known) initiation vector; let (K,M) = (M,K 0 ), g 1 (K) = (IV,K 0 ), and g 2 (K) = K. Remark 1. The above related-key assumption is weaker than the related-key assumption in [1, 4]. In that assumption the oracle is required to simply give the adversary the two keys K 1,K 2. In that case the adversary can o course compute any number o desired values (K 1,M) or (K 2,M), limited only by the running time bound; in other words, the rka-adversary in our assumption is less powerul (because it has less inormation) than the rka-adversary in [1, 4]. Moreover, with the rka-assumption in [1, 4] we wouldn t have been able to include Envelope MAC in our theorem, because when g 2 (K) = K the adversary, i given K 1 and K 2, can trivially determine whether or not K 1 = g 1 (K 2 ). In the above setting let h : {0,1} c ({0,1} b ) {0,1} c denote the iterated hash unction that, given a key K {0,1} c and a message M = (M 1,M 2,...,M m ), M i {0,1} b, successively computes h 1 = (K,M 1 ), h i+1 = (h i,m i+1 ), i = 1,2,...,m 1 and sets h(k,m) = h m. We deine the message authentication code MAC,,g1,g 2 as ollows: MAC,,g1,g 2 (K,M) = (g 2 (K),h(g 1 (K),M)). Notice that when g 1 (K) = (IV,K 0 ipad) and g 2 (K) = (IV,K 0 opad) this deinition agrees with that o HMAC; and when g 1 (K) = (IV,K 0 ) and g 2 (K) = K it agrees with that o Envelope MAC (see Figure 1). By a (t,q,n)-adversary we mean an adversary that makes q queries o blocklength n and has running time t. We say that MAC,,g1,g 2 is an (ǫ,t,q,n)-secure pseudorandom unction i no (t,q,n)-adversary can distinguish between MAC,,g1,g 2 with hidden key and a random unction with advantage ǫ. Theorem 1. Suppose that is a strongly (ǫ 1,t,q)-secure pseudorandom unction, is an (ǫ 2,t,q)-secure pseudorandom unction, and (, ) is (ǫ 3,t,2q)-secure against (g 1,g 2 )- related-key attacks. Then MAC,,g1,g 2 is a (2n(ǫ 1 + ( q 2 c ) + ǫ 2 + 2ǫ 3,t (qnt + Cq log q), q, n)-secure pseudorandom unction. Here C is an absolute constant and T denotes the time or one evaluation o or.

4 4 NEAL KOBLITZ AND ALFRED MENEZES HMAC(K,M) K 0 ipad M 1 M 2 M m IV h m K 0 opad h 0 m IV tag K 0 ENVELOPE MAC(K,M) M 1 M 2 M m K 0 IV tag Figure 1. HMAC and Envelope MAC. Remark 2. In the statement o the theorem the expression 2n(ǫ 1 + ( q 2 c )+ǫ 2 +2ǫ 3 can be replaced by 2nǫ 1 + ǫ 2 + 2ǫ 3. The reason is that, as explained in Remark 10.2 o [14], the generic key-guessing attack on the strong pseudorandomness property has advantage roughly (qt/t)2 c ; since we need t > qnt or the theorem to have content, it ollows that ǫ 1 ( q 2 c. Beore proving Theorem 1, we give an inormal summary o the argument. The irst step is to show that a pr-adversary A MAC o MAC,,g1,g 2 is also a pr-adversary with almost the same advantage o the MAC obtained by replacing the (g 1,g 2 )- related keys by independent random keys. Here almost means that we can construct a related-key-attack A rka on (, ) whose advantage is equal to hal the dierence between the advantage o A MAC when the keys are (g 1 (K),g 2 (K)) and its advantage when the keys are independent. This step reduces the problem to the case when there are two independent keys, at which point we can essentially ollow the proo or NMAC in [14]. Namely, we show that a pr-adversary or the MAC succeeds only when either the pr-property o the outer shell (K2,.) is attacked (we call its adversary A ) or else a collision is produced in the iterated hash-unction that s inside this shell. In the latter case we use the collision to construct a pr-adversary o. Since there are two possible types o collisions that can occur and up to n iterations o the hash unction, this leads

5 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 5 to roughly 2n -adversaries. This intuitively explains why 2nǫ 1 + ǫ 2 +2ǫ 3 appears in the conclusion o the theorem. The term 2n ( q 2 c arises because o the possibility o random collisions between c-bit strings. We shall give the actual proo in the next section. The above plausibility argument shows that the basic ideas in the proo are simple. However, the organization is a little intricate because o the need to proceed careully with the reduction using all o the adversaries. We see no way to come up with a more concise sel-contained proo, and we apologize to the reader or that. 3. Proo o the Main Theorem Proo. We will prove the ollowing equivalent statement: i is a strongly (( ǫ ǫ 2 2ǫ 3 2n ( q ) 2 2 c ),t+(qnt +Cqlogq),q)-secure pseudorandom unction, is an (ǫ2,t+(qnt + Cqlogq),q)-secure pseudorandom unction, and (, ) is (ǫ 3,t + (qnt +Cqlogq),2q)- secureagainst(g 1,g 2 )-related-key attacks, then MAC,,g1,g 2 isan(ǫ,t,q,n)-secure pseudorandom unction. The proo starts by supposing that we have a (t, q, n)-adversary A MAC that has advantage ǫ in the pseudorandomness test or MAC,,g1,g 2, and then it proceeds to construct a (t + (qnt + Cqlogq),2q)-adversary A rka o the related-key property, a (t+(qnt +Cqlogq),q)-adversary A o the pseudorandom property o, and a (t + (qnt + Cqlogq),q)-adversary A o the pseudorandom property o such that at least one o the ollowing holds: (i) A rka has advantage ǫ 3 against the (g 1,g 2 )-related key property o (, ). (ii) A has advantage ǫ 2 in the pseudorandomness test or. (iii) A hasadvantange (ǫ ǫ 2 2ǫ 3 )/(2n) ( q 2 c inthestrongpseudorandomness test or. Note that i any o these three conditions holds, we have a contradiction that proves the theorem. For the i-th message query M i we use the notation Ml i to denote its l-th block, we let M i,[m] = (M1 i,...,mi m) be the truncation ater the m-th block, and we set M i,(m) = (Mm i,mi m+1,...), that is, Mi,(m) is the message with the irst m 1 blocks deleted. We say that a message is non-empty i its block length is at least 1. Let h be the corresponding iterated unction, and let h be the MAC that or a key (K 1,K 2 ) {0,1} c {0,1} c is deined as ollows: h(k1,k 2,M) = (K 2,h(K 1,M)), wherem = (M 1,...,M m )isanm-blockmessage, m n. NotethatMAC,,g1,g 2 (K,M) = h(g 1 (K),g 2 (K),M). Let r(m) denote a random unction o messages, and let r (M 1 ) denote a random unction o 1-block messages. In response to an input o suitable length, r or r outputs a random c-bit string, subject only to the condition that i the same input is given a second time (in the same run o the algorithm) the output will be the same. In the test or pseudorandomness the oracle is either a random unction or the unction being tested, as determined by a random bit (coin toss). Now suppose that we have a (t,q,n)-adversary A MAC that, interacting with its oracle O MAC, has advantage ǫ against the pr-test or MAC,,g1,g 2. We use A MAC to construct our adversaries A h, A rka, A, and A. The last three are the adversaries in the above conditions (i) (iii); the (t,q,n)-adversary A h attacks the pseudorandomness

6 6 NEAL KOBLITZ AND ALFRED MENEZES property o h. Each adversary makes at most the same number o queries as A MAC (except that the related-key adversary can make up to 2q queries) and has a comparable running time. More precisely, the bound t+(qnt +Cqlogq) on the running time o the adversaries A rka, A, and A comes rom the time required to run A MAC, make at most q computations o h-values, and store at most q values (coming rom oracle responses and h-computations) in lexicographical order and sort them looking or collisions. (An adversary does notin all cases perormall o these steps; rather, this is anupperbound.) The related-key adversary A rka runs A MAC and interacts with the related-key oracle O rka, which chooses a random bit u. Recall that A rka, ater querying the oracle O rka with at most 2q b-bit or c-bit messages, must guess whether the keys K 1 and K 2 that O rka is using are independent (i.e., u = 0) or are related by K i = g i (K), i = 1,2, or some K (i.e., u = 1). TheadversaryA rka randomlychoosesabitl, andasa MAC runs,a rka respondstoeach query M i as ollows. I l = 0, its response to each query is a random c-bit string (except in the case when a query is repeated, in which case the response is also repeated). I l = 1, then it irst queries O rka with M i 1 and computes H = h(o rka(m i 1 ),Mi,( ), where O rka (M i 1 ) denotes the oracle s response. (I Mi is just a 1-block message, then H is set equal to O rka (M i 1 ).) Now A rka makes a second query to O rka this time the c-bit query H and responds to A MAC s query with O rka (H). 2 At the end A rka guesses that the random bit u chosen by O rka is 1 i A MAC guesses that the random bit l chosen by A rka (which is simulating an oracle) is 1; otherwise, it guesses that u = 0. (Note that A rka guesses 0 i A MAC stops or reaches time t without producing a guess; this could happen i A rka is not properly simulating O MAC, which would imply that u = 0.) Let δ denote the advantage o A rka. We alsoconstructan adversary A h thatinteracts withits oracle O h andrunsa MAC. When A MAC makes a query M i, the adversary A h queries O h and sends A MAC the response O h (M i ). I A MAC guesses that the oracle simulated by A h is a random unction, then A h guesses that its oracle O h is a random unction; otherwise A h guesses that its oracle is h with hidden keys. In particular, note that i A MAC stops or ails to produceaguess in time t as may happen when A h is not property simulating O MAC then A h guesses that its oracle is h with hidden keys. (This makes sense, since i O h were a random unction, then the simulation o O MAC would be correct.) Let γ denote the advantage o A h. Returning to the description o A rka, we see that there are two cases, depending on whether the random bit u o the oracle O rka was (a) 1 (that is, its keys are related) or (b) 0 (that is, its keys are independent). In case (a) the interaction o A rka with A MAC precisely simulates O MAC, and in case (b) it precisely simulates O h. (As we noted, in case (b) our original adversary A MAC may stop or run or time t without producing a 2 The theorem s query bound or the related-key property is 2q because Arka makes two queries or each query o A MAC.

7 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 7 guess; in this case A rka makes the guess 0.) Let p 1 = Prob(A MAC guesses 1 l = 1 and u = 1); p 2 = Prob(A MAC guesses 1 l = 1 and u = 0); p 3 = Prob(A MAC guesses 1 l = 0). Note that when l = 0 there is no interaction with O rka, and so the guess that A MAC makes is independent o whether u = 0 or u = 1. By assumption, A MAC has advantage ǫ in a pr-test or MAC,,g1,g 2 ; in other words, p 1 p 3 ǫ. We also have p 2 p 3 = γ. Subtracting gives p 1 p 2 ǫ γ. Next, the advantage δ o the related-key adversary A rka is given by Prob(A rka guesses 1 u = 1) Prob(A rka guesses 1 u = 0) = Prob(A MAC guesses 1 u = 1) Prob(AMAC guesses 1 u = 0) = Prob(A MAC guesses 1 u = 1 and l = 0) Prob(l = 0) +Prob(A MAC guesses 1 u = 1 and l = 1) Prob(l = 1) Prob(A MAC guesses 1 u = 0 and l = 0) Prob(l = 0) Prob(A MAC guesses 1 u = 0 and l = 1) Prob(l = 1) = 1 2 (p 3 +p 1 p 3 p 2 ) = 1 2 (p 1 p 2 ) (ǫ γ)/2. I condition (i) in the irst paragraph o the proo does not hold, then δ < ǫ 3, in which case γ > ǫ 2ǫ 3. For the remainder o the proo we assume that the advantage o A h satsiies this inequality, since otherwise (i) holds and we re done. The rest o the proo closely ollows the proo o Theorem 10.1 o [14]. We shall give the details rather than simply citing [14] because the present setting is slightly more general (with two pseudorandom compression unctions and rather than just one) and because there is some beneit in having a sel-contained proo in one place. We now construct an -adversary A and consider its advantage. As beore, or any oracle O we let O(M) denote the response o O to the query M. The adversary A is given an oracle O and, using A h as a subroutine, has to decide whether O is (K 2,.) or a random unction r (.) o 1-block messages. She chooses a random K 1 and presents the adversary A h with an oracle that is either (K 2,h(K 1,.)) or else a random unction r(.); that is, she simulates O h (see below). In time t with q queries A h is able with advantage γ > ǫ 2ǫ 3 to guess whether O h is h with hidden keys or a random unction r. Here is how A simulates O h : in response to a query M i rom A h, she computes h(k 1,M i ), which she queries to O, and then gives A h the value O (h(k 1,M i )). Eventually (unless the simulation is imperect, see below) A h states whether it believes that its oracle O h is h or r, at which point A states the same thing or the oracle O that is, i A h said h, then she says that O must have been, whereas i A h said that O h is r, then she says that O is r. Notice that i the oracle O is (K 2,.), then the oracle O h that A simulates or A h is h (with random key K = (K 1,K 2 )); i the oracle O is r (.), then the oracle that A simulates

8 8 NEAL KOBLITZ AND ALFRED MENEZES or A h acts as r with the important dierence that i h(k 1,M i ) coincides with an earlier h(k 1,M j ) the oracle outputs the same value (even though M i M j ) rather than a second random value. 3 I the latter happens with negligible probability, then this algorithm A is as successul in distinguishing rom a random unction as A h is in distinguishing h rom a random unction. Otherwise, two sequences o -adversaries A (m) and B (m) come into the picture, as described below. The general idea o these adversaries is that they each use the oracle O in the pseudorandomness test or to look or collisions between h-values o two dierent messages M i,m j queried by A h. More precisely, the m-th adversary in a sequence works not with all o a queried message, but rather with the message with its irst m 1 blocks deleted. I a collision is produced, then with a certain probability O must be (K 2,.); however, one must also account or the possibility that O is r (.), and in the case o A (m) this brings in the next adversary in the sequence A (m+1). First we make a remark about probabilities, which are taken over all possible coin tosses o the adversary, all possible keys, the oracle s choice bit (which determines whether it is the unction being tested or a random unction), and the coin tosses o the oracle in the case when it outputs a random unction. 4 I the adversary s oracle is or h with hidden keys, then the adversary s queries in general depend on the keys (upon which the oracle s responses depend) as well as the adversary s coin tosses. However, i theadversary soracleisarandomunction whichisthesituation whena ails andthe sequences o adversaries A (m) and B (m) are needed then the oracle responses can be regarded simply as additional coin tosses, and the adversary s queries then depend only on the coin tosses and are independent o the keys. This is an important observation or understanding the success probabilities o the adversaries. We deine α 0 to be the probability, taken over all coin tosses o A h (including those coming rom random oracle responses)and all keys K 1, that the sequence o A h -queries M i satisies the ollowing property: there exist i and j, j < i, such that h(k 1,M i ) = h(k 1,M j ). For m 1 we deine α m to be the probability, taken over all coin tosses o A h and all q-tuples o keys (K 1,K 2,...,K q ), that the sequence o A h -queries M i satisies the ollowing property: (1 m ) there exist i and j, j < i, such that M i,(m+1), M j,(m+1), h(k li,m i,(m+1) ) = h(k lj,m j,(m+1) ), where or any index i or which M i,(m+1) we let l i denote the smallest index or which M l i,(m+1) and M i,[m] = M l i,[m]. 3 I A h ails to produce a guess about the oracle O h in time t, as can happen i the simulation is imperect, then A guesses that O is a random unction. Note that the simulation is perect i O is with hidden key. 4 The term over all possible coin tosses means over all possible runs o the algorithm with each weighted by 2 s, where s is the number o random bits in a given run.

9 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 9 Finally, or m 1 we deine β m to be the probability, taken over all coin tosses o A h and all q-tuples o keys (K 1,K 2,...,K q ), that the sequence o A h -queries M i satisies the ollowing property: (2 m ) there exist i and j such that M i,(m+1) =, M j,(m+1), M i,[m] = M j,[m], and h(k i,m j,(m+1) ) = K i. We now return to the situation where with non-negligible probability α 0 the queries made by A h lead to at least one collision h(k 1,M i ) = h(k 1,M j ). Note that the advantage o the adversary A is at least ǫ 2ǫ 3 α 0. I condition (ii) ails, i.e., i this advantage is < ǫ 2, it ollows that α 0 > ǫ ǫ 2 2ǫ 3. In the remainder o the proo, we shall assume that this is the case, since otherwise (ii) holds and we re done. is A, which is given the oracle O that is either (K 1,.) with a hidden random key K 1 or else r (.). As A runs A h, giving random responses to its queries, she queries O with the irst block M1 i o each A h - The irst adversary in the sequence A (m) query M i. I M i,( is non-empty, she then computes y i = h(o (M1 i),mi,( ); i M i,( is empty, she just takes y i = O (M1 i). I O is (K 1,.), then y i will be h(k 1,M i ), whereas i O is r (.), then y i will be h(l i,m i,( ) or a random key L i = O (M1 i) i Mi,( is non-empty and will be a random value L i i M i,( is empty. As the adversary A gets these values, she looks or a collision with the y j -values obtained rom earlier queries M j. I a collision occurs, she guesses that O is with hidden key; i not, she guesses that O is r (.). Itis, ocourse, conceivablethatevenwheno isr (.)thereisacollisionh(l i,m i,( ) = h(l j,m j,( ) with M i,( and M j,( non-empty. Note that L i = L j i M1 i = Mj 1, but L i and L j are independent random values i M1 i Mj 1. In other words, we have (1 1). Recall that the probability that this occurs is α 1. It is also possible that even when O is r (.) there is a collision involving one or both o the random values L i or L j that is produced when M i,( or M j,( is empty. I both are empty, then the probability that L i = L j is 2 c. I, say, M j,( is non-empty, then in the case M1 i Mj 1 we again have probability 2 c that L i = h(l j,m j,( ), whereas in the case M1 i = Mj 1 we have (2 1) with K i = L i. Bringing these considerations together, we see that the advantage o A is α 0 α 1 β 1 ( q 2 c. We next describe the sequence o adversaries A (m), m 2. Let O again denote the pr-test oracle or that A (m) can query. Like A, he runs A h once and gives random responses to its queries. As A h makes queries, he sorts their preixes (where we are using the word preix to denote the irst m 1 blocks o a query that has block-length at least m). I the i-th query has block-length at least m and i its preix coincides with that o an earlier query, he records the index l i o the irst query that has the same preix; i it has a dierent preix rom earlier queries he sets l i = i. Ater running A h, he goes back to the irst query M j 1 that has block-length at least m and or all i or which l i = j 1 (that is, or all queries that have the same preix as M j 1 ) he queries Mm i to O and computes y i = h(o (Mm),M i i,(m+1) ) i M i,(m+1) is non-empty

10 10 NEAL KOBLITZ AND ALFRED MENEZES and otherwise takes y i = O (Mm i ). Then he resets O and goes to the irst j 2 such that M j 2 has block-length at least m and a dierent preix rom M j 1. For all i or which l i = j 2 he queries Mm i to O and computes y i = h(o (Mm),M i i,(m+1) ) i M i,(m+1) is non-empty and otherwise takes y i = O (Mm). i He continues in this way until he s gone through all the queries. He then looks or two indices j < i such that y j = y i. I he inds a collision, he guesses that O is with hidden key; otherwise, he guesses that it is a random unction. The adversary A (m) takes advantage o the α m 1 probability o a collision o the orm (1 m 1 ), and i such a collision occurs he guesses that O is with hidden key. The possibility that O is really r (.) is due to two conceivable circumstances a collision o the orm (1 m ) or a collision among random values (either a collision between two random values L i and L j or between L i and h(l j,m j,(m+1) ), or else a collision o the orm (2 m ) with K i = L i here the probability o such a collision is bounded by ( ) q 2 2 c and by β m, respectively). Finally, the sequence o adversaries B (m), m 1, is deined as ollows. As usual, O denotes the pr-test oracle or that B (m) can query. She runs A h once and gives random responses to its queries. As A h makes queries, she sorts their preixes (where this time we are using the word preix to denote the irst m blocks o a query that has block-length at least m). She makes up a list o pairs (i,s(i)), where the i-th query has block-length exactly m and coincides with the preix o at least one other query; in that case S(i) denotes the set o indices j i such that M j,[m] = M i. Ater running A h, she chooses a message-block Y that is dierent rom all the blocks M j m+1 o all queries M j. She goes through all indices i with non-empty S(i). For each such i she queries Y to O and or each j S(i) she also queries M j m+1 to O and computes y j = h(o (M j m+1 ),Mj,(m+,Y). She looks or a collision between O (Y) and y j or j S(i). Beore going to the next i she resets O. I she inds a collision or any o the i, she guesses that O is with hidden key; otherwise, she guesses that it is a random unction. The advantage o this adversary is at least β m q2 c, because i O is (K i,.) and h(k i,m j,(m+1) ) = K i, then h(o (M j m+1 ),Mj,(m+,Y) = (K i,y) = O (Y), whereas i O is a random unction, then O (Y) has probability only 2 c o coinciding with this h-value. We thus have the ollowing lower bounds or the advantages o the adversaries: A : α 0 α 1 β 1 ( q 2 c ; A (m), m 2: α m 1 α m β m ( q 2 c ; B (m), m 1: β m q2 c. Trivially we have α n = β n = 0, and so the adversaries go no arther than A (n) and. The sum o all the advantages o the 2n 1 adversaries telescopes and is at B (n 1) least α 0 (2n 1) ( q 2 c. Since we have no way o knowing which o these adversaries has the greatest advantage, we make a random selection. That is, the adversary A we use to attack the pseudorandomness o consists o randomly choosing one o the 2n 1 adversaries A,

11 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 11 A (m) (2 m n), B (m) (1 m n 1) and running it. The advantage o the adversary A is the expectation obtained by summingthe advantages o the 2n 1adversaries with each one weighted by the probability 1/(2n 1) that we choose the corresponding 1 adversary. This advantage is at least 2n 1 (α 0 (2n 1) ( q) 2 2 c )) > ( ǫ ǫ 2 2ǫ 3 2n ( q 2 c ). Thus, returning to the irst paragraph o the proo, we have shown that i conditions (i) and (ii) do not hold, then condition (iii) holds. 4. Interpretation How useul is our theorem as a guarantee o real-world security? As in the case o Theorem 10.1 o [14], there are several reasons or skepticism concerning the practical assurance provided by Theorem 1: (1) In order to conclude that our MAC is an (ǫ,t,q,n)-secure pseudorandom unction, we need the inner compression unction to be a strongly (ǫ/(2n),t,q)- secure pseudorandom unction. In other words, we have a tightness gap o about 2n, which is large i, or example, we allow a block-length bound o 2 20 or ( Theorem 1 is in the single-user setting, and its security assurances could ail in the more realistic multi-user setting. (3) The three hypotheses in Theorem 1 pseudorandomness o the outer compression unction, strong pseudorandomness o the inner compression unction, 6 and the related-key property are in general extremely diicult to evaluate. When the assumptions in a theorem cannot be evaluated in any convincing manner, we should not be surprised i practitioners view the theorem as having little value. 5. Security Theorem with Collision-Resistance There are two types o security theorems that have been proved about nested MACs. Starting with Bellare s paper[1](see also[6, 14, 19]), some authors have proved theorems without assuming collision-resistance o the iterated hash unction. The idea is that conidence in security o a MAC scheme should not depend upon the rather strong assumption that an adversary cannot ind hash collisions. Our Theorem 1 continues this line o work. On the other hand, i one is using a hash unction that one strongly believes to be collision-resistant and one wants to know that an adversary cannot orge message tags, then one can go back to the much earlier and more easily proved security theorem in [2]. The purpose o this section is to carry over the main result o [2] to our class o 1-key nested MACs. 5 The tightness gap in our theorem, bad as it is, is not nearly as extreme as the one in Fischlin s theorem [6], which establishes the secure-mac property or NMAC and HMAC based on assumptions that are slightly weaker than the pr property. The gap in success probabilities in that theorem is roughly qn 2. In [6] this gap is compared to the q 2 n gap in Bellare s Theorem 3.3 in [1]. However, any comparison based solely on success probabilities is misleading, since the actor q 2 n in Bellare s theorem is multiplied by the advantage o a very low-resource adversary A 2 with running time nt, much less than that o Fischlin s adversary. One must always include running time comparisons when evaluating tightness gaps, and this is not done in [6]. 6 Note that the inner compression unction needs to be strongly (ǫ 1,t,q)-secure or a quite small value o ǫ 1, since the theorem loses content i ǫ 1 > 1/(2n).

12 12 NEAL KOBLITZ AND ALFRED MENEZES An iterated hash unction h is said to be (ǫ, t, q, n)-weakly-collision-resistant i no (t, q, n)-adversary that queries h(k,.) has success probability ǫ o producing a collision h(k,m ) = h(k,m), wherem andm are distinct messages o block-length n. (Here h(k,.) is regarded as an oracle, i.e., a black box, and K is a hidden key.) A MAC is said to be(ǫ,t,q,n)-secure against orgery i no(t,q,n)-adversary has success probability ǫ o producing a tag or an unqueried message o block-length n. Theorem 2. Suppose that the iterated hash unction h coming rom the compression unction is (ǫ 1,t,q,n)-weakly-collision-resistant, the compression unction is an (ǫ 2,t,q,1)-secure MAC, and (, ) is (ǫ 3,t,2q + -secure against (g 1,g 2 )-related key attacks. Then MAC,,g1,g 2 is an (ǫ 1 +ǫ 2 +ǫ 3,t (q+1)nt,q,n)-secure MAC, where T is the time required or one evaluation o or. Proo. The proo is quite simple. Suppose that we are given a (t (q +1)nT,q,n)- adversary A MAC that has probability ǫ 1 +ǫ 2 +ǫ 3 o orging a MAC,,g1,g 2 -tag. Then we construct three adversaries a (t,q)-adversary A, a (t,q,n)-adversary A wcr and a (t,2q +-adversary A rka such that at least one o the ollowing is true: (i) A has probability ǫ 2 o orging a -tag. (ii) A wcr has probability ǫ 1 o producing an h-collision. (iii) A rka has advantage ǫ 3 against the (g 1,g 2 )-related key property o (, ). (It does not matter which o (i), (ii), (iii) is true, since any one o the three would contradict the assumptions o the theorem.) We irst use A MAC to construct both an adversary A rka o the related-key property and an adversary A h that can orge an h-tag. (Recall that h denotes the MAC (K 2,h(K 1,M)) with independent keys.) The adversary A rka runs A MAC and interacts with the oracle O rka, which chooses a random bit u. Ater querying the oracle O rka with at most 2q + 2 b-bit or c-bit messages, A rka must guess whether O rka is using random keys (i.e., u = 0) or related keys (i.e., u = 1). As A MAC runs, or each o its queries M i the adversary A rka queries the irst block M i 1 to O rka, then computes H = h(o rka (M i 1 ),Mi,( ), and inally queries H to O rka ; it gives the value O rka (H) to A MAC as the tag o the queried message. I in time t (q + 1)nT the adversary A MAC orges a tag o an unqueried message, 7 then A rka guesses that u = 1; otherwise, it guesses that u = 0. Let α denote the advantage o A rka, where, by deinition (1) α = Prob ( A rka guesses 1 u = 1 ) Prob ( A rka guesses 1 u = 0 ). The time A rka needs to perorm these steps that is, computing the values H, waiting or A MAC, and veriying the orgery produced by A MAC is bounded by qnt + (t (q +1)nT)+nT = t. We construct A h as ollows. It has an h-oracle O h that has hidden keys K 1,K 2. The adversary A h runs A MAC, responding to each o its queries M i by querying O h and giving A MAC the response O h (M i ). I A MAC orges the h-tag o an unqueried 7 Note that Arka can veriy that A MAC has a valid orgery using the same procedure that was used to respond to its queries. This means that A rka needs to be allowed two more queries o O rka, and or this reason the query bound or A rka is 2q+2 rather than 2q and the time bounds have the term (q+1)nt rather than qnt.

13 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 13 message M (which A h can veriy with one urther query to its oracle), then A h has succeeded in orging the h-tag o M. Let β denote the success probability o this adversary A h. Note that the interaction o A h with A MAC is exactly the same as that o A rka with A MAC in the case u = 0. Thus, the second term on the right in the expression (1) or α is equal to β, whereas the irst term is the success probability o A MAC, which by assumption is at least ǫ 1 +ǫ 2 +ǫ 3. We hence have α+β ǫ 1 +ǫ 2 +ǫ 3, and this means that either α ǫ 3 (which is the alternative (iii) above) or else β ǫ 1 +ǫ 2. We now usea h to constructan -tag-orging adversary A andan h-collision-inding adversary A wcr. The ormer is constructed as ollows. Ater choosing a random key K 1, A runs A h. In response to each query M i rom A h, A computes H = h(k 1,M i ), queries this H-value to its oracle O = (K 2,.), and gives the value (K 2,H) to A h. With probability β in time t (q +1)nT the adversary A h inds a tag T = h( M), where M is dierent rom all o the queried messages. The bound on the time A needs toperormthesesteps thatis, computingthevaluesh(k 1,M i )andwaiting ora h is qnt+(t (q+1)nt)= t nt. Then A takes time nt to compute H = h(k 1, M), hoping that it is dierent rom all H-values that were queried to O, in which case it has succeeded in orging an -tag. Meanwhile, the adversary A wcr, which has an oracle O wcr that responds to queries with h(k 1,.) where K 1 is a hidden key, is constructed as ollows. It chooses a random key K 2 and runs A h, responding to its queries M i with (K 2,O wcr (M i )). A wcr looks or a collision between some O wcr (M i ) = h(k 1,M i ) and O wcr ( M) = h(k 1, M), where ( M, T) is the orgery produced by A h in the event that the latter adversary succeeds in its task. Note that the success probability β o A h is the sum o the success probability o A and that o A wcr. Since β ǫ 1 + ǫ 2 i alternative (iii) does not hold, it ollows that at least one o the above alternatives (i) (iii) must hold. This concludes the proo. This theorem, like Theorem 1, provides only a very limited type o security assurance. Two o the three reasons or skepticism listed in 4.2 also apply to Theorem 2: it assumes the (unrealistic) single-user setting, and one o its hypotheses the secure- MAC property or the compression unction is very diicult to evaluate in practice. On the positive side, at least Theorem 2 is tight, unlike Theorem 1. It s reasonable to regard Theorem 2 as providing a type o assurance that the domain-extender eature o the MAC scheme is not likely to be a source o security breaches, provided that h is weakly collision-resistant. The proo o Theorem 2 is short, straightorward, and in some sense tautological. Some people would even say that it is trivial, although we would preer not to use such a pejorative word in connection with the proo o Theorem 2. But in any case, it seemstousthatproosothissortmerelyconirmwhatismoreorlessintuitively obvious rom the beginning. Such proos cannot serve as a meaningul source o conidence in a protocol, and they certainly cannot be a substitute or extensive testing and concrete cryptanalysis.

14 14 NEAL KOBLITZ AND ALFRED MENEZES 6. HMAC vs. Envelope MAC comparison As discussed in [10], it oten happens that a type o cryptography enjoys nearly universal acceptance more or reasons o historical happenstance than because o its intrinsic advantages over the alternatives. At present HMAC is widely deployed, whereas Envelope MAC languishes in relative obscurity. But the reasons or this seem to lie in the peculiarities o the history o Envelope MAC, and one can argue that, despite this history, it deserves serious consideration as a secure and practical MAC scheme. An envelope MAC scheme was irst presented by Tsudik in [22]. His scheme used two independent c-bit keys, and he argued inormally that this would give it 2c bits o security. However, Preneel and van Oorschot [20] showed that the keys can be recovered in 2 c+1 steps i one knows approximately 2 c/2 message-tag pairs. That is, Tsudik was wrong, and two independent keys do not give signiicantly more security than one key. Soon ater, Kaliski and Robshaw [8] and Piermont and Simpson [18] presented a 1-key variant o Envelope MAC, but it had a law. To explain this, or concreteness we ll use MD5 as the underlying hash unction with c = 128, b = 512. Let p denote a 384-bit padding, used to extend a key to ill a 512-bit block. Given a 128-bit key K and a message M o arbitrary length, the tag is h(k p M K 0 ) (where the 0 superscript indicates that 0 s are appended to ill out the last message-block). Note that the second K may spill over into two blocks since thebitlength o M is not required to beamultiple o b. Preneel and van Oorschot[21] exploited this overlap to design a key-recovery attack that needs approximately 2 64 message-tag pairs and has running time Because a MAC based on MD5 would be expected to require exhaustive search that is, roughly steps or key recovery, this attack exposed a serious deect in the variant o Envelope MAC in [8, 18]. The Preneel-van Oorschot attack gave Envelope MAC a bad name. However, the attack was possible only because o poor ormatting o the second key block. This law can be removed simply by ensuring that each key lies in its own block. This was done by Yasuda [23]. Yasuda also gave a security proo, along the lines o Bellare s HMAC security proo in [1]; in act, he made crucial use o Bellare s Lemma 3.1. Like Bellare s proo, Yasuda s security theorem requires unconstructible adversaries and so is not valid in the uniorm model o complexity. Our Theorem 1 gives a uniorm proo or the version o 1-key Envelope MAC described by Yasuda. As pointed out in [23], Envelope MAC has a minor eiciency advantage over HMAC because the iterated hash unction needs to be applied just once. Generally, the accepted procedure when applying an iterated hash unction is to append a block at the end o the message that gives the block-length o the message. (With this modiication one can give a simple proo that collision-resistance o implies collision-resistance o h.) In Envelope MAC this is done just once, whereas in HMAC it needs to be done twice. Envelope MAC also has the advantage o simplicity no need or ipad and opad. In order to argue that HMAC is preerable, one thus has to make a persuasive case that it has better security. Our two theorems give the same security results in both cases, and the same building block (a compression unction ) can be used in both. From this standpoint the only grounds or preerring HMAC would be i one o the ollowing holds:

15 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 15 (1) Thepr-assumptionon intheorem1ismorecredibleorhmacthanorenvelope MAC. In the ormer case the assumption is weaker than the pr-assumption on and in act ollows rom it. In the latter case the assumption also seems to be weaker than the pr-assumption on in practice but not in the ormal sense; in Envelope MAC the pr-assumption on is an additional condition that is not a consequence o the pr-assumption on. 8 One could claim that the need or a separate -condition in Envelope MAC means that it is less secure than HMAC. ( The secure-mac assumption on in Theorem 2 is more credible or HMAC than or Envelope MAC. One would be claiming that it s harder to orge a tag i the key occurs in the irst c bits than i it occurs in the next c bits. (3) The dierent choices o the pair o unctions g 1, g 2 lead to a real dierence in strength o the related-key assumptions. There would be a strong reason to preer HMAC i one could argue that the choice g 2 (K) = K in Envelope MAC makes the related-key assumption less plausible. However, we know o no evidence or any o the above three claims. To the best o our knowledge, no provable security theorem justiies preerring one o these two MACs over the other. Nor does any such theorem preclude the possibility that one would want to choose some other MAC with entirely dierent unctions, g 1, g 2. Remark 3. Both HMAC and Envelope MAC oer the convenience o using only an o-the-shel hash unction with built-in IV. However, one can argue that or the outer compression unction which maps only rom {0,1} c {0,1} c rather than rom the much larger set {0,1} c {0,1} b it might be more eicient to use a specially chosen. One can even argue that the inner compression unction needs to have better security than because it is iterated. That is why Theorem 1 has a 2n tightness gap with respect to the advantage bound ǫ 1 o an -adversary but not with respect to the advantage bound ǫ 2 o an -adversary. I one believes that security proos should guide protocol design and that eiciency should not be sacriiced or security unless a provable security theorem gives grounds or doing so (in [9] Katz and Lindell argue orceully or this viewpoint), then it is natural to conclude that should be less secure than. Elsewhere (see [13]) we have raised doubts about this way o thinking, so our personal preerence would be not to use a weaker. But to someone who needs only short-term security this might be an acceptable risk in order to gain a slight edge in eiciency. 7. Conclusions 7.1. The importance o the right deinitions. In their highly-regarded textbook [9] on the oundations o cryptography, Katz and Lindell write that the ormulation o exact deinitions is Principle 1 in their list o basic principles o modern cryptography and that getting the deinitions right is the essential prerequisite or the...study o any cryptographic primitive or protocol. We agree with this statement, and in [13] we analyzed some o the diiculties and challenges that researchers in both symmetric and 8 In the pr-test or the adversary gets the values (K,M) (with K a c-bit hidden key and M a b-bit queried message); in the test or in HMAC he gets the values (K,M p) (with M a c-bit message and p a ixed (b c)-bit padding); and in the test or in Envelope MAC he gets the values (M,K p). Thus, the only dierence is whether the key occurs in the irst c bits or in the next c bits.

16 16 NEAL KOBLITZ AND ALFRED MENEZES asymmetric cryptography have aced in trying to search or a consensus on what the right deinitions are. In our study o 1-key nested MACs, we have encountered two instances where the standard accepted deinitions are not, in our opinion, the natural and useul ones. First, as weexplainedin 9 o[14], inthecontext oiterated hashunctionstheusualdeinition o pseudorandomness needs to be replaced by a stronger deinition in which the adversary is given the power to reset the oracle. In the second place, when analyzing the step rom NMAC to 1-key versions such as HMAC and Envelope MAC, we believe that our deinition o resistance to related-key attack is preerable to the one used by earlier authors. We have given arguments justiying our use o these new deinitions. Nevertheless, it would be arrogant in the extreme or us to claim that we have resolved the question or that our viewpoint is deinitive. Cryptography is as much an art as a science, and to some extent decisions about which are the right deinitions are matters o personal taste The role o mathematical proos. The NIST documents concerning the SHA-3 competition illustrate the limited role that provable security plays in evaluating realworld cryptosystems. The report [17] that explains the rationale or the selection o the winner devotes about 5% o the section on security to security proos. The report highlights the role o proos in showing a hash unction s security against generic attacks attacks that only exploit the domain extender and not the internals o the underlying building blocks (p. 11). It notes that all ive inalists have this sort o security proo. In other words, the security proos are useul as a minimal type o assurance that basically says that concrete cryptanalysis should ocus on the underlying building blocks rather thanontheextension procedure. Buttheinaldecision aboutwhattousemustbebased on extensive testing and concrete cryptanalysis. NIST makes it clear that provable security, although a necessary component in the security analysis, played no part in ranking the ive inalists. 9 In choosing a MAC scheme, provable security (which, as we argued in [11], is a misnomer) should play no greater role than it did in choosing SHA-3. All methods o the orm in Theorem 1 or constructing MACs rom compression unctions are good domain extenders i they satisy the hypothesis o that theorem o course, good only in the limited sense guaranteed by the conclusion o the theorem. As in the case o the SHA-3 competition, the inal choice has to be made through ad hoc testing rather than mathematical theorems. In particular, the relative merits o HMAC and Envelope MAC cannot be determined rom provable security considerations. The choice between the two (or a decision to go with a totally dierent,g 1,g 2 ) is a judgment call. Reerences [1] M. Bellare, New proos or NMAC and HMAC: Security without collision-resistance, Advances in Cryptology Crypto 2006, LNCS 4117, Springer-Verlag, 2006, pp ; extended version available at 9 How can something be a necessary component, but play no role in the selection? By analogy, when one looks or an apartment, a unctioning toilet is a requirement; however, one doesn t normally choose which apartment to rent based on which has the nicest toilet.

17 ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS 17 [2] M. Bellare, R. Canetti, and H. Krawczyk, Keying hash unctions or message authentication, Advances in Cryptology Crypto 96, LNCS 1109, Springer-Verlag, 1996, pp. 1-15; extended version available at [3] M. Bellare, R. Canetti, and H. Krawczyk, HMAC: Keyed-hashing or message authentication, Internet RFC 2104, [4] M. Bellare and T. Kohno, A theoretical treatment o related-key attacks: RKA-PRPs, RKA- PRFs, and applications, Advances in Cryptology Eurocrypt 2003, LNCS 2656, Springer-Verlag, 2003, pp [5] D. Bernstein and T. Lange, Non-uniorm cracks in the concrete: the power o ree precomputation, Advances in Cryptology Asiacrypt 2013, LNCS 8270, Springer-Verlag, 2013, pp [6] M. Fischlin, Security o NMAC and HMAC based on non-malleability, Topics in Cryptology CT-RSA 2008, LNCS 4064, Springer-Verlag, 2008, pp [7] P. Gauravaram, L. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläer, and S. Thomsen, Grøstl a SHA-3 candidate, available at [8] B. Kaliski and M. Robshaw, Message authentication with MD5, CryptoBytes, 1 (1995), No. 1, pp [9] J. Katz and Y. Lindell, Introduction to Modern Cryptography, Chapman and Hall/ CRC, 2007, [10] A. H. Koblitz, N. Koblitz, and A. Menezes, Elliptic curve cryptography: The serpentine course o a paradigm shit, J. Number Theory, 131 (2011), pp [11] N. Koblitz and A. Menezes, Another look at provable security, J. Cryptology 20, 2007, pp [12] N. Koblitz and A. Menezes, Another look at provable security. II, Progress in Cryptology Indocrypt 2006, LNCS 4329, Springer-Verlag, 2006, pp [13] N. Koblitz and A. Menezes, Another look at security deinitions, Advances in Mathematics o Communications, 7 (2013), pp [14] N. Koblitz and A. Menezes, Another look at HMAC, J. Mathematical Cryptology, 7 (2013), pp [15] N. Koblitz and A. Menezes, Another look at non-uniormity, Groups Complexity Cryptology, 5 (2013), pp [16] National Institute o Standards and Technology, The keyed-hash message authentication code (HMAC), FIPS Publication 198, [17] National Institute o Standards and Technology, Third-round report o the SHA-3 cryptographic hash algorithm competition, Interagency Report 7896, November [18] P. Piermont and W. Simpson, IP authentication using keyed MD5, IETF RFC 1828, August [19] K. Pietrzak, A closer look at HMAC, available at [20] B. Preneel and P. van Oorschot, MDx-MAC and building ast MACs rom hash unctions, Advances in Cryptology Crypto 95, LNCS 963, Springer-Verlag, 1995, pp [21] B. Preneel and P. van Oorschot, On the security o iterated message authentication codes, IEEE Transactions on Inormation Theory, 45 (1999), pp [22] G. Tsudik, Message authentication with one-way hash unctions, ACM SIGCOMM Computer Communication Review, 22 (199, No. 5, pp [23] K. Yasuda, Sandwich is indeed secure: How to authenticate a message with just one hashing, Inormation Security and Privacy ACISP 2007, LNCS 4586, Springer-Verlag, 2007, pp Department o Mathematics, Box , University o Washington, Seattle, WA U.S.A. address: koblitz@uw.edu Department o Combinatorics & Optimization, University o Waterloo, Waterloo, Ontario N2L 3G1 Canada address: ajmeneze@uwaterloo.ca