General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Similar documents
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

On High-Rate Cryptographic Compression Functions

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Introduction to Cryptography Lecture 4

Lecture 10: NMAC, HMAC and Number Theory

Second Preimages for Iterated Hash Functions and their Implications on MACs

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Breaking H 2 -MAC Using Birthday Paradox

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Foundations of Network and Computer Security

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Foundations of Network and Computer Security

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

Attacks on hash functions. Birthday attacks and Multicollisions

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Leftovers from Lecture 3

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Improved Generic Attacks Against Hash-based MACs and HAIFA

Lecture 10: NMAC, HMAC and Number Theory

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Introduction to Cryptography

New Proofs for NMAC and HMAC: Security without Collision-Resistance

SPCS Cryptography Homework 13

Higher Order Universal One-Way Hash Functions

Introduction to Information Security

A new Design Criteria for Hash-Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

New Attacks against Standardized MACs

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Cryptanalysis of the GOST Hash Function

Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98

Security without Collision-Resistance

The Impact of Carries on the Complexity of Collision Attacks on SHA-1

Improved indifferentiability security analysis of chopmd Hash Function

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Week 12: Hash Functions and MAC

Provable Seconde Preimage Resistance Revisited

Foundations of Network and Computer Security

Lecture 14: Cryptographic Hash Functions

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Preimage Attacks on Reduced Tiger and SHA-2

Message Authentication Codes (MACs) and Hashes

Cryptanalysis of Tweaked Versions of SMASH and Reparation

On the Security of Hash Functions Employing Blockcipher Post-processing

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

SMASH - A Cryptographic Hash Function

Improved Collision and Preimage Resistance Bounds on PGV Schemes

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Improved security analysis of OMAC

Fast and Secure CBC-Type MAC Algorithms

Design Paradigms for Building Multi-Property Hash Functions

Chapter 5. Hash Functions. 5.1 The hash function SHA1

2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.

Generic Universal Forgery Attack on Iterative Hash-based MACs

CPSC 467: Cryptography and Computer Security

SMASH - A Cryptographic Hash Function

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

An introduction to Hash functions

CPSC 467: Cryptography and Computer Security

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Perfectly-Crafted Swiss Army Knives in Theory

Message Authentication. Adam O Neill Based on

Notes for Lecture 9. 1 Combining Encryption and Authentication

Weaknesses in the HAS-V Compression Function

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Functional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions

1 Cryptographic hash functions

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Provable Security of Cryptographic Hash Functions

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

1 Cryptographic hash functions

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Preimage Attacks on 3, 4, and 5-Pass HAVAL

Lecture 10 - MAC s continued, hash & MAC

ANOTHER LOOK AT SECURITY THEOREMS FOR 1-KEY NESTED MACS

Beyond the MD5 Collisions

The Hash Function Fugue

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Generic Security of NMAC and HMAC with Input Whitening

The Security of Abreast-DM in the Ideal Cipher Model

Preimage Attack on ARIRANG

Avoiding collisions Cryptographic hash functions. Table of contents

EME : extending EME to handle arbitrary-length messages with associated data

Avoiding collisions Cryptographic hash functions. Table of contents

A Composition Theorem for Universal One-Way Hash Functions

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

Analysis of Underlying Assumptions in NIST DRBGs

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Cryptographic Hash Functions

A (Second) Preimage Attack on the GOST Hash Function

Transcription:

General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr 2 David R. Cheriton School o Computer Science, University o Waterloo, Canada m2nandi@cs.uwaterloo.ca Abstract. Kim et al. [4] and Contini et al. [3] studied on the security o HMAC and MAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. Especially, they considered the distinguishing attacks. However, they did not describe generic distinguishing attacks on MAC and HMAC. In this paper, we describe the generic distinguishers to distinguish MAC and HMAC with the birthday attack complexity and we prove the security bound when the underlying compression unction is the random oracle. Keywords : MAC, HMAC, Distinguishing Attack, Birthday Attack. 1 Introduction. Since MD4-style hash unctions were broken, evaluations on the security o HMAC and MAC have been reuired. Kim et al. [4] and Contini et al. [3] showed the security analyses on them. However, Kim et al. distinguishing attack complexity is ar rom the birthday attack complexity. Contini et al. also suggested 2 84 as the distinguishing attack complexity o MAC and HMAC on the reduced SHA-1, which is bigger than the birthday attack complexity. In this paper, we describe the generic distinguishers to distinguish MAC and HMAC with the birthday attack complexity and we prove the security bound when the underlying compression unction is the random oracle. 2 MAC and HMAC Fig. 1 and 2 show MAC and HMAC based on a compression unction rom {0, 1} n {0, 1} b to {0, 1} n. K 1 and K 2 are n bits. K = K 0 b n where K is n bits. opad is ormed by repeating the byte 0x36 as many times as needed to get a b-bit block, and ipad is deined similarly using the byte 0x5c. H : {IV } ({0, 1} b ) {0, 1} n is the iterated hash unction. H is deined as ollows : H(IV, x 1 x 2 x t ) = ( ((IV, x 1 ), x 2 ), x t ) where x i is b bits. Let g be a padding method. g(x) = x 10 t bin 64 (x) where t is smallest nonnegative integer such that g(x) is a multiple o b and bin i (x) is the i-bit binary representation o x. Then, MAC and HMAC are deined as ollows.

MAC K1,K 2 (M) = H(K 2, g(h(k 1, g(m)))) HMAC K (M) = H(IV, g(k opad H(IV, g(k ipad M)))). M 1 M 2 M t K 1 h 1 h 2 h t-1 h t padding K 2 h t+1 Fig.1. MAC ( g(m) = M 1 M 2 M t) K M1 M2 Mt IV h1 h2 ht-1 K ht padding IV ht+1 Fig.2. HMAC ( g(k ipad M) = K ipad M 1 M 2 M t) 3 General Distinguishing Attack On MAC and HMAC Here, we describe three types o distinguishers A 1, A 2 and A 3. In case o A 1 and A 2, we will prove the lower bound o A 1 s advantage. On the other hand, A 3 distinguishes heuristically without proving exact proo o security bound. Practically, A 3 is reasonable. For all distinguishers, ueries are same as ollows. Let is the number o ueries such that t is a ixed value (t 2) in Fig. 1 and 2. Since g is applied two times in MAC and HMAC, t 2 means that the added inormation o the irst padding is dierent rom that o the secoond padding.

Each block is b bits and c = log 2 t. In MAC, A = K 1 and B = K 2 in Fig. 3. In HMAC, A = (IV, K ipad) and B = (IV, K opad) in Fig. 3. For MAC and HMAC, i-th uery is X i 0 64 bin c (1) 0 b c bin c (t 2) 0 b c bin c (t 1) where each X i is b 64 bits and X i X j or any i j and X i 0 64 bin c (j) 0 b c or any i and j such that 1 j t 2. These kinds o messages enable us to prove the security bound in the random oracle model. When we prove the security bound, we will explain in detail. MAC : M t =bin c (t-1) 10 b-c-65 bin 64 (bt-b+c) X i 0 64 bin c (1) 0 b-c bin c (t-2) 0 b-c HMAC : M t =bin c (t-1) 10 b-c-65 bin 64 (bt+c) M 1 M 2 M t-1 M t A h 0 h 1 h 2 h t-2 h t-1 h t padding B h t h t+1 Fig.3. Attack Strategy. In MAC, A = K 1 and B = K 2. In HMAC, A = (IV, K ipad) and B = (IV,K opad). In Fig. 3, or i-uery, we denote the values o h 1 h t+1 by h 1,i h t+1,i. Then we deine Pr[C m ] denotes the probability that there exist h m,i = h m,j such that 1 i j. ote that i C i occurs, then C j (i + 1 j t + 1) also occurs. Thereore, Pr[C t+1 ] = Pr[C 1 C 1 C t+1 ]. In other words, Pr[ C t+1 ] = Pr[ C 1 C 1 C t+1 ]. And Pr[C t+1 ] = 1 Pr[ C 1 C 1 C t+1 ]. Distinguisher A 1 A 1 has an access to oracle O which is MAC (or HMAC) or the random unction rom {0, 1} {0, 1} n. A 1 makes ueries as described above. Then A 1 outputs 1 i there is a collision among ueries, otherwise outputs 0. We want to compute the bound o the advantage o A 1. For this, we compute the probability that there is a collision or both MAC (or HMAC) and the random unction. In case o the random unction, we denote Pr r [C] by the probability that there exist a collsion o the random unction. Let = 2 n. Let x i,j = h i 1 M i in Fig. 3. Then Pr[ C 1 ] = ( 1) ( +1) because all X i (1 i ) are dierent. When C 1 does not occur, x 1,i x 2,j or all i and j. So, Pr[ C 2 C 1 ] = Pr[ C 2 ] = Pr[ C 1 ] = ( 1) ( +1). So, Pr[ C 1 C 2 ] = (Pr[ C 1 ]) 2 = ( ( 1) ( +1) ) 2. Similarly, we can know Pr[ C 1

C t+1 ] = (Pr[ C 1 ]) t+1 = ( ( 1) ( +1) ) t+1. Thereore, Pr[C t+1 ] = 1 ( ( 1) ( +1) ) t+1. On the other hand, in case o the random unction, Pr r [C] = 1 ( 1) ( +1). HMAC or MAC Adv A1 () = Pr[A1 = 1] Pr[A Rand 1 = 1] ( 1) ( + 1) ( 1) ( + 1) = ( ) t+1 With using 1 x e x or x 1, ( 1) ( +1) = (1 1 )(1 2 ) (1 1 ) e 1 + 2 1 + + = e ( 1) 2. I 2 then ( 1) 2 1. With using e x 1 (1 e 1 )x or x 1 [1], we know that e ( 1) 2 1 (1 e 1 ) ( 1) Since 1 e 1 > 0.632, e ( 1) 2 1 ( 1) 2 1 0.632 ( 1) 2 < 1 0.632 ( 1) 2 by the result o [1]. Thereore, 1 ( 1) 2. Finally, 2.. And ( 1) ( +1) ( 1) ( +1) < Adv A1 () (1 ) (1 0.632 2 2 )t+1 In case o =, Adv A1 () 1 2 0.684t+1. When t = 11, Adv A1 () 0.49. Distinguisher A 2 A 2 has an access to oracle O which is MAC (or HMAC) or the random unction rom {0, 1} {0, 1} n. A 2 makes ueries as described above. I there is no collision among outputs o ueries, return 0. I there is a collision (M, M ) among ueries, When comparing with MAC, A 2 makes new ueries T and T such that T = M 10 b c 65 bin 64 (bt b+c) and T = M 10 b c 65 bin 64 (bt b+c). When comparing with HMAC, A 2 makes new ueries T and T such that T = M 10 b c 65 bin 64 (bt + c) and T = M 10 b c 65 bin 64 (bt + c). I O(T) = O(T ), then return 1 otherwise 0. We know that Pr[C t ] = 1 ( ( 1) ( +1) ) t. We want to compute Pr[ {h t,i } i = {h t+1,j } j C t ]. This probability means that there is no collision which do not collide in h t. Since the size o {h t,i } i is at most and {h t,i x t+1 } i {h j,i x j+1 } i,jt 1 =, Pr[ {h t,i } i = {h t+1,j } j C t ] ( 1) ( +1) Thereore, Pr[ {h t,i } i = {h t+1,j } j C t ] ( ( 1) ( +1). )(1 ( ( 1) ( +1) ) t ).

HMAC or MAC Adv A2 () = Pr[A2 = 1] Pr[A Rand 2 = 1] Pr[ {h t,i } i = {h t+1,j } j C t ] 1 ( 1) ( + 1) ( (1 ( 1) ( + 1) ) t+1 1 ) (1 0.632 2 2 )t+1 1 In case o =, Adv A2 () 1 2 0.684t+1. When t = 11, Adv A2 () 0.49. Distinguisher A 3 See Fig. 3. We know that there is an internal collision pair in h 1 with about the ollowing probability. ( ) 2 n/2 2 n = 1 2 2 2(2 n)/2 Then automatically the pair becomes also an internal collision pair in rom h 2 to h t+1 in Fig. 3. Except the pair, we also know that there exist an internal collision pair which is collided in h 2 with above probability. By this logic, we can get t internal collision pairs in h t. In case o MAC and HMAC, since the value in h t is applied to once more, we can get (t + 1) ( 1 2 2(2 n)/2 ) collision pairs o MAC and HMAC on average. On the other hand, in case o random unction, we can get about ( 1 2 2(2 n)/2 ) collision pairs. MAC or HMAC Random Function Average (t + 1) ( 1 2 2(2 n)/2 ) t+1 2 ( 1 2 2(2 n)/2 ) 1 2 Standard Deviation 2/2 2 (t + 1)/2 Then, distinguisher A 3 says 1 (MAC or HMAC) i there are t+1 2 2(t + 1) collision pairs at least. Otherwise A 3 says 0 (random unction). So, with high probability A 3 can distinguish MAC and HMAC rom the random unction. In case t = 31, Advantage o A 3 is Adv A3 (2 n/2 MAC or HMAC ) = Pr[A3 = 1] Pr[A Rand 3 = 1] 0.977 0 = 0.977. 4 Conclusion In this paper, we described generic distinguishing attacks on MAC and HMAC where a compression unction is used iteratively and the size o the internal state is same as that o the hash output. Thereore, we can know that the security bound o MAC and HMAC is the birthday attack complexity in case that the size o the internal state is same as that o the hash output.

Reerences 1. M. Bellare, J. Kilian, and P. Rogaway, The Security o the Cipher Block Chaining Message Authentication Code, Appears in Journal o Computer and System Sciences, Vol. 61, o. 3, Dec 2000, pp. 362-399. 2. M. Bellare, ew Proos or MAC and HMAC: Security without Collision- Resistance, Advances in Cryptology - CRYPTO 06, LCS??, Springer-Verlag, pp.??-??,??. 3. S. Contini and Y. L. Yin, Forgery and Partial Key-Recovery Attacks on HMAC and MAC Using Hash Collisions, Advances in Cryptology - Asiacrypt 06, LCS 4284, Springer-Verlag, pp. 37-53, 2006. 4. J. Kim, A. Biryukov, B. Preneel, and S. Hong, On the Security o HMAC and MAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1, SC 06, to appear. (http://eprint.iacr.org/2006/187).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback