Keywords

1 Introduction

A Message Authentication Code (MAC) is a cryptographic primitive which produces authenticity and data integrity. It takes a message \(M\) and a secret key \(K\) as input and computes a tag \(\tau \). A secure MAC must resist forgery attacks.

A MAC is often constructed from a hash function such as MD5 [1] and SHA-2 [2] for its performance and availability in software libraries. There are three hash-based MAC constructions [3]. Let \(\mathcal {H}\) be a hash function. A secret-prefix method computes a tag of a message \(M\) by \(\mathcal {H}(K\Vert M)\). A secret-suffix method computes a tag by \(\mathcal {H}(M\Vert K)\). A hybrid method computes a tag by \(\mathcal {H}(K\Vert M\Vert K)\).

When \(\mathcal {H}\) processes \(M\) by iteratively applying a compression function \(h\), a generic existential forgery attack with a complexity of \(2^{n/2}\) exists for any of those three methods, where \(n\) is the size of the tag, \(\tau \), and the internal chaining variable [4]. Besides, each of the three types has its own features. The secret-prefix method is vulnerable when a finalization process is not performed. This is called length-extension attack [5, 6]. The secret-suffix method suffers from the collision attack on \(h\). Two distinct messages \((M, M^{\prime })\) such that \(h(M)=h(M^{\prime })\) cause forgery attacks. The hybrid method seems to hide the weakness of two methods at a short glance. Strictly speaking, the hybrid method in [3] computes a tag by \(\mathcal {H}(K\Vert \mathtt{pad}\Vert M\Vert K^{\prime })\) where \(K\) and \(K^{\prime }\) are two independent keys and pad denotes the padding string making the length of \(K\Vert \mathtt{pad}\) equal to the block length. The security of this construction can be proven by [7] up to \(O(2^{n/2})\) queries. The single-key version, where \(K=K^{\prime }\), is well-known as envelope MAC, and was standardized for IPsec version 1 [8, 9]. However, Preneel and van Oorschot showed that collisions of \(h\) can reveal the second key \(K\) or \(K^{\prime }\) of the hybrid method [10] when the padding is not performed between \(M\) and the second key.

Currently, the most widely used hash-based MAC is HMAC [7, 11] whose structure is a hybrid method with an appropriate padding before the second key. It computes a tag by \(\mathcal {H}((K\oplus \mathtt{opad})\Vert \mathcal {H}((K\oplus \mathtt{ipad})\Vert M))\) as shown in Fig. 1. HMAC was proven to be a secure PRF up to \(O(2^{n/2})\) queries [12]. Several researchers proposed improvement of HMAC from various viewpoints, e.g., security bound [13], performance [1416], and side-channel resistance [17].

Fig. 1.
figure 1

Description of HMAC

Full size image
Fig. 2.
figure 2

Description of Sandwich-MAC

Full size image

Comparison of HMAC and Sandwich-MAC. Sandwich-MAC [15] is another hybrid-type MAC with an appropriate padding before the second key. It computes a tag by \(\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert \mathtt{pad2}\Vert K)\) as shown in Fig. 2. As with HMAC, it can call current hash functions without modifying the Merkle-Damgård (MD) implementations. It was proven to have the same security as HMAC, i.e., it is a PRF up to \(O(2^{n/2})\) queries as long as the underlying compression function \(h\) is a PRF. Then, Sandwich-MAC has several advantages compared to HMAC.

Sandwich-MAC can be computed only with a single key \(K\), while HMAC creates an inner-key \(h({\mathrm {IV}},K\oplus \mathtt{ipad})\) and an outer-key \(h({\mathrm {IV}},K\oplus \mathtt{opad})\). This reduces the number of additional blocks, where the “additional” is defined to be the number of \(h\) invocations in the scheme minus that in the usual Merkle-Damgård. HMAC requires 3 additional blocks, while Sandwich-MAC requires 1 or 2. It also avoids a related-key attack on HMAC [18] which exploits two keys with difference \(\mathtt{ipad} \oplus \mathtt{opad}\). Another advantage is the number of hash function calls. HMAC requires 2 invocations of \(\mathcal {H}\), while Sandwich-MAC requires only 1.

As shown in [19], these drawbacks of HMAC are critical especially for short messages. Taking these features into account, though it is not widely used at present, Sandwich-MAC is potentially a good candidate for a future MAC use.

Cryptanalysis Against Hybrid MAC. If the padding is not applied before the second key, the key is recovered with \(O(2^{n/2})\) [10]. The attack was optimized when the underlying hash function is MD5 [2023] through attacks against APOP protocol [24]. In this paper, the IV Bridge technique [21] will be exploited. However, these analyses basically cannot be used if an appropriate padding is applied before the second key as HMAC and Sandwich-MAC.

For HMAC/NMAC, most of attacks have been proposed with specific underlying hash functions. Kim et al. [25] proposed the notion of distinguishing-\({ H }\) attack. Contini and Yin presented how to exploit a differential characteristic of an underlying compression function to recover an inner-key of HMAC/NMAC [26]. Since then, many attacks have developed for HMAC/NMAC instantiating the MD4-family [2731]. Regarding MD5, inner-key and outer-key recovery attacks were proposed only for NMAC only in the related-key model. Wang et al. presented a distinguishing-\({ H }\) attack on full HMAC-MD5 in the single-key model [32]. This is the only known result in the single-key model against hybrid MAC constructions with an appropriate padding instantiating full MD5.

Table 1. Summary and comparison of results. ISR stands for internal state recovery.
Full size table

Our Contributions. In this paper, we present key-recovery attacks against several hybrid MAC schemes with an appropriate padding when MD5 is instantiated as an underlying hash function. The summary of results is given in Table 1. The main contribution is an original-key recovery attack against Sandwich-MAC-MD5. This is the first result that recovers the original-key in the hybrid method. Even if the key-length is longer than the tag size \(n\), the key is recovered faster than \(2^n\) computations. Moreover, an attacker does not need to know the key length in advance. Given the specification of MD5, up to a 447-bit key is recovered with \(2^{89.04}\) queries, \(2^{89}\) table look-ups, and \(2^{89}\) memory.

For the first step, we improve the distinguishing-\({ H }\) attack against HMAC-MD5 in the single-key model presented by Wang et al. [32], which can be utilized to reveal an internal state value. This reduces the number of queries from \(2^{98}\) to \(2^{89.09}\). This can be achieved by combining the attack in [32] with the message modification technique presented by Contini and Yin [26].

We then explain our original-key recovery attack against Sandwich-MAC-MD5 and its variant with combining various techniques on MD5. Specifically, we generalize the idea in [31] as a tool exploiting conditional key-dependent distributions. Note that a similar idea can be seen in [33] against Phelix. In this paper our goal is generalizing and simplifying the technique so that it can be applied to other cases. In the below, let \(\alpha , \kappa \) and \(\beta \) be \(x\)-bit variables, and \(\alpha _i, \kappa _i\) and \(\beta _i\) be the \(i\)-th bit of \(\alpha , \kappa \) and \(\beta \), respectively, where \(0 \le i \le x-1\).

Let us consider a modular addition \(\alpha + \kappa = \beta \); \(\alpha \) is a partially known variable where 1 bit (MSB) of \(\alpha _{x-1}\) is known but \(\alpha _{i}\) is unknown for the other \(i\). \(\kappa \) is an unknown constant. \(\beta \) is a public variable computed by \(\alpha + \kappa \), and its value is known. Intuitively, \(\alpha , \kappa \), and \(\beta \) correspond to the internal state, the key, and the tag, respectively. Then, the attacker can recover all bits of \(\kappa \) by iteratively collecting many pairs \((\beta , \alpha _{x-1})\).

Experimental verification of this observation is shown in Appendix A.

Our attack on Sandwich-MAC-MD5 recovers the key with a complexity below \(2^n\), hence it also leads to a universal forgery attack on Sandwich-MAC-MD5.

MD5-MAC [4] generates three keys \(K_0, K_1,\) and \(K_2\). The previous attack [32] only recovers \(K_1\) with a cost of \(2^{97}\). Our improvement of HMAC-MD5 also reduces this complexity to \(2^{89.09}\). Moreover, by applying our techniques on Sandwich-MAC-MD5, we achieve the first attack that recovers both \(K_1\) and \(K_2\).

2 Preliminaries

2.1 HMAC

HMAC is a hash-based MAC proposed by Bellare et al. [7]. Denote a hash function by \(\mathcal {H}\). On an input message \(M\), HMAC based on \(\mathcal {H}\) is computed using a single secret key \(K\) as \(\mathrm{{HMAC}}\text{- }\mathcal {H}_K(M)=\mathcal {H}(\overline{K} \oplus \mathtt{opad} \Vert \mathcal {H}(\overline{K} \oplus \mathtt{ipad}\Vert M) ),\) where \(\overline{K}\) is \(K\) padded to a full block by adding ‘0’s, \(\mathtt{opad}\) and \(\mathtt{ipad}\) are two public constants, and ‘\(\Vert \)’ denotes the concatenation.

2.2 Sandwich-MAC

Sandwich-MAC [15] is another hash-based MAC proposed by Yasuda. Besides the main scheme called Basic, there exist three variants called variant A, B, and C. Inside variant B, one extension is proposed, which we call extended B. In this paper, we analyze Basic, variant B, and extended B. We assume that the length of the key after the padding, \(|K\Vert \mathtt{pad}|\), is shorter than the block length, \(b\).

Sandwich-MAC Basic. Sandwich-MAC Basic computes tag values as follows.

$$\begin{aligned} {\text {Sandwich-MAC-}}\mathcal {H}_K(M)=\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert \mathtt{pad2}\Vert K), \end{aligned}$$
(1)

where, pad1 appends \(b-|K|\) bits of ‘0’s so that \(|K\Vert \mathtt{pad1}|\) becomes equal to \(b\) and pad2 appends a single bit ‘1’ and \(b-((|M|+1) \ \mathtt{mod} \ b)\) bits of ‘0’s so that \(|M\Vert \mathtt{pad2}|\) becomes a multiple of \(b\). Note that the input message for the last block always becomes \(K\Vert \mathtt{pad3}\), where pad3 is the padding scheme defined in a hash function \(\mathcal {H}\). As long as MD5 is analyzed, \(\mathtt{pad3}\) is MD-strengthening.

Variant B and Extended B. Variant B is an optimized version when \(|M|\) is already a multiple of the block length. The computation is described in Eq. (2).

Extended B is another optimization when the input message \(M\) ends in the middle of the block. Intuitively, the meaningless bits of ‘0’ in pad3 in the last message block can be replaced with the message to be processed. For example, MD5 uses the MD-strengthening as pad3 and 65 bits are enough for it. Therefore, up to \(b-|K|-66\) bits in the last message block can be used to process the message. Let \(M\) consist of \(\ell \) blocks (\(M_0\Vert \cdots \Vert M_{\ell -1}\)), and \(|M_{\ell -1}|<b-|K|-66\). The computation of extended B is described in Eq. (3).

$$\begin{aligned} {\text {Sandwich-MAC}}_{\text {B}}\text {-}\mathcal {H}_K(M)&=\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert K\Vert 1). \end{aligned}$$
(2)
$$\begin{aligned} {\text {Sandwich-MAC}}_{\text {ExtB}}\text {-}\mathcal {H}_K(M)&=\mathcal {H}(K\Vert \mathtt{pad1}\Vert M_0\Vert \cdots \Vert M_{\ell -2}\Vert K\Vert 1\Vert M_{\ell -1}). \end{aligned}$$
(3)

2.3 MD5 Specification and Free-Start Collision Attack on MD5

MD5 [1] is a Merkle-Damgård based hash function. Its block length is 512 bits and the output size is 128 bits. At first, an input message \(M\) is padded by the MD strengthening. The padded message is divided into 512-bit blocks, \(M_i\) (\(i=0,1,\ldots ,N-1\)). First \(H_0\) is set to \(\mathrm {IV}\), which is the initial value defined in the specification. Then, \(H_{i+1} \leftarrow h(H_i, M_i)\) is computed for \(i=0,1,\ldots ,N-1\), where \(h\) is a compression function and \(H_N\) is the hash value of \(M\).

\(h\) takes a 128-bit value \(H_i\) and a 512-bit value \(M_i\) as input. \(M_i\) is divided into sixteen 32-bit values \(m_0\Vert m_1\Vert \cdots \Vert m_{15}\), and \(H_i\) is divided into four 32-bit values \(Q_{-3}\Vert Q_{0}\Vert Q_{-1}\Vert Q_{-2}\). Then, \(Q_{j+1} \leftarrow R_j (Q_{j-3}\Vert Q_{j}\Vert Q_{j-1}\Vert Q_{j-2}, m_{\pi (j)})\) is computed for \(j=0,\ldots ,63\) and \((Q_{61}+Q_{-3})\Vert (Q_{64}+Q_0)\Vert (Q_{63}+Q_{-1})\Vert (Q_{62}+Q_{-2})\) is the output of \(h\). \(R_j \) is the step function which computes \(Q_{j+1}\) as below.

$$\begin{aligned} Q_{j+1} \leftarrow Q_{j}+(Q_{j-3}+\varPhi _j(Q_{j},Q_{j-1},Q_{j-2})+m_{\pi (j)}+c_j)\lll s_j, \end{aligned}$$

where \(\varPhi _j, c_j\), and \(\lll s_j\) denote Boolean function, constant, and left rotation by \(s_j\)-bits, respectively. \(\pi (j)\) denotes a message expansion. Refer to [1] for details. Hereafter, we denote the \(B\)-th bit of variable \(X\) and \(Q_j\) by \(X_B\) and \(Q_{j,B}\).

den Boer and Bosselaers [34] generated paired values \((H_i,M_i)\) and \((H_i^{\prime },M_i)\) such that \(h(H_i,M_i)=h(H_i^{\prime },M_i)\), where \(H_i\) and \(H_i^{\prime }\) have the difference: \(H_i \oplus H_i^{\prime } = \mathtt{(80000000, 80000000, 80000000, 80000000)}.\) Moreover, the MSB of the second, third, and fourth variables of \(H_i\) must be equal. Hereafter, we denote this difference (including two conditions of \(H_i\)) by \(\varDelta ^{\mathrm {MSB}}\). To satisfy the characteristic, 46 conditions shown below must be satisfied: \(Q_{j-1,31} = Q_{j-2,31} ( 2\le j \le 15), Q_{j,31}\) \(= Q_{j-1,31} (16\le j \le 31), Q_{j,31} = Q_{j-2,31} (48\le j \le 63)\).

3 Improved Single-Key Attacks on HMAC-MD5

3.1 Previous Distinguishing-\({ H }\) Attack on HMAC-MD5 

Wang et al. presented the distinguishing-\({ H }\) attack on HMAC-MD5 [32], which can also recover the internal-state value. The attack aims to detect a 2-block message where \(\varDelta ^{\mathrm {MSB}}\) is generated by the birthday paradox in the first block and the second block forms the dBB-collision [34]. The procedure is as follows.

  1. 1.

    Prepare \(2^{89}\) distinct \(M_0\) and a single message block \(M_1\). Then, make queries of \(2^{89}\) two-block messages \(M_0\Vert M_1\), and collect collisions of tags.

  2. 2.

    For each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), replace \(M_1\) with different \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If a collision of the tag is obtained, the pair is not a dBB-collision and is erased.

  3. 3.

    For the remaining collisions, choose up to \(2^{47}\) distinct values of \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If a collision is obtained, the pair is a dBB-collision.

\(2^{2*89-1}=2^{177}\) pairs are generated at step 1. We expect a pair \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) such that the internal state after the first block denoted by \(H_1\) and \(H_1^{\prime }\) satisfy \(\varDelta ^{\mathrm {MSB}}\) (with probability \(2^{-130}\); \(2^{-128}\) for the difference and \(2^{-2}\) for the MSB values) and the second block follows the dBB-differential characteristic (with probability \(2^{-46}\)). The other collisions are either collisions after the first block, i.e., \(H_1=H^{\prime }_1\) (\(2^{49}\) pairs), or random collisions after the second block, i.e., \(\varDelta H_1 \notin \{ 0, \varDelta ^{\mathrm {MSB}} \}\) (\(2^{50}\) pairs). At step 2, collisions of \(H_1=H^{\prime }_1\) are erased and at step 3, a dBB-collision can be identified. Step 1 requires \(2^{89}\) queries, table lookups, and memory. Step 2 requires \((1+2^{49}+2^{50})\cdot 2 \approx 2^{51.58}\) queries. Step 3 requires \((1+2^{50})\cdot 2^{47} \approx 2^{97}\) queries. Thus, step 3 dominates the entire cost.

Wang et al. also tweaked their attack to a chosen message attack. Firstly choose \(2^{66}\) distinct \(M_0\). Secondly build a structure of \(2^{66}\) two-block messages \(M_0\Vert M_1\) by choosing a random message \(M_1\). Then build \(2^{47}\) such structures by choosing \(2^{47}\) distinct \(M_1\). Thirdly, query each structure and collect collisions of the tag. Finally, for each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), check the situation for the other \(2^{47}-1\) \(M_1\). If there exists at least one \(M^{\prime }_1\) such that \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\) do not collide, which implies \(H_1 \ne H^{\prime }_1\), and exists another \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) collides, then \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision. The attack requires \(2^{66+47}=2^{113}\) queries, while the memory is reduced to \(2^{66}\).

Distinguishing- H Attack. Let MD5\(^r\) be a hash function where the compression function of MD5 is replaced with a random function with the same domain and range. This implies that the domain extension and the padding algorithm for MD5\(^r\) are the same as the ones of MD5. The distinguishing-\({ H }\) attack aims to decide whether a given oracle is HMAC-MD5 or HMAC-MD5\(^r\). Wang et al. applied their attack to the given oracle. If a dBB-collision is found, they decide that the given oracle is HMAC-MD5. Otherwise, the oracle is HMAC-MD5\(^r\).

Internal-State Recovery Attack. After a dBB-collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is obtained, Wang et al. apply the technique proposed by Contini and Yin [26] to recover the chaining variables \(Q_{7}\Vert Q_{8}\Vert Q_{9}\Vert Q_{10}\) of \(h(H_1, M_1)\). Then \(H_1\) will be recovered by an inverse computation. For a completed description we refer to [26]. The complexity of recovering \(H_1\) is only \(2^{44}\) queries and \(2^{60}\) computations. The procedure of recovering \(H_1\) is an adaptive chosen message attack. Thus the whole attack is an adaptive chosen message attack with a complexity of \(2^{97}\) queries.

3.2 Improved Attacks on HMAC-MD5

We observe that the complexity of the core part i.e., finding a dBB-collision can be improved by applying the technique in [26]. In order to verify whether a collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision at step 3, Wang et al. chooses \(2^{47}\) completely different values as \(M^{\prime }_{1}\) to generate a second pair following the dBB-characteristic. Our idea is generating many \(M^{\prime }_1\) by modifying \(M_1\) only partially so that the differential characteristic for the first several steps remains satisfied.

We focus on the computations of \(h(H_1, M_1)\) and \(h(H^{\prime }_1, M_1)\). Recall the MD5 specification. \(M_1\) is divided into \(m_0\Vert m_1\Vert \cdots \Vert m_{15}\) and \(m_i\) is used at step \(i\) in the first 16 steps. Our strategy is only modifying message words that appear later. Note that one bit of \(m_{13}\) and the entire bits of \(m_{14}\) and \(m_{15}\) are fixed to the padding string and thus cannot be modified. So we modify \(m_{12}\) and 31 bits of \(m_{13}\) to generate distinct \(m^{\prime }_{12}\Vert m^{\prime }_{13}\). Therefore, if \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision, the modified pair can always satisfy the conditions for the first 12 steps. Thus we only need to generate \(2^{35 (= 47-12)}\) pairs at step 3. The complexity of step 3 is now reduced to \((1+2^{50})\cdot 2^{35} \approx 2^{85}\) queries. Finally, the query complexity is improved from the previous \(2^{97}\) to the sum of \(2^{89}\) for step 1 and \(2^{85}\) for step 3, which is \(2^{89.09}\). Time and memory complexities remain unchanged (\(2^{89}\)). The success probability is around \(0.87\), following the similar evaluation in [32].

Our idea can also improve the previous non-adaptive chosen message attack. We prepare \(2^{66+x}\) (\(0 \le x \le 6\)) distinct values for \(M_{0}\). We can make \(2^{131+2x}\) pairs of \(M_0\Vert M_1\) for a fixed \(M_1\). \(\varDelta H_1\) satisfies \(\varDelta ^{\mathrm {MSB}}\) with probability \(2^{-130}\), and we need \(2^{131}\) pairs to observe this event with a good probability. Therefore, with \(2^{131+2x}\) pairs, one pair should satisfy \(\varDelta ^{\mathrm {MSB}}\) at \(H_1\) and conditions for the first \(2x\) steps in the second block. Then, \(M_1\) is partially modified. We choose \(2^{47-2x}\) distinct \(M_1\) differing in the words \(m_{2x}\) and \(m_{2x+1}\), and build \(2^{47-2x}\) structures. Then, the above conditions are satisfied in any structure. Finally we find about two collisions \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) and \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\), where \(H_1 \ne H^{\prime }_1\) holds, i.e., there exists at least one \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) do not collide. The complexity is \(2^{113-x}\) queries and the memory is \(2^{66+x}\), where \(0 \le x \le 6\).

4 Key Recovery Attacks on Sandwich-MAC-MD5

4.1 Attacks on Sandwich-MAC-MD5 Basic

We show the attack for a key \(K\) with \(|K|<447\), which indicates that \(K\Vert \mathtt{pad3}\) fits in one block. The attack can recover all bits of \(K\Vert \mathtt{pad3}\) and the value of pad3 depends on \(|K|\). Hence the attacker does not have to know \(|K|\) in advance. Also note that the value of pad3 is determined as the MD-strengthening defined in MD5, whereas the Sandwich-MAC can principally accept any padding scheme but the same padding as pad1. Our attack can be extended for any padding scheme as long as \(K\Vert \mathtt{pad3}\) fits in one block. Hereafter, we denote a 512-bit value \(K\Vert \mathtt{pad3}\) by sixteen 32-bit values \(k_0\Vert k_1\Vert \cdots \Vert k_{15}\), and aim to recover these values.

Overview. The attack is divided into 5 phases. The structure is shown in Fig. 3

Fig. 3.
figure 3

Attack structure for Sandwich-MAC-MD5

Full size image
Fig. 4.
figure 4

dBB-near-collisions

Full size image
  1. 1.

    Apply the internal state recovery attack in Sect. 3.2 to Sandwich-MAC to obtain the first message block \(M_0\) and the corresponding internal state \(H_1\).

  2. 2.

    For the second message block, search for \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = h(H_1,M_1\Vert \mathtt{pad2})\oplus h(H_1,M_1^{\prime }\Vert \mathtt{pad2}) = \varDelta ^{\mathrm {MSB}}\). Because \(H_1\) is already recovered, the computation can be done offline.

  3. 3.

    Query \(2^{77}\) 2-block message pairs \((M_0\Vert M_1, M_0\Vert M_1^{\prime })\), and pick the ones which produce dBB-near-collisions at the tag \(\tau \). A pair forms a dBB-near-collision with a probability \(2^{-45}\). Hence, we will obtain \(2^{77-45}=2^{32}\) pairs.

  4. 4.

    From \(2^{32}\) pairs, recover the 32-bit subkey for the last step by exploiting a conditional key-dependent distribution.

  5. 5.

    As with phase 4, recover 512-bit key during the last 16 steps.

Phase 1: Internal State Recovery. The same procedure as the internal state recovery for HMAC-MD5 can be applied. Strictly speaking, the procedure can be optimized for Sandwich-MAC. Recall that our method in Sect. 3.2 could not modify \(m_{14}\) and \(m_{15}\) because they are fixed for the padding. In Sandwich-MAC, pad2 forces only 1 bit to be fixed, and thus we can modify \(m_{14}\) and 31 bits of \(m_{15}\). This reduces the number of queries from \(2^{89}+2^{85}\) to \(2^{89}+2^{84}\approx 2^{89.04}\).

Phase 2: Generating \(\mathbf{{(}}{{\varvec{M}}}_1, {{\varvec{M}}}_1^{\prime }\mathbf{{)}}\) Producing \(\varvec{\varDelta }^{\mathbf {MSB}}{\mathbf {.}}\) This phase is offline without queries. For any underlying hash function, \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) can be found by the birthday attack with \(2^{104}\) computations and memory. For MD5, the attack can be optimized. With the help of the collision attack techniques [35, 36], Sasaki et al. proposed a tool called IV Bridge [21], which is a message difference producing the output difference \(\varDelta H_{i+1}=\varDelta ^{\mathrm {MSB}}\) from the input difference \(\varDelta H_i = 0\) with a complexity of \(2^{42}\). The complexity was later improved by Xie and Feng to \(2^{10}\) [37]. With the IV Bridge, message pairs can be found much faster than the birthday attack. Note that both characteristics in [21, 37] assume that \(H_i\) is MD5’s \(\mathrm {IV}\). Therefore, if \(\mathrm {IV}\) is replaced with another \(H_1\), the differential characteristic search must be performed again. Because the known automated differential characteristic search [3739] can deal with any \(\mathrm {IV}\), a new characteristic will be found in the same manner. Also note that if the padding string \(\mathtt{pad2}\) forces many bits to be fixed, the IV Bridge search becomes harder or impossible due to the hardness of applying the message modification [36]. Because pad2 forces only 1 bit to be fixed, this is not a problem. The complexity for this phase is one execution of the differential characteristic search and \(2^{10}\cdot 2^{77}=2^{87}\) computations. The memory can be saved by running phase 3 as soon as we obtain each pair.

Phase 3: Detecting dBB-Near-Collisions. For the last message block, the probability that a pair produces the dBB-collision is \(2^{-46}\). We observe that producing collisions is not necessary because the attacker can observe the output values as a tag \(\tau \). Hence, the dBB-collision can be relaxed to the dBB-near-collision, and this increases the probability of the differential characteristic.

Considering the details for phase 4, the pair must follow the dBB-collision characteristic up to step 62. The differential propagation for the last 2 steps is depicted in Fig. 4. One condition in step 63 is erased, and the probability of the characteristic becomes \(2^{-45}\). After examining \(2^{77}\) pairs, we obtain \(2^{77-45}=2^{32}\) pairs. This phase requires \(2^{77}\) queries, and the memory to store \(2^{32}\) pairs.

Note that false positives are unlikely. Our dBB-near-collisions do not produce any difference in the left most and right most words. Besides, the difference for the second right most word is limited to \(2\) patterns. The probability for randomly satisfying the dBB-near-collision is \(2^{-95}\), which is unlikely with \(2^{77}\) trials.

Phase 4: Recovering the Last Subkey. Because both tags and \(H_2\) are known, the attacker can compute \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\) for each dBB-near-collision. We then analyze the last step. The equation to compute \(Q_{64}\) is \(Q_{64} = Q_{63}+(Q_{60}+\varPhi _{63}(Q_{63},Q_{62},Q_{61})+k_{9}+c_{63})\lll 21\). The value of \((Q_{64}\ggg 21)-Q_{63}-\varPhi _{63}(Q_{63},Q_{62},Q_{61})-c_{63}\) can be computed with known values of \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\). We denote this value by \(Z_{63}\). Then, the equation becomes \(Z_{63}=Q_{60}+k_9\).

We then observe that the attacker can know the MSB of \(Q_{60}\) from the difference of \(Q_{63}\). The difference \(\varDelta Q_{63}=\pm 2^{31}\) indicates that \(\varDelta \varPhi _{62} = \pm 2^{31}\). This only occurs when \(Q_{62,31} = Q_{60,31}\). The difference \(\varDelta Q_{63}=\pm 2^{31} \pm 2^{14}\) indicates that \(\varDelta \varPhi _{62} = 0\). This only occurs when \(Q_{62,31} \ne Q_{60,31}\). Because the value of \(Q_{62}\) is known, the value of \(Q_{60,31}\) can be computed. In the following, we show how to recover \(k_9\) with exploiting a conditional key-dependent distribution.

Conditional Key-dependent Distribution Technique: Let us consider a modular addition \(\alpha + \kappa = \beta \); \(\alpha \) is a variable where 1 bit (MSB) is known but the other bits are unknown. \(\kappa \) is an unknown constant. \(\beta \) is a public variable computed by \(\alpha + \kappa \), and its value is known. Then, the attacker can recover all bits of  \(\kappa \) by collecting many pairs \((\beta , \alpha _{x-1})\).Footnote 1

The attacker separates the collected data into two groups depending on a condition on several bits of \(\beta \).  For each separated group, behavior of the other unconditioned bits is analyzed, i.e., conditional distribution is analyzed. If the conditional distribution differs depending on some bits of \(\kappa \), those bits can be recovered by observing the conditional distribution.

The details of the modular addition computation is shown in Fig. 5. We denote the carry value from bit position \(B\) to \(B+1\) by \(c^+_{B+1}\), e.g. the carry value to the MSB is \(c^+_{31}\). Because \(\alpha _{31}\) and \(\beta _{31}\) are known, the 1-bit relation of \(c^+_{31} \oplus \kappa _{31}\) denoted by \(R\) can be computed by \(R = \alpha _{31} \oplus \beta _{31}\).

Fig. 5.
figure 5

Recovering \(\kappa _{31}\) and \(\kappa _{30}\). Known bits are in bold squares.

Full size image
Fig. 6.
figure 6

Recovering \(\kappa _{29}\) to \(\kappa _{0}\). Known bits are in bold squares.

Full size image

At first, we recover \(\kappa _{31}\) and \(\kappa _{30}\). We separate the data into two groups by the condition \(\beta _{30}=0\) or \(1\), i.e., a group satisfying \(\beta _{30}=0\) and a group satisfying \(\beta _{30}=1\). For the group with \(\beta _{30}=0\), the distribution of other bits differs depending on the value of \(\kappa _{30}\).

-:

If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1/2 and is 1 with probability 1/2. This is because \(\beta _{30}=\kappa _{30}=0\) occurs only if \(\alpha _{30}=c^+_{30}=0\) (with \(c^+_{31}=0\)) or \(\alpha _{30}=c^+_{30}=1\) (with \(c^+_{31}=1\)).

-:

If \(\kappa _{30}=1\), \(c^+_{31}\) is 1 with probability 1.

 

To utilize this difference, for each data in the group with \(\beta _{30}=0\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 1. If \(\kappa _{30}=0\), the simulation returns the right value and wrong value of \(\kappa _{31}\) with a probability of 1/2. Therefore, we will obtain 2 possibilities of \(\kappa _{31}\). If \(\kappa _{30}=1\), the simulation always returns the right value of \(\kappa _{31}\). Therefore, we can obtain the unique (right) value of \(\kappa _{31}\). Due to the difference, we can recover \(\kappa _{30}\), and at the same time, recover \(\kappa _{31}\).

We can do the same for the group with \(\beta _{30}=1\).

-:

If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1.

-:

If \(\kappa _{30}=1\), \(c^+_{31}\) is 0 with probability 1/2 and is 1 with probability 1/2.

 

For each data in the group with \(\beta _{30}=1\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 0, and check the number of returned values of the simulation.

We then recover \(\kappa _{29}\) to \(\kappa _{0}\) in this order. In this time, we filter the data rather than separate it. In order to recover \(\kappa _{B}\), where \(29 \ge B \ge 0\), we set \((31-B)\)-bit conditions, and only pick the data satisfying all conditions. The conditions are \((\kappa _{30}=\beta _{30}), \ldots , (\kappa _{B+1}=\beta _{B+1})\), and \((c^+_{31}=\beta _{B})\). Note that \(\kappa _{31, 30, \ldots , B+1}\) are already recovered and \(c^+_{31}\) can be easily computed by \(\alpha _{31}\oplus \kappa _{31} \oplus \beta _{31}\). Let \(x\) be the value of \(c^+_{31}\), where \(x \in \{0, 1\}\). Then, we can deduce that the value of \(\kappa _{B}\) is \(x\). The proof is shown below, and is described in Fig. 6.

Proof

The value of \(\beta _{B}\) is \(x\) by the condition \(c^+_{31}=\beta _{B}\). From the condition \(\kappa _{30}=\beta _{30}\), the values of \(\alpha _{30}\) and \(c^+_{30}\) are also known to be \(x\). By iterating the same analysis from bit position 30 to \(B+1\), the values of \(\alpha _{B+1}\) and \(c^+_{B+1}\) are known to be \(x\). The event \(c^+_{B+1}=\beta _{B}=0\) only occurs when \(\kappa _B=0\). Similarly, the event \(c^+_{B+1}=\beta _{B}=1\) only occurs when \(\kappa _B=1\). \(\square \)

The number of necessary pairs to recover all bits of \(\kappa \) is dominated by the recovery for \(\kappa _{0}\), which is \(2^{31}\) pairs. To increase the success probability, we generate \(2^{32}\) pairs. Note that these pairs can also be used to analyze the other bits.

By replacing \((\alpha , \kappa , \beta )\) with \((Q_{60},k_9,Z_{63})\), \(k_9\) is recovered with \(2^{32}\) dBB-near-collisions. If a high success probability is required, more pairs than \(2^{32}\) should be collected. See Appendix A for more discussion.

Note that recovering \(\kappa \) with exhaustive search instead of the conditional key-dependent distribution is possible but inefficient. The attempt is as follows. Guess \(\kappa \), and then compute \(\alpha \) by \(\beta - \kappa \). The known 1-bit \(\alpha _{31}\) takes a role of the filtering function. During the computation of \(\beta - \kappa \), the probability that flipping \(\kappa _0\) changes the value of \(\alpha _{31}\) (through the carry effect) is \(2^{-31}\). If we collect \(2^{32}\) pairs of \((\beta , \alpha _{x-1})\) and guess 32 bits of \(\kappa \), all wrong guesses can be filtered out. However, this requires \(2^{64}\) additions, which is worse than our attack.

Phase 5: Recovering 512-Bit Key in the Last 16 Steps. This phase is basically the iteration of phase 4. After \(k_9\) is recovered, the tag value can be computed until step 63 in backward, and the same analysis as \(k_9\) can be applied to the second last step to recover \(k_2\). By iterating this for the last 16 steps, the original key \(K\) and the padding string pad3 are recovered. The number of dBB-near-collisions that we can use will increase as we recover more subkeys. This is because the probabilistic part of the differential characteristic will be shorter.

Attack Evaluation. Phase 1 requires \(2^{89.04}\) queries, \(2^{89}\) table look-ups, and a memory for \(2^{89}\) states. Phase 2 requires \(2^{10}\cdot 2^{77}=2^{87}\) compression function computations. Phase 3 queries \(2^{77}\) 2-block paired messages. It also requires to store \(2^{32}\) pairs of \(H_2\) and \(H_2^{\prime }\), which requires a memory for \(2^{33}\) states. Phase 4 requires \(2^{32}\cdot 1/64=2^{26}\) computations. Phase 5 requires \(15\cdot 2^{32}\cdot 16/64\) which is less than \(2^{34}\) computations. Hence, the dominant part is the internal state recovery attack for Phase 1. Our experiment in Appendix A suggests that generating more pairs at Phase 2 is better to obtain a high success probability. Then, the complexity for Phase 2 becomes \(2^{88}\) or \(2^{89}\) compression functions. The attack works without knowing \(|K|\) as long as \(|K|<447\). The length of the queried message can always be a multiple of the block size. Hence, the attack can be extended to Sandwich-MAC variant B.

4.2 Attacks on Sandwich-MAC-MD5 Extended B

For this variant, the last message block can contain several bits chosen by the attacker. This reduces the complexity of the key recovery phase. Although the bottleneck of the attack is the internal state recovery phase, we show the attacks from two viewpoints. (1) We show the security gap between extended B and Basic. Although they have the the same provable security, the attack is easier in extended B. (2) In practice, \(K\) may be stored in a tamper-resistant device to prevent the side-channel analysis. However, the internal state value may not be protected, and the bottleneck of the attack may become the key-recovery part.

The range of \(|K|\) in extended B is \(|K|<446\) because pad3 for MD5 is 65 bits minimum and one extra bit ‘1’ is appended right after \(K\). Although the attack strategy and the complexity depend on \(|K|\), the initial part of the attack is the same. Due to the message block structure \(K\Vert 1\Vert M_1\Vert \mathtt{pad3}\) and the MD5 message expansion \(\pi (\cdot )\), the first steps of the compression function are updated by \(K\). We call these steps keyed steps. The following steps are updated by the controlled message or the padding string until step 16. For example, if \(|K|\) is 128, the first 4 steps are the keyed steps. The initial part of the attack is as follows.

  1. 1.

    Recover the internal state value \(H_1\) by applying the internal state recovery attack in Sect. 3.2 or some side-channel analysis.

  2. 2.

    Searching for \(\#X\cdot 2^{45}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = \varDelta ^{\mathrm {MSB}}\), where \(\#X\) depends on \(|K|\). Query them to obtain \(\#X\) dBB-near-collisions.

  3. 3.

    Recover the internal state value right after the keyed steps by using the freedom degrees of \(M_2\) with the approach by Contini and Yin [26].

Phase 2 requires about \(\#X \cdot 2^{45} \cdot 2^{10}\) computations and \(\#X \cdot 2^{45}\) queries. Phase 3 requires about \(\#X \cdot 2^{47}\) queries. We then recover \(K\) with the recovered internal state value right after the keyed steps. The attack strategy depends on \(|K|\).

Case Study for \({\varvec{|}}{\varvec{K}}{\varvec{|=128.}}\) Because the tag size is 128 bits, \(|K|=128\) is a natural choice. We choose \(\#X=1\) for this case. In the last block, the value of \(H_2=Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) is known. After phase 3, the value of \(Q_1\Vert Q_4\Vert Q_3\Vert Q_2\) becomes known. Then, all of \(k_0,k_1,k_2,\) and \(k_3\) are easily recovered by solving the equation of the step function, e.g. \(k_0\) is recovered by \(k_0=\bigl ( (Q_{1} - Q_0) \ggg 7 \bigr )- Q_{-3}-\varPhi _0(Q_{0},Q_{-1},Q_{-2})-c_0.\) Other keys are also recovered with 1 computation.

Case Study for \({\varvec{|}}{\varvec{K}}{\varvec{|=224.}}\) \(K\) is divided into 7 words \(k_0,\ldots ,k_6\). In the last block, the values for \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_4\Vert Q_7\Vert Q_6\Vert Q_5\) are known after phase 3. To recover \(k_0,\ldots ,k_6\), we use the meet-in-the-middle (MitM) attack [40, 41]. Particularly, all subkey recovery attacks [42] can be applied directly. The attack structure is depicted in Fig. 7. For each of the forward and backward chunks, the attacker guesses 64 key bits. The results from two chunks can match without computing 3 middle steps with the partial-matching [43]. To reduce the key space into a sufficiently small size, 4 pairs of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_4\Vert Q_7\Vert Q_6\Vert Q_5\) are required. Hence, we set \(\#X=4\). The attack complexity is about \(4\cdot 2^{64}=2^{66}\).

Fig. 7.
figure 7

MitM procedure for \(|K|=224\).

Full size image
Fig. 8.
figure 8

MitM procedure for \(|K|=352\).

Full size image

Case Study for \({\varvec{|}}{\varvec{K}}{\varvec{|=352.}}\) \(K\) is divided into 11 words \(k_0,\ldots ,k_{10}\). The attack structure is depicted in Fig. 8. For each chunk, 16 key bits are additionally guessed (all bits of \(k_0,k_1,k_{9},k_{10}\) and 16 bits of \(k_2, k_8\)). This increases the number of skipped steps from 3 to 7 with the partial-fixing [44] or the indirect partial-matching [45]. To reduce the key space, we use 10 pairs of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_8\Vert Q_{11}\Vert Q_{10}\Vert Q_9\), thus \(\#X=10\). The complexity for the attack is about \(10 \cdot 2^{80}<2^{84}\). After \(k_0,k_1,k_{9},k_{10}\) and 16 bits of \(k_2, k_8\) are recovered, the remaining 192 bits can be recovered by iterating the MitM attack. Note that if \(|K|>352\), the attack becomes worse than the one in Sect  4.1.

5 Discussion About HMAC and Sandwich-MAC

The compression function takes two information as input; previous chaining variable and message. For block-cipher based compression functions including the MD4-family, these correspond to the key input and plaintext input. Matyas-Meyer-Oseas (MMO) mode [46, Algorithm 9.41] takes the previous chaining variable as the key input and Davies-Meyer (DM) mode [46, Algorithm 9.42] takes it as the message input. The main difference between HMAC and Sandwich-MAC is the structure of the finalization (computation after \(M\) is processed by the MD structure). HMAC adopts the MMO mode while Sandwich-MAC adopts the Davies-Meyer DM mode. Our attack shows that the (outer-)key can be recovered if both modes in the MD structure and the finalization are the DM-mode and a differential characteristic \((\varDelta H_i \ne 0, \varDelta M=0, \varDelta H_{i+1}=0)\) exists in \(h\). The attack can also work if both modes are the MMO-mode. In summary, to minimize the risk, using different modes for the MD structure and the finalization is preferable. On the other hand, Okeya showed that, among 12 secure PGV modes [47], using the MMO-mode in the finalization is the only choice to protect the outer-key from the side-channel analysis [48, 49]. Taking into account our results, Okeya’s results, and the fact that most of hash functions in practice adopt the DM-mode, we can learn that the HMAC construction is best.

The padding rule can impact the attack complexity. If the MD-strengthening is adopted as pad2 of Sandwich-MAC, the number of attacker’s controlling bits decreases. This prevents the IV Bridge and makes the attack less efficient.

There are some gaps between the hardness of the attack and the provable security. From the provable security viewpoint, the choice of the padding scheme and the choice of HMAC, Sandwich-MAC Basic, variant B, and extended B are not very different. However, once the assumption for the proof (PRF of \(h\)) is broken, these choices make a significant difference. Hence, this is a trade-off between security and performance depending on how the assumption is trusted. These differences should be taken into account when a system is designed. We never conclude that Sandwich-MAC extended B is a bad idea. Reducing the amount of meaningless padding bits is very nice especially for tree hashing, where the hash value is computed with several hash function calls and thus the amount of the padding bits is bigger than the sequential hashing. Our point is that the damage of the scheme when the assumption is broken is usually not discussed, but it deserves the careful attention because industry continues using broken hash functions such as MD5 for long time.

In general, the impact of a differential attack on \(h\) for applications is unclear. Wang et al. showed the characteristic with \(\mathrm {Pr}[h(H_i, M)=h(H_i^{\prime }, M)]>2^{n/2}\) can mount the distinguishing-\({ H }\) attack against HMAC [32]. We extend it to the key-recovery on Sandwich-MAC. Finding such a conversion is an open problem.

6 Applications to MD5-MAC

MD5-MAC is an instantiation of the message authentication code MDx-MAC proposed by Preneel and van Oorschot [4] based on the hash function MD5. MD5-MAC takes a single 128-bit key \(K\) as input, which is expanded to three 128-bit subkeys \(K_0\), \(K_1\) and \(K_2\) as \(K_i = \overline{\mathrm{MD5}}(K\Vert U_i\Vert K), 0 \le i \le 2;\) where \(\overline{\mathrm{MD5}}\) is the MD5 algorithm without the padding, and \(U_i\) with \(0 \le i \le 2\) is a public constant. \(K_0\) is used to replace the public initial value (\(\mathrm {IV}\)) of MD5, and transforms the public function \(\mathrm{MD5}(\mathrm {IV}, M)\) into a keyed hash function \(\mathrm{MD5}(K_0, M)\). \(K_1\) is used inside the MD5 compression function. More precisely, \(K_1\) is split into four 32-bit substrings \(K_1[i]\) (\(0 \le i \le 3\)), and \(K_1[i]\) is added to the constants used in round \(i\) of the MD5 compression function in modulo \(2^{32}\). We denote MD5 with \(K_1\) inside the compression function and without the padding by \(\overline{\text {MD5}}_{K_1}\). Then \(K_2\) is expanded to a full block \(\overline{K_2}\), namely 512-bit long, as \(\overline{K_2}=K_2\Vert (K_2 \oplus T_0) \Vert (K_2 \oplus T_1) \Vert (K_2 \oplus T_2)\) where \(T_i\) with \(0 \le i \le 2\) is a public constant. Let \(M\) be an input message and \(\mathtt{pad}\) be the padding algorithm of MD5. Then, MD5-MAC is computed as below:

$$\begin{aligned} \text{ MD5-MAC }_K(M)=\overline{\text {MD5}}_{K_1}(K_0, \mathtt{pad}(M)\Vert \overline{K_2}). \end{aligned}$$

Previous Attacks. Wang et al. proposed a partial key-recovery attack on MD5-MAC [32], which recovers a 128-bit key \(K_1\) with about \(2^{97}\) MAC queries and \(2^{61.58}\) offline computations. Their attack [32] is divided into three phases.

  1. 1.

    Generate 3 dBB-collisions of the form \((M_0\Vert M_1)\) and \((M_0^{\prime }\Vert M_1)\).

  2. 2.

    Recover 95 bits of \(Q_{1},Q_{2},Q_{3},Q_{4},Q_{5}\) and 90 bits of \(Q_{6},Q_{7},Q_{8},Q_{9},Q_{10}\) with the method proposed by Contini and Yin [26].

  3. 3.

    Recover \(K_1[0]\). Then recover \(K_1[1], K_1[2]\), and \(K_1[3]\).

The first phase requires \(2^{97}\) queries. The second phase requires \((95+90)\cdot 2^{47} \approx 2^{54.53}\) queries. To recover \(K_1[0]\) in the third phase, the step function equation is solved by guessing unknown 65 bits of \((Q_{1},Q_{2},Q_{3},Q_{4},Q_{5})\). For each guess, the following 5 steps are computed and check the match with already recovered 90 bits of \((Q_{6},Q_{7},Q_{8},Q_{9},Q_{10})\). Hence, this requires \(2^{65}\cdot 6/64 \approx 2^{61.58}\) MD5 computations. \(K_1[1], K_1[2]\), and \(K_1[3]\) are recovered with the divide-and-conquer approach. Hence the cost to recover each key is several iterations of \(2^{32}\) guesses. Overall, the dominant part of the attack is finding dBB-collisions. Note that the attack cannot recover any information about \(K_0\) and \(K_2\).

Improved Key Recovery for \({{\varvec{K}}_1}.\) Because the dominant part of the attack is finding 3 dBB-collisions, the attack can be improved with our improved procedure on HMAC-MD5 in Sect. 3. The application is straight-forward and thus we omit the details. The attack cost becomes \(2^{89.09}\) queries and \(2^{89}\) table lookups.

Extended Key Recovery for \({{\varvec{K}}}_2.\) Once \(K_1\) is recovered, the MAC computation structure becomes essentially the same as the one for Sandwich-MAC Basic with MD5. Because our attack on Sandwich-MAC-MD5 can recover 512-bit secret information of the last message block faster than \(2^{128}\) queries and computations, a 512-bit key \(\overline{K_2}\) can be recovered with exactly the same procedure as the one for Sandwich-MAC-MD5. The bottleneck of the attack is still finding dBB-collisions, which requires \(2^{89.04}\) queries and \(2^{89}\) table lookups. We emphasize that this is the first result which can recover \(K_2\) of MD5-MAC.

7 Concluding Remarks

In this paper, we first improved the distinguishing-\({ H }\) attacks on HMAC-MD5. We then proposed the key-recovery attack on Sandwich-MAC-MD5 by combining various techniques. In particular, we generalized the key-recovery technique exploiting the conditional key-dependent distributions. As a result, we achieved the first results that can recover the original-key against a hybrid MAC with an appropriate padding. Our results also improved the previous key-recovery attack on MD5-MAC, and extended the recovered key to both of \(K_1\) and \(K_2\). We believe our results lead to a better understanding of the MAC construction.