Abstract
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.
Chapter PDF
Similar content being viewed by others
Keywords
- Hash Function
- Message Authentication Code
- Compression Function
- Security Proof
- Cryptographic Hash Function
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
American National Standards Institution. ANSI X9.71, Keyed hash message authentication code (2000)
Bellare, M.: New Proofs for NMAC and HMAC: Security without Collision-Resistance. Full version of this paper. Cryptology ePrint Archive: Report 2006/043 (2006)
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: The cascade construction and its concrete security (Preliminary version in Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996), http://www-cse.ucsd.edu/users/mihir
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE, Los Alamitos (1997)
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000)
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKAPRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)
Bellare, M., Namprempre, C., Kohno, T.: Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol. ACM Transactions on Information and System Security (TISSEC) 7(2), 206–241 (2004)
Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive: Report 2004/309 (2004)
Bellare, M., Rogaway, P.: The game-playing technique and its application to triple encryption. Cryptology ePrint Archive: Report 2004/331 (2004)
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 216. Springer, Heidelberg (1999)
Black, J.A., Rogaway, P.: CBC mACs for arbitrary-length messages:The three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 197. Springer, Heidelberg (2000)
Carter, L., Wegman, M.: Universal classes of hash functions. Journal of Computer and System Sciences 18(2), 143–154 (1979)
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
den Boer, B., Bosselaers, A.: Collisions for the compression function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
Dierks, T., Allen, C.: The TLS protocol. Internet RFC 2246 (1999)
Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)
Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM 33(4), 210–217 (1986)
Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). Internet RFC 2409 (1998)
Hirose, S.: A note on the strength of weak collision resistance. IEICE Transactions on Fundamentals E87-A(5), 1092–1097 (2004)
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. Internet RFC 2104 (1997)
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
M‘ Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: An MACbased one time password algorithm. Internet RFC 4226 (December 2005)
National Institute of Standards and Technology. The keyed-hash message authentication code (HMAC). FIPS PUB 198 (March 2002)
National Institute of Standards and Technology. Secure hash standard. FIPS PUB 180-2 (August 2000)
Preneel, B., van Oorschot, P.: On the security of iterated message authentication codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999) (Preliminary version, entitled MD-x MAC and building fast MACs from hash functions, in CRYPTO 1995)
Rivest, R.: The MD5 message-digest algorithm. Internet RFC 1321 (April 1992)
V. Shoup. Sequences of games: A tool for taming complexity in security proofs.Cryptology ePrint Archive: Report 2004/332, 2004.
Stinson, D.: Universal hashing and authentication codes. Designs, Codes and Cryptography 4, 369–380 (1994)
Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Wegman, M., Carter, L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bellare, M. (2006). New Proofs for NMAC and HMAC: Security Without Collision-Resistance. In: Dwork, C. (eds) Advances in Cryptology - CRYPTO 2006. CRYPTO 2006. Lecture Notes in Computer Science, vol 4117. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11818175_36
Download citation
DOI: https://doi.org/10.1007/11818175_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-37432-9
Online ISBN: 978-3-540-37433-6
eBook Packages: Computer ScienceComputer Science (R0)