Skip to main content
SpringerLink
Log in

Another Look at Security Theorems for 1-Key Nested MACs

  • Chapter
  • First Online:
Open Problems in Mathematics and Computational Science

Abstract

We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Fischlin [10] has a uniform proof of a security theorem for HMAC without collision resistance, but its usefulness is questionable because of the extremely large tightness gap in his result.

  2. 2.

    The theorem’s query bound for the related-key property is 2q because A rka makes two queries for each query of A MAC.

  3. 3.

    If \(A_{\tilde{f}h}\) fails to produce a guess about the oracle \(O_{\tilde{f}h}\) in time t, as can happen if the simulation is imperfect, then \(A_{\tilde{f}}\) guesses that \(O_{\tilde{f}}\) is a random function. Note that the simulation is perfect if \(O_{\tilde{f}}\) is \(\tilde{f}\) with hidden key.

  4. 4.

    The term “over all possible coin tosses” means over all possible runs of the algorithm with each weighted by 2s, where s is the number of random bits in a given run.

  5. 5.

    The tightness gap in our theorem, bad as it is, is not nearly as extreme as the one in Fischlin’s theorem [10], which establishes the secure-MAC property for NMAC and HMAC based on assumptions that are slightly weaker than the prf property. The gap in success probabilities in that theorem is roughly qn 2. In [10] this gap is compared to the q 2 n gap in Bellare’s Theorem 3.3 in [2]. However, any comparison based solely on success probabilities is misleading, since the factor q 2 n in Bellare’s theorem is multiplied by the advantage of a very low-resource adversary A 2 with running time ≤ nT, much less than that of Fischlin’s adversary. One must always include running time comparisons when evaluating tightness gaps, and this is not done in [10].

  6. 6.

    Note that the inner compression function needs to be strongly (ε 1, t, q)-secure for a quite small value of ε 1, since the theorem loses content if ε 1 > 1∕(2n).

  7. 7.

    Note that A rka can verify that A MAC has a valid forgery using the same procedure that was used to respond to its queries. This means that A rka needs to be allowed two more queries of O rka, and for this reason, the query bound for A rka is 2q + 2 rather than 2q, and the time bounds have the term (q + 1)nT rather than qnT.

  8. 8.

    In the prf test for f, the adversary gets the values f(K, M) (with K a c-bit hidden key and M a b-bit queried message); in the test for \(\tilde{f}\) in HMAC, he gets the values \(f(K,M\|p)\) (with M a c-bit message and p a fixed (bc)-bit padding); and in the test for \(\tilde{f}\) in Envelope MAC, he gets the values \(f(M,K\|p)\). Thus, the only difference is whether the key occurs in the first c bits or in the next c bits.

  9. 9.

    How can something be a necessary component, but play no role in the selection? By analogy, when one looks for an apartment, a functioning toilet is a requirement; however, one doesn’t normally choose which apartment to rent based on which has the nicest toilet.

References

  1. M. Bellare, Practice-oriented provable-security, in Proceedings of First International Workshop on Information Security (ISW ’97). Lecture Notes in Computer Science, vol. 1396 (Springer, Berlin, 1998), pp. 221–231

    Google Scholar 

  2. M. Bellare, New proofs for NMAC and HMAC: security without collision resistance, in Advances in Cryptology—Crypto 2006. Lecture Notes in Computer Science, vol. 4117 (Springer, Heidelberg, 2006), pp. 602–619. Extended version available at http://cseweb.ucsd.edu/mihir/papers/hmac-new.pdf

  3. M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—Eurocrypt 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Heidelberg, 2003), pp. 491–506

    Google Scholar 

  4. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of First Annual Conference on Computer and Communications Security (ACM, New York, 1993), pp. 62–73

    Google Scholar 

  5. M. Bellare, R. Rogaway, Optimal asymmetric encryption—how to encrypt with RSA, in Advances in Cryptology—Eurocrypt ’94. Lecture Notes in Computer Science, vol. 950 (Springer, Heidelberg, 1994), pp. 92–111

    Google Scholar 

  6. M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in Advances in Cryptology—Crypto ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Heidelberg, 1996), pp. 1–15. Extended version available at http://cseweb.ucsd.edu/mihir/papers/kmd5.pdf

  7. M. Bellare, R. Canetti, H. Krawczyk, HMAC: Keyed-hashing for message authentication, Internet RFC 2104 (1997)

    Google Scholar 

  8. D. Bernstein, T. Lange, Non-uniform cracks in the concrete: the power of free precomputation, in Advances in Cryptology—Asiacrypt 2013. Lecture Notes in Computer Science, vol. 8270 (Springer, Heidelberg, 2013), pp. 321–340

    Google Scholar 

  9. D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 275–291

    Google Scholar 

  10. M. Fischlin, Security of NMAC and HMAC based on non-malleability, in Topics in Cryptology—CT-RSA 2008. Lecture Notes in Computer Science, vol. 4064 (Springer, Heidelberg, 2008), pp. 138–154

    Google Scholar 

  11. P. Gauravaram, L. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, S. Thomsen, Grøstl—a SHA-3 candidate (2011). Available at http://www.groestl.info/Groestl.pdf

    Google Scholar 

  12. B. Kaliski, M. Robshaw, Message authentication with MD5. CryptoBytes 1(1), 5–8 (1995)

    Google Scholar 

  13. J. Katz, Y. Lindell, Introduction to Modern Cryptography (Chapman and Hall/CRC, Boca Raton, 2007)

    Google Scholar 

  14. N. Koblitz, A. Menezes. http://anotherlook.ca

  15. N. Koblitz, A. Menezes, Another look at “provable security.” J. Cryptol. 20, 3–37 (2007)

    Article  MATH  MathSciNet  Google Scholar 

  16. N. Koblitz, A. Menezes, Another look at security definitions. Adv. Math. Commun. 7, 1–38 (2013)

    Article  MATH  MathSciNet  Google Scholar 

  17. N. Koblitz, A. Menezes, Another look at HMAC. J. Math. Cryptol. 7, 225–251 (2013)

    Article  MATH  MathSciNet  Google Scholar 

  18. N. Koblitz, A. Menezes, Another look at non-uniformity. Groups Complex. Cryptol. 5, 117–139 (2013)

    Article  MATH  MathSciNet  Google Scholar 

  19. A.H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: the serpentine course of a paradigm shift. J. Number Theory 131, 781–814 (2011)

    Article  MATH  MathSciNet  Google Scholar 

  20. H. Krawczyk, Koblitz’s arguments disingenuous. Not. Am. Math. Soc. 54(11), 1455 (2007)

    Google Scholar 

  21. National Institute of Standards and Technology, The keyed-hash message authentication code (HMAC). FIPS Publication 198 (2002)

    Google Scholar 

  22. National Institute of Standards and Technology, Third-round report of the SHA-3 cryptographic hash algorithm competition. Interagency Report 7896 (2012)

    Google Scholar 

  23. P. Piermont, W. Simpson, IP authentication using keyed MD5, IETF RFC 1828 (1995)

    Google Scholar 

  24. K. Pietrzak, A closer look at HMAC. Available at http://eprint.iacr.org/2013/212

  25. B. Preneel, P. van Oorschot, MDx-MAC and building fast MACs from hash functions, in Advances in Cryptology—Crypto ’95. Lecture Notes in Computer Science, vol. 963 (Springer, Heidelberg, 1995), pp. 1–14

    Google Scholar 

  26. B. Preneel, P. van Oorschot, On the security of iterated message authentication codes. IEEE Trans. Inf. Theory 45, 188–199 (1999)

    Article  MATH  Google Scholar 

  27. V. Shoup, OAEP reconsidered, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 239–259

    Google Scholar 

  28. G. Tsudik, Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. 22(5), 29–38 (1992)

    Article  Google Scholar 

  29. K. Yasuda, “Sandwich” is indeed secure: how to authenticate a message with just one hashing, in Information Security and Privacy—ACISP 2007. Lecture Notes in Computer Science, vol. 4586 (Springer, Heidelberg, 2007), pp. 355–369

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Mathematics, University of Washington, Box 354350, Seattle, WA, 98195, USA

    Neal Koblitz

  2. Department of Combinatorics & Optimization, University of Waterloo, Waterloo, ON, Canada, N2L 3G1

    Alfred Menezes

Authors
  1. Neal Koblitz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alfred Menezes
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alfred Menezes .

Editor information

Editors and Affiliations

  1. Dept. of Computer Science, University of California, Santa Barbara, Santa Barbara, California, USA

    Çetin Kaya Koç

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Koblitz, N., Menezes, A. (2014). Another Look at Security Theorems for 1-Key Nested MACs. In: Koç, Ç. (eds) Open Problems in Mathematics and Computational Science. Springer, Cham. https://doi.org/10.1007/978-3-319-10683-0_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-10683-0_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10682-3

  • Online ISBN: 978-3-319-10683-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation