Journal of Cryptology

, Volume 28, Issue 4, pp 844–878 | Cite as

New Proofs for NMAC and HMAC: Security without Collision Resistance

  • Mihir Bellare


HMAC was proved in Bellare et al. (Advances in Cryptology–CRYPTO’96, Springer, Berlin, Heidelberg, 1996) to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision resistant. However, subsequent attacks showed that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker than PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.


Message authentication Hash functions Pseudorandom functions  Carter–Wegman 



Thanks to Ran Canetti, Hugo Krawczyk, Mridul Nandi, Vincent Rijmen, Phillip Rogaway, Victor Shoup, Paul Van Oorschot, the Crypto 2006 PC and the referees of the Journal of Cryptology for comments and references. Author supported in part by NSF Grants ANR-0129617, CCR-0208842 and CNS-0524765 and by an IBM Faculty Partnership Development Award.


  1. 1.
    American National Standards Institution. ANSI X9.71, Keyed hash message authentication code (ABA, Washington, D.C., 2000)Google Scholar
  2. 2.
    E. Barkan, E. Biham, A. Shamir, Rigorous bounds on cryptanalytic time/memory tradeoffs, in C. Dwork ed., Advances in Cryptology–CRYPTO’06. LNCS, vol. 4117 (Springer, Berlin, Heidelberg, 2006)Google Scholar
  3. 3.
    M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance. Preliminary version of this paper, in C. Dwork ed., Advances in Cryptology–CRYPTO’06. LNCS, vol. 4117 (Springer, Berlin, Heidelberg, 2006)Google Scholar
  4. 4.
    M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in N. Koblitz ed., Advances in Cryptology–CRYPTO’96. LNCS, vol. 1109 (Springer, Berlin, Heidelberg, 1996)Google Scholar
  5. 5.
    M. Bellare, R. Canetti, H. Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security. (Preliminary version in Proceedings of the 37th Symposium on Foundations of Computer Science (IEEE, 1996)
  6. 6.
    M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in Proceedings of the 38th Symposium on Foundations of Computer Science (IEEE, 1997)Google Scholar
  7. 7.
    M. Bellare, J. Kilian, P. Rogaway, The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000).MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in E. Biham ed., Advances in Cryptology–EUROCRYPT’03. LNCS, vol. 2656 (Springer, Berlin, Heidelberg, 2003)Google Scholar
  9. 9.
    M. Bellare, C. Namprempre, T. Kohno, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 206–241 (2004).CrossRefzbMATHGoogle Scholar
  10. 10.
    M. Bellare, O. Goldreich, A. Mityagin, The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive. Report 2004/309 (2004)Google Scholar
  11. 11.
    M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in S. Vaudenay ed., Advances in Cryptology–EUROCRYPT’06. LNCS, vol. 4004 (Springer, Berlin, Heidelberg, 2006)Google Scholar
  12. 12.
    J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: fast and secure message authentication, in M. Wiener ed., Advances in Cryptology–CRYPTO’99. LNCS, vol. 1666 (Springer, Berlin, Heidelberg, 1999)Google Scholar
  13. 13.
    J. Black, P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions, in M. Bellare ed., Advances in Cryptology–CRYPTO’00. LNCS, vol. 1880 (Springer, Berlin, Heidelberg, 2000)Google Scholar
  14. 14.
    L. Carter, M. Wegman, Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979).MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    I. Damgard, A design principle for hash functions, in G. Brassard ed., Advances in Cryptology–CRYPTO’89. LNCS, vol. 435, (Springer, New York, 1989)Google Scholar
  16. 16.
    B. den Boer, A. Bosselaers, Collisions for the compression function of MD5, in T. Helleseth ed., Advances in Cryptology–EUROCRYPT’93. LNCS, vol. 765 (Springer, Berlin Heidelberg, 1993)Google Scholar
  17. 17.
    A. De, L. Trevisan, M. Tulsiani, Time space tradeoffs for attacks against one-way functions and PRGs, in T. Rabin ed., Advances in Cryptology–CRYPTO’10. LNCS, vol. 6223 (Springer, Berlin, Heidelberg, 2010)Google Scholar
  18. 18.
    T. Dierks, C. Allen, The TLS protocol. Internet RFC 2246 (1999)Google Scholar
  19. 19.
    H. Dobbertin, A. Bosselaers, B. Preneel. RIPEMD-160: A strengthened version of RIPEMD, in D. Gollmann ed., Fast Software Encryption’96. LNCS, vol. 1039 (Springer, Berlin, Heidelberg, 1996)Google Scholar
  20. 20.
    Y. Dodis, R. Gennaro, J. Hastad, H. Krawczyk, T. Rabin, Randomness extraction and key derivation using the CBC, Cascade, and HMAC modes, in M. Franklin ed., Advances in Cryptology–CRYPTO’04. LNCS, vol. 3152 (Springer, Berlin, Heidelberg, 2004)Google Scholar
  21. 21.
    O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 210–217 (1986).MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    A. Fiat, M. Naor, Rigorous time/space tradeoffs for inverting functions. SIAM J. Comput. 29(3), 790–803 (1999).MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    D. Harkins, D. Carrel, The internet key exchange (IKE). Internet RFC 2409 (1998)Google Scholar
  24. 24.
    M. Hellman, A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980).MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    S. Hirose, A note on the strength of weak collision resistance. IEICE Trans. Fundam. E87-A(5), 1092–1097 (2004)Google Scholar
  26. 26.
    N. Koblitz, A. Menezes, Another look at HMAC. Cryptology ePrint Archive. Report 2012/074 (2012)Google Scholar
  27. 27.
    H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-hashing for message authentication. Internet RFC 2104 (1997)Google Scholar
  28. 28.
    R. Merkle, One-way hash functions and DES, in G. Brassard ed., Advances in Cryptology–CRYPTO’89. LNCS, vol. 435 (Springer, New York, 1989). (Based on an unpublished paper from 1979 and the author’s Ph.D. Thesis, Stanford, 1979)Google Scholar
  29. 29.
    D. M’Raihi, M. Bellare, F. Hoornaert, D. Naccache, O. Ranen, HOTP: An HMAC-based one time password algorithm. Internet RFC 4226, December 2005Google Scholar
  30. 30.
    National Institute of Standards and Technology, The keyed-hash message authentication code (HMAC). FIPS PUB 198–1, July 2008Google Scholar
  31. 31.
    National Institute of Standards and Technology, Secure hash standard. FIPS PUB 180–2, August 2000Google Scholar
  32. 32.
    K. Pietrzak, A closer look at HMAC. Cryptology ePrint Archive. Report 2013/212 (2013)Google Scholar
  33. 33.
    B. Preneel, P. van Oorschot, On the security of iterated message authentication codes. IEEE Trans. Inf. Theory 45(1), 188–199 (1999). (Preliminary version, entitled "MD-x MAC and building fast MACs from hash functions," in CRYPTO 95.)Google Scholar
  34. 34.
    R. Rivest, The MD5 message-digest algorithm. Internet RFC 1321, April 1992Google Scholar
  35. 35.
    V. Shoup, Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive. Report 2004/332 (2004)Google Scholar
  36. 36.
    D. Stinson, Universal hashing and authentication codes. Des. Codes Cryptogr. 4, 369–380 (1994).MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    X. Wang, Y. L. Yin, H. Yu, Finding collisions in the full SHA-1, in V. Shoup ed., Advances in Cryptology–CRYPTO’05. LNCS, vol. 3621 (Springer, Berlin, Heidelberg, 2005)Google Scholar
  38. 38.
    X. Wang, H. Yu, How to break MD5 and other hash functions, in R. Cramer ed., Advances in Cryptology–EU-ROCRYPT’05. LNCS, vol. 3494 (Springer, Berlin, Heidelberg, 2005)Google Scholar
  39. 39.
    M. Wegman, L. Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. 1.Department of Computer Science & Engineering 0404University of California San DiegoLa JollaUSA

Personalised recommendations