# Improved Generic Attacks Against Hash-Based MACs and HAIFA


## Abstract

The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than \(2^{\ell }\) computations (where \(\ell \) denotes the internal state size), contradicting the common belief. In this work, we revisit and extend these results, with a focus on concrete hash functions that limit the message length and apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (one that uses a block counter in every compression function call), with complexity \(2^{4\ell /5}\). Then, we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle–Damgård hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash function limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks that can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.
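To make the structural distinction the abstract draws concrete, here is an added toy illustration (not code from the paper): a Merkle–Damgård iteration beside a HAIFA iteration that feeds a block counter into every compression call, with HMAC built over each. The compression function (truncated SHA-256), the parameters `ELL`, `BLOCK`, `IV` and the helper `step` are constructed assumptions; the state size is tiny only to keep the toy readable.

```python
import hashlib

# Constructed toy parameters: an ELL-bit internal state and BLOCK-byte message blocks.
ELL = 32
BLOCK = 8
IV = b"\x00" * (ELL // 8)


def compress(state, block, counter=None):
    """Toy compression function: SHA-256 truncated to ELL bits.
    In HAIFA mode the block counter is an extra input; in MD mode it is absent."""
    data = state + block
    if counter is not None:
        data += counter.to_bytes(8, "big")
    return hashlib.sha256(data).digest()[: ELL // 8]


def pad(msg):
    """Split into fixed-size blocks with a simple length-strengthening pad."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += (8 * len(msg)).to_bytes(8, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def step(state, block, position, mode):
    """One compression call at a given block position in either iteration mode."""
    if mode == "md":
        return compress(state, block)          # position is not an input
    return compress(state, block, position)    # HAIFA: position (counter) is an input


def md_hash(msg):
    """Merkle–Damgård: each step depends only on (previous state, block)."""
    state = IV
    for i, block in enumerate(pad(msg), start=1):
        state = step(state, block, i, "md")
    return state


def haifa_hash(msg):
    """HAIFA: the number of blocks hashed so far enters every compression call."""
    state = IV
    for i, block in enumerate(pad(msg), start=1):
        state = step(state, block, i, "haifa")
    return state


def hmac_toy(key, msg, h=md_hash):
    """HMAC over either toy hash, mirroring the constructions the abstract analyses."""
    key = (h(key) if len(key) > BLOCK else key).ljust(BLOCK, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return h(opad + h(ipad + msg))
```

In MD mode, `step` gives the same next state whatever the block position, so the same (state, block) pair behaves identically anywhere in a message; the HAIFA counter removes that position independence, which is why the abstract treats HAIFA separately from plain Merkle–Damgård.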

## Keywords

Hash functions; MAC; HMAC; Merkle–Damgård; HAIFA; State-recovery attack; Universal forgery attack; GOST; Streebog; SHA family