
Algorithmica, Volume 79, Issue 4, pp 1161–1195

Improved Generic Attacks Against Hash-Based MACs and HAIFA

  • Itai Dinur
  • Gaëtan Leurent

Abstract

The security of HMAC (and, more generally, of hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal in a series of results by Leurent et al. and Peyrin et al.: such powerful attacks require significantly fewer than \(2^{\ell}\) computations, where \(\ell\) denotes the internal state size, contradicting the common belief. In this work, we revisit and extend these results, focusing on concrete hash functions that limit the message length or apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (which feeds a block counter into every compression function call), with complexity \(2^{4\ell/5}\). Then we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle–Damgård hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice in which the hash function limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks that can be mounted with short message queries to the MAC oracle; in particular, we devise the first universal forgery attacks applicable to HMAC with SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.
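The structural difference the abstract turns on is the iteration mode. In a Merkle–Damgård hash, processing the same message block again and again applies one fixed mapping x → h(x, block) to the ℓ-bit chaining value, so a long run of identical blocks walks the functional graph of a random mapping (tail, then cycle; Flajolet and Odlyzko [9]) whose cycle structure depends only on the public compression function, not on the key. The earlier generic attacks [18, 19] exploit exactly this, which is why the maximal message length a hash function accepts bounds them. HAIFA [5] changes the mapping at every call by feeding in a counter, so a repeated chaining value does not put the walk on a cycle. The toy script below is an added example, not code from the paper: it builds both iteration modes on a constructed compression function (SHA-256 truncated to a 20-bit state, an assumption chosen so the random-mapping behaviour is visible in milliseconds), puts HMAC on top, and checks whether the walk becomes periodic after the first repeated state. The block counter in the toy HAIFA mode is the block index rather than the bit count plus salt of real HAIFA; only the "distinct counter per call" property matters here.

```python
# Toy Merkle-Damgard (MD) vs HAIFA iteration, with HMAC on top.
# Added example, not code from the paper. The compression function, block
# size, IV and key below are constructed toy values.
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

STATE_BITS = 20                      # toy internal state size "ell" (real: 160..512 bits)
MASK = (1 << STATE_BITS) - 1
BLOCK = 8                            # toy message block length in bytes
ZERO_BLOCK = bytes(BLOCK)
IV = 0x12345                         # fixed public IV (toy value)


def compress(state: int, block: bytes, counter: Optional[int] = None) -> int:
    """Toy compression function h(state, block[, counter]) -> STATE_BITS-bit state.
    MD calls it without a counter; HAIFA feeds a distinct counter into every call."""
    assert len(block) == BLOCK
    data = state.to_bytes(4, "big") + block
    if counter is not None:
        data += struct.pack(">Q", counter)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & MASK


def pad(msg: bytes) -> bytes:
    """MD-style padding: 0x80, zeros, then the message length in bits in the last 8 bytes."""
    padded = msg + b"\x80"
    padded += bytes((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(msg))


def iterate(msg: bytes, mode: str, iv: int = IV) -> int:
    """Hash msg block by block. mode 'md' reuses one mapping for every block;
    mode 'haifa' passes the 1-based block index as the per-call counter."""
    padded = pad(msg)
    state = iv
    for i in range(0, len(padded), BLOCK):
        counter = None if mode == "md" else i // BLOCK + 1
        state = compress(state, padded[i:i + BLOCK], counter)
    return state


def hmac_toy(key: bytes, msg: bytes, mode: str) -> int:
    """HMAC as in [4]: H((K xor opad) || H((K xor ipad) || msg)), on the toy hash."""
    key = key.ljust(BLOCK, b"\x00")[:BLOCK]
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = iterate(ipad + msg, mode)            # the inner state is what state-recovery targets
    return iterate(opad + inner.to_bytes(4, "big"), mode)


def chain(start: int, steps: int, mode: str) -> List[int]:
    """States reached by feeding `steps` all-zero blocks from `start` (no padding):
    in MD this walks the functional graph of the fixed mapping x -> h(x, 0)."""
    states = [start]
    for i in range(steps):
        counter = None if mode == "md" else i + 1
        states.append(compress(states[-1], ZERO_BLOCK, counter))
    return states


def first_repeat(states: List[int]) -> Optional[Tuple[int, int]]:
    """Indices (i, j), i < j, of the first state value that occurs twice."""
    seen: Dict[int, int] = {}
    for j, s in enumerate(states):
        if s in seen:
            return seen[s], j
        seen[s] = j
    return None


def repeat_is_periodic(start: int, mode: str, steps: int = 1 << 15) -> Optional[bool]:
    """After the first repeated state s_i == s_j, does the walk repeat (s_{i+k} == s_{j+k})?
    True for MD (the fixed mapping has entered its cycle); False for HAIFA, where the
    counter changes the mapping at every step so the coincidence does not persist."""
    states = chain(start, steps, mode)
    hit = first_repeat(states)
    if hit is None or hit[1] + 16 >= len(states):
        return None                      # no repeat inside the window (practically impossible at toy size)
    i, j = hit
    return all(states[i + k] == states[j + k] for k in range(1, 16))


def md_cycle_length(start: int, steps: int = 1 << 15) -> Optional[int]:
    """Cycle length (lambda) of the MD mapping reached from `start`: j - i at the first repeat."""
    hit = first_repeat(chain(start, steps, "md"))
    return None if hit is None else hit[1] - hit[0]


if __name__ == "__main__":
    key = b"k" * BLOCK                   # constructed toy key
    print("HMAC-MD    tag:", hex(hmac_toy(key, b"hello", "md")))
    print("HMAC-HAIFA tag:", hex(hmac_toy(key, b"hello", "haifa")))
    print("MD walk periodic after first repeat:   ", repeat_is_periodic(IV, "md"))
    print("HAIFA walk periodic after first repeat:", repeat_is_periodic(IV, "haifa"))
    print("MD cycle length reached from IV:", md_cycle_length(IV))
```

The cycle length reported for the MD mode is the same whichever point of the same tail the walk starts from, and it is computed without any key: that is the property a message of roughly \(2^{\ell/2}\) identical blocks lets an attacker exploit through the MAC oracle, and the property the per-call counter of HAIFA removes.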

Keywords

Hash functions, MAC, HMAC, Merkle–Damgård, HAIFA, State-recovery attack, Universal forgery attack, GOST, Streebog, SHA family

References

  1. Aumasson, J.P., Henzen, L., Meier, W., Phan, R.C.W.: SHA-3 proposal BLAKE. Submission to NIST (2008/2010). http://131002.net/blake/blake.pdf
  2. Aumasson, J.P., Neves, S., Wilcox-O'Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M.J. Jr., Locasto, M.E., Mohassel, P., Safavi-Naini, R. (eds.) ACNS. Lecture Notes in Computer Science, vol. 7954, pp. 119–135. Springer (2013)
  3. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 4117, pp. 602–619. Springer (2006)
  4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 1109, pp. 1–15. Springer (1996)
  5. Biham, E., Dunkelman, O.: A framework for iterative hash functions—HAIFA. IACR Cryptology ePrint Archive, Report 2007/278 (2007)
  6. Dinur, I., Leurent, G.: Improved generic attacks against hash-based MACs and HAIFA. In: Garay and Gennaro [10], pp. 149–168
  7. Dolmatov, V., Degtyarev, A.: GOST R 34.11-2012: hash function. RFC 6986 (informational), Aug 2013. http://www.ietf.org/rfc/rfc6986.txt
  8. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. Submission to NIST (2008/2010). http://skein-hash.info
  9. Flajolet, P., Odlyzko, A.M.: Random mapping statistics. In: Quisquater, J., Vandewalle, J. (eds.) Advances in Cryptology—EUROCRYPT '89, Houthalen, Belgium, 10–13 Apr 1989, Proceedings. Lecture Notes in Computer Science, vol. 434, pp. 329–354. Springer (1989)
  10. Garay, J.A., Gennaro, R. (eds.): Advances in Cryptology—CRYPTO 2014, 34th Annual Cryptology Conference, Santa Barbara, CA, USA, 17–21 Aug 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8616. Springer (2014)
  11. Guo, J., Peyrin, T., Sasaki, Y., Wang, L.: Updates on generic attacks against HMAC and NMAC. In: Garay and Gennaro [10], pp. 131–148
  12. Guo, J., Sasaki, Y., Wang, L., Wang, M., Wen, L.: Equivalent key recovery attacks against HMAC and NMAC with Whirlpool reduced to 7 rounds. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption—FSE 2014, London, UK, 3–5 Mar 2014, Revised Selected Papers. Lecture Notes in Computer Science, vol. 8540, pp. 571–590. Springer (2014)
  13. Guo, J., Sasaki, Y., Wang, L., Wu, S.: Cryptanalysis of HMAC/NMAC-Whirlpool. In: Sako and Sarkar [24], pp. 21–40
  14. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M.K. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 3152, pp. 306–316. Springer (2004)
  15. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 4004, pp. 183–200. Springer (2006)
  16. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than \(2^{n}\) work. In: Cramer, R. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 3494, pp. 474–490. Springer (2005)
  17. Kortelainen, T., Kortelainen, J.: On diamond structures and Trojan message attacks. In: Sako and Sarkar [24], pp. 524–539
  18. Leurent, G., Peyrin, T., Wang, L.: New generic attacks against hash-based MACs. IACR Cryptology ePrint Archive, Report 2014/406 (2014). http://eprint.iacr.org/2014/406
  19. Leurent, G., Peyrin, T., Wang, L.: New generic attacks against hash-based MACs. In: Sako and Sarkar [24], pp. 1–20
  20. Love, E.R.: Some logarithm inequalities. Math. Gaz. 64(427), 55–57 (1980). http://www.jstor.org/stable/3615890
  21. Naito, Y., Sasaki, Y., Wang, L., Yasuda, K.: Generic state-recovery and forgery attacks on ChopMD-MAC and on NMAC/HMAC. In: Sakiyama, K., Terada, M. (eds.) IWSEC. Lecture Notes in Computer Science, vol. 8231, pp. 83–98. Springer (2013)
  22. Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT. Lecture Notes in Computer Science, vol. 7658, pp. 580–597. Springer (2012)
  23. Peyrin, T., Wang, L.: Generic universal forgery attack on iterative hash-based MACs. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology—EUROCRYPT 2014, Copenhagen, Denmark, 11–15 May 2014, Proceedings. Lecture Notes in Computer Science, vol. 8441, pp. 147–164. Springer (2014)
  24. Sako, K., Sarkar, P. (eds.): Advances in Cryptology—ASIACRYPT 2013, 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, 1–5 Dec 2013, Proceedings, Part II. Lecture Notes in Computer Science, vol. 8270. Springer (2013)
  25. Tsudik, G.: Message authentication with one-way hash functions. SIGCOMM Comput. Commun. Rev. 22(5), 29–38 (1992)
  26. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)
  27. Yasuda, K.: "Sandwich" is indeed secure: how to authenticate a message with just one hashing. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP. Lecture Notes in Computer Science, vol. 4586, pp. 355–369. Springer (2007)

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. Department of Computer Science, Ben-Gurion University, Beersheba, Israel
  2. Inria, EPI SECRET, Paris, France
