New Proofs for NMAC and HMAC: Security Without Collision-Resistance

  • Mihir Bellare
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee, since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish that HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.
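The assumption the abstract rests on, that only the compression function needs to be a PRF, is easier to see when HMAC is written out as in RFC 2104 [22] rather than called from a library: the padded key XORed with ipad fills exactly one hash block, so the very first compression-function call of the inner hash is the keyed one and every later call only iterates from a secret chaining value. The following is an added example, not code from the paper; it builds HMAC from a plain hash and cross-checks it against Python's `hmac` module and an RFC 2202 test vector. The function names and sample inputs are this example's own.

```python
import hashlib
import hmac

# Added example (not the paper's code): HMAC built directly from the RFC 2104
# definition so the two-key structure the proofs reason about is visible.
# ipad/opad are the constants fixed by RFC 2104 and FIPS 198.
IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_from_scratch(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M))."""
    block_size = hashlib.new(hash_name).block_size  # b bytes (64 for SHA-256)
    # Keys longer than one block are hashed first; every key is then
    # zero-padded to exactly one block, so K' xor ipad occupies the first
    # block of the inner hash on its own.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ IPAD_BYTE for b in key)
    k_opad = bytes(b ^ OPAD_BYTE for b in key)
    # Inner hash: the first compression-function call absorbs only K' xor ipad,
    # producing a secret chaining value; the message is iterated from there.
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    # Outer hash: one block of K' xor opad, then the short inner digest.
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verifier side: recompute the tag and compare in constant time."""
    expected = hmac_from_scratch(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    reference = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_from_scratch(key, msg, hash_name), reference)


def rfc2202_vector_ok() -> bool:
    """HMAC-SHA1 test case 1 from RFC 2202: key = 0x0b * 20, data = 'Hi There'."""
    tag = hmac_from_scratch(b"\x0b" * 20, b"Hi There", "sha1")
    return tag.hex() == "b617318655057264e28bc0b6fb378c8ef146be00"


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    key, msg = b"constructed-demo-key", b"constructed message"
    tag = hmac_from_scratch(key, msg)
    print(tag.hex())
    print("verify:", verify_tag(key, msg, tag), "stdlib match:", matches_stdlib(key, msg))
    print("RFC 2202 vector:", rfc2202_vector_ok())
```

Two points the code makes concrete: a key longer than one block is hashed before use, so the keyed object is always a single block of the compression function's input, and verification uses a constant-time comparison so that tag checking does not leak via timing.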




1. American National Standards Institution. ANSI X9.71, Keyed hash message authentication code (2000)
2. Bellare, M.: New Proofs for NMAC and HMAC: Security without Collision-Resistance. Full version of this paper. Cryptology ePrint Archive: Report 2006/043 (2006)
3. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
4. Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: The cascade construction and its concrete security (Preliminary version in Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996)
5. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE, Los Alamitos (1997)
6. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000)
7. Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)
8. Bellare, M., Namprempre, C., Kohno, T.: Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol. ACM Transactions on Information and System Security (TISSEC) 7(2), 206–241 (2004)
9. Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive: Report 2004/309 (2004)
10. Bellare, M., Rogaway, P.: The game-playing technique and its application to triple encryption. Cryptology ePrint Archive: Report 2004/331 (2004)
11. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 216. Springer, Heidelberg (1999)
12. Black, J.A., Rogaway, P.: CBC MACs for arbitrary-length messages: The three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 197. Springer, Heidelberg (2000)
13. Carter, L., Wegman, M.: Universal classes of hash functions. Journal of Computer and System Sciences 18(2), 143–154 (1979)
14. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
15. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
16. Dierks, T., Allen, C.: The TLS protocol. Internet RFC 2246 (1999)
17. Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)
18. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)
19. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM 33(4), 210–217 (1986)
20. Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). Internet RFC 2409 (1998)
21. Hirose, S.: A note on the strength of weak collision resistance. IEICE Transactions on Fundamentals E87-A(5), 1092–1097 (2004)
22. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. Internet RFC 2104 (1997)
23. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
24. M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: An HMAC-based one-time password algorithm. Internet RFC 4226 (December 2005)
25. National Institute of Standards and Technology. The keyed-hash message authentication code (HMAC). FIPS PUB 198 (March 2002)
26. National Institute of Standards and Technology. Secure hash standard. FIPS PUB 180-2 (August 2000)
27. Preneel, B., van Oorschot, P.: On the security of iterated message authentication codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999) (Preliminary version, entitled MD-x MAC and building fast MACs from hash functions, in CRYPTO 1995)
28. Rivest, R.: The MD5 message-digest algorithm. Internet RFC 1321 (April 1992)
29. Shoup, V.: Sequences of games: A tool for taming complexity in security proofs. Cryptology ePrint Archive: Report 2004/332 (2004)
30. Stinson, D.: Universal hashing and authentication codes. Designs, Codes and Cryptography 4, 369–380 (1994)
31. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
32. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
33. Wegman, M., Carter, L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mihir Bellare, Dept. of Computer Science & Engineering 0404, University of California San Diego, La Jolla, USA
