MDx-MAC and Building Fast MACs from Hash Functions

  • Bart Preneel
  • Paul C. van Oorschot
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 963)


We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDx-MAC) is proposed for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed.



Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Bart Preneel, Dept. Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Heverlee, Belgium
  • Paul C. van Oorschot, Bell-Northern Research, Ottawa, Canada
