“Sandwich” Is Indeed Secure: How to Authenticate a Message with Just One Hashing

  • Kan Yasuda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4586)


This paper shows that the classical “Sandwich” method, which prepends and appends a key to a message and then hashes the data using Merkle-Damgård iteration, does indeed provide a secure Message Authentication Code (MAC). The Sandwich construction offers a single-key MAC that can use an existing Merkle-Damgård implementation of a hash function as is, without direct access to the compression function. Hence the Sandwich approach gives us an alternative to HMAC, particularly where message size is small and high performance is required, because the Sandwich scheme is more efficient than HMAC: it consumes only two blocks of “waste” rather than three as in HMAC, and it calls the hash function only once, whereas HMAC requires two invocations of the hash function. The security result for the Sandwich method is similar to that of HMAC; namely, we prove that the Sandwich construction yields a PRF-based (pseudo-random function) MAC, provided that the underlying compression function satisfies PRF properties. In theory, the security reduction of the Sandwich scheme is roughly equivalent to that of HMAC, but in practice the requirements on the underlying compression function look quite different. Also, the security of the Sandwich construction relies heavily on the filling and padding methods applied to the data, and we show several ways of optimizing them without losing a formal proof of security.


Keywords: Message Authentication Code, MAC, Hash Function, Compression Function, Merkle-Damgård, Envelope MAC, RFC1828, HMAC
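The layout and block counts described in the abstract, as an added example that is not code from the paper: a key-prefix, key-suffix MAC over unmodified SHA-256, with a count of compression-function calls next to HMAC-SHA256. The filling rule (0x80 then zeros), the zero-filled leading key block and the 16 to 55 byte key range are assumptions made here; the abstract says the proof depends on the paper's own filling and padding, so this layout does not inherit that proof.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes

def sha256_calls(n: int) -> int:
    """Compression calls SHA-256 makes on n input bytes (MD padding is >= 9 bytes)."""
    return (n + 9 + BLOCK - 1) // BLOCK

def fill(msg: bytes) -> bytes:
    """Assumed message filling: 0x80, then zeros up to a block boundary (injective)."""
    msg += b"\x80"
    return msg + b"\x00" * (-len(msg) % BLOCK)

def sandwich_mac(key: bytes, msg: bytes) -> bytes:
    """SHA-256(key block || filled message || key): one call to the stock hash."""
    if not 16 <= len(key) <= BLOCK - 9:
        raise ValueError("key must be 16..55 bytes so key + MD padding fit one block")
    head = key.ljust(BLOCK, b"\x00")  # assumed: leading key occupies a whole block
    return hashlib.sha256(head + fill(msg) + key).digest()

def sandwich_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison."""
    return hmac.compare_digest(sandwich_mac(key, msg), tag)

def sandwich_calls(msg_len: int, key_len: int = 32) -> int:
    """Compression calls for the layout above: key block + message blocks + tail block."""
    filled = (msg_len + 1 + BLOCK - 1) // BLOCK * BLOCK
    return sha256_calls(BLOCK + filled + key_len)

def hmac_calls(msg_len: int) -> int:
    """HMAC-SHA256: inner hash (ipad key block + message) plus
    outer hash (opad key block + 32-byte inner digest)."""
    return sha256_calls(BLOCK + msg_len) + sha256_calls(BLOCK + 32)

if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not a real secret
    tag = sandwich_mac(key, b"short message")
    print(tag.hex(), sandwich_verify(key, b"short message", tag))
    for n in (0, 16, 64, 1024):
        print(n, "bytes:", sandwich_calls(n), "calls vs HMAC", hmac_calls(n))
```

For a 16-byte message this gives 3 compression calls against HMAC's 4, matching the two-versus-three "waste" blocks in the abstract.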



Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Kan Yasuda (1)
  1. NTT Information Sharing Platform Laboratories, NTT Corporation, 1-1 Hikarinooka Yokosuka-shi, Kanagawa-ken 239-0847, Japan
