Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

  • Pierre-Alain Fouque
  • Gaëtan Leurent
  • Phong Q. Nguyen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


At Crypto ’06, Bellare presented new security proofs for HMAC and NMAC, under the assumption that the underlying compression function is a pseudo-random function family. Conversely, at Asiacrypt ’06, Contini and Yin used collision techniques to obtain forgery and partial key-recovery attacks on HMAC and NMAC instantiated with MD4, MD5, SHA-0 and reduced SHA-1. In this paper, we present the first full key-recovery attacks on NMAC and HMAC instantiated with a real-life hash function, namely MD4. Our main result is an attack on HMAC/NMAC-MD4 which recovers the full MAC secret key after roughly 288 MAC queries and 295 MD4 computations. We also extend the partial key-recovery Contini-Yin attack on NMAC-MD5 (in the related-key setting) to a full key-recovery attack. The attacks are based on generalizations of collision attacks to recover a secret IV, using new differential paths for MD4.


NMAC HMAC key-recovery MD4 MD5 collisions differential path 


  1. 1.
    Amirazizi, H.R., Hellman, M.E.: Time-memory-processor trade-offs. IEEE Transactions on Information Theory 34(3), 505–512 (1988)zbMATHCrossRefGoogle Scholar
  2. 2.
    Bellare, M.: New Proofs for NMAC and HMAC: Security Without Collision Resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Contini, S., Yin, Y.L.: Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Cramer, R.J.F. (ed.): EUROCRYPT 2005. LNCS, vol. 3494, pp. 22–26. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  6. 6.
    Daum, M.: Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr-University of Bochum (2005)Google Scholar
  7. 7.
    den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  8. 8.
    Fouque, P.A., Leurent, G., Nguyen, P.: Automatic Search of Differential Path in MD4. ECRYPT Hash Worshop – Cryptology ePrint Archive, Report, 2007/206 (2007),
  9. 9.
    Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Leurent, G.: Message Freedom in MD4 and MD5: Application to APOP Security. In: Biryukov, A. (ed.) FSE. LNCS, Springer, Heidelberg (2007)Google Scholar
  11. 11.
    Preneel, B., van Oorschot, P.C.: MDx-MAC and Building Fast MACs from Hash Functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)Google Scholar
  12. 12.
    Preneel, B., van Oorschot, P.C.: On the Security of Two MAC Algorithms. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 19–32. Springer, Heidelberg (1993)Google Scholar
  13. 13.
    Preneel, B., van Oorschot, P.C.: On the Security of Iterated Message Authentication Codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)zbMATHCrossRefGoogle Scholar
  14. 14.
    Rechberger, C., Rijmen, V.: Note on Distinguishing, Forgery, and Second Preimage Attacks on HMAC-SHA-1 and a Method to Reduce the Key Entropy of NMAC. Cryptology ePrint Archive, Report, 2006/290 (2006),
  15. 15.
    Rechberger, C., Rijmen, V.: On Authentication with HMAC and Non-Random Properties. In: Dietrich, S. (ed.) Financial Cryptography. LNCS, Springer, Heidelberg (2007)Google Scholar
  16. 16.
    Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621, pp. 14–18. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  17. 17.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. [5] pp. 1–18Google Scholar
  18. 18.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. [16] pp. 17–36Google Scholar
  19. 19.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. [5] pp. 19–35Google Scholar
  20. 20.
    Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. [16] pp. 1–16Google Scholar
  21. 21.
    Yu, H., Wang, G., Zhang, G., Wang, X.: The Second-Preimage Attack on MD4. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds.) CANS 2005. LNCS, vol. 3810, pp. 1–12. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Pierre-Alain Fouque
    • 1
  • Gaëtan Leurent
    • 1
  • Phong Q. Nguyen
    • 1
  1. 1.École Normale Supérieure – Département d’Informatique, 45 rue d’Ulm, 75230 Paris Cedex 05France

Personalised recommendations