Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms

  • Helena Handschuh
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)


This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak key property, but turn out to become full-fledged divide and conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives.


Hash Function Block Cipher Message Authentication Code Message Authentication Side Channel Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    3GPP TS 35.216, Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 2: SNOW 3G specification (March 2006)Google Scholar
  2. 2.
    Bellare, M.: New Proofs for NMAC and HMAC: Security without Collision-Resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Bellare, M., Goldreich, O., Mityagin, A.: The Power of Verification Queries in Message Authentication and Authenticated Encryption. November 18 (2004),
  5. 5.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  6. 6.
    Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005), Google Scholar
  7. 7.
    Bernstein, D.J.: Polynomial Evaluation and Message Authentication, October 22 (2007)
  8. 8.
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On Families of Hash Functions via Geometric Codes and Concatenation. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 331–342. Springer, Heidelberg (1994)Google Scholar
  9. 9.
    Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and Secure Message Authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Black, J., Cochran, M.: MAC Reforgeability, November 27 (2007),
  11. 11.
    Brassard, G.: On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Crypto 1982, pp. 79–86. Plenum Press, New York (1983)Google Scholar
  12. 12.
    Carter, J.L., Wegman, M.N.: Universal classes of hash functions. Journal of Computer and System Sciences 18, 143–154 (1979)zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    den Boer, B.: A Simple and Key-Economical Unconditional Authentication Scheme. Journal of Computer Security 2, 65–71 (1993)Google Scholar
  14. 14.
    Dodis, Y., Pietrzak, K.: Improving the Security of MACs via Randomized Message Preprocessing. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 414–433. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Etzel, M., Patel, S., Ramzan, Z.: Square Hash: Fast Message Authentication via Optimized Universal Hash Functions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 234–251. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Ferguson, N.: Authentication Weaknesses in GCM (May 20, 2005),
  17. 17.
    Halevi, S., Krawczyk, H.: MMH: Software Message Authentication in the Gbit/second Rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  18. 18.
    ISO/IEC 9797, Information Technology – Security Techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a Block Cipher, ISO/IEC (1999)Google Scholar
  19. 19.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)Google Scholar
  20. 20.
    Johansson, T.: Bucket Hashing with a Small Key Size. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 149–162. Springer, Heidelberg (1997)Google Scholar
  21. 21.
    Joux, A.: Authentication Failures in NIST Version of GCM (2006),
  22. 22.
    Kabatianskii, G.A., Johansson, T., Smeets, B.: On the Cardinality of Systematic A-codes via Error Correcting Codes. IEEE Trans. on Information Theory IT42(2), 566–578 (1996)CrossRefMathSciNetGoogle Scholar
  23. 23.
    Kaps, J.-P., Yüksel, K., Sunar, B.: Energy Scalable Universal Hashing. IEEE Trans. on Computers 54(12), 1484–1495 (2005)CrossRefGoogle Scholar
  24. 24.
    Knudsen, L.: Chosen-text Attack on CBC-MAC. Electronics Letters 33(1), 48–49 (1997)CrossRefGoogle Scholar
  25. 25.
    Kohno, T., Viega, J., Whiting, D.: CWC: A High-Performance Conventional Authenticated Encryption Mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004)Google Scholar
  26. 26.
    Krawczyk, H.: LFSR-based Hashing and Authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)Google Scholar
  27. 27.
    Krovetz, T.: UMAC: Message Authentication Code using Universal Hashing. IETF, RFC 4418 (informational) (March 2006)Google Scholar
  28. 28.
    Krovetz, T.: Message Authentication on 64-bit Architectures. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 327–341. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  29. 29.
    McGrew, D.A., Fluhrer, S.: Multiple Forgery Attacks against Message Authentication Codes,
  30. 30.
    McGrew, D.A., Viega, J.: The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)Google Scholar
  31. 31.
    National Institute of Standards and Technology (NIST), SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007 (earlier drafts published in May 2005, April 2006, June 2007)Google Scholar
  32. 32.
    Petrank, E., Rackoff, C.: CBC MAC for Real-time Data Sources. Journal of Cryptology 13(3), 315–338 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  33. 33.
    Preneel, B., Bosselaers, A., Govaerts, R., Vandewalle, J.: A Chosen Text Attack on The Modified Cryptographic Checksum Algorithm of Cohen and Huang. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 154–163. Springer, Heidelberg (1990)Google Scholar
  34. 34.
    Preneel, B., van Oorschot, P.C.: On the Security of Iterated Message Authentication Codes. IEEE Trans. on Information Theory IT-45(1), 188–199 (1999)CrossRefGoogle Scholar
  35. 35.
    Simmons, G.J.: A Survey of Information Authentication. In: Simmons, G.J. (ed.) Contemporary Cryptology: The Science of Information Integrity, pp. 381–419. IEEE Press, Los Alamitos (1991)Google Scholar
  36. 36.
    Stinson, D.R.: Universal Hashing and Authentication Codes. Designs, Codes, and Cryptography 4(4), 369–380 (1994)zbMATHCrossRefMathSciNetGoogle Scholar
  37. 37.
    Wegman, M.N., Carter, J.L.: New Hash Functions and their Use in Authentication and Set Equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Helena Handschuh
    • 1
  • Bart Preneel
    • 2
    • 3
  1. 1.SpansionLevallois-Perret CedexFrance
  2. 2.Dept. Electrical Engineering-ESAT/COSICKatholieke Universiteit LeuvenLeuvenBelgium
  3. 3.IBBT, Van CrommenlaanGent

Personalised recommendations