Generic Universal Forgery Attack on Iterative Hash-Based MACs
In this article, we study the security of iterative hash-based MACs, such as HMAC or NMAC, with regards to universal forgery attacks. Leveraging recent advances in the analysis of functional graphs built from the iteration of HMAC or NMAC, we exhibit the very first generic universal forgery attack against hash-based MACs. In particular, our work implies that the universal forgery resistance of an n-bit output HMAC construction is not 2 n queries as long believed by the community. The techniques we introduce extend the previous functional graphs-based attacks that only took in account the cycle structure or the collision probability: we show that one can extract much more meaningful secret information by also analyzing the distance of a node from the cycle of its component in the functional graph.
KeywordsHMAC NMAC hash function universal forgery
- 2.Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
- 7.Flajolet, P., Sedgewick, R.: Analytic Combinatorics. Cambridge University Press (2009)Google Scholar
- 18.Proskurin, G.V.: On the Distribution of the Number of Vertices in Strata of a Random Mapping. Theory Probab. Appl., 803–808 (1973)Google Scholar
- 21.Rivest, R.L.: The md5 message-digest algorithm. RFC 1321 (Informational) (April 1992)Google Scholar
- 22.Sasaki, Y., Wang, L.: Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5. In: Selected Areas in Cryptography (2013)Google Scholar