# Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5

## Abstract

This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-\({ H }\) attack on HMAC-MD5 proposed by Wang *et al*. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-\({ H }\) for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack *etc*. In particular, we generalize a previous key-recovery technique as a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key \((K_1)\) recovery on MD5-MAC, and extends it to recover both \(K_1\) and \(K_2\).

### Keywords

HMAC, Sandwich-MAC, MD5-MAC, MD5, Key recovery

## 1 Introduction

A Message Authentication Code (MAC) is a cryptographic primitive which produces authenticity and data integrity. It takes a message \(M\) and a secret key \(K\) as input and computes a tag \(\tau \). A secure MAC must resist forgery attacks.

A MAC is often constructed from a hash function such as MD5 [1] and SHA-2 [2] for its performance and availability in software libraries. There are three hash-based MAC constructions [3]. Let \(\mathcal {H}\) be a hash function. A *secret-prefix* method computes a tag of a message \(M\) by \(\mathcal {H}(K\Vert M)\). A *secret-suffix* method computes a tag by \(\mathcal {H}(M\Vert K)\). A *hybrid* method computes a tag by \(\mathcal {H}(K\Vert M\Vert K)\).

When \(\mathcal {H}\) processes \(M\) by iteratively applying a compression function \(h\), a generic existential forgery attack with a complexity of \(2^{n/2}\) exists for any of those three methods, where \(n\) is the size of the tag, \(\tau \), and of the internal chaining variable [4]. Besides, each of the three types has its own features. The secret-prefix method is vulnerable when a finalization process is not performed. This is called the *length-extension attack* [5, 6]. The secret-suffix method suffers from the collision attack on \(h\): two distinct messages \((M, M^{\prime })\) such that \(h(M)=h(M^{\prime })\) cause forgery attacks. The hybrid method seems to hide the weaknesses of the two methods at first glance. Strictly speaking, the hybrid method in [3] computes a tag by \(\mathcal {H}(K\Vert \mathtt{pad}\Vert M\Vert K^{\prime })\) where \(K\) and \(K^{\prime }\) are two independent keys and pad denotes the padding string making the length of \(K\Vert \mathtt{pad}\) equal to the block length. The security of this construction can be proven by [7] up to \(O(2^{n/2})\) queries. The single-key version, where \(K=K^{\prime }\), is well-known as *envelope MAC*, and was standardized for IPsec version 1 [8, 9]. However, Preneel and van Oorschot showed that collisions of \(h\) can reveal the second key \(K\) or \(K^{\prime }\) of the hybrid method [10] when no padding is performed between \(M\) and the second key.

**Comparison of HMAC and Sandwich-MAC.** Sandwich-MAC [15] is another hybrid-type MAC with an appropriate padding before the second key. It computes a tag by \(\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert \mathtt{pad2}\Vert K)\) as shown in Fig. 2. As with HMAC, it can call current hash functions without modifying the Merkle-Damgård (MD) implementations. It was proven to have the same security as HMAC, i.e., it is a PRF up to \(O(2^{n/2})\) queries as long as the underlying compression function \(h\) is a PRF. Moreover, Sandwich-MAC has several advantages over HMAC.

Sandwich-MAC can be computed only with a single key \(K\), while HMAC creates an inner-key \(h({\mathrm {IV}},K\oplus \mathtt{ipad})\) and an outer-key \(h({\mathrm {IV}},K\oplus \mathtt{opad})\). This reduces the number of additional blocks, where the “additional” is defined to be the number of \(h\) invocations in the scheme minus that in the usual Merkle-Damgård. HMAC requires 3 additional blocks, while Sandwich-MAC requires 1 or 2. It also avoids a related-key attack on HMAC [18] which exploits two keys with difference \(\mathtt{ipad} \oplus \mathtt{opad}\). Another advantage is the number of hash function calls. HMAC requires 2 invocations of \(\mathcal {H}\), while Sandwich-MAC requires only 1.

As shown in [19], these drawbacks of HMAC are critical especially for short messages. Taking these features into account, though it is not widely used at present, Sandwich-MAC is potentially a good candidate for a future MAC use.

**Cryptanalysis Against Hybrid MAC.** If the padding is not applied before the second key, the key is recovered with \(O(2^{n/2})\) [10]. The attack was optimized when the underlying hash function is MD5 [20, 21, 22, 23] through attacks against APOP protocol [24]. In this paper, the *IV Bridge* technique [21] will be exploited. However, these analyses basically cannot be used if an appropriate padding is applied before the second key as HMAC and Sandwich-MAC.

The authors of [25] proposed the notion of the distinguishing-\({ H }\) attack. Contini and Yin presented how to exploit a differential characteristic of an underlying compression function to recover an inner-key of HMAC/NMAC [26]. Since then, many attacks have been developed for HMAC/NMAC instantiating the MD4-family [27, 28, 29, 30, 31]. Regarding MD5, inner-key and outer-key recovery attacks were proposed only for NMAC, and only in the related-key model. Wang *et al.* presented a distinguishing-\({ H }\) attack on full HMAC-MD5 in the single-key model [32]. This is the only known result in the single-key model against hybrid MAC constructions with an appropriate padding instantiating full MD5.

Table 1. Summary and comparison of results. ISR stands for internal state recovery.

Target | Model | Attack goal | Data | Time | Memory | Ref. | Remarks
---|---|---|---|---|---|---|---
HMAC-MD5 | Adaptive | Dist-H/ISR | \(2^{97}\) | \(2^{97}\) | \(2^{89}\) | [32] |
HMAC-MD5 | Adaptive | Dist-H/ISR | \(2^{89.09}\) | \(2^{89}\) | \(2^{89}\) | Ours |
HMAC-MD5 | Non-adaptive | Dist-H/ISR | \(2^{113}\) | \(2^{113}\) | \(2^{66}\) | [32] |
HMAC-MD5 | Non-adaptive | Dist-H/ISR | \(2^{113-x}\) | \(2^{113-x}\) | \(2^{66+x}\) | Ours | \(0\le x\le 6\)
MD5-MAC | | \(K_1\)-recovery | \(2^{97}\) | \(2^{97}\) | \(2^{89}\) | [32] |
MD5-MAC | | \(K_1\)-recovery | \(2^{89.09}\) | \(2^{89}\) | \(2^{89}\) | Ours |
MD5-MAC | | \((K_1,K_2)\)-recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours |
Sandwich-MAC-MD5 | Basic | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours |
Sandwich-MAC-MD5 | Variant B | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours |
Sandwich-MAC-MD5 | Extended B | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours |

**Our Contributions.** In this paper, we present key-recovery attacks against several hybrid MAC schemes with an appropriate padding when MD5 is instantiated as an underlying hash function. The summary of results is given in Table 1. The main contribution is an original-key recovery attack against Sandwich-MAC-MD5. This is the first result that recovers the original-key in the hybrid method. Even if the key-length is longer than the tag size \(n\), the key is recovered faster than \(2^n\) computations. Moreover, an attacker does not need to know the key length in advance. Given the specification of MD5, up to a 447-bit key is recovered with \(2^{89.04}\) queries, \(2^{89}\) table look-ups, and \(2^{89}\) memory.

For the first step, we improve the distinguishing-\({ H }\) attack against HMAC-MD5 in the single-key model presented by Wang *et al.* [32], which can be utilized to reveal an internal state value. This reduces the number of queries from \(2^{98}\) to \(2^{89.09}\). This can be achieved by combining the attack in [32] with the message modification technique presented by Contini and Yin [26].

We then explain our original-key recovery attack against Sandwich-MAC-MD5 and its variant with combining various techniques on MD5. Specifically, we generalize the idea in [31] as a tool exploiting conditional key-dependent distributions. Note that a similar idea can be seen in [33] against Phelix. In this paper our goal is generalizing and simplifying the technique so that it can be applied to other cases. In the below, let \(\alpha , \kappa \) and \(\beta \) be \(x\)-bit variables, and \(\alpha _i, \kappa _i\) and \(\beta _i\) be the \(i\)-th bit of \(\alpha , \kappa \) and \(\beta \), respectively, where \(0 \le i \le x-1\).

Let us consider a modular addition \(\alpha + \kappa = \beta \); \(\alpha \) is a partially known variable where 1 bit (the MSB \(\alpha _{x-1}\)) is known but \(\alpha _{i}\) is unknown for the other \(i\). \(\kappa \) is an unknown constant. \(\beta \) is a public variable computed by \(\alpha + \kappa \), and its value is known. Intuitively, \(\alpha , \kappa \), and \(\beta \) correspond to the internal state, the key, and the tag, respectively. Then, the attacker can recover all bits of \(\kappa \) by iteratively collecting many pairs \((\beta , \alpha _{x-1})\).

Experimental verification of this observation is shown in Appendix A.

Our attack on Sandwich-MAC-MD5 recovers the key with a complexity below \(2^n\), hence it also leads to a universal forgery attack on Sandwich-MAC-MD5.

MD5-MAC [4] generates three keys \(K_0, K_1,\) and \(K_2\). The previous attack [32] only recovers \(K_1\) with a cost of \(2^{97}\). Our improvement of HMAC-MD5 also reduces this complexity to \(2^{89.09}\). Moreover, by applying our techniques on Sandwich-MAC-MD5, we achieve the first attack that recovers both \(K_1\) and \(K_2\).

## 2 Preliminaries

### 2.1 HMAC

HMAC is a hash-based MAC proposed by Bellare *et al.* [7]. Denote a hash function by \(\mathcal {H}\). On an input message \(M\), HMAC based on \(\mathcal {H}\) is computed using a single secret key \(K\) as \(\mathrm{{HMAC}}\text{- }\mathcal {H}_K(M)=\mathcal {H}(\overline{K} \oplus \mathtt{opad} \Vert \mathcal {H}(\overline{K} \oplus \mathtt{ipad}\Vert M) ),\) where \(\overline{K}\) is \(K\) padded to a full block by adding ‘0’s, \(\mathtt{opad}\) and \(\mathtt{ipad}\) are two public constants, and ‘\(\Vert \)’ denotes the concatenation.

### 2.2 Sandwich-MAC

*Sandwich-MAC* [15] is another hash-based MAC proposed by Yasuda. Besides the main scheme called *Basic*, there exist three variants called *variant A*, *B*, and *C*. Inside variant B, one extension is proposed, which we call *extended B*. In this paper, we analyze Basic, variant B, and extended B. We assume that the length of the key after the padding, \(|K\Vert \mathtt{pad}|\), is shorter than the block length, \(b\).

**Sandwich-MAC Basic.** Sandwich-MAC Basic computes tag values as \(\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert \mathtt{pad2}\Vert K)\) (see Sect. 1).

**Variant B and Extended B.** Variant B is an optimized version when \(|M|\) is already a multiple of the block length. The computation is described in Eq. (2).
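As an added illustration of Sects. 2.1 and 2.2 (this is not code from the paper or from Yasuda's Sandwich-MAC proposal), the following Python computes an HMAC-MD5 tag and a Sandwich-MAC-MD5 Basic tag with the standard library's MD5 and counts the "additional" compression-function calls of each scheme over a plain MD5 of \(M\), as defined in Sect. 1. The concrete form of pad1 (zero-fill of \(K\) to one block) and of pad2 (a single 1 bit followed by zeros to the block boundary) is an assumption made for the example; pad3 is MD5's own MD strengthening, as in Sect. 4.1.

```python
import hashlib
import hmac

BLOCK = 64    # MD5 block length b, in bytes
DIGEST = 16   # MD5 output length n, in bytes

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 of Sect. 2.1: H((K_bar ^ opad) || H((K_bar ^ ipad) || M)), two hash calls."""
    if len(key) > BLOCK:                        # HMAC hashes over-long keys first
        key = hashlib.md5(key).digest()
    k_bar = key + b"\x00" * (BLOCK - len(key))  # K padded with '0's to a full block
    inner = hashlib.md5(bytes(b ^ 0x36 for b in k_bar) + msg).digest()
    return hashlib.md5(bytes(b ^ 0x5C for b in k_bar) + inner).digest()

def pad2(msg: bytes) -> bytes:
    """ASSUMED form of pad2: a single 1 bit, then zeros up to the block boundary."""
    return b"\x80" + b"\x00" * ((BLOCK - 1 - len(msg) % BLOCK) % BLOCK)

def sandwich_md5_basic(key: bytes, msg: bytes) -> bytes:
    """Sandwich-MAC Basic of Sect. 2.2: H(K || pad1 || M || pad2 || K), one hash call.
    ASSUMED: pad1 zero-fills K to one block. pad3 (after the second K) is the MD
    strengthening that MD5 itself appends, so K || pad3 must fit in one block."""
    assert len(key) < 56, "K || pad3 must fit in one block (|K| < 447 bits)"
    pad1 = b"\x00" * (BLOCK - len(key))
    return hashlib.md5(key + pad1 + msg + pad2(msg) + key).digest()

def md_blocks(nbytes: int) -> int:
    """Compression-function calls MD5 makes on an nbytes input (0x80 plus 8-byte length)."""
    return (nbytes + 1 + 8 + BLOCK - 1) // BLOCK

def additional_blocks(key: bytes, msg: bytes) -> dict:
    """'Additional' h invocations of each MAC over a plain MD5 of M (Sect. 1)."""
    plain = md_blocks(len(msg))
    hmac_calls = md_blocks(BLOCK + len(msg)) + md_blocks(BLOCK + DIGEST)
    sandwich_calls = md_blocks(BLOCK + len(msg) + len(pad2(msg)) + len(key))
    return {"hmac": hmac_calls - plain, "sandwich": sandwich_calls - plain}

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC-MD5 against Python's hmac module."""
    return hmac.compare_digest(hmac_md5(key, msg), hmac.new(key, msg, hashlib.md5).digest())

if __name__ == "__main__":
    k, m = b"\x01" * 16, b"x" * 40          # constructed sample key and message
    print(hmac_md5(k, m).hex(), sandwich_md5_basic(k, m).hex(), additional_blocks(k, m))
```

Running `additional_blocks` on a 40-byte message gives 3 additional blocks for HMAC and 2 for Sandwich-MAC; on a 60-byte message, where the plain MD5 already needs a second block for its own padding, Sandwich-MAC needs only 1, which is the "1 or 2" of Sect. 1.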

### 2.3 MD5 Specification and Free-Start Collision Attack on MD5

MD5 [1] is a Merkle-Damgård based hash function. Its block length is 512 bits and the output size is 128 bits. At first, an input message \(M\) is padded by the MD strengthening. The padded message is divided into 512-bit blocks, \(M_i\) (\(i=0,1,\ldots ,N-1\)). First \(H_0\) is set to \(\mathrm {IV}\), which is the initial value defined in the specification. Then, \(H_{i+1} \leftarrow h(H_i, M_i)\) is computed for \(i=0,1,\ldots ,N-1\), where \(h\) is a compression function and \(H_N\) is the hash value of \(M\).

den Boer and Bosselaers [34] generated paired values \((H_i,M_i)\) and \((H_i^{\prime },M_i)\) such that \(h(H_i,M_i)=h(H_i^{\prime },M_i)\), where \(H_i\) and \(H_i^{\prime }\) have the difference \(H_i \oplus H_i^{\prime } = \mathtt{(80000000, 80000000, 80000000, 80000000)}\). Moreover, the MSBs of the second, third, and fourth variables of \(H_i\) must be equal. Hereafter, we denote this difference (including the two conditions on \(H_i\)) by \(\varDelta ^{\mathrm {MSB}}\). To satisfy the characteristic, the 46 conditions shown below must be satisfied: \(Q_{j-1,31} = Q_{j-2,31}\) (\(2\le j \le 15\)), \(Q_{j,31} = Q_{j-1,31}\) (\(16\le j \le 31\)), and \(Q_{j,31} = Q_{j-2,31}\) (\(48\le j \le 63\)).

## 3 Improved Single-Key Attacks on HMAC-MD5

### 3.1 Previous Distinguishing-\({ H }\) Attack on HMAC-MD5

Wang *et al.* presented the distinguishing-\({ H }\) attack on HMAC-MD5 [32], which can also recover the internal-state value. The attack aims to detect a 2-block message where \(\varDelta ^{\mathrm {MSB}}\) is generated by the birthday paradox in the first block and the second block forms the dBB-collision [34]. The procedure is as follows.

1. Prepare \(2^{89}\) distinct \(M_0\) and a single message block \(M_1\). Then, make queries of \(2^{89}\) two-block messages \(M_0\Vert M_1\), and collect collisions of tags.
2. For each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), replace \(M_1\) with a different \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If a collision of the tag is obtained, the pair is not a dBB-collision and is erased.
3. For the remaining collisions, choose up to \(2^{47}\) distinct values of \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If a collision is obtained, the pair is a dBB-collision.

Wang *et al.* also tweaked their attack to a chosen message attack. Firstly choose \(2^{66}\) distinct \(M_0\). Secondly build a structure of \(2^{66}\) two-block messages \(M_0\Vert M_1\) by choosing a random message \(M_1\). Then build \(2^{47}\) such structures by choosing \(2^{47}\) distinct \(M_1\). Thirdly, query each structure and collect collisions of the tag. Finally, for each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), check the situation for the other \(2^{47}-1\)\(M_1\). If there exists at least one \(M^{\prime }_1\) such that \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\) do not collide, which implies \(H_1 \ne H^{\prime }_1\), and exists another \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) collides, then \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision. The attack requires \(2^{66+47}=2^{113}\) queries, while the memory is reduced to \(2^{66}\).

**Distinguishing-\({ H }\) Attack.** Let MD5\(^r\) be a hash function where the compression function of MD5 is replaced with a random function with the same domain and range. This implies that the domain extension and the padding algorithm for MD5\(^r\) are the same as the ones of MD5. The distinguishing-\({ H }\) attack aims to decide whether a given oracle is HMAC-MD5 or HMAC-MD5\(^r\). Wang *et al.* applied their attack to the given oracle. If a dBB-collision is found, they decide that the given oracle is HMAC-MD5. Otherwise, the oracle is HMAC-MD5\(^r\).

**Internal-State Recovery Attack.** After a dBB-collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is obtained, Wang *et al.* apply the technique proposed by Contini and Yin [26] to recover the chaining variables \(Q_{7}\Vert Q_{8}\Vert Q_{9}\Vert Q_{10}\) of \(h(H_1, M_1)\). Then \(H_1\) is recovered by an inverse computation. For a complete description we refer to [26]. The complexity of recovering \(H_1\) is only \(2^{44}\) queries and \(2^{60}\) computations. The procedure of recovering \(H_1\) is an adaptive chosen message attack. Thus the whole attack is an adaptive chosen message attack with a complexity of \(2^{97}\) queries.

### 3.2 Improved Attacks on HMAC-MD5

We observe that the complexity of the core part, i.e., finding a dBB-collision, can be improved by applying the technique in [26]. In order to verify whether a collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision at step 3, Wang *et al.* choose \(2^{47}\) *completely* different values as \(M^{\prime }_{1}\) to generate a second pair following the dBB-characteristic. Our idea is to generate many \(M^{\prime }_1\) by modifying \(M_1\) only *partially* so that the differential characteristic for the first several steps remains satisfied.

We focus on the computations of \(h(H_1, M_1)\) and \(h(H^{\prime }_1, M_1)\). Recall the MD5 specification. \(M_1\) is divided into \(m_0\Vert m_1\Vert \cdots \Vert m_{15}\) and \(m_i\) is used at step \(i\) in the first 16 steps. Our strategy is only modifying message words that appear later. Note that one bit of \(m_{13}\) and the entire bits of \(m_{14}\) and \(m_{15}\) are fixed to the padding string and thus cannot be modified. So we modify \(m_{12}\) and 31 bits of \(m_{13}\) to generate distinct \(m^{\prime }_{12}\Vert m^{\prime }_{13}\). Therefore, if \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision, the modified pair can always satisfy the conditions for the first 12 steps. Thus we only need to generate \(2^{35 (= 47-12)}\) pairs at step 3. The complexity of step 3 is now reduced to \((1+2^{50})\cdot 2^{35} \approx 2^{85}\) queries. Finally, the query complexity is improved from the previous \(2^{97}\) to the sum of \(2^{89}\) for step 1 and \(2^{85}\) for step 3, which is \(2^{89.09}\). Time and memory complexities remain unchanged (\(2^{89}\)). The success probability is around \(0.87\), following the similar evaluation in [32].

Our idea can also improve the previous non-adaptive chosen message attack. We prepare \(2^{66+x}\) (\(0 \le x \le 6\)) distinct values for \(M_{0}\). We can make \(2^{131+2x}\) pairs of \(M_0\Vert M_1\) for a fixed \(M_1\). \(\varDelta H_1\) satisfies \(\varDelta ^{\mathrm {MSB}}\) with probability \(2^{-130}\), and we need \(2^{131}\) pairs to observe this event with a good probability. Therefore, with \(2^{131+2x}\) pairs, one pair should satisfy \(\varDelta ^{\mathrm {MSB}}\) at \(H_1\) and conditions for the first \(2x\) steps in the second block. Then, \(M_1\) is partially modified. We choose \(2^{47-2x}\) distinct \(M_1\) differing in the words \(m_{2x}\) and \(m_{2x+1}\), and build \(2^{47-2x}\) structures. Then, the above conditions are satisfied in any structure. Finally we find about two collisions \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) and \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\), where \(H_1 \ne H^{\prime }_1\) holds, i.e., there exists at least one \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) do not collide. The complexity is \(2^{113-x}\) queries and the memory is \(2^{66+x}\), where \(0 \le x \le 6\).

## 4 Key Recovery Attacks on Sandwich-MAC-MD5

### 4.1 Attacks on Sandwich-MAC-MD5 Basic

We show the attack for a key \(K\) with \(|K|<447\), which means that \(K\Vert \mathtt{pad3}\) fits in one block. The attack recovers all bits of \(K\Vert \mathtt{pad3}\), and the value of pad3 depends on \(|K|\). Hence the attacker does not have to know \(|K|\) in advance. Also note that the value of pad3 is determined by the MD strengthening defined in MD5, whereas Sandwich-MAC can in principle accept any padding scheme other than the one used for pad1. Our attack can be extended to any padding scheme as long as \(K\Vert \mathtt{pad3}\) fits in one block. Hereafter, we denote the 512-bit value \(K\Vert \mathtt{pad3}\) by sixteen 32-bit values \(k_0\Vert k_1\Vert \cdots \Vert k_{15}\), and aim to recover these values.

**Overview.** The attack is divided into 5 phases. The structure is shown in Fig. 3.

1. Apply the internal state recovery attack in Sect. 3.2 to Sandwich-MAC to obtain the first message block \(M_0\) and the corresponding internal state \(H_1\).
2. For the second message block, search for \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = h(H_1,M_1\Vert \mathtt{pad2})\oplus h(H_1,M_1^{\prime }\Vert \mathtt{pad2}) = \varDelta ^{\mathrm {MSB}}\). Because \(H_1\) is already recovered, the computation can be done offline.
3. Query \(2^{77}\) 2-block message pairs \((M_0\Vert M_1, M_0\Vert M_1^{\prime })\), and pick the ones which produce dBB-near-collisions at the tag \(\tau \). A pair forms a dBB-near-collision with probability \(2^{-45}\). Hence, we will obtain \(2^{77-45}=2^{32}\) pairs.
4. From the \(2^{32}\) pairs, recover the 32-bit subkey of the last step by exploiting a conditional key-dependent distribution.
5. As in phase 4, recover the 512-bit key used during the last 16 steps.

**Phase 1: Internal State Recovery.** The same procedure as the internal state recovery for HMAC-MD5 can be applied. Strictly speaking, the procedure can be optimized for Sandwich-MAC. Recall that our method in Sect. 3.2 could not modify \(m_{14}\) and \(m_{15}\) because they are fixed for the padding. In Sandwich-MAC, pad2 forces only 1 bit to be fixed, and thus we can modify \(m_{14}\) and 31 bits of \(m_{15}\). This reduces the number of queries from \(2^{89}+2^{85}\) to \(2^{89}+2^{84}\approx 2^{89.04}\).

**Phase 2: Generating \((M_1, M_1^{\prime })\) Producing \(\varDelta ^{\mathrm {MSB}}\).** This phase is offline without queries. For any underlying hash function, \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) can be found by the birthday attack with \(2^{104}\) computations and memory. For MD5, the attack can be optimized. With the help of the collision attack techniques [35, 36], Sasaki *et al.* proposed a tool called IV Bridge [21], which is a message difference producing the output difference \(\varDelta H_{i+1}=\varDelta ^{\mathrm {MSB}}\) from the input difference \(\varDelta H_i = 0\) with a complexity of \(2^{42}\). The complexity was later improved by Xie and Feng to \(2^{10}\) [37]. With the IV Bridge, message pairs can be found much faster than by the birthday attack. Note that both characteristics in [21, 37] assume that \(H_i\) is MD5's \(\mathrm {IV}\). Therefore, if \(\mathrm {IV}\) is replaced with another \(H_1\), the differential characteristic search must be performed again. Because the known automated differential characteristic searches [37, 38, 39] can deal with any \(\mathrm {IV}\), a new characteristic will be found in the same manner. Also note that if the padding string \(\mathtt{pad2}\) forces many bits to be fixed, the IV Bridge search becomes harder or impossible due to the difficulty of applying the message modification [36]. Because pad2 forces only 1 bit to be fixed, this is not a problem. The complexity for this phase is one execution of the differential characteristic search and \(2^{10}\cdot 2^{77}=2^{87}\) computations. The memory can be saved by running phase 3 as soon as we obtain each pair.

**Phase 3: Detecting dBB-Near-Collisions.** For the last message block, the probability that a pair produces the dBB-collision is \(2^{-46}\). We observe that producing collisions is not necessary because the attacker can observe the output values as a tag \(\tau \). Hence, the dBB-collision can be relaxed to the dBB-near-collision, and this increases the probability of the differential characteristic.

Considering the details for phase 4, the pair must follow the dBB-collision characteristic up to step 62. The differential propagation for the last 2 steps is depicted in Fig. 4. One condition in step 63 is erased, and the probability of the characteristic becomes \(2^{-45}\). After examining \(2^{77}\) pairs, we obtain \(2^{77-45}=2^{32}\) pairs. This phase requires \(2^{77}\) queries, and the memory to store \(2^{32}\) pairs.

Note that false positives are unlikely. Our dBB-near-collisions do not produce any difference in the leftmost and rightmost words. Besides, the difference for the second rightmost word is limited to \(2\) patterns. The probability of randomly satisfying the dBB-near-collision is \(2^{-95}\), which is unlikely with \(2^{77}\) trials.

**Phase 4: Recovering the Last Subkey.** Because both tags and \(H_2\) are known, the attacker can compute \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\) for each dBB-near-collision. We then analyze the last step. The equation to compute \(Q_{64}\) is \(Q_{64} = Q_{63}+(Q_{60}+\varPhi _{63}(Q_{63},Q_{62},Q_{61})+k_{9}+c_{63})\lll 21\). The value of \(((Q_{64}-Q_{63})\ggg 21)-\varPhi _{63}(Q_{63},Q_{62},Q_{61})-c_{63}\) can be computed from the known values \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\). We denote this value by \(Z_{63}\). Then, the equation becomes \(Z_{63}=Q_{60}+k_9\).

We then observe that the attacker can know the MSB of \(Q_{60}\) from the difference of \(Q_{63}\). The difference \(\varDelta Q_{63}=\pm 2^{31}\) indicates that \(\varDelta \varPhi _{62} = \pm 2^{31}\). This only occurs when \(Q_{62,31} = Q_{60,31}\). The difference \(\varDelta Q_{63}=\pm 2^{31} \pm 2^{14}\) indicates that \(\varDelta \varPhi _{62} = 0\). This only occurs when \(Q_{62,31} \ne Q_{60,31}\). Because the value of \(Q_{62}\) is known, the value of \(Q_{60,31}\) can be computed. In the following, we show how to recover \(k_9\) with exploiting a conditional key-dependent distribution.

Conditional Key-dependent Distribution Technique: Let us consider a modular addition \(\alpha + \kappa = \beta \); \(\alpha \) is a variable where 1 bit (the MSB) is known but the other bits are unknown. \(\kappa \) is an unknown constant. \(\beta \) is a public variable computed by \(\alpha + \kappa \), and its value is known. Then, the attacker can recover all bits of \(\kappa \) by collecting many pairs \((\beta , \alpha _{x-1})\).

The attacker separates the collected data into two groups depending on a condition on several bits of \(\beta \). For each group, the behavior of the other, unconditioned bits is analyzed, i.e., the conditional distribution is analyzed. If the conditional distribution differs depending on some bits of \(\kappa \), those bits can be recovered by observing it. Let \(c^+_i\) denote the carry into bit position \(i\) of the addition \(\alpha + \kappa \). To recover \(\kappa _{31}\) and \(\kappa _{30}\), we separate the data by the value of \(\beta _{30}\). For the group with \(\beta _{30}=0\):

- If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1/2 and is 1 with probability 1/2. This is because \(\beta _{30}=\kappa _{30}=0\) occurs only if \(\alpha _{30}=c^+_{30}=0\) (with \(c^+_{31}=0\)) or \(\alpha _{30}=c^+_{30}=1\) (with \(c^+_{31}=1\)).
- If \(\kappa _{30}=1\), \(c^+_{31}\) is 1 with probability 1.

To utilize this difference, for each data in the group with \(\beta _{30}=0\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 1. If \(\kappa _{30}=0\), the simulation returns the right value and wrong value of \(\kappa _{31}\) with a probability of 1/2. Therefore, we will obtain 2 possibilities of \(\kappa _{31}\). If \(\kappa _{30}=1\), the simulation always returns the right value of \(\kappa _{31}\). Therefore, we can obtain the unique (right) value of \(\kappa _{31}\). Due to the difference, we can recover \(\kappa _{30}\), and at the same time, recover \(\kappa _{31}\).

For the group with \(\beta _{30}=1\), the behavior is reversed:

- If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1.
- If \(\kappa _{30}=1\), \(c^+_{31}\) is 0 with probability 1/2 and is 1 with probability 1/2.

For each data in the group with \(\beta _{30}=1\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 0, and check the number of returned values of the simulation.

We then recover \(\kappa _{29}\) to \(\kappa _{0}\) in this order. In this time, we filter the data rather than separate it. In order to recover \(\kappa _{B}\), where \(29 \ge B \ge 0\), we set \((31-B)\)-bit conditions, and only pick the data satisfying all conditions. The conditions are \((\kappa _{30}=\beta _{30}), \ldots , (\kappa _{B+1}=\beta _{B+1})\), and \((c^+_{31}=\beta _{B})\). Note that \(\kappa _{31, 30, \ldots , B+1}\) are already recovered and \(c^+_{31}\) can be easily computed by \(\alpha _{31}\oplus \kappa _{31} \oplus \beta _{31}\). Let \(x\) be the value of \(c^+_{31}\), where \(x \in \{0, 1\}\). Then, we can deduce that the value of \(\kappa _{B}\) is \(x\). The proof is shown below, and is described in Fig. 6.

*Proof.* The value of \(\beta _{B}\) is \(x\) by the condition \(c^+_{31}=\beta _{B}\). From the condition \(\kappa _{30}=\beta _{30}\), the values of \(\alpha _{30}\) and \(c^+_{30}\) are also known to be \(x\). By iterating the same analysis from bit position 30 to \(B+1\), the values of \(\alpha _{B+1}\) and \(c^+_{B+1}\) are known to be \(x\). The event \(c^+_{B+1}=\beta _{B}=0\) only occurs when \(\kappa _B=0\). Similarly, the event \(c^+_{B+1}=\beta _{B}=1\) only occurs when \(\kappa _B=1\). \(\square \)

The number of necessary pairs to recover all bits of \(\kappa \) is dominated by the recovery for \(\kappa _{0}\), which is \(2^{31}\) pairs. To increase the success probability, we generate \(2^{32}\) pairs. Note that these pairs can also be used to analyze the other bits.

By replacing \((\alpha , \kappa , \beta )\) with \((Q_{60},k_9,Z_{63})\), \(k_9\) is recovered with \(2^{32}\) dBB-near-collisions. If a high success probability is required, more pairs than \(2^{32}\) should be collected. See Appendix A for more discussion.

Note that recovering \(\kappa \) with exhaustive search instead of the conditional key-dependent distribution is possible but inefficient. The attempt is as follows. *Guess* \(\kappa \), *and then compute* \(\alpha \) *by* \(\beta - \kappa \). *The known 1-bit* \(\alpha _{31}\) *takes the role of the filtering function.* During the computation of \(\beta - \kappa \), the probability that flipping \(\kappa _0\) changes the value of \(\alpha _{31}\) (through the carry effect) is \(2^{-31}\). If we collect \(2^{32}\) pairs of \((\beta , \alpha _{x-1})\) and guess 32 bits of \(\kappa \), all wrong guesses can be filtered out. However, this requires \(2^{64}\) additions, which is worse than our attack.

**Phase 5: Recovering the 512-Bit Key in the Last 16 Steps.** This phase is basically an iteration of phase 4. After \(k_9\) is recovered, the tag value can be computed backwards up to step 63, and the same analysis as for \(k_9\) can be applied to the second last step to recover \(k_2\). By iterating this for the last 16 steps, the original key \(K\) and the padding string pad3 are recovered. The number of dBB-near-collisions that we can use increases as we recover more subkeys, because the probabilistic part of the differential characteristic becomes shorter.

**Attack Evaluation.** Phase 1 requires \(2^{89.04}\) queries, \(2^{89}\) table look-ups, and memory for \(2^{89}\) states. Phase 2 requires \(2^{10}\cdot 2^{77}=2^{87}\) compression function computations. Phase 3 queries \(2^{77}\) 2-block paired messages. It also requires storing \(2^{32}\) pairs of \(H_2\) and \(H_2^{\prime }\), which needs memory for \(2^{33}\) states. Phase 4 requires \(2^{32}\cdot 1/64=2^{26}\) computations. Phase 5 requires \(15\cdot 2^{32}\cdot 16/64\), which is less than \(2^{34}\) computations. Hence, the dominant part is the internal state recovery attack of Phase 1. Our experiment in Appendix A suggests that generating more pairs in Phase 2 is better for obtaining a high success probability. Then, the complexity of Phase 2 becomes \(2^{88}\) or \(2^{89}\) compression functions. The attack works without knowing \(|K|\) as long as \(|K|<447\). The length of the queried message can always be a multiple of the block size. Hence, the attack can be extended to Sandwich-MAC variant B.

### 4.2 Attacks on Sandwich-MAC-MD5 Extended B

For this variant, the last message block can contain several bits chosen by the attacker. This reduces the complexity of the key recovery phase. Although the bottleneck of the attack is the internal state recovery phase, we show the attacks from two viewpoints. (1) We show the security gap between extended B and Basic. Although they have the same provable security, the attack is easier in extended B. (2) In practice, \(K\) may be stored in a tamper-resistant device to prevent side-channel analysis. However, the internal state value may not be protected, and the bottleneck of the attack may then become the key-recovery part.

*keyed steps*. The following steps are updated by the controlled message or the padding string until step 16. For example, if \(|K|\) is 128, the first 4 steps are the keyed steps. The initial part of the attack is as follows.

1. Recover the internal state value \(H_1\) by applying the internal state recovery attack in Sect. 3.2 or some side-channel analysis.
2. Search for \(\#X\cdot 2^{45}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = \varDelta ^{\mathrm {MSB}}\), where \(\#X\) depends on \(|K|\). Query them to obtain \(\#X\) dBB-near-collisions.
3. Recover the internal state value right after the keyed steps by using the freedom degrees of \(M_2\) with the approach by Contini and Yin [26].

**Case Study for \(|K|=128\).** Because the tag size is 128 bits, \(|K|=128\) is a natural choice. We choose \(\#X=1\) for this case. In the last block, the value of \(H_2=Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) is known. After phase 3, the value of \(Q_1\Vert Q_4\Vert Q_3\Vert Q_2\) becomes known. Then, all of \(k_0,k_1,k_2,\) and \(k_3\) are easily recovered by solving the equation of the step function, e.g. \(k_0\) is recovered by \(k_0=\bigl ( (Q_{1} - Q_0) \ggg 7 \bigr )- Q_{-3}-\varPhi _0(Q_{0},Q_{-1},Q_{-2})-c_0.\) The other key words are likewise recovered with one computation each.
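The step-function inversion used in the \(|K|=128\) case, as an added example that is not part of the paper: it implements the first four MD5 steps and the inverse formula for \(k_0\) generalized to \(k_0,\ldots ,k_3\), assuming the paper's step equation \(Q_{i+1}=Q_i+\bigl((Q_{i-3}+\varPhi _i(Q_i,Q_{i-1},Q_{i-2})+k_i+c_i)\lll s_i\bigr)\) with the real MD5 rotation amounts and constants; the sample chaining value and key words are constructed.

```python
MASK = 0xFFFFFFFF

# Rotation amounts s_0..s_3 and additive constants c_0..c_3 of MD5's first
# four steps (real MD5 values; c_i = floor(2^32 * |sin(i + 1)|)).
SHIFTS = (7, 12, 17, 22)
CONSTS = (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE)


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def rotr(x, s):
    return ((x >> s) | (x << (32 - s))) & MASK


def phi(x, y, z):
    """Boolean function Phi_i of MD5 steps 0..15: (x AND y) OR (NOT x AND z)."""
    return ((x & y) | (~x & z)) & MASK


def md5_step(window, i, m):
    """Step i of MD5: window = (Q_{i-3}, Q_{i-2}, Q_{i-1}, Q_i); returns Q_{i+1}."""
    q_m3, q_m2, q_m1, q_0 = window
    t = (q_m3 + phi(q_0, q_m1, q_m2) + m + CONSTS[i]) & MASK
    return (q_0 + rotl(t, SHIFTS[i])) & MASK


def invert_step(window, i, q_next):
    """Solve the step equation for the message word: the paper's k_0 formula for general i."""
    q_m3, q_m2, q_m1, q_0 = window
    t = rotr((q_next - q_0) & MASK, SHIFTS[i])
    return (t - q_m3 - phi(q_0, q_m1, q_m2) - CONSTS[i]) & MASK


def abcd_to_q(a, b, c, d):
    """Reorder the paper's register order Q_{-3}||Q_0||Q_{-1}||Q_{-2} into (Q_{-3}, Q_{-2}, Q_{-1}, Q_0)."""
    return (a, d, c, b)


def run_keyed_steps(h2, key_words):
    """Forward direction: from H_2 (in Q_{-3..0} order) and k_0..k_3, compute Q_1..Q_4."""
    window, states = list(h2), []
    for i, m in enumerate(key_words):
        q_next = md5_step(tuple(window), i, m)
        states.append(q_next)
        window = window[1:] + [q_next]
    return tuple(states)


def recover_keyed_words(h2, q1_to_q4):
    """Backward direction: given H_2 and Q_1..Q_4 after the keyed steps, recover k_0..k_3."""
    window, keys = list(h2), []
    for i, q_next in enumerate(q1_to_q4):
        keys.append(invert_step(tuple(window), i, q_next))
        window = window[1:] + [q_next]
    return tuple(keys)


if __name__ == "__main__":
    # Constructed sample values (not from the paper): a chaining value given in
    # the paper's a||b||c||d register order and a 128-bit key split into 4 words.
    h2 = abcd_to_q(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    key = (0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0xCAFEBABE)
    after = run_keyed_steps(h2, key)
    assert recover_keyed_words(h2, after) == key
    print("recovered k_0..k_3:", [hex(k) for k in recover_keyed_words(h2, after)])
```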

**Case Study for \(|K|=224\).** \(K\) is divided into 7 words \(k_0,\ldots ,k_6\). In the last block, the values of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_4\Vert Q_7\Vert Q_6\Vert Q_5\) are known after phase 3. To recover \(k_0,\ldots ,k_6\), we use the meet-in-the-middle (MitM) attack [40, 41]. In particular, the *all subkey recovery attack* [42] can be applied directly. The attack structure is depicted in Fig. 7. For each of the forward and backward chunks, the attacker guesses 64 key bits. The results from the two chunks can be matched without computing the 3 middle steps by *partial-matching* [43]. To reduce the key space to a sufficiently small size, 4 pairs of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_4\Vert Q_7\Vert Q_6\Vert Q_5\) are required. Hence, we set \(\#X=4\). The attack complexity is about \(4\cdot 2^{64}=2^{66}\).

**Case Study for \(|K|=352\).** \(K\) is divided into 11 words \(k_0,\ldots ,k_{10}\). The attack structure is depicted in Fig. 8. For each chunk, 16 key bits are additionally guessed (all bits of \(k_0,k_1,k_{9},k_{10}\) and 16 bits of \(k_2, k_8\)). This increases the number of skipped steps from 3 to 7 with *partial-fixing* [44] or *indirect partial-matching* [45]. To reduce the key space, we use 10 pairs of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_8\Vert Q_{11}\Vert Q_{10}\Vert Q_9\), thus \(\#X=10\). The complexity of the attack is about \(10 \cdot 2^{80}<2^{84}\). After \(k_0,k_1,k_{9},k_{10}\) and 16 bits of \(k_2, k_8\) are recovered, the remaining 192 bits can be recovered by iterating the MitM attack. Note that if \(|K|>352\), the attack becomes worse than the one in Sect. 4.1.

## 5 Discussion About HMAC and Sandwich-MAC

The compression function takes two inputs: the previous chaining variable and the message block. For block-cipher based compression functions including the MD4-family, these correspond to the key input and the plaintext input. Matyas-Meyer-Oseas (MMO) mode [46, Algorithm 9.41] takes the previous chaining variable as the key input, and Davies-Meyer (DM) mode [46, Algorithm 9.42] takes it as the message input. The main difference between HMAC and Sandwich-MAC is the structure of the finalization (the computation after \(M\) is processed by the MD structure). HMAC adopts the MMO mode while Sandwich-MAC adopts the DM mode. Our attack shows that the (outer) key can be recovered if both the MD structure and the finalization use the DM mode and a differential characteristic \((\varDelta H_i \ne 0, \varDelta M=0, \varDelta H_{i+1}=0)\) exists in \(h\). The attack can also work if both use the MMO mode. In summary, to minimize the risk, using different modes for the MD structure and the finalization is preferable. On the other hand, Okeya showed that, among the 12 secure PGV modes [47], using the MMO mode in the finalization is the only choice that protects the outer key from side-channel analysis [48, 49]. Taking into account our results, Okeya's results, and the fact that most hash functions in practice adopt the DM mode, we conclude that the HMAC construction is the best choice.

The padding rule can impact the attack complexity. If the MD-strengthening is adopted as pad2 of Sandwich-MAC, the number of bits the attacker controls decreases. This prevents the IV Bridge and makes the attack less efficient.

There are some gaps between the hardness of the attack and the provable security. From the provable security viewpoint, the choice of the padding scheme and the choice among HMAC, Sandwich-MAC Basic, variant B, and extended B are not very different. However, once the assumption for the proof (PRF of \(h\)) is broken, these choices make a significant difference. Hence, this is a trade-off between security and performance depending on how far the assumption is trusted. These differences should be taken into account when a system is designed. We do not conclude that Sandwich-MAC extended B is a bad idea. Reducing the number of meaningless padding bits is very useful, especially for tree hashing, where the hash value is computed with several hash function calls and thus the number of padding bits is larger than in sequential hashing. Our point is that the damage to the scheme when the assumption is broken is usually not discussed, but it deserves careful attention because industry continues using broken hash functions such as MD5 for a long time.

In general, the impact of a differential attack on \(h\) on applications is unclear. Wang *et al.* showed that a characteristic with \(\mathrm {Pr}[h(H_i, M)=h(H_i^{\prime }, M)]>2^{-n/2}\) can be used to mount the distinguishing-\({ H }\) attack against HMAC [32]. We extend it to key recovery on Sandwich-MAC. Finding such a conversion in general is an open problem.

## 6 Applications to MD5-MAC

**Previous Attacks.** Wang *et al.* proposed a partial key-recovery attack on MD5-MAC [32], which recovers a 128-bit key \(K_1\) with about \(2^{97}\) MAC queries and \(2^{61.58}\) offline computations. Their attack [32] is divided into three phases.

1. Generate 3 dBB-collisions of the form \((M_0\Vert M_1)\) and \((M_0^{\prime }\Vert M_1)\).
2. Recover 95 bits of \(Q_{1},Q_{2},Q_{3},Q_{4},Q_{5}\) and 90 bits of \(Q_{6},Q_{7},Q_{8},Q_{9},Q_{10}\) with the method proposed by Contini and Yin [26].
3. Recover \(K_1[0]\). Then recover \(K_1[1], K_1[2]\), and \(K_1[3]\).

**Improved Key Recovery for \(K_1\).** Because the dominant part of the attack is finding 3 dBB-collisions, the attack can be improved with our improved procedure on HMAC-MD5 in Sect. 3. The application is straightforward and thus we omit the details. The attack cost becomes \(2^{89.09}\) queries and \(2^{89}\) table lookups.

**Extended Key Recovery for \(K_2\).** Once \(K_1\) is recovered, the MAC computation structure becomes essentially the same as the one for Sandwich-MAC Basic with MD5. Because our attack on Sandwich-MAC-MD5 can recover the 512-bit secret information of the last message block faster than \(2^{128}\) queries and computations, a 512-bit key \(\overline{K_2}\) can be recovered with exactly the same procedure as the one for Sandwich-MAC-MD5. The bottleneck of the attack is still finding dBB-collisions, which requires \(2^{89.04}\) queries and \(2^{89}\) table lookups. We emphasize that this is the first result that recovers \(K_2\) of MD5-MAC.

## 7 Concluding Remarks

In this paper, we first improved the distinguishing-\({ H }\) attack on HMAC-MD5. We then proposed a key-recovery attack on Sandwich-MAC-MD5 by combining various techniques. In particular, we generalized the key-recovery technique exploiting conditional key-dependent distributions. As a result, we achieved the first result that recovers the original key of a hybrid MAC with an appropriate padding. Our results also improved the previous key-recovery attack on MD5-MAC, and extended the recovered key to both \(K_1\) and \(K_2\). We believe our results lead to a better understanding of MAC constructions.

## Footnotes

1. As a tool, the technique can be generalized further. If the \(B\)-th bit of \(\alpha \) is known instead of the MSB, the bits of \(\kappa \) from the LSB up to the \(B\)-th bit can be recovered.

### References

1. Rivest, R.L.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992). http://www.ietf.org/rfc/rfc1321.txt
2. U.S. Department of Commerce, National Institute of Standards and Technology: Secure Hash Standard (SHS) (Federal Information Processing Standards Publication 180-3) (2008). http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
3. Tsudik, G.: Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. 22(5), 29–38 (1992)
4. Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)
5. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
6. U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register, vol. 72, no. 212, November 2, 2007/Notices (2007). http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
7. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
8. Kaliski Jr., B.S., Robshaw, M.J.B.: Message authentication with MD5. Technical report, CryptoBytes (1995)
9. Metzger, P., Simpson, W.A.: Request for Comments 1852: IP Authentication using Keyed SHA. The Internet Engineering Task Force (1995). http://www.ietf.org/rfc/rfc1852.txt
10. Preneel, B., van Oorschot, P.C.: On the security of two MAC algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 19–32. Springer, Heidelberg (1996)
11. U.S. Department of Commerce, National Institute of Standards and Technology: The Keyed-Hash Message Authentication Code (HMAC) (Federal Information Processing Standards Publication 198), July 2008. http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
12. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)
13. Yasuda, K.: Multilane HMAC: security beyond the birthday limit. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 18–32. Springer, Heidelberg (2007)
14. Yasuda, K.: Boosting Merkle-Damgård hashing for message authentication. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 216–231. Springer, Heidelberg (2007)
15. Yasuda, K.: "Sandwich" is indeed secure: how to authenticate a message with just one hashing. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 355–369. Springer, Heidelberg (2007)
16. Yasuda, K.: HMAC without the "second" key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009)
17. Gauravaram, P., Okeya, K.: An update on the side channel cryptanalysis of MACs based on cryptographic hash functions. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 393–403. Springer, Heidelberg (2007)
18. Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 580–597. Springer, Heidelberg (2012)
19. Patel, S.: An efficient MAC for short messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 353–368. Springer, Heidelberg (2003)
20. Leurent, G.: Message freedom in MD4 and MD5 collisions: application to APOP. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–328. Springer, Heidelberg (2007)
21. Sasaki, Y., Wang, L., Ohta, K., Kunihiro, N.: Security of MD5 challenge and response: extension of APOP password recovery attack. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 1–18. Springer, Heidelberg (2008)
22. Sasaki, Y., Yamamoto, G., Aoki, K.: Practical password recovery on an MD5 challenge and response. Cryptology ePrint Archive, Report 2007/101 (2007). http://eprint.iacr.org/2007/101
23. Wang, L., Sasaki, Y., Sakiyama, K., Ohta, K.: Bit-free collision: application to APOP attack. In: Takagi, T., Mambo, M. (eds.) IWSEC 2009. LNCS, vol. 5824, pp. 3–21. Springer, Heidelberg (2009)
24. Myers, J., Rose, M.: Post Office Protocol - Version 3. RFC 1939 (Standard), May 1996. Updated by RFCs 1957, 2449. http://www.ietf.org/rfc/rfc1939.txt
25. Kim, J.-S., Biryukov, A., Preneel, B., Hong, S.H.: On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (extended abstract). In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006)
26. Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)
27. Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 13–30. Springer, Heidelberg (2007)
28. Lee, E., Chang, D., Kim, J.-S., Sung, J., Hong, S.H.: Second preimage attack on 3-pass HAVAL and partial key-recovery attacks on HMAC/NMAC-3-pass HAVAL. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 189–206. Springer, Heidelberg (2008)
29. Rechberger, C., Rijmen, V.: On authentication with HMAC and non-random properties. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 119–133. Springer, Heidelberg (2007)
30. Rechberger, C., Rijmen, V.: New results on NMAC/HMAC when instantiated with popular hash functions. J. Univ. Comput. Sci. 14(3), 347–376 (2008)
31. Wang, L., Ohta, K., Kunihiro, N.: New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237–253. Springer, Heidelberg (2008)
32. Wang, X., Yu, H., Wang, W., Zhang, H., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 121–133. Springer, Heidelberg (2009)
33. Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 87–100. Springer, Heidelberg (2007)
34. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
35. Klima, V.: Tunnels in hash functions: MD5 collisions within a minute. IACR Cryptology ePrint Archive, Report 2006/105 (2006). http://eprint.iacr.org/2006/105.pdf
36. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
37. Xie, T., Feng, D.: How to find weak input differences for MD5 collision attacks. Cryptology ePrint Archive, Report 2009/223 (2009), version 20090530:102049. http://eprint.iacr.org/2009/223
38. De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)
39. Mendel, F., Rechberger, C., Schläffer, M.: MD5 is weaker than weak: attacks on concatenated combiners. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 144–161. Springer, Heidelberg (2009)
40. Diffie, W., Hellman, M.E.: Exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)
41. Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011)
42. Isobe, T., Shibutani, K.: All subkeys recovery attack on block ciphers: extending meet-in-the-middle approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2013)
43. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009)
44. Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)
45. Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009)
46. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
47. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
48. Okeya, K.: Side channel attacks against HMACs based on block-cipher based hash functions. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 432–443. Springer, Heidelberg (2006)
49. Okeya, K.: Side channel attacks against hash-based MACs with PGV compression functions. IEICE Transactions 91-A(1), 168–175 (2008)