Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5
Abstract
This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC that achieves the same provable security level and better performance, especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-\(H\) attack on HMAC-MD5 proposed by Wang et al. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-\(H\) for HMAC-MD5, the IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, and the meet-in-the-middle attack. In particular, we generalize a previous key-recovery technique into a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key (\(K_1\)) recovery on MD5-MAC, and extends it to recover both \(K_1\) and \(K_2\).
Keywords: HMAC, Sandwich-MAC, MD5-MAC, MD5, Key recovery
1 Introduction
A Message Authentication Code (MAC) is a cryptographic primitive that provides authenticity and data integrity. It takes a message \(M\) and a secret key \(K\) as input and computes a tag \(\tau \). A secure MAC must resist forgery attacks.
A MAC is often constructed from a hash function such as MD5 [1] or SHA-2 [2] because of its performance and availability in software libraries. There are three hash-based MAC constructions [3]. Let \(\mathcal {H}\) be a hash function. The secret-prefix method computes the tag of a message \(M\) as \(\mathcal {H}(K\Vert M)\). The secret-suffix method computes the tag as \(\mathcal {H}(M\Vert K)\). The hybrid method computes the tag as \(\mathcal {H}(K\Vert M\Vert K)\).
When \(\mathcal {H}\) processes \(M\) by iteratively applying a compression function \(h\), a generic existential forgery attack with complexity \(2^{n/2}\) exists for any of these three methods, where \(n\) is the size of the tag \(\tau \) and of the internal chaining variable [4]. Besides, each of the three types has its own features. The secret-prefix method is vulnerable when no finalization process is performed; this is called the length-extension attack [5, 6]. The secret-suffix method suffers from collision attacks on \(h\): two distinct messages \((M, M^{\prime })\) such that \(h(M)=h(M^{\prime })\) lead to forgery attacks. The hybrid method seems to hide the weaknesses of the two methods at first glance. Strictly speaking, the hybrid method in [3] computes the tag as \(\mathcal {H}(K\Vert \mathtt{pad}\Vert M\Vert K^{\prime })\), where \(K\) and \(K^{\prime }\) are two independent keys and \(\mathtt{pad}\) denotes the padding string that makes the length of \(K\Vert \mathtt{pad}\) equal to the block length. The security of this construction can be proven by [7] up to \(O(2^{n/2})\) queries. The single-key version, where \(K=K^{\prime }\), is well known as the envelope MAC, and was standardized for IPsec version 1 [8, 9]. However, Preneel and van Oorschot showed that collisions of \(h\) can reveal the second key \(K\) or \(K^{\prime }\) of the hybrid method [10] when no padding is applied between \(M\) and the second key.
Comparison of HMAC and Sandwich-MAC. Sandwich-MAC [15] is another hybrid-type MAC with an appropriate padding before the second key. It computes the tag as \(\mathcal {H}(K\Vert \mathtt{pad1}\Vert M\Vert \mathtt{pad2}\Vert K)\), as shown in Fig. 2. As with HMAC, it can call current hash functions without modifying the Merkle-Damgård (MD) implementations. It was proven to have the same security as HMAC, i.e., it is a PRF up to \(O(2^{n/2})\) queries as long as the underlying compression function \(h\) is a PRF. Moreover, Sandwich-MAC has several advantages over HMAC.
Sandwich-MAC can be computed with only a single key \(K\), while HMAC creates an inner key \(h({\mathrm {IV}},K\oplus \mathtt{ipad})\) and an outer key \(h({\mathrm {IV}},K\oplus \mathtt{opad})\). This reduces the number of additional blocks, where “additional” is defined as the number of \(h\) invocations in the scheme minus that in the plain Merkle-Damgård hash of \(M\). HMAC requires 3 additional blocks, while Sandwich-MAC requires 1 or 2. It also avoids a related-key attack on HMAC [18] that exploits two keys with difference \(\mathtt{ipad} \oplus \mathtt{opad}\). Another advantage is the number of hash function calls: HMAC requires 2 invocations of \(\mathcal {H}\), while Sandwich-MAC requires only 1.
As shown in [19], these drawbacks of HMAC are critical especially for short messages. Taking these features into account, Sandwich-MAC, though not widely used at present, is a good candidate for future MAC use.
Cryptanalysis Against Hybrid MACs. If no padding is applied before the second key, the key is recovered with \(O(2^{n/2})\) [10]. The attack was optimized for the case where the underlying hash function is MD5 [20, 21, 22, 23] through attacks against the APOP protocol [24]. In this paper, the IV Bridge technique [21] will be exploited. However, these analyses basically cannot be used if an appropriate padding is applied before the second key, as in HMAC and Sandwich-MAC.
Table 1. Summary and comparison of results. ISR stands for internal state recovery.

| Target | Model | Attack goal | Data | Time | Memory | Ref. | Remarks |
|---|---|---|---|---|---|---|---|
| HMAC-MD5 | Adaptive | Dist-\(H\)/ISR | \(2^{97}\) | \(2^{97}\) | \(2^{89}\) | [32] | |
| HMAC-MD5 | Adaptive | Dist-\(H\)/ISR | \(2^{89.09}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
| HMAC-MD5 | Non-adaptive | Dist-\(H\)/ISR | \(2^{113}\) | \(2^{113}\) | \(2^{66}\) | [32] | |
| HMAC-MD5 | Non-adaptive | Dist-\(H\)/ISR | \(2^{113-x}\) | \(2^{113-x}\) | \(2^{66+x}\) | Ours | \(0\le x\le 6\) |
| MD5-MAC | | \(K_1\) recovery | \(2^{97}\) | \(2^{97}\) | \(2^{89}\) | [32] | |
| MD5-MAC | | \(K_1\) recovery | \(2^{89.09}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
| MD5-MAC | | \((K_1,K_2)\) recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
| Sandwich-MAC-MD5 | Basic | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
| Sandwich-MAC-MD5 | Variant B | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
| Sandwich-MAC-MD5 | Extended B | Key recovery | \(2^{89.04}\) | \(2^{89}\) | \(2^{89}\) | Ours | |
Our Contributions. In this paper, we present key-recovery attacks against several hybrid MAC schemes with an appropriate padding when MD5 is instantiated as the underlying hash function. The summary of results is given in Table 1. The main contribution is an original-key recovery attack against Sandwich-MAC-MD5. This is the first result that recovers the original key in the hybrid method. Even if the key length is longer than the tag size \(n\), the key is recovered faster than \(2^n\) computations. Moreover, the attacker does not need to know the key length in advance. Given the specification of MD5, a key of up to 447 bits is recovered with \(2^{89.04}\) queries, \(2^{89}\) table lookups, and \(2^{89}\) memory.
As the first step, we improve the distinguishing-\(H\) attack against HMAC-MD5 in the single-key model presented by Wang et al. [32], which can be utilized to reveal an internal state value. This reduces the number of queries from \(2^{97}\) to \(2^{89.09}\). This is achieved by combining the attack in [32] with the message modification technique presented by Contini and Yin [26].
We then explain our original-key recovery attack against Sandwich-MAC-MD5 and its variants by combining various techniques on MD5. Specifically, we generalize the idea in [31] into a tool exploiting conditional key-dependent distributions. Note that a similar idea can be seen in [33] against Phelix. In this paper our goal is to generalize and simplify the technique so that it can be applied to other cases. In the following, let \(\alpha , \kappa \) and \(\beta \) be \(x\)-bit variables, and \(\alpha _i, \kappa _i\) and \(\beta _i\) be the \(i\)-th bit of \(\alpha , \kappa \) and \(\beta \), respectively, where \(0 \le i \le x-1\).
Let us consider a modular addition \(\alpha + \kappa = \beta \); \(\alpha \) is a partially known variable where only the MSB \(\alpha _{x-1}\) is known and \(\alpha _{i}\) is unknown for all other \(i\). \(\kappa \) is an unknown constant. \(\beta \) is a public variable computed as \(\alpha + \kappa \), and its value is known. Intuitively, \(\alpha , \kappa \), and \(\beta \) correspond to the internal state, the key, and the tag, respectively. Then, the attacker can recover all bits of \(\kappa \) by iteratively collecting many pairs \((\beta , \alpha _{x-1})\).
Experimental verification of this observation is shown in Appendix A.
Our attack on Sandwich-MAC-MD5 recovers the key with a complexity below \(2^n\); hence it also leads to a universal forgery attack on Sandwich-MAC-MD5.
MD5-MAC [4] generates three keys \(K_0, K_1,\) and \(K_2\). The previous attack [32] only recovers \(K_1\), with a cost of \(2^{97}\). Our improvement on HMAC-MD5 also reduces this complexity to \(2^{89.09}\). Moreover, by applying our techniques for Sandwich-MAC-MD5, we achieve the first attack that recovers both \(K_1\) and \(K_2\).
2 Preliminaries
2.1 HMAC
HMAC is a hash-based MAC proposed by Bellare et al. [7]. Denote a hash function by \(\mathcal {H}\). On an input message \(M\), HMAC based on \(\mathcal {H}\) is computed using a single secret key \(K\) as \(\mathrm{HMAC}\text{-}\mathcal {H}_K(M)=\mathcal {H}\bigl(\overline{K} \oplus \mathtt{opad} \Vert \mathcal {H}(\overline{K} \oplus \mathtt{ipad}\Vert M) \bigr),\) where \(\overline{K}\) is \(K\) padded to a full block by appending ‘0’s, \(\mathtt{opad}\) and \(\mathtt{ipad}\) are two public constants, and ‘\(\Vert \)’ denotes concatenation.
2.2 Sandwich-MAC
Sandwich-MAC [15] is another hash-based MAC, proposed by Yasuda. Besides the main scheme, called Basic, there exist three variants called variant A, B, and C. Inside variant B, one extension is proposed, which we call extended B. In this paper, we analyze Basic, variant B, and extended B. We assume that the length of the key after the padding, \(K\Vert \mathtt{pad}\), is shorter than the block length \(b\).
Variant B and Extended B. Variant B is an optimized version for the case where the length of \(M\) is already a multiple of the block length. The computation is described in Eq. (2).
2.3 MD5 Specification and Free-Start Collision Attack on MD5
MD5 [1] is a Merkle-Damgård based hash function. Its block length is 512 bits and its output size is 128 bits. First, an input message \(M\) is padded by the MD strengthening. The padded message is divided into 512-bit blocks \(M_i\) (\(i=0,1,\ldots ,N-1\)). \(H_0\) is set to \(\mathrm {IV}\), the initial value defined in the specification. Then, \(H_{i+1} \leftarrow h(H_i, M_i)\) is computed for \(i=0,1,\ldots ,N-1\), where \(h\) is the compression function, and \(H_N\) is the hash value of \(M\).
den Boer and Bosselaers [34] generated paired values \((H_i,M_i)\) and \((H_i^{\prime },M_i)\) such that \(h(H_i,M_i)=h(H_i^{\prime },M_i)\), where \(H_i\) and \(H_i^{\prime }\) have the difference \(H_i \oplus H_i^{\prime } = \mathtt{(80000000, 80000000, 80000000, 80000000)}.\) Moreover, the MSBs of the second, third, and fourth words of \(H_i\) must be equal. Hereafter, we denote this difference (including the two conditions on \(H_i\)) by \(\varDelta ^{\mathrm {MSB}}\), and we call a colliding pair following this characteristic a dBB-collision. To satisfy the characteristic, the following 46 conditions on the MSBs of the internal state words \(Q_j\) must hold: \(Q_{j-1,31} = Q_{j-2,31}\) (\(2\le j \le 15\)), \(Q_{j,31} = Q_{j-1,31}\) (\(16\le j \le 31\)), and \(Q_{j,31} = Q_{j-2,31}\) (\(48\le j \le 63\)).
3 Improved Single-Key Attacks on HMAC-MD5
3.1 Previous Distinguishing-\(H\) Attack on HMAC-MD5
The attack by Wang et al. [32] proceeds as follows.
1. Prepare \(2^{89}\) distinct \(M_0\) and a single message block \(M_1\). Then, query the \(2^{89}\) two-block messages \(M_0\Vert M_1\), and collect collisions of tags.
2. For each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), replace \(M_1\) with a different \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If the tags collide again, the pair is not a dBB-collision (the two inner states already collided after the first block) and is discarded.
3. For the remaining collisions, choose up to \(2^{47}\) distinct values of \(M^{\prime }_1\), and query \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\). If a collision is obtained, the pair is a dBB-collision.
Wang et al. also tweaked their attack into a chosen-message attack. First, choose \(2^{66}\) distinct \(M_0\). Second, build a structure of \(2^{66}\) two-block messages \(M_0\Vert M_1\) by choosing a random message \(M_1\), and build \(2^{47}\) such structures by choosing \(2^{47}\) distinct \(M_1\). Third, query each structure and collect collisions of the tag. Finally, for each collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\), check the situation for the other \(2^{47}-1\) values of \(M_1\). If there exists at least one \(M^{\prime }_1\) such that \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\) do not collide, which implies \(H_1 \ne H^{\prime }_1\), and another \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) collide, then \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision. The attack requires \(2^{66+47}=2^{113}\) queries, while the memory is reduced to \(2^{66}\).
Distinguishing-\(H\) Attack. Let MD5\(^r\) be a hash function in which the compression function of MD5 is replaced with a random function with the same domain and range; the domain extension and the padding algorithm of MD5\(^r\) are thus the same as those of MD5. The distinguishing-\(H\) attack aims to decide whether a given oracle is HMAC-MD5 or HMAC-MD5\(^r\). Wang et al. apply their attack to the given oracle. If a dBB-collision is found, they decide that the oracle is HMAC-MD5; otherwise, it is HMAC-MD5\(^r\).
Internal-State Recovery Attack. After a dBB-collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is obtained, Wang et al. apply the technique proposed by Contini and Yin [26] to recover the chaining variables \(Q_{7}\Vert Q_{8}\Vert Q_{9}\Vert Q_{10}\) of \(h(H_1, M_1)\). \(H_1\) is then recovered by inverting the first steps, since \(M_1\) is known. For a complete description we refer to [26]. The complexity of recovering \(H_1\) is only \(2^{44}\) queries and \(2^{60}\) computations. The procedure of recovering \(H_1\) is an adaptive chosen-message attack; thus the whole attack is an adaptive chosen-message attack with a complexity of \(2^{97}\) queries.
3.2 Improved Attacks on HMAC-MD5
We observe that the complexity of the core part, i.e., finding a dBB-collision, can be improved by applying the technique in [26]. In order to verify whether a collision \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision at step 3, Wang et al. choose \(2^{47}\) completely different values as \(M^{\prime }_{1}\) to generate a second pair following the dBB characteristic. Our idea is to generate many \(M^{\prime }_1\) by modifying \(M_1\) only partially, so that the differential characteristic for the first several steps remains satisfied.
We focus on the computations of \(h(H_1, M_1)\) and \(h(H^{\prime }_1, M_1)\). Recall the MD5 specification: \(M_1\) is divided into \(m_0\Vert m_1\Vert \cdots \Vert m_{15}\), and \(m_i\) is used at step \(i\) in the first 16 steps. Our strategy is to modify only message words that appear late. Note that one bit of \(m_{13}\) and all bits of \(m_{14}\) and \(m_{15}\) are fixed by the padding string and thus cannot be modified. So we modify \(m_{12}\) and 31 bits of \(m_{13}\) to generate distinct \(m^{\prime }_{12}\Vert m^{\prime }_{13}\). Therefore, if \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) is a dBB-collision, the modified pair always satisfies the conditions for the first 12 steps. Thus we only need to generate \(2^{35\,(= 47-12)}\) pairs at step 3. The complexity of step 3 is now reduced to \((1+2^{50})\cdot 2^{35} \approx 2^{85}\) queries. Finally, the query complexity is improved from the previous \(2^{97}\) to the sum of \(2^{89}\) for step 1 and \(2^{85}\) for step 3, which is \(2^{89.09}\). Time and memory complexities remain unchanged (\(2^{89}\)). The success probability is around \(0.87\), following the evaluation in [32].
Our idea can also improve the previous non-adaptive chosen-message attack. We prepare \(2^{66+x}\) (\(0 \le x \le 6\)) distinct values for \(M_{0}\). We can make \(2^{131+2x}\) pairs of \(M_0\Vert M_1\) for a fixed \(M_1\). \(\varDelta H_1\) satisfies \(\varDelta ^{\mathrm {MSB}}\) with probability \(2^{-130}\), and we need \(2^{131}\) pairs to observe this event with good probability. Therefore, with \(2^{131+2x}\) pairs, one pair should satisfy \(\varDelta ^{\mathrm {MSB}}\) at \(H_1\) and the conditions for the first \(2x\) steps in the second block. Then, \(M_1\) is partially modified. We choose \(2^{47-2x}\) distinct \(M_1\) differing in the words \(m_{2x}\) and \(m_{2x+1}\), and build \(2^{47-2x}\) structures. Then, the above conditions are satisfied in every structure. Finally we find about two collisions \((M_0\Vert M_1, M^{\prime }_0\Vert M_1)\) and \((M_0\Vert M^{\prime }_1, M^{\prime }_0\Vert M^{\prime }_1)\) where \(H_1 \ne H^{\prime }_1\) holds, i.e., there exists at least one \(M^{\prime \prime }_1\) such that \((M_0\Vert M^{\prime \prime }_1, M^{\prime }_0\Vert M^{\prime \prime }_1)\) do not collide. The complexity is \(2^{113-x}\) queries and the memory is \(2^{66+x}\), where \(0 \le x \le 6\).
4 Key Recovery Attacks on Sandwich-MAC-MD5
4.1 Attacks on Sandwich-MAC-MD5 Basic
We show the attack for a key \(K\) with \(|K|<447\), which means that \(K\Vert \mathtt{pad3}\) fits in one block. The attack recovers all bits of \(K\Vert \mathtt{pad3}\), and the value of \(\mathtt{pad3}\) depends on \(|K|\); hence the attacker does not have to know \(|K|\) in advance. Note also that \(\mathtt{pad3}\) is determined by the MD strengthening defined in MD5, whereas Sandwich-MAC can in principle accept any padding scheme except the same padding as \(\mathtt{pad1}\). Our attack extends to any padding scheme as long as \(K\Vert \mathtt{pad3}\) fits in one block. Hereafter, we denote the 512-bit value \(K\Vert \mathtt{pad3}\) by sixteen 32-bit words \(k_0\Vert k_1\Vert \cdots \Vert k_{15}\), and aim to recover these values. The attack consists of five phases.
1. Apply the internal state recovery attack in Sect. 3.2 to Sandwich-MAC to obtain a first message block \(M_0\) and the corresponding internal state \(H_1\).
2. For the second message block, search for \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = h(H_1,M_1\Vert \mathtt{pad2})\oplus h(H_1,M_1^{\prime }\Vert \mathtt{pad2}) = \varDelta ^{\mathrm {MSB}}\). Because \(H_1\) is already recovered, this computation is done offline.
3. Query the \(2^{77}\) two-block message pairs \((M_0\Vert M_1, M_0\Vert M_1^{\prime })\), and keep the ones that produce dBB-near-collisions at the tag \(\tau \). A pair forms a dBB-near-collision with probability \(2^{-45}\); hence we obtain \(2^{77-45}=2^{32}\) pairs.
4. From the \(2^{32}\) pairs, recover the 32-bit subkey of the last step by exploiting a conditional key-dependent distribution.
5. As in phase 4, recover the whole 512-bit value \(K\Vert \mathtt{pad3}\) through the last 16 steps.
Phase 2: Generating \((M_1, M_1^{\prime })\) Producing \(\varDelta ^{\mathrm {MSB}}\). This phase is offline and makes no queries. For any underlying hash function, \(2^{77}\) message pairs \((M_1, M_1^{\prime })\) can be found by a birthday attack with \(2^{104}\) computations and memory. For MD5, the attack can be optimized. With the help of the collision attack techniques [35, 36], Sasaki et al. proposed a tool called the IV Bridge [21], which is a message difference producing the output difference \(\varDelta H_{i+1}=\varDelta ^{\mathrm {MSB}}\) from the input difference \(\varDelta H_i = 0\) with a complexity of \(2^{42}\). The complexity was later improved by Xie and Feng to \(2^{10}\) [37]. With the IV Bridge, message pairs can be found much faster than by the birthday attack. Note that both characteristics in [21, 37] assume that \(H_i\) is MD5’s \(\mathrm {IV}\). Therefore, if \(\mathrm {IV}\) is replaced with another \(H_1\), the differential characteristic search must be performed again. Because the known automated differential characteristic searches [37, 38, 39] can deal with any \(\mathrm {IV}\), a new characteristic will be found in the same manner. Note also that if the padding string \(\mathtt{pad2}\) forces many bits to be fixed, the IV Bridge search becomes harder or impossible because message modification [36] can no longer be applied freely. Because \(\mathtt{pad2}\) forces only 1 bit to be fixed, this is not a problem. The complexity of this phase is one execution of the differential characteristic search and \(2^{10}\cdot 2^{77}=2^{87}\) computations. The memory can be saved by running phase 3 as soon as each pair is obtained.
Phase 3: Detecting dBB-Near-Collisions. For the last message block, the probability that a pair produces the dBB-collision is \(2^{-46}\). We observe that producing collisions is not necessary, because the attacker observes the output values as the tag \(\tau \). Hence, the dBB-collision can be relaxed to a dBB-near-collision, which increases the probability of the differential characteristic.
Considering the details of phase 4, the pair must follow the dBB-collision characteristic up to step 62. The differential propagation for the last 2 steps is depicted in Fig. 4. One condition in step 63 is dropped, and the probability of the characteristic becomes \(2^{-45}\). After examining \(2^{77}\) pairs, we obtain \(2^{77-45}=2^{32}\) pairs. This phase requires \(2^{77}\) queries and the memory to store \(2^{32}\) pairs.
Note that false positives are unlikely. Our dBB-near-collisions produce no difference in the leftmost and rightmost words, and the difference in the second rightmost word is limited to 2 patterns. The probability that a random pair satisfies the dBB-near-collision is \(2^{-95}\), which is negligible with \(2^{77}\) trials.
Phase 4: Recovering the Last Subkey. Because both the tag and \(H_2\) are known, the attacker can compute \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\) for each dBB-near-collision by subtracting \(H_2\) from the tag word by word. We then analyze the last step. The equation to compute \(Q_{64}\) is \(Q_{64} = Q_{63}+\bigl(Q_{60}+\varPhi _{63}(Q_{63},Q_{62},Q_{61})+k_{9}+c_{63}\bigr)\lll 21\). The value \(\bigl((Q_{64}-Q_{63})\ggg 21\bigr)-\varPhi _{63}(Q_{63},Q_{62},Q_{61})-c_{63}\) can therefore be computed from the known values \(Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62}\). We denote this value by \(Z_{63}\). Then the equation becomes \(Z_{63}=Q_{60}+k_9\).
We then observe that the attacker can learn the MSB of \(Q_{60}\) from the difference of \(Q_{63}\). The difference \(\varDelta Q_{63}=\pm 2^{31}\) indicates that \(\varDelta \varPhi _{62} = \pm 2^{31}\), which occurs only when \(Q_{62,31} = Q_{60,31}\). The difference \(\varDelta Q_{63}=\pm 2^{31} \pm 2^{14}\) indicates that \(\varDelta \varPhi _{62} = 0\), which occurs only when \(Q_{62,31} \ne Q_{60,31}\). Because the value of \(Q_{62}\) is known, the value of \(Q_{60,31}\) can be computed. In the following, we show how to recover \(k_9\) by exploiting a conditional key-dependent distribution.
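As an added example (not code from the paper), the last-step inversion of phase 4 and the \(Q_{60,31}\) deduction above, written against a pure-Python MD5 compression function that records every \(Q_i\). The chaining input \(H_2\) and the 64-byte last block are random stand-ins constructed for the check; a real attack gets \(H_2\) from phase 1, and learns only \(Q_{60,31}\) rather than all of \(Q_{60}\). `hashlib` is used only to validate the MD5 implementation. The state layout \(H_2 = Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and tag \(= H_2 + (Q_{61}\Vert Q_{64}\Vert Q_{63}\Vert Q_{62})\) follows this section's notation.

```python
import hashlib
import math
import random
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
CONST = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK for i in range(64)]  # c_i of step i

def rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & MASK

def rotr(v, s):
    return rotl(v, 32 - s)

def phi(i, x, y, z):
    """Bitwise round function Phi_i of MD5 step i (F, G, H, I)."""
    if i < 16:
        return ((x & y) | (~x & z)) & MASK
    if i < 32:
        return ((x & z) | (y & ~z)) & MASK
    if i < 48:
        return x ^ y ^ z
    return (y ^ (x | ~z)) & MASK

def msg_index(i):
    """Index of the message word m_j consumed at step i (step 63 uses m_9, step 62 uses m_2)."""
    if i < 16:
        return i
    if i < 32:
        return (5 * i + 1) % 16
    if i < 48:
        return (3 * i + 5) % 16
    return (7 * i) % 16

def md5_compress_trace(h, block):
    """h(H, M) for one 512-bit block. Also returns the state words Q_{-3}..Q_64 keyed by index,
    with the input laid out as H = Q_{-3} || Q_0 || Q_{-1} || Q_{-2} as in the text."""
    m = struct.unpack("<16I", block)
    q = {-3: h[0], 0: h[1], -1: h[2], -2: h[3]}
    for i in range(64):
        t = (q[i - 3] + phi(i, q[i], q[i - 1], q[i - 2]) + CONST[i] + m[msg_index(i)]) & MASK
        q[i + 1] = (q[i] + rotl(t, SHIFTS[i])) & MASK
    out = tuple((h[j] + q[idx]) & MASK for j, idx in enumerate((61, 64, 63, 62)))
    return out, q

def md5_digest(msg):
    """Full MD5 (MD strengthening plus iteration); used only to validate the compression function."""
    length = struct.pack("<Q", (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF)
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + length
    h = IV
    for off in range(0, len(padded), 64):
        h, _ = md5_compress_trace(h, padded[off:off + 64])
    return struct.pack("<4I", *h)

def md5_matches_hashlib(msg):
    return md5_digest(msg) == hashlib.md5(msg).digest()

def z63_from_tag(h2, tag):
    """Phase 4: undo the feed-forward and step 63 from public values only.
    Z_63 = ((Q_64 - Q_63) >>> 21) - Phi_63(Q_63, Q_62, Q_61) - c_63, which equals Q_60 + k_9."""
    q61, q64, q63, q62 = ((t - v) & MASK for t, v in zip(tag, h2))
    return (rotr((q64 - q63) & MASK, 21) - phi(63, q63, q62, q61) - CONST[63]) & MASK

def step62(q59, q60, q61, q62, k2):
    """Q_63 = Q_62 + ((Q_59 + Phi_62(Q_62, Q_61, Q_60) + c_62 + k_2) <<< 15)."""
    t = (q59 + phi(62, q62, q61, q60) + CONST[62] + k2) & MASK
    return (q62 + rotl(t, SHIFTS[62])) & MASK

def q60_msb_from_pair(q62, q63, q63_prime):
    """Delta Q_63 = +-2^31 exactly (no +-2^14 term) iff Delta Phi_62 = +-2^31 iff Q_{62,31} = Q_{60,31}."""
    msb62 = q62 >> 31
    return msb62 if ((q63_prime - q63) & MASK) == 0x80000000 else msb62 ^ 1

def check_last_step(seed=1):
    """Constructed check: random H_2 and a random 64-byte block standing in for K||pad3 (not a real
    key). True iff Z_63 computed from (H_2, tag) equals Q_60 + k_9, with Q_60 read from the trace."""
    rng = random.Random(seed)
    key_block = bytes(rng.getrandbits(8) for _ in range(64))
    k = struct.unpack("<16I", key_block)
    h2 = tuple(rng.getrandbits(32) for _ in range(4))
    tag, q = md5_compress_trace(h2, key_block)
    return z63_from_tag(h2, tag) == ((q[60] + k[9]) & MASK)

def msb_rule_holds(trials=256, seed=2):
    """Constructed check of the Q_{60,31} deduction: random Q_59..Q_62, the dBB difference
    (MSB flipped in every word) on the partner, the same k_2, then compare the two Q_63 values."""
    rng = random.Random(seed)
    for _ in range(trials):
        q59, q60, q61, q62, k2 = (rng.getrandbits(32) for _ in range(5))
        q63 = step62(q59, q60, q61, q62, k2)
        q63p = step62(q59 ^ 0x80000000, q60 ^ 0x80000000, q61 ^ 0x80000000, q62 ^ 0x80000000, k2)
        if q60_msb_from_pair(q62, q63, q63p) != q60 >> 31:
            return False
    return True

if __name__ == "__main__":
    print(md5_matches_hashlib(b"abc"), check_last_step(), msb_rule_holds())
```

The same inversion applies at any step once \(Q_{i-3},\ldots,Q_{i+1}\) are known (the \(k_0\) recovery in Sect. 4.2 is the case \(i=0\)); the only quantity the attacker lacks in phase 4 is the full \(Q_{60}\), which is why \(Z_{63}=Q_{60}+k_9\) is fed to the conditional key-dependent distribution technique rather than solved directly.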
Conditional Key-dependent Distribution Technique: Let us consider a modular addition \(\alpha + \kappa = \beta \), where \(\alpha \) is a variable whose MSB is known but whose other bits are unknown, \(\kappa \) is an unknown constant, and \(\beta \) is a public variable computed as \(\alpha + \kappa \), whose value is known. Let \(c^+_i\) denote the carry into bit position \(i\) of this addition, so that \(\beta _i = \alpha _i \oplus \kappa _i \oplus c^+_i\) and \(c^+_0 = 0\). Then, the attacker can recover all bits of \(\kappa \) by collecting many pairs \((\beta , \alpha _{x-1})\).
The attacker separates the collected data into two groups depending on a condition on several bits of \(\beta \). For each group, the behavior of the other, unconditioned bits is analyzed, i.e., a conditional distribution is analyzed. If the conditional distribution differs depending on some bits of \(\kappa \), those bits can be recovered by observing it.
Recovering \(\kappa _{30}\) and \(\kappa _{31}\). First separate the data by the value of \(\beta _{30}\). In the group with \(\beta _{30}=0\):
- If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1/2 and 1 with probability 1/2. This is because \(\beta _{30}=\kappa _{30}=0\) occurs only if \(\alpha _{30}=c^+_{30}=0\) (with \(c^+_{31}=0\)) or \(\alpha _{30}=c^+_{30}=1\) (with \(c^+_{31}=1\)).
- If \(\kappa _{30}=1\), \(c^+_{31}\) is 1 with probability 1.
To utilize this difference, for each data item in the group with \(\beta _{30}=0\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 1, i.e., \(\kappa _{31} = \beta _{31} \oplus \alpha _{31} \oplus 1\). If \(\kappa _{30}=0\), the simulation returns the right value and the wrong value of \(\kappa _{31}\) with probability 1/2 each, so we observe 2 possible values of \(\kappa _{31}\). If \(\kappa _{30}=1\), the simulation always returns the right value of \(\kappa _{31}\), so we observe a unique (right) value. Due to this difference, we recover \(\kappa _{30}\) and, at the same time, \(\kappa _{31}\).
In the group with \(\beta _{30}=1\):
- If \(\kappa _{30}=0\), \(c^+_{31}\) is 0 with probability 1.
- If \(\kappa _{30}=1\), \(c^+_{31}\) is 0 with probability 1/2 and 1 with probability 1/2.
For each data item in the group with \(\beta _{30}=1\), we simulate the value of \(\kappa _{31}\) by assuming that \(c^+_{31}\) is 0, and count the distinct values returned by the simulation: a unique value means \(\kappa _{30}=0\) (and that value is \(\kappa _{31}\)), while 2 values mean \(\kappa _{30}=1\).
We then recover \(\kappa _{29}\) down to \(\kappa _{0}\) in this order. This time, we filter the data rather than separate it. In order to recover \(\kappa _{B}\), where \(29 \ge B \ge 0\), we set \((31-B)\) bit conditions and pick only the data satisfying all of them. The conditions are \((\kappa _{30}=\beta _{30}), \ldots , (\kappa _{B+1}=\beta _{B+1})\), and \((c^+_{31}=\beta _{B})\). Note that \(\kappa _{31}, \kappa _{30}, \ldots , \kappa _{B+1}\) are already recovered and \(c^+_{31}\) is easily computed as \(\alpha _{31}\oplus \kappa _{31} \oplus \beta _{31}\). Let \(x\) be the value of \(c^+_{31}\), where \(x \in \{0, 1\}\). Then we can deduce that the value of \(\kappa _{B}\) is \(x\). The proof is given below and illustrated in Fig. 6.
Proof
The value of \(\beta _{B}\) is \(x\) by the condition \(c^+_{31}=\beta _{B}\). From the condition \(\kappa _{30}=\beta _{30}\) we have \(\alpha _{30}=c^+_{30}\), and since \(c^+_{31}\) is the majority of \(\alpha _{30}, \kappa _{30}, c^+_{30}\), the values of \(\alpha _{30}\) and \(c^+_{30}\) are also \(x\). By iterating the same argument from bit position 30 down to \(B+1\), the values of \(\alpha _{B+1}\) and \(c^+_{B+1}\) are \(x\). The event \(c^+_{B+1}=\beta _{B}=0\) occurs only when \(\kappa _B=0\). Similarly, the event \(c^+_{B+1}=\beta _{B}=1\) occurs only when \(\kappa _B=1\). \(\square \)
The number of pairs necessary to recover all bits of \(\kappa \) is dominated by the recovery of \(\kappa _{0}\), which needs \(2^{31}\) pairs. To increase the success probability, we generate \(2^{32}\) pairs. Note that these pairs can also be used to analyze the other bits.
By replacing \((\alpha , \kappa , \beta )\) with \((Q_{60},k_9,Z_{63})\), \(k_9\) is recovered from \(2^{32}\) dBB-near-collisions. If a high success probability is required, more than \(2^{32}\) pairs should be collected. See Appendix A for more discussion.
Note that recovering \(\kappa \) by exhaustive search instead of the conditional key-dependent distribution is possible but inefficient. The attempt is as follows. Guess \(\kappa \), and then compute \(\alpha \) as \(\beta - \kappa \). The known bit \(\alpha _{31}\) serves as the filter. In the computation of \(\beta - \kappa \), the probability that flipping \(\kappa _0\) changes the value of \(\alpha _{31}\) (through the carry effect) is \(2^{-31}\). If we collect \(2^{32}\) pairs \((\beta , \alpha _{x-1})\) and guess the 32 bits of \(\kappa \), all wrong guesses can be filtered out. However, this requires \(2^{64}\) additions, which is worse than our attack.
Phase 5: Recovering the 512-Bit Key in the Last 16 Steps. This phase is basically an iteration of phase 4. After \(k_9\) is recovered, the state can be computed backward through step 63, and the same analysis as for \(k_9\) can be applied to the second-to-last step to recover \(k_2\). By iterating this over the last 16 steps, the original key \(K\) and the padding string \(\mathtt{pad3}\) are recovered. The number of usable dBB-near-collisions increases as more subkeys are recovered, because the probabilistic part of the differential characteristic becomes shorter.
Attack Evaluation. Phase 1 requires \(2^{89.04}\) queries, \(2^{89}\) table lookups, and memory for \(2^{89}\) states. Phase 2 requires \(2^{10}\cdot 2^{77}=2^{87}\) compression function computations. Phase 3 queries \(2^{77}\) two-block message pairs. It also requires storing \(2^{32}\) pairs of \(H_2\) and \(H_2^{\prime }\), i.e., memory for \(2^{33}\) states. Phase 4 requires \(2^{32}\cdot 1/64=2^{26}\) computations. Phase 5 requires \(15\cdot 2^{32}\cdot 16/64\), which is less than \(2^{34}\) computations. Hence, the dominant part is the internal state recovery attack in phase 1. Our experiment in Appendix A suggests that generating more pairs in phase 2 is better for a high success probability; then the complexity of phase 2 becomes \(2^{88}\) or \(2^{89}\) compression function computations. The attack works without knowing \(|K|\) as long as \(|K|<447\). The length of the queried message can always be a multiple of the block size; hence, the attack extends to Sandwich-MAC variant B.
4.2 Attacks on Sandwich-MAC-MD5 Extended B
For this variant, the last message block can contain several bits chosen by the attacker. This reduces the complexity of the key recovery phase. Although the bottleneck of the attack is the internal state recovery phase, we show the attack for two reasons. (1) It shows the security gap between extended B and Basic: although they have the same provable security, the attack is easier against extended B. (2) In practice, \(K\) may be stored in a tamper-resistant device to prevent side-channel analysis, while the internal state value may not be protected; then the bottleneck of the attack may become the key-recovery part. The attack proceeds as follows.
1. Recover the internal state value \(H_1\) by applying the internal state recovery attack in Sect. 3.2 or some side-channel analysis.
2. Search for \(\#X\cdot 2^{45}\) message pairs \((M_1, M_1^{\prime })\) such that \(\varDelta H_2 = \varDelta ^{\mathrm {MSB}}\), where \(\#X\) depends on \(|K|\). Query them to obtain \(\#X\) dBB-near-collisions.
3. Recover the internal state value right after the keyed steps by using the degrees of freedom of \(M_2\) with the approach by Contini and Yin [26].
Case Study for \(|K|=128\). Because the tag size is 128 bits, \(|K|=128\) is a natural choice. We choose \(\#X=1\) for this case. In the last block, the value of \(H_2=Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) is known. After phase 3, the value of \(Q_1\Vert Q_4\Vert Q_3\Vert Q_2\) becomes known. Then, all of \(k_0,k_1,k_2,\) and \(k_3\) are easily recovered by solving the step-function equation, e.g. \(k_0\) is recovered as \(k_0=\bigl ( (Q_{1} - Q_0) \ggg 7 \bigr ) - Q_{-3}-\varPhi _0(Q_{0},Q_{-1},Q_{-2})-c_0.\) The other key words are recovered likewise with one computation each.
Case Study for \(|K|=352\). \(K\) is divided into 11 words \(k_0,\ldots ,k_{10}\). The attack structure is depicted in Fig. 8. For each chunk, 16 key bits are additionally guessed (all bits of \(k_0,k_1,k_{9},k_{10}\) and 16 bits each of \(k_2\) and \(k_8\)). This increases the number of skipped steps from 3 to 7 with the partial-fixing [44] or the indirect partial-matching [45] technique. To reduce the key space, we use 10 pairs of \(Q_{-3}\Vert Q_0\Vert Q_{-1}\Vert Q_{-2}\) and \(Q_8\Vert Q_{11}\Vert Q_{10}\Vert Q_9\); thus \(\#X=10\). The complexity of the attack is about \(10 \cdot 2^{80}<2^{84}\). After \(k_0,k_1,k_{9},k_{10}\) and 16 bits each of \(k_2\) and \(k_8\) are recovered, the remaining 192 bits can be recovered by iterating the MitM attack. Note that if \(|K|>352\), the attack becomes worse than the one in Sect. 4.1.
5 Discussion About HMAC and Sandwich-MAC
The compression function takes two inputs: the previous chaining variable and the message block. For block-cipher based compression functions, including the MD4 family, these correspond to the key input and the plaintext input. Matyas-Meyer-Oseas (MMO) mode [46, Algorithm 9.41] takes the previous chaining variable as the key input, and Davies-Meyer (DM) mode [46, Algorithm 9.42] takes it as the message input. The main difference between HMAC and Sandwich-MAC is the structure of the finalization (the computation after \(M\) is processed by the MD structure). HMAC adopts the MMO mode while Sandwich-MAC adopts the DM mode. Our attack shows that the (outer) key can be recovered if both the MD structure and the finalization are in DM mode and a differential characteristic \((\varDelta H_i \ne 0, \varDelta M=0, \varDelta H_{i+1}=0)\) exists in \(h\). The attack also works if both are in MMO mode. In summary, to minimize the risk, using different modes for the MD structure and the finalization is preferable. On the other hand, Okeya showed that, among the 12 secure PGV modes [47], using the MMO mode in the finalization is the only choice that protects the outer key from side-channel analysis [48, 49]. Taking into account our results, Okeya's results, and the fact that most hash functions in practice adopt the DM mode, we conclude that the HMAC construction is the best choice.
The padding rule can also affect the attack complexity. If MD-strengthening is adopted as pad2 of Sandwich-MAC, the number of bits the attacker controls decreases. This prevents the IV Bridge and makes the attack less efficient.
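To make the structural difference between the two finalizations concrete, the following Python (an added example, not code from the paper) reimplements the MD5 compression function as a Davies-Meyer step, builds HMAC-MD5 on top of it (checked against the standard library), and places beside it a sandwich-style MAC whose last compression call takes the key as its message input. The sandwich layout is an assumption for illustration only: zero padding for pad1 and pad2, keys of at most 64 bytes, and MD-strengthening applied after the key block; it is not Yasuda's exact specification.

```python
import hashlib, hmac, math, struct

S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4  # rotations
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xffffffff for i in range(64)]  # additive constants
MD5_IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
MASK = 0xffffffff
rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def md5_compress(h, block):
    # Davies-Meyer step: block = cipher key, h = plaintext; output = h + E_block(h) mod 2^32
    a, b, c, d = h
    x = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + x[g]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
    return tuple((u + v) & MASK for u, v in zip(h, (a, b, c, d)))

def md5_finish(msg, h=MD5_IV, prefix_len=0):
    # Absorb msg from state h and apply MD-strengthening; prefix_len = bytes already absorbed.
    total = prefix_len + len(msg)
    data = msg + b'\x80' + b'\x00' * ((55 - total) % 64) + struct.pack('<Q', total * 8)
    for i in range(0, len(data), 64):
        h = md5_compress(h, data[i:i + 64])
    return struct.pack('<4I', *h)

def hmac_md5(key, msg):  # keys of at most 64 bytes
    # HMAC: the secret reaches the finalization through the chaining-variable input.
    key = key.ljust(64, b'\x00')
    inner = md5_finish(msg, md5_compress(MD5_IV, bytes(k ^ 0x36 for k in key)), 64)
    h_out = md5_compress(MD5_IV, bytes(k ^ 0x5c for k in key))  # secret state from K xor opad
    return md5_finish(inner, h_out, 64)                          # inner hash is the message input

def sandwich_md5(key, msg):  # keys of at most 64 bytes
    # Illustrative sandwich-style MAC (assumed layout, not Yasuda's exact pad2): K||pad1 is
    # block 1, M||pad2 is block-aligned, and K re-enters as the *message* of the final call.
    key = key.ljust(64, b'\x00')
    h = md5_compress(MD5_IV, key)                 # block 1: K||pad1
    body = msg + b'\x00' * (-len(msg) % 64)       # M||pad2 (zero padding to a block boundary)
    for i in range(0, len(body), 64):
        h = md5_compress(h, body[i:i + 64])
    return md5_finish(key, h, 64 + len(body))     # secret on the DM key input, then MD padding

def self_check(key=b'constructed-key', msg=b'constructed message'):
    k64, body = key.ljust(64, b'\x00'), msg + b'\x00' * (-len(msg) % 64)
    return (hmac_md5(key, msg) == hmac.new(key, msg, 'md5').digest()
            and sandwich_md5(key, msg) == hashlib.md5(k64 + body + k64).digest())
```

In `hmac_md5` the secret-dependent value is the chaining variable `h_out`, while in `sandwich_md5` the secret is the 512-bit block fed to the last `md5_compress` call, which is exactly the placement the attack in this paper exploits.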
There are some gaps between the hardness of the attack and the provable security. From the provable-security viewpoint, the choice of the padding scheme and the choice among HMAC, Sandwich-MAC Basic, variant B, and extended B are not very different. However, once the assumption of the proof (that \(h\) is a PRF) is broken, these choices make a significant difference. Hence, this is a trade-off between security and performance that depends on how far the assumption is trusted. These differences should be taken into account when a system is designed. We do not conclude that Sandwich-MAC extended B is a bad idea. Reducing the number of meaningless padding bits is very attractive, especially for tree hashing, where the hash value is computed with several hash function calls and thus the amount of padding is larger than in sequential hashing. Our point is that the damage to a scheme when its assumption is broken is usually not discussed, but it deserves careful attention because industry continues to use broken hash functions such as MD5 for a long time.
In general, the impact of a differential attack on \(h\) for applications is unclear. Wang et al. showed that a characteristic with \(\mathrm {Pr}[h(H_i, M)=h(H_i^{\prime }, M)]>2^{n/2}\) can be used to mount the distinguishing-\({ H }\) attack against HMAC [32]. We extend it to key recovery on Sandwich-MAC. Finding such conversions in general is an open problem.
6 Applications to MD5-MAC
1. Generate 3 dBB-collisions of the form \((M_0\Vert M_1)\) and \((M_0^{\prime }\Vert M_1)\).
2. Recover 95 bits of \(Q_{1},Q_{2},Q_{3},Q_{4},Q_{5}\) and 90 bits of \(Q_{6},Q_{7},Q_{8},Q_{9},Q_{10}\) with the method proposed by Contini and Yin [26].
3. Recover \(K_1[0]\). Then recover \(K_1[1], K_1[2]\), and \(K_1[3]\).
Improved Key Recovery for \(K_1\). Because the dominant part of the attack is finding 3 dBB-collisions, the attack can be improved with our improved procedure on HMAC-MD5 in Sect. 3. The application is straightforward and thus we omit the details. The attack cost becomes \(2^{89.09}\) queries and \(2^{89}\) table lookups.
Extended Key Recovery for \(K_2\). Once \(K_1\) is recovered, the MAC computation structure becomes essentially the same as that of Sandwich-MAC Basic with MD5. Because our attack on Sandwich-MAC-MD5 can recover the 512-bit secret information of the last message block faster than \(2^{128}\) queries and computations, the 512-bit key \(\overline{K_2}\) can be recovered with exactly the same procedure as for Sandwich-MAC-MD5. The bottleneck of the attack is still finding dBB-collisions, which requires \(2^{89.04}\) queries and \(2^{89}\) table lookups. We emphasize that this is the first result that can recover \(K_2\) of MD5-MAC.
7 Concluding Remarks
In this paper, we first improved the distinguishing-\({ H }\) attack on HMAC-MD5. We then proposed a key-recovery attack on Sandwich-MAC-MD5 by combining various techniques. In particular, we generalized the key-recovery technique exploiting conditional key-dependent distributions. As a result, we achieved the first results that recover the original key of a hybrid MAC with an appropriate padding. Our results also improved the previous key-recovery attack on MD5-MAC, and extended the recovered key to both \(K_1\) and \(K_2\). We believe our results lead to a better understanding of the MAC construction.
Footnotes
1. As a tool, the technique can be generalized further. If the \(B\)-th bit of \(\alpha \) is known instead of the MSB, the bits of \(\kappa \) from the LSB up to the \(B\)-th bit can be recovered.
References
1. Rivest, R.L.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992). http://www.ietf.org/rfc/rfc1321.txt
2. U.S. Department of Commerce, National Institute of Standards and Technology: Secure Hash Standard (SHS) (Federal Information Processing Standards Publication 180-3) (2008). http://csrc.nist.gov/publications/fips/fips1803/fips1803_final.pdf
3. Tsudik, G.: Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. 22(5), 29-38 (1992)
4. Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1-14. Springer, Heidelberg (1995)
5. Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430-448. Springer, Heidelberg (2005)
6. U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register, vol. 72, no. 212, November 2, 2007/Notices (2007). http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
7. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1-15. Springer, Heidelberg (1996)
8. Kaliski Jr., B.S., Robshaw, M.J.B.: Message authentication with MD5. Technical report, CryptoBytes (1995)
9. Metzger, P., Simpson, W.A.: Request for Comments 1852: IP Authentication using Keyed SHA. The Internet Engineering Task Force (1995). http://www.ietf.org/rfc/rfc1852.txt
10. Preneel, B., van Oorschot, P.C.: On the security of two MAC algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 19-32. Springer, Heidelberg (1996)
11. U.S. Department of Commerce, National Institute of Standards and Technology: The Keyed-Hash Message Authentication Code (HMAC) (Federal Information Processing Standards Publication 198), July 2008. http://csrc.nist.gov/publications/fips/fips1981/FIPS1981_final.pdf
12. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602-619. Springer, Heidelberg (2006)
13. Yasuda, K.: Multi-lane HMAC: security beyond the birthday limit. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 18-32. Springer, Heidelberg (2007)
14. Yasuda, K.: Boosting Merkle-Damgård hashing for message authentication. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 216-231. Springer, Heidelberg (2007)
15. Yasuda, K.: "Sandwich" is indeed secure: how to authenticate a message with just one hashing. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 355-369. Springer, Heidelberg (2007)
16. Yasuda, K.: HMAC without the "second" key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443-458. Springer, Heidelberg (2009)
17. Gauravaram, P., Okeya, K.: An update on the side channel cryptanalysis of MACs based on cryptographic hash functions. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 393-403. Springer, Heidelberg (2007)
18. Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 580-597. Springer, Heidelberg (2012)
19. Patel, S.: An efficient MAC for short messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 353-368. Springer, Heidelberg (2003)
20. Leurent, G.: Message freedom in MD4 and MD5 collisions: application to APOP. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309-328. Springer, Heidelberg (2007)
21. Sasaki, Y., Wang, L., Ohta, K., Kunihiro, N.: Security of MD5 challenge and response: extension of APOP password recovery attack. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 1-18. Springer, Heidelberg (2008)
22. Sasaki, Y., Yamamoto, G., Aoki, K.: Practical password recovery on an MD5 challenge and response. Cryptology ePrint Archive, Report 2007/101 (2007). http://eprint.iacr.org/2007/101
23. Wang, L., Sasaki, Y., Sakiyama, K., Ohta, K.: Bit-free collision: application to APOP attack. In: Takagi, T., Mambo, M. (eds.) IWSEC 2009. LNCS, vol. 5824, pp. 3-21. Springer, Heidelberg (2009)
24. Myers, J., Rose, M.: Post Office Protocol - Version 3. RFC 1939 (Standard), May 1996. Updated by RFCs 1957, 2449. http://www.ietf.org/rfc/rfc1939.txt
25. Kim, J.S., Biryukov, A., Preneel, B., Hong, S.H.: On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (extended abstract). In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242-256. Springer, Heidelberg (2006)
26. Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37-53. Springer, Heidelberg (2006)
27. Fouque, P.A., Leurent, G., Nguyen, P.Q.: Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 13-30. Springer, Heidelberg (2007)
28. Lee, E., Chang, D., Kim, J.S., Sung, J., Hong, S.H.: Second preimage attack on 3-pass HAVAL and partial key-recovery attacks on HMAC/NMAC-3-pass HAVAL. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 189-206. Springer, Heidelberg (2008)
29. Rechberger, C., Rijmen, V.: On authentication with HMAC and non-random properties. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 119-133. Springer, Heidelberg (2007)
30. Rechberger, C., Rijmen, V.: New results on NMAC/HMAC when instantiated with popular hash functions. J. Univ. Comput. Sci. 14(3), 347-376 (2008)
31. Wang, L., Ohta, K., Kunihiro, N.: New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237-253. Springer, Heidelberg (2008)
32. Wang, X., Yu, H., Wang, W., Zhang, H., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 121-133. Springer, Heidelberg (2009)
33. Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 87-100. Springer, Heidelberg (2007)
34. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293-304. Springer, Heidelberg (1994)
35. Klima, V.: Tunnels in hash functions: MD5 collisions within a minute. IACR Cryptology ePrint Archive, Report 2006/105 (2006). http://eprint.iacr.org/2006/105.pdf
36. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19-35. Springer, Heidelberg (2005)
37. Xie, T., Feng, D.: How to find weak input differences for MD5 collision attacks. Cryptology ePrint Archive, Report 2009/223 (2009), Version 20090530:102049. http://eprint.iacr.org/2009/223
38. De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1-20. Springer, Heidelberg (2006)
39. Mendel, F., Rechberger, C., Schläffer, M.: MD5 is weaker than weak: attacks on concatenated combiners. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 144-161. Springer, Heidelberg (2009)
40. Diffie, W., Hellman, M.E.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74-84 (1977)
41. Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229-240. Springer, Heidelberg (2011)
42. Isobe, T., Shibutani, K.: All subkeys recovery attack on block ciphers: extending meet-in-the-middle approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202-221. Springer, Heidelberg (2013)
43. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103-119. Springer, Heidelberg (2009)
44. Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134-152. Springer, Heidelberg (2009)
45. Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578-597. Springer, Heidelberg (2009)
46. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
47. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368-378. Springer, Heidelberg (1994)
48. Okeya, K.: Side channel attacks against HMACs based on block-cipher based hash functions. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 432-443. Springer, Heidelberg (2006)
49. Okeya, K.: Side channel attacks against hash-based MACs with PGV compression functions. IEICE Transactions 91-A(1), 168-175 (2008)