Another Look at Security Theorems for 1-Key Nested MACs

Abstract

We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Department of Mathematics, University of Washington, Seattle, USA
  2. Department of Combinatorics & Optimization, University of Waterloo, Waterloo, Canada
