Open Problems in Mathematics and Computational Science

pp 69-89


Another Look at Security Theorems for 1-Key Nested MACs

  • Neal Koblitz, Department of Mathematics, University of Washington
  • Alfred Menezes, Department of Combinatorics & Optimization, University of Waterloo



We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.