Cryptanalyses on a Merkle-Damgård Based MAC — Almost Universal Forgery and Distinguishing-H Attacks

  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K||ℓ||M) with a shared key K and the message length ℓ. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2 n/2) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2 n queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and most of the cases, reduced rounds were attacked with a complexity between 2 n/2 and 2 n . Because it works in generic, our attack updates these results, namely full rounds are attacked with O(2 n/2) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message-blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2 n/2) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC.


LPMAC distinguishing-H attack almost universal forgery attack multi-collision diamond structure prefix freeness 


  1. 1.
    Tsudik, G.: Message authentication with one-way hash functions. ACM SIGCOMM Computer Communication Review 22(5), 29–38 (1992)CrossRefGoogle Scholar
  2. 2.
    U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register 72(212) (November 2, 2007),
  3. 3.
    Wang, X., Wang, W., Jia, K., Wang, M.: New Distinguishing Attack on MAC Using Secret-Prefix Method. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 363–374. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: The cascade construction and its concrete security. In: FOCS, pp. 514–523 (1996)Google Scholar
  5. 5.
    Dunkelman, O., Keller, N., Shamir, A.: ALRED blues: New attacks on AES-based MACs. Cryptology ePrint Archive, Report 2011/095 (2011),
  6. 6.
    Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract). In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Preneel, B., van Oorschot, P.C.: MDx-MAC and Building Fast MACs from Hash Functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)Google Scholar
  8. 8.
    Chang, D., Nandi, M.: General distinguishing attacks on NMAC and HMAC with birthday attack complexity. Cryptology ePrint Archive, Report 2006/441 (2006),
  9. 9.
    Jia, K., Wang, X., Yuan, Z., Xu, G.: Distinguishing and Second-Preimage Attacks on CBC-Like MACs. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 349–361. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Yuan, Z., Wang, W., Jia, K., Xu, G., Wang, X.: New Birthday Attacks on Some MACs Based on Block Ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 209–230. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Contini, S., Yin, Y.L.: Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 13–30. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Lee, E., Chang, D., Kim, J., Sung, J., Hong, S.: Second Preimage Attack on 3-Pass HAVAL and Partial Key-Recovery Attacks on HMAC/NMAC-3-Pass HAVAL. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 189–206. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Rechberger, C., Rijmen, V.: On Authentication with HMAC and Non-random Properties. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 119–133. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Rechberger, C., Rijmen, V.: New results on NMAC/HMAC when instantiated with popular hash functions. Journal of Universal Computer Science 14(3), 347–376 (2008)MathSciNetGoogle Scholar
  16. 16.
    Wang, L., Ohta, K., Kunihiro, N.: New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237–253. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Wang, X., Yu, H., Wang, W., Zhang, H., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 121–133. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Qiao, S., Wang, W., Jia, K.: Distinguishing Attack on Secret Prefix MAC Instantiated with Reduced SHA-1. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 349–361. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Wang, G.: Distinguishing Attacks on LPMAC Based on the Full RIPEMD and Reduced-Step RIPEMD-{256,320}. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 199–217. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Yu, H., Wang, X.: Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 185–201. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press (1997)Google Scholar
  22. 22.
    Kelsey, J., Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Yasuda, K.: How to Fill Up Merkle-Damgård Hash Functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 272–289. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  24. 24.
    Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)Google Scholar
  25. 25.
    Dean, R.D.: Formal aspects of mobile code security. Ph.D Dissertation, Princeton University (1999)Google Scholar
  26. 26.
    Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  27. 27.
    Andreeva, E., Bouillaguet, C., Dunkelman, O., Kelsey, J.: Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 393–414. Springer, Heidelberg (2009)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Yu Sasaki
    • 1
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationMusashino-shiJapan

Personalised recommendations