Equivalent Inner Key Recovery Attack to NMAC

  • Fanbao Liu
  • Changxiang Shen
  • Tao Xie
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 189)


We propose a general equivalent inner key recovery attack on NMAC (Nested Message Authentication Code) instantiated with a secure hash function in a related-key setting, by applying a generalized birthday attack with two groups. We can recover the equivalent inner key of NMAC in about $2^{n/2+1}$ on-line MAC queries. The security proof of NMAC drops the assumption that the underlying hash function must be collision resistant. However, our result shows that NMAC, even instantiated with a collision resistant Merkle-Damgård hash function, is not secure as its designer claimed.
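The query count in the abstract follows from the two-group birthday bound: two groups of $2^{n/2}$ values each, $2^{n/2+1}$ values in total, contain a cross-group match with probability about $1 - e^{-1}$. The sketch below is an added illustration of that bound only, not code from the paper and not the paper's attack; `toy_tag` (SHA-256 truncated to n bits) is a constructed stand-in for an n-bit MAC output, and all function names are hypothetical.

```python
import hashlib
import math


def toy_tag(group: bytes, trial: int, i: int, n_bits: int) -> int:
    """Constructed stand-in for an n-bit MAC output: SHA-256 truncated to n_bits."""
    data = group + trial.to_bytes(4, "big") + i.to_bytes(4, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def total_queries(n_bits: int) -> int:
    """Two groups of 2^(n/2) values each, i.e. 2^(n/2 + 1) values overall."""
    return 2 * (1 << (n_bits // 2))


def cross_group_match(n_bits: int, trial: int) -> bool:
    """Draw 2^(n/2) tags per group and report whether any tag occurs in both groups."""
    size = 1 << (n_bits // 2)
    group_a = {toy_tag(b"A", trial, i, n_bits) for i in range(size)}
    return any(toy_tag(b"B", trial, i, n_bits) in group_a for i in range(size))


def success_rate(n_bits: int, trials: int) -> float:
    """Fraction of independent trials in which the two groups share a tag."""
    hits = sum(cross_group_match(n_bits, t) for t in range(trials))
    return hits / trials


def predicted_rate(n_bits: int) -> float:
    """Two-group birthday estimate: P(match) ~= 1 - exp(-r*s / 2^n)."""
    r = s = 1 << (n_bits // 2)
    return 1.0 - math.exp(-(r * s) / (1 << n_bits))


if __name__ == "__main__":
    n = 16  # toy tag length so the experiment finishes in well under a second
    print("values drawn in total:", total_queries(n))
    print("predicted match rate :", round(predicted_rate(n), 3))
    print("measured match rate  :", round(success_rate(n, 300), 3))
```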


Keywords: NMAC; Equivalent Key Recovery; Verifiable Forgery; Birthday Attack





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. School of Computer, National University of Defense Technology, Changsha, P.R. China
  2. School of Computer, Beijing University of Technology, Beijing, P.R. China
  3. The Center for Soft-Computing and Cryptology, National University of Defense Technology, Changsha, P.R. China
