Equivalent Key Recovery Attacks Against HMAC and NMAC with Whirlpool Reduced to 7 Rounds

  • Jian Guo
  • Yu Sasaki
  • Lei Wang
  • Meiqin Wang
  • Long Wen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


A main contribution of this paper is an improved analysis of HMAC instantiated with reduced-round Whirlpool. It recovers the equivalent keys, usually denoted \(K_{in}\) and \(K_{out}\), of HMAC with 7-round Whirlpool, whereas the previous best attack works only for 6 rounds. Our approach applies the meet-in-the-middle (MITM) attack on AES to recover the MAC keys of Whirlpool. Several techniques are proposed to bridge the differing attack settings of a block cipher and a MAC; for example, the chosen-plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. In addition, the larger state size and the different key schedule design of Whirlpool leave a lot of room for study. As a result, the equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of \((\mathrm {Data},\mathrm {Time},\mathrm {Memory})=(2^{481.7},2^{482.3},2^{481})\).
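To make clear what recovering \(K_{in}\) and \(K_{out}\) buys an attacker, the following added example (not code from the paper) builds HMAC over a toy Merkle-Damgård hash whose compression function is SHA-256 applied to (chaining value || block), standing in for Whirlpool's compression function. It shows that the inner and outer chaining values after absorbing the padded key are a complete substitute for the key: with them, the MAC of any message can be computed as NMAC\((K_{in}, K_{out})\), which is why their recovery is a universal forgery. The key, message and all-zero IV are constructed sample values.

```python
import hashlib

BLOCK = 64          # block size (bytes) of the toy Merkle-Damgard hash
DIGEST = 32         # chaining value / digest size (bytes)
IV = bytes(DIGEST)  # constructed all-zero initial value


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function f(h, m) = SHA-256(h || m); stands in for Whirlpool's."""
    assert len(h) == DIGEST and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()


def md_hash(msg: bytes, iv: bytes = IV, absorbed: int = 0) -> bytes:
    """Merkle-Damgard iteration from `iv`; `absorbed` is the number of bytes
    (a multiple of BLOCK) already folded into `iv`, so the length field in the
    padding still counts the full input."""
    assert absorbed % BLOCK == 0
    total_bits = 8 * (absorbed + len(msg))
    padded = (msg + b"\x80" + b"\x00" * ((-(len(msg) + 1) - 8) % BLOCK)
              + total_bits.to_bytes(8, "big"))
    h = iv
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h


def padded_keys(key: bytes):
    """K xor ipad and K xor opad, after hashing an over-long key as HMAC does."""
    if len(key) > BLOCK:
        key = md_hash(key)
    k = key.ljust(BLOCK, b"\x00")
    return bytes(b ^ 0x36 for b in k), bytes(b ^ 0x5C for b in k)


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, M) = H(K xor opad || H(K xor ipad || M))."""
    k_ipad, k_opad = padded_keys(key)
    return md_hash(k_opad + md_hash(k_ipad + msg))


def equivalent_keys(key: bytes):
    """K_in = f(IV, K xor ipad), K_out = f(IV, K xor opad): the values the paper recovers."""
    k_ipad, k_opad = padded_keys(key)
    return compress(IV, k_ipad), compress(IV, k_opad)


def mac_from_equivalent_keys(k_in: bytes, k_out: bytes, msg: bytes) -> bytes:
    """NMAC(K_in, K_out, M): no knowledge of K needed, yet equal to HMAC(K, M)."""
    inner = md_hash(msg, iv=k_in, absorbed=BLOCK)
    return md_hash(inner, iv=k_out, absorbed=BLOCK)
```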


Keywords: HMAC; NMAC; Whirlpool; Universal forgery; Key recovery



We would like to thank the organizers, Meiqin Wang and Hongbo Yu, of the ASK 2013 workshop in China, without which the collaboration in this work would not have been possible. Jian Guo and Lei Wang were supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Jian Guo (1)
  • Yu Sasaki (2)
  • Lei Wang (1)
  • Meiqin Wang (3)
  • Long Wen (3)

  1. Nanyang Technological University, Singapore, Singapore
  2. NTT Secure Platform Laboratories, Tokyo, Japan
  3. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
