Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms

This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak-key property, but turn out to become full-fledged divide-and-conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives.
