Cryptanalyses on a Merkle-Damgård Based MAC - Almost Universal Forgery and Distinguishing-H Attacks

This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC that computes the MAC value of a message M as Hash(K||l||M), where K is the shared key and l is the message length. This construction is often called LPMAC. First, we present a distinguishing-H attack against LPMAC instantiated with any narrow-pipe Merkle-Damgård hash function, using O(2^{n/2}) queries. This contradicts the widely believed assumption that LPMAC instantiated with a secure hash function resists distinguishing-H attacks up to 2^n queries. All previous distinguishing-H attacks were dedicated attacks that depend on the underlying hash algorithm, and in most cases only reduced-round versions were attacked, with a complexity between 2^{n/2} and 2^n. Because our attack is generic, it improves on these results: the full-round functions are attacked with O(2^{n/2}) complexity. Second, we show that an even stronger attack, a powerful form of almost universal forgery, can be performed on LPMAC. In this setting the attacker may modify the first several message blocks of a given message, aiming to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, this attack also requires O(2^{n/2}) queries. These results show that prepending the message length is not enough to achieve a secure MAC.
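The following is an added illustration, not code from the paper or its authors. It builds LPMAC exactly as the abstract defines it, Hash(K||l||M), over a toy narrow-pipe Merkle-Damgård hash with a 24-bit chaining value (the compression function is a truncated SHA-256 standing in for "any narrow-pipe compression function"), and then runs the generic birthday-bound step that attacks of this family share: fix the total message length so that the prepended l is identical for every query, vary only the first block, detect an internal collision after that block by re-testing the colliding pair under a different suffix, and forge the tag of a never-queried message from one query on its collision partner. It also checks the caveat a practitioner should know: the collision is bound to one length, so appending a block (which changes l) breaks it, which is why length prepending blocks naive extension but not fixed-length attacks. The paper's own distinguishing-H and almost-universal-forgery algorithms are not reproduced here; the function and class names (compress, md_hash, lpmac, MacOracle, find_internal_collision, forge), the block and state sizes, and the fixed key are assumptions made for the example.

```python
"""Toy LPMAC over a narrow-pipe Merkle-Damgård hash, plus the generic birthday-bound
internal-collision step.  Added illustration; not the paper's attack or its code."""
import hashlib
from typing import Dict, Optional, Tuple

BLOCK = 4      # bytes per message block (toy size, an assumption of this example)
N_BYTES = 3    # 24-bit chaining value and digest: narrow pipe, tiny so 2^(n/2) work is visible
IV = b"\x00" * N_BYTES


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(h || block) truncated to n bits.
    It stands in for any narrow-pipe compression function; the attack never looks inside."""
    return hashlib.sha256(h + block).digest()[:N_BYTES]


def md_hash(data: bytes) -> bytes:
    """Narrow-pipe Merkle-Damgård hash with MD strengthening (0x80, zero pad, length block)."""
    padded = data + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    padded += (len(data) * 8).to_bytes(BLOCK, "big")
    h = IV
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h


def lpmac(key: bytes, msg: bytes) -> bytes:
    """LPMAC as defined on the page: Hash(K || l || M), with l the byte length of M in one block."""
    return md_hash(key + len(msg).to_bytes(BLOCK, "big") + msg)


class MacOracle:
    """Keyed MAC oracle that counts queries, so the 2^(n/2) cost can be checked."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.queries = 0

    def mac(self, msg: bytes) -> bytes:
        self.queries += 1
        return lpmac(self._key, msg)


def find_internal_collision(oracle: MacOracle, suffix_len: int = 2 * BLOCK,
                            max_queries: int = 1 << 16) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for first blocks x != y whose chaining values after block 1 coincide.
    Every query has the same total length, so the prepended l is identical and cannot
    separate the two chains.  Returns (x, y) or None if the query budget runs out."""
    suffix_a = b"\x11" * suffix_len
    suffix_b = b"\x22" * suffix_len
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while oracle.queries < max_queries:
        x = counter.to_bytes(BLOCK, "big")   # distinct first blocks, no randomness needed
        counter += 1
        tag = oracle.mac(x + suffix_a)
        y = seen.get(tag)
        if y is not None:
            # Equal tags may come from a collision later in the chain; a collision of the
            # state right after block 1 survives replacing the suffix, a later one does not.
            if oracle.mac(x + suffix_b) == oracle.mac(y + suffix_b):
                return x, y
        seen[tag] = x
    return None


def forge(oracle: MacOracle, x: bytes, y: bytes, tail: bytes) -> bytes:
    """Forge the tag of x || tail (never queried) from one query on y || tail: both chains
    are in the same state after block 1 and carry the same prepended length."""
    return oracle.mac(y + tail)


def extension_breaks_collision(oracle: MacOracle, x: bytes, y: bytes, tail: bytes) -> bool:
    """The collision is bound to one length l: one more block changes the prepended l,
    so the state after K || l differs and the pair no longer collides (the length prefix
    stops naive extension, but not fixed-length attacks)."""
    extra = b"\x33" * BLOCK
    return oracle.mac(x + tail + extra) != oracle.mac(y + tail + extra)


def demo(key: bytes = b"\xde\xad\xbe\xef") -> Tuple[bool, bool, int]:
    """Run the birthday step and the forgery; returns (forgery valid, extension fails, queries)."""
    oracle = MacOracle(key)
    pair = find_internal_collision(oracle)
    if pair is None:
        return False, False, oracle.queries
    x, y = pair
    tail = b"\x44" * (2 * BLOCK)            # fresh content, never sent to the oracle with x
    forged = forge(oracle, x, y, tail)
    valid = forged == lpmac(key, x + tail)  # check against the real key
    return valid, extension_breaks_collision(oracle, x, y, tail), oracle.queries


if __name__ == "__main__":
    ok, no_ext, q = demo()
    print(f"forgery valid: {ok}, extension breaks it: {no_ext}, oracle queries: {q}")
```

With a 24-bit state the search needs on the order of 2^12 oracle queries, well inside the 2^16 budget; scaling N_BYTES up shows the 2^(n/2) growth directly. The suffix swap is the step that separates an internal collision from an output collision, and the final length-extension check shows what the prepended l does and does not buy.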
