Another Look at Security Theorems for 1-Key Nested MACs

We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.
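The two constructions the abstract compares are both "1-key nested" MACs: a single secret key is fed into the hash twice, either in two nested hash calls (HMAC) or at both ends of one hash call (Envelope MAC), as opposed to NMAC, which uses two independent keys. The following Python is an added example, not code from the paper; it builds both schemes over SHA-256, checks the HMAC variant against the standard library, and verifies tags in constant time. The key-padding rule for the Envelope variant (hash an over-long key, zero-pad to one block, place the padded key before and after the message) is an assumption chosen to mirror HMAC's key handling, not a rule taken from the paper.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (the unit the compression function consumes)


def _pad_key(key: bytes, block: int = BLOCK) -> bytes:
    """Bring the key to exactly one block: hash it if too long, zero-pad if short.
    This is the HMAC (RFC 2104) key rule; reusing it for the envelope scheme is an assumption."""
    if len(key) > block:
        key = hashlib.sha256(key).digest()
    return key.ljust(block, b"\x00")


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC: H((K ^ opad) || H((K ^ ipad) || M)). Two nested hash calls, one key."""
    k = _pad_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def envelope_mac_sha256(key: bytes, msg: bytes) -> bytes:
    """Envelope ('sandwich') MAC: H(K' || M || K') with K' block-padded, so the key
    occupies a whole block at each end of a single hash computation (padding rule assumed)."""
    k = _pad_key(key)
    return hashlib.sha256(k + msg + k).digest()


def verify(mac_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag check; never compare MAC tags with == in verification code."""
    return hmac.compare_digest(mac_fn(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample key and message, used only for demonstration.
    key, msg = b"constructed-demo-key", b"transfer 100 to account 42"
    t1, t2 = hmac_sha256(key, msg), envelope_mac_sha256(key, msg)
    print("HMAC    :", t1.hex())
    print("Envelope:", t2.hex())
    print("HMAC matches stdlib:", t1 == hmac.new(key, msg, hashlib.sha256).digest())
    print("tampered message rejected:", not verify(envelope_mac_sha256, key, msg + b"0", t2))
```

Both functions use the key only as input to the hash, which is what makes the abstract's "single theorem for a broad class" approach natural: the schemes differ in where the key enters the hash, not in how many keys there are.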
