Generic Security of NMAC and HMAC with Input Whitening

HMAC and its variant NMAC are the most popular approaches to deriving a MAC, and more generally a PRF, from a cryptographic hash function. Despite nearly two decades of research, their exact security is still far from understood in many contexts. Indeed, recent work has revived interest in generic attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box. Generic security can be proved in a model where the compression function is modeled as a random function; yet, to date, proving tight, non-trivial bounds on the generic security of HMAC/NMAC, even as a PRF, remains a challenging open question. In this paper, we ask whether a small modification to HMAC and NMAC allows us to characterize the security of the resulting constructions exactly, while incurring only a small efficiency penalty. To this end, we present simple variants of NMAC and HMAC for which we prove tight bounds on generic PRF security, expressed in terms of the numbers of construction queries and compression-function queries needed to break the construction. All of our constructions are obtained via a near-black-box modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing. While our focus is on PRF security, a further attractive feature of the new constructions is that they clearly defeat all recent generic attacks on properties such as state recovery and universal forgery: those attacks exploit properties of the so-called "functional graph" of the compression function (the map obtained by fixing a message block), and that graph is not directly accessible in our new constructions.
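To make the last point concrete, here is an added toy example (not the paper's own code) contrasting plain NMAC with an input-whitened variant over a black-box compression function. The abstract only describes the pre-processing step abstractly; XORing a secret whitening key `kw` into every message block before it reaches the compression function is one concrete instance, assumed here for illustration. The compression function `f` is instantiated with truncated SHA-256 purely so the script runs offline; the block and chaining lengths (`B`, `N`) are toy parameters. The demo shows why functional-graph style attacks lose their footing: in NMAC, anyone who learns one internal chaining value can walk the public map `x -> f(x, m)` forward and predict every later state, whereas in the whitened variant that map depends on the secret `kw`.

```python
"""Toy NMAC and an input-whitened variant over a black-box compression function.

Illustrative code only. The compression function f is treated as a black box;
it is instantiated with truncated SHA-256 just so the script runs offline.
"""
import hashlib
import secrets

N = 16  # chaining-value length in bytes (toy n = 128 bits)
B = 16  # message-block length in bytes; equal to N so the outer NMAC call is a single f evaluation


def f(chain: bytes, block: bytes) -> bytes:
    """Black-box compression function f: {0,1}^n x {0,1}^b -> {0,1}^n."""
    assert len(chain) == N and len(block) == B
    return hashlib.sha256(chain + block).digest()[:N]


def pad(msg: bytes) -> list[bytes]:
    """Merkle-Damgard style padding: 0x80, zeros, then the 8-byte big-endian bit length."""
    data = msg + b"\x80"
    data += b"\x00" * ((-len(data) - 8) % B)
    data += (8 * len(msg)).to_bytes(8, "big")
    return [data[i:i + B] for i in range(0, len(data), B)]


def cascade(iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """Iterate f starting from iv; return all chaining values x_0 .. x_l."""
    states = [iv]
    for blk in blocks:
        states.append(f(states[-1], blk))
    return states


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nmac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """NMAC: f(k2, Cascade_f(k1, pad(msg))).  Since n == b here, no outer padding is needed."""
    return f(k2, cascade(k1, pad(msg))[-1])


def wnmac(k1: bytes, k2: bytes, kw: bytes, msg: bytes) -> bytes:
    """Input-whitened NMAC: each padded block is XORed with the secret key kw
    before it reaches f.  ASSUMPTION: this per-block XOR is one concrete form of
    "key-dependent message pre-processing", chosen here for illustration; the
    abstract does not pin down the paper's exact whitening step."""
    blocks = [xor(blk, kw) for blk in pad(msg)]
    return f(k2, cascade(k1, blocks)[-1])


def predict_from_leaked_state(x_i: bytes, later_blocks: list[bytes]) -> list[bytes]:
    """What an attacker who knows one internal state x_i and the public message
    blocks can compute offline: repeatedly apply the public map x -> f(x, m)."""
    return cascade(x_i, later_blocks)[1:]


def state_recovery_demo() -> dict:
    """Compare how far a single leaked chaining value gets an attacker in each construction."""
    k1, k2, kw = (secrets.token_bytes(N) for _ in range(3))
    msg = b"A" * (4 * B)  # constructed sample input: four identical message blocks
    blocks = pad(msg)
    # Internal chaining values of both constructions, as the MAC owner computes them.
    plain_states = cascade(k1, blocks)
    white_states = cascade(k1, [xor(blk, kw) for blk in blocks])
    # Suppose x_1 leaked (or was recovered by a generic state-recovery attack).
    guess_plain = predict_from_leaked_state(plain_states[1], blocks[1:])
    guess_white = predict_from_leaked_state(white_states[1], blocks[1:])
    return {
        "nmac_states_predictable": guess_plain == plain_states[2:],
        "wnmac_states_predictable": guess_white == white_states[2:],
    }


if __name__ == "__main__":
    print(state_recovery_demo())
```

In the whitened variant the attacker would have to guess `kw` (here 128 bits) to evaluate the state-update map even after recovering a chaining value, which is exactly the "functional graph" access the generic attacks rely on. Note that this toy only illustrates the mechanism; it says nothing about the bounds the paper proves.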
