Improved Generic Attacks against Hash-Based MACs and HAIFA

The security of HMAC (and, more generally, of hash-based MACs) against state-recovery and universal forgery attacks was very recently shown to be suboptimal, following a series of surprising results by Leurent et al. and Peyrin et al. These results show that such powerful attacks require much less than 2^l computations, where l denotes the internal state size, contradicting the common belief. In this work, we revisit and extend these results, with a focus on properties of concrete hash functions such as a limited message length and special iteration modes.

[1] Antoine Joux et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[2] John Kelsey et al. Herding Hash Functions and the Nostradamus Attack, 2006, EUROCRYPT.

[3] Thomas Peyrin et al. Generic Universal Forgery Attack on Iterative Hash-Based MACs, 2014, EUROCRYPT.

[4] Yu Sasaki et al. Generic State-Recovery and Forgery Attacks on ChopMD-MAC and on NMAC/HMAC, 2013, IWSEC.

[5] Eli Biham et al. A Framework for Iterative Hash Functions - HAIFA, 2007, IACR Cryptol. ePrint Arch.

[6] Gene Tsudik. Message authentication with one-way hash functions, 1992, CCRV.

[7] Thomas Peyrin et al. New Generic Attacks against Hash-Based MACs, 2013, ASIACRYPT.

[8] Samuel Neves et al. BLAKE2: Simpler, Smaller, Fast as MD5, 2013, ACNS.

[9] Kan Yasuda et al. "Sandwich" Is Indeed Secure: How to Authenticate a Message with Just One Hashing, 2007, ACISP.

[10] Bruce Schneier et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work, 2005, IACR Cryptol. ePrint Arch.

[11] Juha Kortelainen et al. On Diamond Structures and Trojan Message Attacks, 2013, ASIACRYPT.

[12] Thomas Peyrin et al. Generic Related-Key Attacks for HMAC, 2012, ASIACRYPT.

[13] Stefan Lucks et al. The Skein Hash Function Family, 2009.

[14] Hugo Krawczyk et al. Keying Hash Functions for Message Authentication, 1996, CRYPTO.

[15] Mihir Bellare et al. New Proofs for NMAC and HMAC: Security without Collision Resistance, 2006, Journal of Cryptology.

[16] Vasily Dolmatov et al. GOST R 34.11-2012: Hash Function, 2013, RFC.

[17] Paul C. van Oorschot et al. Parallel Collision Search with Cryptanalytic Applications, 2013, Journal of Cryptology.

[18] Shuang Wu et al. Cryptanalysis of HMAC/NMAC-Whirlpool, 2013, ASIACRYPT.

[19] Yu Sasaki et al. Equivalent Key Recovery Attacks Against HMAC and NMAC with Whirlpool Reduced to 7 Rounds, 2014, FSE.