New Generic Attacks against Hash-Based MACs

Leurent, Gaëtan; Peyrin, Thomas; Wang, Lei

doi:10.1007/978-3-642-42045-0_1

Cited by 28 publications

(81 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our universal forgery attack is based on recent advances in hash-based MACs cryptanalysis [17,15] and in this section we quickly recall these methods and explain how we extend them. First of all, we need to introduce the notion of functional graph and the various properties that can be observed from it.…”

Section: Previous Functional-graph-based Attacks For Hmacmentioning

confidence: 99%

“…Later, Leurent et al [15] extended the scope of cycle detection by providing a single-key utilization of this technique. Namely, they show how to craft two special long messages (mainly composed of identical message blocks), both following two separate cycle loops in the functional graph of the internal compression function.…”

Section: Previous Functional-graph-based Attacks For Hmacmentioning

confidence: 99%

“…Moreover, our techniques are novel as they show that one can extract much more meaningful secret information than by just analyzing the cycle structure or the collision probability of the functional graphs of the MAC algorithm, as was done previously [17,15]. Indeed, the distance of a node from the cycle of its components in the functional graph is a very valuable information to know for an attacker, and we expect even more complex types of information to be exploitable by attackers against iterative hash-based MACs.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Generic Universal Forgery Attack on Iterative Hash-Based MACs

Peyrin

Wang

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this article, we study the security of iterative hash-based MACs, such as HMAC or NMAC, with regards to universal forgery attacks. Leveraging recent advances in the analysis of functional graphs built from the iteration of HMAC or NMAC, we exhibit the very first generic universal forgery attack against hash-based MACs. In particular, our work implies that the universal forgery resistance of an n-bit output HMAC construction is not 2 n queries as long believed by the community. The techniques we introduce extend the previous functional graphs-based attacks that only took in account the cycle structure or the collision probability: we show that one can extract much more meaningful secret information by also analyzing the distance of a node from the cycle of its component in the functional graph.

show abstract

Section: Previous Functional-graph-based Attacks For Hmacmentioning

confidence: 99%

Section: Previous Functional-graph-based Attacks For Hmacmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Generic Universal Forgery Attack on Iterative Hash-Based MACs

Peyrin

Wang

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…First, from the security viewpoint, the justification comes from the rich line of research on generic attacks on hash-based MACs. Most recent attacks [20,16,21,11] exploit the so-called "functional graph" of the compression function f, i.e., the graph capturing the structure of f when repeatedly invoked with its b-bit input fixed to some constant (say 0 b ). Since our whitening denies the adversary the knowledge of b-bit inputs on which f is invoked during construction queries, intuitively it seems to be the right way to foil such attacks.…”

Section: Introductionmentioning

confidence: 99%

“…As mentioned above, the motivation for our work partially stems from the recent line of work on generic attacks against iterated hash-based MACs [20,18,16,21,11,6,23]. While our security bound for WNMAC does not exclude attacks of the complexity (in terms of numbers of queries and message lengths) considered in these papers, the design of WNMAC was partially guided by the structure of these attacks and seems to prevent them.…”

Section: Introductionmentioning

confidence: 99%

Generic Security of NMAC and HMAC with Input Whitening

Gaži

Pietrzak

Tessaro

2015

Advances in Cryptology – ASIACRYPT 2015

View full text Add to dashboard Cite

Abstract. HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for generic attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box. Generic security can be proved in a model where the underlying compression function is modeled as a random function -yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question. In this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) black-box modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing. While our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called "functional graph" which are not directly accessible in our new constructions.

show abstract

Universal Forgery Attack Against GCM-RUP

Li¹,

Leurent²,

Wang³

et al. 2020

Topics in Cryptology – CT-RSA 2020

Self Cite

View full text Add to dashboard Cite

Authenticated encryption (AE) schemes are widely used to secure communications because they can guarantee both confidentiality and authenticity of a message. In addition to the standard AE security notion, some recent schemes offer extra robustness, i.e. they maintain security in some misuse scenarios. In particular, Ashur, Dunkelman and Luykx proposed a generic AE construction at CRYPTO'17 that is secure even when releasing unverified plaintext (the RUP setting), and a concrete instantiation, GCM-RUP. The designers proved that GCM-RUP is secure up to the birthday bound in the nonce-respecting model. In this paper, we perform a birthday-bound universal forgery attack against GCM-RUP, matching the bound of the proof. While there are simple distinguishing attacks with birthday complexity on GCM-RUP, our attack is much stronger: we have a partial key recovery leading to universal forgeries. For reference, the best known universal forgery attack against GCM requires 2 2n/3 operations, and many schemes do not have any known universal forgery attacks faster than 2 n. This suggests that GCM-RUP offers a different security trade-off than GCM: stronger protection in the RUP setting, but more fragile when the data complexity reaches the birthday bound. In order to avoid this attack, we suggest a minor modification of GCM-RUP that seems to offer better robustness at the birthday bound.

show abstract

New Generic Attacks against Hash-Based MACs

Cited by 28 publications

References 31 publications

Generic Universal Forgery Attack on Iterative Hash-Based MACs

Generic Universal Forgery Attack on Iterative Hash-Based MACs

Generic Security of NMAC and HMAC with Input Whitening

Universal Forgery Attack Against GCM-RUP

Contact Info

Product

Resources

About