To Hash or Not to Hash Again? (In)Differentiability Results for $$H^2$$ and HMAC

Dodis, Yevgeniy; Ristenpart, Thomas; Steinberger, John P.; Tessaro, Stefano

doi:10.1007/978-3-642-32009-5_21

Cited by 39 publications

(35 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In their analysis, in addition to several proof results, two types of weak keys called colliding key pairs and ambiguous key pairs were introduced for HMAC, which are closely related to our work. Indeed, regarding the colliding key pairs, exactly the same distinguisher is mentioned in both [13,12] and our article. The details of the distinguisher is shown in the last paragraph of Section 7.…”

Section: Introductionmentioning

confidence: 58%

“…After the publication of the conference version of this paper, we realized that the indifferentiability of HMAC was independently and at almost the same time studied by Dodis et al [13,12]. Their purpose is to study whether or not HMAC is indifferentiable from a keyed random oracle for distinguishers that can choose arbitrary keys.…”

Section: Introductionmentioning

confidence: 93%

“…The details of the distinguisher is shown in the last paragraph of Section 7. The ambiguous key pairs in [13,12] are the same as the key relation analyzed in this work, and both papers use the special computation structure that happens when using these key pairs. However, the analytic approach and the results are very different.…”

Section: Introductionmentioning

confidence: 99%

“…However, the analytic approach and the results are very different. [13,12] are under the indifferentiability framework where the key value is chosen and thus known by the adversary. Therefore, the adversary can know the internal state value and can observe that the computation chains followed by the two keys are shifted by exactly one invocation of the underlying hash function.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Generic Related-Key Attacks for HMAC

Peyrin

Sasaki

Wang

2012

Advances in Cryptology – ASIACRYPT 2012

View full text Add to dashboard Cite

Abstract. In this article we describe new generic distinguishing and forgery attacks in the related-key scenario (using only a single related-key) for the HMAC construction. When HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks where m = k, our distinguishing-R attack requires about 2 n/2 queries which improves over the currently best known generic attack complexity 2 l/2 as soon as l > n. This means that contrary to the general belief, using wide-pipe hash functions as internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size. We also present generic relatedkey distinguishing-H, internal state recovery and forgery attacks. Our method is new and elegant, and uses a simple cycle-size detection criterion. The issue in the HMAC construction (not present in the NMAC construction) comes from the non-independence of the two inner hash layers and we provide a simple patch in order to avoid this generic attack. Our work finally shows that the choice of the opad and ipad constants value in HMAC is important.

show abstract

Section: Introductionmentioning

confidence: 58%

Section: Introductionmentioning

confidence: 93%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Generic Related-Key Attacks for HMAC

Peyrin

Sasaki

Wang

2012

Advances in Cryptology – ASIACRYPT 2012

View full text Add to dashboard Cite

show abstract

“…While obtaining a non-tight birthday-type bound for NMAC/HMAC is feasible (for most key-length values, a bound follow directly from the indifferentiability analysis of [7]), proving tight bounds in terms of compression function and construction queries on the generic PRF security of NMAC/HMAC is a challenging open problem, on which little progress has been made. The main challenge is to understand how partial information in form of f-queries can help the attacker to break security (i.e., distinguish) in settings with q C 2 c/2 / √ , when the attack from [8] does not apply.…”

Section: Introductionmentioning

confidence: 99%

Generic Security of NMAC and HMAC with Input Whitening

Gaži

Pietrzak

Tessaro

2015

Advances in Cryptology – ASIACRYPT 2015

Self Cite

View full text Add to dashboard Cite

Abstract. HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for generic attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box. Generic security can be proved in a model where the underlying compression function is modeled as a random function -yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question. In this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) black-box modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing. While our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called "functional graph" which are not directly accessible in our new constructions.

show abstract

An Analysis of NIST SP 800-90A

Woodage

Shumow

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

To Hash or Not to Hash Again? (In)Differentiability Results for $$H^2$$ and HMAC

Cited by 39 publications

References 32 publications

Generic Related-Key Attacks for HMAC

Generic Related-Key Attacks for HMAC

Generic Security of NMAC and HMAC with Input Whitening

An Analysis of NIST SP 800-90A

Contact Info

Product

Resources

About