# Interesting papers on HMAC and NMAC

Steve Bellovin forwarded me the following links (which he got from
Eric Rescorla). Note the bit at the end about a path to second
preimage attacks:

http://eprint.iacr.org/2006/187

On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1

Jongsung Kim and Alex Biryukov and Bart Preneel and Seokhie Hong

Abstract. HMAC is a widely used message authentication code and a
pseudorandom function generator based on cryptographic hash functions
such as MD5 and SHA-1. It has been standardized by ANSI, IETF, ISO and
NIST. HMAC is proved to be secure as long as the compression function
of the underlying hash function is a pseudorandom function. In this
paper we devise two new distinguishers of the structure of HMAC,
called {\em differential} and {\em rectangle distinguishers}, and use
them to discuss the security of HMAC based on HAVAL, MD4, MD5, SHA-0
and SHA-1. We show how to distinguish HMAC with reduced or full
versions of these cryptographic hash functions from a random function
or from HMAC with a random function. We also show how to use our
differential distinguisher to devise a forgery attack on HMAC. Our
distinguishing and forgery attacks can also be mounted on NMAC based
on HAVAL, MD4, MD5, SHA-0 and SHA-1. Furthermore, we show that our
differential and rectangle distinguishers can lead to second-preimage
attacks on HMAC and NMAC.

Also of interest, this somewhat earlier paper, which shows that HMAC
can be secure if the underlying hash is merely a pseudorandom function
even if it is not collision resistant:

http://eprint.iacr.org/2006/043

New Proofs for NMAC and HMAC: Security Without Collision-Resistance

Mihir Bellare

Abstract. HMAC was proved by Bellare, Canetti and Krawczyk [2] to be a
PRF assuming that (1) the underlying compression function is a PRF,
and (2) the iterated hash function is weakly
collision-resistant. However, recent attacks show that assumption (2)
is false for MD5 and SHA-1, removing the proof-based support for HMAC
in these cases. This paper proves that HMAC is a PRF under the sole
assumption that the compression function is a PRF. This recovers a
proof based guarantee since no known attacks compromise the
pseudorandomness of the compression function, and it also helps
explain the resistance-to-attack that HMAC has shown even when
implemented with hash functions whose (weak) collision resistance is
compromised. We also show that an even weaker-than-PRF condition on
the compression function, namely that it is a privacy-preserving MAC,
suffices to establish HMAC is a MAC as long as the hash function meets
the very weak requirement of being computationally almost universal,
where again the value lies in the fact that known attacks do not
invalidate the assumptions made.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]