Improved Generic Attacks Against Hash-Based MACs and HAIFA

The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than 2 ℓ computati...

Full description

Saved in:
Bibliographic Details
Published inAlgorithmica Vol. 79; no. 4; pp. 1161 - 1195
Main Authors Dinur, Itai, Leurent, Gaëtan
Format Journal Article
LanguageEnglish
Published New York Springer US 01.12.2017
Springer Nature B.V
Springer Verlag
SeriesSpecial Issue: Algorithmic Tools in Cryptography
Subjects
Algorithm Analysis and Problem Complexity
Algorithms
Complexity
Computer Science
Computer Systems Organization and Communication Networks
Cryptography and Security
Data Structures and Information Theory
Forgery
Hash based algorithms
Iterative methods
Mathematics of Computing
Recovery
Security
Theory of Computation
Hash functions
Merkle–Damgård
Streebog
SHA family
Universal forgery attack
HMAC
GOST
HAIFA
State-recovery attack
state-recovery attack
universal forgery attack
Merkle-Damgård
MAC
Online AccessGet full text

Cover

More Information
Summary:The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than 2 ℓ computations, contradicting the common belief (where ℓ denotes the internal state size). In this work, we revisit and extend these results, with a focus on concrete hash functions that limit the message length, and apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2 4 ℓ / 5 . Then, we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle–Damgård hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash functions limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.
ISSN:0178-4617
1432-0541
DOI:10.1007/s00453-016-0236-6