Message authentication with one-way hash functions
ACM SIGCOMM Computer Communication Review
Handbook of Applied Cryptography
Handbook of Applied Cryptography
MDx-MAC and Building Fast MACs from Hash Functions
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
Pseudorandom functions revisited: the cascade construction and its concrete security
FOCS '96 Proceedings of the 37th Annual Symposium on Foundations of Computer Science
Formal aspects of mobile code security
Formal aspects of mobile code security
Second Preimage Attack on 3-Pass HAVAL and Partial Key-Recovery Attacks on HMAC/NMAC-3-Pass HAVAL
Fast Software Encryption
How to Fill Up Merkle-Damgård Hash Functions
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256
ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy
New Distinguishing Attack on MAC Using Secret-Prefix Method
Fast Software Encryption
New Birthday Attacks on Some MACs Based on Block Ciphers
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård
Selected Areas in Cryptography
Distinguishing and Second-Preimage Attacks on CBC-Like MACs
CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
On authentication with HMAC and non-random properties
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Distinguishing attack on secret prefix MAC instantiated with reduced SHA-1
ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
Distinguishing attacks on LPMAC based on the full RIPEMD and reduced-step RIPEMD-{256, 320}
Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Second preimages on n-bit hash functions for much less than 2n work
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (extended abstract)
SCN'06 Proceedings of the 5th international conference on Security and Cryptography for Networks
Herding hash functions and the nostradamus attack
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
| Hi-index | 0.00 |
This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K||ℓ||M) with a shared key K and the message length ℓ. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2n/2) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2n queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and most of the cases, reduced rounds were attacked with a complexity between 2n/2 and 2n. Because it works in generic, our attack updates these results, namely full rounds are attacked with O(2n/2) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message-blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2n/2) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC.