Abstract
We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Fischlin [10] has a uniform proof of a security theorem for HMAC without collision resistance, but its usefulness is questionable because of the extremely large tightness gap in his result.
- 2.
The theorem’s query bound for the related-key property is 2q because A rka makes two queries for each query of A MAC.
- 3.
If \(A_{\tilde{f}h}\) fails to produce a guess about the oracle \(O_{\tilde{f}h}\) in time t, as can happen if the simulation is imperfect, then \(A_{\tilde{f}}\) guesses that \(O_{\tilde{f}}\) is a random function. Note that the simulation is perfect if \(O_{\tilde{f}}\) is \(\tilde{f}\) with hidden key.
- 4.
The term “over all possible coin tosses” means over all possible runs of the algorithm with each weighted by 2−s, where s is the number of random bits in a given run.
- 5.
The tightness gap in our theorem, bad as it is, is not nearly as extreme as the one in Fischlin’s theorem [10], which establishes the secure-MAC property for NMAC and HMAC based on assumptions that are slightly weaker than the prf property. The gap in success probabilities in that theorem is roughly qn 2. In [10] this gap is compared to the q 2 n gap in Bellare’s Theorem 3.3 in [2]. However, any comparison based solely on success probabilities is misleading, since the factor q 2 n in Bellare’s theorem is multiplied by the advantage of a very low-resource adversary A 2 with running time ≤ nT, much less than that of Fischlin’s adversary. One must always include running time comparisons when evaluating tightness gaps, and this is not done in [10].
- 6.
Note that the inner compression function needs to be strongly (ε 1, t, q)-secure for a quite small value of ε 1, since the theorem loses content if ε 1 > 1∕(2n).
- 7.
Note that A rka can verify that A MAC has a valid forgery using the same procedure that was used to respond to its queries. This means that A rka needs to be allowed two more queries of O rka, and for this reason, the query bound for A rka is 2q + 2 rather than 2q, and the time bounds have the term (q + 1)nT rather than qnT.
- 8.
In the prf test for f, the adversary gets the values f(K, M) (with K a c-bit hidden key and M a b-bit queried message); in the test for \(\tilde{f}\) in HMAC, he gets the values \(f(K,M\|p)\) (with M a c-bit message and p a fixed (b − c)-bit padding); and in the test for \(\tilde{f}\) in Envelope MAC, he gets the values \(f(M,K\|p)\). Thus, the only difference is whether the key occurs in the first c bits or in the next c bits.
- 9.
How can something be a necessary component, but play no role in the selection? By analogy, when one looks for an apartment, a functioning toilet is a requirement; however, one doesn’t normally choose which apartment to rent based on which has the nicest toilet.
References
M. Bellare, Practice-oriented provable-security, in Proceedings of First International Workshop on Information Security (ISW ’97). Lecture Notes in Computer Science, vol. 1396 (Springer, Berlin, 1998), pp. 221–231
M. Bellare, New proofs for NMAC and HMAC: security without collision resistance, in Advances in Cryptology—Crypto 2006. Lecture Notes in Computer Science, vol. 4117 (Springer, Heidelberg, 2006), pp. 602–619. Extended version available at http://cseweb.ucsd.edu/mihir/papers/hmac-new.pdf
M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—Eurocrypt 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Heidelberg, 2003), pp. 491–506
M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of First Annual Conference on Computer and Communications Security (ACM, New York, 1993), pp. 62–73
M. Bellare, R. Rogaway, Optimal asymmetric encryption—how to encrypt with RSA, in Advances in Cryptology—Eurocrypt ’94. Lecture Notes in Computer Science, vol. 950 (Springer, Heidelberg, 1994), pp. 92–111
M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in Advances in Cryptology—Crypto ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Heidelberg, 1996), pp. 1–15. Extended version available at http://cseweb.ucsd.edu/mihir/papers/kmd5.pdf
M. Bellare, R. Canetti, H. Krawczyk, HMAC: Keyed-hashing for message authentication, Internet RFC 2104 (1997)
D. Bernstein, T. Lange, Non-uniform cracks in the concrete: the power of free precomputation, in Advances in Cryptology—Asiacrypt 2013. Lecture Notes in Computer Science, vol. 8270 (Springer, Heidelberg, 2013), pp. 321–340
D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 275–291
M. Fischlin, Security of NMAC and HMAC based on non-malleability, in Topics in Cryptology—CT-RSA 2008. Lecture Notes in Computer Science, vol. 4064 (Springer, Heidelberg, 2008), pp. 138–154
P. Gauravaram, L. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, S. Thomsen, Grøstl—a SHA-3 candidate (2011). Available at http://www.groestl.info/Groestl.pdf
B. Kaliski, M. Robshaw, Message authentication with MD5. CryptoBytes 1(1), 5–8 (1995)
J. Katz, Y. Lindell, Introduction to Modern Cryptography (Chapman and Hall/CRC, Boca Raton, 2007)
N. Koblitz, A. Menezes. http://anotherlook.ca
N. Koblitz, A. Menezes, Another look at “provable security.” J. Cryptol. 20, 3–37 (2007)
N. Koblitz, A. Menezes, Another look at security definitions. Adv. Math. Commun. 7, 1–38 (2013)
N. Koblitz, A. Menezes, Another look at HMAC. J. Math. Cryptol. 7, 225–251 (2013)
N. Koblitz, A. Menezes, Another look at non-uniformity. Groups Complex. Cryptol. 5, 117–139 (2013)
A.H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: the serpentine course of a paradigm shift. J. Number Theory 131, 781–814 (2011)
H. Krawczyk, Koblitz’s arguments disingenuous. Not. Am. Math. Soc. 54(11), 1455 (2007)
National Institute of Standards and Technology, The keyed-hash message authentication code (HMAC). FIPS Publication 198 (2002)
National Institute of Standards and Technology, Third-round report of the SHA-3 cryptographic hash algorithm competition. Interagency Report 7896 (2012)
P. Piermont, W. Simpson, IP authentication using keyed MD5, IETF RFC 1828 (1995)
K. Pietrzak, A closer look at HMAC. Available at http://eprint.iacr.org/2013/212
B. Preneel, P. van Oorschot, MDx-MAC and building fast MACs from hash functions, in Advances in Cryptology—Crypto ’95. Lecture Notes in Computer Science, vol. 963 (Springer, Heidelberg, 1995), pp. 1–14
B. Preneel, P. van Oorschot, On the security of iterated message authentication codes. IEEE Trans. Inf. Theory 45, 188–199 (1999)
V. Shoup, OAEP reconsidered, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 239–259
G. Tsudik, Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. 22(5), 29–38 (1992)
K. Yasuda, “Sandwich” is indeed secure: how to authenticate a message with just one hashing, in Information Security and Privacy—ACISP 2007. Lecture Notes in Computer Science, vol. 4586 (Springer, Heidelberg, 2007), pp. 355–369
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Koblitz, N., Menezes, A. (2014). Another Look at Security Theorems for 1-Key Nested MACs. In: Koç, Ç. (eds) Open Problems in Mathematics and Computational Science. Springer, Cham. https://doi.org/10.1007/978-3-319-10683-0_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-10683-0_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10682-3
Online ISBN: 978-3-319-10683-0
eBook Packages: Computer ScienceComputer Science (R0)