Cryptanalyses on a Merkle-Damgård Based MAC -- Almost Universal Forgery and Distinguishing-H Attacks
Yu Sasaki
pp. 411-427
TLDR
Two types of cryptanalysis are presented on a Merkle-Damgård hash based MAC, which computes the MAC value of a message M as Hash(K||l||M) with a shared key K and the message length l, and it is shown that the length-prepending scheme is not enough to achieve a secure MAC.

Abstract:
This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K||l||M) with a shared key K and the message length l. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2^{n/2}) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2^n queries. In fact, all of the previous distinguishing-H attacks were dedicated attacks depending on the underlying hash algorithm, and in most cases only reduced rounds were attacked, with a complexity between 2^{n/2} and 2^n. Because our attack is generic, it updates these results: full rounds are attacked with O(2^{n/2}) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2^{n/2}) queries. These results show that the length-prepending scheme is not enough to achieve a secure MAC.
Citations
Book Chapter
Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations
Akinori Hosoyamada, Yu Sasaki, +1 more
TL;DR: In this article, quantum attacks against symmetric-key schemes are presented, in which adversaries only make classical queries but use quantum computers for offline computations, and the attack cost depends on the number of available qubits and the way to realize the quantum hardware.
Book Chapter
Generic State-Recovery and Forgery Attacks on ChopMD-MAC and on NMAC/HMAC
TL;DR: This paper presents new attacks on message authentication codes (MACs), generic and applicable to (secret-prefix) ChopMD-MAC and to NMAC/HMAC, all of which are based on a Merkle-Damgård hash function, and shows that an internal state value of these MACs can be recovered with time/queries less than O(2^n); roughly, with O(2^n/n) complexity.
Book Chapter
Cryptanalysis of HMAC/NMAC-Whirlpool
TL;DR: In this article, the authors presented universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool.
References
Book
Handbook of Applied Cryptography
TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Book Chapter
Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions
TL;DR: It is shown that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, even for extremely large values of r, and it is proved that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction.
Book Chapter
Second Preimages on n-bit Hash Functions for Much Less than 2^n Work
John Kelsey, Bruce Schneier, +1 more
TL;DR: In this article, the Damgård-Merkle construction is used to construct expandable messages for any n-bit iterated hash function, which requires only a small multiple of the work done to find a single collision in the hash function.
Journal Article
Message authentication with one-way hash functions
TL;DR: This brief paper introduces encryption-free message authentication based entirely on fast one-way hash functions; two methods are presented and their strength is analyzed.
Proceedings Article
Pseudorandom functions revisited: the cascade construction and its concrete security
TL;DR: The authors investigate new ways of designing pseudorandom function families, propose the cascade construction, and provide a concrete security analysis which relates the strength of the cascade to that of the underlying finite pseudorandom function family in a precise and quantitative way.