Xiaoyun Wang,Hongbo Yu,Wei Wang,Haina Zhang,Tao Zhan

DOI: https://doi.org/10.1007/978-3-642-01001-9_7

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2(97) queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2(126.1) messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. The MDx-MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2(97) queries.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1007/978-3-540-78967-3_14

2008-01-01

Abstract:At Crypto '07, Fouque, Leurent and Nguyen presented full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5, by extending the partial key-recovery attacks of Contini and Yin from Asi-acrypt '06. Such attacks are based on collision attacks on the underlying hash function, and the most expensive stage is he recovery of the so-called outer key. In this paper, we show that the outer key can be recovered with near-collisions instead of collisions: near-collisions can be easier to find and can disclose more information. This improves the complexity of the FLN attack on HMAC/NMAC-MD4: the number of MAC queries decreases from 288 to 2 72, and the number of MD4 computations decreases from 2(95) to 2(77). We also improved the total complexity of the related-key attack on NMAC-MD5. Moreover, our attack on NMAC-MD5 can partially recover the outer key without the knowledge of the inner key, which might be of independent interes.

Yu Sasaki,Gaoli Wang,Lei Wang

DOI: https://doi.org/10.1587/transfun.e98.a.26

2015-01-01

Abstract:This paper presents key recovery attacks on SandwichMAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. Our attacks are based on a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We first improve its complexity from 2(97) to 2(89.04). With this improvement, we then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous keyrecovery technique as a new tool exploiting a conditional key-dependent distribution. Surprisingly, a key which is even longer than the tag size can be recovered without the knowledge of the key size. Finally, our attack also improves the previous partial-key (K1) recovery on MD5-MAC, and extends it to recover both of K-1 and K-2.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-02620-1_13

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on the LPMAC based on step-reduced SHA-256. The LPMAC is the abbreviation of the secret-prefix MAC with the length prepended to the message before hashing and it's a more secure version of the secret-prefix MAC. In [19], Wang e t al. give the first distinguishing attack on HMAC/NMAC-MD5 without the related key, then they improve the techniques to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [23]. In this paper, we utilize the techniques in [23] combined with our differential path on step-reduced SHA-256 to distinguishing the LPMAC based on 39-step SHA-256 from the LPMAC with a random function. The complexity of our attack is about 2184.5 MAC queries.

Xiaoyun Wang,Wei Wang,Keting Jia,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-03317-9_22

2009-01-01

Abstract:This paper presents a new distinguisher which can be applied to secret-prefix MACs with the message length prepended to the message before hashing. The new distinguisher makes use of a special truncated differential path with high probability to distinguish an inner near-collision in the first round. Once the inner near-collision is detected, we can recognize an instantiated MAC from a MAC with a random function. The complexity for distinguishing the MAC with 43-step reduced SHA-1 is 2124.5 queries. For the MAC with 61-step SHA-1, the complexity is 2154.5 queries. The success probability is 0.70 for both.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-43414-7_25

2014-01-01

Abstract:This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous key-recovery technique as a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key (K-1) recovery on MD5-MAC, and extends it to recover both K-1 and K-2.

Siyuan Qiao,Wei Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-14423-3_23

2010-01-01

Abstract:In this paper, we present a new distinguishing attack which works for secret prefix MAC based on 65-step (12-76) SHA-1. By birthday paradox, we first guarantee the existence of an internal collision at the output of the first iteration, then identify it by choosing the second message block smartly, and finally distinguish the specific MAC from a random function by making use of a near-collision differential path. The complexity of our new distinguisher is 2(80.9) queries with success probability 0.51. In comparison, we also present a distinguisher on secret prefix MAC instantiated with 63-step (8-70) SHA-1 according to Wang's method introduced at FSE 2009 [21], which needs about 2(157) queries with success probability 0.70.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-00843-6_25

2009-01-01

Abstract:In this paper, we give the full key-recovery attacks on the HMAC/NMAC instantiated with 3 and 4-Pass HAVAL using our new differential paths. The complexity to recover the inner key is about 2103 MAC queries for the 3-Pass HAVAL and 2123 MAC queries for the 4-Pass HAVAL. The complexity to recover the outer key is about 269 MAC queries and 2198 offline computations for the 3-Pass HAVAL based HMAC/NMAC. For the 4-Pass HAVAL case, the number of MAC queries for outer key-recovery is about 2103 and the offline work is about 2180 4-Pass HAVAL computations.

Jian Guo,Yu Sasaki,Lei Wang,Meiqin Wang,Long Wen

DOI: https://doi.org/10.1007/978-3-662-46706-0_29

2015-01-01

Abstract:A main contribution of this paper is an improved analysis against HMAC instantiating with reduced Whirlpool. It recovers equivalent keys, which are often denoted as K-in and K-out, of HMAC with 7-round Whirlpool, while the previous best attack can work only for 6 rounds. Our approach is applying the meet-in-the-middle (MITM) attack on AES to recover MAC keys of Whirlpool. Several techniques are proposed to bypass different attack scenarios between a block cipher and a MAC, e.g., the chosen plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, a larger state size and different key schedule designs of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2(481.7), 2(482.3), 2(481)).

Yusuke Naito,Yu Sasaki,Lei Wang,Kan Yasuda

DOI: https://doi.org/10.1007/978-3-642-41383-4_6

2013-01-01

Abstract:This paper presents new attacks on message authentication codes (MACs). Our attacks are generic and applicable to (secret-prefix) ChopMD-MAC and to NMAC/HMAC, all of which are based on a Merkle-Damgård hash function. We show that an internal state value of these MACs can be recovered with time/queries less than O(2 n )—roughly, with an O(2 n /n) complexity, where ChopMD has 2n-bit state and NMAC/HMAC n-bit. We also show that state-recovery can be extended to MAC-security compromise, such as almost universal forgeries and distinguishing-H attacks. While our results remain to be of theoretical interest due to the high attack complexity, they lead to profound consequences. Namely, our analyses provide us with proper understanding of these MAC constructions, for in the literature the complexity has been implicitly and explicitly assumed to be O(2 n ). Since the complexity is very close to 2 n , we make a precise calculation of attack complexities and of success probabilities in order to show that the total complexity is indeed less than 2 n . Moreover, we perform an experiment by computer simulation to demonstrate that our calculation is correct.

Jian Guo,Yu Sasaki,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/978-3-642-42045-0_2

2015-01-01

Abstract:In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on "original" key recovery for HMAC ( previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMAC- and NMAC-Whirlpool.

Gaetan Leurent,Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-42045-0_1

2013-01-01

Abstract:In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l >= n), there is a well-known existential forgery attack with complexity 2(l/2). However, the remaining security after 2(l/2) computations is not well understood. In particular it is widely assumed that if the underlying hash function is sound, then a generic universal forgery attack should require 2(n) computations and some distinguishing (e.g. distinguishing-H but not distinguishing-R) and state-recovery attacks should also require 2(l) computations (or 2(k) if k < l).In this work, we show that above the birthday bound, hash-based MACs offer significantly less security than previously believed. Our main result is a generic distinguishing-H and state-recovery attack against hash-based MACs with a complexity of only <(O)over tilde> (2(l/2)). In addition, we show a key-recovery attack with complexity (O) over tilde (2(3l/4)) against HMAC used with a hash functions with an internal checksum, such as GOST. This surprising result shows that the use of a checksum might actually weaken a hash function when used in a MAC. We stress that our attacks are generic, and they are in fact more efficient than some previous attacks proposed on MACs instanciated with concrete hash functions. We use techniques similar to the cycle-detection technique proposed by Peyrin et al. at Asiacrypt 2012 to attack HMAC in the related-key model. However, our attacks works in the single-key model for both HMAC and NMAC, and without restriction on the key size.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-02384-2_1

2009-01-01

Abstract:HAVAL is a cryptographic hash function with variable hash value sizes proposed by Zheng, Pieprzyk and Seberry in 1992. It has 3, 4, or 5 passes, and each pass contains 32 steps. There was a collision attack on 5-pass HAVAL, but no second preimage attack. In this paper, we present a second preimage differential path for 5-pass HAVAL with probability 2*** 227 and exploit it to devise a second preimage attack on 5-pass HAVAL . Furthermore, we utilize the path to recover the partial key of HMAC/NMAC-5-pass HAVAL with 2235 oracle queries and 235 memory bytes.

Zheng Yuan,Wei Wang,Keting Jia,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-03356-8_13

2009-01-01

Abstract:This paper develops several new techniques of cryptanalyzing MACs based on block ciphers, and is divided into two parts.The first part presents new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads to a forgery attack directly with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about 265.5 chosen messages and 265.5 queries. One of the most important results is to use this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on Alred construction can be applied to the MACs based on CBC and CFB encryption modes.The second part describes the first impossible differential attack on MACs-Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce the inner near-collision with some specific differences are detected, then the impossible differential attack on 4-round AES to the above mentioned MACs is performed. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is 285.5 chosen messages and 285.5 queries. For PC-MAC-AES, we recover its 256-bit key with 285.5 chosen messages and 2128 queries.

Thomas Peyrin,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-34961-4_35

2012-01-01

Abstract:In this article we describe new generic distinguishing and forgery attacks in the related-key scenario (using only a single relatedkey) for the HMAC construction. When HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks where m = k, our distinguishing-R attack requires about 2(n/2) queries which improves over the currently best known generic attack complexity 2(l/2) as soon as l > n. This means that contrary to the general belief, using wide-pipe hash functions as internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size. We also present generic related-key distinguishing-H, internal state recovery and forgery attacks. Our method is new and elegant, and uses a simple cyclesize detection criterion. The issue in the HMAC construction (not present in the NMAC construction) comes from the non-independence of the two inner hash layers and we provide a simple patch in order to avoid this generic attack. Our work finally shows that the choice of the opad and ipad constants value in HMAC is important.

Hong-Wei Sun,Bin-Bin Cai,Su-Juan Qin,Qiao-Yan Wen,Fei Gao

DOI: https://doi.org/10.1016/j.physa.2023.129047

2023-07-18

Abstract:In this paper, we investigate the security of several recent MAC constructions with provable security beyond the birthday bound (called BBB MACs) in the quantum setting. On the one hand, we give periodic functions corresponding to targeted MACs (including PMACX, PMAC with parity, HPxHP, and HPxNP), and we can recover secret states using Simon algorithm, leading to forgery attacks with complexity O(n) . This implies our results realize an exponential speedup compared with the classical algorithm. Note that our attacks can even break some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, mPMAC+-p2, mLightMAC+-f, etc. On the other hand, we construct new hidden periodic functions based on SUM-ECBC-like MACs: SUM-ECBC, PolyMAC, GCM-SIV2, and 2K-ECBC − Plus, where periods reveal the information of the secret key. Then, by applying Grover-meets-Simon algorithm to specially constructed functions, we can recover full keys with O(2n/2n) or O(2m/2n) quantum queries, where n is the message block size and m is the length of the key. Considering the previous best quantum attack, our key-recovery attacks achieve a quadratic speedup.

physics, multidisciplinary

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-642-21518-6_15

2010-01-01

Abstract:This paper presents the first distinguishing attack on the LPMAC based on RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, and the LPMAC is the secret-prefix MAC with the message length prepended to the message before hashing. Wang et al. presented the first distinguishing attack on HMAC/NMAC-MD5 without the related-key setting in [27], then they extended this technique to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [24]. In this paper, we utilize the techniques in [24,27] combined with our pseudo-near-collision differential path on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 to distinguish the LPMAC based on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 from the LPMAC based on a random function respectively. Because RIPEMD and RIPEMD-{256,320} all contain two different and independent parallel lines of operations, the difficulty of our attack is to choose proper message differences and to find proper near-collision differential paths of the two parallel lines of operations. The complexity of distinguishing the LPMAC based on the full RIPEMD is about 266 MAC queries. For the LPMAC based on 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, the complexities are about 2163.5 MAC queries and 2208.5 MAC queries respectively.

Jiehui Nan,Honggang Hu,Ping Zhang,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-022-03774-5

IF: 1.965

2022-01-01

Quantum Information Processing

Abstract:Since the seminal work of Chen et al. to construct pseudorandom functions (PRFs) from the public random permutations, a series of designs of beyond-birthday-bound secure PRFs or message authentication codes(MACs) have been proposed, like $$\textsf{pEDM}$$ , $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ , $$\textsf{PDM}\text {* }\textsf{MAC}$$ , and $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ , etc. These constructions were classically proved to be secure at least up to $$O(2^{2n/3})$$ queries. In this paper, we consider to attack these constructions in the quantum setting. In particular, we show the key-recovery attack against $$\textsf{pEDM}$$ and $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ with $$O(n\cdot 2^{n/2})$$ quantum queries by using Grover-meets-Simon algorithm. Moreover, a forgery attack is given against the constructions $$\textsf{PDM}\text {* }\textsf{MAC}$$ and $$\textsf{nEHtM}_p$$ with O(n) quantum complexity, and under the same query complexity, we can even recover the key of $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ .

Lei Wang,Kazuo Ohta,Yu Sasaki,Kazuo Sakiyama,Noboru Kunihiro

DOI: https://doi.org/10.1587/transinf.e93.d.1087

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Many hash-based authentication protocols have been proposed, and proven secure assuming that underlying hash functions are secure. On the other hand, if a hash function compromises, the security of authentication protocols based on this hash function becomes unclear. Therefore, it is significantly important to verify the security of hash-based protocols when a hash function is broken.In this paper, we will re-evaluate the security of two MD5-based authentication protocols based on a fact that MD5 cannot satisfy a required fundamental property named collision resistance. The target protocols are APOP (Authenticated Post Office Protocol) and NMAC (Nested Message Authentication Code), since they or their variants are widely used in real world. For security evaluation of APOP, we will propose a modified password recovery attack procedure, which is twice as fast as previous attacks. Moreover, our attack is more realistic, as the probability of being detected is lower than that of previous attacks. For security evaluation of MD5-based NMAC, we will propose a new key-recovery attack procedure, which has a complexity lower than that of previous attack. The complexity of our attack is 2(76), while that of previous attack is 2(100).**Moreover, our attack has another interesting point. NMAC has two keys: the inner key and the outer key. Our attack can recover the outer key partially without the knowledge of the inner key.