Abstract:In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l >= n), there is a well-known existential forgery attack with complexity 2(l/2). However, the remaining security after 2(l/2) computations is not well understood. In particular it is widely assumed that if the underlying hash function is sound, then a generic universal forgery attack should require 2(n) computations and some distinguishing (e.g. distinguishing-H but not distinguishing-R) and state-recovery attacks should also require 2(l) computations (or 2(k) if k < l).In this work, we show that above the birthday bound, hash-based MACs offer significantly less security than previously believed. Our main result is a generic distinguishing-H and state-recovery attack against hash-based MACs with a complexity of only <(O)over tilde> (2(l/2)). In addition, we show a key-recovery attack with complexity (O) over tilde (2(3l/4)) against HMAC used with a hash functions with an internal checksum, such as GOST. This surprising result shows that the use of a checksum might actually weaken a hash function when used in a MAC. We stress that our attacks are generic, and they are in fact more efficient than some previous attacks proposed on MACs instanciated with concrete hash functions. We use techniques similar to the cycle-detection technique proposed by Peyrin et al. at Asiacrypt 2012 to attack HMAC in the related-key model. However, our attacks works in the single-key model for both HMAC and NMAC, and without restriction on the key size.

New Generic Attacks Against Hash-Based MACs.

Cryptanalysis On Hmac/Nmac-Md5 And Md5-Mac

New Birthday Attacks on Some MACs Based on Block Ciphers.

New Distinguishing Attack on MAC Using Secret-Prefix Method

Full Key-Recovery Attack on the HMAC/NMAC Based on 3 and 4-Pass HAVAL

Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256

Practical Hash-based Anonymity for MAC Addresses

Quantum attacks on Beyond-Birthday-Bound MACs

Partial Key Recovery Attack on SHA-0-MAC

A New Non-MDS Hash Function Resisting Birthday Attack and Meet-in-the-middle Attack

Dedicated Quantum Attacks on XOR-Type Function With Applications to Beyond-Birthday- Bound MACs

Classical and Quantum Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing

Distinguishing Attack On Secret Prefix Mac Instantiated With Reduced Sha-1

Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing

Differential and Correlation Power Analysis Attacks on HMAC-Whirlpool

Fault-assisted side-channel analysis of HMAC-Streebog

An Attack on Hash Function HAVAL-128

Distinguishing and Second-Preimage Attacks on CBC-Like MACs

A First-Order Differential Power Analysis Attack on Hmac-Sm3

Robustness of Practical Perceptual Hashing Algorithms to Hash-Evasion and Hash-Inversion Attacks

Meet-in-the-Middle Preimage Attacks on Sponge-based Hashing.