Jian Guo,Yu Sasaki,Lei Wang,Shuang Wu

2015-01-01

Abstract:In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on “original” key recovery for HMAC (previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMACand NMAC-Whirlpool.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2011.70

2011-01-01

Abstract:In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code(MAC) calculated with a cryptographic hash function and a secret key. The security of the HMAC relies on the underlying hash function and the secret key. Whirlpool is a block cipher based hash algorithm that has been in public for about ten years. So far no effective attacks have been found on Whirlpool. As a result, HMAC with Whirlpool, i.e., HMAC-Whirlpool, is supposed to be secure. In this paper, we demonstrate that HMAC-Whirlpool is vulnerable to power analysis attacks. We designed two types of attacks: one is based on Differential Power Analysis (DPA) and the other on Correlation Power Analysis (CPA). We successfully launched the attacks at HMAC-Whirlpool running on an Atmel AVR processor. We also compared the attacks in terms of the number of power traces needed.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1007/978-3-540-78967-3_14

2008-01-01

Abstract:At Crypto '07, Fouque, Leurent and Nguyen presented full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5, by extending the partial key-recovery attacks of Contini and Yin from Asi-acrypt '06. Such attacks are based on collision attacks on the underlying hash function, and the most expensive stage is he recovery of the so-called outer key. In this paper, we show that the outer key can be recovered with near-collisions instead of collisions: near-collisions can be easier to find and can disclose more information. This improves the complexity of the FLN attack on HMAC/NMAC-MD4: the number of MAC queries decreases from 288 to 2 72, and the number of MD4 computations decreases from 2(95) to 2(77). We also improved the total complexity of the related-key attack on NMAC-MD5. Moreover, our attack on NMAC-MD5 can partially recover the outer key without the knowledge of the inner key, which might be of independent interes.

Yu Sasaki,Gaoli Wang,Lei Wang

DOI: https://doi.org/10.1587/transfun.e98.a.26

2015-01-01

Abstract:This paper presents key recovery attacks on SandwichMAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. Our attacks are based on a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We first improve its complexity from 2(97) to 2(89.04). With this improvement, we then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous keyrecovery technique as a new tool exploiting a conditional key-dependent distribution. Surprisingly, a key which is even longer than the tag size can be recovered without the knowledge of the key size. Finally, our attack also improves the previous partial-key (K1) recovery on MD5-MAC, and extends it to recover both of K-1 and K-2.

Xiaoyun Wang,Hongbo Yu,Wei Wang,Haina Zhang,Tao Zhan

DOI: https://doi.org/10.1007/978-3-642-01001-9_7

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2(97) queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2(126.1) messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. The MDx-MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2(97) queries.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-43414-7_25

2014-01-01

Abstract:This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous key-recovery technique as a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key (K-1) recovery on MD5-MAC, and extends it to recover both K-1 and K-2.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-00843-6_25

2009-01-01

Abstract:In this paper, we give the full key-recovery attacks on the HMAC/NMAC instantiated with 3 and 4-Pass HAVAL using our new differential paths. The complexity to recover the inner key is about 2103 MAC queries for the 3-Pass HAVAL and 2123 MAC queries for the 4-Pass HAVAL. The complexity to recover the outer key is about 269 MAC queries and 2198 offline computations for the 3-Pass HAVAL based HMAC/NMAC. For the 4-Pass HAVAL case, the number of MAC queries for outer key-recovery is about 2103 and the offline work is about 2180 4-Pass HAVAL computations.

Jian Guo,Thomas Peyrin,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-44371-2_8

2014-01-01

Abstract:In this paper, we present new generic attacks against HMAC and other similar MACs when instantiated with an n-bit output hash function maintaining a l-bit internal state. Firstly, we describe two types of selective forgery attacks (a forgery for which the adversary commits on the forged message beforehand). The first type is a tight attack which requires O(2(l/2)) computations, while the second one requires O(2(2l/3)) computations, but offers much more freedom degrees in the choice of the committed message. Secondly, we propose an improved universal forgery attack which significantly reduces the complexity of the best known attack from O(2(5l/6)) to O(2(3l/4)). Finally, we describe the very first time-memory tradeoff for key recovery attack on HMAC. With O(2(l)) precomputation, the internal key K-out is firstly recovered with O(2(2l/3)) computations by exploiting the Hellman's time-memory tradeoff, and then the other internal key Kin is recovered with O(2(3l/4)) computations by a novel approach. This tends to indicate an inefficiency in using long keys for HMAC.

Thomas Peyrin,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-34961-4_35

2012-01-01

Abstract:In this article we describe new generic distinguishing and forgery attacks in the related-key scenario (using only a single relatedkey) for the HMAC construction. When HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks where m = k, our distinguishing-R attack requires about 2(n/2) queries which improves over the currently best known generic attack complexity 2(l/2) as soon as l > n. This means that contrary to the general belief, using wide-pipe hash functions as internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size. We also present generic related-key distinguishing-H, internal state recovery and forgery attacks. Our method is new and elegant, and uses a simple cyclesize detection criterion. The issue in the HMAC construction (not present in the NMAC construction) comes from the non-independence of the two inner hash layers and we provide a simple patch in order to avoid this generic attack. Our work finally shows that the choice of the opad and ipad constants value in HMAC is important.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e99.a.22

2016-01-01

Abstract:HMAC is the most widely used hash based MAC scheme. Recently, several generic attacks have been presented against HMAC with a complexity between 2(n/2) and 2(n), where n is the output size of an underlying hash function. In this paper, we investigate the security of strengthened HMAC instantiated with aMerkle-Damgrd hash function in which the key is used to process underlying compression functions. With such a modification, the attacker is unable to precompute the property of the compression function offline, and thus previous generic attacks are prevented. In this paper, we show that keying the compression function in all blocks is necessary to prevent a generic internal state recovery attack with a complexity less than 2(n). In other words, only with a single keyless compression function, the internal state is recovered faster than 2(n). To validate the claim, we present a generic attack against the strengthened HMAC instantiated with a Merkle-Damgard hash function in which only one block is keyless, thus pre-computable offline. Our attack uses the previous generic attack by Naito et al. as a base. We improve it so that the attack can be applied only with a single keyless compression function while the attack complexity remains unchanged from the previous work.

Yusuke Naito,Yu Sasaki,Lei Wang,Kan Yasuda

DOI: https://doi.org/10.1007/978-3-642-41383-4_6

2013-01-01

Abstract:This paper presents new attacks on message authentication codes (MACs). Our attacks are generic and applicable to (secret-prefix) ChopMD-MAC and to NMAC/HMAC, all of which are based on a Merkle-Damgård hash function. We show that an internal state value of these MACs can be recovered with time/queries less than O(2 n )—roughly, with an O(2 n /n) complexity, where ChopMD has 2n-bit state and NMAC/HMAC n-bit. We also show that state-recovery can be extended to MAC-security compromise, such as almost universal forgeries and distinguishing-H attacks. While our results remain to be of theoretical interest due to the high attack complexity, they lead to profound consequences. Namely, our analyses provide us with proper understanding of these MAC constructions, for in the literature the complexity has been implicitly and explicitly assumed to be O(2 n ). Since the complexity is very close to 2 n , we make a precise calculation of attack complexities and of success probabilities in order to show that the total complexity is indeed less than 2 n . Moreover, we perform an experiment by computer simulation to demonstrate that our calculation is correct.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-02384-2_1

2009-01-01

Abstract:HAVAL is a cryptographic hash function with variable hash value sizes proposed by Zheng, Pieprzyk and Seberry in 1992. It has 3, 4, or 5 passes, and each pass contains 32 steps. There was a collision attack on 5-pass HAVAL, but no second preimage attack. In this paper, we present a second preimage differential path for 5-pass HAVAL with probability 2*** 227 and exploit it to devise a second preimage attack on 5-pass HAVAL . Furthermore, we utilize the path to recover the partial key of HMAC/NMAC-5-pass HAVAL with 2235 oracle queries and 235 memory bytes.

QIAO Si-yuan,JIA Ke-ting

2010-01-01

Abstract:A partial key recovery attack on SHA-0-MAC is presented, which is the first partial key recovery attack on SHA-0-MAC. SHA-0-MAC is a kind of MDx-MAC based on hash function SHA-0. MDx-MAC was first proposed by Preneel et al. in Crypto'95,which has 3 160-bit subkeys K0 K1, K2. 160-bit K0 can be fully recovered, and 128 bits of the subkey K1 with 2125.58 MAC queries. By using Wang's new methods of partial key recovery of MD5-MAC and a special pseudo collision differential path given by Biham et al. , the sufficient conditions are deduced which make the differential path hold.

Gaetan Leurent,Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-42045-0_1

2013-01-01

Abstract:In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l >= n), there is a well-known existential forgery attack with complexity 2(l/2). However, the remaining security after 2(l/2) computations is not well understood. In particular it is widely assumed that if the underlying hash function is sound, then a generic universal forgery attack should require 2(n) computations and some distinguishing (e.g. distinguishing-H but not distinguishing-R) and state-recovery attacks should also require 2(l) computations (or 2(k) if k < l).In this work, we show that above the birthday bound, hash-based MACs offer significantly less security than previously believed. Our main result is a generic distinguishing-H and state-recovery attack against hash-based MACs with a complexity of only <(O)over tilde> (2(l/2)). In addition, we show a key-recovery attack with complexity (O) over tilde (2(3l/4)) against HMAC used with a hash functions with an internal checksum, such as GOST. This surprising result shows that the use of a checksum might actually weaken a hash function when used in a MAC. We stress that our attacks are generic, and they are in fact more efficient than some previous attacks proposed on MACs instanciated with concrete hash functions. We use techniques similar to the cycle-detection technique proposed by Peyrin et al. at Asiacrypt 2012 to attack HMAC in the related-key model. However, our attacks works in the single-key model for both HMAC and NMAC, and without restriction on the key size.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-10879-7_19

2014-01-01

Abstract:HMAC is the most widely used hash based MAC scheme. Recently, several generic attacks have been presented against HMAC with a complexity between 2 n/2 and 2 n , where n is the output size of an underlying hash function. In this paper, we investigate the security of strengthened HMAC in which the key is used to process underlying compression functions. With such a modification, the attacker is unable to precompute the property of the compression function offline, and thus previous generic attacks are prevented. In this paper, we show that keying the compression function in all blocks is necessary to prevent a generic internal state recovery attack with a complexity less than 2 n . In other words, only with a single keyless compression function, the internal state is recovered faster than 2 n . To validate the claim, we present a generic attack against the strengthened HMAC in which only one block is keyless, thus pre-computable offline. Our attack uses the previous generic attack by Naito et al. as a base. We improve it so that the attack can be applied only with a single keyless compression function while the attack complexity remains unchanged from the previous work.

Yu Sasaki,Lei Wang,Shuang Wu,Wenling Wu

DOI: https://doi.org/10.1007/978-3-642-34961-4_34

2012-01-01

Abstract:In this paper, improved cryptanalyses for the ISO standard hash function Whirlpool are presented with respect to the fundamental security notions. While a subspace distinguisher was presented on full version (10 rounds) of the compression function, its impact to the security of the hash function seems limited. In this paper, we discuss the (second) preimage and collision attacks for the hash function and the compression function of Whirlpool. Regarding the preimage attack, 6 rounds of the hash function are attacked with 2(481) computations while the previous best attack is for 5 rounds with 2(481.5) computations. Regarding the collision attack, 8 rounds of the compression function are attacked with 2(120) computations, while the previous best attack is for 7 rounds with 2(184) computations. To verify the correctness, especially for the rebound attack on the Sbox with an unbalanced Differential Distribution Table (DDT), the attack is partially implemented, and the differences from attacking the Sbox with balanced DDT are reported.

Limin Guo,Lihui Wang,Qing Li,Zhimin Zhang,Dan Liu,Weijun Shan

DOI: https://doi.org/10.2991/iset-15.2015.25

2015-01-01

Abstract:HMAC algorithm is one of the most famous keyed hash functions, and widely utilized. And SM3 is the only standard hash algorithm of China. However, most cryptographic algorithms implementations are vulnerable against side channel attacks. But specific side channel attacks on HMAC-SM3 have not been given so far. This paper presents a first-order DPA attack on HMAC-SM3. HMAC-SM3 hash algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 2(32), thus the proposed DPA attack is mainly against these basic group operations. Experimental results are given by attacking an implementation of HMAC-SM3 in a smart card, which demonstrate the practicability of such attacks described in this paper.

Xie Jun,Sun Wei,Gu Dawu,Guo Zheng,Liu Junrong,Bao Sigang,Ma Bo

DOI: https://doi.org/10.2991/csic-15.2015.24

2015-01-01

Abstract:The HMAC algorithm is widely used to provide authentication and message integrity in digital communications. However, if the HMAC cryptographic algorithm is implemented in cryptographic circuit, it is vulnerable to side-channel attacks. A typical example is that in 2007, McEvoy proposed an attack strategy for hardware-based implementation of HMAC-SHA2. In this paper, we research on SM3 cryptographic hash algorithm and propose a DPA attack strategy for the software-based implementation of HMAC-SM3. In the experiment, we launch a successful DPA attack on the practical cryptographic circuit and then discuss the security issues about the software-based implementation of HMAC-SM3.

Maria Eichlseder,Lorenzo Grassi,Reinhard Lüftenegger,Morten Øygarden,Christian Rechberger,Markus Schofnegger,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_16

2020-01-01

Abstract:Algebraically simple PRFs, ciphers, or cryptographic hash functions are becoming increasingly popular, for example due to their attractive properties for MPC and new proof systems (SNARKs, STARKs, among many others). In this paper, we focus on the algebraically simple construction MiMC, which became an attractive cryptanalytic target due to its simplicity, but also due to its use as a baseline in a competition for more recent algorithms exploring this design space. For the first time, we are able to describe key-recovery attacks on all full-round versions of MiMC over $${\mathbb {F}}_{2^n}$$ , requiring half the code book. In the chosen-ciphertext scenario, recovering the key from this data for the n-bit full version of MiMC takes the equivalent of less than $$2^{n-\log _2(n) +1}$$ calls to MiMC and negligible amounts of memory. The attack procedure is a generalization of higher-order differential cryptanalysis, and it is based on two main ingredients. First, we present a higher-order distinguisher which exploits the fact that the algebraic degree of MiMC grows significantly slower than originally believed. Secondly, we describe an approach to turn this distinguisher into a key-recovery attack without guessing the full subkey. Finally, we show that approximately $$\lceil \log _3(2\cdot R)\rceil $$ more rounds (where $$R = \lceil n \cdot \log _3(2)\rceil $$ is the current number of rounds of MiMC-n/n) can be necessary and sufficient to restore the security against the key-recovery attack presented here. The attack has been practically verified on toy versions of MiMC. Note that our attack does not affect the security of MiMC over prime fields.