Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e99.a.22

2016-01-01

Abstract:HMAC is the most widely used hash based MAC scheme. Recently, several generic attacks have been presented against HMAC with a complexity between 2(n/2) and 2(n), where n is the output size of an underlying hash function. In this paper, we investigate the security of strengthened HMAC instantiated with aMerkle-Damgrd hash function in which the key is used to process underlying compression functions. With such a modification, the attacker is unable to precompute the property of the compression function offline, and thus previous generic attacks are prevented. In this paper, we show that keying the compression function in all blocks is necessary to prevent a generic internal state recovery attack with a complexity less than 2(n). In other words, only with a single keyless compression function, the internal state is recovered faster than 2(n). To validate the claim, we present a generic attack against the strengthened HMAC instantiated with a Merkle-Damgard hash function in which only one block is keyless, thus pre-computable offline. Our attack uses the previous generic attack by Naito et al. as a base. We improve it so that the attack can be applied only with a single keyless compression function while the attack complexity remains unchanged from the previous work.

Jian Guo,Thomas Peyrin,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-44371-2_8

2014-01-01

Abstract:In this paper, we present new generic attacks against HMAC and other similar MACs when instantiated with an n-bit output hash function maintaining a l-bit internal state. Firstly, we describe two types of selective forgery attacks (a forgery for which the adversary commits on the forged message beforehand). The first type is a tight attack which requires O(2(l/2)) computations, while the second one requires O(2(2l/3)) computations, but offers much more freedom degrees in the choice of the committed message. Secondly, we propose an improved universal forgery attack which significantly reduces the complexity of the best known attack from O(2(5l/6)) to O(2(3l/4)). Finally, we describe the very first time-memory tradeoff for key recovery attack on HMAC. With O(2(l)) precomputation, the internal key K-out is firstly recovered with O(2(2l/3)) computations by exploiting the Hellman's time-memory tradeoff, and then the other internal key Kin is recovered with O(2(3l/4)) computations by a novel approach. This tends to indicate an inefficiency in using long keys for HMAC.

Thomas Peyrin,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-34961-4_35

2012-01-01

Abstract:In this article we describe new generic distinguishing and forgery attacks in the related-key scenario (using only a single relatedkey) for the HMAC construction. When HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks where m = k, our distinguishing-R attack requires about 2(n/2) queries which improves over the currently best known generic attack complexity 2(l/2) as soon as l > n. This means that contrary to the general belief, using wide-pipe hash functions as internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size. We also present generic related-key distinguishing-H, internal state recovery and forgery attacks. Our method is new and elegant, and uses a simple cyclesize detection criterion. The issue in the HMAC construction (not present in the NMAC construction) comes from the non-independence of the two inner hash layers and we provide a simple patch in order to avoid this generic attack. Our work finally shows that the choice of the opad and ipad constants value in HMAC is important.

Gaetan Leurent,Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-42045-0_1

2013-01-01

Abstract:In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l >= n), there is a well-known existential forgery attack with complexity 2(l/2). However, the remaining security after 2(l/2) computations is not well understood. In particular it is widely assumed that if the underlying hash function is sound, then a generic universal forgery attack should require 2(n) computations and some distinguishing (e.g. distinguishing-H but not distinguishing-R) and state-recovery attacks should also require 2(l) computations (or 2(k) if k < l).In this work, we show that above the birthday bound, hash-based MACs offer significantly less security than previously believed. Our main result is a generic distinguishing-H and state-recovery attack against hash-based MACs with a complexity of only <(O)over tilde> (2(l/2)). In addition, we show a key-recovery attack with complexity (O) over tilde (2(3l/4)) against HMAC used with a hash functions with an internal checksum, such as GOST. This surprising result shows that the use of a checksum might actually weaken a hash function when used in a MAC. We stress that our attacks are generic, and they are in fact more efficient than some previous attacks proposed on MACs instanciated with concrete hash functions. We use techniques similar to the cycle-detection technique proposed by Peyrin et al. at Asiacrypt 2012 to attack HMAC in the related-key model. However, our attacks works in the single-key model for both HMAC and NMAC, and without restriction on the key size.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1007/978-3-540-78967-3_14

2008-01-01

Abstract:At Crypto '07, Fouque, Leurent and Nguyen presented full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5, by extending the partial key-recovery attacks of Contini and Yin from Asi-acrypt '06. Such attacks are based on collision attacks on the underlying hash function, and the most expensive stage is he recovery of the so-called outer key. In this paper, we show that the outer key can be recovered with near-collisions instead of collisions: near-collisions can be easier to find and can disclose more information. This improves the complexity of the FLN attack on HMAC/NMAC-MD4: the number of MAC queries decreases from 288 to 2 72, and the number of MD4 computations decreases from 2(95) to 2(77). We also improved the total complexity of the related-key attack on NMAC-MD5. Moreover, our attack on NMAC-MD5 can partially recover the outer key without the knowledge of the inner key, which might be of independent interes.

Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-55220-5_9

2014-01-01

Abstract:In this article, we study the security of iterative hash-based MACs, such as HMAC or NMAC, with regards to universal forgery attacks. Leveraging recent advances in the analysis of functional graphs built from the iteration of HMAC or NMAC, we exhibit the very first generic universal forgery attack against hash-based MACs. In particular, our work implies that the universal forgery resistance of an n-bit output HMAC construction is not 2n queries as long believed by the community. The techniques we introduce extend the previous functional graphs-based attacks that only took in account the cycle structure or the collision probability: we show that one can extract much more meaningful secret information by also analyzing the distance of a node from the cycle of its component in the functional graph.

Yusuke Naito,Yu Sasaki,Lei Wang,Kan Yasuda

DOI: https://doi.org/10.1007/978-3-642-41383-4_6

2013-01-01

Abstract:This paper presents new attacks on message authentication codes (MACs). Our attacks are generic and applicable to (secret-prefix) ChopMD-MAC and to NMAC/HMAC, all of which are based on a Merkle-Damgård hash function. We show that an internal state value of these MACs can be recovered with time/queries less than O(2 n )—roughly, with an O(2 n /n) complexity, where ChopMD has 2n-bit state and NMAC/HMAC n-bit. We also show that state-recovery can be extended to MAC-security compromise, such as almost universal forgeries and distinguishing-H attacks. While our results remain to be of theoretical interest due to the high attack complexity, they lead to profound consequences. Namely, our analyses provide us with proper understanding of these MAC constructions, for in the literature the complexity has been implicitly and explicitly assumed to be O(2 n ). Since the complexity is very close to 2 n , we make a precise calculation of attack complexities and of success probabilities in order to show that the total complexity is indeed less than 2 n . Moreover, we perform an experiment by computer simulation to demonstrate that our calculation is correct.

Yu Sasaki,Gaoli Wang,Lei Wang

DOI: https://doi.org/10.1587/transfun.e98.a.26

2015-01-01

Abstract:This paper presents key recovery attacks on SandwichMAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. Our attacks are based on a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We first improve its complexity from 2(97) to 2(89.04). With this improvement, we then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous keyrecovery technique as a new tool exploiting a conditional key-dependent distribution. Surprisingly, a key which is even longer than the tag size can be recovered without the knowledge of the key size. Finally, our attack also improves the previous partial-key (K1) recovery on MD5-MAC, and extends it to recover both of K-1 and K-2.

Jian Guo,Yu Sasaki,Lei Wang,Shuang Wu

2015-01-01

Abstract:In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on “original” key recovery for HMAC (previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMACand NMAC-Whirlpool.

Xiaoyun Wang,Hongbo Yu,Wei Wang,Haina Zhang,Tao Zhan

DOI: https://doi.org/10.1007/978-3-642-01001-9_7

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2(97) queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2(126.1) messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. The MDx-MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2(97) queries.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-00843-6_25

2009-01-01

Abstract:In this paper, we give the full key-recovery attacks on the HMAC/NMAC instantiated with 3 and 4-Pass HAVAL using our new differential paths. The complexity to recover the inner key is about 2103 MAC queries for the 3-Pass HAVAL and 2123 MAC queries for the 4-Pass HAVAL. The complexity to recover the outer key is about 269 MAC queries and 2198 offline computations for the 3-Pass HAVAL based HMAC/NMAC. For the 4-Pass HAVAL case, the number of MAC queries for outer key-recovery is about 2103 and the offline work is about 2180 4-Pass HAVAL computations.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-43414-7_25

2014-01-01

Abstract:This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous key-recovery technique as a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key (K-1) recovery on MD5-MAC, and extends it to recover both K-1 and K-2.

Jian Guo,Yu Sasaki,Lei Wang,Meiqin Wang,Long Wen

DOI: https://doi.org/10.1007/978-3-662-46706-0_29

2015-01-01

Abstract:A main contribution of this paper is an improved analysis against HMAC instantiating with reduced Whirlpool. It recovers equivalent keys, which are often denoted as K-in and K-out, of HMAC with 7-round Whirlpool, while the previous best attack can work only for 6 rounds. Our approach is applying the meet-in-the-middle (MITM) attack on AES to recover MAC keys of Whirlpool. Several techniques are proposed to bypass different attack scenarios between a block cipher and a MAC, e.g., the chosen plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, a larger state size and different key schedule designs of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2(481.7), 2(482.3), 2(481)).

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2011.70

2011-01-01

Abstract:In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code(MAC) calculated with a cryptographic hash function and a secret key. The security of the HMAC relies on the underlying hash function and the secret key. Whirlpool is a block cipher based hash algorithm that has been in public for about ten years. So far no effective attacks have been found on Whirlpool. As a result, HMAC with Whirlpool, i.e., HMAC-Whirlpool, is supposed to be secure. In this paper, we demonstrate that HMAC-Whirlpool is vulnerable to power analysis attacks. We designed two types of attacks: one is based on Differential Power Analysis (DPA) and the other on Correlation Power Analysis (CPA). We successfully launched the attacks at HMAC-Whirlpool running on an Atmel AVR processor. We also compared the attacks in terms of the number of power traces needed.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-02384-2_1

2009-01-01

Abstract:HAVAL is a cryptographic hash function with variable hash value sizes proposed by Zheng, Pieprzyk and Seberry in 1992. It has 3, 4, or 5 passes, and each pass contains 32 steps. There was a collision attack on 5-pass HAVAL, but no second preimage attack. In this paper, we present a second preimage differential path for 5-pass HAVAL with probability 2*** 227 and exploit it to devise a second preimage attack on 5-pass HAVAL . Furthermore, we utilize the path to recover the partial key of HMAC/NMAC-5-pass HAVAL with 2235 oracle queries and 235 memory bytes.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1587/transfun.e92.a.76

2009-01-01

Abstract:The most widely used hash functions from MD4 family have been broken, which lead to a public competition on designing new hash functions held by NIST. This paper focuses on one concept called near-collision resistance: computationally difficult to find a pair of messages with hash values differing in only few bits, which new hash functions should satisfy. In this paper, we will give a model of near-collisions on MD4, and apply it to attack protocols including HMAC/NMAC-MD4 and MD4(Password||Challenge). Our new outer-key recovery attacks on HMAC/NMAC-MD4 has a complexity of 272 online queries and 277 MD4 computations, while previous result was 288 online queries and 295 MD4 computations. Our attack on MD4(Password||Challenge) can recover 16 password characters with a complexity of 237 online queries and 221 MD4 computations, which is the first approach to attack such protocols.

Zheng Gong,Xuejia Lai,Kefei Chen

2008-01-01

Abstract:In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class are failed to be optimally (second) preimage resistant, the necessary conditions are refined for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the refined conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in the compression function has the key length is equal to the block length, while the other is doubled.

Gautham SekarMabin JosephR. BalasubramanianGautham Sekar is the PGDM Chair at the Madras School of Economics,India,and a Director of Madras Fintech Services Pvt. Ltd,India. He holds a PhD from KU Leuven in the area of cryptology. His interests include information security,data science and financial technology.Mabin Joseph is working as a Scientist at Indira Gandhi Centre for Atomic Research,Tamil Nadu,India. He completed his Ph.D. from the Homi Bhabha National Institute,India. His research interests are in cryptology,network security and data analytics.R. Balasubramanian is a Retired Professor and former Director of the Institute of Mathematical Sciences,Chennai,India. He obtained his Ph.D. in Mathematics from the University of Bombay. His interests include number theory and cryptology. He is the recipient of several national and international accolades including the Padma Shri by the Government of India and the Chevalier de l'Ordre National du Merite by the Government of France.

DOI: https://doi.org/10.1080/01611194.2024.2328548

2024-04-16

Cryptologia

Abstract:Streebog is a family of hash functions defined in the Russian cryptographic standard GOST R 34.11–2012. HMAC-Streebog, which is defined in RFC 7836, is a Streebog-based message authentication code. It supports keys of size ranging from 256 bits to 512 bits. In this article, we present fault-assisted side channel attacks on HMAC-Streebog-256 and HMAC-Streebog-512 that can recover the keys in real-time with 212.98 and 214.97 average number of fault injections, respectively, to ensure 95% success. The attacker is assumed to be able to simultaneously flip at the most 181 chosen bits of the inner hash if it is a 256–bit variant and 361 chosen bits of the hash otherwise. In comparison to existing fault attacks on HMAC-Streebog, our attacks have a larger temporal window for fault injection, target a more accessible location, and cannot be mitigated with output redundancy countermeasures. Some of the latest hardware vulnerabilities make the HMAC-Streebog implementations vulnerable to our attacks.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Yu Sasaki,Lei Wang,Yasuhiro Takasaki,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-34117-5_10

2012-01-01

Abstract:This paper studies a boomerang-attack-based distinguisher against full steps of the compression function of HAS-160, which is the hash function standard in Korea. The attack produces a second-order collision for the full steps of the compression function with a complexity of 276.06, which is faster than the currently best-known generic attack with a complexity of 280. Previously Dunkelman et al. in 2009 applied a boomerang-based key-recovery attack on the internal block cipher of HAS-160. Because the goal of their attack is different from ours, the attack on the compression function has been reconstructed and optimized from scratch. As a result of the exhaustive search of the message difference, we found that the same message difference as theirs is the best choice for the first subcipher. We then propose some improvement to construct a differential characteristic from the message difference, which the probability of the characteristic increases from 2− 47 to 2− 44. Thus our new characteristic also improves their key-recovery attack on the internal block cipher of HAS-160.