TY - GEN
T1 - Improved generic attacks against hash-based MACs and HAIFA
AU - Dinur, Itai
AU - Leurent, Gaëtan
PY - 2014/1/1
Y1 - 2014/1/1
N2 - The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was very recently shown to be suboptimal, following a series of surprising results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require much less than 2^ℓ computations, contradicting the common belief (where ℓ denotes the internal state size). In this work, we revisit and extend these results, with a focus on properties of concrete hash functions such as a limited message length, and special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2^(4ℓ/5). Then, we describe improved trade-offs between the message length and the complexity of a state-recovery attack on HMAC. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash functions limit the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2.
AB - The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was very recently shown to be suboptimal, following a series of surprising results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require much less than 2^ℓ computations, contradicting the common belief (where ℓ denotes the internal state size). In this work, we revisit and extend these results, with a focus on properties of concrete hash functions such as a limited message length, and special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2^(4ℓ/5). Then, we describe improved trade-offs between the message length and the complexity of a state-recovery attack on HMAC. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash functions limit the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2.
KW - GOST
KW - HAIFA
KW - HMAC
KW - Hash functions
KW - MAC
KW - Merkle-Damgård
KW - SHA family
KW - Streebog
KW - state-recovery attack
KW - universal forgery attack
UR - http://www.scopus.com/inward/record.url?scp=84905379083&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-44371-2_9
DO - 10.1007/978-3-662-44371-2_9
M3 - Conference contribution
AN - SCOPUS:84905379083
SN - 9783662443705
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 149
EP - 168
BT - Advances in Cryptology, CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings
PB - Springer Verlag
T2 - 34th Annual International Cryptology Conference, CRYPTO 2014
Y2 - 17 August 2014 through 21 August 2014
ER -