Improved Generic Attacks Against Hash-Based MACs and HAIFA

Itai Dinur, Gaëtan Leurent

Research output: Contribution to journalArticlepeer-review

2 Scopus citations


The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than 2 computations, contradicting the common belief (where ℓ denotes the internal state size). In this work, we revisit and extend these results, with a focus on concrete hash functions that limit the message length, and apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2 4 / 5. Then, we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle–Damgård hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash functions limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.

Original languageEnglish
Pages (from-to)1161-1195
Number of pages35
Issue number4
StatePublished - 1 Dec 2017


  • GOST
  • HMAC
  • Hash functions
  • MAC
  • Merkle–Damgård
  • SHA family
  • State-recovery attack
  • Streebog
  • Universal forgery attack

ASJC Scopus subject areas

  • General Computer Science
  • Computer Science Applications
  • Applied Mathematics


Dive into the research topics of 'Improved Generic Attacks Against Hash-Based MACs and HAIFA'. Together they form a unique fingerprint.

Cite this