Abstract
The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than 2 ℓ computations, contradicting the common belief (where ℓ denotes the internal state size). In this work, we revisit and extend these results, with a focus on concrete hash functions that limit the message length, and apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2 4 ℓ / 5. Then, we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle–Damgård hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash functions limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.
Original language | English |
---|---|
Pages (from-to) | 1161-1195 |
Number of pages | 35 |
Journal | Algorithmica |
Volume | 79 |
Issue number | 4 |
DOIs | |
State | Published - 1 Dec 2017 |
Keywords
- GOST
- HAIFA
- HMAC
- Hash functions
- MAC
- Merkle–Damgård
- SHA family
- State-recovery attack
- Streebog
- Universal forgery attack
ASJC Scopus subject areas
- General Computer Science
- Computer Science Applications
- Applied Mathematics