Paper 2011/649

On the Security of NMAC and Its Variants

Fanbao Liu, Changxiang Shen, Tao Xie, and Dengguo Feng

Abstract

We first propose a general equivalent key recovery attack on an $H^2$-MAC variant, NMAC$_1$, which is also provably secure, by applying a generalized birthday attack. Our result shows that NMAC$_1$, even instantiated with a secure Merkle-Damgård hash function, is not secure. We further show that this equivalent key recovery attack on NMAC$_1$ is also applicable to NMAC for recovering the equivalent inner key of NMAC, in a related-key setting. We propose and analyze a series of NMAC variants with different secret approaches and key distributions, and find that a variant, NMAC-E, with the secret envelope approach, can withstand most of the known attacks in this paper. However, all variants, including NMAC itself, are vulnerable to an on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions, based on the Merkle-Damgård construction, should be re-evaluated seriously.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
NMAC, Keying Hash Function, Equivalent Key Recovery, Verifiable Forgery, Birthday Attack
Contact author(s)
liufanbao @ gmail com
History
2011-12-09: received
Short URL
https://ia.cr/2011/649
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/649,
      author = {Fanbao Liu and Changxiang Shen and Tao Xie and Dengguo Feng},
      title = {On the Security of NMAC and Its Variants},
      howpublished = {Cryptology ePrint Archive, Paper 2011/649},
      year = {2011},
      note = {\url{https://eprint.iacr.org/2011/649}},
      url = {https://eprint.iacr.org/2011/649}
}