20 research outputs found
On the Security of NMAC and Its Variants
Based on the three earlier MAC (Message Authentication Code) construction approaches, we propose and analyze some variants of NMAC. We propose some key recovery attacks on these NMAC variants; for example, we can recover the equivalent inner key of NMAC in about O(2^{n/2}) MAC operations in a related-key setting. We propose NMAC-E, a variant of NMAC with a secret envelope, to achieve more processing efficiency with no loss of security; it needs only one call to the underlying hash function, instead of the two invocations in HMAC.
The Exact PRF-Security of NMAC and HMAC
NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC.

NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction.

Our first contribution is a simpler and uniform proof: if f is an \epsilon-secure PRF (against q queries) and a \delta-non-adaptively secure PRF (against q queries), then NMAC^f is an (\epsilon + lq\delta)-secure PRF against q queries of length at most l blocks each.

We then show that this \epsilon + lq\delta bound is basically tight. For the most interesting case, where lq\delta >= \epsilon, we prove this by constructing an f for which an attack with advantage lq\delta exists. This also violates the bound O(l\epsilon) on the PRF-security of NMAC recently claimed by Koblitz and Menezes.

Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto'99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting with the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight lq^2/2^c bound for this step, improving over the trivial bound of l^2q^2/2^c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto'05]. We also analyze a variant of NI that does not include the message length in the last call to the compression function, proving an l^{1+o(1)}q^2/2^c bound in this case.
Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs
In this paper, we first present a new distinguisher on CBC-MAC based on a block cipher in Cipher Block Chaining (CBC) mode. It can also be used to distinguish other CBC-like MACs from random functions. The main results of this paper concern the second-preimage attack on CBC-MAC and CBC-like MACs, including TMAC, OMAC, CMAC, PC-MAC and MACs based on three-key encipher CBC mode. Instead of exhaustive search, this attack can be performed with birthday-attack complexity.
Quantum linearization attacks
Recent works have shown that quantum period-finding can be used to break many popular constructions (some block ciphers such as Even-Mansour, multiple MACs and AEs, ...) in the superposition query model. So far, all the constructions broken exhibited a strong algebraic structure, which makes it possible to craft a periodic function of a single input block. Recoverin
Comparison of authentication schemes for wireless sensor networks as applied to secure data aggregation
The aggregation process is fundamental to the energy economy of a wireless sensor network (WSN). This process, however, poses new security challenges, dictated by the stringent complexity constraints typical of a WSN. This thesis, in particular, investigates the applicability of authentication algorithms to the context of aggregatio