The Exact PRF-Security of NMAC and HMAC

A. De; C. Cho; D. Jetchev; G.H. Hardy; J. Kim; J.-S. Coron; J.H. An; K. Pietrzak; K. Pietrzak; M. Bellare; M. Bellare; M. Bellare; M. Bellare; M. Bellare; M.E. Hellman; N. Alon; S. Tessaro; U. Maurer; U. Maurer; U. Maurer; X. Wang; X. Wang; Y. Dodis

The Exact PRF-Security of NMAC and HMAC

Authors: A. De
C. Cho
D. Jetchev
G.H. Hardy
J. Kim
J.-S. Coron
J.H. An
K. Pietrzak
K. Pietrzak
M. Bellare
M. Bellare
M. Bellare
M. Bellare
M. Bellare
M.E. Hellman
N. Alon
S. Tessaro
U. Maurer
U. Maurer
U. Maurer
X. Wang
X. Wang
Y. Dodis
Publication date: 1 January 2014
Publisher: 'Springer Science and Business Media LLC'
Doi

Abstract

NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A~practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto\u2796], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto\u2706] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction. Our first contribution is a simpler and uniform proof: If f is an \eps-secure PRF (against q queries) and a \delta-non-adaptively secure PRF (against q queries), then NMAC^f is an (\eps+lq\delta)-secure PRF against q queries of length at most l blocks each. We then show that this \eps+lq\delta bound is basically tight. For the most interesting case where lq\delta>=\eps we prove this by constructing an f for which an attack with advantage lq\delta exists. This also violates the bound O(l\eps) on the PRF-security of NMAC recently claimed by Koblitz and Menezes. Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto\u2799] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight lq^2/2^c bound for this step, improving over the trivial bound of l^2q^2/2^c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto\u2705]. We also analyze a variant of NI that does not include the message length in the last call to the compression function, proving a l^{1+o(1)}q^2/2^c bound in this case

Similar works

Full text

Open in the Core reader

Download PDF

Available Versions

Cryptology ePrint Archive

oai:eprint.iacr.org:2014/578

Last time updated on 25/08/2023

Crossref

info:doi/10.1007%2F978-3-662-4...

Last time updated on 01/04/2019