NMAC is a mode of operation which turns a fixed input-length
keyed hash function f into a variable input-length function.
A~practical single-key variant of NMAC called HMAC is a very
popular and widely deployed message authentication code
(MAC). Security proofs and attacks for NMAC can typically
be lifted to HMAC.
NMAC was introduced by Bellare, Canetti and Krawczyk
[Crypto\u2796], who proved it to be a secure pseudorandom
function (PRF), and thus also a MAC, assuming that
(1) f is a PRF and
(2) the function we get when cascading f is weakly
collision-resistant.
Unfortunately, HMAC is typically instantiated with
cryptographic hash functions like MD5 or SHA-1 for which (2)
has been found to be wrong. To restore the provable
guarantees for NMAC, Bellare [Crypto\u2706] showed its
security based solely on the assumption that f is a PRF,
albeit via a non-uniform reduction.
Our first contribution is a simpler and uniform proof: If f
is an \eps-secure PRF (against q queries) and a
\delta-non-adaptively secure PRF (against q queries), then
NMAC^f is an (\eps+lq\delta)-secure PRF against q queries of
length at most l blocks each.
We then show that this \eps+lq\delta bound is basically
tight. For the most interesting case where lq\delta>=\eps
we prove this by constructing an f for which an attack with
advantage lq\delta exists. This also violates the bound
O(l\eps) on the PRF-security of NMAC recently claimed by
Koblitz and Menezes.
Finally, we analyze the PRF-security of a modification of
NMAC called NI [An and Bellare, Crypto\u2799] that differs
mainly by using a compression function with an additional
keying input. This avoids the constant rekeying on
multi-block messages in NMAC and allows for a security proof
starting by the standard switch from a PRF to a random
function, followed by an information-theoretic analysis. We
carry out such an analysis, obtaining a tight lq^2/2^c bound
for this step, improving over the trivial bound of
l^2q^2/2^c. The proof borrows combinatorial techniques
originally developed for proving the security of CBC-MAC
[Bellare et al., Crypto\u2705]. We also analyze a variant of
NI that does not include the message length in the last call
to the compression function, proving a l^{1+o(1)}q^2/2^c
bound in this case