## An Update on the Analysis and Design of NMAC and HMAC Functions (2006)

### BibTeX

@MISC{Gauravaram06anupdate,

author = {Praveen Gauravaram and Shoichi Hirose and Suganya Annadurai},

title = {An Update on the Analysis and Design of NMAC and HMAC Functions},

year = {2006}

}

### Abstract

In this paper, we investigate the issues in the analysis and design of the provably secure message authentication codes (MACs), Nested MAC (NMAC) and Hash-based MAC (HMAC), proposed by Bellare, Canetti and Krawczyk. First, we provide security analysis of NMAC using weaker assumptions than stated in its proof of security. This analysis shows that, theoretically, one cannot further weaken the assumptions in the proof of security of NMAC to obtain a secure MAC function NMAC, and for a secure MAC function NMAC, both keys must be secret. This analysis also provides a solution to an open question in Preneel’s thesis on the security of MAC functions when the attacker has knowledge of the key(s) in relation to NMAC and HMAC. Next, we propose a new variant to the NMAC function by altering the standard padding used for the hash function in NMAC. This variant is slightly more efficient than NMAC, especially for short messages. The analysis and performance aspects of this variant are compared with other efficient MAC functions based on hash functions. Next, we provide another new variant to NMAC by altering the position of the trail key used in NMAC. This variant has some advantages over NMAC from the perspective of key-recovery attacks. Finally, we formally show how to convert NMAC and HMAC functions into pseudorandom functions.

### Citations

630 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986
Citation Context ...ork Security, Vol.7, No.1, PP.49–60, July 2008 56 6 On the Pseudorandomness of NMAC and HMAC It is well known that any pseudorandom function would work as a MAC and the security reduction is standard [4, 5, 11, 12]. However, it is not the other way round. A MAC function may not work as a PRF. Nevertheless, HMAC with SHA-1 is used as pseudorandom function to derive keys in applications such as PKCS #5 [18] and I...

478 | Keying Hash Functions for Message Authentication - Bellare, Canetti, et al. - 1996
Citation Context ...es, NMAC and HMAC, provable security 1 Introduction One of the important applications of cryptographic hash functions is their use in the construction of efficient message authentication codes (MACs) [2, 25, 26, 27, 30]. Hash functions based on Merkle-Damgård construction [7, 22] such as SHA-1 are used with minor or no modifications in constructing MAC schemes due to their efficiency and free availability. The firs...

289 | A design principle for hash functions - Damgård - 1989
Citation Context ...pplications of cryptographic hash functions is their use in the construction of efficient message authentication codes (MACs) [2, 25, 26, 27, 30]. Hash functions based on Merkle-Damgård construction [7, 22] such as SHA-1 are used with minor or no modifications in constructing MAC schemes due to their efficiency and free availability. The first formal security analysis for MACs based on hash functions wa...

194 | The Security of the Cipher Block Chaining Message Authentication Code - Bellare, Kilian, et al.
Citation Context ...ork Security, Vol.7, No.1, PP.49–60, July 2008 56 6 On the Pseudorandomness of NMAC and HMAC It is well known that any pseudorandom function would work as a MAC and the security reduction is standard [4, 5, 11, 12]. However, it is not the other way round. A MAC function may not work as a PRF. Nevertheless, HMAC with SHA-1 is used as pseudorandom function to derive keys in applications such as PKCS #5 [18] and I...

175 | One way hash functions and DES - Merkle - 1990
Citation Context ...pplications of cryptographic hash functions is their use in the construction of efficient message authentication codes (MACs) [2, 25, 26, 27, 30]. Hash functions based on Merkle-Damgård construction [7, 22] such as SHA-1 are used with minor or no modifications in constructing MAC schemes due to their efficiency and free availability. The first formal security analysis for MACs based on hash functions wa...

170 | Finding Collisions in the Full SHA-1 - Wang, Yin, et al. - 2005

144 | The Security of Cipher Block Chaining - Bellare, Kilian, et al.
Citation Context ...ork Security, Vol.7, No.1, PP.49–60, July 2008 56 6 On the Pseudorandomness of NMAC and HMAC It is well known that any pseudorandom function would work as a MAC and the security reduction is standard [4, 5, 11, 12]. However, it is not the other way round. A MAC function may not work as a PRF. Nevertheless, HMAC with SHA-1 is used as pseudorandom function to derive keys in applications such as PKCS #5 [18] and I...

111 | Analysis and Design of Cryptographic Hash Functions - Preneel - 1993

106 | Message Authentication with One-Way Hash Functions - Tsudik - 1992
Citation Context ...es, NMAC and HMAC, provable security 1 Introduction One of the important applications of cryptographic hash functions is their use in the construction of efficient message authentication codes (MACs) [2, 25, 26, 27, 30]. Hash functions based on Merkle-Damgård construction [7, 22] such as SHA-1 are used with minor or no modifications in constructing MAC schemes due to their efficiency and free availability. The firs...

92 | Pseudorandom Functions Revisited: The Cascade Construction and its - Bellare, Canetti, et al. - 1996
Citation Context ...ture. In this section, we provide the security analysis of NMAC as a PRF, and it applies to HMAC as well. 6.1 Security Analysis The terminology used in this section shall be the same as those used in [2, 3] for the sake of clarity. The analytical result of NMAC as a PRF is given referring to chosen or adaptive chosen message attacks. The result uses the definition of weakly collision resistant hash func...

83 | New Proofs for NMAC and HMAC: Security without Collision-Resistance - Bellare - 2006
Citation Context ...e of the iterated hash function in NMAC is not implied by the pseudorandomness of the compression function. He has also shown that weakly collision resistance of the iterated 1 Very recently, Bellare [1] has shown the pseudorandomness of NMAC and HMAC functions based on the pseudorandomness of the compression function. hash function in NMAC implies collision resistance of its compression function if ...

78 | MDx-MAC and Building Fast MACs from Hash Functions - Preneel, Oorschot - 1995
Citation Context ...es, NMAC and HMAC, provable security 1 Introduction One of the important applications of cryptographic hash functions is their use in the construction of efficient message authentication codes (MACs) [2, 25, 26, 27, 30]. Hash functions based on Merkle-Damgård construction [7, 22] such as SHA-1 are used with minor or no modifications in constructing MAC schemes due to their efficiency and free availability. The firs...

76 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005
Citation Context ... work as a secure MAC function only when the input messages are prefix-free as extension attacks do not work on the hash functions based on Merkle-Damgård construction for prefix-free input messages [6]. 2) From the theoretical point of view, the above analysis shows that the outer function with no secrecy is not always good enough to prevent straightforward extension attacks. Nevertheless, one can...

50 | On the cryptographic applications of random functions - Goldreich, Goldwasser, et al. - 1984

43 | PKCS #5: Password-Based Cryptography Specification Version 2.0 - Kaliski - 2000
Citation Context ...5, 11, 12]. However, it is not the other way round. A MAC function may not work as a PRF. Nevertheless, HMAC with SHA-1 is used as pseudorandom function to derive keys in applications such as PKCS #5 [18] and IPSec’s Key Exchange (IKE) protocol. Though it has been pointed out that [18] security analysis given for HMAC as a MAC function [2] can be modified to accommodate the requirements of a PRF using...

42 | A failure-friendly design principle for hash functions - Lucks - 2005
Citation Context ...MAC-1 and a block cipher in the CBC mode for the external function of NMAC-1. In this sense, the result of NMAC-1 is more general than stated in the proof. In addition, one can use the wide-pipe hash [20] (e.g., SHA-512 and truncating half of the output bits) for the inner function and the compression function of SHA-256 for the external function in NMAC and NMAC-1. We note that design of such hybrid s...

32 | Message authentication with MD5 - Kaliski, Robshaw - 1995

28 | On the security of two MAC algorithms - Preneel, van Oorschot - 1996
Citation Context ...as shown in Figure 3 and is defined as below: $\text{M-NMAC}_k(x) = f_{F_{k_2}(x)}(k_1)$. [Figure 3: The M-NMAC construction] M-NMAC can also be seen as a kind of envelope MAC scheme [27, 28, 29] except that it uses the key k2 as an IV instead of as a block. k1 denotes the key k1 made to a block size b of the compression function f. That is, if the function f is the compression function of SH...

25 | A Handbook of Applied Cryptography, Chapter 12 - Oorschot, Menezes, et al. - 1996

22 | On the security of iterated Message Authentication Codes - Preneel, Oorschot - 1999
Citation Context ...the analysis and performance aspects of the NMAC-1 function with other efficient MACs based on hash functions proposed in the literature. The analysis of MAC schemes based on dedicated hash functions [2, 27, 28, 29, 30] shows that one has to pay attention in using the key and the hash function while designing a MAC based on the hash function. The applicability of forgery and key-recovery attacks on MACs based on has...

20 | Information technology - Security Techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher, ISO - ISO/IEC - 1999
Citation Context ...ed a variant to NMAC called Enhanced NMAC (ENMAC) by altering the standard padding scheme used in the underlying hash function to improve the efficiency of NMAC for short messages. The ISO/IEC 9797-2 [16] standard specifies a mechanism which is a variant of MDx-MAC [27] that offers high performance for applications that process short messages of up to 256 bits. Bellare et al. [3] have shown that the pseu...

13 | Software-optimized universal hashing and message authentication - Krovetz - 2000
Citation Context ... a black-box. A formal security analysis for NMAC-1 is provided. The performance of MAC functions on short messages is important. For example, the MAC function used in IPSec operates on 43-1500 bytes [19], message authentication of signaling operate on messages that fit in one or two blocks [25] and the MAC function used in TLS operates on 0-17 kilobyte. There are also applications such as entity auth...

4 | RFC 1828: IP Authentication using Keyed MD5 - Metzger, Simpson - 1995

3 | An efficient MAC for short messages - Patel - 2002

2 | Practical Cryptography, chapter Hash Functions - Ferguson, Schneier - 2003
Citation Context ... extension attacks where n is the International Journal of Network Security, Vol.7, No.1, PP.49–60, July 2008 53 size of output in bits. This scheme is basically the double hashing scheme proposed in [10] to obtain a higher security level against extension attacks. 4 On the Proof of Security of NMAC In this section, we show that the proof of security of NMAC does not depend on padding technique used f...

2 | A note on the strength of weak collision resistance - Hirose - 2004
Citation Context ...lies to HMAC as well 1 . Several MAC functions based on dedicated hash functions [2, 27, 28, 29, 30] were analyzed. See Appendix C for a survey on the analysis of MACs based on hash functions. Hirose [13] has shown that weakly collision resistance of the iterated hash function in NMAC is not implied by the pseudorandomness of the compression function. He has also shown that weakly collision resistance...

1 | Improving Hash Function Padding - Johnson - 2005
Citation Context ...a bit 1 followed by 0’s as the specification for xpref has |x| as an argument. In general, the length of data to be hashed is known ahead of time in many applications and in rare situations it is not [8]. In general, any MAC function based on a hash function used to protect the authenticity and integrity of the communicated data does not know the length of the message in advance. However, a machine e...

1 | Road Vehicles Extended Data Link Security, International Organization for Standardization - ISO - 2004
Citation Context ...he prime motivation behind the design of NMAC and HMAC functions is to authenticate information over an insecure medium, there are some applications that may use these proposals, especially HMAC (see [15]) requiring extra protection against the insider attacks from someone who has knowledge of the secret keys. The analysis of NMAC based on weaker assumptions on the hash functions explains the properti...