Cryptology ePrint Archive: Report 2006/043
New Proofs for NMAC and HMAC: Security Without Collision-Resistance
Abstract: HMAC was proved by Bellare, Canetti and Krawczyk  to be a PRF assuming that (1)
the underlying compression function is a PRF, and (2) the iterated hash
function is weakly collision-resistant.
However, recent attacks show that assumption (2) is false for
MD5 and SHA-1,
removing the proof-based support for HMAC in these cases.
This paper proves that HMAC is a PRF
under the sole assumption that the compression function is a PRF. This recovers
a proof based guarantee since no known attacks compromise the pseudorandomness
of the compression function, and it also helps explain the resistance-to-attack
that HMAC has shown even when implemented with hash functions whose
(weak) collision resistance is compromised. We also show that an even
weaker-than-PRF condition on the compression function, namely that it is a
privacy-preserving MAC, suffices to establish HMAC is a MAC as long as the hash
function meets the very weak requirement of being computationally almost
universal, where again the value lies in the fact that known attacks do not
invalidate the assumptions made.
Category / Keywords: message authentication, HMAC, PRF, security proof
Publication Info: An abridged version of this paper appears in the Proceedings of CRYPTO'06. This is the full version.
Date: received 6 Feb 2006, last revised 25 Jun 2006
Contact author: mihir at cs ucsd edu
Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Version: 20060625:223418 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]