Paper 2011/649

On the Security of NMAC and Its Variants

Fanbao Liu, Changxiang Shen, Tao Xie, and Dengguo Feng

Abstract

We first propose a general equivalent key recovery attack on an H2-MAC variant, NMAC1, which is also provably secure, by applying a generalized birthday attack. Our result shows that NMAC1, even when instantiated with a secure Merkle-Damgård hash function, is not secure. We further show that this equivalent key recovery attack on NMAC1 is also applicable to NMAC for recovering the equivalent inner key of NMAC, in a related-key setting. We propose and analyze a series of NMAC variants with different secret approaches and key distributions, and we find that a variant, NMAC-E, with the secret envelope approach, can withstand most of the known attacks in this paper. However, all variants, including NMAC itself, are vulnerable to an on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions, based on the Merkle-Damgård construction, should be re-evaluated seriously.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
NMAC, Keying Hash Function, Equivalent Key Recovery, Verifiable Forgery, Birthday Attack
Contact author(s)
liufanbao @ gmail com
History
2011-12-09: received
Short URL
https://ia.cr/2011/649
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/649,
      author = {Fanbao Liu and Changxiang Shen and Tao Xie and Dengguo Feng},
      title = {On the Security of {NMAC} and Its Variants},
      howpublished = {Cryptology {ePrint} Archive, Paper 2011/649},
      year = {2011},
      url = {https://eprint.iacr.org/2011/649}
}