Paper 2013/248

Another Look at Security Theorems for 1-Key Nested MACs

Neal Koblitz and Alfred Menezes


We prove a security theorem without collision-resistance for a class of 1-key hash-function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision-resistance. From these two theorems we conclude that from a provable security standpoint there is little reason to prefer HMAC to Envelope MAC or similar schemes.

Available format(s)
Publication info
Published elsewhere. Unknown status
Contact author(s)
ajmeneze @ uwaterloo ca
2013-12-24: last of 2 revisions
2013-05-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Neal Koblitz and Alfred Menezes},
      title = {Another Look at Security Theorems for 1-Key Nested {MACs}},
      howpublished = {Cryptology ePrint Archive, Paper 2013/248},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.