IACR News item: 13 June 2014
Itai Dinur, Gaëtan Leurent
ePrint Report
state-recovery and universal forgery attacks was very recently shown to
be suboptimal, following a series of surprising results by Leurent et
al. and Peyrin et al. These results have shown that such powerful
attacks require much less than $2^{\ell}$ computations, contradicting
the common belief (where $\ell$ denotes the internal state size). In
this work, we revisit and extend these results, with a focus on
properties of concrete hash functions such as a limited message length,
and special iteration modes.
We begin by devising the first state-recovery attack on HMAC with a
HAIFA hash function (using a block counter in every compression function
call), with complexity $2^{4\ell/5}$. Then, we describe improved
trade-offs between the message length and the complexity of a
state-recovery attack on HMAC. Consequently, we obtain improved attacks
on several HMAC constructions used in practice, in which the hash
functions limit the maximal message length (e.g., SHA-1 and SHA-2).
Finally, we present the first universal forgery attacks, which can be
applied with short message queries to the MAC oracle. In particular, we
devise the first universal forgery attacks applicable to SHA-1 and
SHA-2.