IACR News item: 24 July 2014
Peter Gazi, Krzysztof Pietrzak, Michal Rybár
ePrint Reportkeyed hash function f into a variable input-length function.
A~practical single-key variant of NMAC called HMAC is a very
popular and widely deployed message authentication code
(MAC). Security proofs and attacks for NMAC can typically
be lifted to HMAC.
NMAC was introduced by Bellare, Canetti and Krawczyk
[Crypto\'96], who proved it to be a secure pseudorandom
function (PRF), and thus also a MAC, assuming that
(1) f is a PRF and
(2) the function we get when cascading f is weakly
collision-resistant.
Unfortunately, HMAC is typically instantiated with
cryptographic hash functions like MD5 or SHA-1 for which (2)
has been found to be wrong. To restore the provable
guarantees for NMAC, Bellare [Crypto\'06] showed its
security based solely on the assumption that f is a PRF,
albeit via a non-uniform reduction.
Our first contribution is a simpler and uniform proof: If f
is an \\eps-secure PRF (against q queries) and a
\\delta-non-adaptively secure PRF (against q queries), then
NMAC^f is an (\\eps+lq\\delta)-secure PRF against q queries of
length at most l blocks each.
We then show that this \\eps+lq\\delta bound is basically
tight. For the most interesting case where lq\\delta>=\\eps
we prove this by constructing an f for which an attack with
advantage lq\\delta exists. This also violates the bound
O(l\\eps) on the PRF-security of NMAC recently claimed by
Koblitz and Menezes.
Finally, we analyze the PRF-security of a modification of
NMAC called NI [An and Bellare, Crypto\'99] that differs
mainly by using a compression function with an additional
keying input. This avoids the constant rekeying on
multi-block messages in NMAC and allows for a security proof
starting by the standard switch from a PRF to a random
function, followed by an information-theoretic analysis. We
carry out such an analysis, obtaining a tight lq^2/2^c bound
for this step, improving over the trivial bound of
l^2q^2/2^c. The proof borrows combinatorial techniques
originally developed for proving the security of CBC-MAC
[Bellare et al., Crypto\'05]. We also analyze a variant of
NI that does not include the message length in the last call
to the compression function, proving a l^{1+o(1)}q^2/2^c
bound in this case.
Additional news items may be found on the IACR news page.