New Proofs for NMAC and HMAC: Security Without Collision-Resistance

Detailed description

HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish that HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.

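The abstract treats HMAC as a keyed iteration of the compression function and carries the NMAC result over to HMAC. The following is an added example, not code from the paper or from the Springer record: SHA-1 written out as a Merkle-Damgård iteration of an explicit compression function, with NMAC and HMAC built on top of it. It shows that HMAC under key K is exactly NMAC under the two chaining values obtained by one compression call on K xor ipad and K xor opad, and checks our HMAC against Python's hmac module. The sample keys and messages are constructed for the demonstration; `compress`, `md_iterate`, `nmac_sha1` and `hmac_to_nmac_keys` are names chosen here.

```python
"""Added example (not from Bellare's paper): SHA-1 as a Merkle-Damgard iteration of an
explicit compression function, with NMAC and HMAC built on it and cross-checked against
the standard library."""
import hashlib
import hmac
import struct

BLOCK = 64                       # SHA-1 block size in bytes
MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def compress(chain, block):
    """SHA-1 compression function f: (160-bit chaining value, 512-bit block) -> chaining value.
    This is the primitive the paper assumes to be a PRF when keyed via the chaining value."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = chain
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(chain, (a, b, c, d, e)))


def md_iterate(chain, data, absorbed=0):
    """Merkle-Damgard iteration of compress() over `data`, starting from `chain`.
    `absorbed` is the number of bytes already folded into `chain`; SHA-1's length field
    counts them, which is what makes a keyed-IV NMAC line up bit-for-bit with HMAC."""
    total = absorbed + len(data)
    padded = data + b"\x80" + b"\x00" * ((55 - total) % BLOCK) + struct.pack(">Q", total * 8)
    for off in range(0, len(padded), BLOCK):
        chain = compress(chain, padded[off:off + BLOCK])
    return chain


def to_bytes(chain):
    return struct.pack(">5I", *chain)


def sha1(msg):
    return to_bytes(md_iterate(SHA1_IV, msg))


def _key_blocks(key):
    """HMAC key handling: hash keys longer than a block, zero-pad, XOR with ipad/opad."""
    if len(key) > BLOCK:
        key = sha1(key)
    key = key.ljust(BLOCK, b"\x00")
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)


def hmac_sha1(key, msg):
    """HMAC as specified: H((K xor opad) || H((K xor ipad) || M)), over our own SHA-1."""
    ipad, opad = _key_blocks(key)
    return sha1(opad + sha1(ipad + msg))


def nmac_sha1(k_in, k_out, msg):
    """NMAC: two independent 160-bit keys used directly as chaining values (keyed IVs).
    absorbed=BLOCK because the HMAC equivalent has already consumed one key block."""
    inner = to_bytes(md_iterate(k_in, msg, absorbed=BLOCK))
    return to_bytes(md_iterate(k_out, inner, absorbed=BLOCK))


def hmac_to_nmac_keys(key):
    """The two NMAC keys hidden inside HMAC: one compression call on each padded key block.
    This is the step by which a result about NMAC is carried over to HMAC."""
    ipad, opad = _key_blocks(key)
    return compress(SHA1_IV, ipad), compress(SHA1_IV, opad)


def verify_tag(key, msg, tag):
    """Receiver-side check; compare_digest avoids a timing side channel on the tag bytes."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


def cross_check(key, msg):
    """True iff our HMAC matches the standard library and equals NMAC on the derived keys."""
    ours = hmac_sha1(key, msg)
    ref = hmac.new(key, msg, hashlib.sha1).digest()
    k_in, k_out = hmac_to_nmac_keys(key)
    return ours == ref and nmac_sha1(k_in, k_out, msg) == ours


if __name__ == "__main__":
    # Constructed sample inputs: a short key, an over-long key, and a multi-block message.
    for key in (b"k" * 16, b"long key " * 10):
        for msg in (b"", b"attack at dawn", b"M" * 200):
            print(cross_check(key, msg), hmac_sha1(key, msg).hex())
```

The `absorbed=BLOCK` argument is an artifact of SHA-1's length padding, which counts the key block that HMAC has already fed through the compression function; the paper's NMAC model starts each keyed hash fresh, and that difference changes nothing in the security argument but is needed for the byte-exact equality checked here. Note also what the example does not show: a published SHA-1 or MD5 collision is computed for the standard IV, while in both NMAC and HMAC the attacker faces a secret chaining value, which is why the paper can drop weak collision resistance as an assumption.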
Bibliographic details
Main author: Bellare, Mihir
Format: Book chapter
Language: eng
Online access: Full text
container_end_page 619
container_start_page 602
creator Bellare, Mihir
description HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish that HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.
doi_str_mv 10.1007/11818175_36
format Book Chapter
contributor Dwork, Cynthia
publisher Berlin, Heidelberg: Springer Berlin Heidelberg
relation Lecture Notes in Computer Science
creationdate 2006
identifier ISBN: 3540374329
identifier ISBN: 9783540374329
identifier EISBN: 3540374337
identifier EISBN: 9783540374336
identifier EISSN: 1611-3349
tpages 18
rights Springer-Verlag Berlin Heidelberg 2006
rights 2007 INIST-CNRS
toplevel peer_reviewed
oa free_for_read
linktopdf https://link.springer.com/content/pdf/10.1007/11818175_36
linktohtml https://link.springer.com/10.1007/11818175_36
backlink http://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=19688005
fulltext fulltext
identifier ISSN: 0302-9743
ispartof Advances in Cryptology - CRYPTO 2006, 2006, p.602-619
issn 0302-9743
1611-3349
language eng
recordid cdi_pascalfrancis_primary_19688005
source Springer Books
subjects Applied sciences
Compression Function
Computer science; control theory; systems
Cryptographic Hash Function
Cryptography
Exact sciences and technology
Hash Function
Information, signal and communications theory
Memory and file management (including protection and security)
Memory organisation. Data processing
Message Authentication Code
Security Proof
Signal and communications theory
Software
Telecommunications and information theory
title New Proofs for NMAC and HMAC: Security Without Collision-Resistance
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T05%3A30%3A15IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-pascalfrancis_sprin&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=bookitem&rft.atitle=New%20Proofs%20for%20NMAC%20and%20HMAC:%20Security%20Without%20Collision-Resistance&rft.btitle=Advances%20in%20Cryptology%20-%20CRYPTO%202006&rft.au=Bellare,%20Mihir&rft.date=2006&rft.spage=602&rft.epage=619&rft.pages=602-619&rft.issn=0302-9743&rft.eissn=1611-3349&rft.isbn=3540374329&rft.isbn_list=9783540374329&rft_id=info:doi/10.1007/11818175_36&rft_dat=%3Cpascalfrancis_sprin%3E19688005%3C/pascalfrancis_sprin%3E%3Curl%3E%3C/url%3E&rft.eisbn=3540374337&rft.eisbn_list=9783540374336&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true