{"title":"The exact PRF-security of NMAC and HMAC","file_date_updated":"2020-07-14T12:45:28Z","pubrep_id":"682","language":[{"iso":"eng"}],"date_created":"2018-12-11T11:55:36Z","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"intvolume":"      8616","issue":"1","page":"113 - 130","day":"01","file":[{"date_updated":"2020-07-14T12:45:28Z","file_size":492310,"date_created":"2018-12-12T10:13:17Z","creator":"system","checksum":"dab6ab36a5f6af94f2b597e6404ed11d","file_name":"IST-2016-682-v1+1_578.pdf","relation":"main_file","content_type":"application/pdf","file_id":"4999","access_level":"open_access"}],"publisher":"Springer","publist_id":"4955","type":"conference","abstract":[{"text":"NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first contribution is a simpler and uniform proof for this fact: If f is an ε-secure PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries), then NMAC f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto'99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight ℓq2/2 c bound for this step, improving over the trivial bound of ℓ2q2/2c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto'05].","lang":"eng"}],"ec_funded":1,"oa":1,"date_published":"2014-01-01T00:00:00Z","oa_version":"Submitted Version","conference":{"start_date":"2014-08-17","end_date":"2014-08-21","location":"Santa Barbara, USA","name":"CRYPTO: International Cryptology Conference"},"department":[{"_id":"KrPi"}],"editor":[{"full_name":"Garay, Juan","last_name":"Garay","first_name":"Juan"},{"full_name":"Gennaro, Rosario","first_name":"Rosario","last_name":"Gennaro"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","last_name":"Gazi","first_name":"Peter","full_name":"Gazi, Peter"},{"full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"full_name":"Rybar, Michal","first_name":"Michal","last_name":"Rybar","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87"}],"has_accepted_license":"1","date_updated":"2023-09-07T12:02:27Z","quality_controlled":"1","doi":"10.1007/978-3-662-44371-2_7","alternative_title":["LNCS"],"_id":"2082","year":"2014","volume":8616,"ddc":["000","004"],"citation":{"short":"P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer, 2014, pp. 113–130.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA, 2014, vol. 8616, no. 1, pp. 113–130.","ama":"Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In: Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:<a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">10.1007/978-3-662-44371-2_7</a>","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">https://doi.org/10.1007/978-3-662-44371-2_7</a>.","apa":"Gazi, P., Pietrzak, K. Z., &#38; Rybar, M. (2014). The exact PRF-security of NMAC and HMAC. In J. Garay &#38; R. Gennaro (Eds.) (Vol. 8616, pp. 113–130). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">https://doi.org/10.1007/978-3-662-44371-2_7</a>","mla":"Gazi, Peter, et al. <i>The Exact PRF-Security of NMAC and HMAC</i>. Edited by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30, doi:<a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">10.1007/978-3-662-44371-2_7</a>.","ista":"Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC. CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130."},"month":"01","publication_status":"published","status":"public","related_material":{"record":[{"status":"public","relation":"dissertation_contains","id":"838"}]}}