Very interesting, I wonder how this integrates with the following paper
http://citeseer.ist.psu.edu/bellare06new.html
which basically says:
Abstract: HMAC was proved in [2] to be a PRF assuming that (1) the
underlying compression function is a PRF, and (2) the iterated hash
function is weakly collision-resistant. However, recent attacks show that
assumption (2) is false for MD5 and SHA-1, removing the proof-based
support for HMAC in these cases. This paper proves that HMAC is a PRF
under the sole assumption that the compression function is a PRF. This
recovers a proof-based guarantee since no known attacks compromise the
pseudorandomness of the compression function, and it also helps explain
the resistance-to-attack that HMAC has shown even when implemented with
hash functions whose (weak) collision resistance is compromised.
--Anton
Perry E. Metzger
Sat, 23 Sep 2006 05:52:04 -0700
http://eprint.iacr.org/2006/319
Cryptology ePrint Archive: Report 2006/319
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash
Collisions
Scott Contini and Yiqun Lisa Yin
Abstract. In this paper, we analyze the security of HMAC and NMAC,
both of which are hash-based message authentication codes. We present
distinguishing, forgery, and partial key recovery attacks on HMAC and
NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our
results demonstrate that the strength of a cryptographic scheme can be
greatly weakened by the insecurity of the underlying hash function.
[I heard about this paper from ekr's blog.]
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
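Both abstracts above are about the same object: the nested HMAC construction H((K xor opad) || H((K xor ipad) || m)), where the inner hash is the only place the underlying hash's collision behaviour enters. The following is an added example, not code from either paper or from the list posts: it implements HMAC directly from the RFC 2104 definition on top of hashlib, cross-checks it against Python's standard hmac module, and verifies tags in constant time. The function names (hmac_from_definition, verify_tag, matches_stdlib) and the hash_name parameter are this example's own choices; the test vector in verify_rfc4231_vector is the first HMAC-SHA-256 case from RFC 4231.

```python
import hashlib
import hmac as stdlib_hmac  # used only to cross-check the hand-rolled construction


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104.

    The underlying hash is selected by name so that the effect the two
    papers discuss (MD5/SHA-1 versus a hash with intact collision
    resistance) is a one-argument change rather than a rewrite.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5/SHA-1/SHA-256
    # RFC 2104: keys longer than one block are hashed first, then
    # every key is zero-padded to exactly one block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    # Inner hash: this is the layer that consumes the message and where a
    # collision-finding attacker on the hash gets a foothold.
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    # Outer hash: keyed once more over the short inner digest.
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time tag check; never compare MACs with == (timing leak)."""
    expected = hmac_from_definition(key, message, hash_name)
    return stdlib_hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    reference = stdlib_hmac.new(key, message, hash_name).digest()
    return hmac_from_definition(key, message, hash_name) == reference


def verify_rfc4231_vector() -> bool:
    """RFC 4231 test case 1 for HMAC-SHA-256 (key = 20 x 0x0b, data 'Hi There')."""
    key = b"\x0b" * 20
    expected = bytes.fromhex(
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    )
    return hmac_from_definition(key, b"Hi There", "sha256") == expected


if __name__ == "__main__":
    # Constructed sample key and message, not taken from either paper.
    k, m = b"constructed-demo-key", b"message to authenticate"
    for name in ("md5", "sha1", "sha256"):
        print(name, hmac_from_definition(k, m, name).hex(), matches_stdlib(k, m, name))
    print("RFC 4231 vector ok:", verify_rfc4231_vector())
    print("tamper detected:", not verify_tag(k, m + b"!", hmac_from_definition(k, m)))
```

The key-hashing branch is exercised by any key longer than the block size (64 bytes for the hashes named in the thread); the cross-check against the standard module covers it. In practice the practitioner's takeaway from the two papers is the one the construction makes visible: the hash is a parameter, so moving existing HMAC-MD5 or HMAC-SHA-1 deployments to SHA-256 changes only that argument and the tag length.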