Re: HMAC -NMAC security

From: Mark Wooding (
Date: 06/30/03

Date: 30 Jun 2003 10:52:13 GMT

whoami <> wrote:

> I don't understand why we need to hide the result of the inner
> function h(K2||x). I know that because of the extension attack one
> can easily find h(K2||x||y) no matter what y is but does this give
> some information on h(K1||h(K2||x||y)) which is the result of HMAC
> over x||y?

Quick overview of the thinking behind HMAC:

  * The inner layer is intended to be collision resistant. The key is
    present at this layer because finding collisions with an unknown
    initialization vector is harder than finding them if the IV is

  * The outer layer is intended to be a pseudorandom function[1], with
    fixed-length input and output. It's this layer which really
    provides the security of the construction.

  * As long as the output from the inner layer is different for
    different input messages, an adversary can't predict the tag for a
    message (because the outer layer is effectively random). If he
    finds a collision in the inner layer, he can request a tag for one
    of the colliding pair, and present the other other as his forgery.

  * Keeping the intermediate value $H(K_2 \cat x)$ secret makes it
    harder for an adversary to know whether he's found a collision.

[1] The proof that NMAC is a decent MAC only assumes that the outer
    layer works as a MAC on fixed-length inputs. However, it's the
    PRF-like property of the outer layer that means you can get away
    with things like truncating the tag.

-- [mdw]