Re: HMAC -NMAC security
From: Anton Stiglic (stiglic_at_cs.mcgill.ca)
Date: 06/30/03
- Next message: Anton Stiglic: "Re: HMAC -NMAC security"
- Previous message: Douglas A. Gwyn: "Re: Stream cipher against block cipher"
- In reply to: Mark Wooding: "Re: HMAC -NMAC security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 30 Jun 2003 12:05:59 -0400
See my comment below.
"Mark Wooding" <mdw@nsict.org> wrote in message
news:slrnbg05it.18j.mdw@tux.nsict.org...
[..]
> * As long as the output from the inner layer is different for
> different input messages, an adversary can't predict the tag for a
> message (because the outer layer is effectively random). If he
> finds a collision in the inner layer, he can request a tag for one
> of the colliding pair, and present the other as his forgery.
>
> * Keeping the intermediate value $H(K_2 \cat x)$ secret makes it
> harder for an adversary to know whether he's found a collision.
>
> [1] The proof that NMAC is a decent MAC only assumes that the outer
> layer works as a MAC on fixed-length inputs. However, it's the
> PRF-like property of the outer layer that means you can get away
> with things like truncating the tag.
Indeed. There is also the paper [2], which proves that H(k, m), for an
iterative hash function H, is a good PRF assuming that the messages m are
prefix-free (which is the case if the inputs are all of the same length, for
example) and assuming that the compression function of H acts like a good
fixed-length input PRF. Note that this last assumption is stronger than what
is assumed in the proof of security of NMAC (where they only assume that
the compression function acts like a good MAC and the hash function is
weakly collision resistant). Proving that NMAC is a decent MAC is easier
than proving that it is a decent PRF (this is why in [1] the assumptions are
weaker than in [2]), since a good PRF implies a good MAC, but the opposite
is not necessarily true.
If you want a MAC based on the assumptions in [2], the following is
good enough:
H(k, H(m)), for all messages m.
[2] Pseudorandom Functions Revisited: The Cascade Construction and its
Concrete Security. M. Bellare, R. Canetti, H. Krawczyk, 1996.
--Anton
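The constructions discussed in this thread, as an added example that is not part of the original post or of [1]/[2]: a toy Merkle-Damgard cascade with a keyed IV, NMAC built on top of it, the H(k, H(m)) variant, and a check of why the cascade alone needs prefix-free inputs (its output for m is the intermediate value that every longer message with pad(m) as prefix passes through, which is exactly the value the quoted text says must stay secret). The compression function, block size and keys are constructed for illustration only.

```python
import hashlib

BLOCK = 32  # bytes per block in this toy Merkle-Damgard construction

def compress(state: bytes, block: bytes) -> bytes:
    # Toy fixed-input-length compression function f(state, block) -> state.
    # Defined via SHA-256 for convenience only; a real hash has its own f.
    return hashlib.sha256(state + block).digest()

def pad(m: bytes) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zero fill, 8-byte bit length.
    p = m + b"\x80"
    p += b"\x00" * ((-len(p) - 8) % BLOCK)
    return p + (8 * len(m)).to_bytes(8, "big")

def chaining_states(iv: bytes, m: bytes) -> list:
    # All intermediate values of the cascade: IV first, H(iv, m) last.
    states, padded = [iv], pad(m)
    for i in range(0, len(padded), BLOCK):
        states.append(compress(states[-1], padded[i:i + BLOCK]))
    return states

def cascade(iv: bytes, m: bytes) -> bytes:
    # The keyed iterated hash H(k, m) of [2]: the key k is used as the IV.
    return chaining_states(iv, m)[-1]

IV0 = b"\x00" * 32  # public fixed IV for the unkeyed hash H(m)

def nmac(k1: bytes, k2: bytes, m: bytes) -> bytes:
    # NMAC: outer keyed cascade over the fixed-length inner keyed digest.
    return cascade(k1, cascade(k2, m))

def hash_then_keyed(k: bytes, m: bytes) -> bytes:
    # The H(k, H(m)) MAC from the post: the keyed cascade only ever sees
    # 32-byte inputs, which are trivially prefix-free.
    return cascade(k, cascade(IV0, m))

def output_is_chaining_value(k: bytes, m: bytes, suffix: bytes) -> bool:
    # The plain cascade's output for m is literally an intermediate value
    # of the cascade over any message that has pad(m) as a prefix. That is
    # why [2] needs prefix-free inputs, and why NMAC keeps this value
    # behind an outer keyed layer.
    return cascade(k, m) in chaining_states(k, pad(m) + suffix)

def nmac_hides_inner_value(k1: bytes, k2: bytes, m: bytes, suffix: bytes) -> bool:
    # The NMAC tag is not an intermediate value of the inner cascade.
    return nmac(k1, k2, m) not in chaining_states(k2, pad(m) + suffix)
```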