Re: HMAC -NMAC security
From: Anton Stiglic (stiglic_at_cs.mcgill.ca)
Date: 07/02/03
- Previous message: Stonelock: "Re: Surviving Einstein."
- In reply to: whoami: "Re: HMAC -NMAC security"
- Next in thread: whoami: "Re: HMAC -NMAC security"
- Reply: whoami: "Re: HMAC -NMAC security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Jul 2003 12:19:02 -0400
"whoami" <whoami7878@yahoo.com> wrote in message
news:9bd74c94.0307010034.56a84a30@posting.google.com...
> > [..]
> > >
> > >
> > > What hard means here? How easy is finding a collision for this inner
> > > function? Is there any papers explaining the number of trials needed
> > > to find a collision for hash functions and in particular this inner
> > > function?
> >
> > It all depends on what you assume about the hash function H. If you
> > assume that H(k, .), for a random k, defines a random oracle, then the
> > birthday paradox will tell you that (with good probability) you should
> > get your first collision after trying sqrt(size_output_of_H) inputs.
> >
>
> Ok. Suppose that the size of the output of H is 160. This means that
> the attacker needs to try 2^80 messages. Now in the HMAC case, if I
> give the result of the inner function, how many trials does the
> attacker needs to find a collision with good probability?
If I have an oracle that takes as input any message m and always gives me
the
answer to the inner function calculation, i.e. H(Kinner, m), then I will
need
to send it about 2^80 messages in order to find (with good probability ) two
different messages m1 and m2, such that H(Kinner, m1) = H(Kinner, m2).
A collision in the inner hash computation will automatically translate into
a
collision in the whole HMAC calculation, since if H(Kinner, m1)=H(Kinner,
m2),
you also have that
H(Koutter, H(Kinner, m1)) = H(Koutter, H(Kinner, m2))
Same thing applies if I have an oracle that takes any message m and gives
me the answer to the HMAC computation on m, i.e. H(Koutter, H(Kinner, m)).
So I dont' think I understand Mark Wooding's last point:
>* Keeping the intermediate value $H(K_2 \cat x)$ secret makes it
> harder for an adversary to know whether he's found a collision.
The way I see it, if there is a collision in the intermediate value, you'll
see it in the whole HMAC value, so I don't see how not knowing the
indermediate value makes things more difficult (except possibibly if you
are trying to guess the key K).
Note that the type of attack I described with the oracle is not of the type
that
you can do offline, see for example this post by David Wagner:
http://groups.google.ca/groups?q=g:thl4072053967d&dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=anl29h%2415rl%241%40agate.berkeley.edu
--Anton
--Anton
- Previous message: Stonelock: "Re: Surviving Einstein."
- In reply to: whoami: "Re: HMAC -NMAC security"
- Next in thread: whoami: "Re: HMAC -NMAC security"
- Reply: whoami: "Re: HMAC -NMAC security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
