On the Security of NMAC and Its Variants

Based on the three earlier MAC (Message Authentication Code) construction approaches, we propose and analyze some variants of NMAC. We present key recovery attacks on these NMAC variants; for example, we can recover the equivalent inner key of NMAC in about $O(2^{n/2})$ MAC operations in a related-key setting. We propose NMAC-E, a variant of NMAC with a secret envelope, to achieve better processing efficiency with no loss of security: it needs only one call to the underlying hash function, instead of the two invocations in HMAC.


Introduction
HMAC (Hash-based Message Authentication Code) [2][3], a derivative of NMAC (Nested Message Authentication Code), is a practical, commonly used and widely standardized message authentication code (MAC) construction. HMAC has two advantages. First, HMAC can make use of current hash functions without modification; the most widely used ones are based on the Merkle-Damgård construction [5][14]. Second, it is provably secure under two assumptions: that the keyed compression function of the underlying hash function and the key derivation function in HMAC are pseudorandom functions (PRFs) [2].
In the early days there were mainly three approaches to constructing MAC algorithms by keying hash functions: the secret prefix, secret suffix and secret envelope approaches [20]. The secret prefix approach prepends a secret key K to the message M before hashing; it is the basic design unit of NMAC and HMAC. The secret suffix approach appends a secret key K to the message M before hashing. The secret envelope approach involves two keys: it prepends a secret key $K_1$ and appends a secret key $K_2$ to the message M before hashing. Based on these approaches and different key distributions, we propose some NMAC variants (which are also HMAC variants) and analyze their security by checking whether they resist known attacks, in order to find a better choice. This paper analyzes the security of NMAC and its variants under the assumption that the underlying hash function is secure (collision resistant, CR), rather than instantiating them with broken hash functions. We also point out that the CR assumption is a stronger notion than the original assumption that the underlying compression function is a PRF [2]. We then find that NMAC is, to some extent, not secure enough: for example, its inner key is vulnerable to an equivalent key recovery attack that needs $O(2^{n/2})$ on-line queries and off-line computations in a related-key setting.
In this paper, we propose some variants of NMAC and analyze their security, assuming that the underlying hash function is secure. We first point out that NMAC$_1$, like the keyed-input version $H^2$-MAC proposed in [31], is vulnerable to an equivalent key recovery attack with a complexity of about $2^{n/2}$ on-line queries. The security of NMAC$_1$ and $H^2$-MAC depends entirely on the collision resistance of the underlying hash function instead of on the PRF property, which directly violates the claimed provable security. Further, we point out that the inner key of NMAC is vulnerable to an equivalent key recovery attack in a related-key setting. The security strength of NMAC depends on one of its two keys, even if both keys are independently and randomly generated. We also propose a more secure variant, NMAC-E, which has some advantages over NMAC and HMAC-E.
This paper is divided into seven sections. Section 2 recalls the related definitions and background. Section 3 proposes and cryptanalyzes some NMAC variants, including NMAC with the secret prefix approach. Section 4 proposes and analyzes the security of some NMAC variants with the secret suffix approach. In Section 5 we present and analyze a better choice of NMAC variant, with a modified version of the secret envelope approach. Section 6 presents some related work. We conclude the paper in the last section.

Preliminaries

Notations
Let h be a compression function mapping $\{0,1\}^n \times \{0,1\}^b \to \{0,1\}^n$, and let H be a concrete hash function mapping $\{0,1\}^* \to \{0,1\}^n$. Let IV be the initial chaining variable of H. Let k denote a secret key of b bits and K a secret key of n bits, respectively. x||y denotes the concatenation of two bit strings x and y. |G| denotes the number of elements of the set G. pad(M) denotes the padding bits of M in Merkle-Damgård style.

NMAC
NMAC [2][3], proposed by Bellare et al., is the basis of the most widely used cryptographic MAC algorithm, HMAC. NMAC is built from an iterated hash function H in which the IV of H is replaced with a secret n-bit key K; the NMAC algorithm is defined as: where the keys $K_{in}, K_{out} \in \{0,1\}^n$ in NMAC replace the IV of the hash function H before further processing. In practice, both keys are randomly and independently generated [3].

Security Notions of MAC
A universal forgery attack results in the ability to forge MACs for any message.A selective forgery attack results in a MAC tag on a message of the adversary's choice.An existential forgery merely results in some valid message/MAC pair not already known to the adversary.

The security of NMAC$_1$ ($H^2$-MAC)
We define NMAC$_1$ through the keyed-IV approach as: where the IV of the outer hashing of NMAC$_1$ is not replaced with any secret key. A similar construction is $H^2$-MAC [31], which is shown as (3). It was claimed that $H^2$-MAC gets rid of the disadvantage of secret key management without losing the original advantages of HMAC. Wang announced an attack to recover the equivalent key of $H^2$-MAC instantiated with the broken MD5 [25][27], with about $2^{97}$ on-line MAC operations [22]. However, Liu et al. pointed out that the absence of the outer key is a real threat to the security of $H^2$-MAC [12]: they could recover the equivalent key using the birthday paradox with a complexity of about $O(2^{n/2})$ MAC operations.
On-Line Birthday Attack for Existential Forgery Attack.
If we apply an on-line birthday attack to the NMAC$_1$ oracle, after about $2^{n/2}$ queries we can get a collision pair (M, M') of the same length which satisfies NMAC$_1$(M) = NMAC$_1$(M'). Then for an arbitrary message x, the equation NMAC$_1$(M||pad(M)||x) = NMAC$_1$(M'||pad(M')||x) always holds. This means that we can generate a verifiable forgery for NMAC$_1$: we first query the MAC value of M||pad(M)||x, and we thereby obtain the MAC value for M'||pad(M')||x.
This kind of attack is applicable to all MAC algorithms instantiated with Merkle-Damgård hash functions, as also noticed by Yasuda [29]. Hence, the rest of the paper will not discuss this particular attack again.

Equivalent Key Recovery Attack to NMAC$_1$.
We use the same techniques to recover the equivalent key of NMAC$_1$ as in [12] for $H^2$-MAC, with slight modifications to achieve more efficiency. We generate group one $G_1$ using H(x) instead of $H(H(C, M_i))$ as in [12], which reduces the space and time by at least half. We apply the generalized birthday attack with two groups [8] to NMAC$_1$ and then recover its equivalent key $K_e = H(K_{in}, M_j)$.
Here, we first define the notation $N_2$ as $N_2 = H(x)$, where x is an n-bit input (key). x can be viewed as x = H(C, M), where C is a constant and M is the input message. Generally, $N_2$ is the non-keyed version of NMAC$_1$. We use different n-bit input messages $x_i$ ($0 \le i \le 2^n - 1$) to generate the corresponding $N_2$ values, and different 1-block messages $M_j$ ($0 \le j \le 2^n - 1$) to generate the corresponding NMAC$_1$ values. The overall strategy of the equivalent key recovery attack to NMAC$_1$ is as follows.
1. Generate group one $G_1$ with $r = 2^{n/2}$ elements by computing the values $H(x_i)$ for r different $x_i$, which can be randomly generated.
2. Generate group two $G_2$ with $s = 2^{n/2}$ elements by querying the NMAC$_1$ oracle with the secret key $K_{in}$ for s different $M_j$, which are also randomly generated.
3. With good probability [8], there will be some pairs $(x_i, M_j)$ that satisfy $(\mathrm{NMAC}_1)_{K_{in}}(M_j) = N_2(x_i)$.
4. However, we cannot know whether $x_i = H(K_{in}, M_j)$ further holds, so we need to discard the unsatisfied pairs, which will be discussed later under key selection. After that, we have a pair that satisfies $x_i = H(K_{in}, M_j)$ and $(\mathrm{NMAC}_1)_{K_{in}}(M_j) = N_2(x_i)$. So we find the equivalent key of NMAC$_1$, $K_e = H(K_{in}, M_j) = x_i$.
5. Let $pad_0$ and $pad_1$ be the padding bits of $M_j$ and of $M_j \| pad_0 \| x$, respectively, for an arbitrary message x. We generate the intermediate value of $H(K_{in}, M_j \| pad_0 \| x)$ by computing $y = h(K_e, x \| pad_1)$, calculate H(y) further, and eventually get NMAC$_1$($K_{in}$, $M_j \| pad_0 \| x$).

Key Selection
To select a pair that satisfies $x_i = H(K_{in}, M_j)$, we always assume that each pair we have is the right pair. To confirm the assumption, we first randomly generate an arbitrary message α; then we generate the padding bits pad of $M_j \| pad_0 \| \alpha$; third, we compute $N_2(\alpha) = h(x_i, \alpha \| pad)$ and query the NMAC$_1$ oracle for the result θ of $M_j \| pad_0 \| \alpha$. We note that θ may be computed as follows. We then check whether $N_2(\alpha) = \theta$ holds; if so, $(x_i, M_j)$ is the right pair. Otherwise, discard that pair.

Success probability and Complexity.
The probability $\Pr(|G_1 \cap G_2| = 0)$ that there is no common element in the intersection of the two groups is denoted by $P(2^n, r, s, 0)$. Let sp denote the success probability of the above attack (at least one collision pair exists); then $sp = 1 - P(2^n, r, s, 0) \ge 0.632$ [12]. The elements of group $G_1$, computed by $N_2$, need $2^{n/2}$ off-line $N_2$ computations ($N_2$ consists of just one hash computation). The elements of group $G_2$, computed by NMAC$_1$, need $2^{n/2}$ on-line NMAC$_1$ queries. We can store the values of both groups in hash tables. Then the above algorithm requires $O(2^{n/2})$ time and space to complete. We can use the recovered equivalent key $K_e$ to launch any selective forgery attack on NMAC$_1$ without additional on-line queries, which shows that the security of NMAC$_1$ is broken. Hence, we point out that the security of NMAC$_1$ depends solely on the collision resistance of the underlying hash function, not on the strength of the key used.

The security of NMAC$_2$
We define NMAC$_2$ as: where the inner key $K_{in}$ is omitted. This variant NMAC$_2$ was also noted by Bellare et al. in [3].
The outer hashing only accepts H(M), an n-bit value, as legal input. Though we can learn the value of $H(K_{out}, H(M))$ easily, we cannot use that information to launch an extension attack on NMAC$_2$.

Off-Line Birthday Attack to NMAC$_2$
We first apply an off-line birthday attack to H(M). After about $2^{n/2}$ off-line computations, we can get a collision pair (M, M') which satisfies H(M) = H(M') and NMAC

The security of NMAC$_3$
We define NMAC$_3$ as: where the inner and outer keys are both set to $K_{io}$. The on-line birthday attack for existential forgery applied to NMAC$_1$ is also applicable to NMAC$_3$ without any modification. Further, we point out that the off-line birthday attack to obtain an existential forgery is also applicable to NMAC$_3$ after some optimization. We show the strategy as follows:
1. Query the MAC value of $M_0$ from the NMAC$_3$ oracle, which answers $H(K_{io}, H(K_{io}, M_0))$.
2. Let the unknown $H(K_{io}, M_0)$ be $x_0$, and let $pad_0$ be the padding bits of $x_0$. We already know the value of $H(K_{io}, x_0)$ (an equivalent key of the inner hashing), which is NMAC$_3$($M_0$).
3. Based on the known $H(K_{io}, x_0)$, we launch an off-line birthday attack to find a collision pair $(M_x, M_x')$ satisfying $H(K_{io}, x_0 \| pad_0 \| M_x) = H(K_{io}, x_0 \| pad_0 \| M_x')$.
4. For an arbitrary message x, we can launch a verifiable forgery attack. However, since the value of $H(K_{io}, M_0)$ is unknown, how to use the above information to launch a verifiable forgery attack is still an open problem.

The security of NMAC
As pointed out by Bellare et al., the on-line birthday attack for existential forgery is also applicable to NMAC [2]; we omit the details here. However, we further notice that we can generate an existential forgery for NMAC by an off-line birthday attack, which is shown as the attack to NMAC$_2$, once the inner key $K_{in}$ is leaked.

Related Key Attack to Recover the Equivalent Inner Key.
To recover the n-bit equivalent inner key $K_e$, we have the following setting for our related-key attack on NMAC. There are two oracles, NMAC$_{(K_{out}, K_{in})}$ and NMAC$_{(K_{out}', K_{in}')}$. We set the relation between $(K_{out}, K_{in})$ and $(K_{out}', K_{in}')$ as follows: where the two oracles share the same outer key, and the inner key of NMAC$_{(K_{out}', K_{in}')}$ can be any known n-bit constant, such as the IV of H. The overall strategy of the equivalent inner key recovery attack to NMAC is as follows.
1. Query the NMAC$_{(K_{out}, K_{in})}$ oracle for the values of $2^{n/2}$ different $M_i$, and store them in group one $G_1$.
2. Query the NMAC$_{(K_{out}', K_{in}')}$ oracle for the values of $2^{n/2}$ different $M_j'$, and store them in group two $G_2$.
3. A pair $(M_i, M_j')$ satisfies NMAC$_{(K_{out}, K_{in})}(M_i)$ = NMAC$_{(K_{out}', K_{in}')}(M_j')$ (the generalized birthday attack with two groups), and further satisfies $H(K_{in}, M_i) = H(K_{in}', M_j')$ (an inner collision happens).
4. Since $H(K_{in}, M_i) = H(K_{in}', M_j')$, and we know the values of $K_{in}'$ and $M_j'$, we can calculate the very value of
We conclude that the equivalent inner key of NMAC depends entirely on the generalized birthday attack, not on the strength of the inner key used, in the related-key setting. However, if the outer key $K_{out}$ of NMAC is leaked, then a generalized birthday attack is all that is needed to recover the equivalent inner key and break the entire system, as shown in the attack to NMAC$_1$.
From these attacks, we claim that the security of NMAC depends on the secrecy of one of the keys, even if both keys are independently and randomly generated. As pointed out by the editors of the Cryptology ePrint Archive on the preliminary version of this paper, the equivalent key recovery attack to NMAC is not applicable to the practical HMAC, since the HMAC keys are derived from a base key and no related key exists.

The security of Some Variants with Secret Suffix
In this section, we discuss the security of some NMAC variants NMAC-S$_i$ with the secret suffix approach. We first prove that the security of the original secret suffix construction depends entirely on the collision resistance (CR) of the underlying hash function. We then discuss the security of some variants of NMAC with the secret suffix approach.

The Security of H(M||K)
For an n-bit key K, we prove in the following that the security of the secret suffix construction M-S depends entirely on the collision resistance of the underlying hash function, instead of on the strength of the key.

Theorem 1
The security of H(M||K) depends entirely on the collision resistance of the underlying hash function H, instead of on the strength of the key used.
We prove Theorem 1 by giving the complexity of the key recovery attack in the worst case and in the best case, respectively, both under the assumption that the message M is a whole number of bytes. The worst case of the key recovery attack assumes that the collision attack on H has no control over the content of the collision pair (M, M'). The best case assumes that the collision attack has full control over some bytes of the collision pair. We note that the complexity of the collision attack is $2^{n/2}$ hash compressions by an off-line birthday attack, for a hash function H with n-bit output.
The Best Case. The attack is based on the "slice-by-slice" recovery of the trailing key in the secret envelope approach, proposed by Preneel et al. [16]. Since the collision attack has full control over some bits of the collision pair, to recover each byte of the key K only $(2^8 - 1)$ collision pairs must be generated in the worst case. So we need to generate $(2^8 - 1)(n/16)$ collision pairs to recover the first n/2 bits of K, and we can recover the last n/2 bits of K by brute force, which needs $2^{n/2}$ hash compressions. So the total complexity of the full key recovery attack is $2^{n/2} \times (2^8 - 1) \times (n/16) + 2^{n/2} < 2^{n/2 + 8 + \log_2(n/16)}$ hash compressions.
The Worst Case. Since the collision attack has no control over any bit of the collision pair, to recover the j-th ($1 \le j \le n/8$) character of the key K, $2^{8j}$ collision pairs must first be generated. So we can recover the first n/4 bits of the key by generating $(2^8 + 2^{16} + \cdots + 2^{n/4})$ collision pairs, and we can recover the last 3n/4 bits by brute force, which needs $2^{3n/4}$ hash compressions.
All in all, the complexity of key recovery for H(M||K) ranges from $2^{n/2 + 8 + \log_2(n/16)}$ to $2^{n/2 + n/4 + 1}$ hash compressions, which means that the security of M-S depends on the collision resistance of the underlying hash function H instead of on the strength of the key. Here, we assume that the underlying hash function is secure; in fact, for some applications with broken hash functions, the situation is far more dangerous. For example, APOP (Authentication Post Office Protocol), which is instantiated with the broken MD5, applies the secret suffix approach; an attacker can recover a password as long as 352 bits in practical time [11].
We list the complexity of the key recovery attack to H(M||K) in Table 1, with different limitations on the input message M. "Word" means that M must be a multiple of 32-bit words. However, as shown in Table 1, we point out that both the best and worst cases are exhaustive key search if the message M is a multiple of n bits.

The security of NMAC-S$_1$
We define NMAC-S$_1$ as: where the outer key $K_{out}$ is omitted. The off-line birthday attack can be applied to NMAC-S$_1$.
Full Key Recovery Attack to NMAC-S$_1$. We can directly apply the full key recovery attack to $H(M \| K_{in})$, since the outer hashing does not hide the inner collision. After that, we can fully recover the inner key of NMAC-S$_1$ and then construct any verifiable forgery. The complexity of the key recovery attack to NMAC-S$_1$ is shown in Table 1.

The security of NMAC-S$_2$
We define NMAC-S$_2$ as: where the inner key $K_{in}$ is omitted. The off-line birthday attack can be applied to NMAC-S$_2$. However, it seems that no key recovery attack can be launched on NMAC-S$_2$ as on NMAC-S$_1$. H(M) is n bits long and $K_{out}$ is also n bits, which means that the concatenation of both lies inside one block, so the slice-by-slice key recovery strategy cannot be applied. An exhaustive search must be performed to break the outer key $K_{out}$, whose complexity is $2^n$ MAC computations.

TELKOMNIKA, ISSN: 1693-6930. On the Security of NMAC and Its Variants (Fanbao Liu)

The security of NMAC-S$_3$
We define NMAC-S$_3$ as: where the inner and outer keys are equal. The off-line birthday attack can be applied to NMAC-S$_3$.

Key Recovery Attack to NMAC-S$_3$
We can directly apply the full key recovery attack to $H(M \| K_{io})$, since the outer hashing does not hide the inner collision. After that, we can fully recover the inner key $K_{io}$ of NMAC-S$_3$, which is also the outer key. Finally, we can construct any verifiable forgery. The complexity of the key recovery attack to NMAC-S$_3$, which is analogous to NMAC-S$_1$, is also shown in Table 1.

The security of NMAC-S
We define NMAC-S as: where the inner and outer keys are different. The off-line birthday attack can be applied to NMAC-S.

Inner Key Recovery Attack to NMAC-S.
We can directly apply the full key recovery attack to $H(M \| K_{in})$, since the outer hashing does not hide the appearance of the inner collision. After that, we can fully recover the inner key $K_{in}$ of NMAC-S. However, with $K_{in}$ alone we cannot directly construct any verifiable forgery, thanks to the outer hashing with the unknown $K_{out}$. The outer key $K_{out}$ cannot be recovered like $K_{in}$, as also analyzed for NMAC-S$_2$. It seems that we have to apply an additional off-line birthday attack to H(M) for a meaningful existential forgery.

Countermeasure for the Key Recovery Attack to NMAC-S Variants
To avoid the full key recovery attack on the NMAC-S variants, we modify the inner hashing form $H(M \| K_{in})$. We always assume that $n \mid b$, which means that b is a multiple of n. Let $pad_n$ ($1 \| 0^*$) be the padding bits of M; $pad_n$ is defined such that

$$n \mid (|M| + |pad_n|) \qquad (10)$$

We re-define the inner hashing form as: where the inner key $K_{in}$ resides as a whole in the input block. We have the following theorem for the key recovery attack.

The security of an NMAC Variant with Secret Envelope
In the last two sections, we discussed the security of NMAC variants with the secret prefix and secret suffix approaches, respectively. In this section, we discuss the security of an NMAC variant, NMAC-E, with the secret envelope approach.

NMAC-E with Modified Secret Envelope
We propose NMAC-E with a modified version of the secret envelope approach, which has the advantages of both equivalent key recovery resistance and slice-by-slice key recovery resistance. The modification is straightforward: we pad the input message M with $pad_n$, which can be some fixed constant, before appending the outer key K. We define NMAC-E as:

NMAC-E(K) = H(K, M||$pad_n$||K)

where K is a randomly generated n-bit key, and M||$pad_n$ is a multiple of n bits.
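As an added illustration (not code from the paper), the following Python models the keyed constructions on a toy Merkle-Damgård hash whose compression function is an assumed stand-in (SHA-256 of chain||block, truncated; n = 128 and b = 512 bits are assumed parameters) and checks two claims from the text: step 5 of the NMAC$_1$ equivalent key recovery, where the tag of $M \| pad(M) \| x$ follows from $K_e$ alone without $K_{in}$, and the $pad_n$ alignment of equation (10) on which NMAC-E relies.

```python
import hashlib

N = 16  # n = 128-bit chaining value, key and tag (toy parameter, assumed)
B = 64  # b = 512-bit message block, so n | b as the paper requires


def h(chain: bytes, block: bytes) -> bytes:
    """Compression function {0,1}^n x {0,1}^b -> {0,1}^n. Constructed stand-in
    (SHA-256 of chain||block truncated to n bytes), not the paper's function."""
    assert len(chain) == N and len(block) == B
    return hashlib.sha256(chain + block).digest()[:N]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard padding pad(M): 1||0*||64-bit length, up to a block multiple."""
    zeros = (-(len(msg) + 1 + 8)) % B
    return b"\x80" + b"\x00" * zeros + (8 * len(msg)).to_bytes(8, "big")


def H(iv: bytes, msg: bytes) -> bytes:
    """Iterated hash H(IV, M); the keyed variants simply replace IV by a key."""
    data = msg + md_pad(msg)
    state = iv
    for off in range(0, len(data), B):
        state = h(state, data[off:off + B])
    return state


IV = bytes(N)  # public IV of the unkeyed hash, H(M) = H(IV, M)


def nmac(k_out: bytes, k_in: bytes, msg: bytes) -> bytes:
    return H(k_out, H(k_in, msg))          # NMAC: both hashes keyed


def nmac1(k_in: bytes, msg: bytes) -> bytes:
    return H(IV, H(k_in, msg))             # NMAC_1: outer key omitted


def pad_n(msg: bytes) -> bytes:
    """pad_n = 1||0* chosen so that n | (|M| + |pad_n|), i.e. equation (10)."""
    return b"\x80" + b"\x00" * ((-(len(msg) + 1)) % N)


def nmac_e(key: bytes, msg: bytes) -> bytes:
    """NMAC-E(K) = H(K, M||pad_n||K): secret IV plus the whole key as suffix."""
    return H(key, msg + pad_n(msg) + key)


def nmac1_from_equiv_key(k_e: bytes, m: bytes, x: bytes) -> bytes:
    """Step 5 of the NMAC_1 equivalent-key attack: given only K_e = H(K_in, M)
    (never K_in), resume the inner iteration over x||pad_1 and apply the outer
    unkeyed hash to obtain NMAC_1(M||pad(M)||x)."""
    prefix = m + md_pad(m)                  # M||pad_0, a whole number of blocks
    tail = x + md_pad(prefix + x)           # x||pad_1, the remaining blocks
    y = k_e
    for off in range(0, len(tail), B):
        y = h(y, tail[off:off + B])
    return H(IV, y)


def key_starts_on_n_boundary(msg: bytes) -> bool:
    """Theorem 2: after pad_n the appended key occupies whole n-bit slots."""
    return len(msg + pad_n(msg)) % N == 0


if __name__ == "__main__":
    k_in, k_out = b"\x11" * N, b"\x22" * N      # constructed sample keys
    m, x = b"constructed message", b"appended data"
    k_e = H(k_in, m)                             # the equivalent inner key
    forged = nmac1_from_equiv_key(k_e, m, x)
    print(forged == nmac1(k_in, m + md_pad(m) + x))   # True: K_in not needed
    print(key_starts_on_n_boundary(m))               # True
```

For NMAC and NMAC-E the same resumed inner state is useless on its own, because the outer key (NMAC) or the appended key K (NMAC-E) is still required to finish the tag.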

The security of NMAC-E
Off-Line Birthday Attack Resistance.
NMAC-E is resistant to the off-line birthday attack for existential forgery, thanks to the secret "IV", the key K. Without any knowledge of the "IV", an off-line birthday attack to find a collision pair cannot be launched.

Equivalent Key Recovery Attack Resistance.
NMAC-E is resistant to the equivalent key recovery attack, thanks to the appended key K. Even if the attacker can easily find out the result of NMAC-E(K), no extension attack can be launched; hence, no equivalent key recovery attack is possible.

Slice-by-Slice Key Recovery Attack Resistance.
NMAC-E is also resistant to the slice-by-slice key recovery attack, as proven in Theorem 2.

Divide-and-Conquer Exhaustive-Search Key Recovery.
The divide-and-conquer exhaustive-search key recovery [16] cannot be applied to NMAC-E, since our scheme uses one key, so a brute force attack has to be performed to find the key. The attacks on NMAC also show that it is not necessary to bind two keys to strengthen the MAC scheme.

On-Line Birthday Attack.
The on-line birthday attack is applicable to NMAC-E: after about $2^{n/2}$ on-line MAC queries, a collision pair may be found with NMAC-E(M) = NMAC-E(M'). We list the security properties of all NMAC variants discussed in this paper in Table 2. OFBAR stands for off-line birthday attack resistance, ONBAR for on-line birthday attack resistance, EKRAR for equivalent key recovery attack resistance, SSKRAR for slice-by-slice key recovery attack resistance, and DCESKRR for divide-and-conquer exhaustive-search key recovery resistance. The remaining mark in the table means that only one key exists.

Table 1. Complexity of Key Recovery Attack to Secret Suffix Approach

Theorem 2
The slice-by-slice key recovery strategy cannot be applied to $H(M \| pad_n \| K_{in})$ to launch a key recovery attack.
Proof. Since $n \mid b$ and $n \mid (|M| + |pad_n|)$, and $|K_{in}| = n$, then $n \mid |M \| pad_n \| K_{in}|$; hence, no slice can be made of the key $K_{in}$.
However, the NMAC-S variants after modification are still vulnerable to the off-line birthday attack for existential forgery.

Table 2. Security Comparison between NMAC Variants