On the Security of NMAC and Its Variants

Fanbao Liu; Changxiang Shen; Tao Xie; Dengguo Feng

On the Security of NMAC and Its Variants

Fanbao Liu, Changxiang Shen, Tao Xie, Dengguo Feng

Published: 01 Jan 2011, Last Modified: 11 Feb 2025IACR Cryptol. ePrint Arch. 2011EveryoneRevisionsBibTeXCC BY-SA 4.0

Abstract: We first propose a general equivalent key recovery attack to a $H^2$-MAC variant NMAC$_1$, which is also provable secure, by applying a generalized birthday attack. Our result shows that NMAC$_1$, even instantiated with a secure Merkle-Damgård hash function, is not secure. We further show that this equivalent key recovery attack to NMAC$_1$ is also applicable to NMAC for recovering the equivalent inner key of NMAC, in a related key setting. We propose and analyze a series of NMAC variants with different secret approaches and key distributions, we find that a variant NMAC-E, with secret envelop approach, can withstand most of the known attacks in this paper. However, all variants including NMAC itself, are vulnerable to on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions, based on Merkle-Damgård construction, should be re-evaluated seriously.

Loading