Equivalent key recovery attack on H2-MAC instantiated with MD5

Abstract

This paper presents the first equivalent key recovery attack on H 2-MAC-MD5, which conduces to a selective forgery attack directly. H2-MAC is similar with HMAC except that the outer key is omitted. For HMAC-MD5, since the available differential paths are pseudo-collisions, all the key recovery attacks are in the related-key setting, while our attack on H 2-MAC-MD5 gets rid of this restriction. Based on the distinguisher of HMAC-MD5 proposed by Wang et al., a pair of intermediate chaining variables, i.e., the equivalent keys (K̃, K̃′), is detected which fulfils the specific conditions on (IV,IV′) of the pseudo-collision. Then the inner key recovery attack on HMAC-MD5 explored by Contini and Yin is adopted to recover (K̃, K̃′). Consequently, the adversary can compute the valid MAC value of M0||M* effortlessly, where M0 is a fixed one-block message, and M* can be any bit string. © 2011 Springer-Verlag.