Cryptanalyses on a Merkle-Damgård based MAC-almost universal forgery and distinguishing-H attacks

Abstract

This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K||ℓ||M) with a shared key K and the message length ℓ. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2 n/2) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2 n queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and most of the cases, reduced rounds were attacked with a complexity between 2 n/2 and 2 n . Because it works in generic, our attack updates these results, namely full rounds are attacked with O(2 n/2) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message-blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2 n/2) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC. © 2012 International Association for Cryptologic Research.