On the security of iterated message authentication codes

IEEE Transactions on Information Theory

Volumn 45, Issue 1, 1999, Pages 188-199

  Preneel, Bart ^a   Van Oorschot, Paul C ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Collisions; Cryptanalysis; Data authentication; Hash functions; Message authentication codes

Indexed keywords

ALGORITHMS; CRYPTOGRAPHY; ITERATIVE METHODS; SECURITY OF DATA;

AUTHENTICATION CODES;

CODES (SYMBOLS);

EID: 0032665874     PISSN: 00189448     EISSN: None     Source Type: Journal    
DOI: 10.1109/18.746787     Document Type: Article

References (52)

1. ANSI X9.9 (revised), "Financial institution message authentication (wholesale)," Amer. Bankers Assoc., Apr. 7, 1986.
2. ANSI X9.19, "Financial institution retail message authentication," Amer. Bankers Assoc., Aug. 13, 1986.
3. R. Anderson, "The classification of hash functions," in Codes and Cyphers: Cryptography and Coding IV, P. G. Farrell, Ed. Inst. Math, and Its Applications (IMA), 1995, pp. 83-93.
4. M. Atici and D. Stinson, "Universal hashing and multiple authentication," in Advances in Cryptology, Proc. Crypto'96, Lecture Notes in Computer Science, Vol. 1109, N. Koblitz, Ed. New York: SpringerVerlag, 1996, pp. 16-30.
5. M. Bellare, J. Kilian, and P. R. Rogaway, "The security of cipher block chaining," in Advances in Cryptology, Proc. Crypto'94, Lecture Notes in Computer Science, Vol. 839, Y. Desmedt, Ed. New York: Springer-Verlag, 1994, pp. 341-358.
6. M. Bellare, R. Guérin, and P. R. Rogaway, "XOR MAC's: New methods for message authentication using block ciphers," in Advances in Cryptology, Proc. Crypto'95, Lecture Notes in Computer Science, Vol. 963, D. Coppersmith, Ed. New York: Springer-Verlag, 1995, pp. 15-28.
7. M. Bellare, R. Canetti, and H. Krawczyk, "Pseudorandom functions revisited: The cascade construction and its concrete security," in Proc. 37th Annu. Symp. Foundations of Computer Science. Los Alamitos, ÇA: IEEE Comp. Soc. Press, 1996, pp. 514-523. [Online]. Full version available WWW: http://www-cse.ucsd.edu/users/mihir.
8. Keying hash functions for message authentication," in Advances in Cryptology, Proc. Crypto '96, Lecture Notes in Computer Science, Vol. 1109, N. Koblitx, Ed. New York: Springer-Verlag, 1996, pp. 1-15. [Online]. Full version available WWW: http:// www.research. ibm.com/security/.
9. HMAC: Keyed-hashing for message authentication," Request for Comments (RFC) 2104, Internet Activities Board, Internet Privacy Task Force, Feb. 1997.
10. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard. New York: Springer-Verlag, 1993.
11. F. Cohen, "A cryptographic checksum for integrity protection," Comput. Security, vol. 6, no. 5, pp. 505-510, 1987.
12. I. B. Damgârd, "A design principle for hash functions," in Advances in Cryptology, Proc. Crypto'89, Lecture Notes in Computer Science, Vol. 435, G. Brassard, Ed. New York: Springer-Verlag, 1990, pp. 416-427.
13. D. Davies, "A message authenticator algorithm suitable for a mainframe computer," in Advances in Cryptology, Proc. Crypto'84, Lecture Notes in Computer Science, Vol. 196, G. R. Blakley and D. Chaum, Eds. New York: Springer-Verlag, 1985, pp. 393-400.
14. D. Davies and D. O. Clayden, "The message authenticator algorithm (MAA) and its implementation," NPL Rep. DITC 109/88, Feb. 1988.
15. D. Davies and W. Price, Security for Computer Networks, 2nd ed. New York: Wiley, 1989.
16. B. den Boer and A. Bosselaers, "An attack on the last two rounds of MD4," in Advances in Cryptology, Proc. Crypto'91, Lecture Notes in Computer Science, Vol. 576, 3. Feigenbaum, Ed. New York: Springer-Verlag, 1992, pp. 194-203.
17. Collisions for the compression function of MD5," in Advances in Cryptology, Proc. Eurocrypt'93, Lecture Notes in Computer Science, Vol. 765, T. Helleseth, Ed. New York: Springer-Verlag, 1994, pp. 293-304.
18. H. Dobbertin, "Cryptanalysis of MD4," in Fast Software Encryption, Lecture Notes in Computer Science, Vol. 1039, D. Gollmann, Ed. New York: Springer-Verlag, 1996, pp. 53-69.
19. RIPEMD with two-round compress function is not collisionfree," J. Cryptol, vol. 10, no. 1, pp. 51-69, Winter 1997.
20. H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A strengthened version of RIPEMD," in Fast Software Encryption, Lecture Notes in Computer Science, Vol. 1039, D. Gollmann, Ed. New York: Springer-Verlag, 1996, pp. 71-82.
21. W. Feller, An Introduction to Probability Theory and Its Applications, vol. 1. New York: Wiley, 1968.
22. FIPS 46, "Data encryption standard," Washington, DC: NBS, U.S. Dept. Commerce, Jan. 1977.
23. FIPS 81, "DES modes of operation," Washington, DC: NBS, U.S. Dept. Commerce, Dec. 1980.
24. FIPS 180-1, "Secure hash standard," Washington, DC: NIST, U.S. Dept. Commerce, Apr. 1995.
25. A. O. Freier, P. Karlton, and P. C. Kocher, "The SSL protocol version 3.0," Internet Draft (work in progress), Internet Activities Board, Internet Privacy Task Force, Mar. 1996.
26. J. M. Galvin, K. McCloghrie, and J. R. Davin, "Secure management of SNMP networks," Integrated Network Management, II, I. Krishnan and W. Zimmer, Eds. Amsterdam, The Netherlands: North-Holland, 1991, pp. 703-714.
27. M. Girault, R. Cohen, and M. Campana, "A generalized birthday attack," in Advances in Cryptology, Proc. Eurocrypt '88, Lecture Notes in Computer Science, Vol. 330, C. G. Günther, Ed. New York: SpringerVerlag, 1988, pp. 129-156.
28. ISO 8731:1987, "Banking-Approved algorithms for message authentication, Part 1, DEA, Part 2, message authenticator algorithm (MAA)."
29. ISO/IEC 9797:1993, "Information technology-Data cryptographic techniques-Data integrity mechanisms using a cryptographic check function employing a block cipher algorithm."
30. T. Johansson, G. Kabatianskii, and B. Smeets, "On the relation between A-codes and codes correcting independent errors," in Advances in Cryptology, Proc. Eurocrypt'93, Lecture Notes in Computer Science, Vol. 765, T. Helleseth, Ed. New York: Springer-Verlag, 1994, pp. 1-11.
31. R. R. Jueneman, S. M. Matyas, and C. H. Meyer, "Message authentication with manipulation detection codes," in Proc. 1983 IEEE Symp. Security and Privacy. Los Alamitos, CA: IEEE Comp. Soc. Press, 1983, pp. 33-54.
32. B. Kaliski and M. Robshaw, "Message authentication with MD5," CryptoBytes (RSA Lab. Tech. Newslett.), vol. 1, no. 1, pp. 5-8, Spring 1995.
33. L. R. Knudsen, "A chosen text attack on CBC-MAC," Electron. Lett., vol. 33, no. 1, pp. 48_49, 1997.
34. H. Krawczyk, "LFSR-based hashing and authentication," in Advances in Cryptology, Proc. Cryto'94, Lecture Notes in Computer Science, Vol. 839, Y. Desmedt, Ed. New York: Springer-Verlag, 1994, pp. 129-139.
35. J. Linn, "The Kerberos version 5 GSS-API mechanism," Request for Comments (RFC) 1964, Internet Activities Board, Internet Privacy Task Force, June 1996.
36. M. Matsui, "A new method for known plaintext attack of FEAL cipher," in Advances in Cryptology, Proc. Eurocrypt'92, Lecture Notes in Computer Science, Vol. 658, R. A. Rueppel, Ed. New York: SpringerVerlag, 1993, pp. 81-91.
37. The first experimental cryptanalysis of the data encryption standard," in Advances in Cryptology, Proc. Cryto'94, Lecture Notes in Computer Science, Vol. 839, Y. Desmedt, Ed. New York: Springer-Verlag, 1994, pp. 1-11.
38. P. Metzger and W. Simpson, "IP authentication using keyed MD5," Request for Comments (RFC) 1828, Internet Activities Board, Internet Privacy Task Force, Aug. 1995.
39. C. Mitchell and M. Walker, "Solutions to the multidestination secure electronic mail problem," in Comput. Security, vol. 7, no. 5, pp. 483_488, 1988.
40. B. Preneel, "Analysis and design of cryptographic hash functions," Katholieke Universiteit Leuven, Belgium, Doctoral dissertation, Jan. 1993 (updated version to be published as Cryptographic Hash Functions. Boston, MA: Kluwer).
41. B. Preneel and P. C. van Oorschot, "MDx-MAC and building fast MAC's from hash functions," in Advances in Cryptology, Proc. Crypto'95, Lecture Notes in Computer Science, Vol. 963, D. Coppersmith, Ed. New York: Springer-Verlang, 1995, pp. 1-14.
42. On the security of two MAC algorithms," in Advances in Cryptology, Proc. Eurocrypt'96, Lecture Notes in Computer Science, Vol. 1070, U. Maurer, Ed. New York: Springer-Verlag, 1996, pp. 19-32.
43. A key recovery attack on the ANSI X9.19 retail MAC," Electron. Lett., vol. 32, no. 17, pp. 1568-1569, 1996.
44. B. Preneel, V. Rijmen, and P. C. van Oorschot, "A security analysis of the message authenticator algorithm (MAA)," Europ. Trans. Telecommun., vol. 8, no. 5, pp. 455_470, 1997.
45. RIPE, Integrity Primitives for Secure Information Systems, Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), " Lecture Notes in Computer Science, Vol. 1007, A. Bosselaers and B. Preneel, Eds. New York: Springer-Verlag, 1995.
46. R. L. Rivest, "The MD4 message digest algorithm," in Advances in Cryptology, Proc. Crypto'90, Lecture Notes in Computer Science, Vol. 537, S. Vanstone, Ed. New York: Springer-Verlag, 1991, pp. 303-311.
47. The MD5 message-digest algorithm," Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, Apr. 1992.
48. P. R. Rogaway, "Bucket hashing and its application to fast message authentication," in Advances in Cryptology, Proc. Crypto'95, Lecture Notes in Computer Science, Vol. 963, D. Coppersmith, Ed. New York: Springer-Verlang, 1995, pp. 29_412.
49. G. Tsudik, "Message authentication with one-way hash functions," ACM Comput. Commun. Rev., vol. 22, no. 5, pp. 29-38, 1992.
50. S. Vaudenay, "On the need for multipermutations: Cryptanalysis of MD4 and SAFER," in Fast Software Encryption, Lecture Notes in Computer Science, Vol. 1008, B. Preneel, Ed. New York: Springer-Verlag, 1995, pp. 286-297.
51. M. N. Wegman and J. L. Carter, "New hash functions and their use in authentication and set equality," J. Comput. Sys. Sci., vol. 22, no. 3, pp. 265-279, 1981.
52. M. J. Wiener, "Efficient DES key search," presented at rump session of Crypto'93, Santa Barbara, CA. Reprinted in Practical Cryptography for Data Internetworks, W. Stallings, Ed. Los Alamitos, CA: IEEE Comp. Soc. Press, 1996, pp. 31-79.