Original Document Information
Abstract
English
This paper presents the first equivalent key recovery attack on H2-MAC-MD5, which leads directly to a selective forgery attack. H2-MAC is similar to HMAC except that the outer key is omitted. For HMAC-MD5, since the available differential paths are pseudo-collisions, all the key recovery attacks are in the related-key setting, while our attack on H2-MAC-MD5 gets rid of this restriction. Based on the distinguisher of HMAC-MD5 proposed by Wang et al., a pair of intermediate chaining variables, i.e., the equivalent keys $(\tilde{K}, \tilde{K}')$, is detected which fulfils the specific conditions on $(IV, IV')$ of the pseudo-collision. Then the inner key recovery attack on HMAC-MD5 explored by Contini and Yin is adopted to recover $(\tilde{K}, \tilde{K}')$. Consequently, the adversary can compute the valid MAC value of $M_0 \| M^*$ effortlessly, where $M_0$ is a fixed one-block message, and $M^*$ can be any bit string.
Keywords: Cryptanalysis, H2-MAC-MD5, Distinguishing attack, Equivalent key recovery attack
Table of Contents
1 Introduction
2 Preliminaries
2.1 Notations
2.2 Brief Description of MD5
2.3 Pseudo-collisions of MD5
2.4 Brief Description of H2-MAC
3 Equivalent Key Recovery Attack on H2-MAC-MD5
3.1 Distinguishing Attack on H2-MAC-MD5
3.2 Recovering the Equivalent Key $\tilde{K}$
3.3 Selective Forgery Attack
4 Conclusions
References