earticle

영어

In this paper, we propose an ecient method to break H2-MAC, by using a generalized birthday attack to recover the equivalent key, under the assumption that the underlying hash function is secure (collision resistance). We can successfully recover the equivalent key of H2-MAC in about 2n=2 on-line MAC queries and 2n=2 o-line hash computations with great probability. This attack shows that the security of H2-MAC is totally dependent on the col- lision resistance of the underlying hash function, instead of the PRF-AX of the underlying compression function in the origin security proof of H2-MAC.