# New HMAC Message Patches: Secret Patch and CrOw Patch

## Abstract

At Asiacrypt 2012, Peyrin *et al.* showed generic attacks against the HMAC design. Their attacks use a pair of related keys where the attacker knows only the relation between the keys, not the keys themselves (the secret-key model). Along similar lines, at Crypto 2012, Dodis *et al.* showed attacks on the indifferentiability of HMAC based on ambiguous and colliding keys, in the known/chosen-key model. Peyrin *et al.* also proposed a patching scheme for HMAC and claimed that the proposed patch thwarts their attacks.

In this work, we first show that the patch proposed by Peyrin *et al.* does not prevent their attacks on HMAC for certain “good” cryptographic hash functions. Specifically, we show that no public and reversible patch can prevent their attack on HMAC instantiated with a weakly collision-resistant hash function. We then propose two different patches, called the *secret* patch and the *collision resistant one way (CrOw)* patch, that thwart the attacks of Peyrin *et al.* and Dodis *et al.* Our work is theoretical in nature and does not threaten the security of HMAC used with standard hash functions. Further, both of our patches are designed as wrappers and leave the underlying HMAC construction unchanged, a property they share with Peyrin *et al.*’s patch.
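The related-key structure the abstract refers to, as an added worked example (this is not code from the paper): HMAC derives its inner and outer keys from K with two public XOR pads, so the relation K' = K ⊕ (ipad ⊕ opad) used by Peyrin *et al.* swaps the roles of the inner and outer keys, and an attacker needs to know only that relation, never K. The key, message and the byte-rotation "public patch" below are constructed for illustration; the rotation stands in for an arbitrary public, invertible key transformation and is not either of the paper's patches.

```python
"""Added example: the inner/outer key swap under K' = K xor (ipad xor opad),
and why a public, invertible key patch does not remove the relation.
Key, message and the byte-rotation patch are constructed for illustration."""
import hashlib
import hmac

IPAD = 0x36
OPAD = 0x5C
BLOCK = 64  # SHA-256 block size in bytes


def pad_key(key: bytes) -> bytes:
    """RFC 2104 key preprocessing: hash keys longer than a block, zero-pad."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK, b"\x00")


def inner_key(key: bytes) -> bytes:
    return bytes(b ^ IPAD for b in pad_key(key))


def outer_key(key: bytes) -> bytes:
    return bytes(b ^ OPAD for b in pad_key(key))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M))."""
    inner = hashlib.sha256(inner_key(key) + msg).digest()
    return hashlib.sha256(outer_key(key) + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check of the hand-written HMAC against the standard library."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


def related_key(key: bytes) -> bytes:
    """The relation used by Peyrin et al.: K' = K xor (ipad xor opad).
    The attacker needs only this relation, never the value of K."""
    return bytes(b ^ (IPAD ^ OPAD) for b in pad_key(key))


def roles_swap(key: bytes) -> bool:
    """Inner key of K' equals outer key of K, and vice versa."""
    k2 = related_key(key)
    return inner_key(k2) == outer_key(key) and outer_key(k2) == inner_key(key)


def swapped_roles_tag(key: bytes, msg: bytes) -> bytes:
    """H((K xor ipad) || H((K xor opad) || M)): HMAC under K', written only
    in terms of K's own inner and outer keys."""
    inner = hashlib.sha256(outer_key(key) + msg).digest()
    return hashlib.sha256(inner_key(key) + inner).digest()


# Hypothetical public, reversible "patch": rotate the padded key by one byte.
def public_patch(key: bytes) -> bytes:
    k = pad_key(key)
    return k[1:] + k[:1]


def public_unpatch(key: bytes) -> bytes:
    return key[-1:] + key[:-1]


def related_key_through_patch(key: bytes) -> bytes:
    """Because p is public and invertible, the attacker can state the relation
    in the unpatched key space: K2 = p^-1(related_key(p(K)))."""
    return public_unpatch(related_key(public_patch(key)))


def patched_relation_survives(key: bytes, msg: bytes) -> bool:
    """HMAC under p(K2) is exactly the swapped-roles tag under p(K)."""
    return hmac_sha256(public_patch(related_key_through_patch(key)), msg) == \
        swapped_roles_tag(public_patch(key), msg)


if __name__ == "__main__":
    key, msg = b"constructed-example-key", b"constructed message"
    print("stdlib match:", matches_stdlib(key, msg))
    print("inner/outer roles swap under K':", roles_swap(key))
    print("relation survives public patch:", patched_relation_survives(key, msg))
```

The swap is the whole point: an oracle for HMAC under K' answers queries of the form H(K_in || H(K_out || M)), built from the same two secret pads as HMAC under K. A patch that is merely a public bijection on keys does not change this, since the attacker composes the bijection into the relation, which is the intuition behind the abstract's claim about public, reversible patches.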

## Keywords

HMAC, Patch, Related-key attack, Colliding keys, Ambiguous keys, Indifferentiability

## References

- 1. Request For Comments: 3174, US Secure Hash Algorithm 1 (SHA1). IETF Working group (2001)
- 2. Andreeva, E., Preneel, B.: A three-property-secure hash function. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 228–244. Springer, Heidelberg (2009)
- 3. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)
- 4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
- 5. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
- 6. Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H² and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)
- 7. Guo, J., Peyrin, T., Sasaki, Y., Wang, L.: Updates on generic attacks against HMAC and NMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 131–148. Springer, Heidelberg (2014)
- 8. Leurent, G., Peyrin, T., Wang, L.: New generic attacks against hash-based MACs. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 1–20. Springer, Heidelberg (2013)
- 9. Krawczyk, H., Bellare, M., Canetti, R.: Request For Comments: 2104, HMAC: Keyed-Hashing for Message Authentication. IETF Working group (1997)
- 10. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
- 11. Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 580–597. Springer, Heidelberg (2012)