Multilane HMAC— Security beyond the Birthday Limit

  • Kan Yasuda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4859)


HMAC is a popular MAC (Message Authentication Code) that is based on a cryptographic hash function. HMAC is provided with a formal proof of security, in which it is proven to be a PRF (Pseudo-Random Function) under the condition that its underlying compression function is a PRF. Nonetheless, the security of HMAC is limited by a birthday attack, that is, HMAC using a compression function with n-bit output gets forged after about 2n/2 queries. In this paper we resolve this problem by introducing novel construction we call L-Lane HMAC. Our construction is provided with concrete-security reduction accomplishing a security guarantee well beyond the birthday limit. L-Lane HMAC requires more invocations to the compression function than the conventional HMAC, but the performance decline is smaller than those of previous constructs. In addition, L-Lane HMAC inherits the design principles of the original HMAC, such as single-key usage and off-the-shelf hash-function calls.


message authentication code hash function birthday attack multilane NMAC HMAC failure-friendly 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations — Benes: A non-reversible alternative to Feistel. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Bellare, M.: New proofs for NMAC and HMAC: Security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Bellare, M., Goldreich, O., Krawczyk, H.: Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 270–287. Springer, Heidelberg (1999)Google Scholar
  5. 5.
    Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: New methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    den Boer, B., Rompay, B.V., Preneel, B., Vandewalle, J.: New (two-track-)MAC based on the two trails of RIPEMD. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 314–324. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Jaulmes, É., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Matsui, M., Fukuda, S.: How to maximize software performance of symmetric primitives on Pentium III and 4 processors. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 398–412. Springer, Heidelberg (2005)Google Scholar
  12. 12.
    Nakajima, J., Matsui, M.: Performance analysis and parallel implementation of dedicated hash functions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 165–180. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Patarin, J.: Improved security bounds for pseudorandom permutations. In: ACM Conference on Computer and Communications Security, pp. 142–150 (1997)Google Scholar
  14. 14.
    Patarin, J.: About Feistel schemes with six (or more) rounds. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 103–121. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Preneel, B., van Oorschot, P.C.: On the security of iterated message authentication codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)zbMATHCrossRefGoogle Scholar
  16. 16.
    Speirs, W.R., Molloy, I.: Making large hash functions from small compression functions. Cryptology ePrint Archive, 2007/239 (2007)Google Scholar
  17. 17.
    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Yasuda, K.: ”Sandwich” is indeed secure: How to authenticate a message with just one hashing. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 355–369. Springer, Heidelberg (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Kan Yasuda
    • 1
  1. 1.NTT Information Sharing Platform Laboratories, NTT Corporation, 3-9-11 Midoricho Musashino-shi, Tokyo 180-8585Japan

Personalised recommendations