KEYNOTE II:

Generic Related-key Attacks for HMAC
Thomas Peyrin
Speaker: Thomas Peyrin
Abstract: In this talk, we will review state-of-the-art analysis of the well-known hash-based MAC algorithm HMAC, from distinguishers to forgery attacks. Then, we will describe a new class of generic attacks for HMAC in the related-key model using a simple cycle-size detection criterion. More precisely, when HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks, we will show how, using a single related-key query, one can derive distinguishing-R, distinguishing-H and forgery attacks when m = k and l > n. This means that, contrary to the general belief, using wide-pipe hash functions as the internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size. To the best of our knowledge, this is the first theoretical flaw identified for HMAC, and we will discuss potential solutions to patch this flaw.

About the speaker:
Thomas Peyrin has been an NRF Assistant Professor in the Coding and Cryptography Research Group at Nanyang Technological University in Singapore since April 2012. Previously, he was a PhD student at Orange Labs (formerly France Télécom R&D) and the University of Versailles under the supervision of Henri Gilbert and Marc Girault. He also worked for two years at Ingenico as Cryptography Expert, and at Nanyang Technological University as Research Fellow. His main research interest is the design and cryptanalysis of hash functions, and more generally symmetric cryptography primitives. He is one of the designers of ECHO (a SHA-3 submission candidate), PHOTON (a lightweight hash function) and LED (a lightweight block cipher).