Research Article Security Analysis of HMAC/NMAC by Using

Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2013 Article ID 101907 6 pageshttpdxdoiorg1011552013101907

Research ArticleSecurity Analysis of HMACNMAC by Using Fault Injection

Kitae Jeong1 Yuseop Lee1 Jaechul Sung2 and Seokhie Hong1

1 Center for Information Security Technologies (CIST) Korea University Anam-dong Seongbuk-guSeoul 136-713 Republic of Korea

2Department of Mathematics University of Seoul Jeonnong-dong Dongdaemun-gu Seoul 130-743 Republic of Korea

Correspondence should be addressed to Jaechul Sung jcsunguosackr

Received 18 July 2013 Accepted 22 August 2013

Academic Editor Jongsung Kim

Copyright copy 2013 Kitae Jeong et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

In Choukri and Tunstall (2005) the authors showed that if they decreased the number of rounds in AES by injecting faults it ispossible to recover the secret key In this paper we propose fault injection attacks on HMACNMAC by applying the main idea oftheir attack These attacks are applicable to HMACNMAC based on the MD-family hash functions and can recover the secret keywith the negligible computational complexity Particularly these results onHMACNMAC-SHA-2 are the first known key recoveryattacks so far

1 Introduction

HMAC and NMAC are hash-based message authenticationcodes proposed in [1] The construction of HMACNMAC isbased on a keyed hash function Let119867 be an iteratedMerkle-Damgard hash function which defines a keyed hash function119867119870by replacing IVwith the key119870Then HMAC andNMAC

can be defined as follows

HMAC119870 (119872) = 119867(119870 oplus opad 10038171003817100381710038171003817119867 (119870 oplus ipad10038171003817100381710038171003817119872))

NMAC11987011198702(119872) = 119867119870

1

(1198671198702(119872))

(1)

Here119872 is a message and 119870 and (1198701 1198702) are the secret keys

of HMAC and NMAC respectively 119870means 119870 padded to asingle block and opad(= 0x5c5c sdot sdot sdot ) and ipad(= 0x3636 sdot sdot sdot )are two one-block length constants Until now many theoret-ical cryptanalytic results on HMACNMAC have been pro-posed [2ndash4] For example Wang et al presented key recoveryattacks on HMACNMAC-MD4 with 272 MAC queries and277MD4 computations [4] On the other hand McEvoy et alintroduced a differential power analysis on HMAC-SHA-256in [5] This attack does not allow the recovery of the secretkey but rather a secret intermediate hash value of SHA-256 Itleads to forging theMACs for arbitrarymessages Correlationpower analysis on HMAC based on six SHA-3 candidateswas presented in [6] This is also a forgery attack To our

knowledge there is no key recovery attack on HMAC byusing side channel analyss

Side channel analysis exploits the easily accessible infor-mation such as power consumption running time and input-output behavior under malfunctions It is often much morepowerful than the classical cryptanalysis such as differentialcryptanalysis and linear cryptanalysis Since Kocher hadintroduced timing attacks in [7] many side channel analysessuch as differential fault analysis [8] and fault injection attack[9] have been proposed [10ndash12]

Choukri and Tunstall proposed a fault injection attack onAES [13]The fault injectionmethod used a transient glitch onthe power supplied to the smart card In general the imple-mentation of a symmetric cryptographic algorithm in the PICassembly language will have the following format

movlw OAhmovwf RoudCounterRoudLabelCall RoudFunctiondecfz RoudCountergoto RoudLabel

(2)

The RAM variable (RoudCounter) is set to the number ofrounds required (in the case of AES OA in hexadecimal) Theround function is executed which has been represented by acall to the function RoudFunction The RoudCounter

2 Journal of Applied Mathematics

variable is then decremented and the round is repeated untilRoudCounter is equal to zero at which the loop point exits Itis this loop that we are trying to change so that it exits earlierthan expectedThe target of the fault is the decfz step whichconsists of a decrement a test and a conditional jump Theconditional jump is presented as a jump of one instructionwhen the test is positive otherwise the next instruction isexecuted The aim of the attack is to reduce the algorithm toone round It is not possible to remove the first round entirelyas the first conditional test is after the first round Thus thecryptanalysis of the resulting algorithm can be simple andonly requires two plaintextciphertext pairs

In this paper we propose fault injection attacks onHMACNMAC Our fault assumption is based on that of[13] That is it is assumed that we can decrease the numberof steps in the target compression function by injecting somefaults Our attack can be applied to HMACNMAC basedon the MD-family hash functions and recover the secret keywith the negligible computational complexity As concreteexamples we apply our attack to HMACNMAC based onMD4MD5 and SHA-2 Our attack results are summarized inTable 1 In the case of HMAC-SHA-256 for any message wecan recover the 119899-word secret key with [1198993] fault injectionsand only a negligible computational complexity Also weneed only 2 sdot [1198993] fault injections to recover the 2119899-wordsecret key of NMAC-SHA-256 Thus when 119899 is 4 that isthe 4(8)-word secret key we require just two(four) faultinjections to recover the secret key of HMAC-SHA-256(NMAC-SHA-256) respectively Note that the attack resultson HMACNMAC-SHA-2 are the first known key recoveryattacks on them

This paper is organized as follows in Section 2 we brieflyintroduce the MD-family hash functions Then we describethe fault injection attacks on HMAC and NMAC in mbox-Sections 3 and 4 respectively Finally we give a conclusion inSection 5

2 MD-Family Hash Function

Since MD4 [14] had been introduced in 1990 the MD-familyhash functions such as MD5 [15] and SHA-2 [16] where thedesign rationale is based on that ofMD4 have been proposedTo compute the hash value for a message 119872 of any sizethe MD-family hash functions divide119872 into message blocks(1198720 119872

119905) of fixed length 119887 and obtain the hash value by

using a compression function 119891 A compression function 119891takes a 119887-bit message string119872

119894minus1and a 119904-bit chaining variable

IHV119894minus1

as input values and outputs an updated 119904-bit chainingvariable IHV

119894 IHV

119894is computed by iteratively using a step

function It consists of addition Boolean function and rota-tion operations After operating a step function repeatedlyIHV119894is updated by adding IHV

119894minus1 Table 2 presents the

parameters of MD4 MD5 and SHA-2As a concrete example we briefly introduce SHA-2 (SHA-

224 SHA-256 SHA-384 and SHA-512) one of the mostimportant MD-family hash functions In SHA-224256 theword size is 32 bits The message string is firstly paddedto be a 512-bit multiple and is divided into 512-bit blocks

Table 1 Our attack results on HMACNMAC

Algorithm No ofinjected faults Algorithm No of

injected faultsHMAC-MD4 [1198993] NMAC-MD4 2 sdot [1198993]

HMAC-MD5 [1198993] NMAC-MD5 2 sdot [1198993]

HMAC-SHA-224 [1198993] NMAC-SHA-224 [1198993] + [1198992]

HMAC-SHA-256 [1198993] NMAC-SHA-256 2 sdot [1198993]

HMAC-SHA-384 [1198993] NMAC-SHA-384 [1198993] + 119899


Table 2 Parameters of MD4 MD5 and SHA-2

Hashfunction

Messageblock

Chainingvalue

Hashvalue

Stepfunction Word size

MD4 512 bits 128 bits 128 bits 48 steps 32 bitsMD5 512 bits 128 bits 128 bits 64 steps 32 bitsSHA-224 512 bits 256 bits 224 bits 64 steps 32 bitsSHA-256 512 bits 256 bits 256 bits 64 steps 32 bitsSHA-384 1024 bits 512 bits 384 bits 80 steps 64 bitsSHA-512 1024 bits 512 bits 512 bits 80 steps 64 bits

A compression function 119891 takes a 512-bit message string anda 256-bit chaining variable as input values and outputs anupdated 256-bit chaining variable It consists of amessage ex-pansion and a data processing The message block is expand-ed by using the following message expansion function Here(1198980 119898

15) = 119872

119894 ldquo+rdquo denotes the wordwise addition

1205900(119883) = (119883

⋙7) oplus (119883

⋙18) oplus (119883

≫3) and 120590

1(119883) = (119883

⋙17) oplus

(119883⋙19

) oplus (119883≫10)

Consider

119882119895= 119898119895 (0 le 119895 lt 16)

119882119895= 1205901(119882119895minus2) +119882

119895minus7+ 1205900(119882119895minus15

) +119882119895minus16

(16 le 119895 lt 80)

(3)

The data processing computes IHV119894as follows Here 119881

119895

denotes a 256-bit value consisting of eight words 119860119895 119861119895 119862119895

119863119895 119864119895 119865119895 119866119895 and119867

119895

Consider

1198810= IHV

119894minus1

119881119895+1

= 119877119895(119881119895119882119895) (119895 = 0 63)

IHV119894= IHV

119894minus1+ 11988164

(4)

A step function119877119895is defined as follows Here119870

119895is a constant

number for each step Ch(119883 119884 119885) = (119883 or 119884) oplus (not119883 or 119885)

Journal of Applied Mathematics 3

Maj(119883 119884 119885) = (119883or119884)oplus (119883or119885)oplus (119884or119885) Σ0(119883) = (119883

⋙2)oplus

(119883⋙13

) oplus (119883⋙22

) and Σ1(119883) = (119883

⋙6) oplus (119883

⋙11) oplus (119883

⋙25)

119879119895

1= 119867119895+ Σ1(119864119895) + Ch (119864

119895 119865119895 119866119895) + 119870119895+119882119895

119879119895

2= Σ0(119860119895) +Maj (119860

119895 119861119895 119862119895)

119860119895+1

= 119879119895

1+ 119879119895

2 119861

119895+1= 119860119895

119862119895+1

= 119861119895 119863

119895+1= 119862119895

119864119895+1

= 119863119895+ 119879119895

1 119865

119895+1= 119864119895

119866119895+1

= 119865119895 119867

119895+1= 119866119895

(5)

SHA-224 outputs the left most 224-bit value of IHV119905+1

as thehash value and SHA-256 outputs IHV

119905+1as the hash value

The structures of SHA-384512 are similar to those ofSHA-224256 In SHA-384512 the word size is double thatof SHA-224256 Thus a message block is 1024 bits and thesize of a chaining value is 512 bits A compression functionconsists of 80 steps

3 Key Recovery Attack on HMAC

Our attack can be applied to HMAC based on the MD-family hash functions As a concrete example we introducea key recovery attack on HMAC-SHA-2 Other cases can beexplained similarly For the detailed attack results see Table 1

31 Fault Assumption Recall that the authors reduced thenumber of rounds in AES to one in [13] We apply thisfault assumption to HMAC That is by using several faultinjections we can reduce the number of steps in the lasttwo compression functions (see Figure 1) Similarly to AESthe MD-family hash functions compute the hash value byiteratively using a step function Moreover there are someresults based on similar fault models [17 18] Thus our faultassumption is reasonable

For the simplicity we denote these two compressionfunctions by 119891lowast

0and 119891lowast

1 Thus we reduce the number of

steps in (119891lowast0 119891lowast

1) to some values by using fault injections

respectively and then recover the secret key 119870 of HMAC-SHA-2 When we reduced the number of steps in 119891lowast

119894to 119895 we

denoted this event by 119891lowast119894119895in this paper

32 Key Recovery Attack on HMAC-SHA-256512 As men-tioned in the previous section the structure of SHA-512 issimilar to that of SHA-256 excluding parameters such as theword size Thus we only propose a key recovery attack onHMAC-SHA-256 in this subsection

Since the word size of SHA-256 is 32 bits we assumethat the length of 119870(= 119870

01198701 sdot sdot sdot 119870

119899minus1) is 32 sdot 119899 bits Our

attack on HMAC-SHA-256 conducts the procedure recov-ering 96-bit (119870

3119894 1198703119894+1 1198703119894+2) iteratively [1198993] times (119894 =

0 [(119899 minus 1)3]) We can recover (1198700 1198701 1198702) as fol-

lows From an event (119891lowast03 119891lowast

11) we compute HMAC(=

HMAC0HMAC

1 sdot sdot sdot HMAC

7) Then we can construct

f f f f f

M0 M1 Mtminus1 Mt

Koplus opad

Koplus ipad

Fault

middot middot middotIHV0

IHV0 IHV1 HMACflowast1flowast

0

Figure 1 Our fault model on HMAC

the following six equations (see Figure 2) Here (119860 119867) =(IHV00 IHV

07)

(119884 + 119885) + (119860 + 119861) = HMAC1

(119883 + 119884) + (119861 + 119862) = HMAC2

119883 + (119860 + 119861 + 119863) = HMAC3

(120573 + 120574) + (119864 + 119865) = HMAC5

(120572 + 120573) + (119865 + 119866) = HMAC6

120572 + (119864 + 119866 + 119867) = HMAC7

(6)

Since (119860 119867) are known values in (6) we can obtain(119883 119884 119885 120572 120573 120574) With these values we can compute(1198700 1198701 1198702) by using the following equations

1198700oplus 0x5c = 119883 minus (119867 + Σ

1 (119864) + Ch (119864 119865 119866) + 1198620

+ Σ0 (119860) +Maj (119860 119861 119862)

1198701oplus 0x5c = 119884 minus (119866 + Σ

1 (120572) + Ch (120572 119864 119865) + 1198621

+ Σ0 (119883) +Maj (119883 119860 119861)

1198702oplus 0x5c = 119885 minus (119865 + Σ

1(120573) + Ch (120573 120572 119864) + 119862

2

+ Σ0 (119884) +Maj (119884119883 119860)

(7)

By repeating the previous procedure we can recover119870 byusing [1198993] fault injections Since this consists of only solvingsimple equations the computational complexity is negligible

33 Key Recovery Attack on HMAC-SHA-224384 Recallthat SHA-224384 outputs the left most 224384 bits of theresulting 256512-bit hash value as the hash valuerespectively For example HMAC-SHA-224 outputs onlyHMAC


6as the hash value Thus we can not

compute (120572 120573) in (6) (see Figure 2) However we can obtain(119883 119884 119885) in (6) and compute 119870

0in (7) And then we can

obtain 120572 by using 1198700 By repeating this procedure we can

recover (1198701 1198702) sequentially Hence we can recover 119870 of

HMAC-SHA-224384 with [1198993] fault injections and thenegligible computational complexity


A B C D E F G H

X A B C E F G

Ch

Maj

Maj

Y X A B E F

Ch

Z Y X A E

Ch

Maj

Ch

Maj

sum1 sum1

sum0 sum0

sum0

sum0

sum1

sum1

120572

120572120573

120574 120572120573

IHV00 IHV01 IHV02 IHV03 IHV04 IHV05 IHV06 IHV07 IHV10 IHV11 IHV12 IHV13 IHV14 IHV15 IHV16 IHV17

Z + A

Z + A

Y + B

Y + B

X+ C

X+ C

A+ D E + H120574 + E

120574 + E

120573 + F

120573 + F

120572 + G

120572 + G

C2

C1

C0

W0

C0

K1 oplus 0x5c

K2 oplus 0x5c

K0 oplus 0x5c

HMAC0 HMAC1 HMAC2 HMAC3 HMAC4 HMAC5 HMAC6 HMAC7

Figure 2 An event (119891lowast03 119891lowast

11)

4 Key Recovery Attack on NMAC

A key recovery attack on NMAC is similar to that on HMACThis is also applicable to NMAC based on the MD-familyhash functions As a concrete example we present a keyrecovery attack on NMAC-SHA-2 In the case of other MD-family hash functions we can attack in a similar fashionTable 1 gives the detailed results

41 Fault Assumption Differently fromHMAC NMAC usestwo 119899-word secret keys (119870

1 1198702) (see Figure 3) Thus our

attack on NMAC consists of the following two steps Firstlywe recover 119870

2by using a key recovery attack on HMAC-

SHA-2 (Fault1in Figure 3) Secondly to compute 119870

1 we

inject faults to (119891lowast2 119891lowast

3 119891lowast

1) (Fault

2in Figure 3) Note that we

assume that a message119872 is only a single block

42 Key Recovery Attack on NMAC-SHA-256512 Since thestructure of SHA-512 is similar to that of SHA-256 we onlyintroduce a key recovery attack on NMAC-SHA-256 in this

K1

K2

Fault2

Fault1

flowast3

flowast2

flowast0 flowast

1

M

NMACIHV0 IHV1

IHV0

Figure 3 Our fault model on NMAC

subsection We assume that the length of (1198701(= 11987010 sdot sdot sdot

1198701119899minus1

) 1198702(= 11987020 sdot sdot sdot 119870

2119899minus1)) is 32 sdot 119899 bits respectively By

using a key recovery attack on HMAC-SHA-256 we firstlyrecover 119870

2with [1198993] fault injections and the negligible


Table 3 Recovery of (11987010 11987011 11987012)

Chaining value Message

119891lowast

23

(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010

(119883 119886 119887 119888 119890 119891 119892) 11987011

(119884119883 119886 119887 119890 119891) 11987012

(119885 119884119883 119886 119890) mdash

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-

forward

119891lowast

31

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872

(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +

119886 + 119888 + 119889 )

feed-forward

119891lowast

14

(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886

(1205721 119860 119861 119862 120573

1 119864 119865 119866) 119884+119885+119886+119887

(1205722 1205721 119860 119861 120573

2 1205731 119864 119865) 119883+119884+119887+119888

(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889

(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash

(1205724+ 119860 120572

3+ 119861 120572

2+ 119862 120572

1+ 119863 120573

4+ 119864 120573

3+

119865 1205732+ 119866 120573

1+ 119867)

feed-forward

computational complexity And then we compute 1198701from

an event (119891lowast2119894 119891lowast

3119895 119891lowast

1119896)

Table 3 shows the results of an event (119891lowast23 119891lowast

31 119891lowast

14) From

Table 3 we can compute (11987010 11987011 11987012) as follows Since

we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)

by using 1198702 we can compute (120572

1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by

using the following equations

1205721= HMAC

3minus 119863 120573

1= HMAC

7minus 119867

1205722= HMAC

2minus 119862 120573

2= HMAC

6minus 119866

1205723= HMAC

1minus 119861 120573

3= HMAC

5minus 119865

1205724= HMAC

0minus 119860 120573

4= HMAC

4minus 119864

(8)

By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the

messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +

119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)

we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)

similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover

(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational

complexity is also negligible

43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573

1 1205732) (see Table 3) In this case we can not

compute 1198701 Thus we consider different events on these

algorithms To recover (11987010 11987011) of NMAC-SHA-224 we

use an event (119891lowast22 119891lowast

31 119891lowast

13) This attack needs [1198993] + [1198992]

fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast

21 119891lowast

31 119891lowast

12) to recover 119870

10 This attack requires [1198993] + 119899

fault injections with a negligible computational complexity

5 Conclusion

In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them

Conflict of Interests

The authors declare that there is no conflict of interests re-garding the publication of this paper

Acknowledgments

This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)

References

[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996

[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006

[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007

[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008

[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007

[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010

[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996

[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997

[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997


[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012

[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012

[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013

[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005

[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-

2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based

RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007

[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of


Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of


Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of


Mathematical PhysicsAdvances in

Complex AnalysisJournal of


OptimizationJournal of


CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of


Operations ResearchAdvances in

Journal of


Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences


The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Algebra

Discrete Dynamics in Nature and Society



Decision SciencesAdvances in

Discrete MathematicsJournal of


Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of


variable is then decremented and the round is repeated untilRoudCounter is equal to zero at which the loop point exits Itis this loop that we are trying to change so that it exits earlierthan expectedThe target of the fault is the decfz step whichconsists of a decrement a test and a conditional jump Theconditional jump is presented as a jump of one instructionwhen the test is positive otherwise the next instruction isexecuted The aim of the attack is to reduce the algorithm toone round It is not possible to remove the first round entirelyas the first conditional test is after the first round Thus thecryptanalysis of the resulting algorithm can be simple andonly requires two plaintextciphertext pairs

In this paper we propose fault injection attacks onHMACNMAC Our fault assumption is based on that of[13] That is it is assumed that we can decrease the numberof steps in the target compression function by injecting somefaults Our attack can be applied to HMACNMAC basedon the MD-family hash functions and recover the secret keywith the negligible computational complexity As concreteexamples we apply our attack to HMACNMAC based onMD4MD5 and SHA-2 Our attack results are summarized inTable 1 In the case of HMAC-SHA-256 for any message wecan recover the 119899-word secret key with [1198993] fault injectionsand only a negligible computational complexity Also weneed only 2 sdot [1198993] fault injections to recover the 2119899-wordsecret key of NMAC-SHA-256 Thus when 119899 is 4 that isthe 4(8)-word secret key we require just two(four) faultinjections to recover the secret key of HMAC-SHA-256(NMAC-SHA-256) respectively Note that the attack resultson HMACNMAC-SHA-2 are the first known key recoveryattacks on them

This paper is organized as follows in Section 2 we brieflyintroduce the MD-family hash functions Then we describethe fault injection attacks on HMAC and NMAC in mbox-Sections 3 and 4 respectively Finally we give a conclusion inSection 5

2 MD-Family Hash Function

Since MD4 [14] had been introduced in 1990 the MD-familyhash functions such as MD5 [15] and SHA-2 [16] where thedesign rationale is based on that ofMD4 have been proposedTo compute the hash value for a message 119872 of any sizethe MD-family hash functions divide119872 into message blocks(1198720 119872

119905) of fixed length 119887 and obtain the hash value by

using a compression function 119891 A compression function 119891takes a 119887-bit message string119872

119894minus1and a 119904-bit chaining variable

IHV119894minus1

as input values and outputs an updated 119904-bit chainingvariable IHV

119894 IHV

119894is computed by iteratively using a step

function It consists of addition Boolean function and rota-tion operations After operating a step function repeatedlyIHV119894is updated by adding IHV

119894minus1 Table 2 presents the

parameters of MD4 MD5 and SHA-2As a concrete example we briefly introduce SHA-2 (SHA-

224 SHA-256 SHA-384 and SHA-512) one of the mostimportant MD-family hash functions In SHA-224256 theword size is 32 bits The message string is firstly paddedto be a 512-bit multiple and is divided into 512-bit blocks

Table 1 Our attack results on HMACNMAC

Algorithm No ofinjected faults Algorithm No of

injected faultsHMAC-MD4 [1198993] NMAC-MD4 2 sdot [1198993]

HMAC-MD5 [1198993] NMAC-MD5 2 sdot [1198993]

HMAC-SHA-224 [1198993] NMAC-SHA-224 [1198993] + [1198992]


HMAC-SHA-384 [1198993] NMAC-SHA-384 [1198993] + 119899


Table 2 Parameters of MD4 MD5 and SHA-2

Hashfunction

Messageblock

Chainingvalue

Hashvalue

Stepfunction Word size

MD4 512 bits 128 bits 128 bits 48 steps 32 bitsMD5 512 bits 128 bits 128 bits 64 steps 32 bitsSHA-224 512 bits 256 bits 224 bits 64 steps 32 bitsSHA-256 512 bits 256 bits 256 bits 64 steps 32 bitsSHA-384 1024 bits 512 bits 384 bits 80 steps 64 bitsSHA-512 1024 bits 512 bits 512 bits 80 steps 64 bits

A compression function 119891 takes a 512-bit message string anda 256-bit chaining variable as input values and outputs anupdated 256-bit chaining variable It consists of amessage ex-pansion and a data processing The message block is expand-ed by using the following message expansion function Here(1198980 119898

15) = 119872

119894 ldquo+rdquo denotes the wordwise addition

1205900(119883) = (119883

⋙7) oplus (119883

⋙18) oplus (119883

≫3) and 120590

1(119883) = (119883

⋙17) oplus

(119883⋙19

) oplus (119883≫10)

Consider

119882119895= 119898119895 (0 le 119895 lt 16)

119882119895= 1205901(119882119895minus2) +119882

119895minus7+ 1205900(119882119895minus15

) +119882119895minus16

(16 le 119895 lt 80)

(3)

The data processing computes IHV119894as follows Here 119881

119895

denotes a 256-bit value consisting of eight words 119860119895 119861119895 119862119895

119863119895 119864119895 119865119895 119866119895 and119867

119895

Consider

1198810= IHV

119894minus1

119881119895+1

= 119877119895(119881119895119882119895) (119895 = 0 63)

IHV119894= IHV

119894minus1+ 11988164

(4)

A step function119877119895is defined as follows Here119870

119895is a constant

number for each step Ch(119883 119884 119885) = (119883 or 119884) oplus (not119883 or 119885)



⋙2)oplus

(119883⋙13

) oplus (119883⋙22

) and Σ1(119883) = (119883

⋙6) oplus (119883

⋙11) oplus (119883

⋙25)

119879119895

1= 119867119895+ Σ1(119864119895) + Ch (119864

119895 119865119895 119866119895) + 119870119895+119882119895

119879119895

2= Σ0(119860119895) +Maj (119860

119895 119861119895 119862119895)

119860119895+1

= 119879119895

1+ 119879119895

2 119861

119895+1= 119860119895

119862119895+1

= 119861119895 119863

119895+1= 119862119895

119864119895+1

= 119863119895+ 119879119895

1 119865

119895+1= 119864119895

119866119895+1

= 119865119895 119867

119895+1= 119866119895

(5)









0and 119891lowast





119894to 119895 we











HMAC0HMAC



f f f f f

M0 M1 Mtminus1 Mt

Koplus opad

Koplus ipad

Fault



0



07)

(119884 + 119885) + (119860 + 119861) = HMAC1

(119883 + 119884) + (119861 + 119862) = HMAC2

119883 + (119860 + 119861 + 119863) = HMAC3

(120573 + 120574) + (119864 + 119865) = HMAC5

(120572 + 120573) + (119865 + 119866) = HMAC6

120572 + (119864 + 119866 + 119867) = HMAC7

(6)


1198700oplus 0x5c = 119883 minus (119867 + Σ

1 (119864) + Ch (119864 119865 119866) + 1198620

+ Σ0 (119860) +Maj (119860 119861 119862)

1198701oplus 0x5c = 119884 minus (119866 + Σ

1 (120572) + Ch (120572 119864 119865) + 1198621

+ Σ0 (119883) +Maj (119883 119860 119861)

1198702oplus 0x5c = 119885 minus (119865 + Σ

1(120573) + Ch (120573 120572 119864) + 119862

2

+ Σ0 (119884) +Maj (119884119883 119860)

(7)











A B C D E F G H

X A B C E F G

Ch

Maj

Maj

Y X A B E F

Ch

Z Y X A E

Ch

Maj

Ch

Maj

sum1 sum1

sum0 sum0

sum0

sum0

sum1

sum1

120572

120572120573

120574 120572120573


Z + A

Z + A

Y + B

Y + B

X+ C

X+ C

A+ D E + H120574 + E

120574 + E

120573 + F

120573 + F

120572 + G

120572 + G

C2

C1

C0

W0

C0

K1 oplus 0x5c

K2 oplus 0x5c

K0 oplus 0x5c



11)








1 we


3 119891lowast

1) (Fault




K1

K2

Fault2

Fault1

flowast3

flowast2

flowast0 flowast

1

M

NMACIHV0 IHV1

IHV0



1198701119899minus1

) 1198702(= 11987020 sdot sdot sdot 119870







119891lowast

23

(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010

(119883 119886 119887 119888 119890 119891 119892) 11987011

(119884119883 119886 119887 119890 119891) 11987012

(119885 119884119883 119886 119890) mdash

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-

forward

119891lowast

31

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872

(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +

119886 + 119888 + 119889 )

feed-forward

119891lowast

14

(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886

(1205721 119860 119861 119862 120573

1 119864 119865 119866) 119884+119885+119886+119887

(1205722 1205721 119860 119861 120573

2 1205731 119864 119865) 119883+119884+119887+119888

(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889

(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash

(1205724+ 119860 120572

3+ 119861 120572

2+ 119862 120572

1+ 119863 120573

4+ 119864 120573

3+

119865 1205732+ 119866 120573

1+ 119867)

feed-forward



3119895 119891lowast

1119896)


31 119891lowast

14) From




1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by


1205721= HMAC

3minus 119863 120573

1= HMAC

7minus 119867

1205722= HMAC

2minus 119862 120573

2= HMAC

6minus 119866

1205723= HMAC

1minus 119861 120573

3= HMAC

5minus 119865

1205724= HMAC

0minus 119860 120573

4= HMAC

4minus 119864

(8)













31 119891lowast



21 119891lowast

31 119891lowast




5 Conclusion




Acknowledgments


References


























Volume 2014




Journal of











Journal of


Function Spaces






Algebra











⋙2)oplus

(119883⋙13

) oplus (119883⋙22

) and Σ1(119883) = (119883

⋙6) oplus (119883

⋙11) oplus (119883

⋙25)

119879119895

1= 119867119895+ Σ1(119864119895) + Ch (119864

119895 119865119895 119866119895) + 119870119895+119882119895

119879119895

2= Σ0(119860119895) +Maj (119860

119895 119861119895 119862119895)

119860119895+1

= 119879119895

1+ 119879119895

2 119861

119895+1= 119860119895

119862119895+1

= 119861119895 119863

119895+1= 119862119895

119864119895+1

= 119863119895+ 119879119895

1 119865

119895+1= 119864119895

119866119895+1

= 119865119895 119867

119895+1= 119866119895

(5)









0and 119891lowast





119894to 119895 we











HMAC0HMAC



f f f f f

M0 M1 Mtminus1 Mt

Koplus opad

Koplus ipad

Fault



0



07)

(119884 + 119885) + (119860 + 119861) = HMAC1

(119883 + 119884) + (119861 + 119862) = HMAC2

119883 + (119860 + 119861 + 119863) = HMAC3

(120573 + 120574) + (119864 + 119865) = HMAC5

(120572 + 120573) + (119865 + 119866) = HMAC6

120572 + (119864 + 119866 + 119867) = HMAC7

(6)


1198700oplus 0x5c = 119883 minus (119867 + Σ

1 (119864) + Ch (119864 119865 119866) + 1198620

+ Σ0 (119860) +Maj (119860 119861 119862)

1198701oplus 0x5c = 119884 minus (119866 + Σ

1 (120572) + Ch (120572 119864 119865) + 1198621

+ Σ0 (119883) +Maj (119883 119860 119861)

1198702oplus 0x5c = 119885 minus (119865 + Σ

1(120573) + Ch (120573 120572 119864) + 119862

2

+ Σ0 (119884) +Maj (119884119883 119860)

(7)











A B C D E F G H

X A B C E F G

Ch

Maj

Maj

Y X A B E F

Ch

Z Y X A E

Ch

Maj

Ch

Maj

sum1 sum1

sum0 sum0

sum0

sum0

sum1

sum1

120572

120572120573

120574 120572120573


Z + A

Z + A

Y + B

Y + B

X+ C

X+ C

A+ D E + H120574 + E

120574 + E

120573 + F

120573 + F

120572 + G

120572 + G

C2

C1

C0

W0

C0

K1 oplus 0x5c

K2 oplus 0x5c

K0 oplus 0x5c



11)








1 we


3 119891lowast

1) (Fault




K1

K2

Fault2

Fault1

flowast3

flowast2

flowast0 flowast

1

M

NMACIHV0 IHV1

IHV0



1198701119899minus1

) 1198702(= 11987020 sdot sdot sdot 119870







119891lowast

23

(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010

(119883 119886 119887 119888 119890 119891 119892) 11987011

(119884119883 119886 119887 119890 119891) 11987012

(119885 119884119883 119886 119890) mdash

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-

forward

119891lowast

31

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872

(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +

119886 + 119888 + 119889 )

feed-forward

119891lowast

14

(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886

(1205721 119860 119861 119862 120573

1 119864 119865 119866) 119884+119885+119886+119887

(1205722 1205721 119860 119861 120573

2 1205731 119864 119865) 119883+119884+119887+119888

(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889

(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash

(1205724+ 119860 120572

3+ 119861 120572

2+ 119862 120572

1+ 119863 120573

4+ 119864 120573

3+

119865 1205732+ 119866 120573

1+ 119867)

feed-forward



3119895 119891lowast

1119896)


31 119891lowast

14) From




1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by


1205721= HMAC

3minus 119863 120573

1= HMAC

7minus 119867

1205722= HMAC

2minus 119862 120573

2= HMAC

6minus 119866

1205723= HMAC

1minus 119861 120573

3= HMAC

5minus 119865

1205724= HMAC

0minus 119860 120573

4= HMAC

4minus 119864

(8)













31 119891lowast



21 119891lowast

31 119891lowast




5 Conclusion




Acknowledgments


References


























Volume 2014




Journal of











Journal of


Function Spaces






Algebra










A B C D E F G H

X A B C E F G

Ch

Maj

Maj

Y X A B E F

Ch

Z Y X A E

Ch

Maj

Ch

Maj

sum1 sum1

sum0 sum0

sum0

sum0

sum1

sum1

120572

120572120573

120574 120572120573


Z + A

Z + A

Y + B

Y + B

X+ C

X+ C

A+ D E + H120574 + E

120574 + E

120573 + F

120573 + F

120572 + G

120572 + G

C2

C1

C0

W0

C0

K1 oplus 0x5c

K2 oplus 0x5c

K0 oplus 0x5c



11)








1 we


3 119891lowast

1) (Fault




K1

K2

Fault2

Fault1

flowast3

flowast2

flowast0 flowast

1

M

NMACIHV0 IHV1

IHV0



1198701119899minus1

) 1198702(= 11987020 sdot sdot sdot 119870







119891lowast

23

(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010

(119883 119886 119887 119888 119890 119891 119892) 11987011

(119884119883 119886 119887 119890 119891) 11987012

(119885 119884119883 119886 119890) mdash

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-

forward

119891lowast

31

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872

(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +

119886 + 119888 + 119889 )

feed-forward

119891lowast

14

(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886

(1205721 119860 119861 119862 120573

1 119864 119865 119866) 119884+119885+119886+119887

(1205722 1205721 119860 119861 120573

2 1205731 119864 119865) 119883+119884+119887+119888

(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889

(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash

(1205724+ 119860 120572

3+ 119861 120572

2+ 119862 120572

1+ 119863 120573

4+ 119864 120573

3+

119865 1205732+ 119866 120573

1+ 119867)

feed-forward



3119895 119891lowast

1119896)


31 119891lowast

14) From




1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by


1205721= HMAC

3minus 119863 120573

1= HMAC

7minus 119867

1205722= HMAC

2minus 119862 120573

2= HMAC

6minus 119866

1205723= HMAC

1minus 119861 120573

3= HMAC

5minus 119865

1205724= HMAC

0minus 119860 120573

4= HMAC

4minus 119864

(8)













31 119891lowast



21 119891lowast

31 119891lowast




5 Conclusion




Acknowledgments


References


























Volume 2014




Journal of











Journal of


Function Spaces






Algebra












119891lowast

23

(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010

(119883 119886 119887 119888 119890 119891 119892) 11987011

(119884119883 119886 119887 119890 119891) 11987012

(119885 119884119883 119886 119890) mdash

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-

forward

119891lowast

31

(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872

(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +

119886 + 119888 + 119889 )

feed-forward

119891lowast

14

(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886

(1205721 119860 119861 119862 120573

1 119864 119865 119866) 119884+119885+119886+119887

(1205722 1205721 119860 119861 120573

2 1205731 119864 119865) 119883+119884+119887+119888

(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889

(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash

(1205724+ 119860 120572

3+ 119861 120572

2+ 119862 120572

1+ 119863 120573

4+ 119864 120573

3+

119865 1205732+ 119866 120573

1+ 119867)

feed-forward



3119895 119891lowast

1119896)


31 119891lowast

14) From




1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by


1205721= HMAC

3minus 119863 120573

1= HMAC

7minus 119867

1205722= HMAC

2minus 119862 120573

2= HMAC

6minus 119866

1205723= HMAC

1minus 119861 120573

3= HMAC

5minus 119865

1205724= HMAC

0minus 119860 120573

4= HMAC

4minus 119864

(8)













31 119891lowast



21 119891lowast

31 119891lowast




5 Conclusion




Acknowledgments


References


























Volume 2014




Journal of











Journal of


Function Spaces






Algebra

























Volume 2014




Journal of











Journal of


Function Spaces






Algebra
















Volume 2014




Journal of











Journal of


Function Spaces






Algebra









Documents

Research Article Security Analysis of HMAC/NMAC by Using