Cryptanalyses on a Merkle-Damgård Based MAC - Almost Universal Forgery and Distinguishing-H Attacks

This paper presents two types of cryptanalysis on a MerkleDamg̊ard hash based MAC, which computes a MAC value of a message M by Hash(K‖`‖M) with a shared key K and the message length `. This construction is often called LPMAC. Firstly, we present a distinguishingH attack against LPMAC instantiating any narrow-pipe Merkle-Damg̊ard hash function with O(2) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2 queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and most of the cases, reduced rounds were attacked with a complexity between 2 and 2. Because it works in generic, our attack updates these results, namely full rounds are attacked with O(2) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message-blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrowpipe Merkle-Damg̊ard hash function, our attack can be performed with O(2) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC.