Equivalent Key Recovery Attack on H 2-MAC Instantiated with MD5

This paper presents the first equivalent key recovery attack on H2-MAC-MD5, which conduces to a selective forgery attack directly. H2-MAC is similar with HMAC except that the outer key is omitted. For HMAC-MD5, since the available differential paths are pseudocollisions, all the key recovery attacks are in the related-key setting, while our attack on H2MAC-MD5 gets rid of this restriction. Based on the distinguisher of HMAC-MD5 proposed by Wang et al., a pair of intermediate chaining variables, i.e., the equivalent keys (K̃, K̃ ′), is detected which fulfils the specific conditions on (IV, IV ′) of the pseudo-collision. Then the inner key recovery attack on HMAC-MD5 explored by Contini and Yin is adopted to recover (K̃, K̃ ′). Consequently, the adversary can compute the valid MAC value of M0‖M ∗ effortlessly, where M0 is a fixed one-block message, and M ∗ can be any bit string.