A length-extension attack is not possible, because of the double hashing: the outer hash covers the inner hash's output, so an attacker who knows MAC_K(m) cannot extend it to a valid MAC_K(m || suffix)
Collision attacks are possible (two messages with the same tag), at the birthday bound of about 2^(n/2) tags for an n-bit hash
To get a security level of n bits against collisions, a 2n-bit hash function must be used
However, the attack must be done "online," i.e., the attacker has to get K's owner to compute MAC_K for every candidate message, since the tags cannot be computed without K
Deriving the authentication key from observed tags is not feasible
It requires finding a preimage of the hash function (about 2^n work for an n-bit hash)
If the hash size (n bits) is greater than or equal to the key size (m bits), then a preimage search on the hash function takes at least as long as a brute-force search over the 2^m keys, so the key search is the cheaper attack
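As an added illustration of the two points above (collisions exist at the birthday bound, and the attacker must obtain every tag online), the following Python code is not from the original slides. It truncates HMAC-SHA256 to a 32-bit tag so that the roughly 2^16-query birthday attack finishes in seconds; the key lives only inside the oracle closure, which is what "online" means here. The message pattern and the key are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets


def make_mac_oracle(key: bytes, tag_bits: int):
    """Return a function m -> HMAC-SHA256(key, m) truncated to tag_bits.

    The closure holds the key. The attacker never sees it and can only
    obtain tags by calling the oracle, so every query is an online query
    to K's owner.
    """
    tag_bytes = tag_bits // 8

    def oracle(message: bytes) -> bytes:
        return hmac.new(key, message, hashlib.sha256).digest()[:tag_bytes]

    return oracle


def find_tag_collision(oracle, max_queries: int):
    """Generic birthday attack: submit distinct messages until two share a tag.

    Returns (m1, m2, tag, queries_used) or None if max_queries is exhausted.
    Nothing here depends on the hash function; only the tag length matters.
    """
    seen = {}
    for i in range(max_queries):
        m = b"msg-%d" % i                 # constructed, pairwise-distinct messages
        t = oracle(m)
        if t in seen:
            return seen[t], m, t, i + 1
        seen[t] = m
    return None


def expected_birthday_queries(tag_bits: int) -> float:
    """Queries at which a collision becomes likely: about sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** tag_bits)


if __name__ == "__main__":
    oracle = make_mac_oracle(secrets.token_bytes(32), 32)
    m1, m2, tag, q = find_tag_collision(oracle, 1 << 20)
    print("collision after", q, "online queries:", m1, m2, tag.hex())
    print("expected for 32-bit tags:", int(expected_birthday_queries(32)))
    print("expected for 256-bit tags: 2^%.0f" % math.log2(expected_birthday_queries(256)))
```

With a full 256-bit tag the same loop would need on the order of 2^128 oracle calls, which is why the slide says an n-bit security level needs a 2n-bit hash; truncating the tag buys bandwidth at the price of a cheaper online collision search.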
Similar to CBC-MAC, except the chaining step is a multiplication in the Galois field GF(2^128) instead of a block-cipher call (the GHASH polynomial hash used by GMAC)
MAC From a Dedicated Algorithm
An algorithm designed specifically as a MAC, not based on a hash function or block cipher
Example: SipHash
J. Aumasson and D. Bernstein.
SipHash: a fast short-input PRF.
Cryptology ePrint Archive, Report 2012/351, June 20, 2012.
http://eprint.iacr.org/2012/351
Key size: 128 bits
Tag size: 64 bits
Aumasson & Bernstein, op. cit.
SipHash is not collision resistant
With a 64-bit tag, collisions can be found with a generic 2^32 birthday attack
However, the collision attack must be done online, since the attacker needs the key's owner to compute the tags
SipHash should not be used where collision resistance is required (e.g., as a substitute for a cryptographic hash)
Use cases for SipHash:
Message authentication
SipHash is specifically designed to be efficient on short messages, unlike most hash- or cipher-based MACs
Keyed hash function for hash tables
To defend against "hash flooding" denial-of-service attacks
The attacker inserts into the hash table a large number of keys that all have the same hash value, which they can precompute offline when the hash function is public and unkeyed
Having many keys in the same hash bucket degrades lookups and insertions from constant time to time linear in the bucket size
Using a fast keyed hash function with a secret, randomly chosen per-process key, rather than a normal unkeyed hash function, means the attacker cannot find keys with the same hash value without access to that key
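An added Python example (not code from the slides or from Aumasson and Bernstein) that implements SipHash-2-4 from the specification, checks it against the paper's test vector, and uses it as the keyed hash of a hash table. craft_flood plays an attacker who already knows the key and grinds inputs into a single bucket; distinct_buckets then shows that under a different, secret key the same inputs scatter, which is the hash-flooding defence. The function names, the bucket count and the "item-N" strings are constructed for this example.

```python
import secrets

MASK64 = (1 << 64) - 1


def _rotl64(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    # One ARX round of SipHash (additions mod 2^64, rotations, XORs).
    v0 = (v0 + v1) & MASK64; v1 = _rotl64(v1, 13); v1 ^= v0; v0 = _rotl64(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl64(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl64(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl64(v1, 17); v1 ^= v2; v2 = _rotl64(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: 128-bit key, 64-bit tag, 2 compression and 4 finalization rounds."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575   # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D   # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261   # "lygenera"
    v3 = k1 ^ 0x7465646279746573   # "tedbytes"
    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):            # full 8-byte little-endian words
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Last word: leftover bytes, with (length mod 256) in the top byte.
    m = int.from_bytes(msg[full:], "little") | ((n & 0xFF) << 56)
    v3 ^= m
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= m
    v2 ^= 0xFF                              # finalization marker
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def bucket(key: bytes, item: bytes, nbuckets: int) -> int:
    """Hash-table bucket index under a keyed SipHash (hypothetical table layout)."""
    return siphash24(key, item) % nbuckets


def craft_flood(key: bytes, nbuckets: int, count: int) -> list:
    """Attacker who knows the key: grind constructed inputs until `count` land in bucket 0."""
    found, i = [], 0
    while len(found) < count:
        item = b"item-%d" % i
        if bucket(key, item, nbuckets) == 0:
            found.append(item)
        i += 1
    return found


def distinct_buckets(key: bytes, items: list, nbuckets: int) -> int:
    """How many different buckets the given items occupy under this key."""
    return len({bucket(key, it, nbuckets) for it in items})


if __name__ == "__main__":
    leaked = bytes(range(16))               # key the attacker happens to know
    flood = craft_flood(leaked, 256, 32)
    print("buckets hit under leaked key:", distinct_buckets(leaked, flood, 256))
    fresh = secrets.token_bytes(16)         # per-process random key the attacker never sees
    print("buckets hit under fresh key: ", distinct_buckets(fresh, flood, 256))
```

The grinding loop in craft_flood is exactly the work the attacker must do online against a real table: without the key, each probe costs an insertion the defender can see and rate-limit, and a new process with a new key invalidates the whole set.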
Similar to CCM, except the MAC is computed over the ciphertext by a chained Galois field (GF(2^128)) multiplication rather than by CBC-MAC; this is GCM (Galois/Counter Mode)
Alternative: Duplex sponge construction
Brought to you by the designers of Keccak, the SHA-3 winner
G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche.
Duplexing the sponge: single-pass authenticated encryption and other applications.
18th International Workshop on Selected Areas in Cryptography (SAC 2011),
LNCS 7118, 2011, pages 320-337.
http://sponge.noekeon.org/SpongeDuplex.pdf
Bertoni et al., op. cit.
Feed in key-plus-nonce as the first input block σ0
Feed in plaintext blocks as input blocks σ1, σ2, ..., σn
Use output blocks Z0, Z1, ..., Zn−1 as the keystream (plaintext block σi is XORed with Zi−1, the output produced just before σi is absorbed)
Ciphertext = plaintext XOR keystream
Use output block Zn, produced after the last plaintext block has been absorbed, as the authentication tag
Since Z0 depends only on key and nonce, a (key, nonce) pair must never be reused: a repeated nonce leaks the XOR of the two messages' first plaintext blocks, as with any stream cipher
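The encrypt/decrypt procedure above, written out as an added Python example (not code from the slides or from the Keccak team). Keccak-f is replaced by a small ChaCha-style ARX permutation so the example is self-contained; that permutation, the rate/capacity split, the byte padding, the block size and the tag length are assumptions made for the example and carry no real security claim. The sample key, nonce and message are constructed.

```python
import hmac
import struct

STATE_BYTES = 64      # 16 x 32-bit words: width of the toy permutation (assumption)
RATE = 32             # bytes of state that inputs and outputs touch (assumption)
BLOCK = 16            # plaintext bytes absorbed per duplex call; must be < RATE
TAG_LEN = 16          # bytes of Z_n kept as the tag (assumption)
M32 = 0xFFFFFFFF


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl32(s[b] ^ s[c], 7)


def toy_permutation(state: bytes) -> bytes:
    """Stand-in for Keccak-f: 10 ChaCha-style double rounds on a 512-bit state.

    It is a bijection, which is all the sponge construction requires of f;
    it is NOT Keccak and is here only to make the duplex mechanics visible.
    """
    s = list(struct.unpack("<16I", state))
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *s)


class Duplex:
    """Duplex object: each call absorbs one input block sigma_i and returns Z_i."""

    def __init__(self):
        self.state = bytes(STATE_BYTES)

    def duplex(self, sigma: bytes) -> bytes:
        if len(sigma) >= RATE:
            raise ValueError("input block must be shorter than the rate")
        padded = sigma + b"\x01" + bytes(RATE - len(sigma) - 1)   # injective pad (assumption)
        outer = bytes(a ^ b for a, b in zip(padded, self.state[:RATE]))
        self.state = toy_permutation(outer + self.state[RATE:])    # capacity part untouched
        return self.state[:RATE]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    d = Duplex()
    z = d.duplex(key + nonce)            # sigma_0 = key || nonce  ->  Z_0
    ct = b""
    for p in _blocks(plaintext):
        ct += _xor(p, z)                 # C_i = P_i XOR Z_{i-1}
        z = d.duplex(p)                  # absorb sigma_i = P_i    ->  Z_i
    return ct, z[:TAG_LEN]               # Z_n (truncated) is the tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes):
    d = Duplex()
    z = d.duplex(key + nonce)
    pt = b""
    for c in _blocks(ciphertext):
        p = _xor(c, z)                   # P_i = C_i XOR Z_{i-1}
        pt += p
        z = d.duplex(p)                  # the receiver absorbs the recovered plaintext
    if not hmac.compare_digest(z[:TAG_LEN], tag):
        return None                      # never hand out plaintext on a failed tag
    return pt


if __name__ == "__main__":
    key, nonce = bytes(range(16)), b"\x00" * 8          # constructed sample values
    ct, tag = encrypt(key, nonce, b"attack at dawn, then again at dusk")
    print(ct.hex(), tag.hex())
    print(decrypt(key, nonce, ct, tag))
```

Because the receiver absorbs the plaintext it just recovered, a single flipped ciphertext byte changes every later Z_i and the tag; the tag check therefore covers the whole message in one pass, which is the "single-pass" property of the construction. The nonce caveat applies verbatim: two messages under the same key and nonce share Z0, so their first blocks XOR together.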
A new multiyear competition to produce authenticated encryption algorithms was announced in January 2013:
Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR)