Australasian Conference on Information Security and Privacy (ACISP 2007); 20070702-04; Townsville (AU)

'Sandwich' Is Indeed Secure: How to Authenticate a Message with Just One Hashing

Abstract

This paper shows that the classical "Sandwich" method, which prepends and appends a key to a message and then hashes the data using Merkle-Damgård iteration, does indeed provide a secure Message Authentication Code (MAC). The Sandwich construction offers a single-key MAC which can use the existing Merkle-Damgård implementation of hash functions as is, without direct access to the compression function. Hence the Sandwich approach gives us an alternative to HMAC, particularly in situations where the message size is small and high performance is required, because the Sandwich scheme is more efficient than HMAC: it consumes only two blocks of "waste" rather than three as in HMAC, and it calls the hash function only once, whereas HMAC requires two invocations of the hash function. The security result for the Sandwich method is similar to that of HMAC; namely, we prove that the Sandwich construction yields a PRF (pseudo-random function)-based MAC, provided that the underlying compression function satisfies PRF properties. In theory, the security reduction of the Sandwich scheme is roughly equivalent to that of HMAC, but in practice the requirements on the underlying compression function look quite different. Also, the security of the Sandwich construction relies heavily on the filling and padding methods applied to the data, and we show several ways of optimizing them without losing a formal proof of security.