Weak collision-resistance for variable input length can imply collision-resistance for fixed input length

摘要

HMAC and NMAC are well-known message authentication functions based on cryptographic hash functions such as SHA. HMAC is a modified practical version of NMAC and has not been given any provable security. On the other hand, NMAC is shown to be a message authentication code if its compression function with fixed input length is a message authentication code and its iterated hash function with variable input length constructed with the compression function is weak collision-resistant. In this article, two results are shown on the strength of weak collision-resistance of the iterated hash function in NMAC. First, it is shown that weak collision-resistance of the iterated hash function in NMAC is not implied by pseudorandomness of its compression function even if the MD-strengthening is assumed. Second, weak collision-resistance of the iterated hash function in NMAC implies collision-resistance of its compression function if the compression function is pseudorandom.