
Keyword Search Result

[Keyword] PMAC(2hit)

1-2hit
  • Cryptanalyses on a Merkle-Damgård Based MAC — Almost Universal Forgery and Distinguishing-H Attacks

    Yu SASAKI  

     
    PAPER-Symmetric Key Based Cryptography

    Vol: E97-A No: 1
    Page(s): 167-176

    This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K||l||M) with a shared key K and the message length l. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiated with any narrow-pipe Merkle-Damgård hash function with O(2^{n/2}) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiated with a secure hash function should resist the distinguishing-H attack up to 2^n queries. In fact, all of the previous distinguishing-H attacks were dedicated attacks depending on the underlying hash algorithm, and in most cases reduced rounds were attacked with a complexity between 2^{n/2} and 2^n. Because our attack is generic, it updates these results: full rounds are attacked with O(2^{n/2}) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2^{n/2}) queries. These results show that the length-prepending scheme is not enough to achieve a secure MAC.

  • A Parallelizable PRF-Based MAC Algorithm: Well beyond the Birthday Bound

    Kan YASUDA  

     
    LETTER

    Vol: E96-A No: 1
    Page(s): 237-241

    In this note we suggest a new parallelizable mode of operation for message authentication codes (MACs). The new MAC algorithm iterates a pseudo-random function (PRF) F_K: {0,1}^m → {0,1}^n, where K is a key and m, n are positive integers such that m ≥ 2n. The new construction is an improvement over a sequential MAC algorithm presented at FSE 2008, solving positively an open problem posed in the paper – the new mode is capable of fully parallel execution while achieving rate-1 efficiency and “full n-bit” security. Interestingly enough, PMAC-like parallel structure, rather than CBC-like serial iteration, has beneficial side effects on security. That is, the new construction is provided with a more straightforward security proof and with an even better (“-free”) security bound than the FSE 2008 construction.