What are the consequences of a MAC tag collision?

Question

I've seen some proofs of MAC security that are based on the extremely-unlikely event that two MAC tags collide (ie, they are equal for distinct messages). Suppose that this extremely unlikely event occurs, then what? Can we forge arbitrarily more messages with this same tag? With ANY tag? Or even better, do we get the MAC key?

Answer 1

Whether we get any information from a MAC collision rather depends on the details of the MAC.

HMAC is one extreme. If you happen to find a collision (that is, two distinct messages that happen to MAC to the same value), well, that doesn't tell you very much. We don't know how to use that to generate any more collisions, or to gain any information on the key.

MACs based on universal hashes (UMAC) are on the other extreme; in these MACs, the message is sent through a universal hash primitive (which takes a key, and has the property that any two distinct messages hash to the same value for only a small number of keys), and then that hash is protected with some cryptographical primitive. These types of MACs typically take a nonce; two messages with two nonces that hash to the same value is generally harmless; however, if you MAC two messages with the same nonce and they evaluate to the same value, that usually means that the result of the universal hash happened to be the same, and that gives the attacker information about the key used in the universal hash; usually enough for the attacker to generate second preimages for other messages. Also, with some MACs of this type, sometimes it is not necessary for the two messages to have the same MAC, the fact that the attacker knows the messages and MAC values based on the same nonce may be sufficient.

CMAC and XCBC are similar to the UMAC case (even though a universal hash is not involved); if you find two messages that have the same CMAC value, it is likely that a simple length-extension to the two messages will allow the attacker to create other pairs of messages with the same MAC. However, this observation gives no information about the CMAC key; whether this is actually useful in practice depends on whether those length-extended messages happen to be something the attacker can use.