Is there any good attack model of HMAC?

Question

Are there any good attack models of HMAC? Like how it can be attacked? If there are any possible attacks of HMAC I would be happy to know about it.

Answer 1

HMAC as message authentication code should be resistant to existential forgery under chosen message attack, this is known as EUF-CMA.

HMAC as a pseudo-random function should be resistant to distinguishing attack under, again, chosen message attack, which is known as IND-CMA.

I'm quite certain about the MAC part, but I'm not absolutely confident about PRF part. I don't know good references on this, feel free to add to here.

Answer 2

Beyond brute force and plain key leak, the only plausible attacks against HMAC are attacks on implementations.

One is: Sonia Belaïd, Luk Bettale, Emmanuelle Dottax, Laurie Genelle, Franck Rondepierre: Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model, in proceedings of SECRYPT 2013.

Another is a generic key search using fault injection, which finds an $n$-bit MAC key in $n+1$ queries (regardless of algorithm), assuming a device computes and outputs the (H)MAC of a fixed message; that device copies the key from long term storage (e.g. Flash) to RAM sequentially at each MAC computation; and (that's the difficult point) an attacker can replace a bit of their choice(s) with zero during that transfer (e.g. by laser illumination of the right location at the right instant in the execution). To find a key bit, the attacker compares the MAC with and without the replacement.