Security analysis of the message authenticator algorithm (MAA)

The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731-2), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 2 17 messages of 256 kbytes or 2 24 messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 2 32 chosen texts consisting of a single message block. The number of off-line multiplications for this attack varies between 2 44 for one key in 1000 to about 2 51 for one key in 50. This should be compared to about 3.2 65 multiplications for an exhaustive key search. Finally it is shown that MAA has 2 33 keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 2 27 chosen texts. From these attacks follows the identification of several classes of weak keys for MAA.

[1]  Bart Preneel,et al.  On the Security of Two MAC Algorithms , 1996, EUROCRYPT.

[2]  Lars R. Knudsen,et al.  Chosen-text attack on CBC-MAC , 1997 .

[3]  Xuejia Lai,et al.  Markov Ciphers and Differential Cryptanalysis , 1991, EUROCRYPT.

[4]  Bart Preneel,et al.  RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[5]  W. Feller,et al.  An Introduction to Probability Theory and Its Applications, Vol. 1 , 1967 .

[6]  Matthew J. Weiner,et al.  Efficient DES Key Search , 1994 .

[7]  Phillip Rogaway,et al.  Bucket Hashing and Its Application to Fast Message Authentication , 1995, Journal of Cryptology.

[8]  Hugo Krawczyk,et al.  LFSR-based Hashing and Authentication , 1994, CRYPTO.

[9]  Hugo Krawczyk,et al.  MMH: Software Message Authentication in the Gbit/Second Rates , 1997, FSE.

[10]  Mitsuru Matsui,et al.  The First Experimental Cryptanalysis of the Data Encryption Standard , 1994, CRYPTO.

[11]  Thomas Johansson,et al.  On the Relation between A-Codes and Codes Correcting Independent Errors , 1994, EUROCRYPT.

[12]  Mihir Bellare,et al.  XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions , 1995, CRYPTO.

[13]  Eli Biham,et al.  Differential Cryptanalysis of the Data Encryption Standard , 1993, Springer New York.

[14]  Bart Preneel,et al.  On the Security of Iterated Message Authentication Codes , 1999, IEEE Trans. Inf. Theory.

[15]  Bart Preneel,et al.  Key recovery attack on ANSI X9.19 retail MAC , 1996 .

[16]  Feller William,et al.  An Introduction To Probability Theory And Its Applications , 1950 .

[17]  Willi Meier,et al.  Cryptographic Significance of the Carry for Ciphers Based on Integer Addition , 1990, CRYPTO.

[18]  Donald W. Davies,et al.  A Message Authenticator Algorithm Suitable for A Mainframe Computer , 1985, CRYPTO.

[19]  Mihir Bellare,et al.  The Security of Cipher Block Chaining , 1994, CRYPTO.

[20]  Bart Preneel,et al.  MDx-MAC and Building Fast MACs from Hash Functions , 1995, CRYPTO.

[21]  Gustavus J. Simmons,et al.  Contemporary Cryptology: The Science of Information Integrity , 1994 .

[22]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[23]  Gustavus J. Simmons,et al.  A survey of information authentication , 1988, Proc. IEEE.

[24]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.