Partial Key Recovery Attack Against RMAC

In this paper, new “partial” key recovery attacks against RMAC, a block-cipher-based Message Authentication Code scheme, are described. That is, we describe attacks that, in some cases, recover one of the two RMAC keys much more efficiently than previously described attacks. Although all but one of the attacks pose no major threat in practice, in some cases there is reason for concern. In particular, the recovery of the second RMAC key (of k bits) may only require around 2^(k/2) block cipher operations (encryptions or decryptions). The RMAC implementation using triple DES proposed by NIST is shown to be very weak.
