Advances in Cryptology - CRYPTO 2009

Volume 5677 of the series Lecture Notes in Computer Science pp 209-230

New Birthday Attacks on Some MACs Based on Block Ciphers

  • Zheng Yuan (Institute for Advanced Study, Tsinghua University; Beijing University of Posts and Telecommunications)
  • Wei Wang (Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University)
  • Keting Jia (Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University)
  • Guangwu Xu (Department of Electrical Engineering and Computer Science, University of Wisconsin-Milwaukee)
  • Xiaoyun Wang (Institute for Advanced Study, Tsinghua University; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University)

Abstract

This paper develops several new techniques of cryptanalyzing MACs based on block ciphers, and is divided into two parts.

The first part presents new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads to a forgery attack directly with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about $2^{65.5}$ chosen messages and $2^{65.5}$ queries. One of the most important results is to use this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on Alred construction can be applied to the MACs based on CBC and CFB encryption modes.

The second part describes the first impossible differential attack on MACs: Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce the inner near-collision with some specific differences are detected, then the impossible differential attack on 4-round AES to the above mentioned MACs is performed. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is $2^{85.5}$ chosen messages and $2^{85.5}$ queries. For PC-MAC-AES, we recover its 256-bit key with $2^{85.5}$ chosen messages and $2^{128}$ queries.

Keywords

MAC, Birthday attack, Distinguishing attack, Forgery attack, Impossible differential cryptanalysis, AES