New Attacks against Standardized MACs

  • Antoine Joux
  • Guillaume Poupard
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


In this paper, we revisit the security of several message authentication code (MAC) algorithms based on block ciphers, when instantiated with 64-bit block ciphers such as DES. We essentially focus on algorithms that were proposed in the norm ISO/IEC 9797–1. We consider both forgery attacks and key recovery attacks. Our results improve upon the previously known attacks and show that all algorithms but one proposed in this norm can be broken by obtaining at most about 233 MACs of chosen messages and performing an exhaustive search of the same order as the search for a single DES key.


Exhaustive Search Block Cipher Giant Component Forgery Attack Double Collision 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    ANSIX9.19, American National Standard–Financial institution retail message authentication (1986)Google Scholar
  2. 2.
    ANSIX9.9, American National Standard–Financial institution message authentication (wholesale) (1982) (Revised in 1986)Google Scholar
  3. 3.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of the Cipher Block Chaining Message Authentication Code. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 362–399. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Bollobás, B.: Random Graphs. Academic Press, New York (1985)zbMATHGoogle Scholar
  5. 5.
    Coppersmith, D., Knudsen, L.R., Mitchell, C.J.: Key recovery and forgery attacks on the MacDES MAC algorithm. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 184–196. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Coppersmith, D., Mitchell, C.J.: Attacks on MacDES MAC algorithm. Electronic Letters 35, 1626–1627 (1999)CrossRefGoogle Scholar
  7. 7.
    ISO/IEC 9797–1, Information technology–Security techniques–Message Authentication Codes (MACs)–Part 1: Mechanisms using a block cipher (1999)Google Scholar
  8. 8.
    Janson, S., Łuczak, T., Ruciński, A.: Random Graphs. John Wiley, New York (1999)Google Scholar
  9. 9.
    Knudsen, L.R., Preneel, B.: MacDES: MAC algorithm based on DES. Electronic Letters 34, 871–873 (1998)CrossRefGoogle Scholar
  10. 10.
    NIST. Computer Data Authentication, Federal Information Processing Standards PUBlication 113 (May 1985)Google Scholar
  11. 11.
    NIST. Recommendation for Block Cipher Modes of Operation: The RMAC Authentication Mode, NIST Special Publication 800-38B (November 2002)Google Scholar
  12. 12.
    Preneel, B., van Oorschot, P.C.: On the security of iterated Message Authentication Codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Antoine Joux
    • 1
  • Guillaume Poupard
    • 1
  • Jacques Stern
    • 2
  1. 1.DCSSI Crypto LabParis 07France
  2. 2.Département d’InformatiqueEcole normale supérieureParis Cedex 05France

Personalised recommendations