Distinguishing and Second-Preimage Attacks on CBC-Like MACs

  • Keting Jia
  • Xiaoyun Wang
  • Zheng Yuan
  • Guangwu Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5888)


This paper first presents a new distinguishing attack on the CBC-MAC structure based on block ciphers in cipher block chaining (CBC) mode. This attack detects a CBC-like MAC from random functions. The second result of this paper is a second-preimage attack on the CBC-MAC, which is an extension of the attack of Brincat and Mitchell. The attack also covers MT-MAC, PMAC and MACs with three-key enciphered CBC mode. Instead of exhaustive search, both types of attacks are of birthday attack complexity.


CBC MAC Distinguishing attack Second preimage attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ANSI X9.9 (revised): Financial Institution Message Authentication (wholesale), American Bankers Association (1986)Google Scholar
  2. 2.
    ANSI X9.19: Financial Institution Retail Message Authentication, American Bankers Association (1986)Google Scholar
  3. 3.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of the Cipher Block Chaining Message Authentication Code. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Brincat, K., Mitchell, C.J.: New CBC-MAC Forgery Attacks. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 3–14. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Black, J., Rogaway, P.: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Black, J., Rogaway, P.: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Coppersmith, D., Knudsen, L.R., Mitchell, C.J.: Key Recovery and Forgery Attacks on the MacDES MAC Algorithm. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 184–196. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Coppersmith, D., Mitchell, C.J.: Attacks on MacDES MAC algorithm. Electronics Letters 35, 1626–1627 (1999)CrossRefGoogle Scholar
  10. 10.
    Dodis, Y., Pietrzak, K., Puniya, P.: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 198–219. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    ISO/IEC 9797–1, Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block cipher. International Organization for Standardization, Genève, Switzerland (1999)Google Scholar
  12. 12.
    Knudsen, L.R.: Chosen-text Attack on CBC-MAC. Electronic Letters 33(1) (1997)Google Scholar
  13. 13.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)Google Scholar
  14. 14.
    Kurosawa, K., Iwata, T.: TMAC: Two-Key CBC MAC. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 265–273. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Minematsu, K., Tsunoo, Y.: Provably Secure MACs from Differentially-Uniform Permutations and AES-Based Implementations. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 226–241. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    NIST, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B (2005)Google Scholar
  17. 17.
    Preneel, B., Knudsen, L.R.: MacDES: MAC algorithm based on DES. Electronic Letters 33(1) (1997)Google Scholar
  18. 18.
    Preneel, B., van Oorschot, P.C.: MDx-MAC and Building Fast MACs from Hash Functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)Google Scholar
  19. 19.
    Preneel, B., van Oorschot, P.C.: Key Recovery Attack on ANSI X9.19 Retail MAC. Electronic Letters 32(17) (1996)Google Scholar
  20. 20.
    Petrank, E., Rackoff, C.: CBC MAC for Real-Time Data Sources. J. Cryptology 13(3), 315–338 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Wang, X., Wang, W., Jia, K., Wang, M.: New Distinguishing Attack on MAC using Secret-Prefix Method. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 363–374. Springer, Heidelberg (2009)Google Scholar
  22. 22.
    Wang, X., Yu, H., Wang, W., Zhang, H., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 121–133. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  23. 23.
    Yuan, Z., Jia, K., Wang, W., Wang, X.: Distinguishing and Forgery Attacks on Alred and Its AES-based Instance Alpha-MAC (2008),
  24. 24.
    Yuval, G.: How to Swindle Rabin. Cryptologia 3, 187–189 (1979)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Keting Jia
    • 1
  • Xiaoyun Wang
    • 1
    • 2
  • Zheng Yuan
    • 2
    • 3
  • Guangwu Xu
    • 2
    • 4
  1. 1.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  2. 2.Institute for Advanced StudyTsinghua UniversityBeijingChina
  3. 3.Beijing Electronic Science and Technology InstituteBeijingChina
  4. 4.Department of Electrical Engineering and Computer ScienceUniversity of Wisconsin-MilwaukeeUSA

Personalised recommendations