New Birthday Attacks on Some MACs Based on Block Ciphers
Lecture Notes in Computer Science
This paper develops several new techniques for cryptanalyzing MACs based on block ciphers, and is divided into two parts. The first part presents new distinguishers for the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads directly to a forgery attack with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about 2^{65.5} chosen messages and 2^{65.5} queries. One of the most important results is the use of this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on the Alred construction can be applied to MACs based on the CBC and CFB encryption modes. The second part describes the first impossible differential attacks on the MACs Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce an inner near-collision with some specific differences are detected; then the impossible differential attack on 4-round AES is applied to the above MACs. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is 2^{85.5} chosen messages and 2^{85.5} queries. For PC-MAC-AES, we recover its 256-bit key with 2^{85.5} chosen messages and 2^{128} queries.

A Message Authentication Code (MAC) is a fixed-length value used to ensure data integrity and authenticity, and is widely used in network and security protocols such as IPsec, SNMP, and SSL/TLS. A MAC algorithm takes a secret key and a message of arbitrary length as input and outputs a short digest. MAC algorithms have been constructed using various approaches, for example CBC-MAC, OMAC, TMAC, HMAC/NMAC, etc. The MAC construction Alred was introduced by Daemen and Rijmen. Alred is an iterative MAC construction using reduced block ciphers as iteration functions. The secret key, which is used as the key of the block cipher, is applied in the initialization and the finalization, respectively. The internal state is updated by consecutive injections of message blocks. Alpha-MAC is an efficient instance of Alred based on AES. Since AES is widely used in practice, Alpha-MAC can be easily implemented.
In terms of performance, Alpha-MAC is 2.5 times faster than the popular CBC-MAC with AES. It was proved that the Alred construction is as strong as the underlying block cipher with respect to key recovery attacks and any forgery attacks not involving inner collisions. Moreover, for Alpha-MAC, any colliding messages of the same size have to be at least 5 blocks long. Recently, Huang et al. exploited the algebraic properties of AES, constructed internal collisions, and found second preimages for Alpha-MAC under the assumption that a key or an internal state is known. Biryukov et al. proposed a side-channel collision attack on Alpha-MAC which recovered its internal state, and mounted a selective forgery attack. The main contribution of this part is to present novel distinguishing attacks on the Alred construction and Alpha-MAC, which lead directly to forgery attacks. More importantly, the distinguishing attack on Alpha-MAC can be applied to recover the internal state, and results in a second preimage attack. There are two kinds of distinguishing attacks on MACs. Preneel and van Oorschot introduced a general distinguishing attack to identify iterated MACs from a random function. Using the birthday paradox, the adversary can detect an internal collision by appending the same one-block message to both colliding messages. Another kind of attack was suggested by Kim et al., which distinguishes the cryptographic primitive embedded in a MAC construction from a random function. Recently, new techniques to identify the underlying hash functions of MACs were proposed [19, 20]. For example, distinguishing attacks on HMAC/NMAC-MD5 and MD5-MAC were proposed there. The inner near-collisions used in the distinguisher reveal more information than inner collisions. In the same work, they were able to recover part of the subkey of MD5-MAC as well.
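As an added illustration, not code from the paper, of the Alred structure (initialization and finalization under the key, state updated by message-block injection) and of the Preneel-van Oorschot birthday distinguisher: a toy Alred-style MAC with a 20-bit state, a birthday search that confirms a tag collision is an internal collision by appending a common block, and the forgery that follows. The round bijection, the hash-based stand-in for E_k (a random function here, so some tag collisions are not internal and the append check is needed) and the key are all constructed for the example; the real Alpha-MAC state is 128 bits, which is what makes the 2^{64} birthday bound matter.

```python
import hashlib
import math
import random

STATE_BITS = 20              # toy state width; Alpha-MAC's real state is 128 bits
MASK = (1 << STATE_BITS) - 1

def perm(x: int) -> int:
    """Fixed bijection on the toy state: stand-in for one reduced AES round."""
    x = (x * 0x9E3779B1) & MASK    # odd multiplier: invertible mod 2^STATE_BITS
    x ^= x >> 7                    # xorshift: invertible
    x = (x * 0x85EBCA77) & MASK
    x ^= x >> 11
    return x

def e_k(key: bytes, x: int) -> int:
    """Constructed keyed stand-in for E_k (random function, not a permutation)."""
    d = hashlib.sha256(key + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") & MASK

def toy_alred_mac(key: bytes, blocks) -> int:
    state = e_k(key, 0)                    # initialization: encrypt a constant under K
    for b in blocks:
        state = perm(state ^ (b & MASK))   # inject message block, apply one round
    return e_k(key, state)                 # finalization: encrypt the state under K

def birthday_bound() -> float:
    """Expected random messages before the first internal-state collision."""
    return math.sqrt(math.pi / 2 * (1 << STATE_BITS))

def birthday_internal_collision(key: bytes, seed: int = 1):
    """Random 2-block messages until a tag collision survives a common suffix,
    which is what identifies it as an internal (state) collision."""
    rng = random.Random(seed)
    seen, queries = {}, 0
    probe = rng.randrange(1 << STATE_BITS)
    while True:
        m = (rng.randrange(1 << STATE_BITS), rng.randrange(1 << STATE_BITS))
        t = toy_alred_mac(key, m); queries += 1
        m2 = seen.setdefault(t, m)
        if m2 != m:
            queries += 2   # two more oracle queries to confirm the collision
            if toy_alred_mac(key, m + (probe,)) == toy_alred_mac(key, m2 + (probe,)):
                return m, m2, queries

def forge(key: bytes, m, m2, suffix):
    """With an internal collision (m, m2), one query on m||suffix yields the
    valid tag of the never-queried message m2||suffix."""
    return toy_alred_mac(key, m + suffix)
```

On this toy state the search finishes in roughly birthday_bound() messages; scaling STATE_BITS to 128 turns the same loop into the 2^{64} query count that the generic attack costs against Alpha-MAC.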