{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,13]],"date-time":"2025-05-13T02:43:11Z","timestamp":1747104191643},"reference-count":32,"publisher":"Wiley","issue":"5","license":[{"start":{"date-parts":[[2008,9,12]],"date-time":"2008-09-12T00:00:00Z","timestamp":1221177600000},"content-version":"vor","delay-in-days":4029,"URL":"http:\/\/onlinelibrary.wiley.com\/termsAndConditions#vor"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Trans Emerging Tel Tech"],"published-print":{"date-parts":[[1997,9]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731\u20102), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 2<jats:sup>17<\/jats:sup> messages of 256 kbytes or 2<jats:sup>24<\/jats:sup> messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 2<jats:sup>32<\/jats:sup> chosen texts consisting of a single message block. The number of off\u2010line multiplications for this attack varies between 2<jats:sup>44<\/jats:sup> for one key in 1000 to about 2<jats:sup>51<\/jats:sup> for one key in 50. This should be compared to about 3 2<jats:sup>65<\/jats:sup>multiplications for an exhaustive key search. Finally it is shown that MAA has 2<jats:sup>33<\/jats:sup> keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 2<jats:sup>27<\/jats:sup> chosen texts. From these attacks follows me identification of several classes of weak keys for MAA.<\/jats:p>","DOI":"10.1002\/ett.4460080504","type":"journal-article","created":{"date-parts":[[2008,9,12]],"date-time":"2008-09-12T14:47:25Z","timestamp":1221230845000},"page":"455-470","source":"Crossref","is-referenced-by-count":16,"title":["Security analysis of the message authenticator algorithm (MAA)"],"prefix":"10.1002","volume":"8","author":[{"given":"Bart","family":"Preneel","sequence":"first","affiliation":[]},{"given":"Vincent","family":"Rumen","sequence":"additional","affiliation":[]},{"given":"Paul C.","family":"Van Oorschot","sequence":"additional","affiliation":[]}],"member":"311","published-online":{"date-parts":[[2008,9,12]]},"reference":[{"key":"e_1_2_1_2_2","unstructured":"ANSI X9.9 (revised):Financial institution message authentication (wholesale).American Bankers Association. April 7 1986."},{"key":"e_1_2_1_3_2","unstructured":"ANSI X9.19:Financial institution retail message authentication.American Bankers Association August 13.1986."},{"key":"e_1_2_1_4_2","doi-asserted-by":"crossref","unstructured":"M.Bellare J.Kilian P.Rogaway:The security of cipher block chaininq. Proc. Crypto \u203294 LNCS 839 Springer\u2010Verlag 1994 p.341\u2013358.","DOI":"10.1007\/3-540-48658-5_32"},{"key":"e_1_2_1_5_2","doi-asserted-by":"crossref","unstructured":"M.Bellare R.Gu\u00e9rin P.Rogaway:XOR MACs: new methods for message authentication using block ciphers. Proc. Crypto\u203295 LNCS 963 Springer\u2010Verlag 1995 p.15\u201328.","DOI":"10.1007\/3-540-44750-4_2"},{"key":"e_1_2_1_6_2","unstructured":"M.Bellare R.Canetti H.Krawczyk:How to key Merkle\u2010Cascaded pseudo\u2010randomness and its concrete security.10 November1995 http:\/\/www.research.ibm.com\/security\/"},{"key":"e_1_2_1_7_2","doi-asserted-by":"crossref","unstructured":"M.Bellare R.Canetti H.Krawczyk Keying hash functions for message authentication Proc. Crypto\u203296 LNCS 1109 Springer\u2010Verlag 1996 p. 1\u201315. Full version:http:\/\/www.\u2010research.ibm.com\/security\/","DOI":"10.1007\/3-540-68697-5_1"},{"key":"e_1_2_1_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4613-9314-6"},{"key":"e_1_2_1_9_2","unstructured":"H.Block:File authentication: A rule for constructing algorithms. SAKdata Report October 12 1983."},{"issue":"1","key":"e_1_2_1_10_2","first-page":"24","article-title":"The RlPEMD\u2010160 cryptographic hash function","volume":"22","author":"Bosselaers A.","year":"1997","journal-title":"Dr. Dobb's Journal"},{"key":"e_1_2_1_11_2","doi-asserted-by":"crossref","unstructured":"D.Davies:A message authenticator algorithm suitable for a mainframe computer. Proc. Crypto\u203284 LNCS 196 Springer\u2010Verlag 1985 p.393\u2013400.","DOI":"10.1007\/3-540-39568-7_30"},{"key":"e_1_2_1_12_2","unstructured":"D.Davies D. O.Clayden:The message authenticator algorithm (MAA) and its implementation. NPL Report D1TC 109\/88 Feb.1988."},{"key":"e_1_2_1_13_2","volume-title":"Security for Computer Networks","author":"Davies D.","year":"1989"},{"key":"e_1_2_1_14_2","volume-title":"An Introduction to Probability Theory and Its Applications","author":"Feller W.","year":"1968"},{"key":"e_1_2_1_15_2","unstructured":"FIPS 46:Data encryption standard. NBS U.S. Department of Commerce Washington D.C. Jan.1977."},{"key":"e_1_2_1_16_2","unstructured":"FIPS 180\u20101:Secure hash standard. NIST US Department of Commerce Washington D.C. April1995."},{"key":"e_1_2_1_17_2","unstructured":"ISO 8731:1987.Banking \u2010 approved algorithms for message authentication Part 1 DEA. IS 8731\u20101. Part 2. Message Authentication Algorithm. (MAA). IS 8731\u20102."},{"key":"e_1_2_1_18_2","unstructured":"1SO\/IEC 9797:1993:Information technology? Data cryptographic techniques \u2010 Data integrity mechanisms using a cryptographic check function employing a block cipher algorithm."},{"key":"e_1_2_1_19_2","doi-asserted-by":"crossref","unstructured":"T.Johansson G.Kabatianskii B.Smeets:On the relation between A\u2010codes and codes correcting independent errors. Proc. Eurocrypt\u203293 LNCS 765 Springer\u2010Verlag 1994 p.1\u201311.","DOI":"10.1007\/3-540-48285-7_1"},{"key":"e_1_2_1_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0052345"},{"key":"e_1_2_1_21_2","doi-asserted-by":"publisher","DOI":"10.1049\/el:19970028"},{"key":"e_1_2_1_22_2","doi-asserted-by":"crossref","unstructured":"H.Krawczyk:LFSR\u2010based hashing and authentication. Proc. Crypto\u203294 LNCS 839 Springer\u2010Verlag 1994 p.129\u2013139.","DOI":"10.1007\/3-540-48658-5_15"},{"key":"e_1_2_1_23_2","doi-asserted-by":"crossref","unstructured":"X.Lai J. L.Massey S.Murphy:Markov ciphers and differential cryptanalysis. Proc. Eurocrypt\u203291 LNCS 547 Springer\u2010Verlag 1991 p.17\u201338.","DOI":"10.1007\/3-540-46416-6_2"},{"key":"e_1_2_1_24_2","doi-asserted-by":"crossref","unstructured":"M.Matsui:The first experimental cryptanalysis of the Data Encryption Standard. Proc. Crypto\u203294 LNCS 839 Springer\u2010Verlag 1994 p.1\u201311.","DOI":"10.1007\/3-540-48658-5_1"},{"key":"e_1_2_1_25_2","doi-asserted-by":"crossref","unstructured":"B.Preneel P. C.van Oorschot:MDx\u2010MAC and building fast MACs from hash functions. Proc. Crypto\u203295 LNCS 963 Springer\u2010Verlag 1995 p.1\u201314.","DOI":"10.1007\/3-540-44750-4_1"},{"key":"e_1_2_1_26_2","doi-asserted-by":"crossref","unstructured":"B.Preneel P. C.van Oorschot:On the security of two MAC algorithms. Proc. Eurocrypt\u203296 LNCS 1070 Springer\u2010Verlag 1996 p.19\u201332.","DOI":"10.1007\/3-540-68339-9_3"},{"key":"e_1_2_1_27_2","doi-asserted-by":"publisher","DOI":"10.1049\/el:19961045"},{"key":"e_1_2_1_28_2","unstructured":"B.Preneel P. C.van Oorschot:On the security of iterated message authentication codes. Submitted June1996."},{"key":"e_1_2_1_29_2","doi-asserted-by":"crossref","unstructured":"P.Rogaway:Bucket hashing and its application to fast message authentication. Proc. Crypto\u203295 LNCS 963 Springer\u2010Verlag 1995 p.29\u201342.","DOI":"10.1007\/3-540-44750-4_3"},{"key":"e_1_2_1_30_2","first-page":"381","volume-title":"Contemporary Cryptology: The Science of Information Integrity","author":"Simmons G. J.","year":"1991"},{"key":"e_1_2_1_31_2","unstructured":"O.Staffelbach W.Meier:Cryptographic significance of the carry for ciphers based on integer addition. Proc. Crypto\u203290 LNCS 537 Springer\u2010Verlag 1991 p.601\u2013615."},{"key":"e_1_2_1_32_2","doi-asserted-by":"publisher","DOI":"10.1016\/0022-0000(81)90033-7"},{"key":"e_1_2_1_33_2","unstructured":"M. J.Wiener:Efficient DES key search. Technical Report TR\u2010244 School of Computer Science Carleton University Ottawa Canada May1994. Presented at the rump session of Crypto\u203293."}],"container-title":["European Transactions on Telecommunications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.wiley.com\/onlinelibrary\/tdm\/v1\/articles\/10.1002%2Fett.4460080504","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/ett.4460080504","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,10,28]],"date-time":"2023-10-28T07:50:09Z","timestamp":1698479409000},"score":1,"resource":{"primary":{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/10.1002\/ett.4460080504"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[1997,9]]},"references-count":32,"journal-issue":{"issue":"5","published-print":{"date-parts":[[1997,9]]}},"alternative-id":["10.1002\/ett.4460080504"],"URL":"https:\/\/doi.org\/10.1002\/ett.4460080504","archive":["Portico"],"relation":{},"ISSN":["1124-318X","1541-8251"],"issn-type":[{"value":"1124-318X","type":"print"},{"value":"1541-8251","type":"electronic"}],"subject":[],"published":{"date-parts":[[1997,9]]}}}