Security analysis of the message authenticator algorithm (MAA)

Abstract

The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731‐2), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 2¹⁷ messages of 256 kbytes or 2²⁴ messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 2³² chosen texts consisting of a single message block. The number of off‐line multiplications for this attack varies between 2⁴⁴ for one key in 1000 to about 2⁵¹ for one key in 50. This should be compared to about 3 2⁶⁵multiplications for an exhaustive key search. Finally it is shown that MAA has 2³³ keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 2²⁷ chosen texts. From these attacks follows me identification of several classes of weak keys for MAA.