Key recovery attacks on the RMAC, TMAC, and IACBC

Jaechul Sung, Deukjo Hong, Sangjin Lee

Research output: Contribution to journalArticle

6 Citations (Scopus)

Abstract

The RMAC[6] is a variant of CBC-MAC, which resists birthday attacks and gives provably full security. The RMAC uses 2k-bit keys and the size of the RMAC is 2n, where n is the size of underlying block cipher. The TMAC[10] is the improved MAC scheme of XCBC[4] such that it requires (k +n)-bit keys while the XCBC requires (k +2n)-bit keys. In this paper, we introduce trivial key recovery attack on the RMAC with about 2n computations, which is more realistic than the attacks in [9]. Also we give a new attack on the TMAC using about 2 n/2+1 texts, which can recover an (k + n)-bit key. However this attack can not be applied to the XCBC. Furthermore we analyzed the IACBC mode[8], which gives confidentiality and message integrity.

Original languageEnglish
Pages (from-to)265-273
Number of pages9
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2727 LNCS
DOIs
Publication statusPublished - 2003 Dec 1

Fingerprint

Key Recovery
Attack
Recovery
Block Cipher
Confidentiality
Resist
Integrity
Trivial

Keywords

  • CBC-MAC
  • IACBC
  • Key recovery attacks
  • Message authentication codes
  • Modes of operation
  • RMAC
  • TMAC
  • XCBC

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

@article{e9251a575a1a4b67882bde1fd3a8c860,
title = "Key recovery attacks on the RMAC, TMAC, and IACBC",
abstract = "The RMAC[6] is a variant of CBC-MAC, which resists birthday attacks and gives provably full security. The RMAC uses 2k-bit keys and the size of the RMAC is 2n, where n is the size of underlying block cipher. The TMAC[10] is the improved MAC scheme of XCBC[4] such that it requires (k +n)-bit keys while the XCBC requires (k +2n)-bit keys. In this paper, we introduce trivial key recovery attack on the RMAC with about 2n computations, which is more realistic than the attacks in [9]. Also we give a new attack on the TMAC using about 2 n/2+1 texts, which can recover an (k + n)-bit key. However this attack can not be applied to the XCBC. Furthermore we analyzed the IACBC mode[8], which gives confidentiality and message integrity.",
keywords = "CBC-MAC, IACBC, Key recovery attacks, Message authentication codes, Modes of operation, RMAC, TMAC, XCBC",
author = "Jaechul Sung and Deukjo Hong and Sangjin Lee",
year = "2003",
month = "12",
day = "1",
doi = "10.1007/3-540-45067-X_23",
language = "English",
volume = "2727 LNCS",
pages = "265--273",
journal = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Key recovery attacks on the RMAC, TMAC, and IACBC

AU - Sung, Jaechul

AU - Hong, Deukjo

AU - Lee, Sangjin

PY - 2003/12/1

Y1 - 2003/12/1

N2 - The RMAC[6] is a variant of CBC-MAC, which resists birthday attacks and gives provably full security. The RMAC uses 2k-bit keys and the size of the RMAC is 2n, where n is the size of underlying block cipher. The TMAC[10] is the improved MAC scheme of XCBC[4] such that it requires (k +n)-bit keys while the XCBC requires (k +2n)-bit keys. In this paper, we introduce trivial key recovery attack on the RMAC with about 2n computations, which is more realistic than the attacks in [9]. Also we give a new attack on the TMAC using about 2 n/2+1 texts, which can recover an (k + n)-bit key. However this attack can not be applied to the XCBC. Furthermore we analyzed the IACBC mode[8], which gives confidentiality and message integrity.

AB - The RMAC[6] is a variant of CBC-MAC, which resists birthday attacks and gives provably full security. The RMAC uses 2k-bit keys and the size of the RMAC is 2n, where n is the size of underlying block cipher. The TMAC[10] is the improved MAC scheme of XCBC[4] such that it requires (k +n)-bit keys while the XCBC requires (k +2n)-bit keys. In this paper, we introduce trivial key recovery attack on the RMAC with about 2n computations, which is more realistic than the attacks in [9]. Also we give a new attack on the TMAC using about 2 n/2+1 texts, which can recover an (k + n)-bit key. However this attack can not be applied to the XCBC. Furthermore we analyzed the IACBC mode[8], which gives confidentiality and message integrity.

KW - CBC-MAC

KW - IACBC

KW - Key recovery attacks

KW - Message authentication codes

KW - Modes of operation

KW - RMAC

KW - TMAC

KW - XCBC

UR - http://www.scopus.com/inward/record.url?scp=24944460529&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=24944460529&partnerID=8YFLogxK

U2 - 10.1007/3-540-45067-X_23

DO - 10.1007/3-540-45067-X_23

M3 - Article

AN - SCOPUS:24944460529

VL - 2727 LNCS

SP - 265

EP - 273

JO - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

JF - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SN - 0302-9743

ER -