Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm

The Message Authenticator Algorithm (MAA) is one of the first cryptographic functions for computing a Message Authentication Code. Between 1987 and 2001, the MAA was adopted in international standards (ISO 8730 and ISO 8731-2) to ensure the authenticity and integrity of banking transactions. In 1990 and 1991, three formal, yet non-executable, specifications of the MAA (in VDM, Z, and LOTOS) were developed at NPL. Since then, five formal executable specifications of the MAA (in LOTOS, LNT, and term rewrite systems) have been designed at INRIA Grenoble. This article provides an overview of the MAA and compares its formal specifications with respect to common-sense criteria, such as conciseness, readability, and efficiency of code generation.Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

Specifying a Cryptographical Protocol in Lustre and SCADE

We present SCADE and Lustre models of the Message Authenticator Algorithm (MAA), which is one of the first cryptographic functions for computing a message authentication code. The MAA was adopted between 1987 and 2001, in international standards (ISO 8730 and ISO 8731-2), to ensure the authenticity and integrity of banking transactions. This paper discusses the choices and the challenges of our MAA implementations. Our SCADE and Lustre models validate 201 official test vectors for the MAA.Comment: In Proceedings MARS 2020, arXiv:2004.12403. arXiv admin note: text overlap with arXiv:1703.0657

Security Analysis of the Message Authenticator Algorithm (MAA)

The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731-2), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 217 messages of 256 kbytes or 224 messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 232 chosen texts consisting of a single message block. The number of off-line multiplications for this attack varies between 244 for one key in 1000 to about 251 for one key in 50. This should be compared to about 3 · 265 multiplications for an exhaustive key search. Finally it is shown that MAA has 233 keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 227 chosen texts. From these attacks follows the identification of several classes of weak keys for MAA