Security analysis of the message authenticator algorithm (MAA)

The security of the ISO banking standard Message Authenticator Algorithm (ISO 87312), also known as MAA, is considered. The attacks, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 2 messages of 256 Kbytes or 2 messages of 1 Kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 2 chosen texts consisting of a single message block. The number of off-line multiplications for this attack varies between 2 for one key in 1000 to about 2 for one key in 50. This should be compared to about 3 · 2 multiplications for an exhaustive key search. Finally it is shown that MAA has 2 keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 2 chosen texts. From these attacks follows the identification of several classes of weak keys for MAA.