A new key recovery attack on the ANSI retail MAC

Chris J. Mitchell
Information Security Group, Royal Holloway, University of London
Egham, Surrey TW20 0EX, UK
c.mitchell@rhul.ac.uk

13th November 2002

Abstract

A new type of attack is introduced which takes advantage of MAC truncation to simplify key recovery attacks based on MAC verifications. One example of the attack is described which, in certain circumstances, enables a more efficient attack than was previously known to be launched against the ANSI retail MAC. The existence of this attack means that truncation for this MAC scheme should be used with greater care than was previously believed, and very short MACs should be avoided altogether.

1 Introduction

MACs, i.e. Message Authentication Codes, are a widely used method for protecting the integrity and guaranteeing the origin of transmitted messages and stored files. To use a MAC it is necessary for the sender and recipient of a message (or the creator and verifier of a stored file) to share a secret key $K$, chosen from some (large) keyspace. The data string to be protected, $D$ say, is input to a MAC function $f$, along with the secret key $K$, and the output is the MAC. We write $\mathrm{MAC} = f_K(D)$. The MAC is then sent or stored with the message.

1.1 The ANSI retail MAC

The ANSI retail MAC scheme [1], otherwise known as CBC-MAC-Y or ISO/IEC 9797-1 algorithm 3 [3], operates as follows. Suppose the underlying block cipher has $n$-bit blocks and uses a key of $k$ bits. If $X$ is an $n$-bit block then we write $e_K(X)$ (or $d_K(X)$) for the block cipher encryption (or
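The following is an added example, not code from the paper, showing the ANSI retail MAC (ISO/IEC 9797-1 algorithm 3) with the $e_K$/$d_K$ notation above, including truncation of the tag to $m$ bits. It assumes the standard algorithm 3 output transformation (CBC-MAC under $K_1$, final block decrypted under $K_2$ and re-encrypted under $K_1$, which the page's own description is cut off before reaching), padding method 1 (append zero bits), and a constructed toy Feistel cipher standing in for DES so that it runs with the standard library only.

```python
import hashlib
import hmac

BLOCK = 8  # n = 64-bit blocks, the DES block size the retail MAC is normally used with

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Constructed round function for the toy cipher (demo only, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """e_K(X): an 8-round Feistel permutation standing in for the block cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """d_K(X): inverse of toy_encrypt (rounds applied in reverse order)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def retail_mac(k1: bytes, k2: bytes, data: bytes, m_bits: int = 64) -> bytes:
    """ISO/IEC 9797-1 algorithm 3 (ANSI retail MAC), truncated to the leftmost m_bits.

    Assumption: CBC-MAC chain under K1, then e_K1(d_K2(H_q)) as the output
    transformation, with padding method 1 (zero padding to a block multiple).
    """
    if m_bits % 8 or not 8 <= m_bits <= 8 * BLOCK:
        raise ValueError("m_bits must be a multiple of 8 between 8 and n")
    padded = data + b"\x00" * (-len(data) % BLOCK) or bytes(BLOCK)
    h = bytes(BLOCK)
    for i in range(0, len(padded), BLOCK):
        h = toy_encrypt(k1, _xor(h, padded[i:i + BLOCK]))
    full_tag = toy_encrypt(k1, toy_decrypt(k2, h))
    return full_tag[: m_bits // 8]

def verify(k1: bytes, k2: bytes, data: bytes, tag: bytes) -> bool:
    """Accept iff tag equals the MAC truncated to len(tag) (constant-time compare).

    Each accept/reject answer is one 'MAC verification' of the kind the paper's
    attack counts; a random m-bit tag is accepted with probability 2^-m, which is
    why the abstract warns against very short MACs.
    """
    return hmac.compare_digest(retail_mac(k1, k2, data, 8 * len(tag)), tag)
```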