. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDx-MAC) is proposed for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...

We consider the security of two message authentication code �MAC � algorithms� the MD5�based envelope method �RFC 1828� � and the banking standard MAA �ISO 8731�2�. Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method � the forgery attack is extended to allow key recovery� for example � a 128�bit key can be recovered using 2 67 known text�MAC pairs and time plus 2 13 chosen texts. For MAA � internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm�s internal structure � the number of chosen texts �each 256 Kbyte long � for a forgery can be reduced by two orders of magnitude � e.g. from 2 24 to 2 17. Moreover � certain internal collisions allow key recovery � and weak keys for MAA are identi�ed. 1

Abstract. This paper compares the parameters sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood. 1

We propose a new mode of multiple encryption, namely "Triple DES cipher block chaining with output feedback masking." The aim is to provide strong protection against certain attacks ("dictionary attacks" and "matching ciphertext attacks") which exploit the DES blocksize of 64 bits. The new mode obtains this protection through the introduction of secret masking values that are Exclusive-ORed with the intermediate outputs of each triple-DES encryption operation. The secret mask value is derived from a fourth encryption operation per message block, in addition to the three used in previous modes. The new mode is part of a suite of encryption modes proposed in the ANSI X9.F.1 Triple-DES draft standard (X9.52). 1 Introduction Much effort has gone into attempted cryptanalysis of multiple DES [2, 3, 4, 6, 8, 10, 11, 14, 17, 18, 21]. Because the DES is still a fundamentally sound base to build on, the American National Standards Institute (ANSI) committee X9.F.1 is working to standardize a ...

We propose a new mode of multiple encryption, namely "Triple DES cipher block chaining with output feedback masking." The aim is to provide strong protection against certain attacks ("dictionary attacks" and "matching ciphertext attacks") which exploit the DES blocksize of 64 bits. The new mode obtains this protection through the introduction of secret masking values that are Exclusive-ORed with the intermediate outputs of each triple-DES encryption operation. The secret mask value is derived from a fourth encryption operation per message block, in addition to the three used in previous modes. The new mode is part of a suite of encryption modes proposed in the ANSI X9.F.1 Triple-DES draft standard (X9.52). 1 1 Introduction Much effort has gone into attempted cryptanalysis of multiple DES [2, 3, 4, 6, 8, 10, 11, 14, 17, 18, 21]. Because the DES is still a fundamentally sound base to build on, the American National Standards Institute (ANSI) committee X9.F.1 is working to sta...