Paper 2014/183

Impact of ANSI X9.24-1:2009 Key Check Value on ISO/IEC 9797-1:2011 MACs

Tetsu Iwata and Lei Wang


ANSI X9.24-1:2009 specifies the key check value, which is used to verify the integrity of the blockcipher key. This value is defined as the most significant bits of the ciphertext of the zero block, and is assumed to be publicly known data for verification. ISO/IEC 9797-1:2011 illustrates a total of ten CBC MACs, where one of these MACs, the basic CBC MAC, is widely known to be insecure. In this paper, we consider the remaining nine CBC MACs and derive the quantitative security impact of using the key check value. We first show attacks against five MACs by taking advantage of the knowledge of the key check value. We then prove that the analysis is tight, in a concrete security paradigm. For the remaining four MACs, we prove that the standard birthday bound still holds even with the presence of the key check value. As a result, we obtain a complete characterization of the impact of using ANSI X9.24-1 key check value with the ISO/IEC 9797-1 MACs.

Note: A preliminary version of this paper appears in the pre-proceedings of FSE 2014. This is the full version.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in FSE 2014
ANSI X9.24-1:2009key check valueISOIEC 9797-1:2011CBC MACproof of security.
Contact author(s)
iwata @ cse nagoya-u ac jp
2014-03-09: received
Short URL
Creative Commons Attribution


      author = {Tetsu Iwata and Lei Wang},
      title = {Impact of ANSI X9.24-1:2009 Key Check Value on ISO/IEC 9797-1:2011 MACs},
      howpublished = {Cryptology ePrint Archive, Paper 2014/183},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.