Paper 2018/468

On Beyond-Birthday-Bound Security: Revisiting the Development of ISO/IEC 9797-1 MACs

Yaobin Shen and Lei Wang


ISO/IEC 9797-1 is an international standard for block-cipher-based Message Authentication Code (MAC). The current version ISO/IEC 9797-1:2011 specifies six single-pass CBC-like MAC structures that are capped at the birthday bound security. For a higher security that is beyond-birthday bound, it recommends to use the concatenation combiner of two single-pass MACs. In this paper, we reveal the invalidity of the suggestion, by presenting a birthday bound forgery attack on the concatenation combiner, which is essentially based on Joux’s multi-collision. Notably, our new forgery attack for the concatenation of two MAC Algorithm 1 with padding scheme 2 only requires 3 queries. Moreover, we look for patches by revisiting the development of ISO/IEC 9797-1 with respect to the beyond-birthday bound security. More specifically, we evaluate the XOR combiner of single-pass CBC-like MACs, which was used in previous version of ISO/IEC 9797-1.

Note: revised some typos

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in FSE 2020
ISOIEC 9797-1Beyond Birthday Bound SecurityXOR Combiner
Contact author(s)
yb_shen @ sjtu edu cn
wanglei_hb @ sjtu edu cn
2020-12-30: last of 3 revisions
2018-05-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yaobin Shen and Lei Wang},
      title = {On Beyond-Birthday-Bound Security: Revisiting the Development of ISO/IEC 9797-1 MACs},
      howpublished = {Cryptology ePrint Archive, Paper 2018/468},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.