Analysis of 3gpp-MAC and two-key 3gpp-MAC Original Research Article

Forgery and key-recovery attacks are described on the 3gpp-MAC scheme, proposed for inclusion in the 3gpp specification. Three main classes of attack are given, all of which operate whether or not truncation is applied to the MAC value. Attacks in the first class use a large number of ‘chosen MACs’, those in the second class use a large number of ‘known MACs’, and those in the third class require a large number of MAC verifications, but very few known MACs and no chosen MACs. The first class yields both forgery and key-recovery attacks, whereas the second and third classes are key-recovery attacks only. Both single-key and two-key variants of 3gpp-MAC are considered; the forgery attacks are relevant to both variants, whereas the key-recovery attacks are only relevant to the two-key variant.