ISO/IEC 9797-1

The model for MAC generation comprises six steps: • Padding of the data to a multiple of the cipher block size • Splitting of the data into blocks • Initial transformation of the first block of data • Iteration through the remaining blocks of data • Output transformation of the result of the last iteration • Truncation of the result to the required length For most steps, the standard provides several options from which to choose, and/or allows some configurability. Padding The input data must be padded to a multiple of the cipher block size, so that each subsequent cryptographic operation will have a complete block of data. Three padding methods are defined. In each case n is the block length (in bits): Padding method 1 If necessary, add bits with value 0 to the end of the data until the padded data is a multiple of n. (If the original data was already a multiple of n, no bits are added.) Padding method 2 Add a single bit with value 1 to the end of the data. Then if necessary add bits with value 0 to the end of the data until the padded data is a multiple of n. Padding method 3 The padded data comprises (in this order): • The length of the unpadded data (in bits) expressed in big-endian binary in n bits (i.e. one cipher block) • The unpadded data • As many (possibly none) bits with value 0 as are required to bring the total length to a multiple of n bits It is not necessary to transmit or store the padding bits, because the recipient can regenerate them, knowing the length of the unpadded data and the padding method used. Splitting The padded data D is split into q blocks D1, D2, ... Dq, each of length n, suitable for the block cipher. Initial transformation A cryptographic operation is performed on the first block (D1), to create an intermediate block H1. Two initial transformations are defined: Initial transformation 1 D1 is encrypted with the key K: :H1 = eK(D1) Initial transformation 2 D1 is encrypted with the key K, and then by a second key K′′: :H1 = eK′′(eK(D1)) Iteration Blocks H2 ... Hq are calculated by encrypting, with the key K, the bitwise exclusive-or of the corresponding data block and the previous H block. :for i = 2 to q ::Hi = eK(Di ⊕ Hi-1) If there is only one data block (q=1), this step is omitted. Output transformation A cryptographic operation is (optionally) performed on the last iteration output block Hq to produce the block G. Three output transformations are defined: Output transformation 1 Hq is used unchanged: :G = Hq Output transformation 2 Hq is encrypted with the key K′: :G = eK′(Hq) Output transformation 3 Hq is decrypted with the key K′ and the result encrypted with the key K: :G = eK(dK′(Hq)) Truncation The MAC is obtained by truncating the block G (keeping the leftmost bits, discarding the rightmost bits), to the required length. ==Specific algorithms==

The general model nominally allows for any combination of options for each of the padding, initial transformation, output transformation, and truncation steps. However, the standard defines four particular combinations of initial and output transformation and (where appropriate) key derivation, and two further combinations based on duplicate parallel calculations. The combinations are denoted by the standard as "MAC Algorithm 1" through "MAC Algorithm 6". MAC algorithm 1 This algorithm uses initial transformation 1 and output transformation 1. Only one key is required, K. (When the block cipher is DES, this is equivalent to the algorithm specified in FIPS PUB 113 Computer Data Authentication.) Algorithm 1 is commonly known as CBC-MAC. MAC algorithm 2 This algorithm uses initial transformation 1 and output transformation 2. Two keys are required, K and K′, but K′ may be derived from K. MAC algorithm 3 This algorithm uses initial transformation 1 and output transformation 3. Two independent keys are required, K and K′. Algorithm 3 is also known as Retail MAC. MAC algorithm 4 This algorithm uses initial transformation 2 and output transformation 2. Two independent keys are required, K and K′, with a third key K′′ derived from K′. MAC algorithm 5 MAC algorithm 5 comprises two parallel instances of MAC algorithm 1. The first instance operates on the original input data. The second instance operates on two key variants generated from the original key via multiplication in a Galois field. The final MAC is computed by the bitwise exclusive-or of the MACs generated by each instance of algorithm 1. Algorithm 5 is also known as CMAC. MAC algorithm 6 This algorithm comprises two parallel instances of MAC algorithm 4. The final MAC is the bitwise exclusive-or of the MACs generated by each instance of algorithm 4. Each instance of algorithm 4 uses a different key pair (K and K′) but those four keys are derived from two independent base keys. ==Key derivation==

MAC algorithms 2 (optionally), 4, 5 and 6 require deriving one or more keys from another key. The standard does not mandate any particular method of key derivation, although it does generally mandate that derived keys be different from each other. The standard gives some examples of key derivation methods, such as "complement alternate substrings of four bits of K commencing with the first four bits." This is equivalent to bitwise exclusive-oring each byte of the key with F0 (hex). ==Complete specification of the MAC calculation==

To completely and unambiguously define the MAC calculation, a user of ISO/IEC 9797-1 must select and specify: • The block cipher algorithm e • The padding method (1 to 3) • The specific MAC algorithm (1 to 6) • The length of the MAC • The key derivation method(s) if necessary, for MAC algorithms 2, 4, 5 or 6 ==Security analysis of the algorithms==

Annex B of the standard is a security analysis of the MAC algorithms. It describes various cryptographic attacks on the algorithms – including key-recovery attack, brute force key recovery, and birthday attack – and analyses the resistance of each algorithm to those attacks. ==References==