1 Introduction

ANSI C12.22 [3] specifies a blockcipher mode for authenticated encryption (AE) as the standard security function for Smart Grid. It is called \(\text {EAX}'\) (or EAX-prime). As its name suggests, \(\text {EAX}'\) is based on EAX proposed by Bellare, Rogaway, and Wagner at FSE 2004 [7]. Though EAX is already efficient with a small amount of precomputation, \(\text {EAX}'\) aims at further reducing the amount of precomputation and memory, to make it suitable for resource-constrained devices, typically smart meters. ANSI submitted \(\text {EAX}'\) to NIST [13] and NIST called for public comments on the proposal to approve \(\text {EAX}'\). Following ANSI C12.22, IEEE 1703 [6] and MC1222 [4] included \(\text {EAX}'\). There is also an RFC [5] related to ANSI C12.22.

Though \(\text {EAX}'\) is similar to EAX, to the best of our knowledge, its formal security analysis has not been published to date. In this paper, we investigate the security of \(\text {EAX}'\) and show that there is a sharp distinction depending on the input length. The encryption algorithm of \(\text {EAX}'\) takes two inputs, called cleartext and plaintext. In the standard AE terminology, the cleartext serves as a nonce, or a combination of nonce and associated data (the latter is also called header).

First, we show that if the lengths of cleartext and plaintext do not exceed one block, there exist attacks against \(\text {EAX}'\) for both privacy and authenticity. Specifically, we present

  • forgeries, i.e., cleartext/ciphertext pairs with valid authentication tags,

  • chosen-plaintext distinguishers, distinguishing the \(\text {EAX}'\) encryption from a random encryption process, and

  • chosen-ciphertext plaintext recovery attacks, decrypting ciphertexts by asking for the decryption of another ciphertext with a valid authentication tag.

Our attacks are simple and efficient as they require only one or two queries. The simplest one even produces a successful forgery without observing any valid plaintext/ciphertext pair. Our forgery and distinguishing attacks strictly require the target system to accept one-block cleartext and plaintext. The plaintext recovery attacks relax this condition: given any ciphertext with one-block cleartext, they work in any circumstance where ciphertext is decrypted without checking the cleartext length. This widens the applicability of the attacks further. Our attacks imply that, while the original EAX has a proof of security, the security of \(\text {EAX}'\) has totally collapsed as a general-purpose AE.

Next, we show that if the cleartext is always longer than one block, \(\text {EAX}'\) recovers provable security based on the pseudorandomness of the blockcipher for both privacy and authenticity notions. The security proof is obtained by combining the previous proof techniques of EAX by Bellare, Rogaway, and Wagner [7] with some non-trivial extensions, such as the technique of Iwata and Kurosawa used for proving the security of OMAC [9].

One may naturally wonder if our attacks are applicable to ANSI C12.22. Unfortunately we do not know whether ANSI C12.22 protocols exclude one-block cleartexts, hence we have no clear answer. Still, considering the effect of our attacks, we conclude that \(\text {EAX}'\) must be used with cleartext length check mechanisms at both ends of encryption and decryption.

2 Preliminaries

Basic Notations. Let \(\mathbb {N} = \{0,1,\dots \}\). Let \(\{0,1\}^{*}\) be the set of all finite-length binary strings, including the empty string \(\varepsilon \). The bit length of a binary string \(X\) is written as \(|X|\), and let \(|X|_n\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\lceil |X|/n \rceil \). Here \(|\varepsilon |=0\). A concatenation of \(X,Y\in \{0,1\}^{*}\) is written as \(X\Vert Y\) or simply \(XY\). A sequence of \(a\) zeros (ones) is denoted by \(0^{a}\) (\(1^{a}\)). For \(k\ge 0\), let \(\{0,1\}^{>k}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\bigcup _{i=k+1,\dots }\{0,1\}^{i}\) and \((\{0,1\}^n)^{> k} \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\bigcup _{j=k+1,\dots }(\{0,1\}^{n})^{j}\), and \((\{0,1\}^n)^+ \mathop {=}\limits ^{{\tiny {{\text {def}}}}}(\{0,1\}^n)^{> 0}\). We also define \(\{0,1\}^{\ge k}\), \((\{0,1\}^n)^{\ge k}\), \(\{0,1\}^{< k}\), \((\{0,1\}^n)^{< k}\), \(\{0,1\}^{\le k}\), and \((\{0,1\}^n)^{\le k}\) analogously. For \(X,Y\in \{0,1\}^n\), \(X+Y\) or \(X-Y\) is considered as an addition or a subtraction modulo \(2^n\).

For \(X\in \{0,1\}^{*}\), let \(X[1]\Vert X[2]\Vert \dots \Vert X[m]\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {n}}} X\) denote the \(n\)-bit block partitioning of \(X\), i.e., \(X[1]\Vert X[2]\Vert \dots \Vert X[m]=X\) where \(m=|X|_n\), and \(|X[i]|=n\) for \(i<m\) and \(|X[m]|\le n\). For \(X,Y\in \{0,1\}^{*}\), let \(X\oplus _{\text {end}}Y\) be the XOR of \(X\) into the end of \(Y\) if \(|X|\le |Y|\), i.e. \(X\oplus _{\text {end}}Y=(0^{|Y|-|X|}\Vert X)\oplus Y\). Otherwise \(X\oplus _{\text {end}}Y=X\oplus (0^{|X|-|Y|}\Vert Y)\).

For a finite set \(\mathcal{X}\), if \(X\) is uniformly chosen from \(\mathcal{X}\) we write \(X\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{X}\).

Random Function and Random Permutation. Let \(\text {Func}(n,m)\) be the set of all functions \(\{0,1\}^{n}\rightarrow \{0,1\}^{m}\). We may abbreviate \(\text {Func}(n,n)\) to \(\text {Func}(n)\). In addition, let \(\text {Perm}(n)\) be the set of all permutations over \(\{0,1\}^n\). A uniform random function (URF) having \(n\)-bit input and \(m\)-bit output is the set \(\text {Func}(n,m)\) with uniform distribution over \(\text {Func}(n,m)\). It is denoted by \( \mathsf R \), and the corresponding sampling is written as \( \mathsf R \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\text {Func}(n,m)\). An \(n\)-bit uniform random permutation (URP) is the set \(\text {Perm}(n)\) with uniform distribution over \(\text {Perm}(n)\). It is denoted by \( \mathsf P \), and the corresponding sampling is written as \( \mathsf P \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\text {Perm}(n)\).

Galois Field. Following [7], an \(n\)-bit string \(X\) may be viewed as an element of \(\mathrm{GF(2}^n\mathrm{)}\) by taking \(X\) as a coefficient vector of the polynomial in \(\mathrm{GF(2}^n\mathrm{)}\). We write \(2X\) to denote the multiplication of \(2\) and \(X\) over \(\mathrm{GF(2}^n\mathrm{)}\), where \(2\) denotes the generator of the field \(\mathrm{GF(2}^n\mathrm{)}\). This operation is called doubling. We also write \(4L\) to denote \(2(2L)\). The doubling is efficiently implemented by one-bit shift with conditional XOR of a constant, see e.g. [9].

3 Specification of EAX-Prime

We describe the encryption and decryption algorithms of \(\text {EAX}'\). We changed the original notations of \(\text {EAX}'\) [3, 13] following those of EAX [7]. This illustrates the similarities and the differences of EAX and \(\text {EAX}'\) (See also the last part of this section).

\(\text {EAX}'\) is a mode of operation based on an \(n\)-bit blockcipher, \(E\). Here we typically assume \((n,E)=(128,\) AES-128), though other choices are possible [13]. The key of \(E\) is written as \(K\). Formally, the encryption function of \(\text {EAX}'\) accepts a cleartext, \(N\in \{0,1\}^{*}\) with \(N\ne \varepsilon \), a plaintext, \(M\in \{0,1\}^{*}\), and a secret key, \(K\), to produce the ciphertext, \(C\in \{0,1\}^{*}\), with \(|C|=|M|\) and the tag \(T\in \{0,1\}^{32}\). The decryption function, which we also call the verification function, accepts \(N\), \(C\), \(T\), and \(K\) and generates the decrypted plaintext \({M}\) if \((N,C,T)\) is valid, or the flag \(\bot \) if invalid. Cleartext \(N\) contains information that needs to be authenticated, but not encrypted. The ANSI document requires that \(N\) must be unique for all encryptions using the same key. Hence \(N\) can be seen as a combination of a nonce and associated data in the standard terminology of AE (e.g., see [7]). The plaintext \(M\) can be the empty string \(\varepsilon \), corresponding to the null string in [13], and in this case \(\text {EAX}'\) works as a message authentication code for \(N\).

For generality we assume that the tag length is specified by a predetermined parameter, \(\tau \in \{1,\dots ,n\}\). The original definition employs \(\tau =32\). Let \(\text {EAX}'[E,\tau ]\) be \(\text {EAX}'\) using \(n\)-bit blockcipher \(E\) with \(\tau \)-bit tag. The corresponding encryption and decryption algorithms are written as \(\text {EAX}'\text {-}\mathcal {E}_{K,\tau }\) and \(\text {EAX}'\text {-}\mathcal {D}_{K,\tau }\). If \(\tau \) is clear from the context we may write \(\text {EAX}'[E]\) and \(\text {EAX}'\text {-}\mathcal {E}_{K}\) and \(\text {EAX}'\text {-}\mathcal {D}_{K}\). These algorithms and their components are shown in Fig. 1. The encryption algorithm of \(\text {EAX}'\) is depicted in Fig. 2. In Fig. 1, \(\alpha \) denotes an \(n\)-bit constant, \((1^{n-32}\Vert 01^{15}\Vert 01^{15})\). Note that \(\text {CBC'}_K(0^n,M)\) is equivalent to the standard CBC-MAC using \(E_K\) with input \(M\), denoted by \(\text {CBC}_K(M)\). In our description, we fixed an apparent error in line 72 of the original definition of \(\text {EAX}'.\mathrm{{encrypt}}_{K}\) in [3, 13]. Some editorial errors of [13] were also pointed out by [1].

\(\mathbf{EAX }'\) and the Original EAX. The major differences between \(\text {EAX}'\) and the original EAX are summarized as follows. For other minor differences, see Section 3 of [13]. For the definition of EAX, see [7].

  1. Role of \(N\). Inputs to \(\text {EAX}'\text {-}\mathcal {E}_K\) consist of a cleartext \(N\) and a plaintext \(M\), whereas those to the original EAX consist of a nonce \(N\), a header (or associated data) \(H\), and a plaintext \(M\). \(\text {EAX}'\) requires \(N\) to be unique, hence it works as a nonce. \(\text {EAX}'\) does not explicitly define a header \(H\); information corresponding to the header is included in the cleartext \(N\).

  2. Tweaking method for CMAC. For input \(M\), CMAC [2] using \(E_K\) is defined as \(\text {CMAC}_K(M)=\text {CBC}_K( \mathtt {pad} (M;D,Q))\). The original EAX uses the tweaked CMAC having an \(n\)-bit tweak \(t\), defined as \(\text {CMAC}_K(t\Vert M)\), for \(t\in \{0^n,0^{n-1}1,0^{n-2}10\}\), to process \(N\), \(H\), and \(C\). For fast operation we need to precompute \(E_K(t)\) for all \(t\) and store them in RAM. \(\text {EAX}'\) employs a different way to tweak CMAC, accepting two tweak values (\(i=0,1\)) to generate \({\text {CMAC}'}_K^{(0)}\) and \({\text {CMAC}'}_K^{(1)}\) for processing \(N\) and \(C\). For fast operation we can precompute \(L=E_K(0^n)\). This reduces the precomputation time and RAM consumption compared to the original EAX.

  3. Counter mode incrementation. The original EAX uses \(\text {CMAC}_{K}(0^n\Vert N)\) as an initial counter block for CTR mode, while that of \(\text {EAX}'\) is \({\text {CMAC}'}^{(0)}_{K}(N) \wedge \alpha \), which sets some bits to zero. One can find a similar zeroing-out in the deterministic authenticated encryption called SIV [15]. As explained by [15], this contributes to a slightly simpler operation.

Fig. 1. (Upper) The encryption and decryption algorithms of \(\text {EAX}'[E,\tau ]\), originally with \(\tau =32\). (Lower) Component algorithms of \(\text {EAX}'[E,\tau ]\). Here, \(\alpha =(1^{n-32}\Vert 01^{15}\Vert 01^{15})\).

Fig. 2. The encryption algorithm of EAX\('\). In the figure, \(|N|_n=b\) and \(|M|_n=m\). \( \mathtt {bp} (x)=x\) if \(|x|=n\) and \( \mathtt {bp} (x)=x\Vert 10^{n-1-(|x|\mathrm {~mod~}n)}\) if \(|x|<n\).

4 Attacks Based on One-Block Cleartext

4.1 Chosen-Message Forgeries

We first describe forgery attacks against \(\text {EAX}'[E,\tau ]\). Throughout the section \(D\) and \(Q\) denote \(2L\) and \(4L\) with \(L=E_K(0^n)\). The adversary \(\mathcal{A}\) we consider here can access both encryption and decryption (verification) oracles, namely \(\text {EAX}'\text {-}\mathcal {E}_K\) and \(\text {EAX}'\text {-}\mathcal {D}_K\). Suppose \(\mathcal{A}\) (possibly adaptively) asks \(q\) queries to the encryption oracle, \((N_1,M_1),\dots ,(N_q,M_q)\), and receives \((C_1,T_1),\dots ,(C_q,T_q)\), and then asks \((N,C,T)\) to the decryption oracle. We say \(\mathcal{A}\) is successful if \(\mathcal{A}\) receives a string other than \(\bot \) and \((N,C,T)\ne (N_i,C_i,T_i)\) for any \(1\le i\le q\) (see also Sect. 5). Here we assume the nonce-respecting adversary [14]; it is allowed to query any \((N_i,M_i)\) to the encryption oracle as long as \(N_i\) is unique.

Suppose \(M\in \{0,1\}^{\le n}\). Then \( \mathtt {pad} (M;D,Q)= M\oplus _{\text {end}}D = M\oplus D\) when \(|M|=n\) and \( \mathtt {pad} (M;D,Q)= M\Vert 10^{n-1-|M|}\oplus _{\text {end}}Q = M\Vert 10^{n-1-|M|}\oplus Q\) when \(0\le |M|<n\). Therefore, the definition of \({\text {CMAC}'}^{(i)}_K\) in the previous section reduces to the following:

$$\begin{aligned}&{{\text {CMAC}}'}^{(0)}_{K}(M) = {\left\{ \begin{array}{ll} E_{K}(M) &{} \text {if}~|M|=n\\ E_{K}(M\Vert 10^{n-1-|M|}\oplus D\oplus Q) &{} \text {if}~0\le |M|< n \end{array}\right. }\\&{{\text {CMAC}}'}^{(1)}_{K}(M) = {\left\{ \begin{array}{ll} E_{K}(M\oplus D\oplus Q) &{} \text {if}~|M|=n\\ E_{K}(M\Vert 10^{n-1-|M|}) &{} \text {if}~0\le |M|<n \end{array}\right. } \end{aligned}$$

The above observation immediately gives the following attacks:

Forgery attack 1 (\(|N|=n\) and \(|C|<n\)).

  1. Prepare \(({N},{C})\) such that \(|N|=n\) and \(|C|<n\) and \({C}\Vert 10^{n-1-|C|}={N}\).

  2. Query \(({N},{C},{T})\) to the verification oracle, where \({T}=0^{\tau }\).

This attack always succeeds as the “valid” tag for \(({N},{C})\) is \(\text {msb}_{\tau }(E_{K}(N)\oplus E_{K}(C\Vert 10^{n-1-|C|}))=0^{\tau }\).

Forgery attack 2 (\(|N|<n\) and \(|C|=n\)).

  1. Prepare \(({N},{C})\) such that \(|N|<n\), \(|C|=n\), and \(N\Vert 10^{n-1-|N|}=C\).

  2. Query \((N,C,T)\) to the verification oracle, where \({T}=0^{\tau }\).

The attack is again successful as the valid tag for \((N,C)\) is \(\text {msb}_{\tau }(E_{K}(D\oplus Q\oplus N\Vert 10^{n-1-|N|})\oplus E_{K}(Q\oplus D\oplus C))=0^{\tau }\). These attacks use only one forgery attempt and no encryption query. With one encryption query, a forgery is possible even when \(|N|=n\) and \(|C|=n\):

Forgery attack 3 (\(|N|=|M|=n\)).

  1. Query \((N,M)\) with \(|N|=|M|=n\) and \(N\ne 0^n\) to the encryption oracle.

  2. Obtain \((C,T)\) (where \(|C|=n\)) from the oracle and check that \(C\ne 0^n\) (quit if \(C=0^n\)).

  3. Query \((\widetilde{N},\widetilde{C},\widetilde{T})\) to the verification oracle, where \(|\widetilde{N}|<n\), \(\widetilde{N}\Vert 10^{n-1-|\widetilde{N}|}=C\), \(|\widetilde{C}|<n\), \(\widetilde{C}\Vert 10^{n-1-|\widetilde{C}|}=N\), and \(\widetilde{T}=T\).

The above attack is almost always successful; unless \(C=0^n\) we have \(T=\text {msb}_{\tau }(E_{K}(N)\oplus E_{K}(Q\oplus D\oplus C))\) and the valid tag for \((\widetilde{N},\widetilde{C})\) is

$$\begin{aligned}&\text {msb}_{\tau }(E_{K}(D\oplus Q\oplus \widetilde{N}\Vert 10^{n-1-|\widetilde{N}|}) \oplus E_{K}(Q\oplus Q\oplus \widetilde{C}\Vert 10^{n-1-|\widetilde{C}|})) \\&\ = \text {msb}_{\tau }(E_{K}(D\oplus Q\oplus C)\oplus E_{K}(N)), \end{aligned}$$

which thus equals \(T\). The converse of Forgery attack 3 is also possible for \(|N|<n\) and \(|M|<n\):

Forgery attack 4 (\(|N|<n\) and \(|M|<n\)).

  1. Query \((N,M)\) with \(|N|<n\) and \(|M|<n\) to the encryption oracle.

  2. Obtain \((C,T)\) (where \(|C|=|M|<n\)) from the oracle.

  3. Query \((\widetilde{N},\widetilde{C},\widetilde{T})\) to the verification oracle, where \(|\widetilde{N}|=|\widetilde{C}|=n\), \(\widetilde{N}=C\Vert 10^{n-1-|C|}\), \(\widetilde{C}=N\Vert 10^{n-1-|N|}\), and \(\widetilde{T}=T\).

We have \(T=\text {msb}_{\tau }(E_{K}(D\oplus Q\oplus N\Vert 10^{n-1-|N|})\oplus E_{K}(Q\oplus Q\oplus C\Vert 10^{n-1-|C|}))\) and the valid tag for \((\widetilde{N},\widetilde{C})\) is

$$\begin{aligned}&\text {msb}_{\tau }(E_{K}(D\oplus D\oplus \widetilde{N}) \oplus E_{K}(Q\oplus D\oplus \widetilde{C})) \\&\ = \text {msb}_{\tau }(E_{K}(C\Vert 10^{n-1-|C|}) \oplus E_{K}(Q\oplus D\oplus N\Vert 10^{n-1-|N|})) = T. \end{aligned}$$

Partially Selective Forgeries. A forgery is selective instead of existential if the adversary can determine the content of the message to be forged. Since \(\text {EAX}'\) provides authenticated encryption with associated data (AEAD), the content of the message consists of both the confidential plaintext \(M\) and the non-confidential associated data (or cleartext) \(N\). While the above attacks do not allow the adversary to choose \(M\), the adversary can arbitrarily choose \(N\) (restricted to \(|N| \le n\) and, for \(|N|=n\), \(N \ne 0^n\)). In this sense, the forgery attacks above are partially selective.

4.2 Chosen-Plaintext Distinguishers

The forgery attacks above are based on the idea of generating \((N,C)\) that makes the tag \(T=0^{\tau }\). To distinguish \(\text {EAX}'\text {-}\mathcal {E}_{K}\) from a random encryption process, which produces \((|M|+\tau )\)-bit random sequence on receiving \((N,M)\), one can similarly make \((N,M)\) so that \(\text {EAX}'\text {-}\mathcal {E}_{K}\) will generate \((C,T)\) with \(T=0^\tau \).

Distinguishing attack 1 (\(|N|=n\) and \(|M|=0\)).

  1. Query \((N,M)\) to the encryption oracle, where \(N=10^{n-1}\) and \(M=\varepsilon \).

  2. Obtain \((C,T)\) from the oracle with \(C=\varepsilon \).

  3. If \(T=0^{\tau }\) then return \(1\), otherwise return \(0\).

As \(\text {EAX}'\text {-}\mathcal {E}_{K}\) returns \(T=0^{\tau }\) with probability \(1\), while the same event occurs with probability \(1/2^{\tau }\) for a random encryption process, this lets us easily distinguish \(\text {EAX}'\text {-}\mathcal {E}_{K}\) from random with distinguishing advantage almost \(1\), using only one encryption query.

Distinguishing attack 2 (\(|N|=n\), \(1\le |M|<n\), and fixed \(i\) for \(1\le i\le n-1\)).

  1. Fix \(M\in \{0,1\}^{i}\), and query \((N,M)\) to the encryption oracle with \(N=M\Vert 10^{n-1-|M|}\).

  2. Obtain \((C,T)\) from the oracle.

  3. If \(C=M\) and \(T=0^{\tau }\) then return \(1\), otherwise return \(0\).

In this case, we have \(C=M\) with probability \(1/2^{i}\) for both \(\text {EAX}'\text {-}\mathcal {E}_{K}\) and a random encryption process. Given the event \(C=M\), we have

$$\begin{aligned} T =\text {msb}_{\tau }(E_{K}(N)\oplus E_{K}(C\Vert 10^{n-1-|C|})) =0^{\tau } \end{aligned}$$

with probability \(1\) for \(\text {EAX}'\text {-}\mathcal {E}_{K}\), while \(T=0^{\tau }\) occurs with probability \(1/2^{\tau }\) for the random encryption process. Thus, whenever the event \(C=M\) occurs, which has probability \(1/2^i\), the distinguisher succeeds with high probability; this is non-negligible when \(i\) is small.

4.3 Chosen-Ciphertext Plaintext Recovery Attacks

Consider a triple \((N^*,C^*,T^*)\) of cleartext \(N^*\), ciphertext \(C^*\) and tag \(T^*\). The corresponding plaintext \(M^*\) is unknown. The adversary can ask a decryption oracle, for the decryption of any \((N,C,T)\) under its choice, except for \((N,C,T) = (N^*,C^*,T^*)\) (otherwise, finding \(M^*\) would be trivial). The adversary receives either \(\bot \) (if verification fails) or the decryption \(M\) of \(C\). This is the setting in a chosen ciphertext attack. Below, we focus on plaintext recovery attacks, where the adversary actually finds (a part of) \(M^*\). We describe two attacks: the first for \(|N^*| = n\), the second for \(|N^*| < n\).

Plaintext recovery attack 1 (\(|N^*| = n\)).

  1. Obtain \((N^*,C^*,T^*)\) for unknown plaintext \(M^*\).

  2. Prepare \(C\) with \(|C|<n\) and \({C}\Vert 10^{n-1-|C|}={N^*}\) and \(T=0^{\tau }\).

  3. Query \(({N^*},{C},{T})\) to the decryption oracle. Let \(M\) be the answer.

  4. Compute the keystream \(KS = C \oplus M \in \{0,1\}^{|C|}\).

Since the decryption of \((N^*,C^*,T^*)\) uses the same keystream \(KS\), we now can compute the first \(|C|\) bits of \(M^*\), or the full \(M^*\) if \(|M^*| \le |C|\). It succeeds for the same reason as Forgery attack 1 (unless \(N^*=0^n\), in which case there is no \(C\) in Step 2, or \({C^{*}}\Vert 10^{n-1-|C^{*}|}={N^*}\) and \(T^{*}=0^{\tau }\), in which case the decryption query in Step 3 makes the attack trivial).

Plaintext recovery attack 2 (\(|N^*| < n\)).

  1. Obtain \((N^*,C^*,T^*)\) for unknown plaintext \(M^*\).

  2. Prepare \(C\) with \(|C|=n\) and \(N^*\Vert 10^{n-1-|N^*|}=C\) and \(T=0^\tau \).

  3. Query \((N^*,C,T)\) to the decryption oracle. Let \(M\) be the answer.

  4. Compute the keystream \(KS = C \oplus M \in \{0,1\}^n\).

Unless \({N^{*}}\Vert 10^{n-1-|N^{*}|}={C^*}\) and \(T^{*}=0^{\tau }\), the attack succeeds for the same reason as Forgery attack 2.

4.4 Remarks

The Source of Attacks. Needless to say, our attacks do not apply to the original EAX, which has a proof of security. Our attacks exploit the flawed tweaking method of CMAC in \(\text {EAX}'\). While the tweaking method in the original EAX provides a set of computationally independent PRFs, the tweaking method of \(\text {EAX}'\) fails to do this. For instance \({\text {CMAC}'}^{(0)}_K(M)={\text {CMAC}'}^{(1)}_K(M')\) holds with probability \(1\) for any \((M,M')\) such that \(|M|=n\) and \(|M'|<n\) and \(M'\Vert 10^{n-1-|M'|}=M\), which would be unlikely to occur if \({\text {CMAC}'}^{(0)}_K\) and \({\text {CMAC}'}^{(1)}_K\) were computationally independent. The SIV-like counter incrementation also increases the collision probability of counter blocks; however, this only leads to a small degradation in security, as mentioned by [3], hence our attacks do not rely on this fact.

Applicability to ANSI C12.22 Protocols. All our attacks require \(|N| \le n\). The forgery and distinguishing attacks also require \(|M|,|C| \le n\), and the plaintext recovery attacks actually require at most the first \(n\) bits of the ciphertext. In addition, the forgery and plaintext recovery attacks cannot be prevented by restricting the input length at encryption alone: one must implement the input length check at decryption as well.
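As an added illustration (this is not code from the paper, from ANSI C12.22, or from the reference implementation), the following Python checks the \({\text {CMAC}'}^{(0)}/{\text {CMAC}'}^{(1)}\) collision on one-block inputs that underlies the attacks, contrasts it with the original EAX tweak on the same input pair, and applies the cleartext length gate recommended above. Assumptions: AES-128 is replaced by a toy HMAC-based Feistel permutation (the collision is structural and holds for any permutation \(E_K\)), the GF(\(2^{128}\)) doubling uses CMAC's reduction constant 0x87, and all inputs are byte-aligned.

```python
import hashlib
import hmac

N_BYTES = 16     # n = 128 bits
TAU_BYTES = 4    # tau = 32 bits, the tag length of the original EAX'


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def make_block_cipher(key: bytes):
    """Stand-in for E_K (assumption, not AES): a 4-round Feistel permutation
    on 128-bit blocks with HMAC-SHA256 round functions, so the script needs
    no third-party AES. It is a permutation, which is all the demo needs."""
    def f(rnd: int, half: bytes) -> bytes:
        return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def enc(block: bytes) -> bytes:
        assert len(block) == N_BYTES
        l, r = block[:8], block[8:]
        for rnd in range(4):
            l, r = r, xor(l, f(rnd, r))
        return l + r
    return enc


def double(x: bytes) -> bytes:
    """2X in GF(2^128): one-bit left shift, conditional XOR of 0x87
    (CMAC's reduction polynomial x^128+x^7+x^2+x+1; assumed here)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(N_BYTES, "big")


def bp(x: bytes) -> bytes:
    """bp(x) of Fig. 2 for |x| < n: x || 1 0^(n-1-|x|), byte-aligned."""
    assert len(x) < N_BYTES
    return x + b"\x80" + b"\x00" * (N_BYTES - 1 - len(x))


def cmac_prime(enc, i: int, m: bytes) -> bytes:
    """CMAC'^(i)_K for |m| <= n, exactly the case analysis of Sect. 4.1."""
    L = enc(bytes(N_BYTES))
    D, Q = double(L), double(double(L))
    full = len(m) == N_BYTES
    if i == 0:
        return enc(m) if full else enc(xor(bp(m), xor(D, Q)))
    return enc(xor(m, xor(D, Q))) if full else enc(bp(m))


def eax_tweaked_cmac(enc, t: bytes, m: bytes) -> bytes:
    """Original EAX tweak CMAC_K(t || m) for one-block t and |m| <= n:
    CBC-MAC over two blocks, last block masked with D (full) or Q (padded)."""
    L = enc(bytes(N_BYTES))
    D, Q = double(L), double(double(L))
    last = xor(m, D) if len(m) == N_BYTES else xor(bp(m), Q)
    return enc(xor(enc(t), last))


def eax_prime_tag(enc, n_clear: bytes, c: bytes) -> bytes:
    """EAX' tag for one-block N and C: msb_tau(CMAC'^(0)(N) xor CMAC'^(1)(C))."""
    return xor(cmac_prime(enc, 0, n_clear), cmac_prime(enc, 1, c))[:TAU_BYTES]


def cleartext_length_ok(n_clear: bytes) -> bool:
    """Length gate to apply at BOTH encryption and decryption, as the paper
    recommends: accept only cleartexts strictly longer than one block."""
    return len(n_clear) > N_BYTES


def collision_demo(key: bytes, short: bytes):
    """For the pair M' = short (|M'| < n) and M = bp(short) (|M| = n), return
    (collides_in_eax_prime, collides_in_eax, eax_prime_tag_is_zero)."""
    enc = make_block_cipher(key)
    m_full = bp(short)
    eaxp = cmac_prime(enc, 0, m_full) == cmac_prime(enc, 1, short)
    # Same pair under EAX's tweaks t=0^n (nonce) and t=0^{n-2}10 (ciphertext).
    t_n = bytes(N_BYTES)
    t_c = bytes(N_BYTES - 1) + b"\x02"
    eax = eax_tweaked_cmac(enc, t_n, m_full) == eax_tweaked_cmac(enc, t_c, short)
    # (N, C) = (bp(short), short) yields the all-zero tag of Forgery attack 1.
    zero_tag = eax_prime_tag(enc, m_full, short) == bytes(TAU_BYTES)
    return eaxp, eax, zero_tag


if __name__ == "__main__":
    key = b"constructed demo key"        # constructed sample key
    n_short = b"meter-id-42"             # constructed 11-byte (one-block) cleartext
    print("EAX' collision, EAX collision, zero tag:", collision_demo(key, n_short))
    print("one-block cleartext accepted:", cleartext_length_ok(bp(n_short)))
    print("18-byte cleartext accepted:", cleartext_length_ok(n_short + b"-site-7"))
```

The gate alone does not repair the tweaking; it only keeps every query outside the region where the collision exists, which is exactly the precondition of Theorems 1 and 2.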

One can find some examples that have \(|M|=n\) or \(|M|=0\) (i.e. the authentication of \(N\)) with \(n=128\) in the communication examples of ANSI C12.22 (Annex G of [3]) or the test vectors of \(\text {EAX}'\) (Section V of [13]). At the same time, we do not know whether \(|N| > n\) always holds for ANSI C12.22 protocols, even though the specification [13] does not, at least explicitly, regulate the length of the cleartext. The reference code of \(\text {EAX}'\) given by [3, 6] has no restriction on input lengths, and we verified our attacks with that code.

A natural question arises from the above observation: whether \(\text {EAX}'\) is provably secure under the restriction \(|N| > n\). In the next section we provide a positive answer to this question.

5 Provable Security for More-Than-One-Block Cleartext

Now we are going to prove that \(\text {EAX}'\) is provably secure when the cleartext \(N\) is always longer than \(n\) bits for both encryption and decryption. Combined with the attacks described in the previous section, the result of this section draws a sharp distinction in security between the case \(|N|>n\) and the case \(|N|\le n\).

Security Notions. Following [7, 14], we introduce two security notions, privacy and authenticity, to model the security of \(\text {EAX}'\). For \(c\) oracles, \(O_1,O_2,\dots ,O_c\), we write \(\mathcal{A}^{O_1,O_2,\dots ,O_c}\) to represent the adversary \(\mathcal{A}\) accessing these \(c\) oracles in an arbitrary order. If \(F\) and \(G\) are oracles having the same input and output domains, we say they are compatible.

A CPA-adversary \(\mathcal{A}\) against \(\text {EAX}'[E,\tau ]\) accesses \(\text {EAX}'\text {-}\mathcal {E}_{K,\tau }\). The encryption queries made by \(\mathcal{A}\) are denoted by \((N_1,M_1),\dots ,(N_q,M_q)\). We define \(\mathcal{A}\)’s parameter list as \((q,\sigma _N,\sigma _M)\), where \(\sigma _N\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum ^q_{i=1} |N_i|_n\) and \(\sigma _M\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum ^q_{i=1} |M_i|_n\) if all \(|M_i|_n>0\). By convention, if \(|M_i|=0\) for some \(i\le q\), \(\sigma _M\mathop {=}\limits ^{{\tiny {{\text {def}}}}}(\sum ^q_{i=1} |M_i|_n)+1\). We also define the random-bit oracle, $, which takes \((N,M)\in \{0,1\}^{*}\times \{0,1\}^{*}\) and returns \((C,T)\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{0,1\}^{|M|}\times \{0,1\}^{\tau }\). The privacy notion for a CPA-adversary \(\mathcal{A}\) is defined as

$$\begin{aligned} \mathtt{Adv }^\mathtt{priv }_{\text {EAX}'[E,\tau ]}(\mathcal{A}) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\Pr [K\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}: \mathcal{A}^{\text {EAX}'\text {-}\mathcal {E}_K}\Rightarrow 1]-\Pr [\mathcal{A}^{\$}\Rightarrow 1]. \end{aligned}$$
(1)

We assume \(\mathcal{A}\) in the privacy notion is nonce-respecting, i.e., all \(N_i\)s are distinct. Similarly, a CCA-adversary \(\mathcal{A}\) against \(\text {EAX}'[E,\tau ]\) accesses \(\text {EAX}'\text {-}\mathcal {E}_{K,\tau }\) and \(\text {EAX}'\text {-}\mathcal {D}_{K,\tau }\). The encryption and decryption queries made by \(\mathcal{A}\) are denoted by \((N_1,M_1),\dots ,(N_q,M_q)\) and \((\widetilde{N}_1,\widetilde{C}_1,\widetilde{T}_1),\dots ,(\widetilde{N}_{q_v},\widetilde{C}_{q_v},\widetilde{T}_{q_v})\). We define \(\mathcal{A}\)’s parameter list as \((q,q_v,\sigma _N,\sigma _M, \sigma _{\widetilde{N}},\sigma _{\widetilde{C}})\), where \(\sigma _{\widetilde{N}}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum ^{q_v}_{i=1} |\widetilde{N}_i|_n\), \(\sigma _{\widetilde{C}}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum ^{q_v}_{i=1} |\widetilde{C}_i|_n\) when all \(|\widetilde{C}_i|_n>0\) and \(\sigma _{\widetilde{C}}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}(\sum ^{q_v}_{i=1} |\widetilde{C}_i|_n) +1\) otherwise. The definitions of \(\sigma _N\) and \(\sigma _M\) are the same as above. The authenticity notion for a CCA-adversary \(\mathcal{A}\) is defined as

$$\begin{aligned} \mathtt{Adv }^\mathtt{auth }_{\text {EAX}'[E,\tau ]}(\mathcal{A}) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\Pr [K\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}: \mathcal{A}^{\text {EAX}'\text {-}\mathcal {E}_K,\text {EAX}'\text {-}\mathcal {D}_K}~\text {forges}], \end{aligned}$$
(2)

where \(\mathcal{A}\) forges if \(\text {EAX}'\text {-}\mathcal {D}_K\) returns a bit string (other than \(\bot \)) for a query \((\widetilde{N}_i,\widetilde{C}_i,\widetilde{T}_i)\) for some \(1\le i\le q_v\) such that \((\widetilde{N}_i,\widetilde{C}_i,\widetilde{T}_i)\ne (N_j, C_j, T_j)\) for all \(1\le j\le q\). We assume \(\mathcal{A}\) in the authenticity notion is always nonce-respecting with respect to encryption queries; using the same \(N\) for encryption and decryption queries is allowed, and the same \(N\) can be repeated within decryption queries, i.e. \(N_i\) is different from \(N_j\) for any \(j\ne i\) but \(\widetilde{N}_i\) may be equal to \(N_j\) or \(\widetilde{N}_{i'}\) for some \(j\) and \(i'\ne i\).

Bounds. We denote \(\text {EAX}'\) with an \(n\)-bit URP being used as a blockcipher by \(\text {EAX}'[\text {Perm}(n),\tau ]\) and the corresponding encryption and decryption functions by \(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P }\) and \(\text {EAX}'\text {-}\mathcal {D}_{ \mathsf P }\). Similarly, the subscript \(K\) in the component algorithms is substituted with \( \mathsf P \), e.g. \({\text {CMAC}'}^{(i)}_{ \mathsf P }\). We here provide the security bounds for \(\text {EAX}'[\text {Perm}(n),\tau ]\); the computational counterpart for \(\text {EAX}'[E,\tau ]\) is trivial. The security bound for the privacy notion is as follows.

Theorem 1

Let \(\mathcal{A}\) be a CPA-adversary against \(\text {EAX}'[\text {Perm}(n),\tau ]\) who does not query cleartexts of \(n\) bits or shorter and has parameter list \((q,\sigma _N,\sigma _M)\). Let \(\sigma _{ priv }=\sigma _N+\sigma _M\). Then we have

$$\begin{aligned} \mathtt{Adv }^\mathtt{priv }_{\text {EAX}'[\text {Perm}(n),\tau ]}(\mathcal{A}) \le \frac{18\sigma _{ priv }^2}{2^n}. \end{aligned}$$

The security bound for the authenticity notion is as follows.

Theorem 2

Let \(\mathcal{A}\) be a CCA-adversary against \(\text {EAX}'[\text {Perm}(n),\tau ]\) who does not query cleartexts of \(n\) bits or shorter to either the encryption or the decryption oracle, and has parameter list \((q,q_v,\sigma _N,\sigma _M, \sigma _{\widetilde{N}},\sigma _{\widetilde{C}})\). Let \(\sigma _{ auth }=\sigma _N+\sigma _M + \sigma _{\widetilde{N}} + \sigma _{\widetilde{C}}\). Then we have

$$\begin{aligned} \mathtt{Adv }^\mathtt{auth }_{\text {EAX}'[\text {Perm}(n),\tau ]}(\mathcal{A}) \le \frac{18\sigma _{ auth }^2}{2^n} + \frac{q_v}{2^\tau }. \end{aligned}$$

6 Proofs of Theorem 1 and Theorem 2

6.1 Overview

The proofs of Theorems 1 and 2 are a bit long, hence we first provide an overview. The basic strategy follows the proof of the original EAX [7] with some extensions taken from the OMAC proofs [9, 10]. We first break down the algorithm of \(\text {EAX}'[\text {Perm}(n),\tau ]\) into a pair of functions, which we call OMAC-extension, \(\text {OMAC-e}[ \mathsf P ]=(\text {OMAC-e}[ \mathsf P ]^{(0)},\text {OMAC-e}[ \mathsf P ]^{(1)})\), where \(\text {OMAC-e}[ \mathsf P ]^{(0)}: \{0,1\}^{>n}\times \mathbb {N} \rightarrow (\{0,1\}^{n})^{>0}\) and \(\text {OMAC-e}[ \mathsf P ]^{(1)}: \{0,1\}^{*} \rightarrow \{0,1\}^{n}\). It uses an \(n\)-bit random permutation \( \mathsf P \) and an additional independent and random value, \(U\in \{0,1\}^n\). Intuitively, \(\text {OMAC-e}[ \mathsf P ]^{(0)}\) is a function that takes \((N,d)\), where \(d=|M|_n\) (\(d=|C|_n\)) for encryption (decryption), and produces \(\underline{N}\oplus U\) and the \(d\)-block keystream before truncation, i.e., \(S\) of Fig. 1 (see also Fig. 2). Similarly, \(\text {OMAC-e}[ \mathsf P ]^{(1)}\) takes a ciphertext, \(C\), and produces \({\text {CMAC}'}^{(1)}_ \mathsf P (C)\oplus U\). Since \((\underline{N}\oplus U)\oplus ({\text {CMAC}'}^{(1)}_ \mathsf P (C)\oplus U) = \underline{N}\oplus {\text {CMAC}'}^{(1)}_ \mathsf P (C)\), such a function pair can perfectly simulate \(\text {EAX}'[\text {Perm}(n),\tau ]\). We introduce \(U\) to make the remaining analysis less involved. Then, the bound evaluation for \(\text {EAX}'[\text {Perm}(n),\tau ]\) is mostly reduced to that of the indistinguishability between \(\text {OMAC-e}[ \mathsf P ]\) and a random function pair \({\mathbb {RND}}=({\mathbb {RND}}^{(0)},{\mathbb {RND}}^{(1)})\). Here \({\mathbb {RND}}^{(0)}\) takes \((N,d)\) and samples \(Y\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}(\{0,1\}^n)^{d_{\max }+1}\) if \(N\) is new, and outputs the first \((d+1)\) blocks of \(Y\), where \(d_{\max }\) is the maximum possible value of \(d\) implied by the game we consider. Similarly \({\mathbb {RND}}^{(1)}\) takes \(C\in \{0,1\}^{*}\) and outputs \(Y'\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{0,1\}^n\) if \(C\) is new. To bound the indistinguishability between \(\text {OMAC-e}[ \mathsf P ]\) and \({\mathbb {RND}}\), we further break down \(\text {OMAC-e}[ \mathsf P ]\) into a set of ten small functions, \( \mathbf Q =\{ \mathbf Q _i\}_{i=1,\dots ,10}\), following the proof of OMAC [9]. Using two random values in addition to \(U\), these functions are built so that they behave close to a set of independent URFs or URPs, and at the same time have the capability to perfectly simulate \(\text {OMAC-e}[ \mathsf P ]\) (hence \(\text {EAX}'[\text {Perm}(n)]\)). The indistinguishability of \( \mathbf Q \) from the set of URPs/URFs is relatively easy to derive, and as a result the subsequent analysis becomes much easier.

6.2 Proof

Setup. Without loss of generality and for simplicity this section assumes that the space of valid cleartexts of \(\text {EAX}'\) is \(\{0,1\}^{>n}\), rather than restricting the adversary’s strategy.

For convenience we introduce the following notions. Let \(F_K:\mathcal{X}\rightarrow \mathcal{Y}\) and \(G_{K'}:\mathcal{X}\rightarrow \mathcal{Y}\) be two keyed functions with \(K\in \mathcal{K}\) and \(K'\in \mathcal{K}'\), and let \(\mathcal{A}\) be the CPA-adversary. We define

$$\begin{aligned} \mathtt{Adv }^{ {\mathtt{cpa }}}_{F, G}(\mathcal{A}) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\Pr [K\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}: \mathcal{A}^{F_K}\Rightarrow 1]-\Pr [K'\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}': \mathcal{A}^{G_{K'}}\Rightarrow 1]. \end{aligned}$$
(3)

Note that this definition can be naturally extended when \(G_{K'}\) is substituted with the random-bit oracle compatible with \(F_K\). Moreover, when \(F_K\) and \(G_{K'}\) are compatible with \(\text {EAX}'\text {-}\mathcal {E}_K\), we define \( \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{F, G}(\mathcal{A})\) as the same function as \( \mathtt{Adv }^{ {\mathtt{cpa }}}_{F, G}(\mathcal{A})\) but CPA-adversary \(\mathcal{A}\) is restricted to be nonce-respecting. Let \({\mathbf F}=(F^{e}_K,F^{d}_K)\) and \({\mathbf G}=(G^{e}_{K'},G^{d}_{K'})\) be the pairs of functions that are compatible with \((\text {EAX}'\text {-}\mathcal {E}_K,\text {EAX}'\text {-}\mathcal {D}_K)\). We define

$$\begin{aligned} \mathtt{Adv }^\mathtt{cca\text {-}nr }_{{\mathbf F}, {\mathbf G}}(\mathcal{A}) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\Pr [K\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}:\mathcal{A}^{F^{e}_K,F^{d}_K}\Rightarrow 1]-\Pr [K'\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}':\mathcal{A}^{G^{e}_{K'},G^{d}_{K'}}\Rightarrow 1], \end{aligned}$$
(4)

where the underlying \(\mathcal{A}\) is assumed to be nonce-respecting for encryption queries. Note that we have \( \mathtt{Adv }^\mathtt{priv }_{\text {EAX}'[E,\tau ]}(\mathcal{A}) = \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{\text {EAX}'\text {-}\mathcal {E}_{K}, \$}(\mathcal{A})\) for any nonce-respecting CPA-adversary \(\mathcal{A}\).

Step 1: OMAC-extension. For \(x\in \{0,1\}^{\le n}\), let \( \mathtt {bp} (x)=x\) if \(|x|=n\) and \( \mathtt {bp} (x)=x\Vert 10^{n-1-(|x| \mathrm {~mod~}n)}\) if \(|x|<n\). If \(x=\varepsilon \) then \( \mathtt {bp} (x)=10^{n-1}\). We first define OMAC-extension using an \(n\)-bit URP, denoted by \(\text {OMAC-e}[ \mathsf P ]:\{0,1\}\times \{0,1\}^{*}\times \mathbb {N}\rightarrow (\{0,1\}^n)^{>0}\). The definition is given in Fig. 3. See also Fig. 4. It consists of two functions, written as

$$\begin{aligned}&\text {OMAC-e}[ \mathsf P ]^{(0)}: \{0,1\}^{>n}\times \mathbb {N} \rightarrow (\{0,1\}^{n})^{>0},~\text {and}\end{aligned}$$
(5)
$$\begin{aligned}&\text {OMAC-e}[ \mathsf P ]^{(1)}: \{0,1\}^{*} \rightarrow \{0,1\}^{n}, \end{aligned}$$
(6)

where the first argument to \(\text {OMAC-e}[ \mathsf P ]\), \(t\in \{0,1\}\), specifies which function is used, i.e., \(\text {OMAC-e}[ \mathsf P ](0,X,d)=\text {OMAC-e}[ \mathsf P ]^{(0)}(X,d)\) and \(\text {OMAC-e}[ \mathsf P ](1,X,d)=\text {OMAC-e}[ \mathsf P ]^{(1)}(X)\) (\(d\) is discarded). Here \(|\text {OMAC-e}[ \mathsf P ]^{(0)}(X,d)|=(d+1)n\). For simplicity we assume the input domain of \(\text {OMAC-e}[ \mathsf P ]\) is the set of \((t,X,d)\in \{0,1\}\times \{0,1\}^{*}\times \mathbb {N}\) that is acceptable for \(\text {OMAC-e}[ \mathsf P ]^{(t)}\). More formally, when \(t=0\) we assume \(|X|>n\) and \(d\in \mathbb {N}\), and when \(t=1\) we assume \(d\) is fixed (say \(0\)). As described in Sect. 6.1, \(\text {OMAC-e}[ \mathsf P ]\) enables us to simulate \(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P }\) and \(\text {EAX}'\text {-}\mathcal {D}_{ \mathsf P }\); note that the simulator only needs to compute the sum of the two outputs from \({\text {CMAC}'}^{(0)}_ \mathsf P \) and \({\text {CMAC}'}^{(1)}_ \mathsf P \), not each output individually. For instance, if we want to perform \(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P }\) for \(N=(N[1]\Vert N[2])\) and \(M=(M[1]\Vert M[2])\) with \(|N[1]|=|N[2]|=|M[1]|=n\) and \(|M[2]|=n-2\), then the procedure is (1) \(Y\Vert S[1]S[2]\leftarrow \text {OMAC-e}[ \mathsf P ](0,N,2)\), (2) \(C\leftarrow \text {msb}_{2n-2}(S[1]S[2])\oplus M\), (3) \(Y'\leftarrow \text {OMAC-e}[ \mathsf P ](1,C,0)\), where the last argument is arbitrary, (4) \(T\leftarrow \text {msb}_{\tau }(Y\oplus Y')\), and (5) output \((C,T)\). The following proposition is easy to check.

Proposition 1

There exist deterministic procedures, \(f_e(\cdot )\) and \(f_d(\cdot )\), that use \(\text {OMAC-e}[ \mathsf P ]\) as a black box and perfectly simulate \(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P }\) and \(\text {EAX}'\text {-}\mathcal {D}_{ \mathsf P }\). That is, we have (see Footnote 5) \(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P }\equiv f_e(\text {OMAC-e}[ \mathsf P ])\) and \(\text {EAX}'\text {-}\mathcal {D}_{ \mathsf P }\equiv f_d(\text {OMAC-e}[ \mathsf P ])\).

A keyed function \(F\) compatible with \(\text {OMAC-e}[ \mathsf P ]\) is said to have OMAC-e profile, and we denote \(F(t,X,d)\) by \(F^{(t)}(X,d)\). Suppose an adversary querying \(F\) of OMAC-e profile makes \(q\) queries \((t_1,X_1,d_1),\dots , (t_q,X_q,d_q)\) and the corresponding answers are \(Y_1,\dots ,Y_q\). Such an adversary is said to have parameter list \((q,\sigma _{\text {in}},\sigma _{\text {out}})\), where \(\sigma _{\text {in}}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum _{i=1,\dots ,q}|X_i|_n\) and \(\sigma _{\text {out}}\mathop {=}\limits ^{{\tiny {{\text {def}}}}}\sum _{i=1,\dots ,q; t_i=0}|Y_i|_n\).

Fig. 3. OMAC-extension using an \(n\)-bit URP, \( \mathsf P \).

Fig. 4. Component functions of OMAC-extension. Here \(D\) and \(Q\) denote \(2L\) and \(4L\) with \(L= \mathsf P (0^n)\), and \(U\) is uniformly random over \(n\) bits.

To further analyze \(\text {OMAC-e}[ \mathsf P ]\), we introduce a set of ten functions, \( \mathbf Q = \{ \mathbf Q _{i}\}_{i=1,\dots ,10}\).

Definition 1

Let \( \mathbf Q _i:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) for \(i=1,2,3,4,7,8,9\) and let \( \mathbf Q _j:\{0,1\}^{n}\times \mathbb {N}\rightarrow (\{0,1\}^{n})^{>0}\) for \(j=5,6\), and let \( \mathbf Q _{10}:\{0,1\}^{n}\setminus \{0^n\}\rightarrow \{0,1\}^{n}\). These functions are defined as

where \( \mathsf P \) is an \(n\)-bit URP, and \(L= \mathsf P (0^n)\), and \( \mathtt{Rnd } _{1}\) and \( \mathtt{Rnd } _{2}\) are independent \(n\)-bit random sequences, and \(U\) is another random \(n\)-bit value. Here, \(G_{ \mathsf P ,U}(v,d)\) is \(v\oplus U\) if \(d=0\) and \((v\oplus U\Vert \mathsf P (v\wedge \alpha )\Vert \mathsf P ((v\wedge \alpha ) + 1)\Vert \dots \Vert \mathsf P ((v\wedge \alpha ) + (d-1)))\) if \(d>0\). The sampling procedures for \( \mathsf P , \mathtt{Rnd } _1, \mathtt{Rnd } _2\), and \(U\) are shared by all \( \mathbf Q _i\)s.

We also treat \( \mathbf Q \) as a tweakable function with tweak \(t\in \{1,\dots ,10\}\) by writing \( \mathbf Q (t,x,d)= \mathbf Q _{t}(x,d)\) when \(t\in \{5,6\}\) and otherwise \( \mathbf Q (t,x,d)= \mathbf Q _{t}(x)\). We can easily see that \(\text {OMAC-e}[ \mathsf P ]\) can be simulated with black-box access to \( \mathbf Q \), just as the \(Q\) functions in the proof of OMAC [9] simulate OMAC.

We next define \(\widetilde{ \mathbf Q } = \{\widetilde{ \mathbf Q }_{i}\}_{i=1,\dots ,10}\). For all \(i=1,\dots , 10\), \(\widetilde{ \mathbf Q }_i\) is compatible with \( \mathbf Q _i\).

Definition 2

Let \( \mathsf P _1,\dots , \mathsf P _4\) be four independent \(n\)-bit URPs. Let \( \mathsf R _7,\dots , \mathsf R _{10}\) be four independent \(n\)-bit URFs, and let \( \mathsf R _5\) and \( \mathsf R _6\) be two independent URFs with \(n\)-bit input and \((d_{\max }+1)n\)-bit output. Using them we define

where \( \mathsf R ^{d+1}_{i}(x) = \mathrm{{msb}}_{n(d+1)}( \mathsf R _{i}(x))\) for \(i=5,6\). Here \(d_{\max }\) is the maximum possible value of queried \(d\), which will be determined by the underlying game and the adversary’s parameter.

A function compatible with \( \mathbf Q \) is said to have \( \mathbf Q \) profile. An adversary querying a function of \( \mathbf Q \) profile is characterized by the number of queries, \(q\), and the total number of output \(n\)-bit blocks for \(t\in \{5,6\}\), \(\sigma _{\text {out}}\). The next lemma bounds the CPA-advantage in distinguishing \( \mathbf Q \) from \(\widetilde{ \mathbf Q }\).

Lemma 1

Let \(\mathcal{A}\) be the adversary querying a function of \( \mathbf Q \) profile with parameter list \((q,\sigma _{\text {out}})\). Then we have \( \mathtt{Adv }^{ {\mathtt{cpa }}}_{ \mathbf Q ,\widetilde{ \mathbf Q }}(\mathcal{A}) \le {(3.5q^2 + 10\sigma _{\text {out}}q + 2.5\sigma _{\text {out}}^2)}/{2^n}\).

The proof is given in the full version.

Step 2: Modified CBC-MAC. For any \(n\)-bit (keyed) permutations, \(G\) and \(G'\), let \(\text {CBC}_{G,G'}:(\{0,1\}^{n})^{>0}\rightarrow \{0,1\}^{n}\) be defined as

$$\begin{aligned} \text {CBC}_{G,G'}(X[1]\Vert \dots \Vert X[m]) = {\left\{ \begin{array}{ll} G(X[1]) &{} \text {if}~\text {m}=1\\ \text {CBC}_{G'}(G(X[1])\Vert X[2]\Vert \dots \Vert X[m]) &{} \text {if m}~\ge 2, \end{array}\right. } \end{aligned}$$

where \(\text {CBC}_{G'}\) is the standard CBC-MAC using \(G'\). We then define a function compatible with \(\text {OMAC-e}[ \mathsf P ]\), denoted by \(\mathbb {CBC}\). For any \(X\in \{0,1\}^{*}\), let \(w(X)=1\) if \(|X|\mathrm {~mod~}n\ne 0\) or \(X=\varepsilon \) and otherwise \(w(X)=0\). For \(|X|>n\), \(\mathbb {CBC}^{(0)}(X,d)\) is computed as follows.

  1. \(X[1]\Vert X[2]\Vert \dots \Vert X[m]\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {n}}} X\) and \(w \leftarrow w(X)\)

  2. \(Z \leftarrow \text {CBC}_{ \mathsf P _{1}, \mathsf P _{3}}(X[1]\Vert \dots \Vert X[m-1])\)

  3. Output \(Y\Vert S[1]\Vert \dots \Vert S[d] \leftarrow \mathsf R _{5+w}^{d+1}(Z\oplus \mathtt {bp} (X[m]))\)

Here, if \(d=0\) the output is \(Y\). Similarly, for \(X\in \{0,1\}^{*}\), \(\mathbb {CBC}^{(1)}(X)\) is computed as follows.

  1. \(X[1]\Vert X[2]\Vert \dots \Vert X[m]\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {n}}} X\) and \(w \leftarrow w(X)\)

  2. If \(|X|\le n\) output \(Y' \leftarrow \mathsf R _{9+w}( \mathtt {bp} (X))\),

  3. Otherwise \(Z' \leftarrow \text {CBC}_{ \mathsf P _{2}, \mathsf P _{4}}(X[1]\Vert \dots \Vert X[m-1])\), and output \(Y' \leftarrow \mathsf R _{7+w}(Z'\oplus \mathtt {bp} (X[m]))\).

The pseudo-code of \(\mathbb {CBC}\) (combining \(\mathbb {CBC}^{(0)}\) and \(\mathbb {CBC}^{(1)}\)) is presented in Fig. 5. Here, \({ \mathsf R }^{i}_j(X)\) for \(j=5,6\) denotes \(\text {msb}_{n i}({ \mathsf R }_j(X))\). One can simulate \(\text {OMAC-e}[ \mathsf P ]\) via black-box accesses to \( \mathbf Q \), including the final mask by \(U\). For example, to simulate \(\text {OMAC-e}[ \mathsf P ](0,N,2)\) for \(|N|=3n\), we first perform a partition, \(N[1]\Vert N[2]\Vert N[3]\mathop {\leftarrow }\limits ^{{\scriptscriptstyle {n}}} N\), and then proceed as (1) \(Y[1]\leftarrow \mathbf Q _1(N[1])\), (2) \(Y[2]\leftarrow \mathbf Q _3(N[2]\oplus Y[1])\), and (3) \(Y[3]\Vert S[1]S[2]\leftarrow \mathbf Q _5(N[3]\oplus Y[2])\). If \(|N[3]|=n-2\) then \( \mathbf Q _5(N[3]\oplus Y[2])\) is replaced with \( \mathbf Q _6(N[3]\Vert 10\oplus Y[2])\). For more examples, \(\text {OMAC-e}[ \mathsf P ](1,C,0)\) for \(|C|=n\) can be simulated via calling \( \mathbf Q _9(C)\). For \(|C|<n\), \(\text {OMAC-e}[ \mathsf P ](1,C,0)\) can be simulated via calling \( \mathbf Q _{10}( \mathtt {bp} (C))= \mathbf Q _{10}(C\Vert 10\dots 0)\). Formally, we have the following proposition.

Proposition 2

There exists a procedure \(h(\cdot )\) that uses \( \mathbf Q \) as a black box and perfectly simulates \(\text {OMAC-e}[ \mathsf P ]\), i.e. \(h( \mathbf Q )\equiv \text {OMAC-e}[ \mathsf P ]\). Moreover, we have \(h(\widetilde{ \mathbf Q })\equiv \mathbb {CBC}\) for this \(h(\cdot )\).

Let \({\mathbb {RND}}^{(0)}\) and \({\mathbb {RND}}^{(1)}\) be the independent random functions compatible with \(\text {OMAC-e}[ \mathsf P ]^{(0)}\) and \(\text {OMAC-e}[ \mathsf P ]^{(1)}\). Here, \({\mathbb {RND}}^{(0)}\) takes \((N,d)\in \{0,1\}^{>n}\times \mathbb {N}\) and samples \(Y\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}(\{0,1\}^n)^{d_{\max }+1}\) if \(N\) is new, and outputs \(\text {msb}_{n(d+1)}(Y)\), where \(d_{\max }\) is the same as for \(\mathbb {CBC}\). Similarly \({\mathbb {RND}}^{(1)}\) takes \(C\in \{0,1\}^{*}\) and outputs \(Y'\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{0,1\}^n\) if \(C\) is new. We define \({\mathbb {RND}}\) as a function consisting of \({\mathbb {RND}}^{(0)}\) and \({\mathbb {RND}}^{(1)}\) and taking \(t=0,1\) as a tweak. Then, we have the following lemma. The proof is given in the full version.
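As an added illustration that is not part of the paper, the following Python builds the idealized object \(\mathbb {CBC}\) from the three-step definitions above with lazily sampled URPs and URFs, the random pair \({\mathbb {RND}}\), and the procedures \(f_e\) and \(f_d\) of Proposition 1 following steps (1) to (5) of Step 1, so that one can run the simulated encryption over either object and check that decryption verifies the tag. It assumes byte-granular \( \mathtt {bp} \) padding, a tag length \(\tau =n\), and reads \(\text {CBC}_{G,G'}\) as "first block through \(G\), remaining blocks chained through \(G'\)", matching the \( \mathbf Q _1, \mathbf Q _3, \mathbf Q _5\) simulation example in the text.

```python
import secrets

n = 16  # block size in bytes (n = 128 bits in the paper)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class URP:  # lazily sampled n-byte uniform random permutation (P_1..P_4)
    def __init__(self):
        self.table, self.used = {}, set()
    def __call__(self, x):
        while x not in self.table:
            y = secrets.token_bytes(n)
            if y not in self.used:           # keep the map injective
                self.table[x] = y
                self.used.add(y)
        return self.table[x]

class URF:  # lazily sampled uniform random function, n-byte in, outlen-byte out
    def __init__(self, outlen):
        self.outlen, self.table = outlen, {}
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.token_bytes(self.outlen)
        return self.table[x]

def bp(x):  # 10* padding at byte granularity (assumption; the paper pads bits)
    return x if len(x) == n else x + b"\x80" + b"\x00" * (n - 1 - len(x))

def partition(x):  # n-byte blocks; the empty string is the single block epsilon
    return [x[i:i + n] for i in range(0, len(x), n)] or [b""]

def w(x):  # w(X) = 1 if |X| mod n != 0 or X is empty, else 0
    return 1 if (len(x) % n or not x) else 0

def cbc(G, Gp, blocks):
    # CBC_{G,G'}: first block through G, the rest CBC-chained through G'
    # (this reading matches the Q_1 -> Q_3 -> Q_5 simulation example in the text)
    y = G(blocks[0])
    for b in blocks[1:]:
        y = Gp(xor(y, b))
    return y

class CBC:  # the idealized OMAC-e-profile object of Step 2 (blackboard-bold CBC)
    def __init__(self, d_max):
        self.P = {i: URP() for i in (1, 2, 3, 4)}
        self.R = {i: URF(n) for i in (7, 8, 9, 10)}
        self.R[5], self.R[6] = URF((d_max + 1) * n), URF((d_max + 1) * n)
    def f0(self, X, d):  # CBC^(0)(X,d): Y||S[1..d] = R_{5+w}^{d+1}(Z xor bp(X[m]))
        assert len(X) > n, "cleartext must be longer than one block (Setup)"
        blocks, wx = partition(X), w(X)
        Z = cbc(self.P[1], self.P[3], blocks[:-1])
        return self.R[5 + wx](xor(Z, bp(blocks[-1])))[:(d + 1) * n]
    def f1(self, X):  # CBC^(1)(X): short inputs go straight to R_9/R_10
        blocks, wx = partition(X), w(X)
        if len(X) <= n:
            return self.R[9 + wx](bp(X))
        Zp = cbc(self.P[2], self.P[4], blocks[:-1])
        return self.R[7 + wx](xor(Zp, bp(blocks[-1])))

class RND:  # the random pair RND^(0), RND^(1) that CBC is compared against
    def __init__(self, d_max):
        self.d_max, self.t0, self.t1 = d_max, {}, {}
    def f0(self, N, d):  # fresh N: sample d_max+1 blocks, answer the prefix
        if N not in self.t0:
            self.t0[N] = secrets.token_bytes((self.d_max + 1) * n)
        return self.t0[N][:(d + 1) * n]
    def f1(self, C):
        if C not in self.t1:
            self.t1[C] = secrets.token_bytes(n)
        return self.t1[C]

def f_e(F, N, M, tau=n):  # f_e of Proposition 1, steps (1)-(5) of Step 1
    d = -(-len(M) // n)                   # d = |M|_n
    YS = F.f0(N, d)
    Y, S = YS[:n], YS[n:]
    C = xor(S[:len(M)], M)                # C = msb_{|M|}(S) xor M
    T = xor(Y, F.f1(C))[:tau]             # T = msb_tau(Y xor Y'), tau in bytes
    return C, T

def f_d(F, N, C, T, tau=n):  # f_d: recompute the tag, None on mismatch
    d = -(-len(C) // n)
    YS = F.f0(N, d)
    Y, S = YS[:n], YS[n:]
    return xor(S[:len(C)], C) if xor(Y, F.f1(C))[:tau] == T else None
```

Because \(\mathbb {CBC}\) and \({\mathbb {RND}}\) expose the same OMAC-e profile, the same `f_e`/`f_d` run unchanged over either one, which is exactly the substitution made between Eqs. (8) and (9).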

Lemma 2

Let \(\mathcal{A}\) be an adversary querying a function of OMAC-e profile with parameter list \((q,\sigma _{\text {in}},\sigma _{\text {out}})\). Then, \( \mathtt{Adv }^{ {\mathtt{cpa }}}_{\mathbb {CBC},{\mathbb {RND}}}(\mathcal{A})\le {2\sigma _{\text {in}}^2}/{2^n}\).

Step 3: Derivation of PRIV Bound. Combining the above lemmas and propositions, our PRIV bound is derived as follows. Let \(\mathcal{A}\) be the CPA-adversary against AE with parameter list \((q,\sigma _N,\sigma _M)\). Then there exist an adversary \(\mathcal{B}\) querying a function of OMAC-e profile with \(2q\) queries, \(\sigma _{\text {in}}=\sigma _N+\sigma _M\) input blocks, and \(\sigma _{\text {out}}=\sigma _M+2q\) output blocks, and an adversary \(\mathcal{C}\) querying a set of ten functions with \( \mathbf Q \) profile, using \(\sigma _N+\sigma _M\) queries and \(\sigma _M+q\) output \(n\)-bit blocks for queries with \(t=5,6\), such that

$$\begin{aligned}&\mathtt{Adv }^\mathtt{priv }_{\text {EAX}'[\text {Perm}(n)]}(\mathcal{A}) = \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P },\$}(\mathcal{A})= \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{f_e(\text {OMAC-e}[ \mathsf P ]),\$}(\mathcal{A})\end{aligned}$$
(7)
$$\begin{aligned}&\le \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{f_e(\text {OMAC-e}[ \mathsf P ]),f_e(\mathbb {CBC})}(\mathcal{A}) + \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{f_e(\mathbb {CBC}), f_e({\mathbb {RND}})}(\mathcal{A}) + \underbrace{ \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{f_e({\mathbb {RND}}),\$}(\mathcal{A})}_{=0} \end{aligned}$$
(8)
$$\begin{aligned}&\le \mathtt{Adv }^{ {\mathtt{cpa }}}_{\text {OMAC-e}[ \mathsf P ],\mathbb {CBC}}(\mathcal{B}) + \mathtt{Adv }^{ {\mathtt{cpa }}}_{\mathbb {CBC}, {\mathbb {RND}}}(\mathcal{B})\end{aligned}$$
(9)
$$\begin{aligned}&= \mathtt{Adv }^{ {\mathtt{cpa }}}_{h( \mathbf Q ),h(\widetilde{ \mathbf Q })}(\mathcal{B}) + \mathtt{Adv }^{ {\mathtt{cpa }}}_{\mathbb {CBC}, {\mathbb {RND}}}(\mathcal{B}) \end{aligned}$$
(10)
$$\begin{aligned}&\le \mathtt{Adv }^{ {\mathtt{cpa }}}_{ \mathbf Q ,\widetilde{ \mathbf Q }}(\mathcal{C})+ \frac{2(\sigma _N+\sigma _M)^2}{2^n} \end{aligned}$$
(11)
$$\begin{aligned}&\le \frac{3.5(\sigma _N+\sigma _M)^2 + 10(\sigma _M+q) (\sigma _N+\sigma _M) + 2.5(\sigma _M+q)^2}{2^n} + \frac{2(\sigma _N+\sigma _M)^2}{2^n} \end{aligned}$$
(12)
$$\begin{aligned}&\le \frac{18(\sigma _N+\sigma _M)^2}{2^n}=\frac{18\sigma _{\text {priv}}^2}{2^n}, \end{aligned}$$
(13)

as \(q \le \sigma _N\); thus \(\sigma _M+q\le \sigma _N+\sigma _M\), and the constants in Eq. (12) sum to \(3.5+10+2.5+2=18\). Here, the second equality in Eq. (7) follows from Proposition 1, Eq. (10) follows from Proposition 2, Eq. (11) follows from Lemma 2, and Eq. (12) follows from Lemma 1. In addition, \( \mathtt{Adv }^\mathtt{cpa\text {-}nr }_{f_e({\mathbb {RND}}),\$}(\mathcal{A})=0\) holds because when \(\mathcal{A}\) queries \((N,M)\) to \(f_e({\mathbb {RND}})\) the output is a subsequence of \({\mathbb {RND}}^{(0)}(N,|M|_n)\) with the first \(n\) bits XORed by the output of \({\mathbb {RND}}^{(1)}\) (whose input is a part of \({\mathbb {RND}}^{(0)}(N,|M|_n)\)). As \(N\) is always fresh, the output is always random. This concludes the proof of Theorem 1.

Step 4: Derivation of AUTH Bound. The AUTH bound is derived in a similar way. Let \(\mathbb {EAX}'\) be the AE algorithm compatible with \(\text {EAX}'[\text {Perm}(n)]\) using \(f_e({\mathbb {RND}})\) and \(f_d({\mathbb {RND}})\) for the encryption and decryption algorithms. We let \(\mathcal{A}\) be the CCA-adversary against AE with parameter list \((q,q_v,\sigma _N,\sigma _M,\sigma _{\widetilde{N}},\sigma _{\widetilde{C}})\). Then we have the following bound.

$$\begin{aligned} \mathtt{Adv }^\mathtt{auth }_{\mathbb {EAX}'}(\mathcal{A})\le q_v/2^\tau . \end{aligned}$$
(14)

The proof of Eq. (14) is given in the full version. Then there exist an adversary \(\mathcal{B}\) querying a function of OMAC-e profile with \(2(q+q_v)\) queries, \(\sigma _{\text {in}}=\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}}\) and \(\sigma _{\text {out}}=\sigma _M + 2q + \sigma _{\widetilde{C}} + 2q_v\), and an adversary \(\mathcal{C}\) querying a function of \( \mathbf Q \) profile with \(\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}}\) queries and \(\sigma _M+q+\sigma _{\widetilde{C}}+q_v\) output blocks for queries with \(t=5,6\), such that

$$\begin{aligned}&\mathtt{Adv }^\mathtt{auth }_{\text {EAX}'[\text {Perm}(n)]}(\mathcal{A})\nonumber \\&\le \mathtt{Adv }^\mathtt{cca\text {-}nr }_{(\text {EAX}'\text {-}\mathcal {E}_{ \mathsf P },\text {EAX}'\text {-}\mathcal {D}_{ \mathsf P }),(f_e({\mathbb {RND}}),f_d({\mathbb {RND}}))}(\mathcal{A}) + { \mathtt{Adv }^\mathtt{auth }_{\mathbb {EAX}'}(\mathcal{A})}\end{aligned}$$
(15)
$$\begin{aligned}&\le \mathtt{Adv }^\mathtt{cca\text {-}nr }_{(f_e(\text {OMAC-e}[ \mathsf P ]),f_d(\text {OMAC-e}[ \mathsf P ])),(f_e({\mathbb {RND}}),f_d({\mathbb {RND}}))}(\mathcal{A}) + \frac{q_v}{2^\tau } \end{aligned}$$
(16)
$$\begin{aligned}&\le \mathtt{Adv }^{ {\mathtt{cpa }}}_{\text {OMAC-e}[ \mathsf P ], {\mathbb {RND}}}(\mathcal{B}) + \frac{q_v}{2^\tau } \end{aligned}$$
(17)
$$\begin{aligned}&\le \mathtt{Adv }^{ {\mathtt{cpa }}}_{\text {OMAC-e}[ \mathsf P ], \mathbb {CBC}}(\mathcal{B}) + \mathtt{Adv }^{ {\mathtt{cpa }}}_{\mathbb {CBC}, {\mathbb {RND}}}(\mathcal{B}) + \frac{q_v}{2^\tau } \end{aligned}$$
(18)
$$\begin{aligned}&= \mathtt{Adv }^{ {\mathtt{cpa }}}_{h( \mathbf Q ),h(\widetilde{ \mathbf Q })}(\mathcal{B}) + \mathtt{Adv }^{ {\mathtt{cpa }}}_{\mathbb {CBC}, {\mathbb {RND}}}(\mathcal{B}) + \frac{q_v}{2^\tau } \end{aligned}$$
(19)
$$\begin{aligned}&\le \mathtt{Adv }^{ {\mathtt{cpa }}}_{ \mathbf Q ,\widetilde{ \mathbf Q }}(\mathcal{C}) + \frac{2(\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}})^2}{2^n} + \frac{q_v}{2^\tau } \end{aligned}$$
(20)
$$\begin{aligned}&\le \frac{3.5(\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}})^2 + 10(\sigma _M+q+\sigma _{\widetilde{C}}+q_v)(\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}})}{2^n}\nonumber \\&\quad + \frac{2.5(\sigma _M+q+\sigma _{\widetilde{C}}+q_v)^2}{2^n} + \frac{2(\sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}})^2}{2^n} + \frac{q_v}{2^\tau } \end{aligned}$$
(21)
$$\begin{aligned}&\le \frac{18\sigma _{\text {auth}}^2}{2^n} + \frac{q_v}{2^\tau }, \end{aligned}$$
(22)

since \(q\le \sigma _N\) and \(q_v\le \sigma _{\widetilde{N}}\), so that \(\sigma _M+q+\sigma _{\widetilde{C}}+q_v\le \sigma _N+\sigma _M+\sigma _{\widetilde{N}}+\sigma _{\widetilde{C}}\) and the constants in Eq. (21) again sum to \(18\). Here, Eq. (16) follows from Proposition 1 and Eq. (14), Eq. (19) follows from Proposition 2, Eq. (20) follows from Lemma 2, and Eq. (21) follows from Lemma 1. This concludes the proof of Theorem 2.

Fig. 5. \(\mathbb {CBC}\) using four \(n\)-bit URPs, four \(n\)-bit URFs, and two \(n\)-bit input, \((d_{\max }+1)n\)-bit output URFs.

7 Fixing the Flaw

There are several ways to fix the flaw of \(\text {EAX}'\) and make it a secure general-purpose AE accepting cleartexts of any length. Below we provide some of them, naming the result \(\text {EAX}''\). The idea is not to touch the inside of \(\text {EAX}'\) but to use it as a black box. We only propose the fixes for encryption, as the corresponding decryptions are straightforward.


  • Method 1: \(\text {EAX}''_1\text {-}\mathcal {E}_{K}(N,M) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}\text {EAX}'\text {-}\mathcal {E}_K(0^n \Vert N,M)\).

  • Method 2: Use two keys for \(E\), \(K\) and \(K'\), and let

    $$\begin{aligned} \text {EAX}''_2\text {-}\mathcal {E}_{K,K'}(N,M) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}{\left\{ \begin{array}{ll} \text {EAX}'\text {-}\mathcal {E}_K(N,M) &{} \text {if}~|\text {N}|> \text {n},\\ \text {EAX}'\text {-}\mathcal {E}_{K'}(0^n\Vert N,M) &{} \text {if}~|\text {N}|\le \text {n}, \end{array}\right. } \end{aligned}$$

    where \(K\) and \(K'\) are independent or \(K'=K\oplus \mathtt{cst }\) for a non-zero constant \(\mathtt{cst }\). The choice of \(\mathtt{cst }\) must be done with care to avoid related-key attacks. For instance, letting \(\mathtt{cst }=1^{|K|}\) seems natural while this is problematic with DES due to the complementary property of the key schedule. One option is to use a random-looking constant, say the first few digits of \(\pi \).

  • Method 3: Use a key for \(E\), \(K\), and an independent \(n\)-bit key, \(L\), and let

    $$\begin{aligned} \text {EAX}''_3\text {-}\mathcal {E}_{K,L}(N,M) \mathop {=}\limits ^{{\tiny {{\text {def}}}}}{\left\{ \begin{array}{ll} \text {EAX}'\text {-}\mathcal {E}_{K}(N,M) &{} \text {if}~|\text {N}|> \text {n},\\ \text {EAX}'\text {-}\mathcal {E}^{\oplus }_{K,L}(0^n\Vert N,M) &{} \text {if}~|\text {N}|\le \text {n}, \end{array}\right. } \end{aligned}$$

    where \(\text {EAX}'\text {-}\mathcal {E}^{\oplus }_{K,L}\) is \(\text {EAX}'\) encryption with blockcipher \(\widetilde{E}_{K,L}\) defined as \(\widetilde{E}_{K,L}(X) = E_K(X\oplus L)\).


The security bounds of the above methods are easily derived from the results of Theorems 1 and 2. For the latter option of Method 2 we also need a very restricted form of related-key security of \(E\), and for Method 3 we need the theory of tweakable blockciphers [11]. Each method has its own pros and cons: Method 1 is the simplest but needs additional blockcipher calls irrespective of \(|N|\). Methods \(2\) and \(3\) keep the original operation for \(|N|>n\), but need an additional key or a stronger security requirement on \(E\). We also warn that Method \(3\) allows a partial key recovery attack with birthday complexity.

8 Concluding Remarks

Practical Implications. Attacks like those described in this paper are often dismissed by non-cryptographers as “only theoretical” or as something that “doesn’t apply in practice”. Indeed, none of our attacks is applicable if the cleartext size exceeds \(n\) bits. But even if ANSI C12.22 prohibited any cleartexts of size \(n=128\) bits or shorter, including \(\text {EAX}'\) in the standard would be like an unexploded bomb – waiting to go off any time in the future. Remember that \(\text {EAX}'\) is intended for Smart Grid, i.e., for use in dedicated industrial systems such as electrical meters, controllers and appliances. It hardly seems reasonable to assume that every device will always carefully check cleartexts and plaintexts for validity and plausibility. Also, vendors may be tempted to implement their own nonstandard extensions avoiding “unnecessarily long” texts.

For a non-cryptographer, assuming a “decryption oracle” may seem strange – if there were such an oracle, why bother with message recovery attacks at all? However, experience shows that such theoretical attacks are often practically exploitable. For example, some error messages return the input that caused the error: “Syntax error in ‘xyzgarble’.” Even if the error message does not transmit the entire fake plaintext, any error message telling the attacker whether the fake message followed some syntactic conventions or not is potentially useful for the attacker. See [8] for an early example.

Also note that our forgery attacks allow a malicious attacker to create a large number of messages with given single-block cleartexts and random single-block plaintexts that appear to come from a trusted source, because the authentication succeeds. What the actual devices will do when presented with apparently valid random commands remains a matter of speculation.

Our Recommendation. Whenever possible, avoid adopting \(\text {EAX}'\) in new applications. If \(\text {EAX}'\) cannot be avoided, then it has to be implemented carefully so that one-block cleartexts are excluded. We note that specifying the minimum data length in standard documents does not necessarily prevent the adversary from using short cleartexts. Therefore, cleartext length checking mechanisms are needed at both the encryption and the decryption end. Alternatively, one can safely use \(\text {EAX}''\), which allows the re-use of \(\text {EAX}'\) implementations. Other provably secure authenticated encryptions, including the original EAX, are also safe options.