A Simple Key-Recovery Attack on McOE-X

  • Florian Mendel
  • Bart Mennink
  • Vincent Rijmen
  • Elmar Tischhauser
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7712)


In this paper, we present a key-recovery attack on the online authenticated encryption scheme McOE-X proposed by Fleischmann et al. at FSE 2012. The attack is based on the observation that in McOE-X the key is changed for every block of message that is encrypted in a deterministic way. This allows an adversary to recover the key by using a standard time-memory trade-off strategy. On its best setting the attack has a complexity as low as 2 ·2n/2, while this should be 2n for a good scheme. Taking AES-128 as an example this would result in an attack with complexity of 265.


authenticated encryption McOE-X key-recovery attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online Ciphers and the Hash-CBC Construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: On-Line Ciphers and the Hash-CBC Constructions. Cryptology ePrint Archive, Report 2007/197 (2007)Google Scholar
  3. 3.
    Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. J. Cryptology 21(4), 469–491 (2008)MathSciNetMATHCrossRefGoogle Scholar
  4. 4.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Black, J., Cochran, M., Shrimpton, T.: On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 526–541. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An Analysis of the Blockcipher-Based Hash Functions from PGV. J. Cryptology 23(4), 519–545 (2010)MathSciNetMATHCrossRefGoogle Scholar
  8. 8.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Fleischmann, E., Forler, C., Lucks, S., Wenzel, J.: McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes (extended version). Cryptology ePrint Archive, Report 2011/644 (2011)Google Scholar
  10. 10.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)MathSciNetMATHCrossRefGoogle Scholar
  11. 11.
    Hirose, S.: Secure Block Ciphers Are Not Sufficient for One-Way Hash Functions in the Preneel-Govaerts-Vandewalle Model. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 339–352. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable Block Ciphers. J. Cryptology 24(3), 588–613 (2011)MathSciNetMATHCrossRefGoogle Scholar
  13. 13.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)Google Scholar
  14. 14.
    Quisquater, J.-J., Delescaille, J.-P.: How Easy Is Collision Search. New Results and Applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar
  15. 15.
    Rogaway, P., Shrimpton, T.: Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem. Cryptology ePrint Archive, Report 2006/221 (2006)Google Scholar
  16. 16.
    Rogaway, P., Zhang, H.: Online Ciphers from Tweakable Blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Florian Mendel
    • 1
    • 2
  • Bart Mennink
    • 1
  • Vincent Rijmen
    • 1
  • Elmar Tischhauser
    • 1
  1. 1.ESAT/COSIC and IBBTKatholieke Universiteit LeuvenBelgium
  2. 2.IAIKGraz University of TechnologyAustria

Personalised recommendations