Attacks and Security Proofs of EAX-Prime

  • Kazuhiko Minematsu
  • Stefan Lucks
  • Hiraku Morita
  • Tetsu Iwata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


\(\text {EAX}'\) (or EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function for Smart Grid. \(\text {EAX}'\) is based on EAX proposed by Bellare, Rogaway, and Wagner. While EAX has a proof of security based on the pseudorandomness of the internal blockcipher, no published security result is known for \(\text {EAX}'\). This paper studies the security of \(\text {EAX}'\) and shows that there is a sharp distinction in security of \(\text {EAX}'\) depending on the input length. \(\text {EAX}'\) encryption takes two inputs, called cleartext and plaintext, and we present various efficient attacks against \(\text {EAX}'\) using single-block cleartext and plaintext. At the same time we prove that if cleartexts are always longer than one block, it is provably secure based on the pseudorandomness of the blockcipher.


Authenticated encryption EAX \(\text {EAX}'\) Attack Provable security 


  1. 1.
  2. 2.
    Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B (2005)Google Scholar
  3. 3.
    American National Standard Protocol Specification For Interfacing to Data Communication Networks. ANSI C12.22-2008 (2008)Google Scholar
  4. 4.
    Measurement Canada, Specification for Local Area Network/Wide Area Network (LAN/WAN) Node Communication Protocol to Complement the Utility Industry End Device Data Tables. MC1222, 2009 (2009)Google Scholar
  5. 5.
    ANSI C12.22, IEEE 1703, and MC12.22 Transport Over IP. RFC 6142 (2011)Google Scholar
  6. 6.
    IEEE Standard for Local Area Network/Wide Area Network (LAN/WAN) Node Communication Protocol to Complement the Utility Industry End Device Data Tables. IEEE 1703–2012 (2012)Google Scholar
  7. 7.
    Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, Meier: [16], pp. 389–407Google Scholar
  8. 8.
    Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  9. 9.
    Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  10. 10.
    Iwata, T., Kurosawa, K.: Stronger security bounds for OMAC, TMAC, and XCBC. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 402–415. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  11. 11.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptology 24(3), 588–613 (2011)CrossRefMATHMathSciNetGoogle Scholar
  12. 12.
    Minematsu, K., Lucks, S., Morita, H., Iwata, T.: Cryptanalysis of EAX-Prime. DIAC - Directions in Authenticated Ciphers (2012).
  13. 13.
    Moise, A., Beroset, E., Phinney, T., Burns, M.: EAX’ cipher mode. NIST Submission, May 2011.
  14. 14.
    Rogaway, P.: Nonce-based symmetric encryption. In: Roy, Meier: [16], pp. 348–359Google Scholar
  15. 15.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  16. 16.
    Roy, B., Meier, W. (eds.): FSE 2004. LNCS, vol. 3017. Springer, Heidelberg (2004)MATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Kazuhiko Minematsu
    • 1
  • Stefan Lucks
    • 2
  • Hiraku Morita
    • 3
  • Tetsu Iwata
    • 3
  1. 1.NEC CorporationKawasaki-ShiJapan
  2. 2.Bauhaus-Universität WeimarWeimarGermany
  3. 3.Nagoya UniversityNagoyaJapan

Personalised recommendations