Paper 2016/832

Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

Colin Chaigneau and Henri Gilbert

Abstract

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it may be interpreted as an indication that AEZ does not meet in all respects the objective of being a highly conservative and misuse-resilient algorithm.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in FSE 2017
Keywords
CAESAR competitioncryptanalysisauthenticated encryptionAEZkey recovery
Contact author(s)
colin chaigneau @ uvsq fr
henri gilbert @ ssi gouv fr
History
2016-08-30: received
Short URL
https://ia.cr/2016/832
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/832,
      author = {Colin Chaigneau and Henri Gilbert},
      title = {Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?},
      howpublished = {Cryptology ePrint Archive, Paper 2016/832},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/832}},
      url = {https://eprint.iacr.org/2016/832}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.