Abstract: International audience ; Duplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound 2c2, where c is the capacity. However this bound is not known to be tight and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches 2cα where α represents a small security loss factor. There is thus an uncertainty on the true extent of security beyond the bound 2c2 provided by such constructions. In this paper, we describe a new generic attack against several duplex-based AEAD modes. Our attack leverages random functions statistics and produces a forgery in time complexity O(23c4) using negligible memory and no encryption queries. Furthermore, for some duplex-based modes, our attack recovers the secret key with a negligible amount of additional computations. Most notably, our attack breaks a security claim made by the designers of the NIST lightweight competition candidate Xoodyak. This attack is a step further towards determining the exact security provided by duplex-based constructions.
No Comments.