This paper studies the security of EAX$'$ and shows that there is a sharp distinction in security of EAX$'$ depending on the input length. EAX$'$ encryption takes two inputs, called cleartext and plaintext, and we present various efficient attacks against EAX$'$ using single-block cleartext and plaintext. At the same time we prove that if cleartexts are always longer than one block, it is provably secure based on the pseudorandomness of the blockcipher.
Category / Keywords: Authenticated Encryption, EAX, EAX$'$, Attack, Provable Security Date: received 11 Jan 2012, last revised 13 May 2013 Contact author: k-minematsu at ah jp nec com Available format(s): PDF | BibTeX Citation Note: The previous title was "Cryptanalysis of EAXprime". A part of the result was presented at DIAC, and a preliminary version of this paper appears in the proceedings of FSE 2013. This is the full version. Version: 20130514:042359 (All versions of this report) Short URL: ia.cr/2012/018