Paper 2026/1424
Repeated Masks, Predictable Splices: Breaking AESpolyW and Its AE Applications
Abstract
AESpolyW, proposed at IEEE S&P 2026, is a wide-block encryption mode designed to exploit instruction-level parallelism between AES and polynomial hashing. Although AESpolyW achieves high throughput and outperforms HCTR2 and EME on most tested platforms, we show that AESpolyW does not achieve strong tweakable-PRP security. Our attack requires only two encryption queries and one decryption query, and distinguishes AESpolyW from an ideal tweakable permutation with advantage close to one. We further show that this weakness directly compromises Encode-then-Encipher authenticated encryption (AE) instantiated with AESpolyW. For the appended-zero, prepended-zero, and inserted-zero variants, we construct fresh ciphertext forgeries that are accepted with probability one. The same attacks also yield chosen-ciphertext plaintext disclosure and complete IND-CCA breaks. These results are structural and do not rely on any weakness of AES, the polynomial hash, or PHASH.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- AESpolyWSplicing AttacksEncode-then-EncipherAuthenticated Encryption
- Contact author(s)
-
maoshuping19 @ mails ucas ac cn
p-wang @ ucas ac cn
hanjiadong25 @ mails ucas ac cn
guotingting @ nbut edu cn
jiayan2022 @ iie ac cn
ychen @ besti edu cn - History
- 2026-07-16: approved
- 2026-07-12: received
- See all versions
- Short URL
- https://ia.cr/2026/1424
- License
-
CC BY-NC-SA
BibTeX
@misc{cryptoeprint:2026/1424,
author = {Shuping Mao and Peng Wang and Jiadong Han and Tingting Guo and Yan Jia and Ying Chen},
title = {Repeated Masks, Predictable Splices: Breaking {AESpolyW} and Its {AE} Applications},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1424},
year = {2026},
url = {https://eprint.iacr.org/2026/1424}
}