Abstract
AEZ is one of the third round candidates in the CAESAR competition. We observe that the tweakable blockcipher used in AEZ suffers from structural design issues in case one of the three 128-bit subkeys is zero. Calling these keys “weak,” we show that a distinguishing attack on AEZ with a weak key can be performed in at most five queries. Although the fraction of weak keys, around 3 out of every \(2^{128}\), seems to be too small to violate the security claims of AEZ in general, they do reveal unexpected behavior of the scheme in certain use cases. We derive a potential scenario, the “external key padding,” where a user of the authenticated encryption scheme pads the key externally before it is fed to the scheme. While for most authenticated encryption schemes this would affect the security only marginally, AEZ turns out to be completely insecure in this scenario due to its weak keys. These observations open a discussion on the significance of the “robustness” stamp, and on what it encompasses.