Weak Keys for AEZ, and the External Key Padding Attack
Abstract
AEZ is one of the third round candidates in the CAESAR competition. We observe that the tweakable blockcipher used in AEZ suffers from structural design issues in case one of the three 128-bit subkeys is zero. Calling these keys “weak,” we show that a distinguishing attack on AEZ with a weak key can be performed in at most five queries. Although the fraction of weak keys, around 3 out of every \(2^{128}\), seems to be too small to violate the security claims of AEZ in general, the weak keys do reveal unexpected behavior of the scheme in certain use cases. We derive a potential scenario, the “external key padding,” where a user of the authenticated encryption scheme pads the key externally before it is fed to the scheme. While for most authenticated encryption schemes this would affect the security only marginally, AEZ turns out to be completely insecure in this scenario due to its weak keys. These observations open a discussion on the significance of the “robustness” stamp, and on what it encompasses.
