Generic Attack on Duplex-Based AEAD Modes Using Random Function Statistics

IACR Cryptol. ePrint Arch.(2023)

Abstract
Duplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound $2^{\frac{c}{2}}$, where $c$ is the capacity. However, this bound is not known to be tight, and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches $\frac{2^c}{\alpha}$, where $\alpha$ represents a small security loss factor. There is thus an uncertainty about the true extent of the security such constructions provide beyond the bound $2^{\frac{c}{2}}$. In this paper, we describe a new generic attack against several duplex-based AEAD modes. Our attack leverages random function statistics and produces a forgery in time complexity $\mathcal{O}(2^{\frac{3c}{4}})$ using negligible memory and no encryption queries. Furthermore, for some duplex-based modes, our attack recovers the secret key with a negligible amount of additional computation. Most notably, our attack breaks a security claim made by the designers of the NIST lightweight competition candidate Xoodyak. This attack is a step further towards determining the exact security provided by duplex-based constructions.
Keywords
Cryptanalysis, Symmetric cryptography, AEAD, Duplex-based constructions, NIST lightweight competition, Xoodyak, Random functions