Attacks and Security Proofs of EAX-Prime

\(\text {EAX}'\) (or EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function for Smart Grid. \(\text {EAX}'\) is based on EAX proposed by Bellare, Rogaway, and Wagner. While EAX has a proof of security based on the pseudorandomness of the internal blockcipher, no published security result is known for \(\text {EAX}'\). This paper studies the security of \(\text {EAX}'\) and shows that there is a sharp distinction in security of \(\text {EAX}'\) depending on the input length. \(\text {EAX}'\) encryption takes two inputs, called cleartext and plaintext, and we present various efficient attacks against \(\text {EAX}'\) using single-block cleartext and plaintext. At the same time we prove that if cleartexts are always longer than one block, it is provably secure based on the pseudorandomness of the blockcipher.