In this paper, we present a key-recovery attack on the online authenticated encryption scheme McOE-X proposed by Fleischmann et al. at FSE 2012. The attack is based on the observation that in McOE-X the key is changed for every block of message that is encrypted in a deterministic way. This allows an adversary to recover the key by using a standard time-memory trade-off strategy. On its best setting the attack has a complexity as low as 2 · 2~(n/2), while this should be 2~n for a good scheme. Taking AES-128 as an example this would result in an attack with complexity of 2~(65).
展开▼
