A Simple Key-Recovery Attack on McOE-X

In this paper, we present a key-recovery attack on the online authenticated encryption scheme McOE-X proposed by Fleischmann et al. at FSE 2012. The attack is based on the observation that in McOE-X the key is changed for every block of message that is encrypted in a deterministic way. This allows an adversary to recover the key by using a standard time-memory trade-off strategy. On its best setting the attack has a complexity as low as 2 • 2n/2, while this should be 2n for a good scheme. Taking AES-128 as an example this would result in an attack with complexity of 265. © Springer-Verlag 2012.status: publishe