International Association
for Cryptologic Research

EAX$\'$ (EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function for Smart Grid.

EAX$\'$ is based on EAX proposed by Bellare, Rogaway, and Wagner.

While EAX has a proof of security based on the pseudorandomness of the internal blockcipher, no published security result is known for EAX$\'$.

This paper studies the security of EAX$\'$ and shows that there is a sharp distinction in security of EAX$\'$ depending on the input length. EAX$\'$ encryption takes two inputs, called cleartext and plaintext,

and we present various efficient attacks against EAX$\'$ using single-block cleartext and plaintext.

At the same time we prove that if cleartexts are always longer than one block, it is provably secure

based on the pseudorandomness of the blockcipher.