International Association
for Cryptologic Research

\\paes~is an authenticated encryption scheme designed by Ye {\\it et al.},

and submitted to the CAESAR competition.

The designers claim that \\paese, which is one of the designs of the \\paes-family,

provides 128-bit security in the nonce misuse model.

In this note, we show our forgery attack against \\paese.

Our attack works in the nonce misuse model.

The attack exploits the slow propagation of message differences.

The attack is very close to the universal forgery attack.

As long as the target message is not too short, {\\it e.g.} more than 10 blocks (160 bytes),

a tag is forged only with $2^{11}$ encryption oracle calls, $2^{11}$ computational cost, and negligible memory.