
On the Security of the LAC Authenticated Encryption Algorithm

Conference paper
Information Security and Privacy (ACISP 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9723)


Abstract

The LAC authenticated encryption algorithm was a candidate in the CAESAR competition on authenticated encryption and follows the design of the ALE authenticated encryption algorithm. In this paper, we show that the security of LAC depends greatly on two parameters, the maximum message length and the order in which the last message block is padded, by cryptanalysing variants of LAC that differ from the original only in these two points. For these LAC variants, we present a structural state recovery attack in the nonce-respecting scenario. The attack is independent of the underlying block cipher, requires only chosen queries to the encryption and tag generation oracles, and recovers an internal state of the initialization phase for one of the Public Message Numbers (PMNs) used, at a cost lower than exhaustive key search; the recovered internal state can then be used to mount an existential forgery attack under this PMN. In addition, at a cost slightly above exhaustive key search, the state recovery attack applies to the LAC variant that differs from LAC only in the order of padding the last message block. Although the state recovery attack does not apply to the original LAC, it sheds some light on this type of structure and shows that an authenticated encryption algorithm with such a structure, or a similar one, may be weakened when it is misused, deliberately or accidentally, with the reverse message padding order and a different maximum message length; users should therefore be careful about these two points when employing such a structure in practice.


Notes

  1. An equivalent of this point under our attack is that the position of the most significant 24 bits of the output of the eighth round of the \(\widehat{\mathbf {G}}\) operation is exchanged with the position of the most significant 24 bits of the output of the sixteenth round of the \(\widehat{\mathbf {G}}\) operation (without reversing the message padding order), that is, \((X_{17}[9\sim 32]||X_9[9\sim 32])\).

  2. Note that \((PMN_i, PMN_j)\) is a permutation, rather than a combination. Thus, \((PMN_i, PMN_j)\) and \((PMN_j, PMN_i)\) are different.

  3. Likewise, \((\widehat{PMN}_p, \widehat{PMN}_q)\) is a permutation, so \((\widehat{PMN}_p, \widehat{PMN}_q)\) and \((\widehat{PMN}_q, \widehat{PMN}_p)\) are different.


Acknowledgments

The author is grateful to Prof. Wenling Wu and Lei Zhang for their discussions on an earlier version of this work, and to Prof. Yongzhuang Wei and the Natural Science Foundation of China (No. 61572148) for their support.

Author information

Correspondence to Jiqiang Lu.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Lu, J. (2016). On the Security of the LAC Authenticated Encryption Algorithm. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_25


  • DOI: https://doi.org/10.1007/978-3-319-40367-0_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40366-3

  • Online ISBN: 978-3-319-40367-0

  • eBook Packages: Computer Science (R0)
