# The LOCAL Attack: Cryptanalysis of the Authenticated Encryption Scheme ALE

## Abstract

We show how to produce a forged (ciphertext, tag) pair for the scheme ALE with data and time complexity of \(2^{102}\) ALE encryptions of short messages and the same number of authentication attempts. We use a differential attack based on a local collision, which exploits the availability of extracted state bytes to the adversary. Our approach allows for a time-data complexity tradeoff, with an extreme case of a forgery produced after \(2^{119}\) attempts and based on a single authenticated message. Our attack is further turned into a state recovery and a universal forgery attack with a time complexity of \(2^{120}\) verification attempts using only a single authenticated 48-byte message.

## 1 Introduction

Cryptanalysis and design of authenticated encryption primitives are getting renewed interest, not least because of the CAESAR initiative [1]. Recently, at DIAC 2012 and FSE 2013, a proposal named ALE was presented by Bogdanov et al. [6]. ALE provides online single-pass encryption and authentication functionality with optional processing of associated data in a single primitive. The design borrows well tested ideas from Pelican-MAC [9] and the AES-based stream-cipher LEX [3]. From an implementation point of view it is an attractive proposal as it both lends itself to lightweight hardware implementation, and at the same time offers very high speed software implementations on platforms with AES instructions available.

The designers claim 128-bit security against state recovery, key recovery, or forgery attacks, under the assumptions that nonces are not re-used. Our cryptanalysis suggests that the security against forgery and state recovery attacks is less than expected and claimed. Even though the designers limited the amount of data that can be authenticated or both authenticated and encrypted to \(2^{45}\) bytes, our forgery attack will likely succeed. In fact, for a variant of our approach, as little as 32 bytes of available data are enough. Furthermore our approach can be extended to recover the full 256-bit internal state of ALE.

* Our methods.* We use differential cryptanalysis despite the designers’ intention of making these attacks unlikely. Their motivation comes from the good properties of the AES round function when iterated a few times, leading to very low bounds for the probability of differential characteristics and differentials. Study of so-called extinguishing differentials in the context of Pelican-MAC backs up this analysis.

Our attack uses differentials of a particular type, called “local collisions”, as they lead to the same tags for different plaintexts. These seem to have been first used in the collision search of SHA-0 [7], and more recently in related-key key-recovery attacks on AES-192 and AES-256 [4], and are also related to the aforementioned extinguishing differentials from the security analysis of Pelican-MAC [9]. However, as we discovered, using information that is leaked via the ciphertext these local collisions can be constructed much faster than expected, in turn leading to forgery attacks. Because of these properties, we call our method the **LOCAL** method: “LOcal-Collision Amplification via Leakage”.

* Outline of the paper and our results.* We give a short introduction into the state of the art in the authenticated encryption in Sect. 2. We also provide a detailed description of ALE and discuss its similarities and differences to LEX. Then we proceed with the description of our attack in Sect. 3. We show that each encrypted message has many counterparts which yield the same tag with probability from \(2^{-119}\) to \(2^{-102}\). Hence we can use a time-data tradeoff and demonstrate the fastest attack when \(2^{102}\) messages are available, and the slowest with complexity \(2^{119}\) when only a single message is available. In Sect. 4 we turn this attack into a stronger attack, allowing for state recovery and hence universal forgery. We discuss various repair strategies in Sect. 5 and conclude that a version of ALE resistant to our attack would have to suffer about 30 % in performance.

## 2 Authenticated Encryption Schemes and ALE

Confidentiality (inability to distinguish the ciphertext from a random string);

Ciphertext integrity (inability to find a valid pair (ciphertext, tag)).

Since at least the year of 2000, cryptographers have tried to design an authenticated encryption scheme, which would use a single key and would be at least as efficient as Encrypt-then-MAC. The research went in two directions. The first one deals with new modes of operation which use an arbitrary block cipher. The ISO standards GCM, CCM, and OCB are typical examples [16]. The patented OCB mode runs almost as fast as the counter encryption mode, which yields the speed below one cycle per byte on modern CPUs if used with AES [12]. The second approach deals with dedicated AE schemes, such as Nessie submissions like Helix or Sober-128, the eStream candidate Phelix, or Grain128a. Both approaches typically use probabilistic encryption to achieve confidentiality, and nonces are the usual source of randomness.

Modern authenticated encryption schemes are also able to authenticate so called *associated data* (AD) without encrypting it [15]. A typical application is Internet packets, whose contents are encrypted, whereas headers are not for routing purposes, while they still should be bound to the encrypted data.

*It is customary to use the following syntax for a nonce-based authenticated encryption scheme with associated data. The encryption function \(\mathcal {E}\) operates as follows:*

**Syntax of authenticated encryption.*** Attack model.* Though particular applications may have their own restrictions, the security of the authenticated encryption scheme is defined with respect to a quite powerful adversary [15]. She may ask almost arbitrary requests to encryption and decryption oracles, with the main restriction that nonces do not repeat in encryption requests (so called nonce-respective adversary). Usually, no security is offered if the sender reuses the nonce. However, the receiver usually does not have technical means to check whether the nonce has not been used in another communication. Hence an adversary may ask to decrypt several tuples \((C,N,A)\) with the same nonce (authenticating herself to distinct receivers if needed). A secure authenticated encryption scheme returns \(\perp \) even in this case.

*forgery*, if she is able to submit a tuple \((C,N,A)\) to the decryption oracle such that

It does not return \(\perp \).

There have been no encryption request which contained \(N\) and \(A\) and returned \(C\).

*universal forgery*if she indeed can choose the message at her own, and an

*existential forgery*if she cannot.

**Description of ALE**

The authenticated encryption scheme ALE [6] is a dedicated scheme, which uses components of the AES-128 block cipher [8].

*AES-128 operates on a 16-byte block, which is traditionally represented as a matrix:*

**AES.**SubBytes (SB) — nonlinear bytewise transformation. Each byte enters a so called S-box (the same for the whole cipher). S-box has a maximal differential probability of \(2^{-6}\) (four conforming inputs), but the majority of differentials have probability of either \(2^{-7}\) or zero;

ShiftRows (SR) — rotates row \(i\) in the array (counting from 0) by \(i\) positions to the left;

MixColumns (MC) — linear columnwise transformation. Is invertible, has branch number 5, i.e. two inputs differing in \(k\) bytes have outputs differing in at least \(5-k\) bytes, and vice versa.

* ALE.* ALE encrypts plaintexts up to \(2^{45}\) bytes long. The nonces and keys are 128-bit strings. The encryption proceeds as follows (Fig. 1). During

*the initialization phase*the 128-bit nonce \(N\) is encrypted on the 128-bit master key \(K\) to produce the temporary key \(K_1\). The zero 128-bit string is encrypted on \(K\) to produce the temporary state \(S_1\). The state \(S_1\) is then encrypted on \(K_1\) with 10 AES rounds. The last subkey of the latter encryption is denoted by \(K_2\).

The associated data is appropriately padded and split into 16-byte blocks. The *associated data phase* alternates injecting the AD blocks into the state with encrypting the state with 4 AES rounds. The AD blocks are 16 bytes long and are simply xored into the internal state. The encryption subkeys are taken from the AES key schedule algorithm applied to \(K_2\) and extended for as many rounds as needed (the original paper is a bit vague on the details, and we’ll return to this issue in Sect. 4). This process continues in the message processing phase.

The message is partitioned into 16-byte blocks. For the sake of simplicity, we consider only the case where the message byte length is a multiple of 16. Then the *message processing phase* alternates groups of four leaking rounds with message block injections. Every odd round the scheme extracts bytes 0, 2, 8, 10, and every even round it extracts bytes 4, 6, 12, 14. The bytes are extracted after the SubBytes operation.

A message block is xored to the internal state and is simultaneously xored to the last 16 bytes extracted, which forms a new block of ciphertext \(C\). After the full message is processed, the scheme encrypts the state with four rounds using the previous subkeys, xors 0x70 to byte 0, and encrypts the state again with the key \(K\) for the full 10 rounds of AES-128. The result is declared the authentication tag \(T\).

* Security claims.* ALE designers claim the following:

*“Any forgery attack not involving key recovery/internal state recovery has a success probability at most*\(2^{-128}\)”.

*Differences between LEX and ALE and design weaknesses.* ALE inherited a lot from the stream cipher LEX [3], which generates the keystream also by outputting specific bytes of the AES internal state. There are two crucial differences between them apart of the authentication option: first, LEX uses the same key in all its 10-group rounds, and second, LEX does not feed any data to the internal state. The former property led to distinguishing attacks on LEX based on colliding states [10]. Distinct keys in ALE make these attacks irrelevant.

However, the latter difference actually weakens the design, as the attacker is now able to manipulate the internal state, whose contents he has just observed via leakage. Even though the extracted bytes and the message injections are separated by subkey additions, a classical differential analysis bypasses this countermeasure, as we see below.

## 3 Forgery Attack

* Outline.* In this section we demonstrate a forgery attack on ALE. Our goal is to produce a fresh tuple \((C,N,A)\) that does not decrypt to \(\perp \) (here \(C\) includes the tag \(T\)). An adversary first asks for the encryption of some messages, and then attempts to forge the tag by modifying ciphertexts. Even though nonces repeat in forgery attempts, they do not repeat in encryption requests. Therefore, our attack operates in a standard model.

*The attack proceeds as follows. We ask for the encryption of a message \(M = (M_1,M_2)\):*

**Attack overview.***known-plaintext*as long as the plaintexts are at least two blocks long. Then we attempt to construct a pair of differences \(\varDelta =(\varDelta _1,\varDelta _2)\), which yields a

*local collision*in ALE if being applied to \((M_1,M_2)\), meaning that the two differences compensate each other. If the local collision property holds, the authentication tag remains the same, and the ciphertext is simply xored with \(\varDelta _C = (\varDelta _1,\varDelta _2,0^{128})\):

The designers of ALE supposedly ruled out such an attack, since the group of four rounds of AES between the message injection benefits from the wide trail strategy. The latter concept enables to prove that any 4-round differential trail activates at least 25 S-boxes, which yields the maximum probability of \(2^{-25\cdot 6} = 2^{-150}\). It should make any differential event, including the local collision, highly unlikely. However, this idea does not take into account the fact that as many as 16 bytes from the internal states have been extracted during these four rounds. Since they are known to the adversary, he can select the differential trail so that it has higher probability than the wide trail strategy offers. A differential trail is easily converted to a verification attempt.

* Attack details.* First we note that the extracted bytes are the S-box outputs (the inputs would work too). Hence whenever a trail activates an S-box whose value is extracted, the difference propagation is deterministic in this S-box, and it does not add a factor to the total probability. Thus we attempt to find a trail that has low weight and this weight consists of as many “extraction” S-boxes as possible.

These trails can be constructed online very quickly in the start-from-the-middle framework [13]. We select a random difference in state \(\#3\) and expand it in both directions. Whenever we encounter extraction S-boxes or MixColumns, the difference evolves deterministically. For each active non-extraction S-box we select an output difference so that the differential probability equals the maximum \(2^{-6}\). Eventually, we obtain values of \(\varDelta _1\) and \(\varDelta _2\). Hence for every extraction tuple it is easy to obtain a differential trail that holds with probability \(2^{-17\cdot 6} = 2^{-102}\).

Therefore, for each encrypted 2-block message we can construct a counterpart that yields the same authentication tag with probability \(2^{-102}\). Hence we can construct a forgery for ALE with complexity of \(2^{102}\) ALE encryptions of two-block messages and \(2^{102}\) verification attempts. While it is enough to constitute a weakness in ALE, the data complexity should be reduced further to match the design restrictions.

* Reducing the data complexity.* The specification [6] requires that no more than \(2^{40}\) 2-block messages be authenticated with a single key. In order to match this condition, we use a simple tradeoff by allowing some \(r\le 17\) S-boxes in a trail to have non-maximal differential probability. Instead of one choice per S-box, we now have \(2^7\) choices per non-optimal S-box, and hence many more trails for the same message. The value \(r=8\) yields \(\left( {\begin{array}{c}17\\ 8\end{array}}\right) 2^{56} \approx 2^{70.5}\) trails with probability \(2^{-110}\). Hence we can use \(2^{40}\) plaintexts to generate \(2^{110.5}\) verification attempts with the total attack probability close to 1. By further increasing \(r\) we can work with very low data complexity up to the extreme case of one message block, where we have to use all the degrees of freedom in each S-box so that the attack complexity increases to \(2^{7\cdot 17} = 2^{119}\).

The memory complexity of our attack is negligible, as we store only several AES internal states and the S-box difference distribution table.

## 4 Turning the Forgery into a State Recovery Attack

The fact that the forgery from above is the result of a differential attack reveals much information about the internal state. Indeed, as long as the differential trail holds, each active S-boxes takes at most 4 possible values (2 if the probability is \(2^{-7}\)). Hence we obtain at least \(12\cdot 7+ 4\cdot 8 = 116\) bits of information about the state \(\#1\). This may seem insufficient to fully recover the state and the key, as they take 256 bits altogether.

It is easy to see that we can derive \(K_b[0\ldots 11]\) and \(F(K_a[12\ldots 15])\) from \(K_a\oplus K_b\), which easily yields the full \(K_b\). Since the key schedule is invertible, we can recover all the subkeys used in ALE. Furthermore, we obtain \(S_1 = E_K(0)\) and \(K_1 = E_K(N)\), where \(K\) is the master key and \(N\) is the nonce. While we cannot recover the master key, we have got enough information to encrypt and authenticate any message with nonce \(N\).

* Attack complexity.* From Sect. 3 we have that the first local collision can be obtained in time from \(2^{102}\) to \(2^{119}\), depending on the amount of available data (Sect. 3). However, for the second collision we are restricted to the same message. Hence we have to test possible differential trails one by one till we find one that yields the local collision. The complexity of this step is equal to that of the forgery attack with a single message — \(2^{119}\). As soon as both local collisions are constructed, the state recovery takes negligible time, as we only have to test \(2^{24}\) state values conforming to the active S-boxes. The memory complexity is also negligible. The total time complexity equals \(2^{120}\) forgery attempts of \(48\)-byte messages.

## 5 Strengthening ALE

Another countermeasure could be to decrease the number of extracted bytes. If only 3 bytes are extracted at each round, so that 12 bytes are injected, it might be difficult to construct a trail that yields a local collision. A much more elaborate analysis is needed to investigate this option. Still, it would give quite a penalty on the performance, but not that big as using 6 rounds instead of 4.

Summary of attacks on ALE

Data | Verification attempts | Memory | Security claim |
---|---|---|---|

Forgery | |||

\(2^{102} \) | \(2^{102}\) | negl. | not violated |

\(2^{40}\) | \(2^{110}\) | negl. | violated |

1 | \(2^{119}\) | negl. | violated |

1 | 1 | negl. | violated, success rate \(2^{-102}\) |

State recovery | |||

1 | \(2^{120}\) | negl. | violated |

## 6 Conclusion

We have demonstrated how to construct forgeries for ALE within the security claim limits. We show that the mere weight of a differential trail is a poor measure of the scheme resistance to differential attack as long as the values of active S-boxes are partially extracted or leaked. By choosing the trail values according to the extracted bytes, we can amplify its probability and eventually construct a forgery using \(2^{45}\) encrypted messages and \(2^{110}\) time. The inability of the receiver in a general case to avoid the nonce reuse enables us to reconstruct the internal state of the encryption out of two forgeries on the same message, which in turn leads to the universal forgery attack. One can hence say that ALE, similarly to GCM, has high reforgeability [5].

We have also proposed several ways to strengthen ALE against our attack, which include a larger number of rounds and a different leakage scheme (Table 1)

## Notes

### Acknowledgements

We thank Florian Mendel and the anonymous reviewers for helpful comments.

### References

- 1.
- 2.Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000) Google Scholar
- 3.Biryukov, A.: The design of a stream cipher LEX. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 67–75. Springer, Heidelberg (2007)Google Scholar
- 4.Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009) Google Scholar
- 5.Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009)Google Scholar
- 6.Bogdanov, A., Mendel, F., Regazzoni, F., Rijmen, V., Tischhauser, E.: ALE: AES-based lightweight authenticated encryption. In: FSE’13, to appear (2013)Google Scholar
- 7.Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998) Google Scholar
- 8.Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)Google Scholar
- 9.Daemen, J., Rijmen, V.: The pelican MAC function. IACR Cryptology ePrint Archive 2005: 88 (2005)Google Scholar
- 10.Dunkelman, O., Keller, N.: A new attack on the LEX stream cipher. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 539–556. Springer, Heidelberg (2008) Google Scholar
- 11.Jakimoski, G., Khajuria, S.: ASC-1: an authenticated encryption stream cipher. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 356–372. Springer, Heidelberg (2012)Google Scholar
- 12.Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011) Google Scholar
- 13.Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson Jr, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009)Google Scholar
- 14.Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.: The rebound attack: cryptanalysis of reduced whirlpool and grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)Google Scholar
- 15.Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security’02, pp. 98–107 (2002)Google Scholar
- 16.ISO/IEC 19772 JTC 1 SC 27. Information technology – Security techniques – Authenticated encryption (2009)Google Scholar