ALE: AES-Based Lightweight Authenticated Encryption

  • Andrey Bogdanov
  • Florian MendelEmail author
  • Francesco Regazzoni
  • Vincent Rijmen
  • Elmar Tischhauser
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


In this paper, we propose a new Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an online single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.

We provide an optimized low-area implementation of ALE in ASIC hardware and demonstrate that its area is about 2.5 kGE which is almost two times smaller than that of the lightweight implementations for AES-OCB and ASC-1 using the same lightweight AES engine. At the same time, it is at least 2.5 times more performant than the alternatives in their smallest implementations by requiring only about 4 AES rounds to both encrypt and authenticate a 128-bit data block for longer messages. When using the AES-NI instructions, ALE outperforms AES-GCM, AES-CCM and ASC-1 by a considerable margin, providing a throughput of 1.19 cpb close that of AES-OCB, which is a patented scheme. Its area- and time-efficiency in hardware as well as high performance in high-speed parallel software make ALE a promising all-around AEAD primitive.


Authenticated encryption Lightweight cryptography AES 



The authors thank Axel Poschmann for providing the reference implementation of the AES algorithm. Part of this work was done while Andrey Bogdanov and Florian Mendel were with KU Leuven. The work has been supported in part by the Austrian Science Fund (FWF), project TRP 251-N23 and by the Research Fund KU Leuven, OT/08/027.


  1. 1.
    ISO/IEC 19772:2009. Information Technology - Security techniques - Authenticated Encryption (2009)Google Scholar
  2. 2.
    Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. IJWMC 5(1), 48–59 (2011)CrossRefGoogle Scholar
  3. 3.
    Akdemir, K., Dixon, M., Feghali, W., Fay, P., Gopal, V., Guilford, J., Erdinc Ozturk, G.W., Zohar, R.: Breakthrough AES Performance with Intel AES New Instructions. Intel white paper, January 2010Google Scholar
  4. 4.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: a lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  5. 5.
    Babbage, S., Dodd, M.: The MICKEY stream ciphers. In: Robshaw and Billet [37], pp. 191–209Google Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference. Submission to NIST (Round 3), January 2011.
  8. 8.
    Biryukov, A.: design of a new stream cipher-LEX. In: Robshaw and Billet [37], pp. 48–56Google Scholar
  9. 9.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: Spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  10. 10.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  11. 11.
    Bouillaguet, C., Derbez, P., Fouque, P.A.: Automatic search of attacks on round-reduced AES and applications. In: Rogaway [38], pp. 169–187Google Scholar
  12. 12.
    Canright, D.: A very compact S-box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  13. 13.
    Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: The Pelican MAC Function. Cryptology ePrint Archive, Report 2005/088 (2005)Google Scholar
  15. 15.
    Daemen, J., Rijmen, V.: Refinements of the ALRED construction and MAC security claims. IET Inf. Secur. 4(3), 149–157 (2010)CrossRefGoogle Scholar
  16. 16.
    De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — a family of small and efficient hardware-oriented block ciphers. In: Clavier, Ch., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    De Cannière, C., Preneel, B.: Trivium. In: Robshaw and Billet [37], pp. 244–266Google Scholar
  18. 18.
    Dunkelman, O., Keller, N.: An improved impossible differential attack on MISTY1. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 441–454. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  19. 19.
    Dunkelman, O., Keller, N., Shamir, A.: ALRED Blues: New Attacks on AES-Based MAC’s. Cryptology ePrint Archive, Report 2011/095 (2011)Google Scholar
  20. 20.
    Dworkin, M.: Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication, Gaithersburg (2001)Google Scholar
  21. 21.
    Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The Hummingbird-2 lightweight authenticated encryption algorithm. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 19–31. Springer, Heidelberg (2012) Google Scholar
  22. 22.
    Englund, H., Hell, M., Johansson, T.: A note on distinguishing attacks. In: Pre-proceedings of State of the Art of Stream Ciphers workshop (SASC 2007), Bochum, Germany, pp. 73–78 (2007)Google Scholar
  23. 23.
    Gueron, S.: Intel Advanced Encryption Standard (AES) Instructions Set. Intel white paper, January 2010Google Scholar
  24. 24.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway [38], pp. 222–239Google Scholar
  25. 25.
    Hell, M., Johansson, T., Maximov, A., Meier, W.: The Grain family of stream ciphers. In: Robshaw and Billet [37], pp. 179–190Google Scholar
  26. 26.
    Hong, D., Sung, J., Hong, S.H., Lim, J.-I., Lee, S.-J., Koo, B.-S., Lee, C.-H., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J.-S., Chee, S.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  27. 27.
    Hong, S.H., Lee, S.-J., Lim, J.-I., Sung, J., Cheon, D.H., Cho, I.: Provable security against differential and linear cryptanalysis for the SPN structure. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 273–283. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  28. 28.
    Jakimoski, G., Khajuria, S.: ASC-1: an authenticated encryption stream cipher. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 356–372. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  29. 29.
    Kavun, E.B., Yalcin, T.: A lightweight implementation of Keccak hash function for radio-frequency identification applications. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 258–269. Springer, Heidelberg (2010) Google Scholar
  30. 30.
    Leander, G., Paar, C., Poschmann, A., Schramm, K.: New lightweight DES variants. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  31. 31.
    Lim, C.H., Korkishko, T.: mCrypton – a lightweight block cipher for security of low-cost RFID tags and sensors. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  32. 32.
    Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 408–425. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  33. 33.
    McGrew, D.: Authenticated Encryption in Practice. DIAC – Directions in Authenticated Ciphers, July 2012Google Scholar
  34. 34.
    Minematsu, K., Tsunoo, Y.: Provably secure MACs from differentially-uniform permutations and AES-based implementations. In: Robshaw [36], pp. 226–241Google Scholar
  35. 35.
    Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  36. 36.
    Robshaw, M. (ed.): FSE 2006. LNCS, vol. 4047. Springer, Heidelberg (2006)zbMATHGoogle Scholar
  37. 37.
    Robshaw, M., Billet, O. (eds.): New Stream Cipher Designs. LNCS, vol. 4986. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  38. 38.
    Rogaway, P. (ed.): CRYPTO 2011. LNCS, vol. 6841. Springer, Heidelberg (2011)zbMATHGoogle Scholar
  39. 39.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) Computer and Communications Security, pp. 196–205. ACM, New York (2001)Google Scholar
  40. 40.
    Rogaway, P., Krovetz, T.: OCB Latest Code and News.
  41. 41.
    Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: a scalable encryption algorithm for small embedded applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  42. 42.
    Wu, H., Preneel, B.: Cryptanalysis of the stream cipher DECIM. In: Robshaw [36], pp. 30–40Google Scholar
  43. 43.
    Yuan, Z., Wang, W., Jia, K., Xu, G., Wang, X.: New birthday attacks on some MACs based on block ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 209–230. Springer, Heidelberg (2009) CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Florian Mendel
    • 2
    Email author
  • Francesco Regazzoni
    • 3
    • 4
  • Vincent Rijmen
    • 5
  • Elmar Tischhauser
    • 5
  1. 1.Technical University of DenmarkKongens LyngbyDenmark
  2. 2.IAIKGraz University of TechnologyGrazAustria
  3. 3.ALaRI - USILuganoSwitzerland
  4. 4.Delft University of TechnologyDelftNetherlands
  5. 5.Department of ESAT/COSICKU Leuven and iMindsLeuvenBelgium

Personalised recommendations