On the Security of the LAC Authenticated Encryption Algorithm.

The LAC authenticated encryption algorithm was a candidate to the CAESAR competition on authenticated encryption, which follows the design of the ALE authenticated encryption algorithm. In this paper, we show that the security of LAC depends greatly on the parameter of the maximum message length and the order of padding the last message block, by cryptanalysing its variants that differ from the original LAC only in the above-mentioned two points. For the LAC variants, we present a structural state recovery attack in the nonce-respecting scenario, which is independent from the underlying block cipher, which requires only chosen queries to their encryption and tag generation oracles and can recover an internal state of the initialization phase for one of some used Public Message Numbers PMNs more advantageously than exhaustive key search; and the recovered internal state can be used to make an existential forgery attack under this PMN. Besides, slightly inferior to exhaustive key search, the state recovery attack can apply to the LAC variant that differs from LAC only in the order of padding the last message block. Although the state recovery attack does not apply to the original LAC, it sheds some light on this type of interesting structures, and shows that an authenticated encryption algorithm with a such or similar structure may be weakened when it is misused deliberately or accidentally with the reverse message padding order and a different maximum message length, and users should be careful about the two points when employing such a structure in reality.