Keywords

1 Introduction

CAESAR competition [1] (Competition for Authenticated Encryption: Security, Applicability, and Robustness) has been announced in January 2013 aiming at fulfilling the needs of secure, efficient and robust authenticated encryption schemes. In total, 57 candidates are submitted to the competition. These schemes are released to crypto community for their security analysis and around 20 of them were eliminated in the first round of the competition in July 2015. Since then, around 30 candidates compete in the second round, and are being analyzed in terms of their security and efficiency.

ELmD is amongst the second-round CAESAR candidates designed by Datta and Nandi [5]. It is an Encrypt-Linear-mix-Decrypt block cipher authentication mode accepting associated data, and its structure is similar to some other authenticated encryption schemes such as AES-COPA [2], Marble [10], and SHELL [12]. ELmD is fully parallelizable and online, that is, \(i^{th}\) block of ciphertext only depends on the first i blocks of plaintext. As an optional property, it provides intermediate tag verification in order to fasten verification process and to be secure against block-wise adaptive adversaries. Designers of ELmD claim that the scheme provides nonce misuse resistance against forgery attacks. According to authors’ assertion, ELmD provides 62.8-bit security for integrity (forgery attacks) and for privacy (distinguishing attacks). Indeed, they claim that ELmD provides 128-bit security against key recovery attacks that we disprove by applying partial-sum [7] and Demirci-Selçuk meet-in-the-middle attacks [6] on ELmD(6,6) where 6-round AES is used as the block cipher.

figure a
figure b

Previous Results. As far as we know, ELmD has been analyzed only by Zhang and Wu [13] in terms of both integrity and privacy. Very similar to our internal state recovery, they first find internal state parameter of ELmD by birthday attack and then they provide an almost universal forgery attack with a few queries. For breaking privacy, they propose a truncated differential analysis of reduced version of ELmD (\(\text {ELmD}(4,4)\)) with \(2^{123}\) time and memory complexities. In [13], the authors consider the internal parameter L generated by only the encryption of zero with 4-round AES, i.e., \(L=\text {AES}^4(0)\). However, both the usage of 4 rounds of encryption/decryption and the generation of the internal parameter L with four AES rounds in ELmD are not acceptable in the proposal. Actually, after obtaining an input and output pair of 4-round AES (i.e., \(L=\text {AES}^4(0)\)), it is feasible to make a meet-in-the-middle analysis to recover the secret key. Previously, similar efforts are made to other CAESAR candidates COPA [11], Marble and AEZ in [8] to find state collisions beyond the birthday bound. Indeed, for AEZ and Marble [8], this attack is used for realizing a key recovery attack.

Our Contribution: In this paper, after obtaining the internal state parameter of ELmD, we make universal forgeries with a few queries to the oracle. Furthermore, by exploiting the structure of ELmD, we are able to query decryption oracle of the block cipher in ELmD. Finally, we mount key recovery attacks on ELmD(6,6) reducing effective key strength more than 60 bits.

Outline of the rest of the paper: In Sect. 2, a brief description of ELmD is given. Then in Sect. 3, we show how to recover internal state parameter L, and present universal forgery attacks on ELmD with a few queries to the oracle. In Sect. 4, we introduce novel methods to generate special plaintext pairs having relation between their ciphertexts and to query to the decryption oracle of the block cipher. By using chosen ciphertexts, in Sect. 5, key recovery attacks on ELmD(6,6) are presented. Section 6 concludes the paper.

2 Brief Description of ELmD

Notation:\(\oplus \)’: bitwise addition in modulo 2 (exclusive OR), ‘\(\cdot \)’: field multiplication modulo the polynomial \(p(x)=x^{128}+x^7+x^2+x+1\) in \(GF(2^{128})\). Also, \(0^{a}\) denotes a-bit string of 0.

ELmD is a block cipher based Encrypt-Linear-mix-Decrypt authentication mode proposed by Datta and Nandi [5] for CAESAR competition. In the proposal of ELmD, AES-128 [4] is used as the block cipher where the number of rounds can be either 10 or 6. Note that 6-round AES used in ELmD includes whitening-key layer and MixColumns operation at the last round. Hence from now on, \(\text {AES}^{\text {rd}}\) denotes AES with rd rounds. For simplicity, \(E_K\) is also used for AES-128 in the rest of the paper. In addition, L is a key-depending mask which is generated in two ways; \(L=\text {AES}^6(\text {AES}^6(0))\) when \(\text {rd}=6\) and \(L=\text {AES}^{10}(0)\) when \(\text {rd}=10\).

The linear mixing function \(\rho \) takes two inputs \(t,x \in \left\{ 0,1\right\} ^{128}\) and produces two outputs \(t', y \in \left\{ 0,1\right\} ^{128}\) as follows

$$\begin{aligned} \rho (x,t)=(y,t') :\quad y = x \oplus 3 \cdot t \,\, \text {and} \,\, t'=x \oplus 2 \cdot t. \end{aligned}$$
Fig. 1.
figure 1

Processing associated data and the generation of tagged ciphertext in ELmD when \(|D_d|=|M_\ell |=n\)

Full size image

Associated data is used to generate IV (see Algorithm 1) which is an input to both encryption/decryption function of ELmD. Let \(\mathsf {pub}\) and \(\mathsf {param}\) be a public message number and the parameter set, respectively, which are both 64 bits, and \(D=(D_1, \ldots , D^*_d)\) be an associated data. By construction, the designers of ELmD assign \(D_0= \mathsf {pub} \Vert \mathsf {param}\) and \(W'_0=0\). The last block of associated data is padded as \(D_d=D^*_d \Vert 10^{*}\) if \(|D_d^*| \ne 128\), otherwise \(D_d=D^*_d\).

ELmD has two versions, namely v1.0 and v2.0. ELmD v1.0 was modified by the generation of last message block in such a way that the XOR of previous messages added to this block. Also, rd is modified to ELmD(6,6) and ELmD(10,10).

Tagged ciphertext is generated as follows. Let \(M=M_1 \Vert M_2 \Vert \cdots \Vert M_{\ell }^*\) be the message to be encrypted. Padding is performed as \(M_{\ell }= (\oplus _{i=1}^{\ell -1} M_i) \oplus (M_\ell ^* \Vert 10^*)\) if \(| M_\ell ^* | < 128\), otherwise \(M_{\ell }= (\oplus _{i=1}^{\ell -1} M_i) \oplus M_\ell ^*\). ELmD has an intermediate tag option if it is needed, however for the simplicity we mention only tagged ciphertext generation without producing intermediate tags (\(t=0\)) in Algorithm 2. ELmD encryption including processing associated data is depicted in Fig. 1.

ELmD decrypts and verifies a given tagged ciphertext pair in three steps. First of all, IV is produced by using \(\mathsf {pub}\), \(\mathsf {param}\), and D as in Algorithm 1. Afterwards, the tagged ciphertext is decrypted as an inversion of Algorithm 2, and then tag is verified when \(M_{\ell +1} = M_{\ell }\). Once the tag is verified, plaintext is released otherwise \(\bot \) is returned.

3 Universal Forgery Attack on ELmD

In this section, we present universal forgery attacks on ELmD. First, we recover ELmD state L by collision search of ciphertexts. Using L, we can make universal forgery attack on ELmD. Before going into details, we briefly describe the two main forgery models:

  • Existential Forgery is the generation of a valid ciphertext and tag pair for an unspecified message which is not previously queried to an oracle.

  • Universal Forgery is the generation of ciphertext and tag pair for a given message which is not previously queried to an oracle.

3.1 Recovering Internal State Parameter L

Similar to state recovery attacks of COPA and Marble [8, 11], we recover ELmD state L by collision search of ciphertexts which has approximate complexity \(2^{65}\) due to birthday attack as follows.

For a fixed \(D_0\), let \((D,M)=(D_1,M_1)=(\alpha ,M)\) and \((D',M')=(D_1',M_1')=(\beta ,M)\) be two set of message pairs including associated data where \(\alpha \) and \(\beta \) take all possible values from the set \(\left\{ 0,1,\dots ,2^{64}-1\right\} \) and \(\alpha \) is an incomplete block and \(\beta \) is complete, i.e., \(|\alpha |= 64\) and \(|\beta |= 128\). Here, we aim to exploit different parameter mask additions to the last blocks of associated data when the block is incomplete. Also, we pick \(\alpha \) and \(\beta \) such that \((\alpha \Vert 10^{63}) \oplus \beta \) scans all values in \(\mathbb {F}_{2^{128}}\).

After message pairs are queried, we search a collision in the first ciphertexts \(C_1\) and \(C_1'\), i.e., \(C_1=C_1'\). According to the birthday attack, around \(2\cdot 2^{64}\) message pairs is enough to construct a collision. This collision implies that messages’ corresponding IV values are equal, i.e., \(IV=IV'\). As we use the same \(D_0\) for two messages implying the same internal chaining value (\(W_1'=W_1''\)), we obtain \(DD_1=DD_1'\) (see Fig. 2). We recover L by solving

$$\begin{aligned} D_1' \oplus 3 \cdot 7 \cdot L = D_1 \oplus 3 \cdot 2 \cdot L, \end{aligned}$$
(1)

since L is the only unknown in the equation, where \(D_1=\alpha \Vert 10^{63}\) and \(D_1'=\beta \).

Fig. 2.
figure 2

Recovering L by finding a collision in \((t=0)\)

Full size image

3.2 Forgery

Once we recover L, we can make universal forgery attacks on ELmD by making a few queries to the oracle.

A Universal Forgery Attack. Let (DM) = \((D_1, \dots ,D_{d-1}, D_d, M_1,\dots , M_{\ell -1},M_\ell )\) be targeted associated data and message pair with assigned \(D_0= \mathsf {pub} \Vert \mathsf {param}\), where \(|D_d| = 128\). Compute \(D_d'\) such that \(D_d'\Vert 10^*=D_d \oplus 2^{d} \cdot 3L \oplus 7 \cdot 2^{d-1} \cdot 3L\) and \(|D_d'| < 128\). Note that because of the padding rule, we can always obtain \(D_d'\) with \(|D_d'| < 128\).

Query \((D',M)=(D_1, \dots ,D_{d-1}, D_d', M_1,\dots ,M_{\ell -1},M_\ell )\) with the same \(D_0\) and obtain the corresponding ciphertext and tag pair as \((\widetilde{C},\widetilde{T})\). Due to the choice of associated data, D and \(D'\) produce the same IV. Hence, the corresponding ciphertext and tag pair (CT) of (DM) is equal to that of \((D',M)\), i.e., \((C,T)=(\widetilde{C},\widetilde{T})\). Note that the same attack also works for \(|D_d| < 128\) case. In a similar manner, a \(|D_d'| = 128\) block can be chosen where \(D_d'=D_d\Vert 10^* \oplus 2^{d} \cdot 3L \oplus 7 \cdot 2^{d-1} \cdot 3L\), and the rest of the attack is the same. Therefore, this forgery attack works for any associated data and message pair.

Another Universal Forgery Attack. Here we present another forgery for the same \((D_0,D,M)\) triple using only completed blocks. First, query \(M_1=D_0\oplus 3L \oplus L\) without D, and obtain \(C_1\). Then, query \((D',M)\) such that \(D'_0=D_0\), \(D'_1=C_1\oplus 3^2L\oplus 2\cdot 3L\), \(D'_{i+2}=D_i\oplus 2^{i}\cdot 3L\oplus 2^{i+2}\cdot 3L\) for \(i=0,1,\ldots ,d\) and obtain ciphertext C and tag T. It can be seen that this (CT) pair is also valid for (DM).

Note that this forgery attack introduces an important ability of generating a pair of plaintexts such that one of the corresponding ciphertext is half of the other one. These related plaintext pairs are explained in Sect. 4, and used for key recovery in Sect. 5.

Forgery of Intermediate tags (when \(\varvec{t \ne 0}\) ). In the proposal of ELmD, the authors state that “When intermediate tags are used i.e. \(t \ne 0,\) if the forger can compute a valid intermediate tag such that the ciphertext up to that is not identical to any of previous ciphertexts then the forger succeeds”. Once L is known, we can make a universal forgery attack for the version of ELmD with intermediate tags. Without any further details, it can be seen that the previously given forgery attacks also applies when \(t \ne 0\). Because both attacks only uses the associated data.

4 Exploiting the Structure of ELmD

In this section, we explore the block cipher used in ELmD by exploiting the general structure of the authenticated encryption algorithm where the bottom function is the decryption mode of the upper one. First, using the recovered L value, we can obtain two types of plaintext pairs:

  1. 1.

    For any \(P_1\) and \(\mu \), \((P_1,P_2)\) pair such that \(\mu \cdot E(P_1)= E(P_2)\).

  2. 2.

    For any \(\varDelta \), \((Q_1,Q_2)\) pair such that \(E(Q_1)=E(Q_2)\oplus \varDelta \).

Using these special plaintext pairs, we can obtain plaintext and corresponding ciphertext pairs of the encryption block cipher \(E_K(\cdot )\) or \(\text {AES}^{\text {rd}}\). Especially, we can query any ciphertext to the decryption mode of the cipher.

Following attacks are mostly explained for the maskless version of ELmD. Since we know the L value, we can easily switch from (DMC) triple to (DDMMCC) triple and vice versa, where \(D_i=DD_i\oplus 2^{i-1}\cdot 3L\), \(M_i=MM_i\oplus 2^{i-1} L\) and \(C_i=CC_i\oplus 2^{i-1} \cdot 3^2 L\). In other words, we can query (DDMM) and obtain CC values. For the simplicity, we usually use (DDMMCC) triples. It is important to note that the last message block cannot be controlled since \(MM_{\ell +1}=MM_{\ell }\oplus 2^{\ell -1}L\oplus 2^{\ell }L\).

4.1 2-Multiplicative Pairs: \((R_1,R_2)\) with \(2\cdot E(R_1)= E(R_2)\)

Initially, for any given/fixed \(D_0= \mathsf {pub} \Vert \mathsf {param}\), we make a query for one block message \(MM^1_1= DD_0\) without an additional associated data and obtain the corresponding ciphertext and tag pair \((C^1,T^1)\). As seen in Fig. 3, \(IV^1 = E_K(DD_0)\). Because of our message choice, \(X^1_1\) is also equal to \(IV^1\) and therefore \(Y^1_1=2\cdot IV^1\). Even without knowing \(IV^1\) value, we obtain \(CC^1_1\) such that \(E_K(CC^1_1)=2\cdot IV^1 =2\cdot E_K(DD_0)\). Here, it is important to note that \(D_0\) has a special structure and cannot take any 128-bit value. For any \(R_1\), using the same \(D_0\), query \(DD^2_1=CC^1_1,MM^2_1=MM^2_2=R_1\) and obtain the corresponding ciphertext and tag pair \((C^2,T^2)\). It can be seen that \(IV^2=\rho (IV^1,2\cdot IV^1)=0\) and therefore \(X^2_1=W^2_1=E_K(MM^2_1)\). \(W^2_1=E_K(MM^2_1)=X^2_2\) implies \(Y^2_2=2\cdot X^2_2\) and \(E_K(CC^2_2)=2\cdot E_K(MM^2_1)\). As can be seen in Fig. 3, by setting \(R_2=CC^2_2\), we obtain \((R_1,R_2)\) pair such that \(2\cdot E(R_1)= E(R_2)\). The complexity to obtain N such 2-multiplicative pairs is only \(N+1\) queries if the same \(D_0= \mathsf {pub} \Vert \mathsf {param}\) is used. Therefore, the complexity of getting a 2-multiplicative pair is approximately one block query.

Fig. 3.
figure 3

2-multiplicative pairs

Full size image

4.2 \(\mu \)-multiplicative Pairs: \((P_1,P_2)\) with \(\mu \cdot E(P_1)= E(P_2)\)

Here, we present a method to generate \((P_1,P_2)\) pair satisfying \(\mu \cdot E(P_1)= E(P_2)\) for any \(P_1\) and \(\mu \) values with the help of observations in the previous part. First, for a given \(P_1\), we obtain the plaintext \(R_2\) such that \(2\cdot E(P_1)= E(R_2)\). Also, we arrange associated data to make \(IV=0\).

Let \(\mu '=3^{-1}(\mu \oplus 1)\) where \(3^{-1}\) represents the multiplicative inverse of 3 in the given field. It can be seen that any \(\mu ' \in \mathbb {F}_{2^{128}}\) can be represented as \(2^{127}\cdot m_1 \oplus 2^{126}\cdot m_2 \oplus \cdots \oplus 2\cdot m_{127} \oplus m_{128}\) where \(m_i \in \{1,2\}\).

As shown in Fig. 4, by querying 129-block message with \(MM_i=R_{m_i}\) for \(i=1,\ldots ,128\) and \(MM_{129}=P_{1}\), we can obtain the plaintext \(P_2=CC_{129}\) satisfying \(E(P_2)=\mu \cdot E(P_1)\). The complexity to obtain any multiplicative pair of a given \(P_i\) is about \(2^7\) block encryptions. In other words, obtaining the plaintext of a given multiple of a given ciphertext costs \(2^7\) block ELmD encryptions which is approximately \(2^8\) block cipher calls.

Fig. 4.
figure 4

\(\mu \)-multiplicative pairs

Full size image

Note that using \(\mu \)-multiplicative pairs, we can obtain the plaintext \(P_0\) satisfying \(E(P_0)=0\cdot E(\cdot )=0\).

4.3 1-Difference Pairs: \((R_1,R_2)\) with \(E(R_1)= E(R_2)\oplus 1\)

In this part, we show how to construct \((R_1,R_2)\) pairs such that \(E(R_1)= E(R_2)\oplus 0^{127}1\) by using 2-multiplicative pairs (see Fig. 5). For any \(D_0\) (resp. \(M_1\)), we can obtain \(D_1\) (resp. \(M_2\)) such that \(E(DD_1)=2\cdot E(DD_0)\) (resp. \(E(MM_2)=2\cdot E(MM_1)\)). By querying the corresponding associated data and message pair, we can obtain \(R_1=MM_3\) and \(R_2=CC_3\) satisfying \(E(R_1)= E(R_2)\oplus 1\). The complexity to obtain a 1-difference pair is simply a query of 1 associated data block and 2 message blocks where associated data and message blocks are 2-multiplicative pairs.

Fig. 5.
figure 5

1-difference pairs

Full size image

4.4 \(\varDelta \)-difference Pairs: \((Q_1,Q_2)\) with \(E(Q_1)=E(Q_2)\oplus \varDelta \)

First, we generate a 1-difference pair: \(\{R_1,R_2\}\) where \(E(R_1)= E(R_2)\oplus 0^{127}1\). Then, for any \(\varDelta \), compute \(\delta =\delta _1\Vert \delta _2\Vert \cdots \Vert \delta _{128}\) such that \(3\cdot \delta =\varDelta \) over the defined field.

We construct two messages \(M,M'\) each containing 129 blocks with the same associated data D such that

$$MM_i=R_1\quad \text {and} \quad MM'_i=R_{\delta _i+1} \quad \text {for}\quad i=1,2,\ldots ,129$$

where \(\delta _{129}=0\).

As illustrated in Fig. 6, \(129^{th}\) ciphertext blocks of (DM) and \((D,M')\) differ by \(\varDelta \). Here, we briefly, explain the differential path of two messages (DM) and \((D,M')\). As their associated data are equal, they will provide the same IV, that is \(IV \oplus IV'=0\). After processing of the first blocks of two messages \(R_1\) and \(R_{\delta _1+1}\) in the upper layer of encryption, we will get difference in \(X_1\)’s as \(\varDelta X_1=X_1 \oplus X_1' = \delta _1\). Since \(\varDelta IV=0\), \(\varDelta W_1=W_1\oplus W_1' = \delta _1\). For the second message blocks \(R_1\) and \(R_{\delta _2+1}\), we get \(\varDelta X_2=X_2 \oplus X_2' = \delta _2\). Then, we have \(\varDelta W_2=W_2\oplus W_2' = 2 \delta _1 + \delta _2\). Similarly, after the encryption of 128th blocks, we have \(\varDelta W_{128}=W_{128} \oplus W_{128}'= 2^{127} \delta _1 + 2^{126} \delta _2 + \cdots + \delta _{128}=\delta \). Finally, as we choose the last message blocks equal, we have \(\varDelta X_{129} =X_{129} \oplus X_{129}' = 0\). Since no difference is coming from upper encryption layer \(\varDelta Y_{129}= Y_{129} \oplus Y_{129}'= 3 \cdot \varDelta W_{128}= 3\cdot \delta = \varDelta \). Hence, we obtain plaintexts \(Q_1=CC_{129}\) and \(Q_2=CC_{129}'\) having required ciphertext difference: \(E(Q_1) = E(Q_2) \oplus \varDelta \). Note that by changing the last message block, we can get several message pairs having desired ciphertext difference.

Fig. 6.
figure 6

\(\varDelta \)-difference pairs

Full size image

4.5 Querying Decryption Oracle of the Block Cipher

Here, we describe how to query inner block cipher of ELmD, \(\text {AES}^{\text {rd}}\). Since, we can obtain any multiple of a given ciphertext in \(\mu \)-multiplicative pairs, it is obvious that any ciphertext can be queried, i.e., plaintext of a given ciphertext can be obtained, if the decryption of \(0^{127}1\) is known.

First, using 1-difference pairs, we obtain a pair \((R_1,R_2)\) with \(E(R_1)= E(R_2)\oplus 1\). Then, using \(\mu \)-multiplicative pairs, we acquire \(R_3\) such that \(3^{-1} E(R_1)=E(R_3)\). By querying associated data satisfying \(IV=0\) and message with \(MM_1=R_3\), \(MM_2=R_2\), we obtain \(CC_2\) which is equal to decryption of 1, i.e., \(E(CC_2)=0^{127}1\). After obtaining decryption of 1, we can query any ciphertext with the help of \(\mu \)-multiplicative pairs.

This property enables us to mount a chosen ciphertext attack.

5 Key Recovery

The encryption function \(E_K\) used in ElmD is either 6-round AES (\(\text {AES}^6\)) or 10-round AES (\(\text {AES}^{10}\)) depending on the application. For both versions of ELmD, the designers claim that ELmD provides 128 bits of security against plaintext and key recovery attacks. In this section, we show that this claim is not valid if the function \(E_K\) is \(\text {AES}^6\).

In Sect. 4, after recovering L parameter, it is shown how to obtain corresponding plaintext for any given ciphertext in a time complexity of about \(2^8\) encryption operations. As a result, we can mount attacks on 6-round AES with chosen ciphertexts. In [7], by using partial sums an attack on 6-round AES was given with a time and data complexities of \(2^{44}\) and \(2^{34.6}\), respectively in chosen plaintext scenario. This attack can be easily adapted to chosen ciphertext case because of the AES structure. MixColumns and AddRoundKey operations can be swapped with applying the inverse of MixColumns to the round key. As known, the inverse of AES without the MixColumns operation in the last round has the same structure with AES, the similar attack can be applied. Note that the MixColumn operations at the end of the cipher is not important because ciphertexts can be easily manipulated. The total time complexity of key recovery is \(2^{65} + 2^{8} \times 2^{34.6} + 2^{44} \approx 2^{65}\) which is dominated by the cost of recovery of L.

In addition, we propose a Demirci-Selçuk meet-in-the-middle attack [6] using the distinguisher on 3-round AES [9]. This attack also uses chosen ciphertexts. The time and data complexities of this attack is \(2^{66}\) and \(2^{33}\), respectively. With this attack the time complexity of key recovery attack on ELmD is \(2^{65} + 2^{8} \times 2^{33} + 2^{66} \approx 2^{66.6}\) encryptions. Even though the time complexity is relatively higher than the previous attack, this attack uses relatively less data and illustrates Demirci-Selçuk MITM in a splice-and-cut [3] perspective.

Fig. 7.
figure 7

Demirci-Selçuk MITM attack on 6-round AES. The offline and online steps are on the left-hand and right-hand sides, respectively.

Full size image

While presenting the attack we use the following notation. \(\text {AES}^6\) consists of 6 full rounds of AES with initial key whitening and supports a key size of 128 bits. One full round of AES is composed of SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (AK) operations [4]. The whitening key and i-th round key (\(i \in \{1,2,3,4,5,6\}\)) are denoted by \(k_0\) and \(k_i\) respectively. We use \(x_i\), \(y_i\), \(z_i\) and \(w_i\) to represent the blocks in i-th round before the SubBytes, ShiftRows, MixColumns and AddRoundKey operations respectively where the input of the first round is \(x_1 = P \oplus k_0\) and P is the plaintext. In the case of swapping MixColumns and AddRoundKey operations we denote the round key as \(u_i = \text {MC}^{-1}(k_i)\) and the state after round key addition as \(\bar{w_i}\). Also \(x^j_i\), \(y^j_i\), \(z^j_i\), \(w^j_i\) and \(\bar{w}^j_i\) denotes the blocks for j-th plaintext and a(mn, ..., l) are used for mn, ..., l-th bytes of a block a. The orders of 128-bit blocks’ bytes in \(4 \times 4\) matrix of bytes is as conventional, that is the first row is composed of 0, 4, 8 and 12-th bytes of 128-bit block where 0-th byte is the left-most byte.

The attack is given in Algorithm 3 and depicted in Fig. 7. The number of bits guessed in the attack is 144 and the probability that a wrong guess passes the condition in Step 10 is \(2^{-144}\). Thus, with the correct guess, a wrong one can be returned by the algorithm. In Step 3 in Algorithm 3, \(2^{80} \times 19 \times \frac{10}{16 \times 6} \approx 2^{81}\) encryptions are performed by guessing 10 bytes. Note that this step can be done offline. For a ciphertext the time complexity of getting the corresponding plaintext is approximately \(2^8\) encryptions as mentioned in Sect. 4. Thus the number of operations performed in Step 6 is \(19 \times 2^{32} \times 2^8 = 2^{44.25}\) encryptions. In Step 9, 144-bit differences are computed performing \(2^{64} \times 19 \times \frac{10}{16 \times 6} \approx 2^{65}\) encryption operations. As a result the time complexity of Algorithm 3 is \(2^{81}\) offline and \(2^{65}\) online encryptions. To store the 144-bit difference for possible \(2^{80}\) values \(2^{80} \times 144\)-bit memory is required. Note that in the attack 12 bytes of \(\bar{w}_6^j\) are fixed to a constant 0. Thus the attack needs \(2^{32}\) chosen ciphertexts and corresponding plaintexts.

Notice that with this attack we obtain 4 bytes of \(k_0\) so far. With slight modifications in the attack it can be seen easily that other 4 bytes of \(k_0\) can be found. Remaining 64 bits of the key can be recovered by brute force. The total complexity of recovering 128-bit key will be \(2 \times 2^{81} = 2^{82}\) offline and \(2 \times 2^{65} + 2^{64} \approx 2^{66}\) online encryptions.

The memory and data complexities will be \(2 \times 2^{80} \times 144\)-bit memory and \(2 \times 2^{32} = 2^{33}\) data respectively. Note that the offline time complexity can be reduced to \(2^{74}\) by removing the guess of \(y_5(0)\) from the offline step and adding 8-bit guess for \(u_5(0)\) to online step. In that case the time complexity of online step will be \(2^{74}\) encryption operations.

figure c

6 Conclusion

ELmD is an a block cipher based Encrypt-Linear-mix-Decrypt authentication mode submitted to CAESAR Competition. It is claimed to be strong against misuse forgery attacks, block-wise adaptive adversaries and key recovery attacks with 128-bit security. This work provides universal forgery attacks against ELmD. Furthermore, we disprove the 128-bit security claim of ELmD by applying two key recovery attacks, namely partial-sum and Demirci Selçuk meet-in-the-middle attacks with \(2^{65}\) and \(2^{66.6}\) time complexities, respectively.