AES-LBBB: AES Mode for Lightweight and BBB-Secure Authenticated Encryption


  • Yusuke Naito Mitsubishi Electric Corporation, Kanagawa, Japan
  • Yu Sasaki NTT Secure Platform Laboratories, Tokyo, Japan
  • Takeshi Sugawara The University of Electro-Communications, Tokyo, Japan



AES, authenticated encryption, backward compatibility, beyond-birthday-bound security, lightweight, AES accelerator, AES coprocessor


In this paper, a new lightweight authenticated encryption scheme, AES-LBBB, is proposed, designed to provide backward compatibility with the Advanced Encryption Standard (AES) together with high security and low memory. The primary design goal, backward compatibility, is motivated by the fact that AES accelerators are now very common in deployed devices; we are interested in designing an efficient and highly secure mode of operation that makes the best use of those AES accelerators. Backward compatibility receives little attention in the NIST lightweight cryptography standardization process, in which only 3 of the 32 round-2 candidates are based on AES. Our mode, LBBB, is inspired by the design of ALE in that its internal state is the minimum 2n bits when built from a block cipher with an n-bit key and an n-bit block. Unfortunately, ALE has no security proof, and forgery attacks on it have been found. In LBBB, we introduce an additional feed from the block cipher's output to the key state via a certain permutation λ, which enables us to prove beyond-birthday-bound (BBB) security. We then specify its AES instance, AES-LBBB, and evaluate its performance for (i) a software implementation on a microcontroller with an AES coprocessor and (ii) a hardware implementation as an application-specific integrated circuit (ASIC), showing that AES-LBBB outperforms the current state of the art, Remus-N2 with AES-128.




How to Cite

Naito, Y., Sasaki, Y., & Sugawara, T. (2021). AES-LBBB: AES Mode for Lightweight and BBB-Secure Authenticated Encryption. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(3), 298–333.