Cryptology ePrint Archive: Report 2019/539

Cryptanalysis of FlexAEAD

Mostafizar Rahman and Dhiman Saha and Goutam Paul

Abstract: This paper analyzes the internal keyed permutation of FLEXAEAD, a round-1 candidate of the NIST Lightweight Cryptography Competition. In our analysis, we report an iterated truncated differential that leverages a particular property of the AES Sbox, which becomes useful due to the particular nature of the diffusion layer of the round function. The differential holds with a low probability of 2^(-7) for one round, which allows it to penetrate the same number of rounds as claimed by the designers, but with much lower complexity. Moreover, it can be easily extended to a key-recovery attack at little extra cost. We further report a Super-Sbox construction in the internal permutation, which is exploited using the Yoyo game to devise a 6-round deterministic distinguisher and a 7-round key-recovery attack for the 128-bit internal permutation. Similar attacks can be mounted for the 64-bit and 256-bit variants. All these attacks compare favorably with the existing results of the designers as well as other third-party results. The iterated truncated differentials can be tweaked to mount forgery attacks similar to the ones given by Eichlseder et al. Success probabilities of all the reported distinguishing attacks are shown to be high. All practical attacks have been experimentally verified. To the best of our knowledge, this work reports the first key-recovery attack on the internal keyed permutation of FLEXAEAD.

Category / Keywords: secret-key cryptography / Distinguisher, FlexAEAD, Iterated Differential, Key Recovery, NIST lightweight cryptography project, Yoyo

Date: received 20 May 2019, last revised 23 Aug 2019

Contact author: mrahman454 at gmail com


Version: 20190823:085432

Short URL: ia.cr/2019/539

