Cryptology ePrint Archive: Report 2019/539

Cryptanalysis of FlexAEAD

Mostafizar Rahman and Dhiman Saha and Goutam Paul

Abstract: This paper analyzes the internal keyed permutation of FlexAEAD which is a round-1 candidate of the NIST LightWeight Cryptography Competition. In our analysis, we report an iterated truncated differential leveraging on a particular property of the AES S-box that becomes useful due to the particular nature of the diffusion layer of the round function. The differential holds with a low probability of 2^-7 for one round which allows it to penetrate the same number of rounds as claimed by the designers, but with a much lower complexity. Moreover, it can be easily extended to a key-recovery attack at a little extra cost. We further report a Super-Sbox construction in the internal permutation, which is exploited using the Yoyo game to devise a 6-round deterministic distinguisher and a 7-round key recovery attack for the 128-bit internal permutation. Similar attacks can be mounted for the 64-bit and 256-bit variants. All these attacks outperform the existing results of the designers as well as other third-party results. The iterated truncated differentials can be tweaked to mount forgery attacks similar to the ones given by Eichlseder et al Success probabilities of all the reported distinguishing attacks are shown to be high. All practical attacks have been experimentally verified. To the best of our knowledge, this work reports the first key-recovery attack on the internal keyed permutation of FlexAEAD.

Category / Keywords: secret-key cryptography / Distinguisher, FlexAEAD, Iterated Differential, Key Recovery, NIST lightweight cryptography project, Yoyo

Original Publication (with minor differences): Africacrypt 2020

Date: received 20 May 2019, last revised 11 May 2020

Contact author: mrahman454 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200511:164539 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]