Paper 2021/931

Practical Key Recovery Attacks on FlexAEAD

Orr Dunkelman, Maria Eichlseder, Daniel Kales, Nathan Keller, Gaëtan Leurent, and Markus Schofnegger


FlexAEAD is a block cipher candidate submitted to the NIST Lightweight Cryptography standardization project, based on repeated application of an Even-Mansour construction. In order to optimize performance, the designers chose a relatively small number of rounds, using properties of the mode and bounds on differential and linear characteristics to substantiate their security claims. Due to a forgery attack with complexity $2^{46}$, FlexAEAD was not selected to the second round of evaluation in the NIST project. In this paper we present a practical key recovery attack on FlexAEAD, using clusters of differentials for the internal permutation and the interplay between different parts of the mode. Our attack, which was fully verified in practice, allows recovering the secret subkeys of FlexAEAD-64 with a time complexity of less than $2^{31}$ encryptions (with an experimental success rate of $75\,\%$). This is the first practical key recovery attack on a candidate of the NIST standardization project.

Note: This paper is partially based on a paper presented at the IMACC 2019 workshop ( The main results of the paper are new.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Authenticated encryptionNIST LWCpractical key recoverytruncated differential
Contact author(s)
orrd @ cs haifa ac il
maria eichlseder @ iaik tugraz at
daniel kales @ iaik tugraz at
nkeller @ math biu ac il
gaetan leurent @ inria fr
markus schofnegger @ iaik tugraz at
2021-07-09: received
Short URL
Creative Commons Attribution


      author = {Orr Dunkelman and Maria Eichlseder and Daniel Kales and Nathan Keller and Gaëtan Leurent and Markus Schofnegger},
      title = {Practical Key Recovery Attacks on FlexAEAD},
      howpublished = {Cryptology ePrint Archive, Paper 2021/931},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.