FlexAEAD is a block cipher candidate submitted to the NIST Lightweight Cryptography standardization project, based on repeated application of an Even-Mansour construction. In order to optimize performance, the designers chose a relatively small number of rounds, using properties of the mode and bounds on differential and linear characteristics to substantiate their security claims. Due to a forgery attack with complexity of 2 46, FlexAEAD was not selected to the second round of evaluation in the NIST project. In this paper we present a practical key recovery attack on FlexAEAD, using clusters of differentials for the internal permutation and the interplay between different parts of the mode. Our attack, that was fully verified in practice, allows recovering the secret subkeys of FlexAEAD-64 with time complexity of less than 2 31 encryptions (with experimental success rate of 75%). This is the first practical key recovery attack on a candidate of the NIST standartization project.
Bibliographical noteFunding Information:
We thank the designers of FlexAE and FlexAEAD for their comments on a preliminary version of this analysis on the NIST LWC mailing list. Some of the results presented in this paper were obtained during a workshop dedicated to cryptanalysis of the NIST lightweight candidates, held in the framework of the European Research Council project ‘LightCrypt’ (ERC StG no. 757731). The first author was supported by the Israeli Science Foundation through grants No. 880/18 and 3380/19. The fourth author was also supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. We thank the participants of the workshop who contributed to the discussion on FlexAEAD, and in particular Tomer Ashur, Roberto Avanzi, Anne Canteaut, Itai Dinur, Eran Lambooij, Eyal Ronen, and Yu Sasaki, for their valuable suggestions.
© 2022, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.
- Authenticated encryption
- NIST LWC
- Practical key recovery
- Truncated differential
ASJC Scopus subject areas
- Theoretical Computer Science
- Computer Science Applications
- Discrete Mathematics and Combinatorics
- Applied Mathematics