Practical key recovery attacks on FlexAEAD

Designs, Codes and Cryptography

Abstract

FlexAEAD is a block cipher candidate submitted to the NIST Lightweight Cryptography standardization project, based on repeated application of an Even-Mansour construction. In order to optimize performance, the designers chose a relatively small number of rounds, using properties of the mode and bounds on differential and linear characteristics to substantiate their security claims. Due to a forgery attack with complexity of \(2^{46}\), FlexAEAD was not selected for the second round of evaluation in the NIST project. In this paper we present a practical key recovery attack on FlexAEAD, using clusters of differentials for the internal permutation and the interplay between different parts of the mode. Our attack, which was fully verified in practice, recovers the secret subkeys of FlexAEAD-64 with time complexity of less than \(2^{31}\) encryptions (with an experimental success rate of 75%). This is the first practical key recovery attack on a candidate of the NIST standardization project.
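The abstract contrasts the designers' bounds on single differential characteristics with the attack's use of differential clusters (the summed probability of all characteristics sharing the same input and output difference). The script below is an added illustration of that gap and of the generic last-round subkey-guessing step of a differential key recovery; it is not code from the paper or from the FlexAEAD submission and does not reproduce the attack on FlexAEAD-64. It builds a toy 8-bit iterated Even-Mansour cipher from PRESENT's public 4-bit S-box (a stand-in, not FlexAEAD's S-box), an assumed bit permutation `PERM`, three keyed rounds and four constructed subkeys `KEYS`. Under the usual Markov assumption (independent uniform subkeys) it finds the two-round differential whose cluster probability exceeds its best characteristic the most, then measures a fixed-key pair count and runs the last-round key guess. Whether the guess isolates the right subkey on this tiny cipher depends on the fixed-key count, which the script prints alongside the Markov estimate.

```python
"""Differential clusters vs. single characteristics on a toy iterated
Even-Mansour cipher, plus generic last-round subkey recovery.
Constructed illustration only; this is not FlexAEAD and not the paper's attack."""
from fractions import Fraction

# PRESENT 4-bit S-box used as a stand-in public S-box; the state is 8 bits = two nibbles.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]
# Assumed toy bit permutation: output bit i is taken from input bit PERM[i].
PERM = [0, 2, 4, 6, 1, 3, 5, 7]
PERM_INV = [PERM.index(i) for i in range(8)]
ROUNDS = 3                       # keyed rounds; ROUNDS + 1 subkeys
KEYS = [0x3A, 0xC5, 0x71, 0x9E]  # constructed secret subkeys for the demo

def sbox_layer(x, box=SBOX):
    return (box[x >> 4] << 4) | box[x & 0xF]

def permute(x, table=PERM):
    return sum(((x >> table[i]) & 1) << i for i in range(8))

def partial_encrypt(x, keys, rounds):
    """Even-Mansour style: XOR a subkey, then apply the public S-box/permutation round."""
    for r in range(rounds):
        x = permute(sbox_layer(x ^ keys[r]))
    return x

def encrypt(x, keys):
    return partial_encrypt(x, keys, ROUNDS) ^ keys[ROUNDS]

def make_ddt():
    """DDT[a][b] = number of x in 0..15 with S(x) ^ S(x ^ a) == b."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t

DDT = make_ddt()

def round_transition():
    """rows[a][b] = n means Pr[a -> b over one round] = n / 256 (Markov model,
    subkeys treated as independent and uniform)."""
    rows = []
    for a in range(256):
        row = {}
        for bh in range(16):
            for bl in range(16):
                n = DDT[a >> 4][bh] * DDT[a & 0xF][bl]
                if n:
                    row[permute((bh << 4) | bl)] = n
        rows.append(row)
    return rows

ROUND_ROWS = round_transition()

def two_round_differentials(rows):
    """For each (a, b): summed weight of all trails a -> c -> b (the differential)
    and the weight of the heaviest single trail.  Probability = weight / 65536."""
    total, best = {}, {}
    for a in range(1, 256):
        for c, n1 in rows[a].items():
            for b, n2 in rows[c].items():
                w = n1 * n2
                total[a, b] = total.get((a, b), 0) + w
                best[a, b] = max(best.get((a, b), 0), w)
    return total, best

TOTAL, BEST = two_round_differentials(ROUND_ROWS)

def widest_gap(total=TOTAL, best=BEST):
    """Differential whose cluster gains the most over its best single characteristic."""
    ab = max(total, key=lambda k: total[k] - best[k])
    return ab, Fraction(total[ab], 65536), Fraction(best[ab], 65536)

def count_pairs(keys, a, b, rounds):
    """Ordered pairs (x, x ^ a) whose difference after `rounds` rounds is b, for a fixed key."""
    return sum(partial_encrypt(x, keys, rounds) ^ partial_encrypt(x ^ a, keys, rounds) == b
               for x in range(256))

# Undo the last public round (no key): used to peel the final round off a ciphertext.
INV_ROUND = [sbox_layer(permute(y, PERM_INV), SBOX_INV) for y in range(256)]

def guess_counts(keys, a, b):
    """Last-round attack: for every guess g of keys[ROUNDS], peel the final round off
    all 256 ciphertext pairs and count pairs showing the (ROUNDS-1)-round difference b.
    The true subkey scores exactly count_pairs(keys, a, b, ROUNDS - 1)."""
    pairs = [(encrypt(x, keys), encrypt(x ^ a, keys)) for x in range(256)]
    return [sum(INV_ROUND[c1 ^ g] ^ INV_ROUND[c2 ^ g] == b for c1, c2 in pairs)
            for g in range(256)]

if __name__ == "__main__":
    (a, b), cluster, trail = widest_gap()
    print(f"widest cluster gap: {a:#04x} -> {b:#04x}: cluster {cluster}, best trail {trail}")
    a, b = max(TOTAL, key=TOTAL.get)             # strongest 2-round differential
    print(f"attack differential {a:#04x} -> {b:#04x}: Markov estimate {Fraction(TOTAL[a, b], 256)}"
          f" pairs, fixed-key count {count_pairs(KEYS, a, b, ROUNDS - 1)}")
    counts = guess_counts(KEYS, a, b)
    top = [g for g in range(256) if counts[g] == max(counts)]
    print(f"true last subkey {KEYS[ROUNDS]:#04x} scores {counts[KEYS[ROUNDS]]};"
          f" top-scoring guesses: {[f'{g:#04x}' for g in top]}")
```

The security point is in the first printed line: a bound proved on the best characteristic is a lower bound on what an attacker can exploit, because every trail with the same input and output difference adds to the usable probability. The third line shows why a designer should also check fixed-key counts rather than trusting the Markov estimate on a cipher with few rounds.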



References

  1. Bertoni G., Daemen J., Peeters M., Van Assche G., Van Keer R.: Ketje v2. Submission to CAESAR: competition for authenticated encryption. Security, applicability, and robustness (Round 3) (2014). http://competitions.cr.yp.to/round3/ketjev2.pdf.

  2. Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Information Security and Cryptography. Springer, New York (2002).

  3. do Nascimento E.M.: Algoritmo de Criptografia Leve com Utilização de Autenticação. Ph.D. thesis, Instituto Militar de Engenharia, Rio de Janeiro (2017). http://www.comp.ime.eb.br/pos/arquivos/publicacoes/dissertacoes/2017/2017-Eduardo.pdf.

  4. do Nascimento E.M., Xexéo J.A.M.: A flexible authenticated lightweight cipher using Even-Mansour construction. In: IEEE International Conference on Communications—ICC 2017. pp. 1–6. IEEE (2017). https://doi.org/10.1109/ICC.2017.7996734.

  5. do Nascimento E.M., Xexéo J.A.M.: A lightweight cipher with integrated authentication. In: Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais – SBSEG. pp. 25–32. Sociedade Brasileira de Computação (2018). https://portaldeconteudo.sbc.org.br/index.php/sbseg_estendido/article/view/4138.

  6. do Nascimento E.M., Xexéo J.A.M.: FlexAEAD. Submission to Round 1 of the NIST lightweight cryptography standardization process (2019). https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/FlexAEAD-spec.pdf.

  7. do Nascimento E.M., Xexéo J.A.M.: Official comment: FlexAEAD. Posting on the NIST LWC mailing list (2019). https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/official-comments/FlexAEAD-official-comment.pdf.

  8. Eichlseder M., Kales D., Schofnegger M.: Forgery attacks on FlexAE and FlexAEAD. In: Albrecht, M. (ed.) Cryptography and Coding—17th IMA International Conference, IMACC 2019, Oxford, UK, December 16-18, 2019, Proceedings. Lecture Notes in Computer Science, vol. 11929, pp. 200–214. Springer (2019). https://doi.org/10.1007/978-3-030-35199-1_10.

  9. Jutla C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) Advances in Cryptology—EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, New York (2001). https://doi.org/10.1007/3-540-44987-6_32.

  10. Jutla C.S.: Encryption modes with almost free message integrity. J. Cryptol. 21(4), 547–578 (2008). https://doi.org/10.1007/s00145-008-9024-z.


  11. Kam J.B., Davida G.I.: Structured design of substitution-permutation encryption networks. IEEE Trans. Comput. 28(10), 747–753 (1979). https://doi.org/10.1109/TC.1979.1675242.


  12. Mège A.: Official comment: FlexAEAD. Posting on the NIST LWC mailing list. https://groups.google.com/a/list.nist.gov/d/msg/lwc-forum/DPQVEJ5oBeU/YXW0QjfjBQAJ.

  13. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C., Yung, M., Lin, D. (eds.) Information Security and Cryptology—Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, New York (2011). https://doi.org/10.1007/978-3-642-34704-7_5.

  14. National Institute of Standards and Technology (NIST): Lightweight cryptography standardization process (2019). https://csrc.nist.gov/projects/lightweight-cryptography.

  15. National Institute of Standards and Technology (NIST): Status report on the first round of the NIST lightweight cryptography standardization process (2019). https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8268.pdf.

  16. Rahman M., Saha D., Paul G.: Cryptanalysis of FlexAEAD. In: Nitaj, A., Youssef, A.M. (eds.) Progress in Cryptology—AFRICACRYPT 2020—12th International Conference on Cryptology in Africa, Cairo, Egypt, July 20-22, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12174, pp. 152–171. Springer (2020). https://doi.org/10.1007/978-3-030-51938-4_8.

  17. Wu H., Preneel B.: AEGIS v1.1. Submission to CAESAR: competition for authenticated encryption. Security, applicability, and robustness (Round 3 and Final Portfolio) (2014). http://competitions.cr.yp.to/round3/aegisv11.pdf.

  18. Wu S., Wang M.: Security evaluation against differential cryptanalysis for block cipher structures. IACR Cryptology ePrint Archive, Report 2011/551 (2011).


Acknowledgements

We thank the designers of FlexAE and FlexAEAD for their comments on a preliminary version of this analysis on the NIST LWC mailing list. Some of the results presented in this paper were obtained during a workshop dedicated to cryptanalysis of the NIST lightweight candidates, held in the framework of the European Research Council project ‘LightCrypt’ (ERC StG no. 757731). The first author was supported by the Israeli Science Foundation through grants No. 880/18 and 3380/19. The fourth author was also supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. We thank the participants of the workshop who contributed to the discussion on FlexAEAD, and in particular Tomer Ashur, Roberto Avanzi, Anne Canteaut, Itai Dinur, Eran Lambooij, Eyal Ronen, and Yu Sasaki, for their valuable suggestions.

Corresponding author

Correspondence to Orr Dunkelman.

Additional information

Communicated by X. Wang.

This paper is partially based on [8], presented at the IMACC 2019 workshop. The main results of the paper, presented in Sect. 4, are new.

Cite this article

Dunkelman, O., Eichlseder, M., Kales, D. et al. Practical key recovery attacks on FlexAEAD. Des. Codes Cryptogr. 90, 983–1007 (2022). https://doi.org/10.1007/s10623-022-01023-5
