Dear Researchers,
First of all, congratulations on the quality of your work. Our team has analyzed your document in depth, and your analysis is correct. FlexAEAD is indeed vulnerable to the attacks you propose.
After evaluating several changes to the cipher, the solution we found to avoid the attacks is to add another linear transformation after the Block Shuffle Layer in the keyed permutation function.
This transformation divides the internal state into 8-byte sub-blocks and XORs every 3 adjacent bytes within the sub-block: B0' = B7 ⊕ B0 ⊕ B1, B1' = B0 ⊕ B1 ⊕ B2, …, B7' = B6 ⊕ B7 ⊕ B0 (⊕ = XOR). The reason for dividing in 8 bytes sub-blocks is Figure 1 shows the diagram of the new PFK function.
Now, in one round, if there is one different byte after the Block Shuffle, it will be reflected in 3 different bytes after Mix Adjacent Bytes. With this change, it will not be possible to create the Super-Sbox proposed in section 2 of the paper. Figure 2 shows how the bytes are mixed together in a way that prevents the creation of the proposed Super-Sbox1 and Super-Sbox2.
The proposed change also increases the cipher's security against classical differential cryptanalysis attacks as well as linear cryptanalysis attacks. After 3 rounds, all SBoxes will be active for the 128-bit and 256-bit block sizes (2 rounds for the 64-bit block size) (Figure 3).
The new difficulty for differential cryptanalysis attacks has been calculated for each proposed variant. They are FlexAEAD128b064 - 2^978, FlexAEAD128b128 - 2^2448 and FlexAEAD256b256 - 2^5580.
For linear cryptanalysis attacks, they are FlexAEAD128b064 - 2^1052, FlexAEAD128b128 - 2^2594 and FlexAEAD256b256 - 2^5870.
In the paper there is also an iterated truncated differential attack based on the fact that the difference in byte B0 of X1 affects only bytes B0 and B8 of Y1. After the change, this assumption is no longer true, making the attack ineffective.
The algorithm amendment with the proposed changes will be submitted to NIST.
Kind Regards
FlexAEAD Team
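
The Mix Adjacent Bytes step described in the letter, as an added Python example (not the FlexAEAD team's code) that shows a one-byte difference after the Block Shuffle becoming three differing bytes within the same 8-byte sub-block. The function names and the 16-byte sample state are assumptions made for illustration; the GF(2) rank check goes beyond what the letter states and confirms that the map can be inverted on an 8-byte sub-block.

```python
SUB = 8  # sub-block size in bytes, as stated in the letter

def mix_adjacent_bytes(state: bytes) -> bytes:
    """B_i' = B_(i-1) ^ B_i ^ B_(i+1), indices wrapping inside each 8-byte sub-block."""
    if len(state) % SUB:
        raise ValueError("state length must be a multiple of 8 bytes")
    out = bytearray(len(state))
    for base in range(0, len(state), SUB):
        blk = state[base:base + SUB]
        for i in range(SUB):
            out[base + i] = blk[(i - 1) % SUB] ^ blk[i] ^ blk[(i + 1) % SUB]
    return bytes(out)

def changed_after_mix(state: bytes, index: int, delta: int = 0x01) -> list[int]:
    """Positions that differ after the mix when only state[index] differs before it."""
    other = bytearray(state)
    other[index] ^= delta
    a, b = mix_adjacent_bytes(state), mix_adjacent_bytes(bytes(other))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def mixing_matrix_rows() -> list[int]:
    """Row i of the 8x8 GF(2) matrix: bit j is set when B_j feeds B_i'."""
    return [(1 << ((i - 1) % SUB)) | (1 << i) | (1 << ((i + 1) % SUB)) for i in range(SUB)]

def gf2_rank(rows: list[int]) -> int:
    """Rank over GF(2) by Gaussian elimination on rows held as bitmasks."""
    rows, rank = list(rows), 0
    for bit in range(SUB):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank

if __name__ == "__main__":
    state = bytes(range(16))  # constructed 16-byte state: two sub-blocks
    for idx in (0, 3, 8):
        print(f"difference in byte {idx:2d} -> bytes {changed_after_mix(state, idx)}")
    # Full rank means the mix is a bijection on each sub-block, so it can be undone.
    print("GF(2) rank of the mixing matrix:", gf2_rank(mixing_matrix_rows()))
```

The differences never cross a sub-block boundary: a change in byte 8 reaches bytes 8, 9 and 15 only, so spreading across sub-blocks is left to the other layers of the round.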