Attacks Against FlexAEAD


Dr. Dhiman Saha

May 22, 2019, 1:34:25 AM
to lwc-forum, edun...@yahoo.com, xe...@ime.eb.br
Dear All,

We have analysed the internal keyed permutation of FlexAEAD. In our analysis, we have first reported an iterated truncated differential for one round which holds with a probability of 2^{-7}, can penetrate the same number of rounds as claimed by the designers with much less complexity, and can be easily converted to a key-recovery attack. We also verified the differential experimentally up to 5 rounds. We have further reported a Super-Sbox construction in the internal permutation, which has been exploited using the Yoyo game to devise a 6-round deterministic distinguisher and a 7-round key recovery attack for the 128-bit internal permutation. Similar attacks can be mounted for the 64-bit and 256-bit variants.

A preliminary draft has been attached here. Please point out to us if there is something wrong in our analysis.

Thanks and Regards
Dhiman Saha, Mostafizar Rahman, and Goutam Paul
Flex_main.pdf

Eduardo Marsola Nascimento

Jul 9, 2019, 8:16:09 PM
to lwc-forum, xe...@ime.eb.br, dhi...@iitbhilai.ac.in

Dear Researchers,


First of all, congratulations on the quality of your work. Our team has analyzed your document in depth and your analysis is correct. FlexAEAD is indeed vulnerable to the attacks you propose.

After evaluating several changes to the cipher, the solution we found to avoid the attacks is to add another linear transformation after the Block Shuffle Layer in the keyed permutation function.

This transformation divides the internal state into 8-byte sub-blocks and XORs every 3 adjacent bytes within the sub-block: B0' = B7 ⊕ B0 ⊕ B1, B1' = B0 ⊕ B1 ⊕ B2, …, B7' = B6 ⊕ B7 ⊕ B0 (⊕ = XOR). The reason for dividing into 8-byte sub-blocks is
Figure 1 shows the diagram of the new PFK function.

Now, in one round, if there is one differing byte after the Block Shuffle, it will be reflected in 3 different bytes after Mix Adjacent Bytes. With this change, it will not be possible to create the Super-Sbox proposed in section 2 of the paper. Figure 2 shows how the bytes are mixed together in a way that prevents the creation of the proposed Super-Sbox1 and Super-Sbox2.

The proposed change also increases the cipher's security against classical differential cryptanalysis attacks as well as linear cryptanalysis attacks. After 3 rounds, all S-boxes will be active for the 128-bit and 256-bit block sizes (2 rounds for the 64-bit block size) (Figure 3).

The new difficulty of differential cryptanalysis attacks has been calculated for each proposed variant. They are FlexAEAD128b064 - 2^978, FlexAEAD128b128 - 2^2448 and FlexAEAD256b256 - 2^5580.

For linear cryptanalysis attacks, they are FlexAEAD128b064 - 2^1052, FlexAEAD128b128 - 2^2594 and FlexAEAD256b256 - 2^5870.

In the paper there is also an iterated truncated differential attack based on the fact that a difference in byte B0 of X1 affects only bytes B0 and B8 of Y1. After the change, this assumption no longer holds, rendering the attack ineffective.

The algorithm amendment with the proposed changes will be submitted to NIST.

Kind Regards

FlexAEAD Team

Figure 2.png
Figure 3.png
Figure 1.png
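The Mix Adjacent Bytes layer described in the reply above, as an added Python example that is not the FlexAEAD team's code: it applies B_i' = B_{i-1} ⊕ B_i ⊕ B_{i+1} cyclically inside each 8-byte sub-block and checks the stated property that one differing byte before the layer becomes three differing bytes after it. The 16-byte sample state is constructed here; function names are my own.

```python
# Added example, not the FlexAEAD team's code: the Mix Adjacent Bytes layer as
# described in the message above, plus checks of the diffusion claim made there.
from typing import List

SUB_BLOCK = 8  # the layer works on 8-byte sub-blocks (per the message)


def mix_adjacent_bytes(state: bytes) -> bytes:
    """B_i' = B_{i-1} ^ B_i ^ B_{i+1}, with indices taken cyclically inside
    each 8-byte sub-block (B0' = B7^B0^B1, ..., B7' = B6^B7^B0)."""
    if len(state) % SUB_BLOCK:
        raise ValueError("state length must be a multiple of 8 bytes")
    out = bytearray(len(state))
    for base in range(0, len(state), SUB_BLOCK):
        blk = state[base:base + SUB_BLOCK]
        for i in range(SUB_BLOCK):
            out[base + i] = (blk[(i - 1) % SUB_BLOCK]
                             ^ blk[i]
                             ^ blk[(i + 1) % SUB_BLOCK])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def active_bytes_after_mix(state: bytes, pos: int, delta: int = 0x01) -> List[int]:
    """Inject a single-byte XOR difference `delta` at index `pos` before the
    layer and report which output bytes differ afterwards. The layer is
    linear over GF(2), so the result depends only on `pos`, not on `state`."""
    pair = bytearray(state)
    pair[pos] ^= delta
    d_out = xor_bytes(mix_adjacent_bytes(state), mix_adjacent_bytes(bytes(pair)))
    return [i for i, v in enumerate(d_out) if v]


def is_linear_on(a: bytes, b: bytes) -> bool:
    """Differences propagate deterministically: mix(a) ^ mix(b) == mix(a ^ b)."""
    return (xor_bytes(mix_adjacent_bytes(a), mix_adjacent_bytes(b))
            == mix_adjacent_bytes(xor_bytes(a, b)))


if __name__ == "__main__":
    # Constructed 128-bit state (two 8-byte sub-blocks); any values would do.
    s = bytes(range(16))
    print(mix_adjacent_bytes(s).hex())
    # One differing byte after Block Shuffle shows up in three bytes of the
    # same sub-block after Mix Adjacent Bytes, e.g. byte 0 -> [0, 1, 7].
    for p in (0, 3, 8, 15):
        print(p, active_bytes_after_mix(s, p))
```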