Forgery attacks on FlexAE and FlexAEAD. (English) Zbl 1454.94065

Albrecht, Martin (ed.), Cryptography and coding. 17th IMA international conference, IMACC 2019, Oxford, UK, December 16–18, 2019. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 11929, 200-214 (2019).
Summary: FlexAEAD is one of the round-1 candidates in the ongoing NIST lightweight cryptography standardization project and an evolution of the previously published FlexAE scheme. For each data block, the mode performs multiple calls to a permutation in an Even-Mansour construction. The designers argue that the mode permits using a permutation with slightly suboptimal properties in order to increase performance, such as allowing differential distinguishers which cannot be extended to attacks on the full construction.
We first show that this claim is incorrect since differences can not only be introduced via the processed data, but also via the mode’s control flow. Second, by exploiting a strong differential clustering effect in the permutation, we propose several forgery attacks on FlexAEAD with complexity less than the security bound given by the designers, such as a block reordering attack on full FlexAEAD with estimated success probability about \(2^{-54}\). Additionally, we discuss some trivial forgeries and point out domain separation issues.
For the entire collection see [Zbl 1428.94003].

MSC:

94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing