Practical Key Recovery Attacks on FlexAEAD

Orr Dunkelman*, Maria Eichlseder, Daniel Kales, Nathan Keller, Gaëtan Leurent, Markus Schofnegger

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


FlexAEAD is a block cipher candidate submitted to the NIST Lightweight Cryptography standardization project, based on repeated application of an Even-Mansour construction. In order to optimize performance, the designers chose a relatively small number of rounds, using properties of the mode and bounds on differential and linear characteristics to substantiate their security claims. Due to a forgery attack with complexity of 246, FlexAEAD was not selected to the second round of evaluation in the NIST project. In this paper we present a practical key recovery attack on FlexAEAD, using clusters of differentials for the internal permutation and the interplay between different parts of the mode. Our attack, that was fully verified in practice, allows recovering the secret subkeys of FlexAEAD-64 with time complexity of less than 231 encryptions (with experimental success rate of 75%). This is the first practical key recovery attack on a candidate of the NIST standartization project.
Original languageEnglish
Number of pages25
JournalDesigns, Codes and Cryptography
Early online dateMar 2022
Publication statusE-pub ahead of print - Mar 2022


  • Authenticated encryption
  • Practical key recovery
  • Truncated differential

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Applied Mathematics
  • Discrete Mathematics and Combinatorics
  • Computer Science Applications


Dive into the research topics of 'Practical Key Recovery Attacks on FlexAEAD'. Together they form a unique fingerprint.

Cite this