key: cord-0046997-01laioaz authors: Rahman, Mostafizar; Saha, Dhiman; Paul, Goutam title: Cryptanalysis of FlexAEAD date: 2020-06-06 journal: Progress in Cryptology - AFRICACRYPT 2020 DOI: 10.1007/978-3-030-51938-4_8 sha: 35ce2f1f49d82499c657091b5b0053f1e2759c17 doc_id: 46997 cord_uid: 01laioaz This paper analyzes the internal keyed permutation of FlexAEAD which is a round-1 candidate of the NIST LightWeight Cryptography Competition. In our analysis, we report an iterated truncated differential leveraging on a particular property of the AES S-box that becomes useful due to the particular nature of the diffusion layer of the round function. The differential holds with a low probability of [Formula: see text] for one round which allows it to penetrate the same number of rounds as claimed by the designers, but with a much lower complexity. Moreover, it can be easily extended to a key-recovery attack at a little extra cost. We further report a Super-Sbox construction in the internal permutation, which is exploited using the Yoyo game to devise a 6-round deterministic distinguisher and a 7-round key recovery attack for the 128-bit internal permutation. Similar attacks can be mounted for the 64-bit and 256-bit variants. All these attacks outperform the existing results of the designers as well as other third-party results. The iterated truncated differentials can be tweaked to mount forgery attacks similar to the ones given by Eichlseder [Formula: see text] [Formula: see text] Success probabilities of all the reported distinguishing attacks are shown to be high. All practical attacks have been experimentally verified. To the best of our knowledge, this work reports the first key-recovery attack on the internal keyed permutation of FlexAEAD. In the modern era, the aim is to connect each of the physical devices, even the miniature ones, with the internet so that they can be monitored and controlled remotely for maximum utilization. These devices are powered with the ability of communicating among themselves. Such a huge interconnected system, consisting of numerous tiny devices, is not free from vulnerabilities. Moreover, a security breach in such systems can be catastrophic. So, a major concern in the world of internet-of-things is how to provide security and privacy to each system with the constraints of limited power and area. SKINNY [9] , PRESENT [10] , QARMA [6] , KATAN and KTANTAN [11] , GIFT [8] are some of the block ciphers which are designed for such constrained environments. Until recently, no standardization process has been introduced (like AES Development [2], SHA-3 Project [4] , CAESAR Competition [1] ) for cryptographic schemes in lightweight environments. NIST LightWeight Cryptography (LWC) competition [3] is a major step towards addressing these issues. There are a total of 57 submissions in this competition. Apart from authenticated encryption algorithms in lightweight environment, some of the designs also comprise of hash functions. Some of them have also provided new primitives for block cipher design. FlexAEAD is one of the round-1 candidates proposed by Nascimento and Xexéo in NIST LWC competition [17] . It is a family of lightweight authenticated encryption schemes with associated data. In this version, the processing of Associate Data (AD) has been added to the original variants [15, 16, 18 ]. There are mainly three variants of FlexAEAD that have been listed with block sizes of 64, 128 and 256 bits. In general, a FlexAEAD scheme is denoted by FlexAEAD-b, with b being the block size. The size of nonce and tag is the same as block size across all variants. The length of key is 128 bits for FlexAEAD-64 and FlexAEAD-128 whereas it is 256 bits for FlexAEAD-256. The nonce in FlexAEAD is used to generate sequence numbers which are eventually XOR-ed with associated data, plaintext and intermediate-state to produce ciphertext-tag pair. The lightweight of FlexAEAD essentially comes from the fact that for computational purposes it uses XOR operations, a look-up table for substitution layer and bit reorganizations for BlockShuffle layer. FlexAEAD has an underlying block cipher; internal keyed permutation (PF k ) of 64, 128 and 256 bits. We have analyzed the PF k function and reported several results. A brief description of PF k has been provided in Sect. 2.1. The PF k with x-bit state is referred to as Flex-x. Existing Security Claims. The designers have claimed that mounting an attack on Flex-x based on differential and linear characteristics is more difficult than the brute force attack. According to their analysis, the probability of best differential characteristic for Flex-64, Flex-128 and Flex-256 is 2 −168 , 2 −204 and 2 −240 respectively. The number of chosen plaintext pairs required for a linear trail in Flex-64, Flex-128 and Flex-256 are 2 272 , 2 326 and 2 380 respectively [17] . Eichlseder et al. have claimed several forgery attacks [12, 13] on FlexAEAD. They have followed several different approaches: like changing associated data, truncating ciphertexts and reordering ciphertexts. They have reported differential characteristics for 5-round Flex-64, 6-round Flex-128 and 7-round Flex-256 with probability 2 −66 , 2 −79 and 2 −108 respectively. Length extension attacks based on associated data have also been shown [14] . Table 1 shows the comparison of different trail probabilities reported till date with the ones furnished in the current work. For uniformity, we have enlisted trail probabilities for same number of rounds. Our Contributions. First of all, we report an iterated truncated differential for all the variants of PF k using the property of AES Difference Distribution Table ( DDT) where the output difference of a byte is confined to either upper or lower nibble. The probability of the truncated differential for one round is 2 −7 . Its iterative nature makes it possible to penetrate more number of rounds for all Flex-x. These differentials are further exploited to devise key-recovery attacks on all the variants. Next, we explore the application of the Yoyo property which has been introduced by Rønjom et al. [20] on generic 2-round Substitution Permutation Networks and further extended on AES-based permutations and block ciphers [7, 21] . We have been able to devise deterministic Yoyo distinguishers for 4, 6 and 8 rounds of Flex-64, Flex-128 and Flex-256 respectively which are further extended by one more round to mount key recovery attacks. All key recovery attacks (reported in this work) with their respective complexities are summarized in Table 2 . For the iterated truncated differential, the maximum number of rounds that is penetrable for a Flex-x variant are enlisted in the table. The attacks with practical complexities are experimentally verified. Further, we have used the iterated truncated differentials to mount forgery attacks on FlexAEAD similar to the ones reported by Eichlseder et al. [12, 13] . Finally, to measure the effectiveness of all distinguishers reported in this work, their theoretical success probabilities are estimated by following the approach given in [19] . The success probabilities are estimated to be high and some of them with practical complexities are experimentally verified. All the attacks presented in this paper exploit the vulnerability that merely dividing the bytes into nibbles while using AES S-box is susceptible to differential attacks as diffusion may be slow in some scenarios. Although, FlexAEAD is out of NIST lightweight cryptography competition, this particular vulnerability has a far-reaching impact on designing ciphers using AES S-box. Hence, it forms the basis of continued motivation for this work. The necessary details about PF k and Yoyo game are briefly visited in Sect. 2. Section 3 describes the key-recovery attacks based on Iterated Truncated Differential. Section 4 details the attacks based on Yoyo game. The success probabilities of distinguishing attacks and their experimental verification are illustrated in Sect. 5. Forgery attacks based on Iterated Differentials are described in Sect. 6. Finally, the concluding remarks are furnished. The analysis in this paper is regarding the PF k of FlexAEAD. So, first of all, a brief description of PF k is given. Since a major part of this work uses the Yoyo strategy, for the sake of completeness, a brief description of Yoyo game and its relevant results are provided. The design strategy of PF k follows the Feistel construction. Let m be the number of bytes in a Flex-x state (m = x/8). ] are referred to as a "pair of symmetric bytes". Application of BlockShuffle operation on state s in r-th round is denoted by BS r (s). Figure 1 shows the byte representation in Flex-128 state. Figure 2 shows the round function of Flex-128. Each round of Flex-x starts with the BlockShuffle operation. Then the state is bifurcated and the right half goes through subbytes operation. AES S-box is used for byte substitution. The left half is modified by XOR-ing it with the right half and applying the subbytes operation. The modified values of the left half are XOR-ed with the right half values and subbytes is applied to get new values of the right half. Then the left and right half are combined to form the new state and the next round follows. In Flex-x there are no round keys; there are only two subkeys K α , K β which are used at the beginning and the end of round functions respectively. The total number of rounds for Flex-64, Flex-128 and Flex-256 are 5, 6 and 7 respectively [17] . In authenticated encryption modes, three PF k are used sequentially for encrypting a block of plaintext, which makes the effective number of rounds 15, 18 and 21 in FlexAEAD-64, FlexAEAD-128 and FlexAEAD-256 respectively. Key Generation. Key generation in Flex-x uses the PF k where the master key K is divided into two parts and used as two subkeys. State is initialized with 0 |K|/2 and three times PF k is applied to generate part of the subkey to be used for encryption of the plaintext. This process is repeated several times till the required number of subkeys is obtained. Apart from the first round, each time the state is initialized with the output of the previous round. The key generation algorithm makes it difficult to recover the master key from a known subkey. The key recovery attacks presented in this paper refers to the recovery of subkeys. By applying the Yoyo game strategy, a deterministic distinguisher for two generic Substitution-Permutation (SP) rounds have been reported [20] . This has been used to devise a 6-round Flex-128 distinguisher and a 7-round Flex-128 key recovery attack. To apply their results, first Zero Difference Pattern and Swapping of Words need to be defined which were originally given in [20] . Let F : F n q → F n q be a permutation with q = 2 k and Here, S is the concatenation of several smaller S-boxes operating on elements from F q in parallel and L is the linear layer over F n q . A state is defined as the vector of words α = (α 0 , α 1 , · · · , α n−1 ) ∈ F n q . Definition 1. Zero Difference Pattern. [20] Let α ∈ F n q for q = 2 k . The Zero Difference Pattern for α is Definition 2. Swapping of Words. [20] Let α, β ∈ F n q be two states and v ∈ F n 2 be a vector, then The following theorem describes the deterministic distinguisher for 2 generic SP-rounds (G 2 ). The notion behind devising such distinguisher is to choose a plaintext pair according to some Zero Difference Pattern and query this plaintext pair to the cipher to obtain a ciphertext pair. Words are swapped between the two ciphertexts on the basis of the substitution layer to produce modified ciphertexts that are queried to obtain new pair of plaintexts. Theorem 1 states that the Zero Difference Pattern of the original plaintext pair and the modified plaintext pair should be the same if the cipher is of the form S • L • S. In the following section, details regarding iterated truncated differential attacks on PF k are discussed. Differential of iterative characteristics can be easily exploited to penetrate full rounds of a cipher. The fundamental strategy behind devising an iterated differential is to choose the output differential in a way such that after some operations the input differential can be produced easily. Alkhzaimi et al. have reported such differentials for SIMON family of block ciphers [5] . In this work, iterated differentials in truncated form have been considered. First of all, a particular property of AES S-box which has been exploited needs to be discussed. Table. From AES DDT table it has been observed that the number of randomly chosen input differences that map to output differences, such that the non-zero bits in each output difference are confined to the upper nibble is 4096. Same is true if they are confined to the lower nibble. In other words, where S is the AES S-box. Therefore, with probability 4096 2 16 = 2 −4 a random input difference transits to upper nibble in the output difference. With same probability, random input difference transits to lower nibble. The way this property is exploited to devise iterated truncated differential is provided in the next subsection. Fig. 3 . Iterated Truncated Differential with One-round probability of 2 −7 . Note that the key-addition is not shown, since it has no effect on the trail Refer to Fig. 3 for the iterated differential of Flex-128. In X 1 , keeping the differ- and B [8] . With probability 2 −7 both differences are confined in either upper nibble or lower nibble in those bytes. Therefore, after BlockShuffle only one byte is active in X 2 . In X 2 the active byte can be either B[0] or B [1] , depending on whether the upper or lower nibbles in Y 1 are active. The iterative nature of the differential comes from the fact that in X 2 only one byte is active at the cost of 2 −7 probability under the constraints that only one byte is active in X 1 , and this particular event can be repeated an infinite number of times. Similar kinds of iterated truncated differential with the same probability exists for Flex-64 and Flex-256. Now, how these one round differentials are exploited to penetrate more number of rounds is discussed. 2 −240 2 −119 † Probability of the classical differential trail claimed by the designers * Probability of the iterated truncated differential trail Application to Variants of PF k . The one round iterated truncated differential can be applied to all the versions of PF k . The iterated differential occurs with probability 2 −7 . Depending on the blocksize, last few rounds can be made free as no byte to nibble transition is needed for those rounds. Let the iterated truncated differential is kept free for last f rounds for Flex-x. Then the probability of the trail is 2 −7×(r−f ) . For uniform random discrete distribution, the same event will occur with probability 2 −8×( Then, the probability of the iterated truncated differential trail for r-round Flex-x is 2 −7×(r−f ) . Table 3 shows the trail probabilities for different Flex-x. r max denotes the maximum number of rounds reachable under the constraints of fixed f . Table 4 compares the differential probabilities claim of the designers with our claim using the iterated differential. P D denotes the designers' claim whereas Q D denotes our claim. Another aspect of such kind of trails is the position of active byte in each round. As mentioned in 3. X (i+1) . Now, the mechanism of transforming these distinguishers to key recovery attacks is detailed. At the end of each round, the difference in a pair of symmetric bytes after S-box transits to the same nibble with probability 2 −7 . This has been used as a filtering technique to eliminate wrong key bytes. Let the first subkey, K α for Flex-128 is being recovered. Using iterated truncated differential for r rounds a right pair can be identified with probability 2 −7×(r−f ) , where f is number free rounds. Suppose, in the right pair the initial difference is in B[i] and B[i+8] . So, we guess key byte K α [i] and K α [i + 8]. There are 2 16 possible guesses and these are used to verify whether at the end of first-round byte to nibble transition occur. Out of 2 16 , 2 9 key-byte candidates remain. For further filtering, two more right pairs are used. The second right pair reduces the candidate numbers to 2 2 . After filtering using three different right pairs, it is expected only one candidate should remain for the key byte pair 2 16 × (2 −7 ) 3 = 2 −5 < 1 . For the remaining symmetric key bytes, the procedure is repeated 7 more times. In the end, it is expected that only one key candidate should pass the test. The other subkeys can be recovered similarly. After recovering the first subkey, the values of the plaintexts are exactly known till the second subkey whitening. The same key recovery attacks are applicable for Flex-64 and Flex-256. In the next subsections, details about the complexities of all attacks and experimental verification of practical ones are provided. Distinguisher. To distinguish iterated truncated differential for r rounds, 2 7×(r−f ) number of plaintext pairs are required, where f is the number of free rounds at the end. In devising the distinguishers, difference can be kept in 2 bytes only in X 1 , which yields 2 16 2 ≈ 2 31 pairs of plaintexts. For distinguishers requiring more than 2 31 pairs, a different set of states is needed. So, the data complexity is 2 7×(r−f ) encryption queries. Time complexity involves the memory accesses required to compute the specified collisions, which is the number of plaintext pairs needed, i. e., 2 7×(r−f ) . Memory complexity is 2 16 Flex-x states, which is the memory required for storing different states. Consider Key Recovery. Complexities of key recovery attack of Flex-x depends on distinguisher. To recover each pair of key-byte, three different right pairs are required. This procedure also needs to be repeated x 16 times for recovering the full key. Therefore, data complexity, time complexity and memory complexity of distinguisher needs to be multiplied by a factor of 3 × x 16 . Moreover, candidate key-byte recovery for each pair of byte can be computed in parallel. To recover the other subkey, a plaintext, ciphertext pair p 1 , c 1 is chosen and PF k round functions till the second subkey whitening is computed offline and XOR-ed with c 1 . So, the complexities of r-round Flex-x with f free rounds are- Table 2 . The key recovery attack using iterated differentials has been experimentally verified for 8 rounds Flex-128 with f = 3. The attack initiates after a key is chosen randomly. The number of key candidates after using the first right pairs for each pair of symmetric bytes (from (K α [0], K α [8] ) to (K α [7] , K α [15] )) are 316, 520, 632, 448, 568, 484, 368 and 356 respectively. It conforms to the theoretical analysis, which states that the number of candidates should be around 2 9 . After using the second right pairs, the number of candidates is reduced to 2, 12, 4, 4, 6, 5, 2 and 5 respectively which is close to the theoretical value of 2 2 . The third right pair reduces the number for all pairs of bytes to 1. The key recovery attack correctly recovers the subkeys. In the next section, details regarding attacks on PF k using Yoyo game strategy are provided. The Yoyo distinguishing attack has been briefly described in Sect. 2.2. First, the result of Yoyo game on 2-generic SP rounds has been applied for devising rround Flex-x deterministic distinguisher. Then cipher specific properties has been exploited to penetrate one more extra round and recover the key. Here, r is 4, 6 and 8 for Flex-64, Flex-128 and Flex-256 respectively. First, details about Super-Sbox of Flex-x is given. Refer to Fig. 4 There are two 64-bit Super-Sbox in the Flex-128 state. In similar way, Flex-64 and Flex-256 has 32-bit and 128-bit Super-Sbox which span over 1.5 and 3.5 rounds respectively. In the next subsection, how these Super-Sboxes are used to design deterministic Yoyo distinguishers is discussed. In devising this distinguisher, Theorem 1 has been used directly. For this purpose, the S • L • S layers need to be identified in this construction. The S here corresponds to Super-Sbox described in Sect. 4.1 whereas the L corresponds to the BlockShuffle layer. A pair of plaintexts is chosen such that only one of the Super-Sbox is active at X 1 . Yoyo game is played using these two plaintexts to obtain a new pair of texts. The same Super-Sbox should be active in the new pair of texts and the other should be inactive. For a uniform random discrete distribution, this occurs with probability 1 2 x 2 . Next, attack procedures and their corresponding complexities are provided. In the attack procedure, steps pertaining to Flex-128 has been described. Same attack strategy follows for Flex-64 and Flex-256. 1. Choose two 128-bit plaintexts p 1 , p 2 such that, wt(ν(p 1 ⊕ p 2 )) = 1. Inverse BlockShuffle is applied to p 1 , p 2 and then they are queried to encryption oracle to obtain c 1 , c 2 . 2. As there is two Super-Sboxes, so only one swapping is possible. One of the Super-Sbox is swapped between c 1 and c 2 to form c 1 , c 2 , which are queried to decryption oracle and p 1 , p 2 is obtained. 3. Check whether wt(ν(BS(p 1 ) ⊕ BS(p 2 ))) = 1 or not. If it is 1, then distinguish it as Flex-128; otherwise it is a random permutation. Complexity Evaluation. The attack needs 2 encryption queries and 2 decryption queries; its time complexity is 2 BlockShuffle, 2 inverse BlockShuffle operation and 2 Flex-128 state XOR, and the memory complexity is negligible. For attacking (r + 1)-round Flex-x, Yoyo distinguishing attack on r-round is composed with the one round trail of iterated truncated differential. The attack for Flex-128 is shown in Fig. 5 . With probability 2 −7 only one Super-Sbox is active at X 2 . By virtue of Yoyo game, only one Super-Sbox should be active in W 2 . Due to inverse BlockShuffle, the differences should be confined to either upper nibbles or lower nibbles in Z 1 ; the other half should be free. With probability 2 −8 , two symmetric bytes become free at Z 1 . There are 8 (4 and 16 for Flex-64 and Flex-256 respectively) choices for symmetric byte positions which increases the probability to 2 −5 2 −6 and 2 −4 for Flex-64 and Flex-256 . Therefore, at the cost of 2 −12 , two symmetric bytes become free for the 7round Flex-128. Probability of the same event for 5-round Flex-64 and 9-round Flex-256 is 2 −13 and 2 −11 respectively. Now, the attack steps of Flex-128, it's corresponding complexities and experimental verifications are discussed. 1. Choose 2 6 plaintexts such that they differ only in B[0] and B [8] . Apply inverse BlockShuffle on them and query them to encryption oracle to obtain corresponding ciphertexts. Consider all ciphertext pairs, swap bytes between them according to the Super-Sbox output and query them to the decryption oracle to obtain new pairs of plaintexts. Check whether the pair has a pair of free symmetric bytes. At least one such pair is expected. 2. Repeat step 1 two more times to obtain two more right pairs. Let (c 1 , c 2 ), (c 3 , c 4 ) and (c 5 , c 6 ) be such pairs and their corresponding plaintexts are (p 1 , p 2 ), (p 3 , p 4 ) and (p 5 , p 6 ). After byte swapping, (c 1 , c 2 ), (c 3 , c 4 ) and (c 5 , c 6 ) becomes (c 1 , c 2 ), (c 3 , c 4 ) and (c 5 , c 6 ). BlockShuffle is applied on the decrypted value of these modified ciphertexts to obtain (p 1 , p 2 ), (p 3 , p 4 ) and (p 5 , p 6 ). 3. Guess key bytes 0 and 8 for K α , run one round encryption for p 1 , p 2 and observe whether same nibble in B[0] and B [8] remains free or not for the pair. Using nibble transition, out of 2 16 candidates, 2 7 are filtered out. Then the remaining two right pairs subsequently reduces the number of candidates for K α [0] and K α [8] to 2 2 and 1 respectively. 4. For the remaining 7 symmetric pairs of bytes, step 3 is repeated 7 more times. At, the end 1 key candidates are expected for K α . For each K α , K β is computed by using a plaintext-ciphertext pair. If there is more than one K α , K β pair, they are exhaustively tried for finding the right key candidate. Complexity Evaluation. Let probability of the event that "two symmetric bytes become free" is 2 −p . So, for retrieving a right pair, 2 p 2 encryption queries and 2 p decryption queries are required. For guessing each pair of key byte, 3 such right pairs are needed and to recover the key, this process need to be repeated x 16 times. Therefore, data complexity of the attack is 3×x 16 × 2 p 2 encryption queries and 3×x 16 × 2 p decryption queries. Time complexity is 3×x 16 ×2 p memory accesses for retrieving the stored ciphertexts. Memory complexity is 3×x 16 × 2 p 2 +1 Flex-x states for storing the plaintexts and ciphertexts. The complexities of 7-round Flex-128 key recovery attack are-1. Data Complexity is 24 × 2 6 ≈ 2 10.5 encryption queries and 24 × 2 12 ≈ 2 16.5 decryption queries. 2. Time Complexity is 2 16.5 memory accesses. 3. Memory Complexity is 2 11.5 Flex-128 states. Experimental Verification. The Yoyo attack for 7-round Flex-128 has been experimentally verified. Initially the oracle chooses a master key randomly and computes the subkeys. Adversarial algorithm queries according to attack steps in Sect. 4.3 and retrieves right pairs. The number of key candidates corresponding to each symmetric bytes from (K α [0], K α [8] ) to (K α [7] , K α [15] ) after filtering with first right pairs are 502, 618, 546, 496, 510, 486, 552 and 538 respectively which conforms to the theoretical value of 2 9 . The second right pairs further reduces it to 6, 7 6, 7, 7, 3, 3 and 5 respectively which is close to the theoretical value of 2 2 . The third pairs reduces all these values to 1. This reduction in the number of key candidates using the right pairs conforms to the theoretical analysis. At last, the algorithm successfully recovers the subkeys. In the next section, we discuss the success probability of distinguishing attacks reported in this work. The effectiveness of an attack depends on its success probability. First, the success probability of all reported distinguishers is computed. Then, the success probability of practical ones is experimentally verified. To deduce the theoretical estimation of success probabilities, the following theorem from [19] has been applied. Theorem 2. [19] Suppose, the event e happens in uniform random bitstream with probability p and in keystream of a stream cipher with probability p(1 + q). Then the data complexity of the distinguisher with false positive and false negative rates α and β is given by where Φ(−κ 1 ) = α and Φ(κ 2 ) = 1 − β. For computing success probability, we consider κ 1 = κ 2 in theorem 2, which gives us α = β. Then the success probability is given by (1 − β) . Note that, in the theorem data complexity essentially refers to sample complexity. Table 5 lists the success probabilities of different distinguishers presented in this paper. Experimental Verification. For experimental verification of success probabilities, the strategy from [21] has been followed. First, consider a blackbox which can act as either a cipher C or a uniform discrete random permutation R. Then the experiment is run two times in the following ways: 1. Consider the blackbox as C and repeat the experiment a c times. 2. Consider the blackbox as R and repeat the experiment a r times. Let out of (a c +a r ) experiments, distinguisher decides it as C o c times and as R o r times. n F P and n F N denotes the number of false positives and false negatives respectively. Based on this parameters, the confusion matrix is shown in Table 6 . Then the success probability is calculated by: The values of success probabilities for 5-round and 6-round Flex-64 derived using experiments and theoretical estimations are listed in Table 7 . Trade-Off Between Success Rate and Free Rounds. The iterated truncated differentials can have a different number of free rounds at the end. More number of free rounds reduces the trail complexity at the expense of success rate. For analysis, consider the case pertaining to 6-round Flex-64 with the number of free rounds 1 and 2. The success rate for both cases is listed in Table 8 . For 21-round Flex-128, the number of free rounds can take any value between 1 and 4. For each of the cases, the theoretical estimation of success probability is almost equal. The estimated success probabilities have been shown in Table 9 . The difference between the distribution of random bitstream and 21round Flex-128 for each case is so huge, that it has a negligible effect on the success probability. In the following section, we show how to mount forgery attacks on Flex-AEAD variants using the idea of iterated truncated differentials. Eichlseder et al. have shown forgery attacks on FlexAEAD by applying several strategies [12] . All those strategies are also applicable using the differentials described in this paper. The main difference between these two approaches is the differential characteristics for the sequence generation. First, the differential characteristic of the sequence generation step is shown. A sequence of bits is used by FlexAEAD for authenticated encryption. These sequences are generated by using PF k , with initial state being the nonce. For details on sequence generation refer to [17] . The difference between two consecutive sequence numbers is that their last call to PF k differ by a INC32 call. INC32 is a 32-bit word operation which acts as an XOR operation with probability 2 −1 . active bytes) at the cost of 2 −2m . In the next round, m 16 symmetric positions get occupied at the cost of 2 −m . After repeating the process, log 2 (m) − 2 times, only one symmetric position remains occupied by the active byte. For the rest r − log 2 (m) + 2 rounds, with probability 2 −8 for each round the position of two active nibbles in the output get fixed (Note that, in the iterated truncated differential, the position of active is not fixed and that is why the probability of 2 −7 is paid). With 2 −8 probability the value of the active nibbles can be fixed to a specific value. By following this approach, the difference of two consecutive sequence numbers can be fixed to a specific value with probability 2 −50 for FlexAEAD-64, 2 −60 for FlexAEAD-128 and 2 −80 for FlexAEAD-256 (Corresponding complexities of forgery attacks are computed by taking the inverse of these probabilities). Differential characteristics of sequence generation for FlexAEAD-128 is shown in Fig. 6 . Once the output difference value is fixed, the techniques (Changing Associated Data, Truncating Ciphertext, Reordering Ciphertext) in [12] can be applied to forge ciphertext-tag pair. Comparison between several approaches regarding forgery attack is enlisted in Table 10 . In this work, we analyzed all variants of PF k of FlexAEAD. We reported a one round differential characteristic of PF k , which due to its iterative nature was exploited to penetrate a large number of rounds. We also showed that the generalized Yoyo distinguishing attack on SPN ciphers was applicable for PF k . While deploying Yoyo attack, a Super-Sbox construction of 1.5, 2.5 and 3.5 rounds in 64-bit, 128-bit and 256-bit PF k respectively were reported. All these attacks were easily exploited to recover the subkeys. In addition, the iterated truncated differential attack strategy was applied to the nonce-based sequence number generator which was exploited to devise similar kinds of forgery attacks on FlexAEAD as given by Eichlseder et al. [12] . The success probabilities of all distinguishing attacks were shown to be high. All attacks reported in this work with practical complexities were experimentally verified. All these attacks have exploited a vulnerability in the design which is based on dividing the nibbles into two parts while using AES S-box. Lightweight cryp-tography standardization process SHA-3 Standardization Process Cryptanalysis of the SIMON Family of Block Ciphers The QARMA block cipher family. almost MDS matrices over rings with zero divisors, nearly symmetric even-mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes Cryptanalysis of ForkAES GIFT: A small present -towards reaching the limit of lightweight encryption The SKINNY family of block ciphers and its low-latency variant MANTIS PRESENT: an ultra-lightweight block cipher KATAN and KTANTAN -a family of small and efficient hardware-oriented block ciphers Forgery Attacks on FlexAE and Flex-AEAD. Cryptology ePrint Archive Official Comment: FleaxAEAD. Posting on the NIST LWC mailing list Official Comment: FLEXAEAD. Posting on the NIST LWC mailing list A flexible authenticated lightweight cipher using even-mansour construction A Lightweight Cipher with Integrated Authentication FlexAEAD -a lightweight cipher with integrated authentication On data complexity of distinguishing attacks versus message recovery attacks on stream ciphers Yoyo tricks with AES New Yoyo tricks with AES-based permutations