International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis

Authors:
Dhiman Saha , de.ci.phe.red Lab, Department of Electrical Engineering and Computer Science, IIT Bhilai, Chhattisgarh, India
Yu Sasaki , NTT Secure Platform Laboratories, Tokyo, JapanNTT Secure Platform Laboratories, Tokyo, Japan
Danping Shi , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China
Ferdinand Sibleyras , Inria, Paris, France
Siwei Sun , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China
Yingjie Zhang , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China
Download:
DOI: 10.13154/tosc.v2020.i3.152-174
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8699
Search ePrint
Search Google
Abstract: This paper presents the first third-party security analysis of TinyJAMBU, which is one of 32 second-round candidates in NIST’s lightweight cryptography standardization process. TinyJAMBU adopts an NLFSR based keyed-permutation that computes only a single NAND gate as a non-linear component per round. The designers evaluated the minimum number of active AND gates, however such a counting method neglects the dependency between multiple AND gates. There also exist previous works considering such dependencies with stricter models, however those are known to be too slow. In this paper, we present a new model that provides a good balance of efficiency and accuracy by only taking into account the first-order correlation of AND gates that frequently occurs in TinyJAMBU. With the refined model, we show a 338-round differential with probability 2−62.68 that leads to a forgery attack breaking 64-bit security. This implies that the security margin of TinyJAMBU with respect to the number of unattacked rounds is approximately 12%. We also show a differential on full 384 rounds with probability 2−70.64, thus the security margin of full rounds with respect to the data complexity, namely the gap between the claimed security bits and the attack complexity, is less than 8 bits. Our attacks also point out structural weaknesses of the mode that essentially come from the minimal state size to be lightweight.
Video from TOSC 2020
BibTeX
@article{tosc-2020-30567,
  title={On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 3},
  pages={152-174},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8699},
  doi={10.13154/tosc.v2020.i3.152-174},
  author={Dhiman Saha and Yu Sasaki and Danping Shi and Ferdinand Sibleyras and Siwei Sun and Yingjie Zhang},
  year=2020
}