Author:
Dutta Pranjal, Rajasree Mahesh Sreekumar, Sarkar Santanu
Abstract
In this paper, we study the NIST lightweight 3rd round candidate TinyJAMBU. The core component of TinyJAMBU is the keyed permutation $\mathcal{P}_n$, which is based on a non-linear feedback shift register. By analysing this permutation carefully, we are able to find good cubes that are used to build distinguishers in the weak-key setting. In particular, we show that there are at least $2^{108}$ keys for which TinyJAMBU can be distinguished from a random source for up to 476 rounds. These distinguishers outperform the best-known distinguishers, which were proposed in ‘Scientific Reports - Nature’ by Teng et al. We are the first to study the exact degree of the feedback polynomial $\mathcal{P}_n$ in the nonce variables. This helped us in concluding that TinyJAMBU with more than 445 rounds is secure against distinguishers using 32-sized cubes in the normal setting. Finally, we give new key-recovery attacks against TinyJAMBU using the concepts of monomial trail presented by Hu et al. at ASIACRYPT 2020. Our attacks are unlikely to jeopardise the security of the entire 640-round TinyJAMBU, but we strongly anticipate that they will shed new light on the cipher’s security.
Funder
Google Ph. D. Fellowship
Prime Minister’s Research Fellowship
Publisher
Springer Science and Business Media LLC
Cited by
2 articles.