Abstract

This paper presents the first third-party security analysis of TinyJAMBU, one of the 32 second-round candidates in NIST’s lightweight cryptography standardization process. TinyJAMBU adopts an NLFSR-based keyed permutation that computes only a single NAND gate as its non-linear component per round. The designers evaluated the minimum number of active AND gates; however, such a counting method neglects the dependency between multiple AND gates. Previous works do consider such dependencies with stricter models, but those are known to be too slow. In this paper, we present a new model that provides a good balance of efficiency and accuracy by taking into account only the first-order correlation of AND gates, which occurs frequently in TinyJAMBU. With the refined model, we show a 338-round differential with probability 2^{-62.68} that leads to a forgery attack breaking 64-bit security. This implies that the security margin of TinyJAMBU with respect to the number of unattacked rounds is approximately 12%. We also show a differential on the full 384 rounds with probability 2^{-70.64}; thus the security margin of the full rounds with respect to the data complexity, namely the gap between the claimed security bits and the attack complexity, is less than 8 bits. Our attacks also point out structural weaknesses of the mode that essentially come from the minimal state size required to be lightweight.
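The abstract's central point, that counting active AND gates assumes the gates behave independently, can be checked directly on the permutation. The following is an added illustration written for this page, not the paper's or the designers' code; it implements the TinyJAMBU round from the public specification's feedback function (taps 0, 47, 70, 85, 91, which the page itself does not list) and uses a constructed 16-round input difference in which two active NANDs share the state bit s85, so their output differences are identical rather than independent.

```python
import random

def tinyjambu_round(state: int, key_bit: int) -> int:
    """One round of the TinyJAMBU keyed permutation on a 128-bit state (bit i is s_i).
    Taps follow the public specification: fb = s0 ^ s47 ^ NAND(s70, s85) ^ s91 ^ k_i."""
    bit = lambda i: (state >> i) & 1
    fb = bit(0) ^ bit(47) ^ (1 ^ (bit(70) & bit(85))) ^ bit(91) ^ key_bit
    return (state >> 1) | (fb << 127)          # shift right, feedback enters at s127

def permute(state: int, key: int, rounds: int) -> int:
    for i in range(rounds):
        state = tinyjambu_round(state, (key >> (i % 128)) & 1)
    return state

def count_active_and_gates(in_diff: int, rounds: int) -> int:
    """Designers'-style count: push the difference through the linear taps only,
    assume every active NAND outputs difference 0, and count the active NANDs."""
    d, active = in_diff, 0
    for _ in range(rounds):
        if (d >> 70) & 1 or (d >> 85) & 1:
            active += 1
        fb = (d & 1) ^ ((d >> 47) & 1) ^ ((d >> 91) & 1)   # NAND term contributes 0
        d = (d >> 1) | (fb << 127)
    return active

def output_diff_counts(in_diff: int, rounds: int, samples: int, seed: int = 1) -> dict:
    """Empirical output-difference distribution over random keys and states."""
    rng, counts = random.Random(seed), {}
    for _ in range(samples):
        key, x = rng.getrandbits(128), rng.getrandbits(128)
        d = permute(x, key, rounds) ^ permute(x ^ in_diff, key, rounds)
        counts[d] = counts.get(d, 0) + 1
    return counts

# Constructed input difference on bits 70 and 100. Over 16 rounds the NAND is
# active twice: round 0 reads (s70, s85) and round 15 reads (s85, s100). Both
# output differences equal the same state bit s85, so the gates are fully
# correlated: two of the four joint patterns are impossible and the other two
# each occur with probability 1/2, not the 1/4 that the active-gate count gives.
IN_DIFF, ROUNDS = (1 << 70) | (1 << 100), 16

def compare(samples: int = 2000) -> tuple:
    """Returns (naive 2^-#active trail probability, best observed output-diff probability)."""
    naive = 2.0 ** -count_active_and_gates(IN_DIFF, ROUNDS)
    counts = output_diff_counts(IN_DIFF, ROUNDS, samples)
    return naive, max(counts.values()) / samples
```

Calling `compare()` returns a naive estimate of 0.25 against an observed best output difference close to 0.5, and `output_diff_counts` shows only two output differences ever occur, differing exactly in the two feedback bits produced by the correlated gates.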

Highlights

  • At the time of writing, the only existing security evaluation of TinyJAMBU is the one provided in the design document [WH19], which counts the number of active AND gates to find differential and linear trails with the minimum of such active gates by using Mixed Integer Linear Programming (MILP) [MWGP]

  • National Institute of Standards and Technology (NIST) initiated a public competition-like process to solicit, evaluate, and standardize authenticated encryption and hashing schemes suitable for highly constrained computing environments like RFID tags, lightweight industrial controllers and sensor nodes [Nat19a]

  • We presented the refined model to efficiently find highly accurate differential and linear trails of TinyJAMBU


Summary

Introduction

At the time of writing, the only existing security evaluation of TinyJAMBU is the one provided in the design document [WH19], which counts the number of active AND gates to find differential and linear trails with the minimum of such active gates by using Mixed Integer Linear Programming (MILP) [MWGP]. This kind of analysis is insufficient due to the following reasons.

Notations and the Specification of TinyJAMBU
Security Claim
Security Proofs and Assumptions
MILP Models for TinyJAMBU
Stricter Model for Differential Trails
Correlation of Linear Trails
The Refined Model for Differential Trails
The Refined Model for Linear Trails
Differential Cryptanalysis
Summary of the Security Analysis by the Designers
Forgery for TinyJAMBU Mode
Observations on Full 384 Rounds
Differential Cryptanalysis of 338 Rounds
Attacks for the Underlying Permutation
Unrestricted Differentials
Partly Restricted Differentials
Refined Analysis for Partially Restricted Keyed Permutation
Linear Bias of the Tag in the AEAD Setting
Findings
Conclusion