Department of Computer Science, Chennai Mathematical Institute, Chennai, India.
Department of Computer Science, Indian Institute of Technology Kanpur, Kanpur, India.
Sci Rep. 2022 Sep 29;12(1):16313. doi: 10.1038/s41598-022-19046-2.
In this paper, we study the NIST lightweight 3rd-round candidate [Formula: see text]. The core component of [Formula: see text] is the keyed permutation [Formula: see text], which is based on a non-linear feedback shift register. By analysing this permutation carefully, we are able to find good cubes that are used to build distinguishers in the weak-key setting. In particular, we show that there are at least [Formula: see text] keys for which TinyJAMBU can be distinguished from a random source for up to 476 rounds. These distinguishers outperform the best-known distinguishers, which were proposed in 'Scientific Reports - Nature' by Teng et al. We are the first to study the exact degree of the feedback polynomial [Formula: see text] in the nonce variables. This helped us conclude that [Formula: see text] with more than 445 rounds is secure against distinguishers using cubes of size 32 in the normal setting. Finally, we give new key-recovery attacks against [Formula: see text] using the concept of monomial trails presented by Hu et al. at ASIACRYPT 2020. Our attacks are unlikely to jeopardise the security of the full 640-round [Formula: see text], but we strongly anticipate that they will shed new light on the cipher's security.