Birthday-Bound Slide Attacks on TinyJAMBU’s Keyed-Permutations for All Key Sizes

  • Conference paper
Advances in Information and Computer Security (IWSEC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13504)

Abstract

We study the security of the underlying keyed-permutations of NIST LWC finalist TinyJAMBU. Our main findings are key-recovery attacks whose data and time complexities are close to the birthday bound \(2^{64}\). The attack idea works for all versions of TinyJAMBU permutations having different key sizes, irrespective of the number of rounds repeated in the permutations. Most notably, the attack complexity is only marginally increased even when the key size becomes larger. Concretely, for TinyJAMBU permutations of key sizes 128, 192, and 256 bits, the data/time complexities of our key-recovery attacks are about \(2^{65}\), \(2^{66}\), and \(2^{69.5}\), respectively. Our attacks are on the underlying permutations and not on the TinyJAMBU AEAD scheme; the TinyJAMBU mode of operation limits the applicability of our attacks. However, our results imply that TinyJAMBU’s underlying keyed-permutations cannot be expected to provide the same security levels as robust block ciphers of the corresponding block and key sizes. Furthermore, the provable security of TinyJAMBU AEAD scheme should be carefully revisited, where the underlying permutations have been assumed to be almost ideal.

Notes

  1. This corresponds to the Type-2 difference [15]. In [16], the analysis of the Type-2 difference was removed due to the difficulty of exploiting it through the mode. Our interest is in P2 as a standalone primitive, so the Type-2 difference is relevant to us.

  2. The designers did not give any details of this related-key attack, but when \(K^\prime = K \lll 1\), the key bits of \(K^\prime \) for rounds 1 to n equal the key bits of K for rounds 2 to \(n+1\). Hence a plaintext M processed by \(E_K\) and the plaintext \(P_1^K(M)\) processed by \(E_{K^\prime }\) form a 1-round slid pair.

  3. The run time was very short; the search finished in a few seconds.

  4. Indeed, the designers argue that the constants inserted in the mode between permutation calls should prevent slide attacks (refer to Fig. 2); the presence of these constants seems to make it hard to extend our slide attacks to the AEAD modes.

References

  1. Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018)

  2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  3. Biham, E., Dunkelman, O., Keller, N.: Improved slide attacks. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 153–166. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_10

  4. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18

  5. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_41

  6. Furuya, S.: Slide attacks with a known-plaintext cryptanalysis. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 214–225. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_17

  7. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2000). https://doi.org/10.1007/s001450010015

  8. Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 192–217 (2018)

  9. NIST: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process (2018). https://csrc.nist.gov/Projects/lightweight-cryptography

  10. NIST: Lightweight Cryptography Standardization: Finalists Announced (2021). https://csrc.nist.gov/News/2021/lightweight-crypto-finalists-announced

  11. NIST: Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process (2021). https://csrc.nist.gov/publications/detail/nistir/8369/final

  12. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999). https://doi.org/10.1007/PL00003816

  13. Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. New results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_38

  14. Saha, D., Sasaki, Y., Shi, D., Sibleyras, F., Sun, S., Zhang, Y.: On the security margin of TinyJAMBU with refined differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2020(3), 152–174 (2020)

  15. Wu, H., Huang, T.: TinyJAMBU: A Family of Lightweight Authenticated Encryption Algorithms. Submitted to NIST, September 2019

  16. Wu, H., Huang, T.: TinyJAMBU: A Family of Lightweight Authenticated Encryption Algorithms (Version 2). Submitted to NIST, May 2021

Author information

Correspondence to Ferdinand Sibleyras, Yu Sasaki, Yosuke Todo, Akinori Hosoyamada or Kan Yasuda.

A Discussions and More Observations

A.1 Slide Attack with Deterministic Differential Characteristics

Overall Idea. The chain of queries in Sect. 4.2 efficiently increases the number of filtering bits, but it requires adaptively chosen-plaintext queries. Here we discuss another approach, also discussed in [5], that avoids adaptively chosen-plaintext queries, and we show that it can be applied to recover a 192-bit key. The idea is to combine differential characteristics of probability 1 with the slide attack. Suppose that there is an input and output difference of \(P_{192}\), denoted by \(\alpha \) and \(\beta \), that is satisfied with probability 1. For a slid pair \((A_0,B_0)\) and \((A_0^\prime ,B_0^\prime )\) such that \(A_0^\prime = P_{192}(A_0)\) and \(B_0^\prime = P_{192}(B_0)\), define \(A_1 = A_0\oplus \alpha \) and \(A_1^\prime = A_0^\prime \oplus \beta \). Then the pair \((A_1,B_1)\) and \((A_1^\prime ,B_1^\prime )\) also satisfies \(A_1^\prime = P_{192}(A_1)\) and \(B_1^\prime = P_{192}(B_1)\) thanks to the probability-1 differential characteristic. That is, we obtain two slid pairs without using adaptively chosen-plaintext queries. Moreover, the number of slid pairs increases further to \(2^n\) if n probability-1 differential characteristics are available, assuming that all n of them can be satisfied simultaneously. The idea for the case \(n=2\) is illustrated in Fig. 7.

Fig. 7. Attacks on TinyJAMBU-192 with two deterministic differential characteristics.

Note that the previous attack on TinyJAMBU-192 in Sect. 4.4 required adaptively chosen-plaintext queries not only for the query chains but also for the bit-by-bit key recovery explained in Sect. 4.3. Currently, we have not found an efficient key-recovery procedure that works in the chosen-plaintext setting. Hence, our approach to recover a 192-bit key is to first identify the valid slid pair and then guess the last 64 key bits. For this reason, we need to filter out all the wrong slid-pair candidates, and it is essential to have \(n=2\) distinct probability-1 characteristics so as to obtain a \(49 \times 2^2 = 196\)-bit filter.

Deterministic Differential Characteristic for \({\boldsymbol{P}}_{{\textbf {192}}}\). In the keyed permutation of TinyJAMBU, the only non-linear operation is the AND between \(s_{70}\) and \(s_{85}\). Recall that in each step the key bit only affects \(s_{127}\); thus during the first 43 rounds the inputs to the AND operation depend only on the plaintext. In other words, given the plaintext value, the differential propagation over the first 43 rounds is deterministic. The same applies in the backward direction: given the ciphertext value, the differential propagation over the last 70 rounds is deterministic. Moreover, we can set some plaintext and ciphertext bits to 0 to prevent an input difference to an AND gate from propagating.

With these observations, we searched for such characteristics of \(P_{192}\) using the refined MILP-based evaluation of [14], adding new constraints that exclude the active AND gates of the first 43 and last 70 rounds from the objective function. As a result, we found many probability-1 differential characteristics (see Note 3). An example is given in Table 3.

Table 3. An example of a probability-1 differential characteristic for TinyJAMBU-192. The differential masks \(\alpha ,\beta \) are given in hexadecimal.

We confirmed that the rotated variants of the characteristic in Table 3 are also satisfied with probability 1 for a left rotation by 1, 2, 3, 6, and 7 bits.

Application to TinyJAMBU-192. As mentioned above, two characteristics suffice for a 192-bit key. Hence we use the one in Table 3 and its version left-rotated by 1 bit. When we choose \(2^{64}\) distinct values of \(A_0\), we fix \(s_{97}=0\) and \(s_{98}=0\), and we query \(A_0 \oplus \alpha \), \(A_0 \oplus (\alpha \lll 1)\), and \(A_0 \oplus \alpha \oplus (\alpha \lll 1)\) along with \(A_0\). Similarly, when we choose \(2^{64}\) distinct values of \(A_0^\prime \), we fix the 8 bits \(s_{195},s_{225},s_{232},s_{262},s_{196},s_{226},s_{233},s_{263}\) to 0 to satisfy the conditions on the ciphertext, and we query \(A_0^\prime \oplus \beta \), \(A_0^\prime \oplus (\beta \lll 1)\), and \(A_0^\prime \oplus \beta \oplus (\beta \lll 1)\) along with \(A_0^\prime \). This yields a 196-bit filter, so among the \(2^{128}\) matching candidates only the right slid pair survives. After detecting the slid pair, we exhaustively guess the last 64 key bits.

The complexity is \(4\times 2\times 2^{64}=2^{67}\) chosen-plaintext queries. The computational cost is less than \(4\times 2\times 4\times 2^{64}=2^{69}\) computations of \(P_{192}\), which accounts for computing four \(\mathcal {R}_i\) or \(\mathcal {R}_o\) functions per query. The memory complexity is that of storing the queries for \(A_0\) and the associated quartets, i.e. \(2^{66}\). A memoryless variant is possible at a slightly higher computational cost.

A.2 Attacks on a Non-multiple Number of Rounds

In our attacks, we assumed that the total number of rounds is a multiple of the key length, which is the case for P2 in all members of TinyJAMBU. One may wonder whether the attack can be prevented by setting the number of rounds to a non-multiple of the key length. Here we show that this restriction can easily be lifted for the attacks on \(P_{128}\) and \(P_{192}\) using the deterministic differential characteristics of Sect. A.1.

Let k be the key, of length klen, and consider \(klen \times m + s\) rounds of encryption for some strictly positive integers m and s. Then a slid pair \((A_0, B_0)\), \((A'_0, B'_0)\) is such that \(A'_0 = P_{klen}^{k}(A_0)\) and \(B'_0 = P_{klen}^{k \lll s}(B_0)\). That is, \(B'_0\) is the encryption of \(B_0\) over klen rounds, but with a circularly shifted key: the last s rounds of the encryption consume the key bits \(k_0,\dots ,k_{s-1}\), so the klen rounds that separate \(B_0\) from \(B'_0\) start from \(k_s\). In this setting one clearly cannot chain queries to enhance a filter, because the key schedule does not cycle back to its initial state.

Attacking \(klen = 128\) is mostly unchanged from Sect. 3. We simply derive equations on key bits independently for the unshifted and shifted cases, which gives us a filter. The only difference is that the 15 unexploitable key bits (positions 43 to 57) are shifted in the second case, which can result in at most 30 unexploitable relations. Nevertheless, we can always build a 98-bit filter and perform the key recovery with the same complexity as before.

For \(klen = 192\), the attack is very similar to Sect. A.1. Indeed, in the notation of Fig. 7, we can still apply the same filter, but only on the outputs, \(F(B_0, B_1) = F(B'_0, B'_1)\), \(F(B_0, B_2) = F(B'_0, B'_2)\), \(F(B_0, B_3) = F(B'_0, B'_3)\), ignoring the relation induced by \(A_0\) and \(A'_0\). The actual shift s has no effect when only relations on outputs are compared. More generally, in the shifted case, having n independent differential characteristics increases the filter \((2^n - 1)\)-fold (instead of \(2^n\)-fold previously). For the 192-bit key case, a \(49 \times 3 = 147\)-bit filter is still more than enough to filter out all the wrong pairs, especially as \(A_0\) and \(A'_0\) can further help in the guessing stage for the remaining key bits.
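The two structural facts relied on in this appendix, the slid-pair relation with a cyclically shifted key for \(klen \times m + s\) rounds (this section) and the key-independence of difference propagation through the first 43 rounds (Sect. A.1), can be checked directly on a bit-level model of the keyed permutation. The following Python script is an added example, not code from the paper or from the TinyJAMBU designers. It re-implements the public StateUpdate step of the TinyJAMBU specification (feedback \(s_0 \oplus s_{47} \oplus \lnot(s_{70} \wedge s_{85}) \oplus s_{91} \oplus k_{i \bmod klen}\), state shifted by one position with the feedback entering at \(s_{127}\)); the P2 round counts 1024, 1152 and 1280 are taken from that specification. The representation of the state and key as integers with bit j holding \(s_j\) (resp. \(k_j\)), the modelling of \(k \lll s\) as a key-index offset, all function names, and the sampling of random keys and plaintexts are this example's own choices.

```python
"""Bit-level model of TinyJAMBU's keyed permutation (added example, not the
paper's or the designers' code).  It re-implements the public StateUpdate
step of the NIST LWC submission: a 128-bit NLFSR whose feedback is
s0 ^ s47 ^ ~(s70 & s85) ^ s91 ^ k[i mod klen].  Function names, the key
offset modelling k <<< s, and the sampling strategy are assumptions of
this example, not notation from the paper."""
import random

STATE_BITS = 128


def _bit(x, i):
    return (x >> i) & 1


def tinyjambu_rounds(state, key, klen, rounds, key_offset=0):
    """Run `rounds` NLFSR steps on the 128-bit integer `state` (bit j = s_j).

    Step i uses key bit (i + key_offset) mod klen of the klen-bit integer
    `key`; key_offset = s models the cyclically shifted key k <<< s of
    Sect. A.2 (the klen-round block that starts at key bit k_s).
    """
    mask = (1 << STATE_BITS) - 1
    s = state
    for i in range(rounds):
        kbit = _bit(key, (i + key_offset) % klen)
        fb = (_bit(s, 0) ^ _bit(s, 47) ^ (1 ^ (_bit(s, 70) & _bit(s, 85)))
              ^ _bit(s, 91) ^ kbit)
        # s_j <- s_{j+1} for j < 127, s_127 <- feedback
        s = ((s >> 1) | (fb << (STATE_BITS - 1))) & mask
    return s


def slid_pair_relation_holds(klen, m, s, trials=8, seed=1):
    """Sect. A.2: for E = klen*m + s rounds under key k, A'_0 = P^k(A_0)
    forces B'_0 = P^{k<<<s}(B_0), where B_0 = E(A_0) and B'_0 = E(A'_0).
    With s = 0 this is the plain slide property of P2 used in the paper."""
    rng = random.Random(seed)
    n = klen * m + s
    for _ in range(trials):
        key = rng.getrandbits(klen)
        a0 = rng.getrandbits(STATE_BITS)
        a0p = tinyjambu_rounds(a0, key, klen, klen)     # A'_0 = P^k(A_0)
        b0 = tinyjambu_rounds(a0, key, klen, n)         # B_0  = E(A_0)
        b0p = tinyjambu_rounds(a0p, key, klen, n)       # B'_0 = E(A'_0)
        if b0p != tinyjambu_rounds(b0, key, klen, klen, key_offset=s):
            return False
    return True


def state_diff(a, alpha, key, klen, rounds):
    """Output difference of the plaintext pair (a, a ^ alpha) after `rounds` steps."""
    return (tinyjambu_rounds(a, key, klen, rounds)
            ^ tinyjambu_rounds(a ^ alpha, key, klen, rounds))


def diff_is_key_independent(alpha, rounds, klen=128, trials=32, seed=2):
    """Sect. A.1: the AND gate reads s70 and s85 while a key bit only enters
    at s127, so during the first 43 steps both AND inputs are plaintext bits
    and the difference propagation is fixed by the plaintext alone.

    Returns True if every sampled key yields the same output difference for
    one fixed plaintext pair.  The key with bit 0 flipped is always included,
    because k_0 is the first key bit to reach the AND gate (as s85 at step 43).
    """
    rng = random.Random(seed)
    a = rng.getrandbits(STATE_BITS)
    base = rng.getrandbits(klen)
    ref = state_diff(a, alpha, base, klen, rounds)
    keys = [base ^ 1] + [rng.getrandbits(klen) for _ in range(trials)]
    return all(state_diff(a, alpha, k, klen, rounds) == ref for k in keys)


if __name__ == "__main__":
    # P2 of each member: P_1024 = P_128^8, P_1152 = P_192^6, P_1280 = P_256^5
    for klen, m in ((128, 8), (192, 6), (256, 5)):
        print(klen, "rounds = klen*m:", slid_pair_relation_holds(klen, m, 0))
    print("128, 2*128+5 rounds, key shifted by 5:", slid_pair_relation_holds(128, 2, 5))
    print("43 steps, arbitrary difference:", diff_is_key_independent(0xDEADBEEF << 40, 43))
    # plaintext bit 113 reaches s70 exactly at step 43, when s85 holds fb_0
    # (which contains k_0): one step beyond 43 the propagation depends on the key
    print("44 steps, difference at bit 113:", diff_is_key_independent(1 << 113, 44))
```

Running the script confirms the slide relation for the P2 of all three members and for a non-multiple round count with the key shifted by s, and it shows that after 43 steps the output difference is the same under every key for any input difference, whereas one more step with a difference at bit 113 already makes the propagation key-dependent. The 43-step boundary is exact: bit 85 of the state at step i is plaintext bit 85 + i as long as 85 + i \(\le\) 127, and from step 43 on it is a feedback bit that contains \(k_0\).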

A.3 Implication on the Security of the AEAD Schemes

Our results do not easily extend to attacks on the TinyJAMBU AEAD schemes, but they bring their security into question. That is, they weaken the rationale for believing that the 112-bit (resp. 168-bit, 224-bit) encryption/secret-key security goal is achieved by TinyJAMBU-128 (resp. TinyJAMBU-192, TinyJAMBU-256); believing so is essentially equivalent to regarding the security goal itself as an assumption. Neither the security of the primitive nor that of the mode implies the security of the scheme; one is assuming that the combination of the two achieves the security goal even while being aware that the primitive is far from ideal.

In other words, one is assuming that some features of the mode "enhance" encryption/secret-key security to 112/168/224 bits even though the underlying primitive is vulnerable to birthday-bound (i.e., about 64 bits in every case) key-recovery attacks. Such features may include, for example, the fact that "frame bits" [16] (see Note 4) are inserted into states and that at most 32 bits of each state value are controllable by adversaries.

In fact, the underlying permutations are already known to be non-ideal. For instance, the designers show in the specification that P1 in the AEAD mode (see Fig. 2) has a differential property of probability \(2^{-83}\). Nevertheless, we stress that our attacks are the first to show that P2 of every version of TinyJAMBU is broken by a birthday-bound key-recovery attack, which makes us less confident that the designers' security proof of the mode can be regarded as a convincing reason for the security claim to hold.

To be fair, we remark that our results do not significantly affect the privacy security (indistinguishability) shown by the designers or the authentication security goal stated by the designers [16]. This is because both of these notions are only claimed up to the birthday bound of 64 bits, and our attacks require birthday-bound complexities.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Sibleyras, F., Sasaki, Y., Todo, Y., Hosoyamada, A., Yasuda, K. (2022). Birthday-Bound Slide Attacks on TinyJAMBU’s Keyed-Permutations for All Key Sizes. In: Cheng, CM., Akiyama, M. (eds) Advances in Information and Computer Security. IWSEC 2022. Lecture Notes in Computer Science, vol 13504. Springer, Cham. https://doi.org/10.1007/978-3-031-15255-9_6

  • DOI: https://doi.org/10.1007/978-3-031-15255-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15254-2

  • Online ISBN: 978-3-031-15255-9
