Hello everyone, this is Dhiman, and I'm really happy to share this result on the security margin of TinyJambu with refined differential and linear cryptanalysis. This is joint work with Yu, Danping, Ferdinand, Siwei and Yingjie, and it started during the group discussion sessions of ASK in Japan last year. TinyJambu, as you all know, is one of the submissions to the NIST LWC competition and is in round 2. The AEAD setup I think all of you know, so I won't spend time on it; this is the basic interface which TinyJambu supports, as per the requirement. It was designed by Hongjun Wu and Tao Huang, and most of you would be familiar with its predecessor, so to say, JAMBU, which was part of the CAESAR competition; TinyJambu, as the name suggests, is a small variant of JAMBU. It is a family of AEAD schemes: it has three variants in its specification, which vary in key size and in the encryption security they provide. The authentication security, however, is the same across all variants, at the 64-bit level.

Moving on, we will first look into the specification of the algorithm: first the mode, and then the internal permutation. TinyJambu has a fairly standard way of initializing, but there is something interesting that happens during the initialization. What is that? The initialization can be broken up into these steps: of course, the key is processed through a permutation first, and subsequent to that, the nonce is processed in three blocks. The nonce is 96 bits, a constant across all variants of TinyJambu as per the specification, and each block absorbs 32 bits. It is a duplex sponge construction, and it is very important that it absorbs the nonce in multiple blocks; you will see why I emphasize this, because this is exactly our point of interest.
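The multi-block nonce absorption just described can be sketched in a few lines of Python. This is a simplified sketch based on my reading of the public TinyJambu specification for the 128-bit variant; the round counts, frame-bit positions, and variable names are assumptions for illustration, not a reference implementation:

```python
def state_update(state, key_bits, rounds):
    """Keyed NLFSR permutation: one NAND non-linearity per round."""
    s = list(state)
    for r in range(rounds):
        feedback = (s[0] ^ s[47]
                    ^ (1 - (s[70] & s[85]))         # the single NAND gate
                    ^ s[91]
                    ^ key_bits[r % len(key_bits)])  # key bit, wrapping around
        s = s[1:] + [feedback]                      # shift the 128-bit register
    return s

FRAME_NONCE = 1  # frame bits (domain separator) for nonce setup

def initialize(key_bits, nonce_bits):
    """Key setup, then the 96-bit nonce absorbed in three 32-bit blocks."""
    # P_khat for key setup: 1024 rounds assumed for the 128-bit variant
    s = state_update([0] * 128, key_bits, 1024)
    for i in range(3):                            # duplex-style multi-block absorption
        for j in range(3):
            s[36 + j] ^= (FRAME_NONCE >> j) & 1   # frame bits into s36..s38
        s = state_update(s, key_bits, 384)        # the smaller P_k: 384 rounds
        for j in range(32):
            s[96 + j] ^= nonce_bits[32 * i + j]   # absorb 32 nonce bits into the MSB side
    return s
```

The point to notice is that each 32-bit nonce block only sees the 384-round P_k before the next block is XORed in, which is exactly why the multi-block absorption becomes our point of interest.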
Another important thing I would like to highlight is P_k and P_k-hat: both of these are keyed permutations, and they differ in the number of rounds. P_k is the same across all variants, with 384 rounds, but P_k-hat varies according to the key size. Let's look further and then come back to this.

After the key and nonce have been absorbed, the next thing is the associated data processing. Again, the associated data is processed through the permutation with the smaller number of rounds, P_k, and you can see that in the lower part it uses some bits which the designers call frame bits; essentially these are domain separators. As the iterations move through the blocks, the domain separators change, because the domain changes from the associated data, and next comes the plaintext. A very important thing to appreciate is that for the encryption part, TinyJambu uses the bigger permutation (bigger in the number of rounds), P_k-hat. Finally, for the finalization, when the tag is given as output, note that this again happens in two iterations: the 64-bit tag comes out 32 bits at a time, with one call to P_k in between.

Our points of interest are here, here, and here, where we have P_k, the permutation with the smaller number of rounds; it is quite intuitive why we are interested in that. Looking at the entire structure together: as I promised, the number of rounds of P_k-hat varies, while P_k is the same across all variants, and this again makes it our point of interest. The nonce length is also the same across variants.
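To make the frame-bit domain separation and the two-block tag extraction concrete, here is a structural sketch in the same spirit. It again follows my reading of the public specification for the 128-bit variant; the round counts, frame-bit values, and tag-bit positions are assumptions to illustrate the structure, not a reference implementation:

```python
FRAME_AD, FRAME_FINAL = 3, 7  # frame bits (domain separators) for AD and finalization

def state_update(state, key_bits, rounds):
    """Keyed NLFSR permutation (details on the internal-permutation slide)."""
    s = list(state)
    for r in range(rounds):
        fb = (s[0] ^ s[47] ^ (1 - (s[70] & s[85])) ^ s[91]
              ^ key_bits[r % len(key_bits)])
        s = s[1:] + [fb]
    return s

def absorb_ad(s, key_bits, ad_blocks):
    """Each 32-bit AD block goes through the *smaller* permutation P_k (384 rounds)."""
    for block in ad_blocks:
        for j in range(3):
            s[36 + j] ^= (FRAME_AD >> j) & 1
        s = state_update(s, key_bits, 384)
        for j in range(32):
            s[96 + j] ^= block[j]
    return s

def finalize(s, key_bits):
    """64-bit tag squeezed as two 32-bit halves, with one call to P_k in between."""
    tag = []
    for rounds in (1024, 384):       # P_khat first, then the smaller P_k (assumed counts)
        for j in range(3):
            s[36 + j] ^= (FRAME_FINAL >> j) & 1
        s = state_update(s, key_bits, rounds)
        tag += s[64:96]              # 32 tag bits taken from the middle of the state
    return tag
```

The second tag half sits only one 384-round P_k away from the first, which is the window exploited later with linear trails on the tag.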
Now let us move on to the internal permutation. The internal permutation of TinyJambu is very interesting because it is very minimally designed; it is very simple in its structure. It has only one point of nonlinearity, which is this NAND gate across two tap points, and that is it. The key bit gets XORed in at this point, and depending on the variant, the key wraps around: the key size changes, but the number of iterations is larger than the key size, so the key is simply reused cyclically. So this is it: it is a keyed permutation, basically a nonlinear feedback shift register, and that is all there is to say. The nonlinearity sits at just one point; it is very minimal in that sense.

Now, with this knowledge in view, we can look at what has already been done, the literature in terms of cryptanalysis; in fact, our work being the first third-party analysis, the existing results are those of the designers. So let's look into this. The strategy for proving resistance to linear and differential cryptanalysis is the standard one, using MILP modeling; after it was introduced by Mouha et al., it became, I think, one of the most popular ways of selling your design by demonstrating its resistance. But in MILP modeling, one thing that is very important is to model properly. For a very minimalistic design like TinyJambu, it is quite natural that the designers used a model that simply counts the number of active AND gates, and that is fine. But the question we are asking is: is this sufficient? Our verdict is that it is fast but inaccurate, and we prove this. The first thing this model ignores, and this is not our observation alone, it has been shown in the literature
before: it ignores the correlation that can happen between multiple AND gates. The gates can become correlated, but this simple model considers every AND gate independently, and hence misses that correlation. It basically overcounts: the effective number of independent AND gates is lower, so the true probability of a trail is higher than what the simple count claims. The designers ignore this; that is the first thing to note. The second thing, which is quite well known, is that the effect of differentials can amplify the probability: we can look at a cluster of trails and, combining their probabilities, amplify the overall probability. The designers did not do this either, and this is another point to note. On the linear cryptanalysis side, we would like to mention that the model the designers used assumed access to all the input bits, which is unrealistic.

With this, the next point is: what already exists in the literature that could address this situation? Quite a few works have come up of late that show how to do MILP modeling very accurately. The problem with this kind of modeling is that it is very strict: it imposes a lot of constraints on the system, and with these constraints the solver will struggle to give a result. Most of the time it is not practical; the solver just keeps running until, one day, you give up. So, as has been noted in the literature, though these techniques are good at checking the validity of a given trail, they are seldom good at finding optimal ones. With all this in view, we
try to put this point forward: our motivation is to strike a balance between the two, accuracy and efficiency. So what is our contribution? The first thing to note is the problem with the simple model. Looking at a single AND gate, the actual values of the inputs determine the output difference; that is important. We can see, for this simple AND gate, that whether it is active and what it outputs relies on the values of the inputs. The simple model, on the other hand, just says: if there is a difference in at least one of the two input bits, the output of the gate has a difference with probability one half, or does not with probability one half. That is all it cares about, and it treats all the AND gates the same and all of them independently. That is the fallacy which has to be overcome: the simple model fails to capture both the correlation and the dependence on the values. That is what we address with the refined model.

So, as the title suggests, we are finally here with the refined model. The refined model relies on a very simple observation. Remember, this is a shift register, shifting in this direction: the same value that shifts through it, if it enters the AND gate at s85, will after some rounds enter it again through s70. That is what the refined model is all about. Let's look at a simple simulation: you have the entire 128-bit state laid out, and we mark three inputs as a, b and c. Consider the first AND gate, where b enters at s85; b enters a gate twice, first as b AND c, and then, after 15 rounds, as a AND b. So it enters an AND gate twice, and hence
this value b is common to both gates. Hence there has to be some kind of correlation, and this is a first-order correlation: a AND b and b AND c, for some values of a, b, c, will be correlated. These are first-order correlations only, a very simple thing; we are not trying to impose anything more.

Now, in terms of differential propagation, let's look at the actual values and how the difference propagates. Consider the event where, in terms of differences, the common input difference on b is 0 while both of the other inputs carry a difference. Now look at the values: if b = 0, both AND gates have output difference 0, while if b = 1, both have output difference 1, and each case occurs with probability one half. This is the important point: this is a joint propagation; either both gates propagate the difference or neither does. Under this particular event, instead of treating them as different gates, we consider both of them as a single gate; that is all we impose in the refined model.

What does this translate to in terms of MILP? Very simple: just model the differences, for the individual values and for the gates, and finally a variable gamma_abc captures the correlation, that is, whether a AND b and b AND c are correlated or not. We impose a set of constraints over and above the simple model: the simple model stays, and we just add some additional constraints. Now look at the chained values: for consecutive couples of this form, these are the additional constraints we impose, and this is what
takes care of that 1-0-1 difference pattern. If that event does not occur, this model boils down to the simple model. The final step: subtract all the gamma_abc values in the objective function. The objective function is as before; we just subtract this additional term. This results in single counting for correlated AND gates, whereas the original simple model would have overcounted them. That's it.

Now, with all these ideas in place, we can look at the results, for the differential analysis first. What did the designers claim in the original submission document? They gave four types of trails. Type 1: in terms of differential analysis with the simple model, the input bits of the permutation are restricted to the 32 MSBs only, and the output is unrestricted. Type 2 is the reverse: input unrestricted, output restricted to the 32 MSBs. Remember, it is on the MSB side that everything, the associated data, the nonce, is XORed in. Then we have type 3, a very important one, because it constrains both the input and the output; it is our point of interest for forgeries. Type 4 is unconstrained, which takes care of the underlying permutation itself. The designers claimed that for 384 rounds the maximum type 3 trail probability was 2 to the minus 80, which is good with respect to the 64-bit security level they provide for authenticity, and for type 4 they said the best they could find for 320 rounds was 2 to the minus 13. We prove both of these wrong, and I'll show you how. Before I proceed to the refined-model results, let me show you the attack setting for the forgery; it is very important.
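First, though, the joint propagation at the heart of the refined model is easy to sanity-check by exhaustive enumeration. The sketch below (my own illustration) checks the 1-0-1 event: a difference on a and on c, but none on the shared bit b. Note that the output difference of a NAND gate equals that of the underlying AND gate, since the final complement cancels in the XOR of the two evaluations:

```python
def and_diff(x, y, dx, dy):
    """Output difference of an AND gate on values (x, y) with input differences (dx, dy)."""
    return ((x ^ dx) & (y ^ dy)) ^ (x & y)

# The 1-0-1 event: differences on a and c, none on the shared middle bit b.
# The gates a&b and b&c then produce the SAME output difference, namely b itself,
# so the pair propagates jointly: both differences appear, or neither does.
for a in (0, 1):
    for b in (0, 1):
        for c in (0, 1):
            d_ab = and_diff(a, b, 1, 0)  # gate a&b: difference only on a
            d_bc = and_diff(b, c, 0, 1)  # gate b&c: difference only on c
            assert d_ab == d_bc == b
```

Over a uniform b, the pair therefore costs a single factor of one half instead of the simple model's one quarter, which is exactly the gamma_abc correction subtracted in the objective function.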
Remember, I am talking about type 3 trails, constrained in both input and output. Suppose that with the first nonce block we inject delta_i as our input difference. This transits to an output difference delta_o, with some probability p. Now, with the second nonce block, we inject the same difference delta_o, so that the two cancel and the state difference becomes 0 at this point. Hence we have a collision, and we have a forgery. This is quite easy to understand, and it works both for the nonce and for the associated data; we are interested in both because in both cases the permutation is P_k, with 384 rounds, the smallest number used anywhere. So this is how we mount our forgery: we impose the input and output differences on the trail, and use the second nonce block to nullify the output difference. That is the setting for the forgery.

We additionally get reforgeability, precisely because of the multi-block absorption of the nonce and associated data. What is reforgeability? Reforgeability, as studied by Black and Cochran at FSE 2009, concerns the additional effort you need for new forgeries once you already have one forgery. In this case it is easy to see: since the nonce is absorbed in three blocks, once we have this difference cancelled to 0, we can take any arbitrary value for the remaining nonce block, and every such value gives us a new forgery. The additional effort is negligible in that sense. So the MAC
reforgeability becomes an interesting case. Along with this, we also look at clusters of multiple trails to boost the probability; as claimed earlier, that is something we did differently from the designers.

Now let's look at the results. The first is the type 3 observation on 384 rounds. Remember, the designers claimed 2 to the minus 80, but we found that there is no trail with probability 2 to the minus 80 that does not have a correlated AND gate, and if it has a correlated AND gate, it does not actually reach probability 2 to the minus 80. With the refined model we found a trail with 88 active AND gates and 14 correlated couples, which our model subtracts, and the resulting probability is 2 to the minus 74. Moreover, we found 103 such distinct trails in our analysis, and pooling all of them together results in an effective probability of 2 to the minus 70.68. Just compare that to 64 bits; it is quite near, so the security margin is quite thin, if I may say so.

Moving on, the next strategy was: how many rounds can we penetrate while violating the 64-bit barrier? That is, find the largest number of rounds with security below 64 bits. We found a trail with 76 active AND gates and 12 correlated couples; following the same logic, we get 2 to the minus 64. One thing I forgot to mention: a trail can be verified using the input and output differences alone; the intermediate values are given only to reconstruct the entire trail, they are not part of it. Now, for the same 338 rounds, we found 24 distinct trails, and pooling all of these trails together, the security
results in 2 to the minus 62.68. So 338 rounds is the maximum we could reach while violating the security claim of the designers.

Another interesting observation came while searching across the spectrum: as we increase the number of rounds and keep searching for trails, the best probability of course gets worse, but in the plot of score versus number of rounds there are three spots where some kind of pattern emerges, a periodicity, where the probability seems to improve with the number of rounds. There is nothing significant I can claim, and I have no result explaining it, but it happens at roughly 50-round intervals, and it is an interesting open problem for further study.

Then, for unrestricted differentials (type 4), we got results which can be practically verified: we improved the designers' result for 320 rounds from 2 to the minus 13 to 2 to the minus 12, and we also got a full-round differential of 2 to the minus 19, which we could easily verify. With the confirming pairs we could generate, the results and the corresponding trail are given in the GitHub repo. Moving on, we also have the type 1 and type 2 results. For type 1 we again improved on whatever the designers gave; the question mark here indicates that the solver did not finish. The same cannot be said about type 2. But the interesting part is to look at type 1 and type 2 together.
Type 1 is output-unrestricted and type 2 is input-unrestricted, so you can combine both of them, and that is also important for forgery: combining them leads to an interesting forgery setting. If I combine them for the full 384 rounds, the designers' exponents were 45 and 28, while ours are 41 and 28, and hence we get a factor 2 to the 4, that is, 16, improvement over the designers' claims.

Now for the linear cryptanalysis part; the setting is very similar. Here, instead of approximating each AND gate independently, when we have correlated AND gates we can go for joint linear approximations and hence improve the bias. With joint linear approximations, the same idea as before, we can try to improve the bias; the particular case shown here is checking for a correlation in the tag. Remember, this is important because the tag is given out in two iterations, in two blocks, with one P_k in between, which makes it a good case for this; the same setting applies, and the linear trails can be examined. The first results come in the form of the partially restricted keyed permutations. What happened here is interesting: we found no correlation, we could not find any correlated gates, but we still improved the results; just see the table, this is very interesting (again, a question mark means the solver did not finish). This is quite counterintuitive, because if there is no correlation, our model boils down to the simple model, and if the designers had already done that, the results should have matched. So there is something going on here which I think is interesting. Moving forward to the bias in the tag: we find a 2 to the minus 41 bias for the full round, but again this
does not contradict anything: it translates to a data complexity of 2 to the 82, which does not violate any claim. This is the trail that was obtained, and that is all for the linear results.

Now, to summarize: this first third-party cryptanalysis of TinyJambu gives us some insight into the structural weaknesses of this kind of design. The multi-block processing is the interesting thing: you cannot say this for a traditional sponge duplex construction, but the multi-block processing makes the case for this forgery and for reforgeability, so it gives us insight into this kind of construction; maybe it can be taken up by designers. We also see that the refined model is quite accurate despite not being as strict as the heavyweight models in the literature, which is encouraging, and we can look forward to this kind of modeling in the future too. In terms of results, we saw that a very thin security margin is left: 12 percent in terms of unattacked rounds, because we get 2 to the minus 62.68 for 338 rounds, and for the full rounds we get 2 to the minus 70.68, which leaves less than 8 bits of security margin; it is very thin for TinyJambu. For linear cryptanalysis we also got interesting results, because we improved the bounds over the designers' despite not finding any correlation, which is important. What could be a solution? One solution could be increasing the number of rounds from 384 to 512; that is of course possible, but it would impact the throughput, so that has to be taken care of. Alternatively, taking the refined model into consideration, one could choose better tap points, tuning the parameters to see whether the bounds can be improved. I think that concludes this talk, and I really look forward to the live question-and-answer
session during the main event. Thank you all for listening; the GitHub repo contains all the details, and any interested researcher can look it up. Thank you again very much, and goodbye.