Depending on DEEPAND: Cryptanalysis of NLFSR-Based Lightweight Ciphers TinyJAMBU, KATAN, and KTANTAN

IF 2.9 | JCR Zone 3, Computer Science | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Amit Jana;Mostafizar Rahman;Dhiman Saha
DOI: 10.1109/TIT.2025.3580774
Journal: IEEE Transactions on Information Theory, vol. 71, no. 9, pp. 7348-7366
Publication date: 2025-06-18 (Journal Article)
URL: https://ieeexplore.ieee.org/document/11040085/
Citations: 0

Abstract

Automated cryptanalysis has taken center stage in the arena of cryptanalysis since the pioneering work by Mouha et al., which showcased the power of Mixed Integer Linear Programming ($\textsf{MILP}$) in solving cryptanalysis problems that otherwise required significant effort. Since its inception, research in this area has moved in primarily two directions. One is to model more and more classical cryptanalysis tools as optimization problems to leverage the ease provided by state-of-the-art solvers. The other is to improve existing models to make them more efficient and/or accurate. The current work is an attempt to contribute to the latter. In this work, a general model referred to as $\textsf{DEEPAND}$ has been devised to capture the correlation between $\textsf{AND}$ gates in $\textsf{NLFSR}$-based lightweight block ciphers. $\textsf{DEEPAND}$ builds upon and generalizes the idea of joint propagation of differences through $\textsf{AND}$ gates, captured using the refined $\textsf{MILP}$ modeling of $\textsf{TinyJAMBU}$ by Saha et al. in FSE 2020. The proposed model has been applied to $\textsf{TinyJAMBU}$, $\textsf{KATAN}$ and $\textsf{KTANTAN}$ and can detect correlations that were missed by earlier models. This leads to more accurate differential bounds for both ciphers. In particular, a 384-round (full-round as per the earlier specification) $\textsf{Type-IV}$ trail is found for $\textsf{TinyJAMBU}$ with 14 active $\textsf{AND}$ gates using the new model, while the refined model reported this figure to be 19. This also reaffirms the designers' decision to increase the number of rounds from 384 to 640. Moreover, the model succeeds in finding a full-round $\textsf{Type-IV}$ trail of the $\textsf{TinyJAMBU}$ keyed permutation ${\mathcal{P}}_{1024}$ with probability $2^{-105}$ ($\gg 2^{-128}$). This reveals the non-random properties of ${\mathcal{P}}_{1024}$, thereby showing it to be non-ideal. Hence it cannot be expected to provide the same security level as robust block ciphers. Further, the provable security of the $\textsf{TinyJAMBU}$ $\textsf{AEAD}$ scheme should be carefully revisited. Similarly, for the variants of $\textsf{KATAN}$, several previously reported trails are improved upon by employing the $\textsf{DEEPAND}$ model. Moreover, in the related-key setting, the $\textsf{DEEPAND}$ model yields a better 140-round boomerang distinguisher (in both data and time complexity) than the previous boomerang attack by Isobe et al. in ACISP 2013. Furthermore, for enhanced applicability, we apply the $\textsf{DEEPAND}$ model to another multiple-$\textsf{AND}$-based cipher, $\textsf{KTANTAN}$, in the related-key setting. Our analysis reveals practical differential distinguishers with low data and time complexities for all full-round $\textsf{KTANTAN}$ variants. In summary, $\textsf{DEEPAND}$ seems to capture the underlying correlation better when multiple $\textsf{AND}$ gates are at play, and can be adapted to other classes of ciphers as well.
Source journal: IEEE Transactions on Information Theory (Engineering & Technology: Electronic & Electrical Engineering)
CiteScore: 5.70
Self-citation rate: 20.00%
Articles published: 514
Review time: 12 months
Journal description: The IEEE Transactions on Information Theory is a journal that publishes theoretical and experimental papers concerned with the transmission, processing, and utilization of information. The boundaries of acceptable subject matter are intentionally not sharply delimited. Rather, it is hoped that as the focus of research activity changes, a flexible policy will permit this Transactions to follow suit. Current appropriate topics are best reflected by recent Tables of Contents; they are summarized in the titles of editorial areas that appear on the inside front cover.