Depending on DEEPAND: Cryptanalysis of NLFSR-Based Lightweight Ciphers TinyJAMBU, KATAN, and KTANTAN
Authors: Amit Jana; Mostafizar Rahman; Dhiman Saha
DOI: 10.1109/TIT.2025.3580774
Journal: IEEE Transactions on Information Theory, vol. 71, no. 9, pp. 7348-7366 (Journal Article)
Publication date: 2025-06-18
URL: https://ieeexplore.ieee.org/document/11040085/
Automated cryptanalysis has taken center stage in the arena of cryptanalysis since the pioneering work by Mouha et al., which showcased the power of Mixed Integer Linear Programming ($\textsf{MILP}$) in solving cryptanalysis problems that otherwise required significant effort. Since its inception, research in this area has moved in primarily two directions. One is to model more and more classical cryptanalysis tools as optimization problems to leverage the ease provided by state-of-the-art solvers. The other direction is to improve existing models to make them more efficient and/or accurate. The current work is an attempt to contribute to the latter. In this work, a general model referred to as $\textsf{DEEPAND}$ has been devised to capture the correlation between $\textsf{AND}$ gates in $\textsf{NLFSR}$-based lightweight block ciphers. $\textsf{DEEPAND}$ builds upon and generalizes the idea of joint propagation of differences through $\textsf{AND}$ gates captured using the refined $\textsf{MILP}$ modeling of $\textsf{TinyJAMBU}$ by Saha et al. in FSE 2020. The proposed model has been applied to $\textsf{TinyJAMBU}$, $\textsf{KATAN}$ and $\textsf{KTANTAN}$ and can detect correlations that were missed by earlier models. This leads to more accurate differential bounds for both ciphers. In particular, a 384-round (full-round as per the earlier specification) $\textsf{Type-IV}$ trail is found for $\textsf{TinyJAMBU}$ with 14 active $\textsf{AND}$ gates using the new model, while the refined model reported this figure to be 19. This also reaffirms the decision of the designers to increase the number of rounds from 384 to 640. Moreover, the model succeeds in finding a full-round $\textsf{Type-IV}$ trail of the $\textsf{TinyJAMBU}$ keyed permutation ${\mathcal{P}}_{1024}$ with probability $2^{-105} (\gg 2^{-128})$. This reveals non-random properties of ${\mathcal{P}}_{1024}$, thereby showing it to be non-ideal.
Hence it cannot be expected to provide the same security level as robust block ciphers. Further, the provable security of the $\textsf{TinyJAMBU}$ $\textsf{AEAD}$ scheme should be carefully revisited. Similarly, for the variants of $\textsf{KATAN}$, several previously reported trails are improved upon by employing the $\textsf{DEEPAND}$ model. Moreover, in the related-key setting, the $\textsf{DEEPAND}$ model is able to construct a better 140-round boomerang distinguisher (in both data and time complexity) in comparison to the previous boomerang attack by Isobe et al. in ACISP 2013. Furthermore, for enhanced applicability, we employ the $\textsf{DEEPAND}$ model on another cipher built from multiple $\textsf{AND}$ gates, $\textsf{KTANTAN}$, in the related-key setting. Our analysis reveals practical differential distinguishers with low data and time complexities for all full-round $\textsf{KTANTAN}$ variants. In summary, $\textsf{DEEPAND}$ seems to capture the underlying correlation better when multiple $\textsf{AND}$ gates are at play and can be adapted to other classes of ciphers as well.
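To make the correlation that the abstract refers to concrete, the following is an added Python example (not code from the paper): it takes two AND gates that share one input bit, the situation that arises in an NLFSR whose nonlinear taps overlap across rounds (in TinyJAMBU the taps are s70 and s85, so the gates of rounds i and i+15 share a state bit), and compares the exact joint output-difference distribution with the product-of-marginals estimate that a model treating the gates as independent would use.

```python
from itertools import product


def and_pair_difference_distribution(da, db, dc):
    """Exhaustively enumerate differences through two AND gates that share
    the input bit b:  y1 = a & b  and  y2 = b & c.

    (da, db, dc) are the fixed input differences. Over uniformly random
    (a, b, c) the function returns two dicts keyed by (dy1, dy2):
      joint[(dy1, dy2)]       exact probability of that pair of output differences
      independent[(dy1, dy2)] product of the two marginals, i.e. what a model
                              that treats each AND gate on its own would predict
    A NOT in front of a gate (as in TinyJAMBU's feedback) does not change
    differences, so it is irrelevant here.
    """
    joint = {k: 0.0 for k in product((0, 1), repeat=2)}
    marg1 = {0: 0.0, 1: 0.0}
    marg2 = {0: 0.0, 1: 0.0}
    for a, b, c in product((0, 1), repeat=3):
        y1, y2 = a & b, b & c
        y1p = (a ^ da) & (b ^ db)          # same gates on the paired input
        y2p = (b ^ db) & (c ^ dc)
        dy1, dy2 = y1 ^ y1p, y2 ^ y2p
        joint[(dy1, dy2)] += 1 / 8        # 8 equiprobable (a, b, c) triples
        marg1[dy1] += 1 / 8
        marg2[dy2] += 1 / 8
    independent = {(i, j): marg1[i] * marg2[j] for i, j in joint}
    return joint, independent


def weight_gap(da, db, dc, dy1, dy2):
    """Difference, in bits of -log2(probability), between the independent
    estimate and the exact joint probability for the output pair (dy1, dy2).
    A positive gap means the independent model undercounts the trail."""
    from math import log2
    joint, independent = and_pair_difference_distribution(da, db, dc)
    if joint[(dy1, dy2)] == 0:
        return None                       # transition impossible, not merely rare
    return log2(joint[(dy1, dy2)]) - log2(independent[(dy1, dy2)])


if __name__ == "__main__":
    # Constructed case: both gates active only through their non-shared inputs.
    # Then dy1 = b and dy2 = b, so the two outputs always agree.
    joint, independent = and_pair_difference_distribution(1, 0, 1)
    for key in sorted(joint):
        print(key, "exact:", joint[key], "independent:", independent[key])
    print("gap for (0,0):", weight_gap(1, 0, 1, 0, 0), "bit(s)")
```

With da=dc=1 and db=0 the pair (0,0) has exact probability 2^-1 but the per-gate model charges 2^-2, and the pair (0,1) is impossible although the per-gate model still assigns it 2^-2; when the shared bit carries the difference instead (db=1, da=dc=0) the two gates really are independent and both models agree.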
Journal description:
The IEEE Transactions on Information Theory is a journal that publishes theoretical and experimental papers concerned with the transmission, processing, and utilization of information. The boundaries of acceptable subject matter are intentionally not sharply delimited. Rather, it is hoped that as the focus of research activity changes, a flexible policy will permit this Transactions to follow suit. Current appropriate topics are best reflected by recent Tables of Contents; they are summarized in the titles of editorial areas that appear on the inside front cover.