4

I am trying to understand the security level of TinyJAMBU-128.

As shown in Table 4.1 on page 12 of this document, TinyJAMBU-128 claims 112-bit security. However, it has a 128-bit key. How have we lost 16 bits of key? What is the obvious attack that has $2^{112}$ time complexity?

kelalaka
user

2 Answers

4

I believe this is simply a statement of the intention to meet the submission requirements set out by NIST for lightweight ciphers. Note that the paper linked in the question refers to "security goals".

As per section 3.1:

An AEAD algorithm shall not specify key lengths that are smaller than 128 bits. Cryptanalytic attacks on the AEAD algorithm shall require at least ${2}^{112}$ computations on a classical computer in a single-key setting. If a key size larger than 128 bits is supported, it is recommended that at least one recommended parameter set has a key size of 256 bits, and that its resistance against cryptanalytical attacks is at least $2^{224}$ computations on a classical computer in a single-key setting.

Note that these are the final submission requirements from 2018. It seems the figure for 192-bit keys is deduced from the requirements for 256-bit keys, or is perhaps referencing earlier requirements.

Modal Nest
1

I can't read the mind of the authors, but besides 112-bit security being enough to meet the submission requirements, as pointed out in that other answer, there are reasons to take a small security margin in what's claimed compared to the key size:

  • The algorithm will still stand fully unbroken if someone comes up with an attack costing slightly less than brute force. Contrast with AES-128, which is technically broken by Andrey Bogdanov, Dmitry Khovratovich and Christian Rechberger's Biclique Cryptanalysis of the Full AES (in proceedings of AsiaCrypt 2011), with cost $2^{126.1}$ encryptions ($\lesssim 2$ bits within $128$).
  • For many crypto algorithms, a small saving compared to pure brute force is possible. For example, in DES, key search can be sped up by enumerating keys in a well-chosen order that allows caching earlier results, such as the first (outer) rounds (that was used for DESCHALL; see Rocke Verser's method). If we count cost in rounds or S-box accesses, that counts as a break, and justifies removing a fraction of a bit from a security claim.
fgrieu
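The key-ordering trick mentioned in the second bullet of the last answer, shown as an added example (this is not code from either answer, from DESCHALL, or from TinyJAMBU). The cipher below is a made-up 16-bit, 4-round toy, not DES; it is deliberately built so that round r uses only nibble r of the 16-bit key, which is an assumption chosen to make the caching effect visible on a space small enough to exhaust in Python. The S-box is PRESENT's nibble S-box used as an arbitrary permutation, and the round constants are arbitrary. Both searches scan the whole key space and count round evaluations, so the saving can be read off as a number of bits:

```python
import math

# Added example: a made-up 16-bit, 4-round toy cipher (not DES, not TinyJAMBU)
# built so that round r uses only nibble r of the 16-bit key (assumption).
# A key search that enumerates keys with the round-0 nibble in the outermost
# loop can then reuse each early-round state for every key sharing that prefix.

ROUNDS = 4
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box, used as an arbitrary nibble permutation
ROUND_CONST = [0x9E37, 0x79B9, 0x7F4A, 0x7C15]    # arbitrary constants (assumption)


def sbox_layer(state):
    out = 0
    for i in range(4):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def subkey(key, r):
    # Round r depends only on key nibble r: this is the toy's whole point.
    return (key >> (4 * r)) & 0xF


def round_fn(state, k4, r):
    state ^= k4 * 0x1111                               # xor the 4-bit subkey into every nibble
    state = sbox_layer(state)
    state = ((state << 5) | (state >> 11)) & 0xFFFF    # rotate left by 5
    return state ^ ROUND_CONST[r]


def encrypt(pt, key):
    s = pt
    for r in range(ROUNDS):
        s = round_fn(s, subkey(key, r), r)
    return s


def naive_search(pt, ct):
    """Plain brute force: recompute all ROUNDS rounds for every key.
    Returns (sorted candidate keys, number of round evaluations)."""
    evals, hits = 0, []
    for key in range(1 << 16):
        s = pt
        for r in range(ROUNDS):
            s = round_fn(s, subkey(key, r), r)
            evals += 1
        if s == ct:
            hits.append(key)
    return sorted(hits), evals


def cached_search(pt, ct):
    """Same exhaustive search, but keys are enumerated nibble by nibble with
    nibble 0 (round 0) varying slowest, so the state after rounds 0..r-1 is
    computed once and shared by all 16**(ROUNDS-r) keys extending that prefix."""
    evals, hits = 0, []

    def extend(r, state, prefix):
        nonlocal evals
        for k4 in range(16):
            s = round_fn(state, k4, r)
            evals += 1
            key = prefix | (k4 << (4 * r))
            if r == ROUNDS - 1:
                if s == ct:
                    hits.append(key)
            else:
                extend(r + 1, s, key)

    extend(0, pt, 0)
    return sorted(hits), evals


def saving_in_bits(naive_evals, cached_evals):
    """How many bits the saving is worth when cost is counted in round evaluations."""
    return math.log2(naive_evals / cached_evals)


if __name__ == "__main__":
    pt, key = 0x1234, 0xBEEF          # constructed plaintext and key
    ct = encrypt(pt, key)
    hits_n, ev_n = naive_search(pt, ct)
    hits_c, ev_c = cached_search(pt, ct)
    print(f"naive: {ev_n} round evals, cached: {ev_c}, same candidates: {hits_n == hits_c}")
    print(f"saving: {saving_in_bits(ev_n, ev_c):.2f} bits, true key found: {key in hits_c}")
```

Both searches test exactly the same 2^16 keys and produce the same candidate list (a single 16-bit plaintext/ciphertext pair can admit false positives, which is why the search returns a list rather than stopping at the first hit). The naive scan costs 4 * 2^16 round evaluations; the prefix-sharing scan costs 16 + 16^2 + 16^3 + 16^4, about 3.75 times fewer, close to 2 bits. That large ratio is an artefact of the toy's disjoint per-round key slices. Each DES round key draws 48 of the 56 key bits, so only the few bits a given round leaves unused can be held in the innermost loop, which is why the saving there is a fraction of a bit rather than whole bits, as the answer says.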