## Cryptology ePrint Archive: Report 2014/931

Cryptanalysis of JAMBU

Thomas Peyrin and Siang Meng Sim and Lei Wang and Guoyan Zhang

Abstract: In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make encryption queries with the same nonce. Our attack is very practical as it requires only about $2^{32}$ encryption queries and computations (instead of the $2^{128}$ claimed by the designers). Our cryptanalysis has been fully implemented in order to verify our findings. Moreover, due to the small tag length of JAMBU, we show how this attack can be extended in the nonce-respecting scenario to break confidentiality in the adaptative chosen-ciphertext model ({\tt IND-CCA2}) with $2^{96}$ computations, with message prefixes not previously queried.

Category / Keywords: secret-key cryptography / JAMBU, authenticated encryption, cryptanalysis, confidentiality, CAESAR competition.

Date: received 13 Nov 2014

Contact author: thomas peyrin at ntu edu sg, ssim011@e ntu edu sg, Wang Lei@ntu edu sg, guoyanzhang@sdu edu cn

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2014/931

[ Cryptology ePrint archive ]