Paper 2014/931

Cryptanalysis of JAMBU

Thomas Peyrin, Siang Meng Sim, Lei Wang, and Guoyan Zhang

Abstract

In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make encryption queries with the same nonce. Our attack is very practical as it requires only about 2^{32} encryption queries and computations (instead of the 2^{128} claimed by the designers). Our cryptanalysis has been fully implemented in order to verify our findings. Moreover, due to the small tag length of JAMBU, we show how this attack can be extended in the nonce-respecting scenario to break confidentiality in the adaptive chosen-ciphertext model (IND-CCA2) with 2^{96} computations, with message prefixes not previously queried.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in FSE 2015
Keywords
JAMBU, authenticated encryption, cryptanalysis, confidentiality, CAESAR competition
Contact author(s)
thomas peyrin @ ntu edu sg
crypto s m sim @ gmail com
Wang Lei @ ntu edu sg
guoyanzhang @ sdu edu cn
History
2020-06-24: revised
2014-11-14: received
Short URL
https://ia.cr/2014/931
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/931,
      author = {Thomas Peyrin and Siang Meng Sim and Lei Wang and Guoyan Zhang},
      title = {Cryptanalysis of {JAMBU}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/931},
      year = {2014},
      url = {https://eprint.iacr.org/2014/931}
}