Weak-keys and key-recovery attack for [Formula: see text]
Main authors: | |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | Nature Publishing Group UK, 2022 |
Subjects: | |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9522731/ https://www.ncbi.nlm.nih.gov/pubmed/36175451 http://dx.doi.org/10.1038/s41598-022-19046-2 |
Summary: | In this paper, we study NIST lightweight 3rd round candidate [Formula: see text]. The core component of [Formula: see text] is the keyed permutation [Formula: see text], which is based on a non-linear feedback shift register. By analysing this permutation carefully, we are able to find good cubes that are used to build distinguishers in the weak-key setting. In particular, we show that there are at least [Formula: see text] keys for which TinyJAMBU can be distinguished from a random source for up to 476 rounds. These distinguishers outperform the best-known distinguishers, which were proposed in ‘Scientific Reports - Nature’ by Teng et al. We are the first to study the exact degree of the feedback polynomial [Formula: see text] in the nonce variables. This helped us in concluding that [Formula: see text] with more than 445 rounds is secure against distinguishers using 32 sized cubes in the normal setting. Finally, we give new key-recovery attacks against [Formula: see text] using the concepts of monomial trail presented by Hu et al. at ASIACRYPT 2020. Our attacks are unlikely to jeopardise the security of the entire 640 rounds [Formula: see text], but we strongly anticipate that they will shed new light on the cipher’s security. |