Weak-keys and key-recovery attack for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU

In this paper, we study NIST lightweight 3rd round candidate \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU. The core component of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU is the keyed permutation \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathcal {P}_n$$\end{document}Pn, which is based on a non-linear feedback shift register. By analysing this permutation carefully, we are able to find good cubes that are used to build distinguishers in the weak-key setting. In particular, we show that there are at least \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{108}$$\end{document}2108 keys for which TinyJAMBU can be distinguished from a random source for up to 476 rounds. These distinguishers outperform the best-known distinguishers, which were proposed in ‘Scientific Reports - Nature’ by Teng et al. We are the first to study the exact degree of the feedback polynomial \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathcal {P}_n$$\end{document}Pn in the nonce variables. This helped us in concluding that \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU with more than 445 rounds is secure against distinguishers using 32 sized cubes in the normal setting. Finally, we give new key-recovery attacks against \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU using the concepts of monomial trail presented by Hu et al. at ASIACRYPT 2020. Our attacks are unlikely to jeopardise the security of the entire 640 rounds \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ TinyJAMBU }$$\end{document}TinyJAMBU, but we strongly anticipate that they will shed new lights on the cipher’s security.


1.
We begin by studying TinyJAMBU in the weak-key setting. Since the core component of TinyJAMBU is the keyed permutation P n , we analyse the structure of P n for any weakness. Using this, we present a class of good cubes which will help us in our attack. We show that there are at least 2 108 keys for which TinyJAMBU can be distinguished from a random source for up to 476 rounds. 2. Next, we focus on determining the exact degree in the nonce variables of the feedback polynomial. Using the monomial trail concepts 37 and MILP tool, we demonstrate that after 381 rounds, the degree equals 32. This is the first time one has studied the exact degree of the feedback polynomial of TinyJAMBU . Moreover, the exact degree from our experiments implies that TinyJAMBU is secure against cube attacks with 32-dimension cubes after 445 rounds. 3. Finally, we present key-recovery attacks for reduced round TinyJAMBU . We again use monomial trail concept and MILP tool to find superpolies consisting of key variables only for 440 rounds. This leads to an improved key-recovery attack, which is better than the 428 round key-recovery attack presented by Teng et. al. 36 , in their recent result published in Scientific Reports -Nature.
Roadmap of the Paper. The rest of the paper is organized as follows. In "Preliminaries and notations" section, we first describe the specification of TinyJAMBU . Following that, we go through some relevant cryptanalytic techniques. In "Weak-keys for TinyJAMBU" section, we discuss practical weak-key distinguishers for roundreduced TinyJAMBU . The procedure for determining the exact degree of the feedback polynomial has been presented in "Exact degree in nonce of the feedback polynomial in P n " section. "Key-recovery attacks" section discusses key-recovery attacks for reduced round TinyJAMBU . Finally, we conclude in "Conclusion" section with future research directions.

Preliminaries and notations
Notations. We will use bold font to denote vectors and sets and normal font to denote the component of a vector/set.
1. Fi For any vector u of dimension n, we denote the i th coordinate of u as u i , therefore, u can be written as [u 1 , u 2 , . . . , u n ]. 2. Fi For a Boolean vector u ∈ {0, 1} n , we define the weight of u as wt(u) = n i=1 u i .
Polynomials. Let f (x) ∈ F 2 [x] be a Boolean polynomial over n-variables x 1 , . . . , x n . Then, the algebraic normal form of f (x) is where α u ∈ F 2 and We will use the notation π u (x) → f (x) when π u (x) is a monomial in f (x) , i.e., α u = 1 . For any index set I ⊆ n , we will use x I to denote i∈I x i and x I to denote i∈[n]\I x i .
The core permutation P n updates the state using a non-linear feedback shift register for n-rounds where the i th rounds is described in Algorithm 1. We will use the notation P for P 1 . The permutations Q and Q mentioned in Table 1 are P n with different values of n.
Specification of TinyJAMBU-128. As shown in Table 1, TinyJAMBU-128 has a 128-bit state and key whereas the number of nonce bits is 96. The tag size is 64 bits. The permutation function Q is P 640 whereas Q is P 1024 .
The authenticated encryption algorithm of TinyJAMBU can be divided into four phases as shown in Fig. 1: Initialisation, associated data processing, encryption and finalisation.
Initialization: In this phase, the state is set to all zero and is updated by the keyed permutation Q . The 96 bit nonce is divided into 3 parts-nonce 0 , nonce 1 and nonce 2 of equal size and updates the state using Algorithm 2.
Associated date processing: After the initialization phase, the associated date (A 0 , A 1 ) are processed by XOR ing them to the state and updating it using the keyed permutation Q as described in Algorithm 3. www.nature.com/scientificreports/ Encryption: In the encryption phase, the message M is encrypted to produce the ciphertext C. In the paper, we will always assume that the size of the message M denoted by ℓ is a multiple of 32. In Fig. 1, we have assumed that M consists of 64 bits. In general, Algorithm 4 is performed ℓ/32 times on M 0 , . . . , M ℓ/32−1 where M i is the i th block of M having size equal to 32.
Tag generation: Finally, the 64-bit tag T = (T 0 , T 1 ) is generated as shown in Algorithm 5.
Cube attack. Here we provide a high-level overview of the cube attack model. To initialise its state, a stream cipher typically uses one secret key, k , and a set of public variables x . The secret key remains secret, and it is known only to the encryptor and the decryptor.
However, the x (or nonce) is considered a public variable. Keystream bits are typically generated by the ciphers after some initialization rounds. By interpreting the keystream bit z as a Boolean polynomial over the secret keys k and x , it can be expressed as z = f (x, k) . Let secret key variable k = (k 1 , . . . , k l ) and public variable x = (x 1 , . . . , x m ) . The cube attack is based on the principle of simplifying the polynomial z = f (x, k) in order to obtain the value of k . Let us set the cube indices I = {i 1 , . . . , i c } ⊆ {1, 2, . . . , m} in the preprocessing phase. Then we can express f (x, k) as where each monomial of the function q misses at least one variable from {x i 1 , x i 2 , · · · x i c }.
In order to use the attack during the online phase, we only need to know its superpoly p I , and we can set the values of non-cube variables x i to 0 (or to 1) to simplify the long superpoly expression. Consider the The superpoly can then be recovered because (x i 1 ,...,x ic )∈C I f (x 1 , . . . , x m , k 1 , . . . , k l ) = p I . Thus, the attacker first finds some cube variables and then computes the sum of the output bits for all possible values of the cube variables to determine the value of the superpoly. The attacker's objective is to select cube variables and fix the remaining public variables in such a way so that the superpoly is reduced to a linear function in secret variables.
The main point of concern is that after a large number of initialization rounds, the expression of the output bit always becomes very much complicated.
In reality, after a few rounds of initialization, it is not possible to compute the algebraic expression of the output bit in the latest stream ciphers because of the way they are designed. To tackle this problem, the attacker www.nature.com/scientificreports/ uses the cipher as a blackbox. He randomly chooses the cube variables, and the blackbox provides the output bits corresponding to all possible values of the cube variables. The value of the superpoly can be recovered by the attacker by performing the sum on the values that have been retrieved. The BLR linearity test 39 can be used by the attacker to determine whether or not the superpoly is linear. A more in-depth description of the cube attack may be found in 9 .
In 2009, Aumasson et al. 40 proposed cube tester to assess the non-randomness of a Boolean function. The presence of a monomial, balancedness, constantness, presence of linear variables, and the presence of neutral variables can be determined by using cube tester. A Boolean function is said to be vulnerable if it can be distinguished by some property such as the ones mentioned above.
Upper bound of degree. Given a Boolean polynomial f in n variable, we want to find its algebraic degree after fixing some variables. Let x 1 , . . . , x n be the variables of the function f.
Assume that x 1 , . . . , x k are initially fixed to 0. Now we are interested to check whether the reduced polynomial (after setting x 1 , . . . , x k to 0) has degree n − k or not. For this purpose, we do the following: 1. Consider x k+1 , x k+2 , . . . , x n as cube variables. 2. Calculate the cube sum on the reduced polynomial over the prescribed cube variables. 3. If the cube sum is zero, then we conclude that the degree of the reduced polynomial is strictly less than n − k.
Therefore, Claim 2 gives us a procedure to find whether a monomial exists in a polynomial or not. For more details on monomail trails, we refer to 37 .

Weak-keys for TinyJAMBU
In this section, we will present a new cube distinguisher for 451 rounds TinyJAMBU that works for 2 101 keys. We also show another distinguisher for 476 rounds for 2 80 keys. We will first analyse the feedback polynomial in the permutation P which will help to find good cubes. Using these cubes, we will further study the key variables involved in the feedback polynomials, which will help us to find weak-keys for TinyJAMBU.
To be more precise, let us consider the scenario of a traditional cube attack as a distinguisher. Let x be the set of all public (nonce) variables, k be the set of key variables and f (x, k) be the output polynomial. Then, for any cube C I where I ⊆ [n] is the index set and n is the number of public variables, we have where p I (x, k) does not contain any variable x i , where i ∈ I and every monomial of q I (x, k) is not divisible by i∈I x i . In a cube attack, one takes advantage of the fact that for a properly chosen cube C I and constant values a i , ∀i ∈ [n] \ I , the superpoly of the output polynomial Observe that for p I (A, k) be to a constant, its degree with respect to k must be 0. Therefore, the above attack fails when there is no possible cube with appropriate constant values that has a superpoly equal to a constant. This happens when the number of rounds increases because the degree of the polynomials with respect to both public and key variables increases exponentially. Nevertheless, if we can find the superpoly p I (A, k) which is a polynomial in the key variabes only, then we can use this information to find weak-keys such that p I (A, k) is a constant. These weak-keys are essentially ones that satisfies the equation But, to find out the superpolies is itself a difficult task. Using MILP, one can find superpoly. However this technique is only possible for small rounds because the degree of the superpolies will be small. Therefore, instead of extracting the exact superpolies, we will show a method to decrease the degree of the superpoly by imposing some constraints on the key variables. By doing so, we will get weak-keys such that the superpoly is a constant with some probability. www.nature.com/scientificreports/ Weak-keys attacks using cubes from 36 . In 36 , the authors presented several cube attacks for TinyJAMBU .
In their experiments, the authors devised five different cube attacks, DA1 to DA5, depending on the scenario. DA1 and DA2 are attacks against the initialization phase, i.e., • DA1 uses only first 64 bits of nonce (i.e., nonce 0 and nonce 1 only) and can observe the keystream after the initialization phase. But, the total number of permutation rounds being considered is 1024 + 3 × 384 . This is according to 33 , but Wu and Huang have updated the initialisation phase in 34 from using P 384 to P 640 . This change was made after a recent differential forgery attack due to 35 . • DA2 uses all 96 bits of the nonce but observes the keystream after applying r rounds of permutation after the initialization phase.
In DA3 to DA5, the authors use the plaintext bits to build new distinguishers. Since, our focus is towards building distinguishers based on nonce bits only, we will be skipping DA3 to DA5 in further discussions.
In Table 2, we have given the best cubes mentioned in 36 for DA2 where the authors have used cube indices from 64 to 95, i.e., only nonce 2 . The zero-sum value is observed at the 64th index of the final state.
In our experiments, we will consider distinguishing attacks (as well as key-recovery in the next section) for the keyed permutation P n . The experiment is as follows.
1. We start with a state with all the bits set to 0. 2. The bits that are accessible to the attacker are {96, 97, . . . , 127} , i.e., the nonce bits. (Refer to Algorithm 2 ). 3. After the public bits are set, the state is updated using P n . 4. Finally, the attacker is only given access to the bits at positions {64, 65, . . . , 96}.
The designers of TinyJAMBU 34 claimed the following (directly quoting from 34

[p. 28]):
We consider the algebraic property for the input bits at s 96 · · · s 127 . Our experiment shows that after 512 rounds, every output bit at s 64 · · · s 95 is affected by the 32-bit input cube tester at s 96 · · · s 127 . So, building distinguishers using 32-sized cubes is not possible.
We present our experimental results in Fig. 2.
How to find good cubes. The state bits of TinyJAMBU are updated using the nonce, associated data and plaintext using the permutation P . Let us recall the feedback polynomial in permutation P . Please see Fig. 3. It is a quadratic polynomial involving 5 state variables and 1 key variable. The only quadratic term in the polynomial is s 70 · s 85 . For the (weak-key) distinguishing attack, we will start with a state s with all 0 entries. As mentioned in "Specification of TinyJAMBU-128" section, the 32 bit nonce is XOR ed at the 96th position of the state. In any distinguishing attack, the desired cube must have two good properties.
1. The size of the cube must be small. 2. The number of rounds it can be used as a distinguisher must be large.
To achieve these properties simultaneously, one way is to make sure that the degrees of the polynomials in the state are as small as possible for the initial rounds. Observe that the the degree of the polynomials in the state can increase only due to the quadratic term in the permutation P function. Therefore, if we can control the quadratic term in the initial rounds, the degree of the polynomial can be minimized.
Since, the feedback polynomial has a non-linear term s 70 · s 85 (i.e., the terms are 15 indices apart) we just need to ensure that in the initial rounds, we can minimize the number of index pairs (i, i + 15) such that at most one among s i or s i+15 contains a nonce variable. In doing so, the feedback polynomial will become linear for up-to certain rounds. Therefore, if we set a cube C = {c i | 0 ≤ i < 32} such that (c i , c i+15 ) � ⊆ C, ∀i ∈ {0, 1, . . . , 16} , then we can ensure for larger number of rounds, the state will contain linear polynomials only.
For example, suppose we consider two cube C and C ′ such that (c 0 , c 15 ) ⊆ C whereas c 0 ∈ C ′ , c 15 / ∈ C ′ . As mentioned earlier, we will start with a state with all 0 bits and the 32-bit nonce is XOR ed at index 96th. This implies www.nature.com/scientificreports/ that at round 0, we have s 96 = c 0 and s 111 = c 15 while considering the cube C . Also, s i = 0 for all 0 ≤ i < 96 . After 26 rounds, the state would get updated in such a way that s 70 = c 0 and s 85 = c 15 . Observe that all the polynomials of the state are linear upto this round. But, in the 27th round, the feedback polynomial will contain the term c 0 · c 15 and s 127 will become quadratic. When we consider the cube C ′ , then after 26 rounds, we will get s 70 = c 0 and s 85 will be some constant. Therefore, s 127 in the 27th will also be linear.
Getting cubes for higher rounds. The best distinguisher mentioned in 36 works for 438 rounds and uses a cube of size 18. In this subsection, we will present weak-keys for TinyJAMBU where the number of rounds is greater than 450. To begin with, we will use the cubes mentioned in "How to find good cubes" section which gives us an advantage over other cubes by making the feedback polynomials linear for more rounds. After picking a good cube, we will follow the steps mentioned in "Weak-keys attacks using cubes from 36 section to find key constraints so that we can build better distinguishers, i.e., we will carefully analyse the feedback polynomial at each round and try to set up constraints on the key variables so that either we are able to decrease the degree of the polynomial with respect to nonce variable or completely eliminate a term from the polynomial.
For example, let us consider the 14 sized cube C I where The rest of the nonce variables are set to 0. Observe that the set I has the required property that ensure that C I is a good cube, i.e., (i, i + 15) � ⊆ I . At the 59th rounds, the feedback polynomial is By setting k 0 = 1 , the polynomial gets reduced to (5) k 0 · k 15 + k 0 · x 10 + k 0 + k 15 + k 21 + k 58 + x 9 + x 10 + 1 .   www.nature.com/scientificreports/ Observe that even though the degree of the polynomial with respect to nonce variable has not decreased, but the nonce variable x 10 does not appear in the polynomial. This allows us to control the mixing of nonce variables in subsequent rounds. Similarly, we set k 1 = k 2 = k 3 = k 4 = 1 for the next four rounds. At the 65th round, the feedback polynomial is In this case, if we set k 21 = 1 , the polynomial gets reduced to k 27 + k 64 , i.e., the degree of the polynomial with respect to nonce variable gets reduced to 0 as well as the number of monomials. By analysing the feedback polynomial in the next 13 rounds, we set k i = In Table 3, we present our experimental results. We use 10 5 random keys to find the probabilities. All cubes are of size 14. One can see from the first row that superpoly is always equal to 0 for 451 rounds if key satisfies 13 constraints. From the last row, it is clear that one can distinguish TinyJAMBU for 476 rounds if the secret key satisfies 20 constraints. Thus size of the corresponding weak-key class is 2 108 . Without any constraint, we get an approximate probability 0.5 in all the four cases.

Exact degree in nonce of the feedback polynomial in P n
In this section, we will use the concept of monomial trails to find the exact degrees in nonce of the feedback polynomials for some rounds of TinyJAMBU . To find the exact degrees, we will use the algorithms mentioned in 37 and discuss the important changes required to adapt those algorithms into our scenario.
The exact degree of a polynomial f (x) can be written as deg(f ) = max π u (x)→f (x) (wt(u)) . Using Claim 2, we have a procedure to find the exact degree of f (x) given as follows.
1. Find a highest degree monomial π u (x) such that π u (x) f (x).
2. If |π u (x) f (x)| is odd, then return wt(u) . Else, repeat the whole process until we find a new monomial whose degree is the largest and has an odd number of monomial trails.
We will use Mixed Integer Linear Programming (MILP) to find monomial trails and use Gurobi to solve the MILP instance. The objective function is to maximize the weight of u whereas the constraints will be set up in such that a solution u will ensure a monomial trail π u (x) f (x) . To count the number of monomial trails, we will use PoolSearchMode in Gurobi which will help us to find multiple solutions. Here, we are using the fact that each solution of the model is a monomial trail π u (x) f (x).
We now focus on the MILP model for finding the exact degree in nonce of the feedback polynomial of P n . To make the concepts easy to understand, we will consider the permutation P taking as input the state s and key k and output an updated state s ′ but the same key k . Observe that the keyed permutation P n can be written as and the feedback polynomial at the n th round is π e 128 (P n (s, k)) where From the definition of monomial trail, a trail exists from π u (0) (s) to π e 128 (P n (s, k)) (denoted as π u (0) (s) π e 128 (P n (s, k)) ) if there is a set of binary vectors u (1) , u (2) , . . . , u (n−1) such that (7) k 6 · k 21 + k 6 + k 21 · x 1 + k 21 + k 27 + k 64 + x 1 + 1 .

Cube indices
Observe that from the description of P , we have z i = y i+1 , ∀i ∈ {0, 1, . . . , 126} and z 127 depends on five entries of y and a single key entry. In other words, only one entry in z is different from y and it depends only on few entries of the input. Let us capture this in a function F which takes as input (y 0 , y 47 , y 70 , y 85 , y 91 , k i ) and outputs (z 127 , z 46 , z 69 , z 84 , z 90 , k i ) such that Apart from (z 127 , z 46 , z 69 , z 84 , z 90 , k i ) , the rest of the z j 's and k j 's are equal to some y j 's or k j 's or they are not involved in the function F . Therefore, in the MILP model, we can set those z j 's and k j 's to their corresponding y j 's or k j 's. We only need to figure out constraints on u ′ and v ′ such that u ′ (y 0 , y 47 , y 70 , y 85 , y 91 , k i ) → v ′ (z 127 , z 46 , z 69 , z 84 , z 90 , k i ). We begin by enumerating all binary vectors of dimension 6 into a set V (see Fig. 4) such that [u ′ , v ′ ] ∈ V ⇐⇒ π u ′ (y 0 , y 47 , y 70 , y 85 , y 91 , k i ) → π v ′ (z 127 , z 46 , z 69 , z 84 , z 90 , k i ) . Using the set V , we can generate the linear constraints that define the convex hull of V . This can be achieved by using the inequality_generator() function in SAGE 41 . Observe that the convex hull generated does not contain any spurious points because the (11) π u (i−1) (P i−1 (s, k)) → π u (i) (P i (s, k)), ∀i ∈ [128] (12) z i+1 =y i , ∀i ∈ {47, 70, 85, 91} (13) z 127 =y 0 + y 47 + y 70 · y 85 + y 91 + k i www.nature.com/scientificreports/ points in V are on the surface of a 12 dimensional unit cube. Therefore, the convex hull is bounded by the unit cube unless the hull is unbounded, which is not the case. Since, the interior of the unit cube does not contain any integer points, the convex hull won't contain any spurious points. Since, the number of inequalities affects the running time of the MILP solver, one needs to make sure they work with minimal number of constraints. For this, we go through the inequalities generated through SAGE and check one by one whether any inequality can be removed. By doing so, we arrive at a system of 27 linear inequalities that describes π u ′ (y 0 , y 47 , y 70 , y 85 , y 91 , k i ) → π v ′ (z 127 , z 46 , z 69 , z 84 , z 90 , k i ) as shown in Fig. 5. Now we have the required inequalities (which we will denote an L ), we will describe the MILP model for finding largest monomial that has a trail to the feedback polynomial of P n . The objective function is to maximize i . This is because the nonce variables are present at those index. We must also set u (0) i == 0, ∀i < 96 as we are not interested in monomials containing s i where i < 96 . Using the set L , we will create linear inequalities for u (i−1) and u (i) which will ensure that π u (i−1) (P i−1 (s, k)) → π u (i) (P i (s, k)) . Finally, since we are interested in the feedback polynomial of P n , we will set u (n) 127 == 1 and the rest to 0. Solving the above model using Gurobi 42 , will only give us information about the largest term that has a monomial trail. To conclude that the term is also a monomial in the feedback polynomial, we need to count the number of monomial trails. Observe that an optimal solution in the above model is a valid monomial trail, i.e., u (i) 's gives us all the information of the trail. Therefore, it is enough to count the number of solutions in the model by only fixing u (0) to the one returned by optimal. The number of solutions can be obtained by using the PoolSearchMode of Gurobi which searches for all the solutions. One can see from Fig. 6 that the degree of the feedback polynomial after 381 rounds is 32.

Key-recovery attacks
In this section, we will present key-recovery attacks against TinyJAMBU . Like other key-recovery attacks, our attacks consist of two phases: offline and online phases. In the offline phase, the attacker finds polynomials consisting of key variables by using methods such as cube attacks, MILP, etc. Once the attacker is equipped with these polynomials, in the offline phase, he will try to obtain the evaluations of these polynomials and recover certain key bits.
Offline phase: finding the polynomials. In the offline phase of our attack, we will use MILP to extract the polynomials with key variables. Let C I be a cube with index set I and the output polynomial written with respect to this cube be www.nature.com/scientificreports/ where t = i∈I x i . Let A = {a i | i / ∈ I} be the set of constants for the non-cube variables. Our objective is to find the superpoly p t (A, k) which will be used in the online phase. We will again use the concept of monomial trails to find the superpolies. This technique was also used in 37 to find the superpolies for Trivium.
In our attack, we will consider A to be all zeroes. Recall that in "Exact degree in nonce of the feedback polynomial in P n section, we presented a MILP model that would find the degree of the largest monomial containing nonce variables only that has a monomial trail to the feedback polynomial. This is achieved by setting up a system of linear inequalities with the objective function being "maximize 127 i=96 u (0) i ". Then, by counting the number of monomial trails, we can confirm whether it is monomial in the feedback polynomial or not. We will simply modify the above MILP model that will help us find every monomial and build the entire superpoly.
We first begin by modifying the MILP model. The objective function must be changed to maximizing 255 i=128 u (0) i . Recall that we considered the input to P as (s, k) were s is the state and k is the key. Therefore, the objective function is looking for the largest term consisting of key variables. Since, we are interested in the superpoly with respect to some t , we need to add the following equalities as constraints also.
The rest of the inequalities are exactly same as the ones used in "Exact degree in nonce of the feedback polynomial in P n section. Observe that a solution to the above MILP model gives us a monomial x I k J for some index set J such that |J| is the largest and x I k J has a monomial trail to P n (s, k) (127) . To confirm that this is a monomial, we must again count the number of solutions and store it if it is a monomial. Now, to find the next monomial, we must add a new constraint so that the MILP solver won't return the same solution again. To be precise, suppose the MILP solver returns a solution u (0) . For the sake of simplicity, let J = {i | u 0 i = 1, i ≥ 128} . Then, we add the constraint, This constraint ensures that the MILP solver won't return the same solution twice.
In Table 4, we present a few superpolies of the feedback polynomial with respect to cubes of size 31 for P 376 by solving the MILP model mentioned above.
Online phase: recovering the key bits. In the online phase, the attacker is given a blackbox access to TinyJAMBU , i.e., the attacker is allowed to choose the value of 32-bit nonce and is given the bits at position (14) f (x, k) = t · p t (x, k) + q t (x, k) ,  Table 4. This implies that the attacker can get the evaluations of these superpolies by performing cube tester for 440 round TinyJAMBU . Therefore, the attacker can recover the entire key in time 2 123 + 5 · 2 31 .

Conclusion
In this work, we presented the first weak-key attack against TinyJAMBU . We also study the exact degree in nonce of the feedback polynomial of keyed permutation P n and give better key recovered attack for TinyJAMBU . As future work, we would like to investigate the following questions.
1. Similar to the DA3 attack considered in 36 , can we give distinguisher for rounds greater than 480 by using all 96 bits of the nonce? 2. Is there a practical key recovery attack for TinyJAMBU where the number of rounds is more than 450? 3. Does there exist any other inherent weakness for the permutation P n which can be exploited to get better cubes or used in any attacks?

Data availability
One can generate data using our source codes. The source codes of our results are publicly available at https:// drive. google. com/ file/d/ 1nkyJ iogxu eZUg5 gQvES BkAtg 6WKHu m1p/ view.  Table 4. Superpolies for P 376 .