Introduction

With the rapid advancement of computer and network technologies, information security has become paramount, and a resilient information security framework rests on cryptographic algorithms that provide secure communication and data integrity. Authenticated encryption algorithms (Jimale et al. 2022) guarantee both confidentiality and authenticity: a receiver holding the key learns that the data originated from a holder of the same key and was not tampered with or forged in transit. They are therefore essential building blocks of information exchange and network security. The CAESAR competition (Zhang et al. 2018), which ran from 2014, set out to identify authenticated encryption algorithms that meet stringent requirements for integrity, confidentiality and robustness, and it reignited the interest of the cryptographic community in the security analysis of such algorithms. Among the fifteen algorithms that advanced to its third round, Tiaoxin-346 (Ivica 2016), an AES-based authenticated encryption algorithm with associated data (AD), stood out for its processing speed, a consequence of its specialized structure.

Research on the security of authenticated encryption algorithms has traditionally emphasized confidentiality and integrity. As these algorithms have found wider practical use, key commitment security (Bellare and Hoang 2022; Chan and Rogaway 2022) has recently become an additional concern. Key commitment security requires that a ciphertext C commits to the parameters (key, Nonce, AD) used to produce it: the parameters under which C decrypts successfully must be the ones that were used for encryption (Menda et al. 2023). Consequently, an adversary cannot produce a single ciphertext that decrypts successfully under two different keys. This property matters in protocols such as secure multi-party computation (Yao 1982; Zhao et al. 2019) and zero-knowledge proofs (Goldwasser et al. 1985), among others.

Beyond key commitment, several contextual commitment notions for authenticated encryption, namely CMT-1, CMT-3, CMT-4 and FROB, have been defined in the literature (Bellare and Hoang 2022; Farshim et al. 2017; Grubbs et al. 2017). These notions involve not only the key but also the nonce (Nonce), the associated data (AD) and the plaintext (M). FROB is the most restrictive of them. An adversary breaks FROB security by constructing two tuples \(\left( k_{1}, Nonce_{1}, AD_{1}, M_{1}\right)\) and \(\left( k_{2}, Nonce_{2}, AD_{2}, M_{2}\right)\) with \(k_{1}\not =k_{2}\) and \(Nonce_{1}=Nonce_{2}\) whose encryptions yield the same ciphertext-tag pair, \(C_{1}=C_{2}\). The condition \(Nonce_{1}=Nonce_{2}\) takes away the adversary's freedom to use the nonce to create an internal collision during the initialization phase, so the collision has to be obtained from the key difference \(k_{1}\not =k_{2}\) alone. Derbez et al. (2024) construct internal collisions for AEAD schemes by choosing appropriate AD blocks, and obtain key committing attacks on AEGIS and Rocca-S with complexities O(1) and \(O\left( 2^{64}\right)\), respectively. They also analyzed Tiaoxin-346 in a setting where the round state values during associated data processing can be chosen freely, and found that recovering a suitable \(A D^{*}\) costs \(O\left( 2^{192}\right)\). Since Tiaoxin-346 uses a 128-bit tag, this is worse than the generic birthday attack on the tag, whose complexity is \(O\left( 2^{64}\right)\). Derbez et al. therefore concluded that recovering associated data in this way does not violate the key committing security of Tiaoxin-346, and the key committing security of Tiaoxin-346 remained an open question.

This study addresses a limitation of the existing attack method: it lacks variables with which to control the internal state of Tiaoxin-346, which drives up the cost of recovering \(A D^{*}\). To overcome this, we propose an efficient method for selecting a suitable \(A D^{*}\) by solving the system of state update equations. The main contributions of this paper are as follows. First, a detailed analysis of the state update process of Tiaoxin-346 is presented. Second, a key commitment attack based on internal state collisions within the FROB framework is introduced. Finally, the principles and steps for achieving a state collision in the seventh round of the associated data processing phase are given, yielding a key commitment attack on Tiaoxin-346 within the FROB framework. Our aim is to improve on the state-of-the-art attacks on Tiaoxin-346 through a new method for selecting suitable AD, giving a more efficient and effective attack strategy.

Notations and conventions

The notation and conventions used in this study are as follows. \(\left( U_{i}, V_{i}, W_{i}\right)\): the internal state at round i. \(U_{i}\), \(V_{i}\) and \(W_{i}\) consist of 3, 4 and 6 words respectively (a word is a sequence of 16 bytes, i.e. 128 bits), so the internal state can also be written as \(\left( U_{i}^{0}, U_{i}^{1}, U_{i}^{2}, V_{i}^{0}, V_{i}^{1}, V_{i}^{2}, V_{i}^{3}, W_{i}^{0}, W_{i}^{1}, W_{i}^{2}, W_{i}^{3}, W_{i}^{4}, W_{i}^{5}\right)\).

\(Z_{0}\): A 128-bit constant block in hexadecimal, \(Z_{0}= \text{0x}428a2f98d728ae227137449123ef65cd\).

\(Z_{1}\): A 128-bit constant block in hexadecimal, \(Z_{1}= \text{0x}b5c0fbcfec4d3b2fe9b5dba58189dbbc\).

\(X \oplus Y\): Bitwise addition (XOR) of the bit strings X and Y.

\(X \wedge Y\): Bitwise conjunction (AND) of the bit strings X and Y.

A(X): The AES round function without AddRoundKey, defined as \(A(X)=M \circ R \circ S(X)\), where S, R and M are the SubBytes, ShiftRows and MixColumns operations of AES. A is a bijection on 128-bit words; its inverse \(A^{-1}(X)=S^{-1} \circ R^{-1} \circ M^{-1}(X)\) is used in the attack below.

X: A bit string. |X| is the length of X in bits. \(X \Vert Y\) denotes the concatenation of bit strings X and Y. \(0^{l}\) is a zero string of l bits.

\(\left( X_{i}^{0}, X_{i}^{1}, X_{i}^{2}\right)\): The inputs for the ith round state update function.

Description of Tiaoxin-346

Tiaoxin-346 (Ivica 2016) is an authenticated encryption stream cipher with associated data. It was one of the fifteen third-round candidates of the CAESAR competition and is notable for its processing speed. The algorithm has four phases: initialization, associated data processing, encryption and finalization.

During initialization, the internal state of Tiaoxin-346 is loaded from the 128-bit key K, the two 128-bit constants \(Z_{0}\) and \(Z_{1}\), and a 128-bit nonce N. The initial state is \(\left( K, K, N, K, K, N, Z_{0}, K, K, N, Z_{1}, 0,0\right)\); it then undergoes 15 rounds of the update function, each round taking \(Z_{0}, Z_{1}, Z_{0}\) as input. In the subsequent phases Tiaoxin-346 processes the associated data AD and the message M in 256-bit blocks. If the last block of AD or M (or the length block formed from |AD| and |M|) is shorter than 256 bits, it is padded with zero bytes to a full block. Each block of AD and M consists of two words and is split into two 128-bit halves, i.e. \(A D_{i}=A D_{i}^{0} \Vert A D_{i}^{1}\). The round inputs are \(A D_{i}^{0}, A D_{i}^{1}, A D_{i}^{0} \oplus A D_{i}^{1}\) in the associated data processing phase, \(M_{i}^{0}, M_{i}^{1}, M_{i}^{0} \oplus M_{i}^{1}\) in the encryption phase, and \(|A D|, |M|, |A D| \oplus |M|\) (the bit lengths, each encoded as a 128-bit word) in the finalization (tag generation) phase. The following round update function is used to process these inputs.

$$\begin{aligned}&U_{i+1}^{0} = U_{i}^{0} \oplus X_{i}^{0} \oplus A\left( U_{i}^{2}\right) , U_{i+1}^{1} = A\left( U_{i}^{0}\right) , U_{i+1}^{2} = U_{i}^{1}.\\&V_{i+1}^{0} = V_{i}^{0} \oplus X_{i}^{1} \oplus A\left( V_{i}^{3}\right) , V_{i+1}^{1} = A\left( V_{i}^{0}\right) , V_{i+1}^{j} = V_{i}^{j-1} \text{ for } j = 2,3. \\&W_{i+1}^{0} = W_{i}^{0} \oplus X_{i}^{2} \oplus A\left( W_{i}^{5}\right) , W_{i+1}^{1} = A\left( W_{i}^{0}\right) , W_{i+1}^{j} = W_{i}^{j-1} \text{ for } j = 2,3,4,5. \end{aligned}$$

where \(X_{i}^{2}=X_{i}^{0} \oplus X_{i}^{1}\); the third input of every round is thus determined by the first two. The state update operations of Tiaoxin-346 are illustrated in Fig. 1.

Fig. 1: State update operations in Tiaoxin-346 for processing the message or associated data (figure not reproduced).

In the associated data processing phase, it only updates the state and does not have an output. In the encryption phase, each block of the message is processed in one round and a block of ciphertext is output as follows:

$$\begin{aligned} \left\{ \begin{array}{l} C_{i}^{0}=U_{i}^{0} \oplus U_{i}^{2} \oplus V_{i}^{1} \oplus \left( W_{i}^{3} \wedge V_{i}^{3}\right) \\[2ex] C_{i}^{1}=W_{i}^{0} \oplus V_{i}^{2} \oplus U_{i}^{1} \oplus \left( W_{i}^{5} \wedge U_{i}^{2}\right) \end{array}\right. \end{aligned}$$

The ciphertext has the same length as the message: if the last block of the unpadded message is shorter than 256 bits, the last ciphertext block is truncated to the length of the original message. After another 20 rounds of update with inputs \(|A D|, |M|, |A D| \oplus |M|\), the 128-bit authentication tag is the XOR of all thirteen words of the resulting state (the index i below refers to that final state):

$$\begin{aligned} T=U_{i}^{0} \oplus U_{i}^{1} \oplus U_{i}^{2} \oplus V_{i}^{0} \oplus V_{i}^{1} \oplus V_{i}^{2} \oplus V_{i}^{3} \oplus W_{i}^{0} \oplus W_{i}^{1} \oplus W_{i}^{2} \oplus W_{i}^{3} \oplus W_{i}^{4} \oplus W_{i}^{5} \end{aligned}$$

Decryption and verification likewise consist of four phases: initialization, associated data processing, decryption and finalization. The associated data processing, decryption and finalization phases use the same round functions as encryption; the inputs of the decryption phase are \(C_{i}^{0}, C_{i}^{1}, C_{i}^{0} \oplus C_{i}^{1}\). If the recomputed tag does not match the received one, verification fails and the decrypted plaintext is not released.

Key committing attack on Tiaoxin-346 in FROB framework

Attack idea based on internal collision

The FROB security notion introduced by Farshim et al. (2017) is the most rigorous of the existing key commitment notions. A key committing attack in the FROB framework can be stated as follows: for any given \(\left( k_{1}, Nonce_{1}, AD_{1}\right)\), find another setting \(\left( k_{2}, Nonce_{2}, AD_{2}\right)\) with \(k_{1} \not = k_{2}\) and \(Nonce_{1}= Nonce_{2}\) such that encrypting the same message \(M_{1}\) under the two settings \((k, \text{ Nonce, } A D)\) yields the same ciphertext-tag pair.

For Tiaoxin-346, we first fix a tuple \(\left( k_{1}, Nonce_{1}, AD_{1}\right)\) in which \(AD_{1}\) contains at least seven 256-bit blocks. After the first 7 rounds of the associated data processing phase the state is \(\left( U_{7}^{0}, U_{7}^{1}, U_{7}^{2}, V_{7}^{0}, V_{7}^{1}, V_{7}^{2}, V_{7}^{3}, W_{7}^{0}, W_{7}^{1}, W_{7}^{2}, W_{7}^{3}, W_{7}^{4}, W_{7}^{5}\right)\). Our aim is a state collision with a second tuple \(\left( k_{2}, Nonce_{2}, AD^{*}\right)\) with \(k_{1}\not =k_{2}\) and \(Nonce_{1}= Nonce_{2}\): by choosing the first seven blocks of \(AD^{*}\) appropriately, both tuples reach the same state \(\left( U_{7}, V_{7}, W_{7}\right)\) at round 7. Once the states agree, the two computations are identical from that point on, so if \(AD^{*}\) continues with the same blocks as \(AD_{1}\) (which also makes \(|AD^{*}| = |AD_{1}|\), so the finalization inputs agree), encrypting the same message under either tuple yields the same ciphertext and tag. That ciphertext therefore decrypts and verifies under two distinct keys, which is a key committing attack within the FROB framework.

The choice of the 7th round follows from the structure of Tiaoxin-346. The three registers \(\left( U_{i}, V_{i}, W_{i}\right)\) hold 13 words of 128 bits, each controlled by the state update function, so a collision of the full state imposes 13 word equations. The inputs \(A D_{i}^{0}, A D_{i}^{1}, A D_{i}^{2}\) of each round satisfy \(A D_{i}^{2}=A D_{i}^{0} \oplus A D_{i}^{1}\), which adds one constraint per round; over n rounds this gives \(13+n\) equations in the \(3n\) input words. For the system to be solvable in general we need at least as many variables as equations, \(3 n \ge 13+n\), i.e. \(n \ge 6.5\). With 7 rounds we therefore obtain a system of 20 equations in 21 variables, which leaves one word of freedom (used below to fix \(c_{0}\)). Solving this system is expected to yield a valid \(A D^{*}\) with time complexity well below \(2^{64}\), giving a key committing attack on Tiaoxin-346 within the FROB framework.

A key committing attack on Tiaoxin-346

For any tuple \(\left( k_{1}, Nonce_{1}, AD_{1}\right)\), denote the state after the 7th round of the associated data processing phase by \(\left( U_{7}^{0}, U_{7}^{1}, U_{7}^{2}, V_{7}^{0}, V_{7}^{1}, V_{7}^{2}, V_{7}^{3}, W_{7}^{0}, W_{7}^{1}, W_{7}^{2}, W_{7}^{3}, W_{7}^{4}, W_{7}^{5}\right)\). For a second key \(k_{2}\) with \(k_{1} \ne k_{2}\) and the same nonce \(Nonce_{1}\), run the initialization phase and denote the resulting state at round 0 of the AD processing phase by \(\left( U_{0}^{0}, U_{0}^{1}, U_{0}^{2}, V_{0}^{0}, V_{0}^{1}, V_{0}^{2}, V_{0}^{3}, W_{0}^{0}, W_{0}^{1}, W_{0}^{2}, W_{0}^{3}, W_{0}^{4}, W_{0}^{5}\right)\); all of these words are known to the attacker. To simplify the analysis, the inputs of \(A D^{*}\) in round i are written \(\left( a_{i}, b_{i}, c_{i}\right)\), where by the structure of Tiaoxin-346 \(a_{i} \oplus b_{i}=c_{i}\). Following the attack idea above, the equations expressing an internal collision at the 7th round are as follows (here \(A U\) abbreviates \(A(U)\) and \(A A U\) abbreviates \(A(A(U))\)):

$$\begin{aligned} U_{7}^{0}&= U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2} \nonumber \\&\quad \oplus A A U_{0}^{0} \oplus a_{3} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \nonumber \\&\quad \oplus a_{4} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1}\right) \oplus a_{5} \nonumber \\&\quad \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2} \oplus A A U_{0}^{0}\right) \nonumber \\&\quad \oplus a_{6} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2}\right. \nonumber \\&\quad \left. \oplus \,A A U_{0}^{0} \oplus a_{3} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \right) \end{aligned}$$
(1.1)
$$\begin{aligned} U_{7}^{1}&= A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2}\right. \nonumber \\&\quad \oplus A A U_{0}^{0} \oplus a_{3} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \nonumber \\&\quad \oplus a_{4} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1}\right) \oplus a_{5} \nonumber \\&\quad \left. \oplus \,A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2} \oplus A A U_{0}^{0}\right) \right) \end{aligned}$$
(1.2)
$$\begin{aligned} U_{7}^{2}&= A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2} \oplus A A U_{0}^{0} \oplus a_{3}\right. \nonumber \\&\quad \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \oplus a_{4}\nonumber \\&\quad \left. \oplus \,A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1}\right) \right) \end{aligned}$$
(1.3)
$$\begin{aligned} V_{7}^{0}&= V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1} \oplus b_{3} \nonumber \\&\quad \oplus A A V_{0}^{0} \oplus b_{4} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right) \nonumber \\&\quad \oplus b_{5} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2}\right) \oplus b_{6}\nonumber \\&\quad \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1}\right) \end{aligned}$$
(2.1)
$$\begin{aligned} V_{7}^{1}&= A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1} \oplus b_{3}\right. \nonumber \\&\quad \oplus A A V_{0}^{0} \oplus b_{4} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right) \nonumber \\&\quad \left. \oplus \,b_{5} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2}\right) \right) \end{aligned}$$
(2.2)
$$\begin{aligned} V_{7}^{2}&= A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1} \oplus b_{3}\right. \nonumber \\&\quad \left. \oplus \,A A V_{0}^{0} \oplus b_{4} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right) \right) \end{aligned}$$
(2.3)
$$\begin{aligned} V_{7}^{3} =&A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1} \oplus b_{3} \oplus A A V_{0}^{0}\right) \end{aligned}$$
(2.4)
$$\begin{aligned} W_{7}^{0}&= W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4} \oplus c_{2} \oplus A W_{0}^{3} \oplus c_{3} \nonumber \\&\quad \oplus A W_{0}^{2} \oplus c_{4} \oplus A W_{0}^{1} \oplus c_{5} \oplus A A W_{0}^{0} \oplus c_{6}\nonumber \\&\quad \oplus A A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5}\right) \end{aligned}$$
(3.1)
$$\begin{aligned} W_{7}^{1}&= A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4} \oplus c_{2} \oplus A W_{0}^{3} \oplus c_{3}\right. \nonumber \\&\quad \left. \oplus \,A W_{0}^{2} \oplus c_{4} \oplus A W_{0}^{1} \oplus c_{5} \oplus A A W_{0}^{0}\right) \end{aligned}$$
(3.2)
$$\begin{aligned} W_{7}^{2}&= A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4} \oplus c_{2} \oplus A W_{0}^{3} \oplus c_{3}\right. \nonumber \\&\quad \left. \oplus \,A W_{0}^{2} \oplus c_{4} \oplus A W_{0}^{1}\right) \end{aligned}$$
(3.3)
$$\begin{aligned} W_{7}^{3}&= A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4} \oplus c_{2} \oplus A W_{0}^{3}\right. \nonumber \\ &\quad \left. \oplus \,c_{3} \oplus A W_{0}^{2}\right) \end{aligned}$$
(3.4)
$$\begin{aligned} W_{7}^{4}&= A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4} \oplus c_{2} \oplus A W_{0}^{3}\right) \end{aligned}$$
(3.5)
$$\begin{aligned} W_{7}^{5}&= A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5} \oplus c_{1} \oplus A W_{0}^{4}\right) \end{aligned}$$
(3.6)

The following outlines the detailed steps for solving \(a_{i}, b_{i}, c_{i}\) in the aforementioned system of equations.

Step 1 From Eqs. (3.6) down to (3.1), treating \(c_{0}\) as the free variable, we obtain (using \(W_{7}^{5}=A(W_{2}^{0})\), \(W_{7}^{4}=A(W_{3}^{0})\), ..., \(W_{7}^{1}=A(W_{6}^{0})\)):

$$\begin{aligned} \left\{ \begin{array}{l} c_{1}=A^{-1} W_{7}^{5} \oplus W_{0}^{0} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \oplus c_{0} \\[2ex] c_{2}=A^{-1} W_{7}^{4} \oplus A^{-1} W_{7}^{5} \oplus A W_{0}^{3} \\[2ex] c_{3}=A^{-1} W_{7}^{3} \oplus A^{-1} W_{7}^{4} \oplus A W_{0}^{2} \\[2ex] c_{4}=A^{-1} W_{7}^{2} \oplus A^{-1} W_{7}^{3} \oplus A W_{0}^{1} \\[2ex] c_{5}=A^{-1} W_{7}^{1} \oplus A^{-1} W_{7}^{2} \oplus A A W_{0}^{0} \\[2ex] c_{6}=W_{7}^{0} \oplus A^{-1} W_{7}^{1} \oplus A A\left( W_{0}^{0} \oplus c_{0} \oplus A W_{0}^{5}\right) \end{array}\right. \end{aligned}$$
(4)

Step 2 From Eqs. (2.4) to (2.1), we select \(b_{0}, b_{1}, b_{2}\) as the free variables, leading to the following representation:

$$\begin{aligned} \left\{ \begin{array}{l} b_{3}=A^{-1} V_{7}^{3} \oplus V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus A A V_{0}^{0} \oplus b_{0} \oplus b_{1} \oplus b_{2} \\[2ex] b_{4}=A^{-1} V_{7}^{2} \oplus A^{-1} V_{7}^{3} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right) \\[2ex] b_{5}=A^{-1} V_{7}^{1} \oplus A^{-1} V_{7}^{2} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2}\right) \\[2ex] b_{6}=V_{7}^{0} \oplus A^{-1} V_{7}^{1} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3} \oplus b_{1} \oplus A V_{0}^{2} \oplus b_{2} \oplus A V_{0}^{1}\right) \end{array}\right. \end{aligned}$$
(5)

Step 3 From Eq. (1.3), it can be deduced that:

$$\begin{aligned} a_{4}&= A^{-1} U_{7}^{2} \oplus U_{0}^{0} \oplus A A U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \nonumber \\&\quad \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \oplus a_{0} \oplus a_{1} \oplus a_{2} \nonumber \\&\quad \oplus a_{3} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1}\right) \end{aligned}$$
(6)

Using \(a_{i}=c_{i} \oplus b_{i}\) for \(i=0,1, \ldots, 4\), substitute the solutions for \(c_{1}, \ldots, c_{4}\) from (4) and for \(b_{3}, b_{4}\) from (5) into Eq. (6) and into \(a_{4}=c_{4} \oplus b_{4}\). After cancelling the terms \(A^{-1} V_{7}^{3}\) and \(A^{-1} W_{7}^{3}\), which appear on both sides, we obtain:

$$\begin{aligned}&A^{-1} V_{7}^{2} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right) \oplus A^{-1} W_{7}^{2} \oplus W_{0}^{0} \oplus A W_{0}^{1} \nonumber \\ &= A^{-1} U_{7}^{2} \oplus U_{0}^{0} \oplus A A U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \oplus A A\left( U_{0}^{0} \oplus b_{0} \oplus c_{0} \oplus A U_{0}^{2}\right) \nonumber \\&\quad \oplus V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus A A V_{0}^{0} \oplus A W_{0}^{2} \oplus A W_{0}^{3} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \nonumber \\&\quad \oplus A A\left( U_{0}^{0} \oplus b_{0} \oplus A U_{0}^{2} \oplus b_{1} \oplus A U_{0}^{1} \oplus A^{-1} W_{7}^{5} \oplus W_{0}^{0} \oplus A W_{0}^{4} \oplus A W_{0}^{5}\right) \end{aligned}$$
(7)

Equation (7) is the critical equation of the system. To construct an internal collision by choosing AD, we want as many controllable words of the internal state as possible while keeping the number of round function (transformation A) evaluations small. The free variable \(c_{0}\) can be used to lower the cost: we set \(c_{0}=V_{0}^{0} \oplus A V_{0}^{3} \oplus U_{0}^{0} \oplus A U_{0}^{2}\), so that \(U_{0}^{0} \oplus c_{0} \oplus A U_{0}^{2}=V_{0}^{0} \oplus A V_{0}^{3}\) and the two terms \(A A\left( V_{0}^{0} \oplus b_{0} \oplus A V_{0}^{3}\right)\) and \(A A\left( U_{0}^{0} \oplus b_{0} \oplus c_{0} \oplus A U_{0}^{2}\right)\) in Eq. (7) coincide and cancel (equivalently, the first-round words \(U_{1}^{0}\) and \(V_{1}^{0}\) of the second computation become equal). This reduces the number of A A terms in Eq. (7) from three to one. We now collect the known words of Eq. (7) into two constants, written \(k_{1}\) and \(k_{2}\) (128-bit constants determined by the initial and target states, not to be confused with the keys \(k_{1}\), \(k_{2}\)):

$$\begin{aligned} k_{1}&= U_{0}^{0} \oplus A U_{0}^{2} \oplus A U_{0}^{1} \oplus A^{-1} W_{7}^{5} \oplus W_{0}^{0} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \end{aligned}$$
$$\begin{aligned} k_{2}&= A^{-1} V_{7}^{2} \oplus A^{-1} W_{7}^{2} \oplus W_{0}^{0} \oplus A W_{0}^{1} \oplus A^{-1} U_{7}^{2} \oplus U_{0}^{0} \oplus A A U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \\&\quad \oplus V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus A A V_{0}^{0} \oplus A W_{0}^{2} \oplus A W_{0}^{3} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \end{aligned}$$

Then, Eq. (7) can be expressed in a simplified form as

$$\begin{aligned} A A\left( b_{0} \oplus b_{1} \oplus k_{1}\right) =k_{2} \end{aligned}$$

Here \(k_{1}\) and \(k_{2}\) are known once \(c_{0}\) is fixed. Applying \(A^{-1}\) twice yields \(b_{0} \oplus b_{1}=k_{1} \oplus A^{-1}A^{-1}(k_{2})\).

Step 4 From Eq. (1.2), since \(U_{7}^{1}=A(U_{6}^{0})\) and \(U_{7}^{2}=A(U_{5}^{0})\), it follows that:

$$\begin{aligned} a_{5}&= A^{-1} U_{7}^{1} \oplus A^{-1} U_{7}^{2} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2} \oplus A A U_{0}^{0}\right) \end{aligned}$$
(8)

Combining Eq. (8) with the solutions in (4) and (5) as in Step 3 (\(a_{5}=b_{5} \oplus c_{5}\), and \(a_{0} \oplus a_{1} \oplus a_{2}=b_{0} \oplus b_{1} \oplus b_{2} \oplus c_{0} \oplus c_{1} \oplus c_{2}\)), we derive:

$$\begin{aligned}&A^{-1} V_{7}^{1} \oplus A^{-1} V_{7}^{2} \oplus A A\left( V_{0}^{0} \oplus b_{0} \oplus b_{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3}\right) \oplus A^{-1} W_{7}^{1} \oplus A^{-1} W_{7}^{2} \oplus A A W_{0}^{0} \nonumber \\ &= A^{-1} U_{7}^{1} \oplus A^{-1} U_{7}^{2} \oplus A A\left( U_{0}^{0} \oplus b_{0} \oplus b_{1} \oplus b_{2} \oplus A U_{0}^{2} \oplus A U_{0}^{1} \oplus A A U_{0}^{0} \oplus W_{0}^{0} \oplus A W_{0}^{3} \oplus A W_{0}^{4}\right. \nonumber \\ &\left. \oplus \,A W_{0}^{5} \oplus A^{-1} W_{7}^{4}\right) \end{aligned}$$
(9)

As in Step 3, collect the known words of Eq. (9) into constants:

$$\begin{aligned} k_{3}&= V_{0}^{0} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \\ k_{4}&= A^{-1} V_{7}^{1} \oplus A^{-1} V_{7}^{2} \oplus A^{-1} W_{7}^{1} \oplus A^{-1} W_{7}^{2} \oplus A A W_{0}^{0} \oplus A^{-1} U_{7}^{1} \oplus A^{-1} U_{7}^{2} \\ k_{5}&= U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \oplus A A U_{0}^{0} \oplus W_{0}^{0} \oplus A W_{0}^{3} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \oplus A^{-1} W_{7}^{4} \end{aligned}$$

Then Eq. (9) can be abbreviated as follows.

$$\begin{aligned} A A\left( b_{0} \oplus b_{1} \oplus k_{3}\right) \oplus k_{4}=A A\left( b_{0} \oplus b_{1} \oplus b_{2} \oplus k_{5}\right) \end{aligned}$$

Here \(k_{3}, k_{4}, k_{5}\) are known and \(b_{0} \oplus b_{1}\) was determined in Step 3, so the left-hand side is a known word. Applying \(A^{-1}\) twice gives the value of \(b_{2}\):

$$\begin{aligned} b_{2}=b_{0} \oplus b_{1} \oplus k_{5} \oplus A^{-1}A^{-1}\left( A A\left( b_{0} \oplus b_{1} \oplus k_{3}\right) \oplus k_{4}\right) \end{aligned}$$

Step 5 From Eq. (1.1), since \(U_{7}^{1}=A(U_{6}^{0})\), it follows that:

$$\begin{aligned} a_{6}&= U_{7}^{0} \oplus A^{-1} U_{7}^{1} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2} \oplus a_{1} \oplus A U_{0}^{1} \oplus a_{2}\right. \nonumber \\&\quad \left. \oplus \,A A U_{0}^{0} \oplus a_{3} \oplus A A\left( U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}\right) \right) \end{aligned}$$
(10)

Substituting \(a_{6}=b_{6} \oplus c_{6}\) with \(b_{6}\) from (5) and \(c_{6}\) from (4), together with \(a_{0} \oplus a_{1} \oplus a_{2} \oplus a_{3}=b_{0} \oplus b_{1} \oplus b_{2} \oplus b_{3} \oplus c_{0} \oplus c_{1} \oplus c_{2} \oplus c_{3}\), and noting that the choice of \(c_{0}\) gives \(U_{0}^{0} \oplus a_{0} \oplus A U_{0}^{2}=b_{0} \oplus V_{0}^{0} \oplus A V_{0}^{3}\), we derive:

$$\begin{aligned}&V_{7}^{0} \oplus A^{-1} V_{7}^{1} \oplus A A\left( V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus b_{0} \oplus b_{1} \oplus b_{2}\right) \nonumber \\&\qquad \oplus W_{7}^{0} \oplus A^{-1} W_{7}^{1} \oplus A A\left( W_{0}^{0} \oplus V_{0}^{0} \oplus A V_{0}^{3} \oplus U_{0}^{0} \oplus A U_{0}^{2} \oplus A W_{0}^{5}\right) \nonumber \\&\quad = U_{7}^{0} \oplus A^{-1} U_{7}^{1} \oplus A A\big( U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \oplus A A U_{0}^{0} \oplus A^{-1} V_{7}^{3} \oplus V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus A A V_{0}^{0} \nonumber \\&\qquad \oplus A^{-1} W_{7}^{3} \oplus W_{0}^{0} \oplus A W_{0}^{2} \oplus A W_{0}^{3} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \oplus A A\left( b_{0} \oplus V_{0}^{0} \oplus A V_{0}^{3}\right) \big) \end{aligned}$$
(11)

As in Step 3, collect the known words of Eq. (11) into constants \(k_{i}\) \((i=6,7,8,9)\):

$$\begin{aligned} k_{6}&= V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \\ k_{7}&= V_{7}^{0} \oplus A^{-1} V_{7}^{1} \oplus W_{7}^{0} \oplus A^{-1} W_{7}^{1} \oplus U_{7}^{0} \oplus A^{-1} U_{7}^{1} \oplus A A\left( W_{0}^{0} \oplus V_{0}^{0} \oplus A V_{0}^{3} \oplus U_{0}^{0} \oplus A U_{0}^{2} \oplus A W_{0}^{5}\right) \\ k_{8}&= U_{0}^{0} \oplus A U_{0}^{1} \oplus A U_{0}^{2} \oplus A A U_{0}^{0} \oplus A^{-1} V_{7}^{3} \oplus V_{0}^{0} \oplus A V_{0}^{1} \oplus A V_{0}^{2} \oplus A V_{0}^{3} \oplus A A V_{0}^{0} \\&\quad \oplus A^{-1} W_{7}^{3} \oplus W_{0}^{0} \oplus A W_{0}^{2} \oplus A W_{0}^{3} \oplus A W_{0}^{4} \oplus A W_{0}^{5} \\ k_{9}&= V_{0}^{0} \oplus A V_{0}^{3} \end{aligned}$$

Then Eq. (11) can be expressed in the simplified form:

$$\begin{aligned} A A\left( b_{0} \oplus b_{1} \oplus b_{2} \oplus k_{6}\right) =k_{7} \oplus A A\left( k_{8} \oplus A A\left( b_{0} \oplus k_{9}\right) \right) \end{aligned}$$

Here \(k_{i}\) \((i=6,7,8,9)\) are known, and \(b_{0} \oplus b_{1}\) (Step 3) and \(b_{2}\) (Step 4) have already been obtained, so the left-hand side is a known word. Peeling off the outer A A with two applications of \(A^{-1}\), and then the inner A A with two more, determines \(b_{0}\):

$$\begin{aligned} b_{0}=k_{9} \oplus A^{-1}A^{-1}\left( k_{8} \oplus A^{-1}A^{-1}\left( A A\left( b_{0} \oplus b_{1} \oplus b_{2} \oplus k_{6}\right) \oplus k_{7}\right) \right) \end{aligned}$$

Subsequently, \(b_{1}=\left( b_{0} \oplus b_{1}\right) \oplus b_{0}\) follows from Step 3.

Step 6 With \(c_{0}=V_{0}^{0} \oplus A V_{0}^{3} \oplus U_{0}^{0} \oplus A U_{0}^{2}\) fixed, \(c_{1}, \ldots , c_{6}\) follow from formula (4). With \(b_{0}, b_{1}, b_{2}\) from Steps 3 to 5, formula (5) gives \(b_{3}, b_{4}, b_{5}, b_{6}\). Finally, the constraints \(a_{i}=b_{i} \oplus c_{i}\) \((i=0,1, \ldots, 6)\) yield \(a_{0}, \ldots , a_{6}\).

Following these steps, for any given \(A D_{1}\) with at least seven blocks we obtain an \(A D^{*}=\left( a_{0}, \ldots , a_{6}; b_{0}, \ldots , b_{6}; c_{0}, \ldots , c_{6}\right)\) that produces an internal collision at the 7th round of the associated data processing phase. Once \(c_{0}=V_{0}^{0} \oplus A V_{0}^{3} \oplus U_{0}^{0} \oplus A U_{0}^{2}\) is fixed, every remaining variable is obtained by direct substitution with a constant number of evaluations of A and \(A^{-1}\) and no search, so the overall computational complexity is O(1). This is far below the \(2^{64}\) cost of the generic birthday attack on the 128-bit tag of Tiaoxin-346.
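The procedure of Steps 1 to 6, as an added worked example that is not part of the original paper and not the designer's reference code: the block below models Tiaoxin-346 from the description on this page (the round function A and its inverse are built from GF(2^8) arithmetic so that it runs with the Python standard library alone) and implements the six solving steps. The encoding of |AD| and |M| in the finalization (128-bit little-endian counts) is an assumption of this model rather than something the page states; the collision does not depend on it, because both tuples feed identical lengths. The keys, nonce, \(AD_{1}\) and message in `demo()` are constructed sample values. `find_ad_star` returns the seven blocks \((a_i, b_i)\) of \(AD^{*}\); `demo()` checks that absorbing them under \(k_{2}\) reaches the round-7 state of \(k_{1}\), and that the two tuples, each followed by one shared trailing AD block, produce the same ciphertext and tag.

```python
from functools import reduce

# AES round function A = MixColumns o ShiftRows o SubBytes (no AddRoundKey) and its inverse,
# built from GF(2^8) arithmetic so the example needs nothing beyond the standard library.
def _xtime(b): return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1
EXP, LOG, _x = [0] * 256, [0] * 256, 1                   # antilog/log tables, generator 3
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x ^= _xtime(_x)
def _gf_mul(a, b): return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 255]
def _rotl8(b, n): return ((b << n) | (b >> (8 - n))) & 0xFF
SBOX = [0] * 256                                          # S-box = affine map of the field inverse
for _i in range(256):
    _s = 0 if _i == 0 else EXP[(255 - LOG[_i]) % 255]
    SBOX[_i] = _s ^ _rotl8(_s, 1) ^ _rotl8(_s, 2) ^ _rotl8(_s, 3) ^ _rotl8(_s, 4) ^ 0x63
INV_SBOX = [SBOX.index(_i) for _i in range(256)]
SR = [(i % 4) + 4 * ((i // 4 + i % 4) % 4) for i in range(16)]   # ShiftRows: byte i comes from SR[i]
INV_SR = [SR.index(i) for i in range(16)]
def _mix(s, m):  # MixColumns on a column-major 16-byte state; m = first row of the circulant matrix
    return bytes(reduce(lambda v, j: v ^ _gf_mul(m[(j - i) % 4], s[4 * c + j]), range(4), 0)
                 for c in range(4) for i in range(4))
def A(x): return _mix(bytes(SBOX[x[j]] for j in SR), (2, 3, 1, 1))
def A_inv(y):
    m = _mix(y, (14, 11, 13, 9))
    return bytes(INV_SBOX[m[j]] for j in INV_SR)
def AA(x): return A(A(x))
def AAi(x): return A_inv(A_inv(x))
def X(*ws): return bytes(reduce(lambda p, q: p ^ q, col) for col in zip(*ws))   # XOR of words

# Tiaoxin-346 model written from the description on this page: state (U, V, W) of 3 + 4 + 6 words.
Z0 = bytes.fromhex("428a2f98d728ae227137449123ef65cd")
Z1 = bytes.fromhex("b5c0fbcfec4d3b2fe9b5dba58189dbbc")
def update(st, x0, x1, x2):
    U, V, W = st
    return ([X(U[0], x0, A(U[2])), A(U[0]), U[1]],
            [X(V[0], x1, A(V[3])), A(V[0]), V[1], V[2]],
            [X(W[0], x2, A(W[5])), A(W[0]), W[1], W[2], W[3], W[4]])
def init(key, nonce):
    st = ([key, key, nonce], [key, key, nonce, Z0], [key, key, nonce, Z1, bytes(16), bytes(16)])
    for _ in range(15): st = update(st, Z0, Z1, Z0)
    return st
def absorb(st, blocks):   # AD processing; each block is a pair (AD^0, AD^1) of 16-byte words
    for a0, a1 in blocks: st = update(st, a0, a1, X(a0, a1))
    return st
def encrypt(key, nonce, ad, msg):
    st, ct = absorb(init(key, nonce), ad), []
    for m0, m1 in msg:
        st = update(st, m0, m1, X(m0, m1)); U, V, W = st
        ct.append((X(U[0], U[2], V[1], bytes(p & q for p, q in zip(W[3], V[3]))),
                   X(W[0], V[2], U[1], bytes(p & q for p, q in zip(W[5], U[2])))))
    # 128-bit little-endian length words are an assumption of this model (both tuples feed identical ones)
    la, lm = (256 * len(ad)).to_bytes(16, "little"), (256 * len(msg)).to_bytes(16, "little")
    for _ in range(20): st = update(st, la, lm, X(la, lm))
    return ct, X(*(st[0] + st[1] + st[2]))

def find_ad_star(target, st0):
    """Steps 1-6: seven AD* blocks driving st0 (post-init state under k2) onto target (round-7 state under k1)."""
    (U7, V7, W7), (U0, V0, W0), Ai = target, st0, A_inv
    # Step 1: c0 chosen so the two AA terms of Eq. (7) cancel; c1..c6 from Eqs. (3.6)-(3.1)
    c = [X(V0[0], A(V0[3]), U0[0], A(U0[2]))]
    c += [X(Ai(W7[5]), W0[0], A(W0[4]), A(W0[5]), c[0]), X(Ai(W7[4]), Ai(W7[5]), A(W0[3])),
          X(Ai(W7[3]), Ai(W7[4]), A(W0[2])), X(Ai(W7[2]), Ai(W7[3]), A(W0[1])),
          X(Ai(W7[1]), Ai(W7[2]), AA(W0[0])), X(W7[0], Ai(W7[1]), AA(X(W0[0], c[0], A(W0[5]))))]
    # Step 3: AA(b0 ^ b1 ^ k1) = k2 fixes b0 ^ b1
    k1 = X(U0[0], A(U0[2]), A(U0[1]), Ai(W7[5]), W0[0], A(W0[4]), A(W0[5]))
    k2 = X(Ai(V7[2]), Ai(W7[2]), W0[0], A(W0[1]), Ai(U7[2]), U0[0], AA(U0[0]), A(U0[1]), A(U0[2]),
           V0[0], A(V0[1]), A(V0[2]), A(V0[3]), AA(V0[0]), A(W0[2]), A(W0[3]), A(W0[4]), A(W0[5]))
    b01 = X(k1, AAi(k2))
    # Step 4: AA(b01 ^ k3) ^ k4 = AA(b01 ^ b2 ^ k5) fixes b2
    k3 = X(V0[0], A(V0[2]), A(V0[3]))
    k4 = X(Ai(V7[1]), Ai(V7[2]), Ai(W7[1]), Ai(W7[2]), AA(W0[0]), Ai(U7[1]), Ai(U7[2]))
    k5 = X(U0[0], A(U0[1]), A(U0[2]), AA(U0[0]), W0[0], A(W0[3]), A(W0[4]), A(W0[5]), Ai(W7[4]))
    b2 = X(b01, k5, AAi(X(AA(X(b01, k3)), k4)))
    # Step 5: AA(b01 ^ b2 ^ k6) = k7 ^ AA(k8 ^ AA(b0 ^ k9)) fixes b0 (two double inversions)
    k6 = X(V0[0], A(V0[1]), A(V0[2]), A(V0[3]))
    k7 = X(V7[0], Ai(V7[1]), W7[0], Ai(W7[1]), U7[0], Ai(U7[1]), AA(X(W0[0], c[0], A(W0[5]))))
    k8 = X(U0[0], A(U0[1]), A(U0[2]), AA(U0[0]), Ai(V7[3]), V0[0], A(V0[1]), A(V0[2]), A(V0[3]),
           AA(V0[0]), Ai(W7[3]), W0[0], A(W0[2]), A(W0[3]), A(W0[4]), A(W0[5]))
    k9 = X(V0[0], A(V0[3]))
    b0 = X(k9, AAi(X(k8, AAi(X(AA(X(b01, b2, k6)), k7)))))
    b = [b0, X(b01, b0), b2]
    # Steps 2 and 6: b3..b6 from Eqs. (2.4)-(2.1) via V_1^0, V_2^0, V_3^0; then a_i = b_i ^ c_i
    v1 = X(V0[0], b[0], A(V0[3])); v2 = X(v1, b[1], A(V0[2])); v3 = X(v2, b[2], A(V0[1]))
    b += [X(Ai(V7[3]), v3, AA(V0[0])), X(Ai(V7[2]), Ai(V7[3]), AA(v1)),
          X(Ai(V7[1]), Ai(V7[2]), AA(v2)), X(V7[0], Ai(V7[1]), AA(v3))]
    return [(X(bi, ci), bi) for bi, ci in zip(b, c)]

def demo():
    """Constructed sample: k1 != k2, same nonce, AD1 = 7 blocks plus one shared trailing block."""
    k1, k2, nonce = bytes(range(16)), bytes(range(16, 32)), b"\x55" * 16
    ad1 = [(bytes([i] * 16), bytes([i + 100] * 16)) for i in range(7)]
    trail, msg = [(b"\xaa" * 16, b"\xbb" * 16)], [(b"attack at dawn!!", bytes(16))]
    target = absorb(init(k1, nonce), ad1)
    ad_star = find_ad_star(target, init(k2, nonce))
    collide = absorb(init(k2, nonce), ad_star) == target
    same_out = encrypt(k1, nonce, ad1 + trail, msg) == encrypt(k2, nonce, ad_star + trail, msg)
    return collide and same_out and ad1 != ad_star
```

`demo()` performs no search: each step is a fixed sequence of A and \(A^{-1}\) evaluations, which is the O(1) cost claimed above. The shared trailing block illustrates the length requirement of the attack: if it is appended to only one of the two AD sequences, the finalization inputs |AD| differ and the tags no longer agree even though the states collided at round 7.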

In summary, for any given key \(k_{1}\) and associated data \(A D_{1}\) we can find a different key \(k_{2}\) and associated data \(A D^{*}\) with time complexity O(1) such that, under the same Nonce, the two computations collide internally at the 7th round of the associated data processing phase. If \(A D^{*}\) continues with the same blocks as \(A D_{1}\) after the first seven, the tuples \(\left( k_{1}, Nonce, A D_{1}, M\right)\) and \(\left( k_{2}, Nonce, A D^{*}, M\right)\) produce the same ciphertext C and the same authentication tag. Thus, under the same nonce, the two distinct keys \(k_{1}\) and \(k_{2}\) both decrypt and verify the same ciphertext. The proposed attack breaks the key commitment security of Tiaoxin-346 within the FROB framework.

Conclusions

Key commitment security is an essential property of authenticated encryption algorithms, complementing confidentiality and integrity. It has recently received considerable attention in applications such as encrypted messaging, key rotation schemes and password-based key exchange. This study provides a detailed analysis of Tiaoxin-346 under the tightened constraints of a key committing attack within the FROB framework. Rather than searching for a pair \(\left( k_{1}, Nonce_{1}, A D_{1}, M_{1}\right)\), \(\left( k_{2}, Nonce_{2}, A D_{2}, M_{2}\right)\) that happens to produce the same ciphertext-tag pair, we present a method that, for any given \(\left( k_{1}, Nonce, A D_{1}\right)\), computes a different \(\left( k_{2}, Nonce, A D^{*}\right)\) for the key committing attack on Tiaoxin-346. By choosing the values of \(A D^{*}\) appropriately, we create an internal collision during the seventh round of the associated data processing phase. The attack has far lower computational complexity than the generic attack, showing that Tiaoxin-346 does not provide key commitment security. The approach developed here is not specific to Tiaoxin-346 and could be extended to other authenticated encryption schemes whose state update absorbs associated data in a similar way. Our results offer insights for improving the security of cryptographic systems and for the design of internal state update functions in encryption algorithms. Since the attack is formulated within the more stringent FROB framework, the underlying technique also applies in the more relaxed commitment frameworks.