Generalized MitM attacks on full TWINE

TWINE is a lightweight block cipher which employs a generalized Feistel structure with 16 nibble-blocks. It has two versions: TWINE-80 and TWINE-128, both have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we propose a low data complexity key recovery attack on the full cipher. This attack is inspired by the 3-subset Meet-in-the-Middle (MitM) attack. However, in our attack, we remove the restrictions of the 3-subset MitM by allowing the key to be partitioned into n ? 3 subsets and by not restricting these subsets to be independent. To improve the computational complexity of the attack, we adopt a recomputation strategy similar to the one used in the original biclique attack. Adopting this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 278.74 and 2126.1, respectively. Both attacks require only two plaintext-ciphertext pairs. Furthermore, by combining our technique with a splice-and-cut approach, we gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext-ciphertext pairs. Presented a generalized Meet-in-the-Middle attack.The key is partitioned into n ? 3 subsets, which are not necessarily independent.Showed how to combine the attack with a splice-and-cut approach.Applied the attack to TWINE-80 and TWINE-128.

[1]  Jongsung Kim,et al.  HIGHT: A New Block Cipher Suitable for Low-Resource Device , 2006, CHES.

[2]  Kazuhiko Minematsu,et al.  $\textnormal{\textsc{TWINE}}$ : A Lightweight Block Cipher for Multiple Platforms , 2012, Selected Areas in Cryptography.

[3]  Ferhat Karakoç,et al.  Multidimensional Meet-in-the-Middle Attacks on Reduced-Round TWINE-128 , 2013, LightSec.

[4]  Christophe De Cannière,et al.  KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers , 2009, CHES.

[5]  Alex Biryukov,et al.  Differential Analysis and Meet-in-the-Middle Attack Against Round-Reduced TWINE , 2015, FSE.

[6]  Hongjun Wu,et al.  Improving the Biclique Cryptanalysis of AES , 2015, ACISP.

[7]  Ferhat Karakoç,et al.  Biclique Cryptanalysis of TWINE , 2012, CANS.

[8]  T. Suzaki,et al.  TWINE : A Lightweight , Versatile Block Cipher , 2011 .

[9]  Andrey Bogdanov,et al.  Note of Multidimensional MITM Attack on 25-Round TWINE-128 , 2014, IACR Cryptol. ePrint Arch..

[10]  Andrey Bogdanov,et al.  A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN , 2010, IACR Cryptol. ePrint Arch..

[11]  A. Emre Harmanci,et al.  Biclique cryptanalysis of LBlock and TWINE , 2013, Inf. Process. Lett..

[12]  Christian Rechberger,et al.  On Bruteforce-Like Cryptanalysis: New Meet-in-the-Middle Attacks in Symmetric Cryptanalysis , 2012, ICISC.

[13]  Andrey Bogdanov,et al.  Biclique Cryptanalysis of the Full AES , 2011, ASIACRYPT.

[14]  Yu Sasaki,et al.  Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1 , 2009, CRYPTO.

[15]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[16]  Whitfield Diffie,et al.  Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard , 1977, Computer.

[17]  María Naya-Plasencia,et al.  Block Ciphers That Are Easier to Mask: How Far Can We Go? , 2013, CHES.

[18]  Andrey Bogdanov,et al.  Bicliques with Minimal Data and Time Complexity for AES , 2014, ICISC.