Abstract
TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best when other cryptanalysis methods are considered, our algorithm, which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively, shows some novelty. In addition, we give some observations which may be used to mount other types of attacks. Overall, making use of some complicated subkey relations and a time-memory tradeoff trick, the time, data and memory complexities of attacking 23-round TWINE-80 are \(2^{79.09}\) 23-round encryptions, \(2^{57.85}\) chosen plaintexts and \(2^{78.04}\) blocks respectively. The impossible differential attack on 24-round TWINE-128 needs \(2^{58.1}\) chosen plaintexts, \(2^{126.78}\) 24-round encryptions and \(2^{125.61}\) blocks of memory.
This work is partially supported by the National 973 Program of China (Grant No. 2013CB834205), and the National Natural Science Foundation of China (Grant No. 61133013).
Notes
1. Reference [15] ignores some known constants \(C_H^r\), \(C_L^r\) in their subkey relations.
References
Bogdanov, A., Boura, C., Rijmen, V., Wang, M., Wen, L., Zhao, J.: Key difference invariant bias in block ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 357–376. Springer, Heidelberg (2013)
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
Boztaş, Ö., Karakoç, F., Çoban, M.: Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 55–67. Springer, Heidelberg (2013)
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — a family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)
Çoban, M., Karakoç, F., Boztaş, Ö.: Biclique cryptanalysis of TWINE. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 43–55. Springer, Heidelberg (2012)
Gong, Z., Nikova, S., Law, Y.W.: KLEIN: a new family of lightweight block ciphers. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer, Heidelberg (2012)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
Hong, D., et al.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)
Knudsen, L.R.: DEAL - a 128-bit block cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998)
Knudsen, L., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: a block cipher for IC-printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010)
Leander, G., Paar, C., Poschmann, A., Schramm, K.: New lightweight DES variants. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007)
Mace, F., Standaert, F.X., Quisquater, J.J.: ASIC implementations of the block cipher SEA for constrained applications. In: Proceedings of the Third International Conference on RFID Security (2007). http://www.rfidsec07.etsit.uma.es/confhome.html
Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011)
Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight, versatile block cipher. In: ECRYPT Workshop on Lightweight Cryptography, Louvain-la-Neuve, Belgium, 28–29 November 2011
Wu, W., Zhang, L.: LBLOCK: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)
Appendices
A
The following equations are deduced from the TWINE-80 key schedule.
As can be seen from the above equations, \(\mathcal {K}_2= (RK^{21}_{[4,7]}, RK^{22}_{[0,2,4,6]}, RK^{23}_{[4,6]})\) can be computed from \((\mathcal {K}_0, \mathcal {K}_1)= (RK^1_{[0,1,2,3,5,6,7]}, RK^2_{[2,4,6,7]}, RK^{22}_{[1,3,5]}, RK^{23}_{[0,1,2,3,5,7]})\) successively according to equations \(f_1\), \(f_3\), \(f_5\), \(f_6\), \(f_7\), \(f_4\), \(f_8\), \(f_2\) in \(87/(23\cdot 24)\) Xor \(=2^{-2.67}\) encryptions.
As can be seen from the above equations, the nine partial master keys \((k2, k5, k7, k9, k10, k11, k12, k13, k18)\) can be computed in \(114/(23\cdot 24)\) encryptions \(=2^{-2.276}\) encryptions.
The following equations are deduced from the TWINE-128 key schedule.
B
It is obvious that the values of \(\#RK^1_0\), \(\#RK^1_5\), \(\#RK^1_6\), \(\#RK^{23}_2\), \(\#RK^{23}_4\), \(\#RK^{23}_5\), \(\#RK^{23}_6\), \(\#RK^{22}_1\) are all \(\frac{16}{7}\) for each plaintext-ciphertext pair when these subkeys pass the differential path with known \(RK^{23}_0\). Besides, \(RK^{23}_3\) passes the truncated differential with probability \((\frac{7}{16})^3\), so \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\) for each accurate plaintext-ciphertext pair. Furthermore, once an \(RK^1_7\) that passes the differential path is known, \(\#RK^2_7=\frac{16}{7}\); once an \(RK^1_1\) that passes the differential path is known, \(\#RK^2_2=\frac{16}{7}\); once an \(RK^{23}_3\) that passes the differential path is known, \(\#RK^{22}_2=\frac{16}{7}\); once an \(RK^{22}_6\) that passes the differential path is known, \(\#RK^{21}_4=\frac{16}{7}\) with the known \(RK^{23}_7\); once an \(RK^{23}_1\) that passes the differential path is known, \(\#RK^{22}_3=\frac{16}{7}\).
Therefore, it is easy to compute the value of loops \(l_i\) with the above knowledge and Observation 8.
The following is a time estimation for substep (1.2.7) to substep (1.2.10) in the key recovery algorithm.
As shown in the proof of Observation 8, the computation of \(RK^1_2\) for each \((RK^1_6,RK^2_6)\) can be done in much less than one encryption. Therefore, \(\#RK^1_6=\frac{16}{7}\) and \(\#RK^2_6=2^4\) indicate that the time for computing \(RK^1_2\) is less than \(\frac{16}{7}\cdot 2^4\) encryptions.
Similarly, since \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\) and \(\#RK^{23}_6=\frac{16}{7}\), the time for computing \(RK^{22}_4\) is less than \(2^4\cdot (\frac{7}{16})^2\) encryptions. Because \(\#RK^{23}_2\), \(\#RK^{23}_4\) and \(\#RK^{23}_5\) are all \(\frac{16}{7}\), and \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\), the time for computing \(RK^{22}_0\) is less than \(2^4\) encryptions. By Observation 8, the number of values of \(RK^{22}_0\) is \(\frac{16}{7}\) for each \(RK^{23}_{[2,3,4,5]}\). Hence the time for computing \(RK^{21}_7\) is less than \(\frac{16}{7}\cdot 2^4\) encryptions.
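The factors \(\frac{16}{7}\) and \(\frac{7}{16}\) used in this appendix come from the difference distribution table of the 4-bit S-box. The following is an added example, not code from the paper: it assumes the S-box table of the TWINE specification (the table does not appear on this page) and that a subkey nibble is XORed in before the S-box; all function names are illustrative.

```python
from fractions import Fraction

# TWINE 4-bit S-box. Assumption: this table is not on the page; it is the
# S-box of the TWINE specification, supplied here for the added example.
SBOX = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
        0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]

def ddt(sbox):
    """Difference distribution table: t[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

def reachable_counts(sbox):
    """Per nonzero input difference: number of possible output differences."""
    t = ddt(sbox)
    n = len(sbox)
    return [sum(1 for b in range(n) if t[a][b]) for a in range(1, n)]

def pass_probability(sbox):
    """Chance that an arbitrary 4-bit output difference is reachable."""
    counts = reachable_counts(sbox)
    return Fraction(sum(counts), len(counts) * len(sbox))

def surviving_keys(sbox, x, x2, out_diff):
    """Subkey nibbles k with S(x ^ k) ^ S(x2 ^ k) == out_diff."""
    return [k for k in range(len(sbox))
            if sbox[x ^ k] ^ sbox[x2 ^ k] == out_diff]

def average_surviving_keys(sbox):
    """Mean count of surviving subkey nibbles over all reachable (a, b)."""
    t = ddt(sbox)
    n = len(sbox)
    entries = [t[a][b] for a in range(1, n) for b in range(n) if t[a][b]]
    return Fraction(sum(entries), len(entries))

if __name__ == "__main__":
    print("reachable output differences per row:", reachable_counts(SBOX))
    print("pass probability:", pass_probability(SBOX))
    print("average surviving subkey nibbles:", average_surviving_keys(SBOX))
    # Constructed pair: inputs 0x0 and 0x1, required output difference 0xC.
    print("keys for (0, 1) -> 0xC:", surviving_keys(SBOX, 0x0, 0x1, 0xC))
```

Each nonzero input difference reaches exactly seven output differences, which gives the \(\frac{7}{16}\) filtering probability per S-box and an average of \(\frac{16}{7}\) subkey nibbles per pair that does pass.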
C
This appendix gives a detailed description of the Key Recovery algorithm for TWINE-128. Before introducing the algorithm, an observation similar to Observation 8 used in attacking TWINE-80 is given, followed by some precomputed tables for \(g_i\) functions.
Observation C.1
For a plaintext-ciphertext pair satisfying the input-output difference relations in Observation 7, the following can be deduced according to the differential path in attacking TWINE-128.
- (1) Given \(RK^{21}_2,RK^{22}_3,RK^{24}_0,RK^{24}_6\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^{23}_1\) on average can pass the path and be computed;
- (2) Given \(RK^{24}_{[1,5,7]},RK^{23}_3,RK^{22}_2,RK^{21}_0\) that pass the differential path, then \((\frac{16}{7})^2\) values of \(RK^{22}_0\) on average can pass the path and be computed; and then if \(RK^{24}_3\) is also known, then \(\frac{16}{7}\) values of \(RK^{23}_2\) on average can pass the path and be computed;
- (3) Given \(RK^1_0,RK^2_0,RK^3_0,RK^1_5,RK^3_1\) that pass the differential path, then \((\frac{16}{7})^2\) values of \(RK^4_0\) on average can pass the path and be computed;
- (4) Given \(RK^1_6,RK^3_1\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^2_5\) on average can pass the path and be computed;
- (5) Given \(RK^1_2,RK^1_7,RK^2_6,RK^3_5\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^1_3\) on average can pass the path and be computed; and then if \(RK^3_3\) is also known, then \((\frac{16}{7})^2\) values of \(RK^2_4\) on average can pass the path and be computed.
Proof. Making use of the differential path and the equations \(RK^4_1=RK^1_3\), \(RK^5_0=RK^1_5\) and \(RK^{20}_1=RK^{24}_5\), it is easy to prove the above observation similarly to the proof in Observation 8.
The following tables \(KT^{'}_i (i=3,...,9)\) are precomputed for equations \(g_i\) respectively.
Table | Index | Content |
---|---|---|
\(KT^{'}_3\) | \((RK^3_{[0,1]},RK^{21}_0,RK^{22}_2,RK^{23}_5,RK^{24}_2)\) | \(RK^{23}_7\) |
\(KT^{'}_4\) | \((RK^1_5,RK^2_3,RK^3_1,RK^{22}_6,RK^{23}_0,RK^{24}_{[2,3]})\) | \(RK^{21}_2\) |
\(KT^{'}_5\) | \((RK^1_{[0,1]},RK^3_5,RK^{22}_{[0,2]},RK^{23}_{[1,2,4]},RK^{24}_{[5,7]})\) | \(RK^4_0\) |
\(KT^{'}_6\) | \((RK^1_{[0,7]},RK^2_{[4,5]},RK^3_5,RK^{22}_{[0,2]},RK^{23}_{[1,2,3,4,7]},RK^{24}_{[5,7]})\) | \(RK^2_4\) |
\(KT^{'}_7\) | \((RK^1_{[2,4,6]},RK^2_{[0,2,3,7]},RK^3_{[1,3]},RK^{21}_2,RK^{22}_6,RK^{23}_{[0,3]},RK^{24}_{[4,5]})\) | \(RK^{23}_3\) |
\(KT^{'}_8\) | \((RK^1_{[2,4,6]},RK^2_{[0,2,6,7]},RK^3_{[1,3,5]},RK^{22}_0,RK^{23}_{[0,1,2,4]},RK^{24}_{[4,5,7]})\) | \(RK^3_5\) |
\(KT^{'}_9\) | \((RK^1_{[2,4,5,6]},RK^2_{[2,3,7]},RK^3_{[0,1,3]},RK^{21}_{[0,2]},RK^{22}_6,RK^{23}_{[0,5]},RK^{24}_{[1,4]})\) | \(RK^3_3\) |
As can be seen from Algorithm C.2, the time for combining all the subkeys involved in attacking TWINE-128 is \(l_1\cdot (5+l_2\cdot (13+l_3\cdot (1+3+1+\frac{16}{7}+l_4\cdot (1+l_{5.1}\cdot (1+\frac{16}{7}+l_{5.2}\cdot (1+l_6\cdot (1+1+\frac{16}{7}+1+l_{7.1} \cdot (1+l_{7.2}\cdot (1+l_8\cdot (2+(\frac{16}{7})^2\cdot 2^{-4}\cdot l_9\cdot 2))))))))))=2^{45.48}\) xor \(=2^{36.31}\) 24-round encryptions.
D
© 2014 Springer International Publishing Switzerland
Cite this paper
Zheng, X., Jia, K. (2014). Impossible Differential Attack on Reduced-Round TWINE. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science, vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_8
DOI: https://doi.org/10.1007/978-3-319-12160-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12159-8
Online ISBN: 978-3-319-12160-4