Generalized MitM attacks on full TWINE
Introduction
Recently, there has been a rapid increase in utilizing resource constrained devices such as wireless sensor networks and RFIDs. The limited resources (e.g., memory, battery life and processing power) available on these devices impose challenging requirements on the cryptographic primitives that can be deployed on them. Over the past few years, several new lightweight block ciphers were proposed (e.g., PRESENT [5], KATAN/KTANTAN [8], Zorro [11], HIGHT [12], and TWINE [15], [16]). These ciphers use new design concepts that aim to reduce the algorithm footprints on resource constrained devices. In particular, the majority of these lightweight ciphers tend to employ simple key schedules with relatively slow diffusion. Therefore, it seems intuitive to develop advanced variants of the basic MitM attack in order to evaluate the security margins of these ciphers. At the ECRYPT workshop on lightweight cryptography, TWINE was proposed by Suzaki et al. [15]. Afterwards, it was presented at SAC 2012 [16]. TWINE adopts a generalized Feistel structure with 16 nibble-blocks. It has two versions: TWINE-80 and TWINE-128, both with a block length of 64 bits, iterate over 36 rounds, and employ keys of length 80 and 128 bits, respectively. While the encryption/decryption structures of both variants of the cipher are identical, each variant has its own key scheduling algorithm.
In this paper, we present a low data complexity attack on both TWINE-80 and TWINE-128 in the single key attack model. Our attack can be seen as a generalization of the 3-subset MitM attack that partitions the key into 3 disjoint subsets [6]. In this generalized attack, we allow the key to be partitioned into n subsets and we do not restrict these subsets to be independent. These n subsets are used in the forward and backward computations of the MitM attack, and the effect of dependency is handled by a re-computation technique in a manner similar to the recomputation phase of the biclique cryptanalysis [3], [4], [17]. Using this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 2^78.74 and 2^126.1, respectively. Both attacks require only two plaintext–ciphertext pairs, which is equal to the unicity distance of the cipher. Furthermore, by combining our technique with a splice-and-cut approach, we can gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext–ciphertext pairs. In particular, using 2^32 chosen plaintext–ciphertext pairs, the time complexity is reduced to 2^78.63 and 2^125.97 for TWINE-80 and TWINE-128, respectively.
It should be noted that biclique cryptanalysis of TWINE was presented in [9], [13] and a multidimensional MitM attack was presented in [7] (see also [18]). Recently, Biryukov et al. presented a MitM attack on TWINE-128 reduced to 25 rounds. The attack data, time and memory complexities are given by and 2^109, respectively [2]. The only attack that considers the full versions of TWINE-80 and TWINE-128 is the biclique cryptanalysis in [9], with time complexities of 2^79.1 and 2^126.82, respectively. The data complexity of this attack is 2^60 for both variants of TWINE, which is clearly not practical given the nature of the lightweight environment in which these ciphers are likely to be deployed. Tables 1 and 2 contrast our results with the previous cryptanalytic results, in the single key model, on the full versions of TWINE-80 and TWINE-128, respectively.
The rest of the paper is organized as follows. Section 2 presents an overview of the original 3-subset MitM attack. In Section 3, we provide the notation used throughout the rest of this paper and a brief description of TWINE. Our attack is presented in Section 4. The combination of our new attack with the splice-and-cut attack is presented in Section 5. Finally, we conclude our work in Section 6.
An overview of the three-subset Meet-in-the-Middle attack
A 3-subset MitM attack [6] is a generalization of the basic MitM attack, which was originally proposed by Diffie and Hellman [10]. The two main stages of this attack are:
1. MitM stage: responsible for filtering out some wrong key candidates, thereby reducing the remaining key search space.
2. Key testing stage: responsible for finding the right key among the remaining key candidates in a brute-force manner.
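As an added illustration of these two stages (constructed for this page; not code from the paper and not TWINE), the following toy cipher has a 20-bit key split into A1 = k1 (used only in the forward half), A2 = k2 (used only in the backward half) and a shared 4-bit A3 = k3. The MitM stage uses one known pair to reduce the 2^20 keys to roughly 2^12 candidates, and the key testing stage brute-forces the survivors against the remaining pairs; the cipher, its key schedule and all function names are assumptions.

```python
# Added toy demonstration of the two-stage 3-subset MitM attack on a constructed
# 4-round, 8-bit block cipher with a 20-bit key (k1, k2, k3): k1 only reaches
# rounds 1-2 (forward), k2 only rounds 3-4 (backward), the 4-bit k3 is shared.
# Constructed for illustration; it is not TWINE and not the paper's code.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
def rotl(x, r):  # 8-bit left rotation
    return ((x << r) | (x >> (8 - r))) & 0xFF
def sub(x, box):  # nibble-wise S-box layer on an 8-bit state
    return (box[x >> 4] << 4) | box[x & 0xF]
def round_keys(k1, k2, k3):
    # k3 enters every round; masks chosen so no two master keys share a round-key sequence
    return [k1 ^ k3, rotl(k1, 3) ^ (k3 << 4), k2 ^ k3, rotl(k2, 5) ^ (k3 << 4)]
def enc_round(x, rk):
    return rotl(sub(x ^ rk, SBOX), 1)
def dec_round(y, rk):
    return sub(rotl(y, 7), INV_SBOX) ^ rk
def encrypt(p, k1, k2, k3):
    for rk in round_keys(k1, k2, k3):
        p = enc_round(p, rk)
    return p
def forward(p, k1, k3):  # rounds 1-2 computed from A1 = k1 and A3 = k3 only
    rk = round_keys(k1, 0, k3)
    return enc_round(enc_round(p, rk[0]), rk[1])
def backward(c, k2, k3):  # rounds 4 and 3 undone from A2 = k2 and A3 = k3 only
    rk = round_keys(0, k2, k3)
    return dec_round(dec_round(c, rk[3]), rk[2])

def mitm_stage(p, c):
    # Stage 1: for each guess of the shared subset A3, match the forward and
    # backward states; only keys that meet in the middle survive.
    candidates = []
    for k3 in range(16):
        table = {}
        for k1 in range(256):
            table.setdefault(forward(p, k1, k3), []).append(k1)
        for k2 in range(256):
            for k1 in table.get(backward(c, k2, k3), []):
                candidates.append((k1, k2, k3))
    return candidates  # ~2^4 * 2^8 * 2^8 / 2^8 = 2^12 survivors out of 2^20 keys
def key_testing_stage(candidates, pairs):
    # Stage 2: brute-force the survivors against the remaining known pairs.
    return [k for k in candidates if all(encrypt(p, *k) == c for p, c in pairs)]
def recover_key(pairs):
    return key_testing_stage(mitm_stage(*pairs[0]), pairs[1:])

# Constructed known-plaintext pairs produced under a secret key.
SECRET = (0x3A, 0xC5, 0x7)
PAIRS = [(p, encrypt(p, *SECRET)) for p in (0x00, 0x5A, 0xA5, 0xFF, 0x13)]
```

With a 20-bit key and an 8-bit block, five pairs are more than the unicity distance, so `recover_key(PAIRS)` returns the single key `SECRET`.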
Specifications of TWINE
The following notation will be used throughout the rest of the paper:
- K: The master key.
- : The 32-bit key used in round i.
- : The 80 or 128 bits generated from K after i rounds to obtain the round key .
- : jth nibble of . The indices of the nibbles begin from 0.
- : ith, jth, ⋯, and lth nibbles of .
- : The 16 4-bit nibbles output of round i.
- : jth nibble of .
- : ith, jth, ⋯, and lth nibbles of .
Proposed attack
In order to apply the 3-subset MitM attack, one needs to find two independent subsets, and , from the master key bits. Finding these two subsets is hard and possibly no two independent subsets can cover the whole cipher. We solve this problem by relaxing this condition. More precisely, in our attack, the subsets produced by the key partitioning process are allowed to be dependent. However, using these dependent subsets raises a new problem of how to efficiently compute the inner state
A generalized MitM attack on TWINE with splice-and-cut
Several improvements to the basic 3-subset MitM attack have been presented. One of these improvements is the splice-and-cut technique that was proposed by Aoki and Sasaki [1] to present a preimage attack on the SHA-0 and SHA-1 hash functions. As depicted in Fig. 4, this technique differs from the basic 3-subset MitM attack in that the beginning of the forward/backward directions is not restricted to the plaintext/ciphertext. Instead, we may choose any intermediate variable X, partially decrypt X
Conclusion
We presented a low data complexity key recovery attack on TWINE-80 and TWINE-128. Our attack generalizes the original 3-subset MitM attack by allowing the key to be partitioned into possibly dependent subsets. It also utilizes some ideas from the recomputation phase of the biclique cryptanalysis to reduce the time complexity of the attack. Combining this attack with the splice-and-cut technique allows for some data–time trade-off. To the best of our knowledge, both proposed attacks present
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped improve the quality of the paper. This work is supported in part by the Natural Sciences and Engineering Research Council of Canada under Grant N00930.
References (18)
- et al., Biclique cryptanalysis of LBlock and TWINE, Inf. Process. Lett. (2013)
- et al., Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1
- et al., Differential analysis and meet-in-the-middle attack against round-reduced TWINE
- et al., Bicliques with minimal data and time complexity for AES
- et al., Biclique cryptanalysis of the full AES
- et al., PRESENT: an ultra-lightweight block cipher
- et al., A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN
- et al., Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128
- et al., KATAN and KTANTAN – a family of small and efficient hardware-oriented block ciphers