Generalized MitM attacks on full TWINE

https://doi.org/10.1016/j.ipl.2015.09.011

Highlights

  • Presented a generalized Meet-in-the-Middle attack.

  • The key is partitioned into n ≥ 3 subsets, which are not necessarily independent.

  • Showed how to combine the attack with a splice-and-cut approach.

  • Applied the attack to TWINE-80 and TWINE-128.

Abstract

TWINE is a lightweight block cipher which employs a generalized Feistel structure with 16 nibble-blocks. It has two versions, TWINE-80 and TWINE-128, both of which have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we propose a low data complexity key recovery attack on the full cipher. This attack is inspired by the 3-subset Meet-in-the-Middle (MitM) attack. However, in our attack, we remove the restrictions of the 3-subset MitM by allowing the key to be partitioned into n ≥ 3 subsets and by not restricting these subsets to be independent. To improve the computational complexity of the attack, we adopt a recomputation strategy similar to the one used in the original biclique attack. Adopting this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 2^78.74 and 2^126.1, respectively. Both attacks require only two plaintext–ciphertext pairs. Furthermore, by combining our technique with a splice-and-cut approach, we gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext–ciphertext pairs.

Introduction

Recently, there has been a rapid increase in the use of resource-constrained devices such as wireless sensor networks and RFIDs. The limited resources (e.g., memory, battery life and processing power) available on these devices impose challenging requirements on the cryptographic primitives that can be deployed on them. Over the past few years, several new lightweight block ciphers were proposed (e.g., PRESENT [5], KATAN/KTANTAN [8], Zorro [11], HIGHT [12], and TWINE [15], [16]). These ciphers use new design concepts that aim to reduce the algorithm footprint on resource-constrained devices. In particular, the majority of these lightweight ciphers tend to employ simple key schedules with relatively slow diffusion. Therefore, it seems intuitive to develop advanced variants of the basic MitM attack in order to evaluate the security margins of these ciphers. At the ECRYPT workshop on lightweight cryptography, TWINE was proposed by Suzaki et al. [15]. Afterwards, it was presented at SAC 2012 [16]. TWINE adopts a generalized Feistel structure with 16 nibble-blocks. It has two versions, TWINE-80 and TWINE-128, both with a block length of 64 bits; both iterate over 36 rounds and employ keys of length 80 and 128 bits, respectively. While the encryption/decryption structures of both variants of the cipher are identical, each variant has its own key scheduling algorithm.

In this paper, we present a low data complexity attack on both TWINE-80 and TWINE-128 in the single key attack model. Our attack can be seen as a generalization of the 3-subset MitM attack that partitions the key into 3 disjoint subsets [6]. In this generalized attack, we allow the key to be partitioned into n ≥ 3 subsets and we do not restrict these subsets to be independent. These n subsets are used in the forward and backward computations of the MitM attack, and the effect of dependency is handled by a re-computation technique in a manner similar to the recomputation phase of the biclique cryptanalysis [3], [4], [17]. Using this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 2^78.74 and 2^126.1, respectively. Both attacks require only two plaintext–ciphertext pairs, which is equal to the unicity distance of the cipher. Furthermore, by combining our technique with a splice-and-cut approach, we can gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext–ciphertext pairs. In particular, using 2^32 chosen plaintext–ciphertext pairs, the time complexity is reduced to 2^78.63 and 2^125.97 for TWINE-80 and TWINE-128, respectively.

It should be noted that biclique cryptanalysis of TWINE was presented in [9], [13] and a multidimensional MitM attack was presented in [7] (see also [18]). Recently, Biryukov et al. presented a MitM attack on TWINE-128 reduced to 25 rounds. The attack data, time and memory complexities are given by 2^48, 2^124.7 and 2^109, respectively [2]. The only attack that considers the full versions of TWINE-80 and TWINE-128 is the biclique cryptanalysis in [9], with time complexities of 2^79.1 and 2^126.82, respectively. The data complexity of this attack is 2^60 for the two variants of TWINE, which is clearly not practical given the nature of the lightweight environment in which these ciphers are likely to be deployed. Table 1 and Table 2 contrast our results with the previous cryptanalytic results, in the single key model, on the full versions of TWINE-80 and TWINE-128, respectively.

The rest of the paper is organized as follows. Section 2 presents an overview of the original 3-subset MitM attack. In Section 3, we provide the notation used throughout the rest of this paper and a brief description of TWINE. Our attack is presented in Section 4. The combination of our new attack with the splice-and-cut attack is presented in Section 5. Finally, we conclude our work in Section 6.


An overview of the three-subset Meet-in-the-Middle attack

A 3-subset MitM attack [6] is a generalization of the basic MitM attack, which was originally proposed by Diffie and Hellman [10]. The two main stages of this attack are:

  1. MitM stage: responsible for filtering out some wrong key candidates, thereby reducing the remaining key search space.

  2. Key testing stage: responsible for finding the right key among the remaining key candidates in a brute-force manner.

Let E_K : {0,1}^b → {0,1}^b be an r-round block cipher with b-bit block length and k-bit
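As an added illustration of the two stages (not code from the paper), the following Python toy runs a 3-subset MitM key recovery on a constructed 2-round, 16-bit TWINE-like nibble cipher whose 12-bit key is partitioned as A0 = {a0} (used in both rounds), A1 = {a1} (round 1 only) and A2 = {a2} (round 2 only); the cipher, its key schedule, the secret key and the plaintexts are all assumptions made for this example.

```python
# Toy 3-subset MitM (constructed example, not TWINE and not the paper's code):
# a 2-round, 16-bit generalized Feistel cipher with 4 nibbles and two keyed
# S-box functions per round. The key schedule is chosen so that a0 is used in
# both rounds, a1 only in round 1 and a2 only in round 2 (independent subsets).
SBOX = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
        0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]   # TWINE's 4-bit S-box

def split(x):
    return [(x >> (4 * i)) & 0xF for i in range(4)]
def join(n):
    return sum(v << (4 * i) for i, v in enumerate(n))

def round_fn(x, rk):
    # rk = (rk0, rk1): X[1] ^= S(X[0] ^ rk0), X[3] ^= S(X[2] ^ rk1),
    # then rotate the nibbles one position (the toy nibble permutation).
    n = split(x)
    n[1] ^= SBOX[n[0] ^ rk[0]]
    n[3] ^= SBOX[n[2] ^ rk[1]]
    return join([n[1], n[2], n[3], n[0]])

def round_inv(y, rk):
    m = split(y)
    n = [m[3], m[0], m[1], m[2]]                   # undo the rotation
    n[1] ^= SBOX[n[0] ^ rk[0]]                     # XOR is its own inverse
    n[3] ^= SBOX[n[2] ^ rk[1]]
    return join(n)

def encrypt(p, key):
    a0, a1, a2 = key                               # three 4-bit key nibbles
    return round_fn(round_fn(p, (a0, a1)), (a0, a2))

def mitm_recover(pairs):
    """Return (MitM-stage survivors, keys that also pass key testing)."""
    p, c = pairs[0]
    survivors = []
    for a0 in range(16):                           # guess the shared subset A0
        fwd = {}
        for a1 in range(16):                       # forward: P -> state v after round 1
            fwd.setdefault(round_fn(p, (a0, a1)), []).append(a1)
        for a2 in range(16):                       # backward: C -> state v before round 2
            for a1 in fwd.get(round_inv(c, (a0, a2)), []):
                survivors.append((a0, a1, a2))     # forward and backward values meet
    # Key testing stage: brute-force check of the survivors on the remaining pairs.
    keys = [k for k in survivors if all(encrypt(q, k) == d for q, d in pairs[1:])]
    return survivors, keys

def demo():
    secret = (0x3, 0x7, 0xB)                       # constructed secret key
    pairs = [(pt, encrypt(pt, secret)) for pt in (0x1234, 0xBEEF)]
    return mitm_recover(pairs)
```

The MitM stage costs 16 × (16 + 16) = 512 single-round computations instead of 4096 full encryptions, and the 16-bit match on v leaves only a handful of candidates for the key testing stage.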

Specifications of TWINE

The following notation will be used throughout the rest of the paper:

  • K: the master key.

  • RK_i: the 32-bit key used in round i.

  • K_i: the 80 or 128 bits generated from K after i rounds, from which the round key RK_i is obtained.

  • K_i[j]: the j-th nibble of K_i. Nibble indices begin at 0.

  • K_i[i, j, …, l]: the i-th, j-th, …, and l-th nibbles of K_i.

  • X_i: the 16 4-bit nibbles output by round i.

  • X_i[j]: the j-th nibble of X_i.

  • X_i[i, j, …, l]: the i-th, j-th, …, and l-th nibbles of X_i.

Proposed attack

In order to apply the 3-subset MitM attack, one needs to find two independent subsets, A1 and A2, from the master key bits. Finding these two subsets is hard, and possibly no two independent subsets can cover the whole cipher. We solve this problem by relaxing this condition. More precisely, in our attack, the n ≥ 3 subsets produced by the key partitioning process are allowed to be dependent. However, using these dependent subsets raises a new problem of how to efficiently compute the inner state

A generalized MitM attack on TWINE with splice-and-cut

Several improvements to the basic 3-subset MitM attack have been presented. One of these improvements is the splice-and-cut technique that was proposed by Aoki and Sasaki [1] to present a preimage attack on the SHA-0 and SHA-1 hash functions. As depicted in Fig. 4, this technique differs from the basic 3-subset MitM attack in that the beginning of the forward/backward directions is not restricted to the plaintext/ciphertext. Instead, we may choose any intermediate variable X, partially decrypt X

Conclusion

We presented a low data complexity key recovery attack on TWINE-80 and TWINE-128. Our attack generalizes the original 3-subset MitM attack by allowing the key to be partitioned into n ≥ 3, possibly dependent, subsets. It also utilizes some ideas from the recomputation phase of the biclique cryptanalysis to reduce the time complexity of the attack. Combining this attack with the splice-and-cut technique allows for some data-time trade-off. To the best of our knowledge, both proposed attacks present

Acknowledgements

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped improve the quality of the paper. This work is supported in part by the Natural Sciences and Engineering Research Council of Canada under Grant N00930.

References

  • F. Karakoç et al., Biclique cryptanalysis of LBlock and TWINE, Inf. Process. Lett. (2013).

  • K. Aoki et al., Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1.

  • A. Biryukov et al., Differential analysis and meet-in-the-middle attack against round-reduced TWINE.

  • A. Bogdanov et al., Bicliques with minimal data and time complexity for AES.

  • A. Bogdanov et al., Biclique cryptanalysis of the full AES.

  • A. Bogdanov et al., PRESENT: an ultra-lightweight block cipher.

  • A. Bogdanov et al., A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN.

  • O. Boztaş et al., Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128.

  • C. Cannière et al., KATAN and KTANTAN – a family of small and efficient hardware-oriented block ciphers.
