Impossible Differential Attack on Reduced-Round TWINE

Abstract

TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are \(2^{79.09}\) 23-round encryptions, \(2^{57.85}\) chosen plaintexts and \(2^{78.04}\) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs \(2^{58.1}\) chosen plaintexts, \(2^{126.78}\) 24-round encryptions and \(2^{125.61}\) blocks of memory.

This work is partially supported by the National 973 Program of China (Grant No. 2013CB834205), and the National Natural Science Foundation of China (Grant No. 61133013).

Appendices

A

The following equations are deduced from the TWINE-80 key schedule.

$$\begin{aligned} f_1=&\;RK^2_2\oplus s[RK^2_7]\oplus RK^{22}_2\oplus s[RK^{23}_1\oplus C_H^{22}\oplus C_L^{19}]\oplus C_H^7\oplus C_L^4=0 \\ f_2=&\;RK^{22}_4\oplus RK^2_4\oplus C_H^{14}\oplus C_L^{11}\oplus s[C_H^9\oplus C_L^6\oplus RK^{21}_7\oplus s[RK^{22}_6\oplus C_L^{21}]]\oplus s[RK^{22}_3\oplus C_H^{17}\oplus C_L^{14}\\&\;\oplus s[RK^{23}_0\oplus C_H^{12}\oplus C_L^9]\oplus s[RK^1_1\oplus s[RK^{23}_4\oplus C_H^{15}\oplus C_L^{12}]]\oplus s[RK^{23}_0\oplus C_H^{12}\oplus C_L^9]]=0\\ f_3=&\;RK^2_6\oplus C^4_H\oplus C^1_L\oplus C^{21}_L\oplus RK^{22}_6\oplus s[RK^{22}_5\oplus C^{19}_H\oplus C^{16}_L]\oplus s[RK^{22}_2]=0\\ f_4=&\;RK^{23}_0\oplus RK^{23}_4\oplus C_H^{15}\oplus C_L^{12}\oplus s[RK^1_5\oplus s[C_H^{13}\oplus C_L^{10}\oplus RK^{21}_4]]\oplus C_H^{12}\oplus C_L^9\\&\;\oplus s^{-1}[RK^1_7\oplus C_H^9\oplus C_L^6\oplus RK^{21}_7\oplus s[RK^{22}_6\oplus C_L^{21}]]=0\\ f_5=&\;RK^{23}_3\oplus RK^1_5\oplus C_H^{18}\oplus C_L^{15}\oplus s[RK^{21}_4\oplus C_H^{13}\oplus C_L^{10}]\\&\;\oplus s[RK^{22}_1\oplus s[RK^2_6\oplus C_H^4\oplus C_L^1\oplus s[RK^{22}_5\oplus C_H^{19}\oplus C_L^{16}]]\oplus C_H^{21}\oplus C_L^{18}]=0\\ f_6=&\;RK^{23}_5\oplus s[C_H^{15}\oplus C_L^{12}\oplus RK^{23}_4]\oplus C_H^{20}\oplus C_L^{17}\oplus RK^1_1\oplus s[RK^1_6\oplus C_H^3\oplus s[C_H^{18}\oplus C_L^{15}\oplus RK^{23}_3]]=0\\ f_7=&\;RK^{23}_6\oplus s[C_H^{20}\oplus C_L^{17}\oplus RK^{23}_5]\oplus s[RK^{23}_2]\oplus s^{-1}[RK^2_7\oplus RK^1_0]\oplus C_H^5\oplus C_L^2\oplus C_L^{22}=0\\ f_8=&\;s^{-1}[RK^{23}_7\oplus RK^{22}_0]\oplus s[RK^{21}_7]\oplus s[C_H^{21}\oplus C_L^{18}\oplus RK^{22}_1]\oplus RK^1_2\oplus C_H^6\oplus C_L^3\oplus s[RK^1_7]=0 \end{aligned}$$

As can be seen from the above equations, \(\mathcal {K}_2= (RK^{21}_{[4,7]}, RK^{22}_{[0,2,4,6]}, RK^{23}_{[4,6]})\) can be computed from \((\mathcal {K}_0, \mathcal {K}_1)= (RK^1_{[0,1,2,3,5,6,7]}, RK^2_{[2,4,6,7]}, RK^{22}_{[1,3,5]}, RK^{23}_{[0,1,2,3,5,7]})\) successively according to equations \(f_1\), \(f_3\), \(f_5\), \(f_6\), \(f_7\), \(f_4\), \(f_8\), \(f_2\) in \(87/(23\cdot 24)\) Xor \(=2^{-2.67}\) encryptions.

$$\begin{aligned} k_9=&\; s^{-1}[RK^1_7\oplus C_H^9\oplus C_L^6\oplus RK^{21}_7\oplus s[RK^{22}_6\oplus C_L^{21}]] \oplus s[RK^2_2\oplus s[RK^2_7]]\\ k_{10}=&\; RK^{22}_3\oplus C_H^{17}\oplus C_L^{14}\oplus s[RK^{23}_0\oplus C_H^{12}\oplus C_L^9]\oplus s[RK^1_1\oplus s[RK^{23}_4\oplus C_H^{15}\oplus C_L^{12}]]\\ k_5=&\; RK^{22}_0\oplus C_H^{11}\oplus C_L^8\oplus s[RK^1_2\oplus s[RK^1_7]]\oplus s[RK^2_4\oplus s[RK^1_7\oplus s[k_9\oplus s[RK^2_2\oplus s[RK^2_7]]]]]\\ k_{11}=&\; RK^{23}_1\oplus C_H^2\oplus C_H^{22}\oplus C_L^{19}\oplus s[RK^{22}_3\oplus C_H^{17}\oplus C_L^{14}]\oplus s[s^{-1}[RK^2_7\oplus RK^1_0]\\&\;\oplus C_H^5\oplus C_L^2\oplus s[RK^{23}_5\oplus C_H^{20}\oplus C_L^{17}]]\\ k_{18}=&\; RK^{22}_5\oplus C_H^{19}\oplus C_L^{16}\oplus s[RK^{22}_4\oplus C_H^{14}\oplus C_L^{11}]\oplus s[k_{11}\oplus C_H^2\oplus s[RK^{22}_3\oplus C_H^{17}\oplus C_L^{14}]]\\ k_7=&\;RK^{22}_1\oplus C_H^1\oplus C_H^{21}\oplus C_L^{18}\oplus s[RK^1_3\oplus s[RK^{22}_0\oplus C_H^{11}\oplus C_L^8]\oplus s[k_{18}\oplus s[RK^{22}_4\\&\;\oplus C_H^{14}\oplus C_L^{11}]]]\oplus s[RK^2_6\oplus C_H^4\oplus s[RK^{22}_5\oplus C_H^{19}\oplus C_L^{16}]]\\ k_2=&\;RK^{23}_4\oplus C_H^{15}\oplus C_L^{12}\oplus s[RK^2_7\oplus s[RK^{21}_4\oplus C_H^{13}\oplus C_L^{10}\oplus s[RK^1_3\oplus s[RK^{22}_0\\&\;\oplus C_H^{11}\oplus C_L^8]]]]\oplus s[RK^1_5\oplus s[RK^{21}_4\oplus C_H^{13}\oplus C_L^{10}]]\\ k_{12}=&\;RK^{23}_2\oplus C_H^8\oplus C_L^5\oplus s[k_5\oplus s[RK^1_2\oplus s[RK^1_7]]]\oplus s[RK^1_6\oplus C_H^3\oplus s[RK^{23}_3\\ {}&\;\oplus C_H^{18}\oplus C_L^{15}]\oplus s[RK^1_2\oplus C_H^6\oplus C_L^3\oplus s[RK^1_7]\oplus s[RK^{22}_1\oplus C_H^{21}\oplus C_L^{18}]]]\\ k_{13}=&\; RK^{21}_4\oplus C_H^{13}\oplus C_L^{10}\oplus s[k_{12}\oplus s[k_5\oplus s[RK^1_2\oplus s[RK^1_7]]]]\oplus s[RK^1_3\oplus s[RK^{22}_0\oplus C_H^{11}\oplus C_L^8]] \end{aligned}$$

As can be seen from the above equations, the nine partial master key \((k2, k5, k7, k9, k10, k11, k12, k13, k18)\) can be computed in \(114/(23\cdot 24)\) encryptions \(=2^{-2.276}\) encryptions.

The following equations are deduced from the TWINE-128 key schedule.

$$\begin{aligned} g_1=&\;RK^{22}_3\oplus s[RK^{23}_5] \oplus C_L^{21}\oplus s^{-1}[RK^{22}_2\oplus RK^1_1]=0\\ g_2=&\; RK^{21}_0\oplus s[RK^{24}_6\oplus s[RK^{24}_7]] \oplus C_H^{12}\oplus C_L^9\oplus RK^2_2\oplus s[RK^1_6]=0\\ g_3=&\; s^{-1}[RK^3_1\oplus RK^{24}_2]\oplus s[RK^{23}_7\oplus s[RK^{22}_2]]\oplus RK^3_0 \oplus s[RK^{23}_5\oplus C_H^{18}\oplus C_L^{15}\oplus s[RK^{21}_0]]=0\\ g_4=&\;C_H^{20}\oplus C_L^{17}\oplus s[RK^{23}_0]\oplus s^{-1}[s^{-1}[RK^{24}_2\oplus RK^3_1]\oplus C_L^{23}\oplus RK^{24}_3]\oplus s^{-1}[RK^1_5\oplus s^{-1}[RK^{22}_6\\&\;\oplus C_H^4\oplus RK^2_3]\oplus s[RK^{21}_2]]=0\\ g_5=&\;RK^1_0\oplus s^{-1}[RK^1_1\oplus RK^{22}_2]\oplus s[RK^4_0\oplus s[RK^{24}_5\oplus C_H^{19}\oplus C_L^{16}\oplus s[RK^{22}_0]]]\oplus s[C_H^{16}\oplus C_L^{13}\oplus s[RK^{23}_4]\\&\;\oplus s^{-1}[RK^{23}_1\oplus C_H^{22}\oplus C_L^{19}\oplus s^{-1}[RK^{24}_7\oplus RK^3_5\oplus s[RK^{23}_2]]]]=0\\ g_6=&\;RK^2_4\oplus s[RK^{22}_0\oplus C_H^{13}\oplus C_L^{10}\oplus s[C_H^7\oplus C_L^4\oplus RK^1_7\oplus s[RK^{23}_2\oplus s[RK^{23}_3\oplus C_L^{22}\oplus s[RK^{24}_5]]]]]\\&\;\oplus s[RK^1_0\oplus s[C_H^{16}\oplus C_L^{13}\oplus s[RK^{23}_4]\oplus s^{-1}[RK^{23}_1\oplus C_H^{22}\oplus C_L^{19}\oplus s^{-1}[RK^{24}_7\oplus RK^3_5\oplus s[RK^{23}_2]]]]]\\&\;\oplus s^{-1}[RK^{23}_7\oplus RK^2_5\oplus s[RK^{22}_2]]=0\\ g_7=&\;C_L^{22}\oplus RK^2_0\oplus RK^{23}_3\oplus s[RK^{24}_5]\oplus s[s^{-1}[RK^{22}_6\oplus C_H^4\oplus RK^2_3]\oplus s[RK^{21}_2]]\oplus s[s^{-1}[RK^{23}_0\oplus C_H^{14}\\&\;\oplus C_L^{11}\oplus s^{-1}[RK^{24}_4\oplus C_H^{11}\oplus C_L^8\oplus RK^1_2\oplus s[C_H^5\oplus RK^3_3]]\oplus s[C_H^8\oplus C_L^5\oplus RK^2_7\oplus s[RK^3_1]]]\\&\;\oplus s[RK^1_4\oplus s[RK^2_2\oplus s[RK^1_6]]]]=0\\ g_8=&\;s^{-1}[RK^3_5\oplus RK^{24}_7\oplus s[RK^{23}_2]]\oplus s^{-1}[RK^{24}_5\oplus C_H^{19}\oplus C_L^{16}\oplus s^{-1}[RK^2_6\oplus C_H^{16}\oplus C_L^{13}\oplus s[RK^{23}_4]\\&\;\oplus s^{-1}[RK^{23}_1\oplus C_H^{22}\oplus C_L^{19}\oplus s^{-1}[RK^{24}_7\oplus RK^3_5\oplus s[RK^{23}_2]]]]\oplus s[RK^{22}_0]]\oplus s[RK^2_0\oplus s[\\&\;s^{-1}[RK^{23}_0\oplus C_H^{14}\oplus C_L^{11}\oplus s^{-1}[RK^{24}_4\oplus C_H^{11}\oplus C_L^8\oplus RK^1_2\oplus s[C_H^5\oplus RK^3_3]]\oplus s[C_H^8\oplus C_L^5\\&\;\oplus RK^2_7\oplus s[RK^3_1]]]\oplus s[RK^1_4\oplus s[RK^2_2\oplus s[RK^1_6]]]]]=0\\ g_9=&\;s^{-1}[RK^1_4\oplus s[RK^2_2\oplus s[RK^1_6]]\oplus s^{-1}[RK^1_5\oplus s^{-1}[RK^{22}_6\oplus C_H^4\oplus RK^2_3]\oplus s[RK^{21}_2]]]\oplus s[RK^3_0\oplus s[\\&\;RK^{23}_5\oplus C_H^{18}\oplus C_L^{15}\oplus s[C_H^{12}\oplus C_L^9\oplus RK^{21}_0\oplus C_H^{12}\oplus C_L^9]]]\oplus s[C_H^{17}\oplus C_L^{14}\oplus s^{-1}[RK^{23}_0\oplus C_H^{14}\oplus C_L^{11}\\&\;\oplus s^{-1}[RK^{24}_4\oplus C_H^{11}\oplus C_L^8\oplus RK^1_2\oplus s[C_H^5\oplus RK^3_3]]\oplus s[C_H^8\oplus C_L^5\oplus RK^2_7\oplus s[RK^3_1]]]\\&\;\oplus s[RK^1_4\oplus s[RK^2_2\oplus s[RK^1_6]]]\oplus s[RK^{24}_4]] \oplus C_H^{23}\oplus C_L^{20}\oplus RK^{24}_1=0 \end{aligned}$$

B

It is obvious that the value of \(\#RK^1_0\), \(\#RK^1_5\), \(\#RK^1_6\), \(\#RK^{23}_2\), \(\#RK^{23}_4\), \(\#RK^{23}_5\), \(\#RK^{23}_6\), \(\#RK^{22}_1\) are all \(\frac{16}{7}\) for each plaintext-ciphertext pair when these subkeys pass the differential path with known \(RK^{23}_0\). Besides, \(RK^{23}_3\) passes the truncated differential with probability \((\frac{7}{16})^3\), so \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\) for each accurate plaintext-ciphertext pair. Furthermore, once \(RK^1_7\) that pass the differential path is known, \(\#RK^2_7=\frac{16}{7}\); once \(RK^1_1\) that pass the differential path is known, \(\#RK^2_2=\frac{16}{7}\); once \(RK^{23}_3\) that pass the differential path is known, \(\#RK^{22}_2=\frac{16}{7}\); once \(RK^{22}_6\) that pass the differential path is known, \(\#RK^{21}_4=\frac{16}{7}\) with the known \(RK^{23}_7\); once \(RK^{23}_1\) that pass the differential path is known, \(\#RK^{22}_3=\frac{16}{7}\).

Therefore, it is easy to compute the value of loops \(l_i\) with the above knowledge and Observation 8.

The following is a time estimation for substep (1.2.7) to substep (1.2.10) in key recovery algorithm.

As showed in the proof of Observation 8, the computation of \(RK^1_2\) for each \((RK^1_6,RK^2_6)\) can be done in much less than one encryption. Therefore, \(\#RK^1_6=\frac{16}{7}\) and \(\#RK^2_6=2^4\) indicate that the time for computing \(RK^1_2\) is less than \(\frac{16}{7}\cdot 2^4\) encryptions.

Similarly, since \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\), \(\#RK^{23}_6=\frac{16}{7}\), the time for computing \(RK^{22}_4\) is less than \(2^4\cdot (\frac{7}{16})^2\) encryptions. Because \(\#RK^{23}_2\), \(\#RK^{23}_4\) and \(\#RK^{23}_5\) are all \(\frac{16}{7}\), and \(\#RK^{23}_3=2^4\cdot (\frac{7}{16})^3\), the time for computing \(RK^{22}_0\) is less than \(2^4\) encryptions. Known from Observation 8, the number of values of \(RK^{22}_0\) is \(\frac{16}{7}\) for each \(RK^{23}_{[2,3,4,5]}\). Hence the time for computing \(RK^{21}_7\) is less than \(\frac{16}{7}\cdot 2^4\) encryptions.

C

This appendix gives a detailed description of the Key Recovery algorithm for TWINE-128. Before introducing the algorithm, an observation similar to Observation 8 used in attacking TWINE-80 is given, followed by some precomputed tables for \(g_i\) functions.

Observation C.1

For a plaintext-ciphertext pair satisfying the input-output difference relations in Observation 7, the following can be deduced according to the differential path in attacking TWINE-128.

1. (1)

   Given \(RK^{21}_2,RK^{22}_3,RK^{24}_0,RK^{24}_6\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^{23}_1\) on average can pass the path and be computed;

2. (2)

   Given \(RK^{24}_{[1,5,7]},RK^{23}_3,RK^{22}_2,RK^{21}_0\) that pass the differential path, then \((\frac{16}{7})^2\) values of \(RK^{22}_0\) on average can pass the path and be computed; and then if \(RK^{24}_3\) is also known, then \(\frac{16}{7}\) values of \(RK^{23}_2\) on average can pass the path and be computed;

3. (3)

   Given \(RK^1_0,RK^2_0,RK^3_0,RK^1_5,RK^3_1\) that pass the differential path, then \((\frac{16}{7})^2\) values of \(RK^4_0\) on average can pass the path and be computed;

4. (4)

   Given \(RK^1_6,RK^3_1\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^2_5\) on average can pass the path and be computed;

5. (5)

   Given \(RK^1_2,RK^1_7,RK^2_6,RK^3_5\) that pass the differential path, then \(\frac{16}{7}\) values of \(RK^1_3\) on average can pass the path and be computed; and then if \(RK^3_3\) is also known, then \((\frac{16}{7})^2\) values of \(RK^2_4\) on average can pass the path and be computed;

Proof. Making use of the differential path and the equations \(RK^4_1=RK^1_3\), \(RK^5_0=RK^1_5\) and \(RK^{20}_1=RK^{24}_5\), it is easy to prove the above observation similarly to the proof in Observation 8.

The following tables \(KT^{'}_i (i=3,...,9)\) are precomputed for equations \(g_i\) respectively.

Table	Index	Content
\(KT^{'}_3\)	\((RK^3_{[0,1]},RK^{21}_0,RK^{22}_2,RK^{23}_5,RK^{24}_2)\)	\(RK^{23}_7\)
\(KT^{'}_4\)	\((RK^1_5,RK^2_3,RK^3_1,RK^{22}_6,RK^{23}_0,RK^{24}_{[2,3]})\)	\(RK^{21}_2\)
\(KT^{'}_5\)	\((RK^1_{[0,1]},RK^3_5,RK^{22}_{[0,2]},RK^{23}_{[1,2,4]},RK^{24}_{[5,7]})\)	\(RK^4_0\)
\(KT^{'}_6\)	\((RK^1_{[0,7]},RK^2_{[4,5]},RK^3_5,RK^{22}_{[0,2]},RK^{23}_{[1,2,3,4,7]},RK^{24}_{[5,7]})\)	\(RK^2_4\)
\(KT^{'}_7\)	\((RK^1_{[2,4,6]},RK^2_{[0,2,3,7]},RK^3_{[1,3]},RK^{21}_2,RK^{22}_6,RK^{23}_{[0,3]},RK^{24}_{[4,5]})\)	\(RK^{23}_3\)
\(KT^{'}_8\)	\((RK^1_{[2,4,6]},RK^2_{[0,2,6,7]},RK^3_{[1,3,5]},RK^{22}_0,RK^{23}_{[0,1,2,4]},RK^{24}_{[4,5,7]})\)	\(RK^3_5\)
\(KT^{'}_9\)	\((RK^1_{[2,4,5,6]},RK^2_{[2,3,7]},RK^3_{[0,1,3]},RK^{21}_{[0,2]},RK^{22}_6,RK^{23}_{[0,5]},RK^{24}_{[1,4]})\)	\(RK^3_3\)

As can be seen from Algorithm C.2, the time for combining all the subkeys involved in attacking TWINE-128 is \(l_1\cdot (5+l_2\cdot (13+l_3\cdot (1+3+1+\frac{16}{7}+l_4\cdot (1+l_{5.1}\cdot (1+\frac{16}{7}+l_{5.2}\cdot (1+l_6\cdot (1+1+\frac{16}{7}+1+l_{7.1} \cdot (1+l_{7.2}\cdot (1+l_8\cdot (2+(\frac{16}{7})^2\cdot 2^{-4}\cdot l_9\cdot 2))))))))))=2^{45.48}\) xor \(=2^{36.31}\) 24-round encryptions.

D

Table D.1. Subkeys of round 1–5 in TWINE-80

Table D.2. Subkeys of round 1–7 in TWINE-128