Reference : Differential Analysis and Meet-in-the-Middle Attack against Round-Reduced TWINE
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Differential Analysis and Meet-in-the-Middle Attack against Round-Reduced TWINE
Biryukov, Alex mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Derbez, Patrick [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Perrin, Léo Paul mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Fast Software Encryption - 22nd International Workshop, FSE 2015, Istanbul, March 8-11, 2015
Leander, Gregor
Security and Cryptology, 9054
22nd International Workshop on Fast Software Encryption
from 08-03-2015 to 11-03-2015.
[en] TWINE ; LBlock ; Meet-in-the-Middle Attack ; Tuncated Differential Cryptanalysis
[en] TWINE is a recent lightweight block cipher based on a Feistel structure. We first present two new attacks on TWINE-128 reduced to 25 rounds that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity.

Then, we introduce alternative representations of both the round function of this block cipher and of a sequence of 4 rounds. LBlock, another lightweight block cipher, turns out to exhibit the same behaviour. Then, we illustrate how this alternative representation can shed new light on the security of TWINE by deriving high probability iterated truncated differential trails covering 4 rounds with probability $2^{-16}$.

The importance of these is shown by combining different truncated differential trails to attack 23-rounds TWINE-128 and by giving a tighter lower bound on the high probability of some differentials by clustering differential characteristics following one of these truncated trails. A comparison between these high probability differentials and those recently found in a variant of LBlock by Leurent highlights the importance of considering the whole distribution of the coefficients in the difference distribution table of a S-Box and not only their maximum value.
Fonds National de la Recherche - FnR
I2R-DIR-PFN-12ACRY > CORE 2012 C12/IS/4009992 ACRYPT - APllied Cryptography for I > 01/07/2013 - 30/06/2016 > BIRYUKOV Alex

File(s) associated to this reference

Fulltext file(s):

Limited access
twine.pdfAuthor preprint702.89 kBRequest a copy

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.