Integral Cryptanalysis on Reduced-Round Tweakable TWINE
Muhammad ElSheikh, Amr M. Youssef
Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal,Qu´ebec, Canada
CANS 2020 December 14-16, 2020 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Outline
1 Introduction Integral Cryptanalysis Specifications of T-TWINE
2 Integral Distinguishing Attack of T-TWINE
3 Key-recovery Attack of Reduced-Round T-TWINE
4 Conclusion
2 If L E−1(Z) 6= 0, then the guessed rk0 is incorrect. rk0 z∈Z
rk0
Ciphertext Set 0 Erk n Z ⊆ F2 Key Recovery
Z := {Ek(x)| x ∈ X} := {E−1(z)| z ∈ } Y rk0 Z
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Cryptanalysis Integral Cryptanalysis
rk
Plaintext Set ⊆ n n Erk Y F2 X ⊆ F2 Integral characteristic
Y := {Erk(x)| x ∈ X}
Erk has integral characteristic, if L Erk(x) = 0, For all possible rk. x∈X
3 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Cryptanalysis Integral Cryptanalysis
rk rk0
Plaintext Set Ciphertext Set n Y ⊆ F2 0 n Erk Erk n X ⊆ F2 Z ⊆ F2 Integral characteristic Key Recovery
Y := {Erk(x)| x ∈ X} Z := {Ek(x)| x ∈ X} := {E−1(z)| z ∈ } Y rk0 Z
Erk has integral characteristic, if L Erk(x) = 0, For all possible rk. x∈X If L E−1(Z) 6= 0, then the guessed rk0 is incorrect. rk0 z∈Z
3 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Cryptanalysis How to find an integral characteristic?
Propagation of integral property: ALL (A), BALANCE (B), CONSTANT (C), UNKNOWN (U). Exploit algebraic degree. Division property. Introduced by Yosuke Todo at Eurocrypt 2015. bit-based division property, Todo and Morii - FSE 2016.
4 Definition (Bit-based Division Property) n Let X be a multiset whose elements take a value of F2 . When the multiset has the division property D1n ,where denotes a set of X K K n-dimensional vectors whose i-th element takes 0 or 1, it fulfills the following conditions: ( M unknown if there is exist k ∈ K s.t. u k, πu(x) = 0 otherwise. x∈X where u k if u[i] ≥ k[i] ∀i.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property Bit-based Division Property [Todo and Morii, FSE 2016]
Qn u[i] bit-product function: πu(x) = i=1 x[i] , where x[i], u[i] are the i-th bits of x and u respectively. L The parity = πu(x). x∈X
5 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property Bit-based Division Property [Todo and Morii, FSE 2016]
Qn u[i] bit-product function: πu(x) = i=1 x[i] , where x[i], u[i] are the i-th bits of x and u respectively. L The parity = πu(x). x∈X Definition (Bit-based Division Property) n Let X be a multiset whose elements take a value of F2 . When the multiset has the division property D1n ,where denotes a set of X K K n-dimensional vectors whose i-th element takes 0 or 1, it fulfills the following conditions: ( M unknown if there is exist k ∈ K s.t. u k, πu(x) = 0 otherwise. x∈X where u k if u[i] ≥ k[i] ∀i.
5 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property Integral Characteristic and Bit-based Division Property
n x ∈ , D1n y ∈ , D1 X Kx E Y Ky
Let n = 4 and y = (y0, y1, y2, y3), To check if the bit y3 is balanced over Y : L L ? y3 = πv(y)|v=(0,0,0,1) = 0 y∈Y y∈Y
From the definition of the bit-based division property, the bit y3 is balanced iff v = (0, 0, 0, 1) ∈/ Ky
6 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property Bit-based division property practical problem
For n-bit cipher, the complexity of utilizing bit-based division property is roughly equal to 2n. For n > 32, propagation includes large number of vectors in K and it will be infeasible to handle. Solved by Xiang et al. at Asiacrypt 2016 by defining a new notation called Division Trail. With the Division Trail, it becomes easy to model the bit-based division property propagation using Mixed Integer Linear Programming (MILP)
7 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property Propagation rules for COPY, XOR, AND
Operation MILP Model
COPY (a) −−−−→ (b1, b2) a − b1 − b2 = 0
XOR (a1, a2) −−−→ (b) a1 + a2 − b = 0
( AND b − a1 ≥ 0, (a1, a2) −−−→ (b) b − a2 ≥ 0
8 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Bit-based Division Property MILP Model for S-box
1 Represent the S-Box using its algebraic normal form. 2 Represent the division trail though an n-bit S-box as a set of 2n-dimensional binary vectors. 3 Get the H-Representation as a set of linear inequalities that describe these vectors. 4 Use this set of inequalities as MILP constraints to present the division trail though the S-box.
9 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE Outline
1 Introduction Integral Cryptanalysis Specifications of T-TWINE
2 Integral Distinguishing Attack of T-TWINE
3 Key-recovery Attack of Reduced-Round T-TWINE
4 Conclusion
10 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE Block cipher - Tweakable
P
K E
C
11 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE Block cipher - Tweakable
P P
T K E K E
C C
11 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE Block cipher - Tweakable
Mode of Operation Dedicated Structure
P SKINNY QARMA T CRAFT T-TWINE K E
T
C
XEX Mode of operation
12 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE T-TWINE block cipher
1 The first lightweight dedicated TBC that is built on Generalized Feistel Structure (GFS). 2 An extension of the conventional block cipher TWINE. 3 Two variants namely, T-TWINE-80 and T-TWINE-128. 4 Block size of 64 bits, a tweak of 64 bits, and a variable key length of 80 and 128 bits.
13 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE T-TWINE Specifications
Data Processing
i i i i i i i i i i i i i i i i X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 i RK i ti RK i i ti i ti RK i ti i i ti i t5 0 4 1 RK2 3 RK3 2 4 1 RK5 RK6 0 RK7 F F F F F F F F
i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15
S
14 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE T-TWINE Specifications
Key Scheduling Function Algorithm 1: Key Schedule of T-TWINE-80 Data: The 80-bit master key K Result: The round keys RK = RK1||RK2|| · · · ||RK36 k0||k1|| · · · ||k19 ← K; for i ← 1 to 35 do i RK ← k1||k3||k4||k6||k13||k14||k15||k16; k1 ← k1 ⊕ S(k0); k4 ← k4 ⊕ S(k16); i k7 ← k7 ⊕ (0||CONH ); i k19 ← k19 ⊕ (0||CONL); k0|| · · · ||k3 ← Rot4(k0|| · · · ||k3); k0|| · · · ||k19 ← Rot16(k0|| · · · ||k19); end 36 RK ← k1||k3||k4||k6||k13||k14||k15||k16; RK ← RK1||RK2|| · · · ||RK36;
15 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Specifications of T-TWINE T-TWINE Specifications
Tweak Schduleing Function
ti ti+1
t0 t1 t2 t3 t6 t7 t8 t9
t4 t5 t6 t7 t10 t11 t12 t13 πt t8 t9 t10 t11 t14 t15 t1 t0
t12 t13 t14 t15 t4 t2 t3 t5
RT i
16 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Outline
1 Introduction Integral Cryptanalysis Specifications of T-TWINE
2 Integral Distinguishing Attack of T-TWINE
3 Key-recovery Attack of Reduced-Round T-TWINE
4 Conclusion
17 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Distinguishing Attack of T-TWINE Integral distinguishing attack
1 TWINE has 16-round integral distinguisher. 2 Three attack settings: chosen tweak, chosen tweak-plaintext, and chosen tweak-ciphertext. 3 We use the following notation to present the status of each nibble of the tweak, plaintext, and ciphertext C each bit of the nibble is fixed to constant. A all bits of the nibble are active. A˜ all bits of the nibble are active except one bit is constant. B each bit of the nibble is balanced. U a nibble with unknown status.
18 The 11-round distinguisher by the designers Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C A C C C C A A C C C C −−→ B U U U U U U U U U U B U U U U 11R Tweak C C C C C A C C C C A A C C C C −−→ U U U U U U U U U U U B U U U U
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Distinguishing Attack of T-TWINE Chosen Tweak Setting
The 11-round distinguisher Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C C C C C C C C C C A C −−→ U U U U U U U B U U U U U U U U 11R Tweak C C C C C C C C C C C C C C C A −−→ U U U U U B U U U U U B U U U U
19 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Distinguishing Attack of T-TWINE Chosen Tweak Setting
The 11-round distinguisher Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C C C C C C C C C C A C −−→ U U U U U U U B U U U U U U U U 11R Tweak C C C C C C C C C C C C C C C A −−→ U U U U U B U U U U U B U U U U The 11-round distinguisher by the designers Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C A C C C C A A C C C C −−→ B U U U U U U U U U U B U U U U 11R Tweak C C C C C A C C C C A A C C C C −−→ U U U U U U U U U U U B U U U U
19 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Distinguishing Attack of T-TWINE Chosen Tweak-Plaintext Setting
Plaintext A A A A A˜ A A A A A A A A A A A 19R Tweak C C C A A C C C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C C C C C A −−→ U U U U U U U U U U U U U B U U
Plaintext A A A A A A A˜ A A A A A A A A A 19R Tweak C C C C C C A˜ C C C C C C C A C −−→ U U U U U U U U U U U U U U U B 19R Tweak C C C C C C C C C C C C A C A C −−→ U U U U U U U U U U U U U U U B 19R Tweak C C C C C C C C C C C C C C A A˜ −−→ U U U B U U U U U U U U U U U U
Plaintext A A A A A A A A A A A˜ A A A A A 19R Tweak A˜ C C A C C C C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C A C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C A C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C C A C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak A˜ C C C C C C C C C C C A C C C −−→ U U U U U U U B U U U U U U U U 19R Tweak C A C C C C C C C C C C A C C C −−→ U U U U U U U U U U U B U U U U 19R Tweak C C C C A C C C C C C C A C C C −−→ U U U U U U U B U U U B U U U U 19R Tweak C C C C C C C C C A C C A C C C −−→ U U U U U U U B U U U U U U U U 19R Tweak C C C C C C C C C C C A A C C C −−→ U U U U U U U B U U U U U U U U
20 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Integral Distinguishing Attack of T-TWINE Chosen Tweak-Ciphertext Setting
A A A A˜ A A A A A A A A A A A A Ciphertext 19R U U U U U U B U U U U U U U U U ←−− C C C C C C C C C A C C C C A C Tweak 19R U U U U U U B U U U U U U U U U ←−− C C C C C C C C C C C C C C A A˜ Tweak
A A A A A A A A˜ A A A A A A A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− A˜ C C C C C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C A C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C C C C C C A C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C C C C C C C C A A C C C Tweak
A A A A A A A A A A A A˜ A A A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− C A C C C C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C A C C C C C C C A C C C Tweak
A A A A A A A A A A A A A A˜ A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− A˜ C C A C C C C C C C C C C C C Tweak 19R U U U U B U U U U U U U U U U U ←−− C C C A A C C C C C C C C C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C A C C A C C C C C C C C C Tweak 19R U U U U B U U U U U B U U U U U ←−− C C C A C C C C C C C A C C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C A C C C C C C C C A C C C Tweak
A A A A A A A A A A A A A A A A˜ Ciphertext 19R U U U U U U B U U U U U U U U U ←−− C C C C C C A˜ C C C C C C C A C Tweak
21 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Outline
1 Introduction Integral Cryptanalysis Specifications of T-TWINE
2 Integral Distinguishing Attack of T-TWINE
3 Key-recovery Attack of Reduced-Round T-TWINE
4 Conclusion
22 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Integral Distinguisher
Plaintext :(A, A, A, A, A, A, A3, A, A, A, A, A, A, A, A) Tweak :(C, C, C, C, C, C, A1,3, C, C, C, C, C, C, C, A, C) ↓ 19R (U, U, U, U, U, U, U, U, U, U, U, U, U, U, U, B)
23 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Analysis Rounds
B
20R 0 1 2 3 4 5 6 7
21R 0 1 2 3 4 5 6 7
T14 22R 0 1 2 3 4 5 6 7
23R 0 1 2 3 4 5 6 7
24R 0 1 2 3 4 5 6 7
T14
25R 0 1 2 3 4 5 6 7
26R 0 1 2 3 4 5 6 7
T6
table
24 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Meet-in-the-Middle Technique
i i i i XL XR XL XR RK i RK i Z i F F
i+1 i+1 i+1 i+1 XL XR XL XR
M i M i M i+1 XR = 0 =⇒ Z = XL
25 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Analysis Rounds
B
20R 0 1 2 3 4 5 6 7
21R 0 1 2 3 4 5 6 7
T14 22R 0 1 2 3 4 5 6 7
23R 0 1 2 3 4 5 6 7
24R 0 1 2 3 4 5 6 7
T14
25R 0 1 2 3 4 5 6 7
26R 0 1 2 3 4 5 6 7
T6
table
26 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE 20 Path to Z7
B
20R 0 1 2 3 4 5 6 7
21R 0 1 2 3 4 5 6 7
22R 0 1 2 3 4 5 6 7
23R 0 1 2 3 4 5 6 7
24R 0 1 2 3 4 5 6 7
T14
25R 0 1 2 3 4 5 6 7
26R 0 1 2 3 4 5 6 7
T6
table
27 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE 21 Path to X14
B
20R 0 1 2 3 4 5 6 7
21R 0 1 2 3 4 5 6 7
T14 22R 0 1 2 3 4 5 6 7
23R 0 1 2 3 4 5 6 7
24R 0 1 2 3 4 5 6 7
25R 0 1 2 3 4 5 6 7
26R 0 1 2 3 4 5 6 7
T6
table
28 2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
29 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ .
29 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX .
29 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal.
29 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key.
29 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80
56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.
2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.
29 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE L 20 The summary of the procedure to obtain Z7
Step Key Size The State (Si) Complexity
66 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 66 0 - 2 X0 , X2 , X3 , X4 , X5 , X6 , X7 , X8 , X9 , X10 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 MA
26 62 27 27 27 26 27 27 27 27 27 27 27 27 27 27 4 66 70 1 RK2 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X10 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 × 2 = 2
26 58 27 27 27 26 27 27 27 27 26 27 27 27 27 8 62 70 2 RK5 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 × 2 = 2
26 54 27 27 27 26 27 27 27 27 26 27 27 26 12 58 70 3 RK7 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2
25 50 25 27 27 27 27 27 27 26 27 27 26 16 54 70 4 RK0 2 X1 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2
26 50 25 27 27 26 26 27 27 26 27 27 26 20 50 70 5 RK3 2 X1 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2
24 46 24 27 27 26 26 27 27 26 27 27 26 20 50 70 6 RK1 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6 2 × 2 = 2
26 44 24 27 27 26 26 26 26 26 27 27 26 24 46 70 7 RK4 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2
26 44 24 26 26 26 26 26 26 26 27 27 26 28 44 72 8 RK1 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2
25 40 24 26 26 26 25 26 26 27 27 26 32 44 76 9 RK3 2 X3 , X2 , X6 , X7 , X7 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2
25 36 24 26 26 25 25 26 27 27 26 36 40 76 10 RK5 2 X3 , X6 , X7 , X7 , X11 , X11 , X12 , X13 , X15 2 × 2 = 2
24 32 24 26 26 25 27 27 24 26 40 36 76 11 RK7 2 X3 , X6 , X7 , X7 , X12 , X13 , X15 , X15 2 × 2 = 2
24 28 24 24 26 26 27 27 24 40 32 72 12 RK2 2 X3 , X5 , X6 , X7 , X12 , X13 , X15 2 × 2 = 2
26 28 24 24 26 26 26 26 24 44 28 72 13 RK6 2 X3 , X5 , X6 , X7 , X12 , X13 , X15 2 × 2 = 2
24 24 24 24 26 25 26 24 48 28 76 14 RK4 2 X3 , X5 , X7 , X9 , X12 , X15 2 × 2 = 2
23 20 24 24 26 26 23 48 24 72 15 RK6 2 X3 , X5 , X7 , X12 , X13 2 × 2 = 2
22 16 24 26 22 26 48 20 68 16 RK4 2 X5 , X7 , X9 , X12 2 × 2 = 2
25 12 24 25 22 52 16 68 17 RK2 2 X5 , X5 , X9 2 × 2 = 2
23 8 23 22 56 12 68 18 RK0 2 X1 , X9 2 × 2 = 2
21 4 21 56 8 64 19 RK5 2 X11 2 × 2 = 2 20 L 20 L 21 20 56 4 60 20 RK7 1 Z7 = S(X11 ⊕ RK7 ) 2 × 2 = 2
figure 30 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack Complexity
Data Time Complexity Memory
69 69 278.13+259.91 276 145×272 76 12 76.11 66.04 1 2 2 + 1 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 70 70 278.13+259.91 276+272 145×268 72 8 73.03 67.04 2 2 2 + 2 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 70.58 70.58 278.13+259.91 276+272+268 145×264 68 4 72.62 67.62 3 2 2 + 3 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 71 71 278.13+259.91 276+272+268+264 145×260 64 72.95 68.04 4 2 2 + 4 × 8×26 + 8×26 + 8×26 + 2 ≈ 2 2
31 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack one more round
1 1 X8 X9 1 RK4
F F F F F F F F
2 X6 A A A A A AA3 A A A A A A A A A
2 1 1 1 1 X6 [3] = X9 [3] ⊕ S(X8 ⊕ RK4 ⊕ RT2 )[3]
32 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Key-recovery Attack of Reduced-Round T-TWINE Attack results on T-TWINE
Attack #Rounds Data Time Memory Reference Imp. diff. 25 265.5 CTP 270.86 266 Tolba et al. 2020 T-TWINE-80 26 270.58 CTP 272.62 267.62 This work Integral 27 270.95 CTP 275.79 271.08 This work Imp. diff. 27 264 CTP 2120.83 2118 Tolba et al. 2020 T-TWINE-128 27 271.58 CTP 2109.54 290.58 This work Integral 28 272.27 CTP 2113.38 294.32 This work
33 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Outline
1 Introduction Integral Cryptanalysis Specifications of T-TWINE
2 Integral Distinguishing Attack of T-TWINE
3 Key-recovery Attack of Reduced-Round T-TWINE
4 Conclusion
34 We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE. We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Conclusion
We have studied the security of T-TWINE against the integral cryptanalysis.
35 We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Conclusion
We have studied the security of T-TWINE against the integral cryptanalysis. We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE.
35 Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.
Introduction Distinguishing Attack Key-recovery Attack Conclusion
Conclusion
We have studied the security of T-TWINE against the integral cryptanalysis. We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE. We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE.
35 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Conclusion
We have studied the security of T-TWINE against the integral cryptanalysis. We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE. We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.
35 Introduction Distinguishing Attack Key-recovery Attack Conclusion
Thank You
For Questions: m [email protected]
36