Integral Cryptanalysis on Reduced-Round Tweakable TWINE

Home , Distinguishing attack, Integral cryptanalysis

Muhammad ElSheikh, Amr M. Youssef

Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal,Qu´ebec, Canada

CANS 2020 December 14-16, 2020 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Outline

1 Introduction Integral Cryptanalysis Speciﬁcations of T-TWINE

2 Integral Distinguishing Attack of T-TWINE

3 Key-recovery Attack of Reduced-Round T-TWINE

4 Conclusion

2 If L E−1(Z) 6= 0, then the guessed rk0 is incorrect. rk0 z∈Z

rk0

Ciphertext Set 0 Erk n Z ⊆ F2 Key Recovery

Z := {Ek(x)| x ∈ X} := {E−1(z)| z ∈ } Y rk0 Z

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Cryptanalysis Integral Cryptanalysis

Plaintext Set ⊆ n n Erk Y F2 X ⊆ F2 Integral characteristic

Y := {Erk(x)| x ∈ X}

Erk has integral characteristic, if L Erk(x) = 0, For all possible rk. x∈X

3 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Cryptanalysis Integral Cryptanalysis

rk rk0

Plaintext Set Ciphertext Set n Y ⊆ F2 0 n Erk Erk n X ⊆ F2 Z ⊆ F2 Integral characteristic Key Recovery

Y := {Erk(x)| x ∈ X} Z := {Ek(x)| x ∈ X} := {E−1(z)| z ∈ } Y rk0 Z

Erk has integral characteristic, if L Erk(x) = 0, For all possible rk. x∈X If L E−1(Z) 6= 0, then the guessed rk0 is incorrect. rk0 z∈Z

3 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Cryptanalysis How to ﬁnd an integral characteristic?

Propagation of integral property: ALL (A), BALANCE (B), CONSTANT (C), UNKNOWN (U). Exploit algebraic degree. Division property. Introduced by Yosuke Todo at Eurocrypt 2015. bit-based division property, Todo and Morii - FSE 2016.

4 Deﬁnition (Bit-based Division Property) n Let X be a multiset whose elements take a value of F2 . When the multiset has the division property D1n ,where denotes a set of X K K n-dimensional vectors whose i-th element takes 0 or 1, it fulﬁlls the following conditions: ( M unknown if there is exist k ∈ K s.t. u k, πu(x) = 0 otherwise. x∈X where u k if u[i] ≥ k[i] ∀i.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property Bit-based Division Property [Todo and Morii, FSE 2016]

Qn u[i] bit-product function: πu(x) = i=1 x[i] , where x[i], u[i] are the i-th bits of x and u respectively. L The parity = πu(x). x∈X

5 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property Bit-based Division Property [Todo and Morii, FSE 2016]

Qn u[i] bit-product function: πu(x) = i=1 x[i] , where x[i], u[i] are the i-th bits of x and u respectively. L The parity = πu(x). x∈X Deﬁnition (Bit-based Division Property) n Let X be a multiset whose elements take a value of F2 . When the multiset has the division property D1n ,where denotes a set of X K K n-dimensional vectors whose i-th element takes 0 or 1, it fulﬁlls the following conditions: ( M unknown if there is exist k ∈ K s.t. u k, πu(x) = 0 otherwise. x∈X where u k if u[i] ≥ k[i] ∀i.

5 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property Integral Characteristic and Bit-based Division Property

n x ∈ , D1n y ∈ , D1 X Kx E Y Ky

Let n = 4 and y = (y0, y1, y2, y3), To check if the bit y3 is balanced over Y : L L ? y3 = πv(y)|v=(0,0,0,1) = 0 y∈Y y∈Y

From the deﬁnition of the bit-based division property, the bit y3 is balanced iﬀ v = (0, 0, 0, 1) ∈/ Ky

6 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property Bit-based division property practical problem

For n-bit cipher, the complexity of utilizing bit-based division property is roughly equal to 2n. For n > 32, propagation includes large number of vectors in K and it will be infeasible to handle. Solved by Xiang et al. at Asiacrypt 2016 by deﬁning a new notation called Division Trail. With the Division Trail, it becomes easy to model the bit-based division property propagation using Mixed Integer Linear Programming (MILP)

7 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property Propagation rules for COPY, XOR, AND

Operation MILP Model

COPY (a) −−−−→ (b1, b2) a − b1 − b2 = 0

XOR (a1, a2) −−−→ (b) a1 + a2 − b = 0

( AND b − a1 ≥ 0, (a1, a2) −−−→ (b) b − a2 ≥ 0

8 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Bit-based Division Property MILP Model for S-box

1 Represent the S-Box using its algebraic normal form. 2 Represent the division trail though an n-bit S-box as a set of 2n-dimensional binary vectors. 3 Get the H-Representation as a set of linear inequalities that describe these vectors. 4 Use this set of inequalities as MILP constraints to present the division trail though the S-box.

9 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE Outline

1 Introduction Integral Cryptanalysis Speciﬁcations of T-TWINE

2 Integral Distinguishing Attack of T-TWINE

3 Key-recovery Attack of Reduced-Round T-TWINE

4 Conclusion

10 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE Block cipher - Tweakable

K E

11 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE Block cipher - Tweakable

P P

T K E K E

C C

11 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE Block cipher - Tweakable

Mode of Operation Dedicated Structure

P SKINNY QARMA T CRAFT T-TWINE K E

XEX Mode of operation

12 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE T-TWINE block cipher

1 The ﬁrst lightweight dedicated TBC that is built on Generalized Feistel Structure (GFS). 2 An extension of the conventional block cipher TWINE. 3 Two variants namely, T-TWINE-80 and T-TWINE-128. 4 Block size of 64 bits, a tweak of 64 bits, and a variable key length of 80 and 128 bits.

13 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE T-TWINE Speciﬁcations

Data Processing

i i i i i i i i i i i i i i i i X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 i RK i ti RK i i ti i ti RK i ti i i ti i t5 0 4 1 RK2 3 RK3 2 4 1 RK5 RK6 0 RK7 F F F F F F F F

i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15

14 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE T-TWINE Speciﬁcations

Key Scheduling Function Algorithm 1: Key Schedule of T-TWINE-80 Data: The 80-bit master key K Result: The round keys RK = RK1||RK2|| · · · ||RK36 k0||k1|| · · · ||k19 ← K; for i ← 1 to 35 do i RK ← k1||k3||k4||k6||k13||k14||k15||k16; k1 ← k1 ⊕ S(k0); k4 ← k4 ⊕ S(k16); i k7 ← k7 ⊕ (0||CONH ); i k19 ← k19 ⊕ (0||CONL); k0|| · · · ||k3 ← Rot4(k0|| · · · ||k3); k0|| · · · ||k19 ← Rot16(k0|| · · · ||k19); end 36 RK ← k1||k3||k4||k6||k13||k14||k15||k16; RK ← RK1||RK2|| · · · ||RK36;

15 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Speciﬁcations of T-TWINE T-TWINE Speciﬁcations

Tweak Schduleing Function

ti ti+1

t0 t1 t2 t3 t6 t7 t8 t9

t4 t5 t6 t7 t10 t11 t12 t13 πt t8 t9 t10 t11 t14 t15 t1 t0

t12 t13 t14 t15 t4 t2 t3 t5

RT i

16 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Outline

1 Introduction Integral Cryptanalysis Speciﬁcations of T-TWINE

2 Integral Distinguishing Attack of T-TWINE

3 Key-recovery Attack of Reduced-Round T-TWINE

4 Conclusion

17 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Distinguishing Attack of T-TWINE Integral distinguishing attack

1 TWINE has 16-round integral distinguisher. 2 Three attack settings: chosen tweak, chosen tweak-plaintext, and chosen tweak-ciphertext. 3 We use the following notation to present the status of each nibble of the tweak, plaintext, and ciphertext C each bit of the nibble is ﬁxed to constant. A all bits of the nibble are active. A˜ all bits of the nibble are active except one bit is constant. B each bit of the nibble is balanced. U a nibble with unknown status.

18 The 11-round distinguisher by the designers Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C A C C C C A A C C C C −−→ B U U U U U U U U U U B U U U U 11R Tweak C C C C C A C C C C A A C C C C −−→ U U U U U U U U U U U B U U U U

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Distinguishing Attack of T-TWINE Chosen Tweak Setting

The 11-round distinguisher Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C C C C C C C C C C A C −−→ U U U U U U U B U U U U U U U U 11R Tweak C C C C C C C C C C C C C C C A −−→ U U U U U B U U U U U B U U U U

19 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Distinguishing Attack of T-TWINE Chosen Tweak Setting

The 11-round distinguisher Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C C C C C C C C C C A C −−→ U U U U U U U B U U U U U U U U 11R Tweak C C C C C C C C C C C C C C C A −−→ U U U U U B U U U U U B U U U U The 11-round distinguisher by the designers Plaintext C C C C C C C C C C C C C C C C 11R Tweak C C C C C A C C C C A A C C C C −−→ B U U U U U U U U U U B U U U U 11R Tweak C C C C C A C C C C A A C C C C −−→ U U U U U U U U U U U B U U U U

19 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Distinguishing Attack of T-TWINE Chosen Tweak-Plaintext Setting

Plaintext A A A A A˜ A A A A A A A A A A A 19R Tweak C C C A A C C C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C C C C C A −−→ U U U U U U U U U U U U U B U U

Plaintext A A A A A A A˜ A A A A A A A A A 19R Tweak C C C C C C A˜ C C C C C C C A C −−→ U U U U U U U U U U U U U U U B 19R Tweak C C C C C C C C C C C C A C A C −−→ U U U U U U U U U U U U U U U B 19R Tweak C C C C C C C C C C C C C C A A˜ −−→ U U U B U U U U U U U U U U U U

Plaintext A A A A A A A A A A A˜ A A A A A 19R Tweak A˜ C C A C C C C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C A C C C C C C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C A C C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak C C C A C C C C C C C C A C C C −−→ U U U U U U U U U U U U U B U U 19R Tweak A˜ C C C C C C C C C C C A C C C −−→ U U U U U U U B U U U U U U U U 19R Tweak C A C C C C C C C C C C A C C C −−→ U U U U U U U U U U U B U U U U 19R Tweak C C C C A C C C C C C C A C C C −−→ U U U U U U U B U U U B U U U U 19R Tweak C C C C C C C C C A C C A C C C −−→ U U U U U U U B U U U U U U U U 19R Tweak C C C C C C C C C C C A A C C C −−→ U U U U U U U B U U U U U U U U

20 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Integral Distinguishing Attack of T-TWINE Chosen Tweak-Ciphertext Setting

A A A A˜ A A A A A A A A A A A A Ciphertext 19R U U U U U U B U U U U U U U U U ←−− C C C C C C C C C A C C C C A C Tweak 19R U U U U U U B U U U U U U U U U ←−− C C C C C C C C C C C C C C A A˜ Tweak

A A A A A A A A˜ A A A A A A A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− A˜ C C C C C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C A C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C C C C C C A C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C C C C C C C C A A C C C Tweak

A A A A A A A A A A A A˜ A A A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− C A C C C C C C C C C C A C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C C A C C C C C C C A C C C Tweak

A A A A A A A A A A A A A A˜ A A Ciphertext 19R U U U U U U U U U U B U U U U U ←−− A˜ C C A C C C C C C C C C C C C Tweak 19R U U U U B U U U U U U U U U U U ←−− C C C A A C C C C C C C C C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C A C C A C C C C C C C C C Tweak 19R U U U U B U U U U U B U U U U U ←−− C C C A C C C C C C C A C C C C Tweak 19R U U U U U U U U U U B U U U U U ←−− C C C A C C C C C C C C A C C C Tweak

A A A A A A A A A A A A A A A A˜ Ciphertext 19R U U U U U U B U U U U U U U U U ←−− C C C C C C A˜ C C C C C C C A C Tweak

21 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Outline

1 Introduction Integral Cryptanalysis Speciﬁcations of T-TWINE

2 Integral Distinguishing Attack of T-TWINE

3 Key-recovery Attack of Reduced-Round T-TWINE

4 Conclusion

22 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Integral Distinguisher

Plaintext :(A, A, A, A, A, A, A3, A, A, A, A, A, A, A, A) Tweak :(C, C, C, C, C, C, A1,3, C, C, C, C, C, C, C, A, C) ↓ 19R (U, U, U, U, U, U, U, U, U, U, U, U, U, U, U, B)

23 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Analysis Rounds

20R 0 1 2 3 4 5 6 7

21R 0 1 2 3 4 5 6 7

T14 22R 0 1 2 3 4 5 6 7

23R 0 1 2 3 4 5 6 7

24R 0 1 2 3 4 5 6 7

T14

25R 0 1 2 3 4 5 6 7

26R 0 1 2 3 4 5 6 7

table

24 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Meet-in-the-Middle Technique

i i i i XL XR XL XR RK i RK i Z i F F

i+1 i+1 i+1 i+1 XL XR XL XR

M i M i M i+1 XR = 0 =⇒ Z = XL

25 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Analysis Rounds

20R 0 1 2 3 4 5 6 7

21R 0 1 2 3 4 5 6 7

T14 22R 0 1 2 3 4 5 6 7

23R 0 1 2 3 4 5 6 7

24R 0 1 2 3 4 5 6 7

T14

25R 0 1 2 3 4 5 6 7

26R 0 1 2 3 4 5 6 7

table

26 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE 20 Path to Z7

20R 0 1 2 3 4 5 6 7

21R 0 1 2 3 4 5 6 7

22R 0 1 2 3 4 5 6 7

23R 0 1 2 3 4 5 6 7

24R 0 1 2 3 4 5 6 7

T14

25R 0 1 2 3 4 5 6 7

26R 0 1 2 3 4 5 6 7

table

27 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE 21 Path to X14

20R 0 1 2 3 4 5 6 7

21R 0 1 2 3 4 5 6 7

T14 22R 0 1 2 3 4 5 6 7

23R 0 1 2 3 4 5 6 7

24R 0 1 2 3 4 5 6 7

25R 0 1 2 3 4 5 6 7

26R 0 1 2 3 4 5 6 7

table

28 2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

29 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ .

29 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX .

29 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key. 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

29 6 Check each 80-bit candidate using 2 pairs of plaintext/ciphertext.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

2 L 20 For each 56-bit round-key, obtain Z7 and store it in HZ . 3 L 21 For each 40-bit round-key, obtain X14 and store it in HX . 4 Consider a 76-bit key as a candidate if the two entries in the hash tables indexed by its two parts are equal. 5 For each 76-bit candidate, drive 24 80-bit candidates of the master key.

29 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Procedure against 26 rounds of T-TWINE-80

56 40 1 Initialize two empty hash tables HZ and HX with 2 and 2 L 20 L 21 entries to store the values of Z7 and X14 , respectively, indexed by the round keys used during the computations.

29 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE L 20 The summary of the procedure to obtain Z7

Step Key Size The State (Si) Complexity

66 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 66 0 - 2 X0 , X2 , X3 , X4 , X5 , X6 , X7 , X8 , X9 , X10 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 MA

26 62 27 27 27 26 27 27 27 27 27 27 27 27 27 27 4 66 70 1 RK2 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X10 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 × 2 = 2

26 58 27 27 27 26 27 27 27 27 26 27 27 27 27 8 62 70 2 RK5 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X14 , X15 , T6, T14 2 × 2 = 2

26 54 27 27 27 26 27 27 27 27 26 27 27 26 12 58 70 3 RK7 2 X0 , X2 , X3 , X5 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2

25 50 25 27 27 27 27 27 27 26 27 27 26 16 54 70 4 RK0 2 X1 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2

26 50 25 27 27 26 26 27 27 26 27 27 26 20 50 70 5 RK3 2 X1 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6, T14 2 × 2 = 2

24 46 24 27 27 26 26 27 27 26 27 27 26 20 50 70 6 RK1 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 , T6 2 × 2 = 2

26 44 24 27 27 26 26 26 26 26 27 27 26 24 46 70 7 RK4 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2

26 44 24 26 26 26 26 26 26 26 27 27 26 28 44 72 8 RK1 2 X3 , X2 , X3 , X6 , X7 , X8 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2

25 40 24 26 26 26 25 26 26 27 27 26 32 44 76 9 RK3 2 X3 , X2 , X6 , X7 , X7 , X9 , X11 , X12 , X13 , X15 2 × 2 = 2

25 36 24 26 26 25 25 26 27 27 26 36 40 76 10 RK5 2 X3 , X6 , X7 , X7 , X11 , X11 , X12 , X13 , X15 2 × 2 = 2

24 32 24 26 26 25 27 27 24 26 40 36 76 11 RK7 2 X3 , X6 , X7 , X7 , X12 , X13 , X15 , X15 2 × 2 = 2

24 28 24 24 26 26 27 27 24 40 32 72 12 RK2 2 X3 , X5 , X6 , X7 , X12 , X13 , X15 2 × 2 = 2

26 28 24 24 26 26 26 26 24 44 28 72 13 RK6 2 X3 , X5 , X6 , X7 , X12 , X13 , X15 2 × 2 = 2

24 24 24 24 26 25 26 24 48 28 76 14 RK4 2 X3 , X5 , X7 , X9 , X12 , X15 2 × 2 = 2

23 20 24 24 26 26 23 48 24 72 15 RK6 2 X3 , X5 , X7 , X12 , X13 2 × 2 = 2

22 16 24 26 22 26 48 20 68 16 RK4 2 X5 , X7 , X9 , X12 2 × 2 = 2

25 12 24 25 22 52 16 68 17 RK2 2 X5 , X5 , X9 2 × 2 = 2

23 8 23 22 56 12 68 18 RK0 2 X1 , X9 2 × 2 = 2

21 4 21 56 8 64 19 RK5 2 X11 2 × 2 = 2 20 L 20 L 21 20 56 4 60 20 RK7 1 Z7 = S(X11 ⊕ RK7 ) 2 × 2 = 2

ﬁgure 30 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack Complexity

Data Time Complexity Memory

69 69 278.13+259.91 276 145×272 76 12 76.11 66.04 1 2 2 + 1 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 70 70 278.13+259.91 276+272 145×268 72 8 73.03 67.04 2 2 2 + 2 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 70.58 70.58 278.13+259.91 276+272+268 145×264 68 4 72.62 67.62 3 2 2 + 3 × 8×26 + 8×26 + 8×26 + 2 + 2 ≈ 2 2 71 71 278.13+259.91 276+272+268+264 145×260 64 72.95 68.04 4 2 2 + 4 × 8×26 + 8×26 + 8×26 + 2 ≈ 2 2

31 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack one more round

1 1 X8 X9 1 RK4

F F F F F F F F

2 X6 A A A A A AA3 A A A A A A A A A

2 1 1 1 1 X6 [3] = X9 [3] ⊕ S(X8 ⊕ RK4 ⊕ RT2 )[3]

32 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Key-recovery Attack of Reduced-Round T-TWINE Attack results on T-TWINE

Attack #Rounds Data Time Memory Reference Imp. diﬀ. 25 265.5 CTP 270.86 266 Tolba et al. 2020 T-TWINE-80 26 270.58 CTP 272.62 267.62 This work Integral 27 270.95 CTP 275.79 271.08 This work Imp. diﬀ. 27 264 CTP 2120.83 2118 Tolba et al. 2020 T-TWINE-128 27 271.58 CTP 2109.54 290.58 This work Integral 28 272.27 CTP 2113.38 294.32 This work

33 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Outline

1 Introduction Integral Cryptanalysis Speciﬁcations of T-TWINE

2 Integral Distinguishing Attack of T-TWINE

3 Key-recovery Attack of Reduced-Round T-TWINE

4 Conclusion

34 We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE. We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Conclusion

We have studied the security of T-TWINE against the integral cryptanalysis.

35 We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Conclusion

35 Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.

Introduction Distinguishing Attack Key-recovery Attack Conclusion

Conclusion

35 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Conclusion

We have studied the security of T-TWINE against the integral cryptanalysis. We have showed that adding a tweak to the round function structure gives the attacker more room to target a large number of rounds in T-TWINE comparing to the conventional TWINE. We were able to construct several integral distinguishers that cover 19 rounds of T-TWINE whereas the longest distinguisher covers only 16 rounds of TWINE. Using one of these distinguishers, we launched key recovery attacks against 27 and 28 of T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the best-published attacks against both variants of T-TWINE.

35 Introduction Distinguishing Attack Key-recovery Attack Conclusion

Thank You

For Questions: m [email protected]