Impossible differential attack on reduced-round TWINE

Abstract

TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 279.0923-round encryptions, 257.85chosen plaintexts and 278.04blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 258.1chosen plaintexts, 2126.7824-round encryptions and 2125.61blocks of memory.