Impossible Differential Cryptanalysis of Reduced-Round Tweakable TWINE

Abstract

Tweakable TWINE (T-TWINE) is a new lightweight tweakable block cipher family proposed by Sakamoto et al. at IWSEC 2019. T-TWINE is the first Tweakable Block Cipher (TBC) that is built on Generalized Feistel Structure (GFS). It is based on the TWINE block cipher in addition to a simple tweak scheduling based on SKINNY’s tweakey schedule. Similar to TWINE, it has two versions, namely, T-TWINE-80 and T-TWINE-128, both have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we present impossible differential attacks against reduced-round versions of T-TWINE-80 and T-TWINE-128. First, we present an 18-round impossible differential distinguisher against T-TWINE. Then, using this distinguisher, we attack 25 and 27 rounds of T-TWINE-80 and T-TWINE-128, respectively.

1 Introduction

Tweakable Block Ciphers (TBCs) [11] differ from the conventional block ciphers since they accept an additional input called a tweak. Different specific keyed instances of the cipher can be generated by varying this tweak. TBCs allow new interesting highly-secure modes of operation and applications to become possible as they are designed to allow changing the tweak very efficiently compared to the key setup operation.

Block ciphers can be used to build TBCs through modes of operation such as LRW (Liskov, Rivest, and Wagner) and XEX (Xor-Encrypt-Xor) [14]. These modes of operations, for one TBC encryption/decryption, require few cipher calls. Therefore, they are efficient. However, their provable security guarantee, which is \(2^{n/2}\) for n-bit block cipher, is not enough, in particular, for TBCs employed in modes of operation aiming to achieve “beyond-the-birthday-bound” (BBB) security. As a result, less efficient modes of operations [9, 10], compared to LRW and XEX, are proposed to achieve BBB security guarantee.

Dedicated constructions is another approach to build efficient TBCs with an acceptable level of security guarantee. HPC [16], one of the submission to the AES competition, is the first proposal, where the tweak is called “spice”. Threefish [4], Deoxys-BC [7], SKINNY [2] and QARMA [1] are examples of recently proposed dedicated TBCs. Challenges such as designing efficient dedicated TBCs while having sufficient security guarantee is solved by the tweakey flamework [6] which is based on a Substitution Permutation Network (SPN).

Tweakable TWINE (T-TWINE) [15] is the first dedicated TBC that is based on Generalized Feistel Structure (GFS) [13, 20]. The only work on GFS-based TBC, before the T-TWINE proposal, is done by Goldenberg et al. [5] and Mitsuda and Iwata [12] who focused on studding the provable security of the round functions that are instantiated by PRFs. TWINE, which is a GFS-based block cipher, was proposed by Suzaki et al. [18] after a comprehensive study done by Suzaki and Minematsu [17] showing the effect of the choice of sub-block permutation on the diffusion, the number of differential/linear active S-boxes, and the maximum numbers of rounds for impossible differential characteristics and saturation characteristics. The choice of the permutation of TWINE was a result of the work done in [17], it permutes over 16 nibbles to achieve the best characteristics.

T-TWINE [15] is built with the goal of reducing the cost of design, security evaluation, and implementation. As a result, TWINE was selected to be the basic building block of T-TWINE with extremely simple tweak scheduling. This tweak schedule is based on the SKINNY’s [2] tweakey schedule. Similar to TWINE, T-TWINE has a block size of 64 bits and iterates using either 80-bit or 128-bit key over 36 rounds. It accepts an additional 64-bit tweak. It also uses independent key and tweak schedules where the tweak is mixed with the states by adding few nibble XORs to TWINE. Therefore, it has the same hardware cost of TWINE except for the additional tweak registers.

The designers of T-TWINE evaluated its security against differential, linear, impossible differential, and integral attacks in the chosen-tweak setting. However, they only presented distinguishers without converting any distinguisher to a key recovery attack. For impossible differential, they utilized the miss-in-the-middle approach to search the impossible differential characteristics that have one active nibble in the 16 tweak nibbles and one active nibble in 16 ciphertext nibbles at the decryption side. However, the 18-round impossible differential distinguisher that was proposed by the designers does not seem to be correct as we will illustrate in Sect. 3¹.

In this paper, we start by presenting an 18-round impossible differential distinguisher. Then, we use this distinguisher to launch a 25-round attack against T-TWINE-80 by pre-appending and appending 4 and 3 rounds, respectively. Finally, we launched a 27-round attack against T-TWINE-128, using the 18-round distinguisher, by pre-appending and appending 6 and 3 rounds, respectively. The data, time, and memory complexities of the 25-round (27-round) against T-TWINE-80 (T-TWINE-128) are \(2^{61.5}\) (\(2^{60}\)) chosen plaintexts, \(2^{70.86}\) 25-round (\(2^{120.83}\) 27-round) encryptions, \(2^{66}\) (\(2^{118}\)) 64-bit block, respectively.

The rest of the paper is organized as follows. Section 2 provides the notations used throughout the paper and a brief description of T-TWINE. In Sect. 3, we present the impossible differential distinguisher used in our attacks. The details of our attacks are presented in Sects. 4 and 5. Finally, the paper is concluded in Sect. 6.

2 Specifications of T-TWINE

The following notation will be used throughout the rest of the paper:

• K: The 80 or 128 bits master key.

• \(K_j\): The \(j^{th}\) nibble of K. The indices of the nibbles begin from 0.

• \({RK}^{i}\): The 32-bit round key used in round \(i+1\).

• \(RK_j^i\): The \(j^{th}\) nibble of \(RK^i\). The indices of the nibbles begin from 0.

• T: The 64-bit tweak.

• \(T_i\): The \(i^{th}\) nibble of the tweak T.

• \(RT^i\): The 24-bit round tweak used in round \(i+1\), where \({RT}^{i} \leftarrow t_0^i||t_1^i||\) \(t_2^i||t_3^i||t_4^i||t_5^i\), and \(t_j^i\) is the \(j^{th}\) nibble of \(RT^i\).

• \(X^{i}\): The 16 4-bit nibbles output of round i.

• \({X_j}^{i}\): \(j^{th}\) nibble of \(X^{i}\).

• \(\varDelta X^i, \varDelta X_j^i\): The difference at state \(X^i\) and nibble \(X_j^i\), respectively.

• \(\oplus \): The XOR operation.

• ||: The concatenation operation.

• Rotz(x): The z-bit left cyclic shift of x.

T-TWINE is based on TWINE [18]. T-TWINE-80/128 iterates 36 rounds over 64-bit block using 80/128-bit key, respectively, and 64-bit tweak T. The block cipher has three parts: data processing, key schedule, and tweak schedule. Except for the tweaks addition, T-TWINE-80/128 has the same data processing and key schedule of TWINE-80/128, respectively. Both T-TWINE-80 and T-TWINE-128 employ the same generalized Feistel structure and tweak schedule where the only difference between them is the key schedule.

Fig. 1.

The T-TWINE round function, for simplicity we use \(t_j\) instead of \(t_j^i\). For example \(t_0\) equivalent to \(t_0^i\)

Data Processing Part. As depicted in Fig. 1, the round function is based on a variant of Type-2 GFS with 16 4-bit nibbles [17]. It has four operations: 4-bit S-box (S, see Table 1), round key XOR, round tweak XOR, and a 16-nibble shuffle operation (\(\pi \), see Table 2). Both versions of T-TWINE have the same number of rounds (36). The nibble shuffle operation in the last round is omitted.

Table 1. 4-bit S-box S in hexadecimal form

Key Schedule. A round key \(RK^i\) of 8 nibbles is generated from the master key K for each round i, where \(0\le i < 35\). Each version of T-TWINE has its own key schedule. Algorithm 1 and show the details of T-TWINE-80/128, respectively, where \(CON^i_{H}\) and \(CON^i_{L}\) are predefined constants. For further details, the reader is referred to [15, 18].

Tweak Schedule. A round tweak \(RT^i\) of 6 nibbles is generated from the tweak T for each round i, where \(0\le i < 35\). Both versions of T-TWINE have the same tweak schedule, shown in Algorithm 3, where \(\pi ^t\) is a 6-nibble permutation s.t. \((0, 1, 2, 3, 4, 5) \rightarrow (1, 0, 4, 2, 3, 5)\).

3 An Impossible Differential Distinguisher of T-TWINE

Impossible differential cryptanalysis was proposed independently by Knudsen [8] and Biham, Biryukov and Shamir [3]. It exploits a (truncated) differential characteristic of probability exactly 0 and thus acts as a distinguisher. Then, this distinguisher is turned into a key-recovery attack by prepending and/or appending additional rounds, which are usually referred to as the analysis rounds. The keys involved in the analysis rounds which lead to the impossible differential are wrong keys and thus are excluded. Miss-in-the-Middle is the general technique used to construct impossible differentials, where the cipher, E, is split such that \(E=E_2 \circ E_1\), and we try to find two deterministic differentials, the first one covers \(E_1\) and has the form \(\varDelta \delta \rightarrow \varDelta \gamma \), and the second covers \(E_2^{-1}\), and has the form \(\varDelta \beta \rightarrow \varDelta \zeta \). When the intermediate differences \(\varDelta \gamma , \varDelta \zeta \) do not match, the differential \(\varDelta \delta \rightarrow \varDelta \beta \) that covers the whole cipher E holds with zero probability.

Table 2. Nibble shuffle \(\pi \)

The designers of T-TWINE in [15] presented an 18-round impossible differential distinguisher. They found this distinguisher using the Miss-in-the-Middle approach. The distinguisher begins at “1R” with zero differences and the tweak has a non-zero difference at the first nibble \(t_{0}\). As mentioned above, this 18-round impossible differential distinguisher does not seem to be correct. In what follows, we list some of the problems (mistakes) we identified in this distinguisher (See Fig. 5): i) the numbers of rounds involved in the distinguisher is only 17 not 18 (as the plaintext is marked “1R” and the ciphertext is marked “18R”), ii) the tweaks used in the distinguisher are wrong. For example, the tweaks that are used in the seventh and ninth rounds are actually the tweaks of the sixth and seventh rounds, respectively, and iii) this distinguisher assumes that the tweak has difference at nibble “0” at the first round, then it appear again at nibble “0” at the nineteenth round, while it should appear again at the seventeenth round, after 16 rounds of the tweak schedule. Moreover, as shown in Figure 8 of [15] (See Fig. 5), the zero difference at “1R” associated with a non-zero difference at the first nibble \(t_{0}\) of the tweak gives, after being propagated 7 rounds in the forward direction, the difference at “8R” in the form of (1, 1, 1, 0, 0, ?, 0, 1, 1, ?, 0, 1, ?, ?, ?, ?). However, the correct difference should be in the form of (?, 1, ?, 0, 1, ?, ?, 1, 1, ?, ?, 1, ?, ?, ?, ?).

In this section, we present an 18-round distinguisher that begins and ends with zero difference and has a difference at \(t_{12}\) at the first round, see Fig. 2. To the best of our knowledge, this is the first valid 18-round impossible differential distinguisher. This distinguisher is found using the Miss-in-the-Middle approach, where we propagate the difference in the tweak forward 8 rounds with probability 1 and propagate the difference in the tweak backward 10 rounds with probability 1, then match at the middle at the end of round 8. As seen in Fig. 2, there is a contradiction at nibble “6”, where in the forward path, it should have a zero difference, while in the backward path, it should have a non-zero difference.

Fig. 2.

An 18-round impossible differential distinguisher

3.1 Observations

In this section, we present some useful observations that will be utilized in our attack.

Observation 1

[18, 19]. For any input difference \(a(\ne 0)\) and output difference \(b(\in \varDelta S[a])\) of the S-box in TWINE, the average number of pairs that satisfy the differential characteristic \((a \rightarrow b)\) is \(\frac{16}{7}\). Given an 8-bit pair \((X_{2j}^i, X_{2j+1}^i)\) and \((X_{2j}^i\oplus a, X_{2j+1}^i\oplus b)\), the probability that \(RK_j^i\) leads to the S-box differential characteristic \((a \rightarrow b)\) is \(7^{-1}\).

Observation 2

Given two nonzero differences \(\varDelta i\) and \(\varDelta o\) in \(\mathbb {F}16\), the equation: \(S(x) + S(x + \varDelta i) = \varDelta o\) has one solution on average. This property also applies to \(S^{-1}\).

Observation 3

If the impossible differential illustrated in Fig. 2 is extended 6 rounds forward and 3 rounds backward, then we have the following relations, see Fig. 3: \(\varDelta X_3^0 \in S[\varDelta X_2^0]\), \(\varDelta X_7^0 \in S[\varDelta X_6^0]\), \(\varDelta X_{13}^0 \in S[\varDelta X_{12}^0]\), \(\varDelta X_6^0 \in S[\varDelta X_{11}^0]\), \(\varDelta X_{11}^0 \in S[\varDelta X_2^0]\), \(\varDelta X_{1}^{27} \in S[\varDelta T_{2}]\), \(\varDelta X_{15}^{27} \in S[\varDelta X_{14}^{27}]\), \(\varDelta X_{14}^{27} \in S[\varDelta X_{11}^{27}]\), \(\varDelta X_{11}^{27} \in S[\varDelta T_{2}]\) that hold with probability \({(\frac{7}{16})}^9=2^{-10.734}\).

Fig. 3.

Impossible differential attack on 27-round T-TWINE-128

Observation 4

If the impossible differential illustrated in Fig. 2 is extended 4 rounds forward and 3 rounds backward, then we have the following relations, see Fig. 4: \(\varDelta X_1^0 \in S[\varDelta X_0^0]\), \(\varDelta X_{11}^0 \in S[\varDelta X_{10}^0]\), \(\varDelta X_{15}^0 \in S[\varDelta X_{14}^0]\), \(\varDelta X_{14}^0 \in S[\varDelta T_7]\), \(\varDelta X_{0}^0 \in S[\varDelta X_3^0]\), \(\varDelta X_{3}^{0} \in S[\varDelta X_{10}^0]\), \(\varDelta X_{10}^{0} \in S[\varDelta T_7]\), \(\varDelta X_{1}^{25} \in S[\varDelta T_7]\), \(\varDelta X_{15}^{25} \in S[\varDelta X_{14}^{25}]\), \(\varDelta X_{14}^{25} \in S[\varDelta X_{11}^{25}]\), \(\varDelta X_{11}^{25} \in S[\varDelta T_7]\) that hold with probability \({(\frac{7}{16})}^{11}=2^{-13.119}\).

Fig. 4.

Impossible differential attack on 25-round T-TWINE-80

4 Impossible Differential Key-Recovery Attack on 27-Round T-TWINE-128

In this section, we present the first attack on 27-round T-TWINE-128 in the chosen-tweak model. We use the notion of data structures to generate enough pairs of messages to launch the attack. Our utilized structure takes all the possible values of the 12 nibbles \(X_{2}^{0}\), \(X_{3}^{0}\), \(X_{4}^{0}\), \(X_{5}^{0}\), \(X_{6}^{0}\), \(X_{7}^{0}\), \(X_{8}^{0}\), \(X_{9}^{0}\), \(X_{11}^{0}\), \(X_{12}^{0}\), \(X_{13}^{0}\), \(X_{15}^{0}\) while the remaining nibbles assume a fixed value. In addition, we choose the tweak \(T_2\) such that it takes all its possible values. Thus, one structure generates \(2^{4\times 13}\times (2^{4\times 13}-1)/2\approx 2^{103}\) possible pairs. Hence, we have \(2^{103}\) possible pairs of messages satisfying the plaintext differences. In addition, we utilize the following pre-computation tables in order to efficiently extract/filter the round keys involved in the analysis rounds:

• \(H_1\): For all the \(2^{20}\) possible values of \(X_{1}^{1}\), \(\varDelta X_{1}^{1}\), \(X_{4}^{1}\), \(t_{4}^{0}\) and \(RK_{1}^{0}=K_3\), compute \(X_{2}^{0}\), \(\varDelta X_{2}^{0}\), \(X_{3}^{0}\), and \(\varDelta X_{3}^{0}\). Then, store \(X_{1}^{1}\), \(\varDelta X_{1}^{1}\), \(X_{4}^{1}\), and \(RK_{1}^{0}=K_3\) in \(H_1\) indexed by \(X_{2}^{0}\), \(\varDelta X_{2}^{0}\), \(X_{3}^{0}\), \(\varDelta X_{3}^{0}\), and \(t_{4}^{0}\). \(\varDelta X_3^0\) is chosen such that \(\varDelta X_3^0 \in S[\varDelta X_2^0]\), see Observation 3. Therefore, \(H_1\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_2\): For all the \(2^{20}\) possible values of \(X_{3}^{1}\), \(\varDelta X_{3}^{1}\), \(X_{8}^{1}\), \(t_{3}^{0}\), and \(RK_{3}^{0}=K_{15}\), compute \(X_{6}^{0}\), \(\varDelta X_{6}^{0}\), \(X_{7}^{0}\), and \(\varDelta X_{7}^{0}\). Then, store \(X_{3}^{1}\), \(\varDelta X_{3}^{1}\), \(X_{8}^{1}\), and \(RK_{3}^{0}=K_{15}\) in \(H_1\) indexed by \(X_{6}^{0}\), \(\varDelta X_{6}^{0}\), \(X_{7}^{0}\), \(\varDelta X_{7}^{0}\), and \(t_{3}^{0}\). \(\varDelta X_{7}^{0}\) is chosen such that \(\varDelta X_{7}^{0} \in S[\varDelta X_{6}^{0}]\), see Observation 3. Therefore, \(H_2\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{3}\): For all the \(2^{16}\) possible values of \(X_{10}^{1}\), \(\varDelta X_{15}^{1}\), \(X_{15}^{1}\), and \(RK_{6}^{0}=K_{28}\), compute \(X_{12}^{0}\), \(\varDelta X_{12}^{0}\), \(X_{13}^{0}\), and \(\varDelta X_{13}^{0}\). Then, store \(X_{10}^{1}\), \(\varDelta X_{15}^{1}\), \(X_{15}^{1}\), and \(RK_{6}^{0}=K_{28}\) in \(H_{3}\) indexed by \(X_{12}^{0}\), \(\varDelta X_{12}^{0}\), \(X_{13}^{0}\), and \(\varDelta X_{13}^{0}\). \(\varDelta X_{13}^{0}\) is chosen such that \(\varDelta X_{13}^{0} \in S[\varDelta X_{12}^{0}]\), see Observation 3. Therefore, \(H_{3}\) has \(7\times 2^{12}\) rows and on average about \(2^{16}/(7\times 2^{12})\) = 16/7 values in each row.

• \(H_{4}\): For all the \(2^{32}\) possible values of \(X_{1}^{2}\), \(\varDelta X_{1}^{2}\), \(X_{4}^{2}\), \(t_{4}^{1}\), \(RK_{1}^{1}=K_{7}\), \(X_{9}^{1}\), \(t_{1}^{0}\), and \(RK_{5}^{0}=K_{18}\), compute \(X_{3}^{1}=X_{6}^{0}\), \(\varDelta X_{3}^{1} = \varDelta X_{6}^{0}\), \(X_{10}^{0}\), \(X_{11}^{0}\), and \(\varDelta X_{11}^{0}\). Then, store \(X_{1}^{2}\), \(\varDelta X_{1}^{2}\), \(X_{4}^{2}\), \(RK_{1}^{1}=K_{7}\), \(X_{9}^{1}\), and \(RK_{5}^{0}=K_{18}\) in \(H_{4}\) indexed by \(X_{3}^{1}= X_{6}^{0}\), \(\varDelta X_{3}^{1}= \varDelta X_{6}^{0}\), \(X_{10}^{0}\), \(X_{11}^{0}\), \(\varDelta X_{11}^{0}\), \(t_{4}^{1}\), and \(t_{1}^{0}\). \(\varDelta X_{6}^{0}\) is chosen such that \(\varDelta X_{6}^{0} \in S[\varDelta X_{11}^{0}]\), see Observation 3. Therefore, \(H_{4}\) has \(7\times 2^{24}\) rows and on average about \(2^{32}/(7\times 2^{24})\) = \((16/7)\times 2^{4}\) values in each row.

• \(H_{5}\): For all the \(2^{40}\) possible values of \(X_{3}^{2}\), \(\varDelta X_{3}^{2}\), \(X_{8}^{2}\), \(t_{3}^{1}\), \(RK_{3}^{1}=K_{19}\), \(X_{13}^{1}\), \(\varDelta X_{13}^{1}\), \(t_{2}^{0}\), \(\varDelta T_2\), and \(RK_{4}^{0}=K_{17}\), compute \(X_{4}^{0}\), \(\varDelta X_{4}^{0}\), \(X_{8}^{0}\), \(\varDelta X_{8}^{0}\), \(X_{9}^{0}\), and \(\varDelta X_{9}^{0}\). Then, store \(X_{3}^{2}\), \(\varDelta X_{3}^{2}\), \(X_{8}^{2}\), \(RK_{3}^{1}=K_{19}\), \(X_{13}^{1}\), \(\varDelta X_{13}^{1}\), and \(RK_{4}^{0}=K_{17}\) in \(H_{5}\) indexed by \(X_{4}^{0}\), \(\varDelta X_{4}^{0}\), \(X_{8}^{0}\), \(\varDelta X_{8}^{0}\), \(X_{9}^{0}\), \(\varDelta X_{9}^{0}\), \(t_{3}^{1}\), \(t_{2}^{0}\), and \(\varDelta T_2\). \(H_{5}\) has \(2^{36}\) rows and on average about \(2^{40}/2^{36}\) = \(2^{4}\) values in each row.

• \(H_{6}\): For all the \(2^{44}\) possible values of \(X_{0}^{3}\), \(X_{5}^{3}\), \(\varDelta X_{5}^{3}\), \(t_{5}^{2}\), \(RK_{0}^{2}=K_{10}\), \(X_{5}^{2}\), \(t_{5}^{1}\), \(RK_{0}^{1}=K_{6}\), \(X_{5}^{1}\), \(t_{5}^{0}\), and \(RK_{0}^{0}=K_{2}\), compute \(X_{1}^{2}\), \(\varDelta X_{1}^{2}=\varDelta X_{11}^{0}\), \(X_{1}^{1}=X_{2}^{0}\), \(\varDelta X_{1}^{1}=\varDelta X_{2}^{0}\), \(X_{0}^{0}\), and \(X_{1}^{0}\). Then, store \(X_{5}^{3}\), \(\varDelta X_{5}^{3}\), \(RK_{0}^{2}=K_{10}\), \(X_{5}^{2}\), \(RK_{0}^{1}=K_{6}\), \(X_{5}^{1}\), and \(RK_{0}^{0}=K_{2}\) in \(H_{6}\) indexed by \(X_{1}^{2}\), \(\varDelta X_{1}^{2}=\varDelta X_{11}^{0}\), \(X_{1}^{1}=X_{2}^{0}\), \(\varDelta X_{1}^{1}=\varDelta X_{2}^{0}\), \(X_{0}^{0}\), \(X_{1}^{0}\), \(t_{5}^{0}\), \(t_{5}^{1}\), and \(t_{5}^{2}\). \(\varDelta X_{11}^{0}\) is chosen such that \(\varDelta X_{11}^{0} \in S[\varDelta X_{2}^{0}]\), see Observation 3. Therefore, \(H_{6}\) has \(7\times 2^{32}\) rows and on average about \(2^{44}/(7\times 2^{32})\) = \((16/7)\times 2^{8}\) values in each row.

• \(H_{7}\): For all the \(2^{32}\) possible values of \(X_{10}^{2}\), \(\varDelta X_{10}^{2}\), \(X_{15}^{2}\), \(\varDelta X_{15}^{2}\), \(RK_{6}^{1}=K_{1}+S(K_{0})\), \(X_{7}^{1}\), \(\varDelta X_{7}^{1}\), and \(RK_{2}^{0}=K_{12}\), compute \(X_{13}^{1}\), \(\varDelta X_{13}^{1}\), \(X_{4}^{0}\), \(\varDelta X_{4}^{0}\), \(X_{5}^{0}\), and \(\varDelta X_{5}^{0}\). Then, store \(X_{10}^{2}\), \(\varDelta X_{10}^{2}\), \(X_{15}^{2}\), \(\varDelta X_{15}^{2}\), \(RK_{6}^{1}=K_{1}+S(K_{0})\), \(X_{7}^{1}\), \(\varDelta X_{7}^{1}\), and \(RK_{2}^{0}=K_{12}\) in \(H_{7}\) indexed by \(X_{13}^{1}\), \(\varDelta X_{13}^{1}\), \(X_{4}^{0}\), \(\varDelta X_{4}^{0}\), \(X_{5}^{0}\), and \(\varDelta X_{5}^{0}\). \(H_{7}\) has \(2^{24}\) rows and on average about \(2^{32}/2^{24}\) = \(2^{8}\) values in each row.

• \(H_{8}\): For all the \(2^{36}\) possible values of \(X_{11}^{2}\), \(\varDelta X_{11}^{2}\), \(X_{14}^{2}\), \(\varDelta X_{14}^{2}\), \(t_{0}^{1}\), \(RK_{7}^{1}=K_{0}\), \(X_{11}^{1}\), \(t_{0}^{0}\), and \(RK_{7}^{0}=K_{31}\), compute \(X_{15}^{1}\), \(\varDelta X_{15}^{1}\), \(X_{14}^{0}\), \(X_{15}^{0}\), and \(\varDelta X_{15}^{0}\). Then, store \(X_{11}^{2}\), \(\varDelta X_{11}^{2}\), \(X_{14}^{2}\), \(\varDelta X_{14}^{2}\), \(RK_{7}^{1}=K_{0}\), \(X_{11}^{1}\), and \(RK_{7}^{0}=K_{31}\) in \(H_{8}\) indexed by \(X_{15}^{1}\), \(\varDelta X_{15}^{1}\), \(X_{14}^{0}\), \(X_{15}^{0}\), \(\varDelta X_{15}^{0}\), \(t_{0}^{1}\), and \(t_{0}^{0}\). \(H_{8}\) has \(2^{28}\) rows and on average about \(2^{36}/2^{28}\) = \(2^{8}\) values in each row.

• \(H_{9}\): For all the \(2^{20}\) possible values of \(X_{2}^{3}\), \(X_{9}^{3}\), \(\varDelta X_{9}^{3}\), \(t_{1}^{2}\), and \(RK_{5}^{2}=K_{26}\), compute \(X_{10}^{2}\), \(\varDelta X_{10}^{2}\), \(X_{11}^{2}\), and \(\varDelta X_{11}^{2}\). Then, store \(X_{9}^{3}\), \(\varDelta X_{9}^{3}\), and \(RK_{5}^{2}=K_{26}\) in \(H_{9}\) indexed by \(X_{10}^{2}\), \(\varDelta X_{10}^{2}\), \(X_{11}^{2}\), \(\varDelta X_{11}^{2}\), and \(t_{1}^{2}\). \(H_{9}\) has \(2^{20}\) rows and on average about \(2^{20}/2^{20}\) = 1 value in each row.

• \(H_{10}\): For all the \(2^{20}\) possible values of \(X_{11}^{3}\), \(\varDelta X_{11}^{3}\), \(X_{14}^{3}\), \(t_{0}^{2}\), and \(RK_{7}^{2}=K_{4}+S(K_{16})\), compute \(X_{14}^{2}\), \(\varDelta X_{14}^{2}\), \(X_{15}^{2}\), and \(\varDelta X_{15}^{2}\). Then, store \(X_{11}^{3}\), \(\varDelta X_{11}^{3}\), \(X_{14}^{3}\), and \(RK_{7}^{2}=K_{4}+S(K_{16})\) in \(H_{10}\) indexed by \(X_{14}^{2}\), \(\varDelta X_{14}^{2}\), \(X_{15}^{2}\), \(\varDelta X_{15}^{2}\), and \(t_{0}^{2}\). \(H_{10}\) has \(2^{20}\) rows and on average about \(2^{20}/2^{20}\) = 1 value in each row.

• \(H_{11}\): For all the \(2^{40}\) possible values of \(X_{7}^{4}\), \(\varDelta X_{7}^{4}\), \(X_{12}^{4}\), \(RK_{2}^{3}=K_{24}\), \(X_{1}^{3}\), \(t_{4}^{2}\), \(RK_{1}^{2}=K_{11}\), \(X_{9}^{2}\), \(t_{1}^{1}\), and \(RK_{5}^{1}=K_{22}\), compute \(X_{5}^{3}\), \(\varDelta X_{5}^{3}\), \(X_{3}^{2}\), \(\varDelta X_{3}^{2}\), \(X_{10}^{1}\), and \(X_{11}^{1}\). Then, store \(X_{7}^{4}\), \(\varDelta X_{7}^{4}\), \(RK_{2}^{3}=K_{24}\), \(RK_{1}^{2}=K_{11}\), and \(RK_{5}^{1}=K_{22}\) in \(H_{11}\) indexed by \(X_{5}^{3}\), \(\varDelta X_{5}^{3}\), \(X_{3}^{2}\), \(\varDelta X_{3}^{2}\), \(X_{10}^{1}\), \(X_{11}^{1}\), \(t_{4}^{2}\), and \(t_{1}^{1}\). \(H_{11}\) has \(2^{32}\) rows and on average about \(2^{40}/2^{32}\) = \(2^{8}\) values in each row.

• \(H_{12}\): For all the \(2^{12}\) possible values of \(X_{7}^{2}\), \(X_{12}^{2}\), and \(RK_{2}^{1}=K_{16}\), compute \(X_{4}^{1}\), and \(X_{5}^{1}\). Then, store \(X_{7}^{2}\), \(X_{12}^{2}\), and \(RK_{2}^{1}=K_{16}\) in \(H_{12}\) indexed by \(X_{4}^{1}\), and \(X_{5}^{1}\). \(H_{12}\) has \(2^{8}\) rows and on average about \(2^{12}/2^{8}\) = \(2^4\) value in each row.

• \(H_{13}\): For all the \(2^{16}\) possible values of \(X_{6}^{2}\), \(X_{13}^{2}\), \(t_{2}^{1}\), and \(RK_{4}^{1}=K_{21}\), compute \(X_{8}^{1}\), and \(X_{9}^{1}\). Then, store \(X_{6}^{2}\), \(X_{13}^{2}\), and \(RK_{4}^{1}=K_{21}\) in \(H_{13}\) indexed by \(X_{8}^{1}\), \(X_{9}^{1}\), and \(t_{2}^{1}\). \(H_{13}\) has \(2^{12}\) rows and on average about \(2^{16}/2^{12}\) = \(2^4\) value in each row.

• \(H_{14}\): For all the \(2^{28}\) possible values of \(X_{2}^{4}\), \(X_{9}^{4}\), \(t_{1}^{3}\), \(\varDelta T_2\), \(RK_{5}^{3}=K_{30}\), \(X_{15}^{3}\), and \(RK_{6}^{2}=K_{5}+S(K_4+S(K_{16}))\), compute \(X_{11}^{3}\), \(\varDelta X_{11}^{3}\), \(X_{12}^{2}\), and \(X_{13}^{2}\). Then, store \(RK_{5}^{3}=K_{30}\), and \(RK_{6}^{2}=K_{5}+S(K_4+S(K_{16}))\) in \(H_{14}\) indexed by \(X_{11}^{3}\), \(\varDelta X_{11}^{3}\), \(X_{12}^{2}\), \(t_{1}^{3}\), \(\varDelta T_2\), and \(X_{13}^{2}\). \(H_{14}\) has \(2^{24}\) rows and on average about \(2^{28}/2^{24}\) = \(2^{4}\) values in each row.

• \(H_{15}\): For all the \(2^{44}\) possible values of \(X_{3}^{5}\), \(\varDelta X_{3}^{5}\), \(X_{8}^{5}\), \(t_{3}^{4}\), \(RK_{3}^{4}=K_{31}+S(K_{7})\), \(X_{13}^{4}\), \(t_{2}^{3}\), \(RK_{4}^{3}=K_{29}\), \(X_{3}^{3}\), \(t_{3}^{2}\), and \(RK_{3}^{2}=K_{23}+S(K_{30})\), compute \(X_{7}^{4}\), \(\varDelta X_{7}^{4}\), \(X_{9}^{3}\), \(\varDelta X_{9}^{3}\), \(X_{6}^{2}\), and \(X_{7}^{2}\). Then, store \(X_{3}^{5}\), \(\varDelta X_{3}^{5}\), \(RK_{4}^{3}=K_{29}\), and \(RK_{3}^{2}=K_{23}+S(K_{30})\) in \(H_{15}\) indexed by \(X_{7}^{4}\), \(\varDelta X_{7}^{4}\), \(X_{9}^{3}\), \(\varDelta X_{9}^{3}\), \(X_{6}^{2}\), \(X_{7}^{2}\), \(t_{3}^{4}\), \(t_{2}^{3}\), \(t_{3}^{2}\), and \(RK_{3}^{4}=K_{31}+S(K_{7})\). \(H_{15}\) has \(2^{40}\) rows and on average about \(2^{44}/2^{40}\) = \(2^{4}\) values in each row.

• \(H_{16}\): For all the \(2^{48}\) possible values of \(X_{1}^{6}\), \(X_{4}^{6}\), \(t_{4}^{5}\), \(\varDelta T_2\), \(RK_{1}^{5}=K_{23}+S(K_{30})\), \(X_{9}^{5}\), \(t_{1}^{4}\), \(RK_{5}^{4}=K_{3}\), \(X_{15}^{4}\), \(RK_{6}^{3}=K_{9}+S(K_{8}+S(K_{20}))\), \(X_{7}^{3}\), and \(RK_{2}^{2}=K_{20}\), compute \(X_{3}^{5}\), \(\varDelta X_{3}^{5}\), \(X_{14}^{3}\), \(X_{8}^{2}\), \(X_{4}^{2}\), and \(X_{5}^{2}\). Then, store \(RK_{5}^{4}=K_{3}\), \(RK_{6}^{3}=K_{9}+S(K_{8}+S(K_{20}))\), and \(RK_{2}^{2}=K_{20}\) in \(H_{16}\) indexed by \(X_{3}^{5}\), \(\varDelta X_{3}^{5}\), \(X_{14}^{3}\), \(X_{8}^{2}\), \(X_{4}^{2}\), \(X_{5}^{2}\), \(RK_{1}^{5}=K_{23}+S(K_{30})\), \(RK_{5}^{4}=K_{3}\), \(t_{4}^{5}\), \(\varDelta T_2\), and \(t_{1}^{4}\). \(H_{16}\) has \(2^{44}\) rows and on average about \(2^{48}/2^{44}\) = \(2^{4}\) values in each row.

• \(H_{17}\): For all the \(2^{20}\) possible values of \(X_{14}^{26}\), \(\varDelta X_{14}^{26}\), \(X_{15}^{26}\), \(t_{0}^{26}\), and \(RK_{7}^{26}= f_1(K_0,K_1,K_4,K_5,K_6,K_7,RK_6^3,K_{10},K_{16},K_{17},K_{18},K_{19},K_{20},K_{21},K_{28},K_{29},K_{30})\), compute \(X_{14}^{27}\), \(\varDelta X_{14}^{27}\), \(X_{15}^{27}\), and \(\varDelta X_{15}^{27}\). Then, store \(X_{14}^{26}\) and \(\varDelta X_{14}^{26}\) in \(H_{17}\) indexed by \(X_{14}^{27}\), \(\varDelta X_{14}^{27}\), \(X_{15}^{27}\), \(\varDelta X_{15}^{27}\), \(RK_{7}^{26}\), and \(t_{0}^{26}\). \(\varDelta X_{15}^{27}\) is chosen such that \(\varDelta X_{15}^{27} \in S[\varDelta X_{14}^{27}]\), see Observation 3. Therefore, \(H_{17}\) has \(7\times 2^{20}\) rows and on average about \(2^{20}/(7\times 2^{20})\) = \((16/7)\times 2^{-4}\) values in each row.

• \(H_{18}\): For all the \(2^{20}\) possible values of \(X_{0}^{26}\), \(X_{1}^{26}\), \(t_{5}^{26}\), \(\varDelta T_2\), and \(RK_{0}^{26}= f_2(K_0,K_1,K_3,K_{16},K_{20},K_{21},RK_{6}^{3}, K_{27},K_{28})\), compute \(X_{0}^{27}\), \(\varDelta X_{1}^{27}\), and \(X_{1}^{27}\). Then, store \(RK_{0}^{26}\) in \(H_{18}\) indexed by \(X_{0}^{27}\), \(\varDelta X_{1}^{27}\), \(X_{1}^{27}\), \(t_{5}^{26}\), and \(\varDelta T_2\). \(\varDelta X_{1}^{27}\) is chosen such that \(\varDelta X_{1}^{27} \in S[\varDelta T_2]\), see Observation 3. Therefore, \(H_{18}\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{19}\): For all the \(2^{28}\) possible values of \(X_{10}^{25}\), \(X_{11}^{25}\), \(t_{1}^{25}\), \(RK_{5}^{25}= f_3(K_0,K_1,K_2,K_4,K_{12},K_{13},RK_{6}^{3},K_{15}, K_{16}, K_{20},K_{21},K_{24},K_{28})\), \(X_{8}^{26}\), \(t_{2}^{26}\), and \(RK_{4}^{26}= f_4(K_0,K_4, K_5,K_{11},K_{16},K_{24})\), compute \(X_{2}^{27}\), \(X_{9}^{27}\), and \(X_{8}^{27}\). Then, store \(X_{11}^{25}\) and \(RK_{5}^{25}\) in \(H_{19}\) indexed by \(X_{2}^{27}\), \(X_{9}^{27}\), \(X_{8}^{27}\), \(RK_{4}^{26}\), \(t_{1}^{25}\), and \(t_{2}^{26}\). \(H_{19}\) has \(2^{24}\) rows and on average about \(2^{28}/2^{24}\) = \(2^4\) values in each row.

• \(H_{20}\): For all the \(2^{44}\) possible values of \(X_{14}^{24}\), \(X_{15}^{24}\), \(t_{0}^{24}\), \(\varDelta T_2\), \(RK_{7}^{24}= f_5( K_0, K_1, K_2, K_{10},K_{11},K_{12},K_{13}, RK_{6}^{3},K_{20},K_{21},K_{22},K_{24},K_{28},K_{29},K_{30})\), \(X_{15}^{25}\),\(t_{0}^{25}\),\(RK_{7}^{25}= f_6(K_0, K_1,K_2,K_{3},K_{4},K_{5},K_{6},K_{12},K_{13},K_{14},K_{15}, K_{16},K_{17},K_{24},K_{25},K_{26},K_{28})\), \(X_{10}^{26}\), \(t_{1}^{26}\),and \(RK_{5}^{26}= f_7(_0,K_1,K_4,K_{5},K_{6},K_{8},K_{12},K_{13},K_{16},K_{17},K_{19},K_{20}, K_{24},K_{25},K_{28})\), compute \(X_{11}^{25}\), \(X_{14}^{27}=X_{14}^{26}\), \(\varDelta X_{14}^{27}=\varDelta X_{14}^{26}\), \(X_{11}^{27}\), \(\varDelta X_{11}^{27}\), and \(X_{10}^{27}\). Then, store \(RK_{7}^{25},RK_{5}^{26}\) in \(H_{20}\) indexed by \(X_{11}^{25}\), \(X_{14}^{26}\), \(\varDelta X_{14}^{26}\), \(X_{11}^{27}\), \(\varDelta X_{11}^{27}\), \(X_{10}^{27}\), \(t_{0}^{24}\), \(\varDelta T_2\), \(RK_{7}^{24}\), \(t_{0}^{25}\), and \(t_{1}^{26}\). \(\varDelta X_{14}^{27}\) and \(\varDelta X_{11}^{27}\) are chosen such that \(\varDelta X_{14}^{27} \in S[\varDelta X_{11}^{27}]\) and \(\varDelta X_{11}^{27} \in S[\varDelta T_2]\), receptively, see Observation 3. Therefore, \(H_{19}\) has \(7^2\times 2^{36}\) rows and on average about \(2^{44}/(7^2\times 2^{36})\) = \({(16/7)}^2\) values in each row.

In the general approach, the round keys involved in the analysis rounds are guessed and the plaintext/ciphertext pairs are filtered to satisfy the differential path leading to the impossible differential distinguisher. Here, we use the above proposed pre-computation tables to deduce the round keys that lead a specific pair of plaintext/ciphertext to the impossible differential. Then, we exclude the deduced keys as they are wrong keys. Our attack proceeds as follows. We initialize an array H of \(2^{31\times 4=124}\) entries to “0”, where each entry is 1-bit and the index of the array is 31 key nibbles involved in the attack, as we will see later. Then we generate \(2^{m}\) structures as described above. Therefore, we have \(2^{m+103}\) pairs of plaintext/ciphertext pairs generated using \(2^{m+48}\) chosen plaintexts. Then, we ask the encryption oracle for their corresponding ciphertexts. The plaintext/ciphertext pairs that satisfy Observation 3 are \(2^{m+103}\times 2^{-10.734}=2^{m+92.266}\) pairs. After the ciphertext filtration, we have only \(2^{m+92.266}\times 2^{-12\times 4}=2^{m+44.266}\) remaining pairs. For each remaining pair, we access the pre-computation tables in sequential order from table \(H_1\) to \(H_{20}\) one by one in order to deduce 31 key nibbles that lead each remaining pair of plaintext/ciphertext to the impossible differential. Then, we mark them in H as invalid “1”. Table 3 summarize these steps by identifying which table will be used and which key nibble is involved in this step in addition to the time complexity of each step.

Remarks on the analysis steps:

1. 1.

   During steps 1–14 and step 18, we directly access the corresponding table to obtain the values of the involved key nibbles. For example, in step 1, we determine the number of possible values of \(RK_{1}^{0}=K_{3}\) that satisfy the path to the impassible differential by accessing \(H_{1}\). Therefore, we have (16/7) possible values for \(K_{3}\).

2. 2.

   During steps 15, 16, 17, 19, and 20, and because some combinations of the key nibbles determined during the previous steps are used in the indexing of the tables \(H_{15}\) to \(H_{20}\), we firstly deduce these indices and then access the corresponding table. For example, during step 15, we deduce the value of \(RK_{3}^{4}=K_{31}+S(K_{7})\) that is used in the indexing of table \(H_{15}\), then determine the number of possible values of \(RK_{4}^{3}=K_{29}\) and \(RK_{3}^{2}=K_{23}+S(K_{30})\) that satisfy the path by accessing \(H_{15}\). After that, the value of \(RK_{3}^{2}=K_{23}+S(K_{30})\) is used to deduce the value of \(K_{23}\) using the determined value of \(K_{30}\) from Step 14.

3. 3.

   During steps 7 and 8, we determine the possible values of \(RK_{6}^{1}=K_{1}+S(K_{0})\) and \(RK_{7}^{1}=K_{0}\), respectively. Therefore, after step 8, we can deduce the values of \(K_1\). In the same manner, we can deduce the values of \(K_4\) and \(K_5\) after steps 10, 12 and 14 where we determine the values of \(RK_{7}^{2}=K_{4}+S(K_{16})\) and \(RK_{2}^{1}=K_{16}\), and \(RK_{6}^{2}=K_5+S(K_4+S(K_{16}))\), respectively.

4. 4.

   During step 17, we deduce the value of \(RK_{7}^{26}= f_1(K_0, K_1, K_4, K_5, K_6, K_7, RK_{6}^{3}, K_{10}, K_{16}, K_{17}, K_{18}, K_{19}, K_{20}, K_{21}, K_{28}, K_{29}, K_{30})\), then determine the values of \(X_{14}^{26}\) and \(\varDelta X_{14}^{26}\) that satisfy the path by accessing \(H_{17}\). Therefore, no new key nibbles are involved during this step but there is a filtration of some keys.

5. 5.

   During steps 18 and 19, we can determine the values of \(RK_{0}^{26}= f_2(K_0, K_1, K_3, K_{16}, K_{20}, K_{21}, {RK_{6}}^3, K_{27}, K_{28})\) and \(RK_{5}^{25}= f_3(K_0, K_1, K_2, K_4, K_{12},K_{13}, RK_{6}^{3}, K_{15}, K_{16}, K_{20}, K_{21}, K_{24}, K_{28})\), respectively. Therefore, we can deduce the values of \(K_{27}\) and \(K_{13}\), respectively, since all the other key nibbles in \(f_2\) and \(f_3\) are determined during the previous steps.

6. 6.

   After step 20, we have \(2^{60}\times (16/7)^{9}\) possible values for \(K_{0}, K_{1}, K_{2}, K_{3}, K_{4}, K_{5}, K_{6}, K_{7}, K_{9}+S(K_8+S(K_{20})), K_{10}, K_{11}, K_{12}, K_{13}, K_{15}, K_{16}, K_{17}, K_{18}, K_{19}, K_{20}, K_{21}, K_{22}, K_{23}, K_{24}, K_{26}, K_{27}, K_{28}, K_{29}, K_{30}, K_{31}, RK_{7}^{25} =f_6(K_{14}, K_{25}), RK_{5}^{26}=f_7(K_{8}, K_{25})\). Hence, we marks them in H as invalid “1” in step 21.

Table 3. Time complexity of the different steps of the attack on 27-round T-TWINE-128, where NK denotes the number of keys to be excluded.

Attack Complexity. As depicted in Fig. 3, we have 37 round keys involved in the analysis rounds. According to the key schedule, these 37 round keys take only \(2^{124}\) possible values (see step 21 in Table 3). As mentioned in step 21, we remove on average \(2^{60}\times {(16/7)}^{9}=2^{70.734}\) out of \(2^{124}\) possible values of these 37 round keys involved in the attack for each pair of the \(2^{m+44.266}\) remaining pairs. Hence, a wrong key is not discarded using one pair with probability \(1-2^{70.734-124}=1-2^{-53.266}\). Therefore, we have \(2^{124}\times (1-2^{-53.266})^{2^{m+44.266}}\approx 2^{124}\times (e^{-1})^{2^{m+44.266-53.266}} \approx 2^{124}\times 2^{-1.4\times 2^{m-9}}\) remaining candidates for 124-bit of the key, after processing all the \(2^{m+44.266}\) remaining pairs. We evaluated the computational complexity of the attack as a function of m, as illustrated in Table 3, to determine the optimal value of m that leads to the best computational complexity. As steps 20 and 21 dominate the time complexity of the attack, see Table 3, we choose \(m=12\) in order to optimize the time complexity of the attack. Therefore, we have \(2^{124}\times 2^{-1.4\times 2^{12-9=3}}=2^{124-11.2}=2^{112.8}\) remaining candidates for 124-bit of the key. The remaining key nibbles can be retrieved by guessing \(K_8\) and exhaustively searching the \(2^{112.8}\) remaining key candidates using 2 plaintext/ciphertext pairs. This step requires \(2\times 2^{4}\times 2^{112.8}=2^{117.8}\) encryptions. Therefore, the time complexity of the attack is \(2^{120.245} + 2^{119.245} + 2^{117.8} \approx 2^{120.83}\) encryptions. The data complexity of the attack is \(2^{m+4\times 13 } = 2^{64}\) chosen tweak/plaintext combinations that can be generated using \(2^{m+48}=2^{60}\) chosen plaintexts. The memory complexity of the attack is dominated by the memory that is required to store H. Hence, the memory complexity is \(2^{124}\times 2^{-6}=2^{118}\) 64-bit blocks.

5 Impossible Differential Key-Recovery Attack on 25-Round T-TWINE-80

In this section, we present the first attack on 25-round T-TWINE-80 in the chosen-tweak model. We use the notion of data structures to generate enough pairs of messages to launch the attack. Our utilized structure takes all the possible values in 7 nibbles \(X_{0}^{0}\), \(X_{1}^{0}\), \(X_{3}^{0}\), \(X_{10}^{0}\), \(X_{11}^{0}\), \(X_{14}^{0}\), \(X_{15}^{0}\) while the remaining nibbles take a fixed value. In addition, we choose the tweak \(T_7\) such that it takes all the values. Thus, one structure generates \(2^{4\times 8}\times (2^{4\times 8}-1)/2\approx 2^{63}\) possible pairs. Hence, we have \(2^{63}\) possible pairs of messages satisfying the plaintext differences. In addition, we utilize the following pre-computation tables in order to efficiently extract/filter the round keys involved in the analysis rounds. Note that, for the 7 round keys that are involved in the 3 rounds below the distinguisher, we wrote them as 7 functions \(f_1,f_2,f_3,f_4,f_5,f_6,f_7\) of the key nibbles that are not involved in the above analysis rounds, \(K_0,K_2,K_5,K_7,K_9,K_{10},K_{11}, K_{12},K_{13}\), and ignored the other key nibbles as they are known.

• \(H_1\): For all the \(2^{20}\) possible values of \(X_{0}^{1}\), \(X_{5}^{1}\), \(\varDelta X_{5}^{1}\), \(t_{5}^{0}\) and \(RK_{0}^{0}=K_1\), compute \(X_{0}^{0}\), \(\varDelta X_{0}^{0}\), \(X_{1}^{0}\), and \(\varDelta X_{1}^{0}\). Then, store \(X_{5}^{1}\), \(\varDelta X_{5}^{1}\), and \(RK_{0}^{0}=K_1\) in \(H_1\) indexed by \(X_{0}^{0}\), \(\varDelta X_{0}^{0}\), \(X_{1}^{0}\), \(\varDelta X_{1}^{0}\), and \(t_{5}^{0}\). \(\varDelta X_{1}^{0}\) is chosen such that \(\varDelta X_{1}^{0} \in S[\varDelta X_{0}^{0}]\), see Observation 4. Therefore, \(H_1\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_2\): For all the \(2^{20}\) possible values of \(X_{2}^{1}\), \(X_{9}^{1}\), \(\varDelta X_{9}^{1}\), \(t_{1}^{0}\), and \(RK_{5}^{0}=K_{14}\), compute \(X_{10}^{0}\), \(\varDelta X_{10}^{0}\), \(X_{11}^{0}\), and \(\varDelta X_{11}^{0}\). Then, store \(X_{9}^{1}\), \(\varDelta X_{9}^{1}\), and \(RK_{5}^{0}=K_{14}\) in \(H_2\) indexed by \(X_{10}^{0}\), \(\varDelta X_{10}^{0}\), \(X_{11}^{0}\), \(\varDelta X_{11}^{0}\), and \(t_{1}^{0}\). \(\varDelta X_{11}^{0}\) is chosen such that \(\varDelta X_{11}^{0} \in S[\varDelta X_{10}^{0}]\), see Observation 4. Therefore, \(H_2\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{3}\): For all the \(2^{20}\) possible values of \(X_{11}^{1}\), \(\varDelta X_{11}^{1}\), \(X_{14}^{1}\), \(t_{0}^{0}\), and \(RK_{7}^{0}=K_{16}\), compute \(X_{14}^{0}\), \(\varDelta X_{14}^{0}\), \(X_{15}^{0}\), and \(\varDelta X_{15}^{0}\). Then, store \(X_{11}^{1}\), \(\varDelta X_{11}^{1}\), \(X_{14}^{1}\), and \(RK_{7}^{0}=K_{16}\) in \(H_{3}\) indexed by \(X_{14}^{0}\), \(\varDelta X_{14}^{0}\), \(X_{15}^{0}\), \(\varDelta X_{15}^{0}\), and \(t_{0}^{0}\). \(\varDelta X_{15}^{0}\) is chosen such that \(\varDelta X_{15}^{0} \in S[\varDelta X_{14}^{0}]\), see Observation 4. Therefore, \(H_{3}\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{4}\): For all the \(2^{28}\) possible values of \(X_{7}^{2}\), \(\varDelta X_{7}^{2}\), \(X_{12}^{2}\), \(RK_{2}^{1}=K_8\), \(X_{1}^{1}\), \(t_{4}^{0}\), and \(RK_{1}^{0}=K_{3}\), compute \(X_{5}^{1}=X_{0}^{0}\), \(\varDelta X_{5}^{1} = \varDelta X_{0}^{0}\), \(X_{2}^{0}\), \(X_{3}^{0}\), and \(\varDelta X_{3}^{0}\). Then, store \(X_{7}^{2}\), \(\varDelta X_{7}^{2}\), \(RK_{2}^{1}=K_8\), and \(RK_{1}^{0}=K_{3}\) in \(H_{4}\) indexed by \(X_{5}^{1}=X_{0}^{0}\), \(\varDelta X_{5}^{1} = \varDelta X_{0}^{0}\), \(X_{2}^{0}\), \(X_{3}^{0}\), \(\varDelta X_{3}^{0}\), and \(t_{4}^{0}\). \(\varDelta X_{0}^{0}\) is chosen such that \(\varDelta X_{0}^{0} \in S[\varDelta X_{3}^{0}]\), see Observation 4. Therefore, \(H_{4}\) has \(7\times 2^{20}\) rows and on average about \(2^{28}/(7\times 2^{20})\) = \((16/7)\times 2^{4}\) values in each row.

• \(H_{5}\): For all the \(2^{28}\) possible values of \(X_{2}^{2}\), \( X_{9}^{2}\), \(t_{1}^{1}\), \(\varDelta T_7\), \(RK_{5}^{1}=K_{18}\), \(X_{15}^{1}\), and \(RK_{6}^{0}=K_{15}\), compute \(X_{14}^{0}=X_{11}^{1}\), \(\varDelta X_{14}^{0}=\varDelta X_{11}^{1}\), \(X_{12}^{0}\), and \(X_{13}^{0}\). Then, store \(RK_{5}^{1}=K_{18}\) and \(RK_{6}^{0}=K_{15}\) in \(H_{5}\) indexed by \(X_{11}^{1}\), \(\varDelta X_{11}^{1}\), \(X_{12}^{0}\), \(X_{13}^{0}\), \(t_{1}^{1}\), and \(\varDelta T_7\). \(\varDelta X_{14}^{0}\) is chosen such that \(\varDelta X_{14}^{0} \in S[\varDelta T_7]\), see Observation 4. Therefore, \(H_{5}\) has \(7\times 2^{20}\) rows and on average about \(2^{28}/(7\times 2^{20})\) = \((16/7)\times 2^{4}\) values in each row.

• \(H_{6}\): For all the \(2^{44}\) possible values of \(X_{3}^{3}\), \(\varDelta X_{3}^{3}\), \(X_{8}^{3}\), \(t_{3}^{2}\), \(RK_{3}^{2}=K_{14}\), \(X_{13}^{2}\), \(t_{2}^{1}\), \(RK_{4}^{1}=K_{17}\), \(X_{3}^{1}\), \(t_{3}^{0}\), and \(RK_{3}^{0}=K_{6}\), compute \(X_{7}^{2}\), \(\varDelta X_{7}^{2}=\varDelta X_{3}^{0}\), \(X_{9}^{1}\), \(\varDelta X_{9}^{1}=\varDelta X_{10}^{0}\), \(X_{6}^{0}\), and \(X_{7}^{0}\). Then, store \(X_{3}^{3}\), \(\varDelta X_{3}^{3}\), \(RK_{3}^{2}=K_{14}\), \(RK_{4}^{1}=K_{17}\), and \(RK_{3}^{0}=K_{6}\) in \(H_{6}\) indexed by \(X_{7}^{2}\), \(\varDelta X_{7}^{2}=\varDelta X_{3}^{0}\), \(X_{9}^{1}\), \(\varDelta X_{9}^{1}=\varDelta X_{10}^{0}\), \(X_{6}^{0}\), \(X_{7}^{0}\), \(t_{3}^{2}\), \(t_{2}^{1}\), \(t_{3}^{0}\), and \(RK_{3}^{2}=K_{14}\). \(\varDelta X_{3}^{0}\) is chosen such that \(\varDelta X_{3}^{0} \in S[\varDelta X_{10}^{0}]\), see Observation 4. Therefore, \(H_{6}\) has \(7\times 2^{36}\) rows and on average about \(2^{44}/(7\times 2^{36})\) = \((16/7)\times 2^{4}\) values in each row.

• \(H_{7}\): For all the \(2^{48}\) possible values of \(X_{1}^{4}\), \(X_{4}^{4}\), \(t_{4}^{3}\), \(\varDelta T_7\), \(RK_{1}^{3}=K_{15}\), \(X_{9}^{3}\), \(t_{1}^{2}\), \(RK_{5}^{2}=K_{3}\), \(X_{15}^{2}\), \(RK_{6}^{1}=K_{19}\), \(X_{7}^{1}\), and \(RK_{2}^{0}=K_{4}\), compute \(X_{3}^{3}\), \(\varDelta X_{10}^{0}= \varDelta X_{3}^{3}\), \(X_{14}^{1}\), \(X_{8}^{0}\), \(X_{4}^{0}\), and \(X_{5}^{0}\). Then, store \(RK_{1}^{3}=K_{15}\), \(RK_{5}^{2}=K_{3}\), \(RK_{6}^{1}=K_{19}\), and \(RK_{2}^{0}=K_{4}\) in \(H_{7}\) indexed by \(X_{3}^{3}\), \(\varDelta X_{10}^{0}=\varDelta X_{3}^{3}\), \(X_{14}^{1}\), \(X_{8}^{0}\), \(X_{4}^{0}\), \(X_{5}^{0}\), \(RK_{1}^{3}=K_{15}\), \(RK_{5}^{2}=K_{3}\), \(t_{4}^{3}\), \(\varDelta T_7\), and \(t_{1}^{2}\). \(\varDelta X_{10}^{0}\) is chosen such that \(\varDelta X_{10}^{0} \in S[\varDelta T_7]\), see Observation 4. Therefore, \(H_{7}\) has \(7\times 2^{40}\) rows and on average about \(2^{48}/(7\times 2^{40})\) = \((16/7)\times 2^{4}\) values in each row.

• \(H_{8}\): For all the \(2^{20}\) possible values of \(X_{0}^{24}\), \(X_{1}^{24}\), \(t_{5}^{24}\), \(\varDelta T_7\), and \(RK_{0}^{24}= f_1(K_0,K_2, K_5,K_{9},K_{10},K_{12},K_{13})\), compute \(X_{0}^{25}\), \(\varDelta X_{1}^{25}\), and \(X_{1}^{25}\). Then, store \(RK_{0}^{24}\) in \(H_{8}\) indexed by \(X_{0}^{25}\), \(\varDelta X_{1}^{25}\), \(X_{1}^{25}\), \(t_{5}^{24}\), and \(\varDelta T_7\). \(\varDelta X_{1}^{25}\) is chosen such that \(\varDelta X_{1}^{25} \in S[\varDelta T_7]\), see Observation 4. Therefore, \(H_{8}\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{9}\): For all the \(2^{20}\) possible values of \(X_{14}^{24}\), \(\varDelta X_{14}^{24}\), \(X_{15}^{24}\), \(t_{0}^{24}\), and \(RK_{7}^{24}= f_2(K_0, K_2, K_5, K_{7}, K_{9}, K_{10}, K_{11}, K_{12}, K_{13})\), compute \(X_{14}^{25}\), \(\varDelta X_{14}^{25}\), \(X_{15}^{25}\), and \(\varDelta X_{15}^{25}\). Then, store \(X_{14}^{24}\), \(\varDelta X_{14}^{24}\), and \(RK_{7}^{24}= f_2(K_0, K_2, K_5, K_{7}, K_{9}, K_{10}, K_{11}, K_{12}, K_{13})\) in \(H_{9}\) indexed by \(X_{14}^{25}\), \(\varDelta X_{14}^{25}\), \(X_{15}^{25}\), \(\varDelta X_{15}^{25}\), and \(t_{0}^{24}\). \(\varDelta X_{15}^{25}\) is chosen such that \(\varDelta X_{15}^{25} \in S[\varDelta X_{14}^{25}]\), see Observation 4. Therefore, \(H_{9}\) has \(7\times 2^{16}\) rows and on average about \(2^{20}/(7\times 2^{16})\) = 16/7 values in each row.

• \(H_{10}\): For all the \(2^{32}\) possible values of \(X_{14}^{23}\), \(\varDelta X_{14}^{23}\), \(X_{15}^{23}\), \(t_{0}^{23}\), \(RK_{7}^{23}= f_3(K_0,K_2, K_5,K_{7},K_{9},K_{10},K_{11},K_{12},K_{13})\), \(X_{10}^{24}\), \(t_{1}^{24}\), and \(RK_{5}^{24}= f_4(K_0,K_2,K_5,K_{7},K_{9}, K_{10},K_{11},K_{12},K_{13})\), compute \(X_{14}^{25}=X_{14}^{24}\), \(\varDelta X_{14}^{25} =\varDelta X_{14}^{24}\), \(X_{11}^{25}\), \(\varDelta X_{11}^{25}\), and \(X_{10}^{25}\). Then, store \(X_{14}^{23}\), \(\varDelta X_{14}^{23}\), \(RK_{7}^{23}= f_3(K_0,K_2,K_5,K_{7},K_{9},K_{10},K_{11},K_{12},K_{13})\), and \(RK_{5}^{24}= f_4(K_0,K_2,K_5,K_{7},K_{9},K_{10},K_{11},K_{12},K_{13})\) in \(H_{10}\) indexed by \(X_{14}^{25}=X_{14}^{24}\), \(\varDelta X_{14}^{25} =\varDelta X_{14}^{24}\), \(X_{11}^{25}\), \(\varDelta X_{11}^{25}\), \(X_{10}^{25}\), \(t_{0}^{23}\), and \(t_{1}^{24}\). \(\varDelta X_{14}^{25}\) is chosen such that \(\varDelta X_{14}^{25} \in S[\varDelta X_{11}^{25}]\), see Observation 4. Therefore, \(H_{10}\) has \(7\times 2^{24}\) rows and on average about \(2^{32}/(7\times 2^{24})\) = \((16/7)\times 2^4\) values in each row.

• \(H_{11}\): For all the \(2^{44}\) possible values of \(X_{14}^{22}\), \(X_{15}^{22}\), \(t_{0}^{22}\), \(\varDelta T_7, RK_{7}^{22}= f_5(K_0,K_2, K_5,K_{7},K_{9},K_{10},K_{11},K_{12},K_{13})\), \(X_{10}^{23}\), \(t_{1}^{23}\),\(RK_{5}^{23}= f_6(K_0,K_2,K_5,K_{7},K_{9},K_{10},K_{11}, K_{12},K_{13})\), \(X_{8}^{24}\), \(t_{2}^{24}\), and \(RK_{4}^{24}= f_7(K_0,K_2,K_5,K_{9},K_{10},K_{12},K_{13})\), compute \(X_{14}^{23}\), \(\varDelta X_{11}^{25}= \varDelta X_{14}^{23}\), \(X_{2}^{25}\), \(X_{9}^{25}\), and \(X_{8}^{25}\). Then, store \(RK_{7}^{22}= f_5(K_0,K_2,K_5,K_{7},K_{9}, K_{10},K_{11},K_{12},K_{13} )\), \(RK_{5}^{23}= f_6( K_0,K_2,K_5,K_{7},K_{9},K_{10},K_{11},K_{12},K_{13} )\), and \(RK_{4}^{24}= f_7( K_0,K_2,K_5,K_{9},K_{10},K_{12},K_{13})\) in \(H_{11}\) indexed by \(X_{14}^{23}\), \(\varDelta X_{11}^{25}= \varDelta X_{14}^{23}\), \(X_{2}^{25}\), \(X_{9}^{25}\), \(X_{8}^{25}\), \(t_{0}^{22}\), \(\varDelta T_7\), \(t_{1}^{23}\), and \(t_{2}^{24}\). \(\varDelta X_{11}^{25}\) is chosen such that \(\varDelta X_{11}^{25} \in S[\varDelta T_7]\), see Observation 4. Therefore, \(H_{11}\) has \(7\times 2^{32}\) rows and on average about \(2^{44}/(7\times 2^{32})\) = \({(16/7)}\times 2^8\) values in each row.

Our attack proceeds as follows. We initialize an array H of \(2^{18\times 4=72}\) entries to “0”, where each entry is 1-bit and the index of the array is 18 key nibbles involved in the attack, as we will see later. Then, we generate \(2^{m}\) structures as described above. Therefore, we have \(2^{m+63}\) pairs of plaintext/ciphertext pairs generated using \(2^{m+28}\) chosen plaintexts. Next, we ask the encryption oracle for their corresponding ciphertexts. The plaintext/ciphertext pairs that satisfy Observation 4 are \(2^{m+63}\times 2^{-13.119}=2^{m+49.881}\) pairs. After the ciphertext filtration, we have only \(2^{m+49.881}\times 2^{-12\times 4}=2^{m+1.881}\) remaining pairs. For each remaining pair, we perform the following steps:

1. 1.

   Determine the number of possible values of \(RK_{0}^{0}=K_{1}\) that satisfy the path by accessing \(H_{1}\). Therefore, we have (16/7) possible values for \(K_{1}\).

2. 2.

   Determine the number of possible values of \(RK_{5}^{0}=K_{14}\) that satisfy the path by accessing \(H_{2}\). Therefore, we have \((16/7)^{2}\) possible values for \(K_{1},K_{14}\).

3. 3.

   Determine the number of possible values of \(RK_{7}^{0}=K_{16}\) that satisfy the path by accessing \(H_{3}\). Therefore, we have \((16/7)^{3}\) possible values for \(K_{1},K_{14},K_{16}\).

4. 4.

   Determine the number of possible values of \(RK_{2}^{1}=K_{8},RK_{1}^{0}=K_{3}\) that satisfy the path by accessing \(H_{4}\). Therefore, we have \(2^{4}\times (16/7)^{4}\) possible values for \(K_{1},K_{3},K_{8},K_{14},K_{16}\).

5. 5.

   Determine the number of possible values of \(RK_{5}^{1}=K_{18},RK_{6}^{0}=K_{15}\) that satisfy the path by accessing \(H_{5}\). Therefore, we have \(2^{8}\times (16/7)^{5}\) possible values for \(K_{1},K_{3},K_{8},K_{14},K_{15},K_{16},K_{18}\).

6. 6.

   Determine the number of possible values of \(RK_{3}^{2}=K_{14},RK_{4}^{1}=K_{17},RK_{3}^{0} =K_{6}\) that satisfy the path by accessing \(H_{6}\). Therefore, we have \(2^{12}\times (16/7)^{6}\) possible values for \(K_{1},K_{3},K_{6},K_{8},K_{14},K_{15},K_{16},K_{17},K_{18}\).

7. 7.

   Determine the number of possible values of \(RK_{1}^{3}=K_{15},RK_{5}^{2}=K_{3},RK_{6}^{1} =K_{19},RK_{2}^{0}=K_{4}\) that satisfy the path by accessing \(H_{7}\). Therefore, we have \(2^{16}\times (16/7)^{7}\) possible values for \(K_{1},K_{3},K_{4},K_{6},K_{8},K_{14},K_{15},K_{16},K_{17},K_{18}, K_{19}\).

8. 8.

   Determine the number of possible values of \(RK_{0}^{24}\) that satisfy the path by accessing \(H_{8}\). Therefore, we have \(2^{16}\times (16/7)^{8}\) possible values for \(K_{1},K_{3},K_{4},K_{6},K_{8},K_{14},K_{15},K_{16},K_{17},K_{18}, K_{19},RK_{0}^{24}\).

9. 9.

   Determine the number of possible values of \(RK_{7}^{24}\) that satisfy the path by accessing \(H_{9}\). Therefore, we have \(2^{16}\times (16/7)^{9}\) possible values for \(K_{1},K_{3},K_{4},K_{6}, K_{8},K_{14},K_{15},K_{16},K_{17},K_{18},K_{19},RK_{0}^{24},RK_{7}^{24}\).

10. 10.

    Determine the number of possible values of \(RK_{7}^{23},RK_{5}^{24}\) that satisfy the path by accessing \(H_{10}\). Therefore, we have \(2^{20}\times (16/7)^{10}\) possible values for \(K_{1},K_{3},K_{4},K_{6},K_{8},K_{14},K_{15},K_{16},K_{17},K_{18},K_{19}, RK_{0}^{24}, RK_{7}^{24}, RK_{7}^{23}, RK_{5}^{24}\).

11. 11.

    Determine the number of possible values of \(RK_{7}^{22},RK_{5}^{23},RK_{4}^{24}\) that satisfy the path by accessing \(H_{11}\). Therefore, we have \(2^{28}\times (16/7)^{11}\) possible values for \(K_{1},K_{3},K_{4},K_{6},K_{8},K_{14},K_{15},K_{16},K_{17}, K_{18}, K_{19}, RK_{0}^{24},RK_{7}^{24},RK_{7}^{23},RK_{5}^{24},RK_{7}^{22},RK_{5}^{23}, RK_{4}^{24}\).

12. 12.

    The deduced \(2^{28}\times (16/7)^{11}\) values for 18 key nibbles, \(K_{1},K_{3},K_{4},K_{6},K_{8},K_{14}, K_{15},K_{16},K_{17},K_{18},K_{19}, RK_{0}^{24},RK_{7}^{24},RK_{7}^{23},RK_{5}^{24},RK_{7}^{22}, K_{5}^{23}, RK_{4}^{24}\), involved in the attack are wrong keys. Hence, mark them in H invalid “1”.

Attack Complexity. As depicted in Fig. 4, we have 22 round keys involved in the analysis rounds. According to the key schedule, these 22 round keys take only \(2^{72}\) possible values (see step 12 in Table 4). As mentioned in step 12, we remove on average \(2^{28}\times {(16/7)}^{11}=2^{41.119}\) out of \(2^{72}\) possible values of these 22 round keys involved in the attack for each pair of the \(2^{m+1.881}\) remaining pairs. Hence, a wrong key is not discarded using one pair with probability \(1-2^{41.119-72}=1-2^{-30.881}\). Therefore, we have \(2^{72}\times (1-2^{-30.881})^{2^{m+1.881}}\approx 2^{72}\times (e^{-1})^{2^{m+1.881-30.881}} \approx 2^{72}\times 2^{-1.4\times 2^{m-29}}\) remaining candidates for 72-bit of the key, after processing all the \(2^{m+1.881}\) remaining pairs. We evaluated the computational complexity of the attack as a function of m, as illustrated in Table 4, to determine the optimal value of m that leads to the best computational complexity. As steps 11 and 12 dominate the time complexity of the attack, see Table 4, we choose \(m=33.5\) in order to optimize the time complexity of the attack. Therefore, we have \(2^{72}\times 2^{-1.4\times 2^{33.5-29=4.5}}=2^{72-31.678}=2^{40.322}\) remaining candidates for 72-bit of the key. These 72-bit of the key include 11 master key nibbles and 7 round key nibbles. To retrieve the whole master key, we perform the following steps:

1. 1.

   Retrieve \(K_{10}\) from \(RK_{4}^{24}\) by guessing the 6 key nibbles \(K_0,K_2,K_5,K_9,K_{12}, K_{13}\). Since this step includes 18 S-box operations, it requires \(2^{40.322+24=64.322}\times \frac{18}{8\, \times \, 25}\approx 2^{60.848}\) encryptions. Since \(RK_{4}^{24}\) and \(RK_{0}^{24}\) are functions in the same nibbles of the master key, we can compute \(RK_{0}^{24}\) using the retrieved \(K_{10}\) and then match the computed value with its value in the remaining candidate key. As a result, we have 4-bit filtration. Hence, we have only \(2^{40.322+24-4=60.322}\) remaining key candidates. This step requires \(2^{40.322+24=64.322}\times \frac{37}{8\, \times \, 25}\approx 2^{61.888}\) encryptions.

2. 2.

   Using the same technique, retrieve \(K_7\) from \(RK_{5}^{23}\) by guessing \(K_{11}\). This step requires \(2^{60.322+4=64.322}\times \frac{90}{8\, \times \, 25}\approx 2^{63.167}\) encryptions. Since \(RK_{5}^{24}\) is also a function in the same nibbles of the master key, we can compute it using the retrieved \(K_{7}\) and compare it with its value in the remaining candidate. As a result, we have 4-bit filtration. Hence, we have only \(2^{60.322+4-4=60.322}\) 80-bit remaining key candidates. This step requires \(2^{60.322+4=64.322}\times \frac{112}{8\, \times \, 25}\approx 2^{63.485}\). Then, we perform the previous filtration to the following round key nibbles \(RK_{7}^{22}\), \(RK_{7}^{23}\), and \(RK_{7}^{24}\). Finally, we have another 3 4-bit filtrations. Therefore, we have only \(2^{60.322-12}=2^{48.322}\) remaining candidates for the whole master key. The time complexity of this step is dominated by \(2^{64.335}\) encryptions.

The right master key can be retrieved by exhaustively searching the \(2^{48.322}\) remaining key candidates using 2 plaintext/ciphertext pairs. This step requires \(2\times 2^{48.322}=2^{49.322}\) encryptions. Therefore, the time complexity of the attack is dominated by steps 11 and 12 in Table 4 which requires \(2^{70.441} + 2^{68.856} \approx 2^{70.86}\) encryptions, see Table 4. The data complexity of the attack is \(2^{m+4\times 8}=2^{65.5}\) chosen tweak/plaintext combinations that can be generated using \(2^{m+28}=2^{61.5}\) chosen plaintexts. The memory complexity of the attack is dominated by the memory that is required to store H. Hence, the memory complexity is \(2^{72}\times 2^{-6}=2^{66}\) 64-bit blocks.

6 Conclusion

In this work, we presented two impossible differential attacks against reduced-round versions of T-TWINE. Both attacks use our proposed 18-round impossible differential distinguisher. To the best of our knowledge, this distinguisher is the first valid 18-round distinguisher. Utilizing this distinguisher, we launched 25-round and 27-round attacks on T-WINE-80 and T-TWINE-128, respectively. The presented attacks are the first published attacks against both versions of T-TWINE.

Table 4. Time complexity of the different steps of the attack on 25-round T-TWINE-80, where NK denotes the number of keys to be excluded.

A 18-round Impossible Differential Characteristic as Depicted in Figure 8 of [15]

Fig. 5.

18-round impossible differential characteristic as depicted in Figure 8 of [15] with .