Related-Key Rectangle Attacks on Round-Reduced TWINE
摘要
TWINE, a lightweight block cipher based on the Generalized Feistel Structure, was proposed by Suzaki et al. in SAC 2012. Since TWINE was proposed, its security has attracted considerable attention. However, to the best of our knowledge, no prior work has been published on related-key rectangle attacks against TWINE. Therefore, in this paper, we provide a comprehensive security evaluation of TWINE in the context of such attacks. Our approach focuses on the construction of key-recovery-friendly related-key boomerang distinguisher. Building upon the method of searching single-key boomerang distinguishers proposed by Hadipour et al., we model the precise differential characteristics (rather than the truncated differential characteristics) over the \(r_0\) and \(r_1\) rounds. Additionally, we model the propagation of both precise and truncated differential characteristics for the round function and key schedule and constrain the number of active S-boxes in the input and output of the boomerang distinguishers. As a result, we present the longest-known distinguishers for both TWINE-80 and TWINE-128. Using these distinguishers, we perform related-key rectangle attacks that improve upon previous results. Specifically, leveraging a 21-round boomerang distinguisher, we successfully mount a 25-round related-key rectangle attack on TWINE-80, improving upon the previous attack by one round. For TWINE-128, we conduct a 28-round related-key rectangle attack using a 23-round boomerang distinguisher, significantly reducing the time complexity required for the attack.