Generalized MitM attacks on full TWINE

TWINE is a lightweight block cipher which employs a generalized Feistel structure with 16 nibble-blocks. It has two versions: TWINE-80 and TWINE-128, both have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we propose a low data complexity key recovery attack on the full cipher. This attack is inspired by the 3-subset Meet-in-the-Middle (MitM) attack. However, in our attack, we remove the restrictions of the 3-subset MitM by allowing the key to be partitioned into n≥3 subsets and by not restricting these subsets to be independent. To improve the computational complexity of the attack, we adopt a recomputation strategy similar to the one used in the original biclique attack. Adopting this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 2ˆ7ˆ8ˆ.ˆ7ˆ4 and 2ˆ1ˆ2ˆ6ˆ.ˆ1, respectively. Both attacks require only two plaintext-ciphertext pairs. Furthermore, by combining our technique with a splice-and-cut approach, we gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext-ciphertext pairs.