Then, we introduce alternative representations of both the round function of this block cipher and of a sequence of 4 rounds. LBlock, another lightweight block cipher, turns out to exhibit the same behaviour. Then, we illustrate how this alternative representation can shed new light on the security of TWINE by deriving high probability iterated truncated differential trails covering 4 rounds with probability $2^{-16}$.
The importance of these is shown by combining different truncated differential trails to attack 23-rounds TWINE-128 and by giving a tighter lower bound on the high probability of some differentials by clustering differential characteristics following one of these truncated trails. A comparison between these high probability differentials and those recently found in a variant of LBlock by Leurent highlights the importance of considering the whole distribution of the coefficients in the difference distribution table of a S-Box and not only their maximum value.
Category / Keywords: secret-key cryptography / TWINE, LBlock, meet-in-the-middle, truncated differential, cryptanalysis Original Publication (in the same form): IACR-FSE-2015 Date: received 13 Mar 2015, last revised 19 Mar 2015 Contact author: patrick derbez at uni lu Available format(s): PDF | BibTeX Citation Note: IACR copyright agreement added. Version: 20150319:150405 (All versions of this report) Short URL: ia.cr/2015/240 Discussion forum: Show discussion | Start new discussion