Paper 2021/1310
Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round TweAES
Chao Niu, Muzhou Li, Meiqin Wang, Qingju Wang, and Siu-Ming Yiu
Abstract
We consider the related-tweak impossible differential cryptanalysis of TweAES. It is one of the underlying primitives of the Authenticated Encryption with Associated Data (AEAD) scheme ESTATE, which was accepted as one of the second-round candidates in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of TweAES, which show what kinds of distinguishers are more effective in recovering keys. With the help of the automatic solver Simple Theorem Prover (STP), we achieve many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that have just one active byte. Then, we implement 8-round key recovery attacks against TweAES based on one of these 5.5-round distinguishers. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against TweAES, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack of TweAES in the design document. Our 8-round key recovery attack is the best one against TweAES in terms of the number of rounds and complexities so far.
Metadata
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. SAC 2021
- Keywords
- TweAES, Tweakable block ciphers, Related-tweak, Impossible differential cryptanalysis
- Contact author(s)
- mqwang @ sdu edu cn
- History
- 2021-09-28: received
- Short URL
- https://ia.cr/2021/1310
- License
- CC BY
BibTeX
@misc{cryptoeprint:2021/1310,
      author = {Chao Niu and Muzhou Li and Meiqin Wang and Qingju Wang and Siu-Ming Yiu},
      title = {Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round {TweAES}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/1310},
      year = {2021},
      url = {https://eprint.iacr.org/2021/1310}
}