Paper 2025/1339

Breaking the Twinkle Authenticated Encryption Scheme and Analyzing Its Underlying Permutation

Debasmita Chakraborty, Graz University of Technology, Graz, Austria
Hosein Hadipour, Ruhr University Bochum, Bochum, Germany
Anup Kumar Kundu, Indian Statistical Institute, Kolkata 700108, India
Mostafizar Rahman, Kyoto University, Kyoto, Japan
Prathamesh Ram, Indian Institute of Technology Bhilai, India
Yu Sasaki, NTT Social Informatics Laboratories and NIST Associate, Tokyo, Japan
Dilip Sau, Indian Institute of Technology Kharagpur, India
Aman Sinha, Nanyang Technological University, Singapore
Abstract

This paper studies the Twinkle family of low-latency symmetric key schemes designed by Wang et al. (CiC 2024). In particular, it presents cryptanalysis of both the mode and the underlying primitive. Twinkle is a PRF-based design, and an authenticated encryption scheme Twinkle-AE is specified based on a dedicated PRF called Twinkle-PRF. To achieve low latency, Twinkle-PRF uses a large key and state to produce sufficient randomness in a single step. Twinkle-AE uses a 1024- or 512-bit key for authentication and generates a $t$-bit tag, where $t \in \{64, 128\}$. It claims to provide $t$ bits of integrity. Several Twinkle-AE parameter sets claim higher confidentiality than integrity. In this setup, for any ciphertext, an adversary can obtain the message after $O(2^t)$ decryption attempts by guessing the tag, allowing attacks in the chosen-ciphertext setting. We show that a 1024- or 512-bit authentication key can be recovered using only $O(2^t)$ queries. The recovered authentication key enables the generation of valid ciphertexts for arbitrary plaintexts, thus achieving universal forgery. In the second part of the paper, we perform cryptanalysis on reduced-round variants of the 1280-bit public permutation Twinkle-P, which serves as a core component of Twinkle-PRF. We investigate impossible differential, zero-correlation linear, integral, and differential-linear distinguishers by developing automated analytic tools. We provide practical distinguishers for up to 5 rounds, and the longest distinguisher reaches 6 rounds with a complexity of $2^{74.32}$. This surpasses the round bounds evaluated by the designers. We stress that our attacks on mode exploits the gap between the claimed confidentiality and integrity levels, thus have no impact on the parameter sets having the same security level. Our attacks on the permutation do not have any significant impact on the whole specifications. Moreover, we note that Twinkle-AE-512b/Twinkle-AE-1024b and Twinkle-PA remain secure, and the versions we attacked would also be secure if the claimed confidentiality level matched the integrity level.

Note: The source code of our tools is available at: https://github.com/hadipourh/twinkle

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Selected Areas in Cryptography 2025 (SAC 2025)
Keywords
CryptanalysisLightweight cryptographyLow-latency primitiveTwinkleauthenticationconfidentialitypermutation
Contact author(s)
debasmitachakraborty1 @ gmail com
hsn hadipour @ gmail com
anupkundumath @ gmail com
mrahman454 @ gmail com
rprathamesh @ iitbhilai ac in
yusk sasaki @ ntt com
dilip sau @ kgpian iitkgp ac in
aman0804 @ gmail com
History
2025-07-23: approved
2025-07-22: received
See all versions
Short URL
https://ia.cr/2025/1339
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/1339,
      author = {Debasmita Chakraborty and Hosein Hadipour and Anup Kumar Kundu and Mostafizar Rahman and Prathamesh Ram and Yu Sasaki and Dilip Sau and Aman Sinha},
      title = {Breaking the Twinkle Authenticated Encryption Scheme and Analyzing Its Underlying Permutation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1339},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1339}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.