Differential Analysis and Meet-in-the-Middle Attack Against Round-Reduced TWINE

TWINE is a recent lightweight block cipher based on a Feistel structure. We rst present two new attacks on TWINE-128 reduced to 25 rounds that have a slightly higher overall complexity than the 25round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity. Then, we introduce alternative representations of both the round function of this block cipher and of a sequence of 4 rounds. LBlock, another lightweight block cipher, turns out to exhibit the same behaviour. Then, we illustrate how this alternative representation can shed new light on the security of TWINE by deriving high probability iterated truncated di erential trails covering 4 rounds with probability 2−16. The importance of these is shown by combining di erent truncated differential trails to attack 23-rounds TWINE-128 and by giving a tighter lower bound on the high probability of some di erentials by clustering di erential characteristics following one of these truncated trails. A comparison between these high probability di erentials and those recently found in a variant of LBlock by Leurent highlights the importance of considering the whole distribution of the coe cients in the di erence distribution table of a S-Box and not only their maximum value.