Improved Meet-in-the Middle Attacks on Reduced-Round TWINE-128.

TWINE is a lightweight block cipher, which was proposed by NEC corporation in 2012. It is both a good example of common trade-offs in lightweight cryptography and one of the only instances of a GFN with improved diffusion layer. Therefore, its security has attracted amount of attention in recent years. In this paper, we present a meet-in-the-middle attack on 26-round TWINE-128 by exploiting the slow diffusion of key schedule. Specifically, we first construct a new 11-round distinguisher of TWINE. Based on it, we mount a meet-in-the-middle attack on 26-round TWINE-128. The data, time and memory complexities are 2(60) chosen plaintexts, 2(126.18) 26-round encryptions and 2(109) 64-bit blocks, respectively. Our results are better than all previous ones on TWINE-128 in the single-key scenario if not considering biclique cryptanalysis of TWINE-128.