Related-Tweak Multiple Impossible Differential Attack on TweAES
Cite this article: JIANG Zilong, JIN Chenhui. Related-Tweak Multiple Impossible Differential Attack on TweAES[J]. Journal of Electronics & Information Technology, 2023, 45(1): 344-352.
Authors: JIANG Zilong, JIN Chenhui
Affiliation: Strategic Support Force Information Engineering University, Zhengzhou 450001
Funding: National Natural Science Foundation of China (61772547, 61902428, 61802438)
Abstract: TweAES is an authenticated-encryption candidate that advanced to the second round of the NIST Lightweight Cryptography standardization competition. This paper presents a related-tweak multiple impossible differential attack on 8-round TweAES. First, two classes of impossible differential distinguishers are used to construct two attack trails, each of which requires guessing 16 bytes of subkey. Notably, the two trails share the same plaintext structure and 14 bytes of common subkey, so the attacker can use plaintext pairs from a single plaintext structure to filter wrong subkeys twice, and the large number of common subkey bytes raises the efficiency of subkey filtering. In addition, the incompleteness of the key schedule is exploited to select subkey bytes purposefully, and the relations among subkey bytes are used to recover the master key more efficiently, which improves the overall attack. Compared with previous results, the attack on 8-round TweAES in this paper improves all three complexities: time, data, and memory.

Keywords: lightweight cipher; impossible differential; TweAES; tweak
Received: 2021-10-21

Related-Tweak Multiple Impossible Differential Attack for TweAES
JIANG Zilong, JIN Chenhui. Related-Tweak Multiple Impossible Differential Attack for TweAES[J]. Journal of Electronics & Information Technology, 2023, 45(1): 344-352.
Authors: JIANG Zilong, JIN Chenhui
Affiliation: Strategic Support Forces Information Engineering University, Zhengzhou 450001, China
Abstract: TweAES is one of the second-round candidates in the NIST Lightweight Cryptography Standardization competition. A related-tweak multiple impossible differential attack on 8-round TweAES is presented. First, two types of impossible differential distinguishers are used to construct two attack trails, each requiring a guess of 16 bytes of subkey. Notably, the two attack trails share the same plaintext structure and 14 bytes of common subkey. Attackers can use plaintext pairs from the same plaintext structure to reject wrong subkeys in two filtering passes, and because of the large number of common subkey bytes, the efficiency of subkey sifting is improved. Furthermore, the incompleteness of the key schedule is used to choose the subkey bytes. With the help of the relations among subkey bytes, the corresponding master keys can be reconstructed more efficiently, so the complexity of the whole attack scheme is reduced. Compared with previous results, this work obtains a new attack on 8-round TweAES that needs lower time, data, and memory complexities than other attack schemes.
Keywords: lightweight cipher; impossible differential; TweAES; tweak