key: cord-0046999-c5rteoc8
authors: Tolba, Mohamed; ElSheikh, Muhammad; Youssef, Amr M.
title: Impossible Differential Cryptanalysis of Reduced-Round Tweakable TWINE
date: 2020-06-06
journal: Progress in Cryptology - AFRICACRYPT 2020
DOI: 10.1007/978-3-030-51938-4_5
sha: 9a79ac1dea05d9ea44145eb8b2aee34a2c572d8f
doc_id: 46999
cord_uid: c5rteoc8

Abstract. Tweakable TWINE (T-TWINE) is a new lightweight tweakable block cipher family proposed by Sakamoto et al. at IWSEC 2019. T-TWINE is the first Tweakable Block Cipher (TBC) that is built on a Generalized Feistel Structure (GFS). It is based on the TWINE block cipher in addition to a simple tweak scheduling based on SKINNY's tweakey schedule. Similar to TWINE, it has two versions, namely T-TWINE-80 and T-TWINE-128, both of which have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we present impossible differential attacks against reduced-round versions of T-TWINE-80 and T-TWINE-128. First, we present an 18-round impossible differential distinguisher against T-TWINE. Then, using this distinguisher, we attack 25 and 27 rounds of T-TWINE-80 and T-TWINE-128, respectively.

Tweakable Block Ciphers (TBCs) [11] differ from conventional block ciphers in that they accept an additional input called a tweak. Different specific keyed instances of the cipher can be generated by varying this tweak. TBCs make new, highly secure modes of operation and applications possible, since they are designed so that changing the tweak is very cheap compared to the key setup operation. Block ciphers can be used to build TBCs through modes of operation such as LRW (Liskov, Rivest, and Wagner) and XEX (Xor-Encrypt-Xor) [14]. These modes of operation require only a few cipher calls per TBC encryption/decryption and are therefore efficient.
However, their provable security guarantee, which is $2^{n/2}$ for an $n$-bit block cipher, is not enough, in particular for TBCs employed in modes of operation aiming to achieve "beyond-the-birthday-bound" (BBB) security. As a result, less efficient modes of operation [9, 10], compared to LRW and XEX, have been proposed to achieve a BBB security guarantee. Dedicated construction is another approach to building efficient TBCs with an acceptable level of security guarantee. HPC [16], one of the submissions to the AES competition, is the first such proposal, where the tweak is called "spice". Threefish [4], Deoxys-BC [7], SKINNY [2] and QARMA [1] are examples of recently proposed dedicated TBCs. The challenge of designing efficient dedicated TBCs while retaining a sufficient security guarantee is addressed by the TWEAKEY framework [6], which is based on a Substitution Permutation Network (SPN). Tweakable TWINE (T-TWINE) [15] is the first dedicated TBC that is based on a Generalized Feistel Structure (GFS) [13, 20]. The only work on GFS-based TBCs before the T-TWINE proposal was done by Goldenberg et al. [5] and Mitsuda and Iwata [12], who focused on studying the provable security of round functions instantiated by PRFs. TWINE, which is a GFS-based block cipher, was proposed by Suzaki et al. [18] after a comprehensive study by Suzaki and Minematsu [17] showing the effect of the choice of sub-block permutation on the diffusion, the number of differential/linear active S-boxes, and the maximum number of rounds for impossible differential characteristics and saturation characteristics. The choice of the permutation of TWINE was a result of the work done in [17]: it permutes 16 nibbles so as to achieve the best characteristics. T-TWINE [15] is built with the goal of reducing the cost of design, security evaluation, and implementation. As a result, TWINE was selected as the basic building block of T-TWINE, with an extremely simple tweak scheduling.
This tweak schedule is based on SKINNY's [2] tweakey schedule. Similar to TWINE, T-TWINE has a block size of 64 bits and iterates over 36 rounds using either an 80-bit or a 128-bit key. It accepts an additional 64-bit tweak. It also uses independent key and tweak schedules, where the tweak is mixed with the state by adding a few nibble XORs to TWINE. Therefore, it has the same hardware cost as TWINE except for the additional tweak registers. The designers of T-TWINE evaluated its security against differential, linear, impossible differential, and integral attacks in the chosen-tweak setting. However, they only presented distinguishers, without converting any distinguisher into a key recovery attack. For impossible differentials, they utilized the miss-in-the-middle approach to search for impossible differential characteristics that have one active nibble among the 16 tweak nibbles and one active nibble among the 16 ciphertext nibbles at the decryption side. However, the 18-round impossible differential distinguisher proposed by the designers does not seem to be correct, as we illustrate in Sect. 3.

In this paper, we start by presenting an 18-round impossible differential distinguisher. Then, we use this distinguisher to launch a 25-round attack against T-TWINE-80 by prepending and appending 4 and 3 rounds, respectively. Finally, we launch a 27-round attack against T-TWINE-128, using the same 18-round distinguisher, by prepending and appending 6 and 3 rounds, respectively. The data, time, and memory complexities of the 25-round (27-round) attack against T-TWINE-80 (T-TWINE-128) are $2^{61.5}$ ($2^{60}$) chosen plaintexts, $2^{70.86}$ 25-round ($2^{120.83}$ 27-round) encryptions, and $2^{66}$ ($2^{118}$) 64-bit blocks, respectively.

The rest of the paper is organized as follows. Section 2 provides the notation used throughout the paper and a brief description of T-TWINE. In Sect. 3, we present the impossible differential distinguisher used in our attacks.
The details of our attacks are presented in Sects. 4 and 5. Finally, the paper is concluded in Sect. 6.

The following notation will be used throughout the rest of the paper: $\Delta X^i$, $\Delta X^i_j$: the difference at state $X^i$ and nibble $X^i_j$, respectively.

T-TWINE is based on TWINE [18]. T-TWINE-80/128 iterates 36 rounds over a 64-bit block using an 80/128-bit key, respectively, and a 64-bit tweak $T$. The block cipher has three parts: data processing, key schedule, and tweak schedule. Except for the tweak additions, T-TWINE-80/128 has the same data processing and key schedule as TWINE-80/128, respectively. Both T-TWINE-80 and T-TWINE-128 employ the same generalized Feistel structure and tweak schedule; the only difference between them is the key schedule. As shown in Fig. 1, the round function is based on a variant of Type-2 GFS with 16 4-bit nibbles [17]. It has four operations: a 4-bit S-box ($S$, see Table 1), round key XOR, round tweak XOR, and a 16-nibble shuffle operation ($\pi$, see Table 2). Both versions of T-TWINE have the same number of rounds (36). The nibble shuffle operation in the last round is omitted.

Impossible differential cryptanalysis was proposed independently by Knudsen [8] and Biham, Biryukov and Shamir [3]. It exploits a (truncated) differential characteristic of probability exactly 0, which thus acts as a distinguisher. This distinguisher is then turned into a key-recovery attack by prepending and/or appending additional rounds, usually referred to as the analysis rounds. The keys involved in the analysis rounds that lead to the impossible differential are wrong keys and are therefore excluded. Miss-in-the-Middle is the general technique used to construct impossible differentials, where the cipher $E$ is split such that $E = E_2 \circ E_1$, and we try to find two deterministic differentials, the first covering $E_1$ and having the form $\Delta\delta \to \Delta\gamma$, and the second covering $E_2^{-1}$ and having the form $\Delta\beta \to \Delta\zeta$.
When the intermediate differences $\Delta\gamma$ and $\Delta\zeta$ do not match, the differential $\Delta\delta \to \Delta\beta$ that covers the whole cipher $E$ holds with probability zero.

Key schedule of T-TWINE-80. Data: the 80-bit master key $K$. Result: the round keys $RK = RK^0 \| RK^1 \| \cdots \| RK^{35}$. $k_0 \| k_1 \| \cdots \| k_{19} \leftarrow K$; […]

Key schedule of T-TWINE-128. Data: the 128-bit master key $K$. Result: […]

The designers of T-TWINE in [15] presented an 18-round impossible differential distinguisher. They found this distinguisher using the Miss-in-the-Middle approach. The distinguisher begins at "1R" with zero differences, and the tweak has a non-zero difference at the first nibble $t_0$. As mentioned above, this 18-round impossible differential distinguisher does not seem to be correct. In what follows, we list some of the problems (mistakes) we identified in this distinguisher (see Fig. 5): i) the number of rounds involved in the distinguisher is only 17, not 18 (as the plaintext is marked "1R" and the ciphertext is marked "18R"); ii) the tweaks used in the distinguisher are wrong: for example, the tweaks used in the seventh and ninth rounds are actually the tweaks of the sixth and seventh rounds, respectively; and iii) this distinguisher assumes that the tweak has a difference at nibble "0" in the first round and that it appears again at nibble "0" in the nineteenth round, while it should appear again in the seventeenth round, after 16 rounds of the tweak schedule. Moreover, as shown in Figure 8 of [15] (see Fig. 5), the zero difference at "1R" associated with a non-zero difference at the first nibble $t_0$ of the tweak gives, after being propagated 7 rounds in the forward direction, a difference at "8R" of the form $(1, 1, 1, 0, 0, ?, 0, 1, 1, ?, 0, 1, ?, ?, ?, ?)$. However, the correct difference should be of the form $(?, 1, ?, 0, 1, ?, ?, 1, 1, ?, ?, 1, ?, ?, ?, ?)$.

In this section, we present an 18-round distinguisher that begins and ends with a zero difference and has a difference at $t_{12}$ in the first round, see Fig. 2.
To the best of our knowledge, this is the first valid 18-round impossible differential distinguisher. This distinguisher is found using the Miss-in-the-Middle approach, where we propagate the difference in the tweak forward 8 rounds with probability 1 and propagate the difference in the tweak backward 10 rounds with probability 1, then match in the middle at the end of round 8. As seen in Fig. 2, there is a contradiction at nibble "6", where in the forward path it should have a zero difference, while in the backward path it should have a non-zero difference.

In this section, we present some useful observations that will be utilized in our attacks.

Observation 1 [18, 19]. For any input difference $a$ ($\neq 0$) and output difference $b$ ($\in \Delta S[a]$) of the S-box in TWINE, the average number of pairs that satisfy the differential characteristic $(a \to b)$ is $16/7$.

Observation 2. Given an 8-bit pair […]

Observation 3. If the impossible differential illustrated in Fig. 2 is extended 6 rounds forward and 3 rounds backward, then we have the following relations, see Fig. 3: […]

Observation 4. If the impossible differential illustrated in Fig. 2 is extended 4 rounds forward and 3 rounds backward, then we have the following relations, see Fig. 4: […]

In this section, we present the first attack on 27-round T-TWINE-128 in the chosen-tweak model. We use the notion of data structures to generate enough pairs of messages to launch the attack. Our structure takes all the possible values of the 12 nibbles $X^0_2, X^0_3, X^0_4, X^0_5, X^0_6, X^0_7, X^0_8, X^0_9, X^0_{11}, X^0_{12}, X^0_{13}, X^0_{15}$, while the remaining nibbles assume a fixed value. In addition, we choose the tweak nibble $T_2$ such that it takes all its possible values. Thus, one structure generates $2^{4 \times 13} \times (2^{4 \times 13} - 1)/2 \approx 2^{103}$ possible pairs. Hence, we have $2^{103}$ possible pairs of messages satisfying the plaintext differences.
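Observation 1 can be checked directly from the difference distribution table (DDT) of the S-box: each row of the DDT sums to 16, so the average number of pairs over the reachable output differences is $16/|\Delta S[a]|$, and the value $16/7$ says every non-zero input difference reaches exactly 7 output differences. The following script is an added example, not code from the paper or from the T-TWINE designers. It uses the TWINE S-box as published in the TWINE specification [18] (the paper refers to it as Table 1; the values below should be verified against that table), computes the DDT, and reports $|\Delta S[a]|$ and the average pairs per transition for every $a \neq 0$.

```python
# Added example (not from the paper): difference distribution table (DDT) of
# the 4-bit TWINE S-box, used to check Observation 1 (average 16/7 pairs per
# possible transition a -> b). The S-box values are the TWINE S-box from the
# TWINE specification; verify them against Table 1 of the paper.
from fractions import Fraction

TWINE_SBOX = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
              0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def ddt(sbox):
    """16x16 difference distribution table: ddt[a][b] counts the inputs x
    with S(x) ^ S(x ^ a) == b (pairs are counted as ordered inputs, so every
    row sums to 16)."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for a in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def output_differences(sbox, a):
    """The set Delta S[a]: output differences reachable from input difference a."""
    return {b for b, cnt in enumerate(ddt(sbox)[a]) if cnt}


def average_pairs_per_transition(sbox, a):
    """Average of ddt[a][b] over b in Delta S[a], as an exact fraction.
    Because the row sums to 16 this equals 16 / |Delta S[a]|."""
    reachable = [cnt for cnt in ddt(sbox)[a] if cnt]
    return Fraction(sum(reachable), len(reachable))


def max_differential_probability(sbox):
    """Largest DDT entry over non-zero input differences, divided by 16."""
    table = ddt(sbox)
    n = len(sbox)
    return Fraction(max(table[a][b] for a in range(1, n) for b in range(n)), n)


def transition_probability(sbox, a, b):
    """Probability that a random input pair with difference a yields output
    difference b; zero means (a -> b) is an impossible S-box transition."""
    return Fraction(ddt(sbox)[a][b], len(sbox))


if __name__ == "__main__":
    for a in range(1, 16):
        print(f"a={a:x}: |ΔS[a]| = {len(output_differences(TWINE_SBOX, a))}, "
              f"average pairs = {average_pairs_per_transition(TWINE_SBOX, a)}")
    print("max differential probability:", max_differential_probability(TWINE_SBOX))
```

Running the script prints 7 reachable output differences and an average of 16/7 for all fifteen non-zero input differences, which is the uniformity that lets the paper multiply a $(7/16)$ factor per S-box condition in Observations 3 and 4 and a $(16/7)$ factor per deduced key nibble in the pre-computation tables.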
In addition, we utilize the following pre-computation tables in order to efficiently extract/filter the round keys involved in the analysis rounds:

- $H_9$: […] ${}^3_2$, $X^3_9$, $\Delta X^3_9$, $t^2_1$, and $RK^2_5 = K_{26}$, compute $X^2_{10}$, $\Delta X^2_{10}$, $X^2_{11}$, and $\Delta X^2_{11}$. Then, store $X^3_9$, $\Delta X^3_9$, and $RK^2_5 = K_{26}$ in $H_9$ indexed by $X^2_{10}$, $\Delta X^2_{10}$, $X^2_{11}$, $\Delta X^2_{11}$, and $t^2_1$. $H_9$ has $2^{20}$ rows and on average about $2^{20}/2^{20} = 1$ value in each row.
- $H_{10}$: For all the $2^{20}$ possible values of $X^3_{11}$, $\Delta X^3_{11}$, $X^3_{14}$, $t^2_0$, and $RK^2_7 = K_4 + S(K_{16}$ […]
- $H_{14}$: […] ${}^4_2$, $X^4_9$, $t^3_1$, $\Delta T_2$, $RK^3_5 = K_{30}$, $X^3_{15}$, and $RK^2_6 = K_5 + S(K_4 + S(K_{16}))$, compute $X^3_{11}$, $\Delta X^3_{11}$, $X^2_{12}$, and $X^2_{13}$. Then, store $RK^3_5 = K_{30}$ and $RK^2_6 = K_5 + S(K_4 + S(K_{16}))$ in $H_{14}$ indexed by $X^3_{11}$, $\Delta X^3_{11}$, $X^2_{12}$, $t^3_1$, $\Delta T_2$, and $X^2_{13}$. $H_{14}$ has $2^{24}$ rows and on average about $2^{28}/2^{24} = 2^4$ values in each row.
- $H_{15}$: For all the $2^{44}$ possible values of $X^5_3$ […] ${}^2_3$, and $RK^2_3 = K_{23} + S(K_{30})$, compute $X^4_7$, $\Delta X^4_7$, $X^3_9$, $\Delta X^3_9$, $X^2_6$, and $X^2_7$. Then, store $X^5_3$, $\Delta X^5_3$, $RK^3_4 = K_{29}$, and $RK^2_3 = K_{23} + S(K_{30})$ in $H_{15}$ indexed by $X^4_7$, $\Delta X^4_7$, $X^3_9$, $\Delta X^3_9$, $X^2_6$, $X^2_7$, $t^4_3$, $t^3_2$, $t^2_3$, and […]
- […] ${}^6_1$, $X^6_4$, $t^5_4$, $\Delta T_2$, $RK^5_1 = K_{23} + S(K_{30})$, $X^5_9$, $t^4_1$, $RK^4_5 = K_3$, $X^4_{15}$, $RK^3_6 = K_9 + S(K_8 + S(K_{20}))$, $X^3_7$, and $RK^2_2 = K_{20}$, compute $X^5_3$, $\Delta X^5_3$, $X^3_{14}$, $X^2_8$, $X^2_4$, and $X^2_5$. Then, store $RK^4_5$ […]

In the general approach, the round keys involved in the analysis rounds are guessed and the plaintext/ciphertext pairs are filtered to satisfy the differential path leading to the impossible differential distinguisher. Here, we instead use the pre-computation tables proposed above to deduce the round keys that lead a specific plaintext/ciphertext pair to the impossible differential. Then, we exclude the deduced keys, as they are wrong keys. Our attack proceeds as follows.
We initialize an array $H$ of $2^{31 \times 4 = 124}$ entries to "0", where each entry is 1 bit and the index of the array is formed by the 31 key nibbles involved in the attack, as we will see later. Then, we generate $2^m$ structures as described above. Therefore, we have $2^{m+103}$ plaintext/ciphertext pairs generated using $2^{m+48}$ chosen plaintexts. Then, we ask the encryption oracle for their corresponding ciphertexts. The number of plaintext/ciphertext pairs that satisfy Observation 3 is $2^{m+103} \times 2^{-10.734} = 2^{m+92.266}$. After the ciphertext filtration, only $2^{m+92.266} \times 2^{-12 \times 4} = 2^{m+44.266}$ pairs remain. For each remaining pair, we access the pre-computation tables in sequential order, from $H_1$ to $H_{20}$, one by one, in order to deduce the 31 key nibbles that lead this pair to the impossible differential. Then, we mark them in $H$ as invalid ("1"). Table 3 summarizes these steps, identifying which table is used and which key nibble is involved in each step, in addition to the time complexity of each step.

Remarks on the analysis steps:

1. During steps 1-14 and step 18, we directly access the corresponding table to obtain the values of the involved key nibbles. For example, in step 1, we determine the number of possible values of $RK^0_1 = K_3$ that satisfy the path to the impossible differential by accessing $H_1$. Therefore, we have $(16/7)$ possible values for $K_3$ […]

[…] $K_{16}$, $K_{20}$, $K_{21}$, $RK^6_3$, $K_{27}$, $K_{28})$ and $RK^{25}_5 = f_3(K_0, K_1, K_2, K_4, K_{12}, K_{13}, RK^3_6, K_{15}, K_{16}, K_{20}, K_{21}, K_{24}, K_{28})$, respectively. Therefore, we can deduce the values of $K_{27}$ and $K_{13}$, respectively, since all the other key nibbles in $f_2$ and $f_3$ are determined during the previous steps.

6. After step 20, we have $2^{60} \times (16/7)^9$ possible values for $K_0$, $K_1$, $K_2$, $K_3$, $K_4$, $K_5$, $K_6$, $K_7$, $K_9 + S(K_8 + S(K_{20}))$, $K_{10}$, $K_{11}$, $K_{12}$, $K_{13}$ […]

[…] From Fig. 3, we have 37 round keys involved in the analysis rounds.
According to the key schedule, these 37 round keys take only $2^{124}$ possible values (see step 21 in Table 3). As mentioned in step 21, we remove on average $2^{60} \times (16/7)^9 = 2^{70.734}$ out of the $2^{124}$ possible values of these 37 round keys for each of the $2^{m+44.266}$ remaining pairs. Hence, a wrong key is not discarded by one pair with probability $1 - 2^{70.734-124} = 1 - 2^{-53.266}$. Therefore, after processing all the $2^{m+44.266}$ remaining pairs, we have

$2^{124} \times (1 - 2^{-53.266})^{2^{m+44.266}} \approx 2^{124} \times (e^{-1})^{2^{m+44.266-53.266}} \approx 2^{124} \times 2^{-1.4 \times 2^{m-9}}$

remaining candidates for the 124 bits of the key. We evaluated the computational complexity of the attack as a function of $m$, as illustrated in Table 3, to determine the value of $m$ that gives the best computational complexity. As steps 20 and 21 dominate the time complexity of the attack (see Table 3), we choose $m = 12$ in order to optimize it. Therefore, we have $2^{124} \times 2^{-1.4 \times 2^{12-9=3}} = 2^{124-11.2} = 2^{112.8}$ remaining candidates for the 124 bits of the key. The remaining key nibbles can be retrieved by guessing $K_8$ and exhaustively searching the $2^{112.8}$ remaining key candidates using 2 plaintext/ciphertext pairs. This step requires $2 \times 2^4 \times 2^{112.8} = 2^{117.8}$ encryptions. Therefore, the time complexity of the attack is $2^{120.245} + 2^{119.245} + 2^{117.8} \approx 2^{120.83}$ encryptions. The data complexity of the attack is $2^{m+4 \times 13} = 2^{64}$ chosen tweak/plaintext combinations, which can be generated using $2^{m+48} = 2^{60}$ chosen plaintexts. The memory complexity of the attack is dominated by the memory required to store $H$. Hence, the memory complexity is $2^{124} \times 2^{-6} = 2^{118}$ 64-bit blocks.

In this section, we present the first attack on 25-round T-TWINE-80 in the chosen-tweak model. We use the notion of data structures to generate enough pairs of messages to launch the attack.
Our structure takes all the possible values in the 7 nibbles $X^0_0, X^0_1, X^0_3, X^0_{10}, X^0_{11}, X^0_{14}, X^0_{15}$, while the remaining nibbles take a fixed value. In addition, we choose the tweak nibble $T_7$ such that it takes all its possible values. Thus, one structure generates $2^{4 \times 8} \times (2^{4 \times 8} - 1)/2 \approx 2^{63}$ possible pairs. Hence, we have $2^{63}$ possible pairs of messages satisfying the plaintext differences. In addition, we utilize the following pre-computation tables in order […]

Table 3. Time complexity of the different steps of the attack on 27-round T-TWINE-128, where NK denotes the number of keys to be excluded. [Columns: Step, Table, Key, …; the table body is not recovered.]

[…] of the key, after processing all the $2^{m+1.881}$ remaining pairs. We evaluated the computational complexity of the attack as a function of $m$, as illustrated in Table 4, to determine the value of $m$ that gives the best computational complexity. As steps 11 and 12 dominate the time complexity of the attack (see Table 4), we choose $m = 33.5$ in order to optimize it. Therefore, we have $2^{72} \times 2^{-1.4 \times 2^{33.5-29=4.5}} = 2^{72-31.678} = 2^{40.322}$ remaining candidates for the 72 bits of the key. These 72 bits of the key comprise 11 master key nibbles and 7 round key nibbles. To retrieve the whole master key, we perform the following steps:

1. Retrieve $K_{10}$ from $RK^{24}_4$ by guessing the 6 key nibbles $K_0, K_2, K_5, K_9, K_{12}, K_{13}$. Since this step involves 18 S-box operations, it requires $2^{40.322+24=64.322} \times \frac{18}{8 \times 25} \approx 2^{60.848}$ encryptions. Since $RK^{24}_4$ and $RK^{24}_0$ are functions of the same nibbles of the master key, we can compute $RK^{24}_0$ using the retrieved $K_{10}$ and then match the computed value with its value in the remaining candidate key. […]

[…] is also a function of the same nibbles of the master key, we can compute it using the retrieved $K_7$ and compare it with its value in the remaining candidate. As a result, we have a 4-bit filtration. Hence, we have only $2^{60.322+4-4=60.322}$ 80-bit remaining key candidates.
This step requires $2^{60.322+4=64.322} \times \frac{112}{8 \times 25} \approx 2^{63.485}$ encryptions. Then, we apply the same filtration to the round key nibbles $RK^{22}_7$, $RK^{23}_7$, and $RK^{24}_7$. Finally, we have three further 4-bit filtrations. Therefore, we have only $2^{60.322-12} = 2^{48.322}$ remaining candidates for the whole master key. The time complexity of this step is dominated by $2^{64.335}$ encryptions. The right master key can be retrieved by exhaustively searching the $2^{48.322}$ remaining key candidates using 2 plaintext/ciphertext pairs. This step requires $2 \times 2^{48.322} = 2^{49.322}$ encryptions. Therefore, the time complexity of the attack is dominated by steps 11 and 12 in Table 4, which require $2^{70.441} + 2^{68.856} \approx 2^{70.86}$ encryptions, see Table 4. The data complexity of the attack is $2^{m+4 \times 8} = 2^{65.5}$ chosen tweak/plaintext combinations, which can be generated using $2^{m+28} = 2^{61.5}$ chosen plaintexts. The memory complexity of the attack is dominated by the memory required to store $H$. Hence, the memory complexity is $2^{72} \times 2^{-6} = 2^{66}$ 64-bit blocks.

In this work, we presented two impossible differential attacks against reduced-round versions of T-TWINE. Both attacks use our proposed 18-round impossible differential distinguisher. To the best of our knowledge, this distinguisher is the first valid 18-round distinguisher. Utilizing this distinguisher, we launched 25-round and 27-round attacks on T-TWINE-80 and T-TWINE-128, respectively. The presented attacks are the first published attacks against both versions of T-TWINE.

Fig. 5. 18-round impossible differential characteristic as depicted in Figure 8 of [15], with our comments.

References
[1] The QARMA block cipher family.
Almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes.
[2] The SKINNY family of block ciphers and its low-latency variant MANTIS.
[3] Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials.
[4] The Skein hash function family.
[5] On tweaking Luby-Rackoff blockciphers.
[6] Tweaks and keys for block ciphers: the TWEAKEY framework.
[7] Deoxys v1.41. Submitted to the CAESAR competition.
[8] DEAL: a 128-bit block cipher.
[9] Tweakable blockciphers with asymptotically optimal security.
[10] Tweakable blockciphers with beyond birthday-bound security.
[11] Tweakable block ciphers.
[12] Tweakable pseudorandom permutation from generalized Feistel structure.
[13] Generalized Feistel networks.
[14] Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC.
[15] Tweakable TWINE: building a tweakable block cipher on generalized Feistel structure.
[16] An overview of the Hasty Pudding cipher.
[17] Improving the generalized Feistel.
[18] TWINE: a lightweight block cipher for multiple platforms.
[19] Impossible differential attack on reduced-round TWINE.
[20] Impossibility and optimality results on constructing pseudorandom permutations.

[…] 9 $2^{119.245}$ […] that, for the 7 round keys that are involved in the 3 rounds below the distinguisher, we wrote them as 7 functions $f_1, f_2, f_3, f_4, f_5, f_6, f_7$ of the key nibbles that are not involved in the above analysis rounds, $K_0, K_2, K_5, K_7, K_9, K_{10}, K_{11}, K_{12}, K_{13}$, and ignored the other key nibbles as they are known.

- $H_1$: For all the $2^{20}$ possible values of $X^1_0$, $X^1_5$, $\Delta X^1_5$, $t^0_5$ and $RK^0_0 = K_1$, compute $X^0_0$, $\Delta X^0_0$, $X^0_1$, and $\Delta X^0_1$. Then, store $X^1_5$, $\Delta X^1_5$, and $RK^0$ […]
- $H_{11}$: […] ${}_{10}$, $t^{23}_1$, $RK^{23}_5 = f_6(K_0, K_2, K_5, K_7, K_9, K_{10}, K_{11}, K_{12}, K_{13})$, $X^{24}_8$, $t^{24}_2$, and $RK^{24}_4 = f_7(K_0, K_2, K_5, K_9, K_{10}, K_{12}, K_{13})$, compute $X^{23}_{14}$, $\Delta X^{25}_{11} = \Delta X^{23}_{14}$, $X^{25}_2$, $X^{25}_9$, and $X^{25}_8$.
Then, store $RK^{22}_7 = f_5(K_0, K_2, K_5, K_7, K_9, K_{10}, K_{11}, K_{12}, K_{13})$, $RK^{23}_5 = f_6(K_0, K_2, K_5, K_7, K_9, K_{10}, K_{11}, K_{12}, K_{13})$, and $RK^{24}_4 = f_7(K_0, K_2, K_5, K_9, K_{10}, K_{12}, K_{13})$ in $H_{11}$ indexed by $X^{23}_{14}$, $\Delta X^{25}_{11} = \Delta X^{23}_{14}$, $X^{25}_2$, $X^{25}_9$, $X^{25}_8$, $t^{22}_0$, $\Delta T_7$, $t^{23}_1$, and $t^{24}_2$. $\Delta X^{25}_{11}$ is chosen such that $\Delta X^{25}_{11} \in S[\Delta T_7]$, see Observation 4. Therefore, $H_{11}$ has $7 \times 2^{32}$ rows and on average about $2^{44}/(7 \times 2^{32}) = (16/7) \times 2^8$ values in each row.

Our attack proceeds as follows. We initialize an array $H$ of $2^{18 \times 4 = 72}$ entries to "0", where each entry is 1 bit and the index of the array is formed by the 18 key nibbles involved in the attack, as we will see later. Then, we generate $2^m$ structures as described above. Therefore, we have $2^{m+63}$ plaintext/ciphertext pairs generated using $2^{m+28}$ chosen plaintexts. Next, we ask the encryption oracle for their corresponding ciphertexts. The number of plaintext/ciphertext pairs that satisfy Observation 4 is $2^{m+63} \times 2^{-13.119} = 2^{m+49.881}$. After the ciphertext filtration, only $2^{m+49.881} \times 2^{-12 \times 4} = 2^{m+1.881}$ pairs remain. For each remaining pair, we perform the following steps: […]

[…] From Fig. 4, we have 22 round keys involved in the analysis rounds. According to the key schedule, these 22 round keys take only $2^{72}$ possible values (see step 12 in Table 4). As mentioned in step 12, we remove on average $2^{28} \times (16/7)^{11} = 2^{41.119}$ out of the $2^{72}$ possible values of these 22 round keys for each of the $2^{m+1.881}$ remaining pairs. Hence, a wrong key is not discarded by one pair with probability $1 - 2^{41.119-72} = 1 - 2^{-30.881}$. Therefore, we have

$2^{72} \times (1 - 2^{-30.881})^{2^{m+1.881}} \approx 2^{72} \times (e^{-1})^{2^{m+1.881-30.881}} \approx 2^{72} \times 2^{-1.4 \times 2^{m-29}}$

remaining candidates for the 72 bits
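The candidate-sieving arithmetic is the same for both attacks (the $2^{124}$-bit derivation for 27-round T-TWINE-128 and the $2^{72}$-bit derivation for 25-round T-TWINE-80 just above): count the pairs in $2^m$ structures, apply the $(7/16)^k$ filter of Observations 3 and 4 and the ciphertext filter, count the round-key values one surviving pair excludes, and estimate the survivors with $(1-p)^N \approx e^{-Np}$. The functions below are an added example, not the authors' code or the attack itself. The parameters are the ones the paper states; the function names and the `sieve` helper are my own; the exact variant next to the paper's $1.4 \approx \log_2 e$ rounding shows how much that rounding shifts the estimate; and the cost helper reproduces the paper's "S-box operations divided by $8 \times$ rounds" unit, assuming the 8 S-box calls per round of the 16-nibble Type-2 GFS.

```python
# Added example (not from the paper): the counting behind the complexity
# analysis of both attacks, written as reusable functions. The constants
# (key sizes, S-box conditions, filtering nibbles, 1.4 ~ log2(e)) are the
# ones stated in the paper; the helper names are my own.
import math

LOG2_16_OVER_7 = math.log2(16 / 7)   # ~1.1926, the per-S-box factor of Observation 1
SBOXES_PER_ROUND = 8                 # 16-nibble Type-2 GFS: 8 S-box calls per round


def log2_pairs_per_structure(active_nibbles):
    """log2 of 2^{4n}(2^{4n}-1)/2: pairs inside one structure with n active nibbles."""
    v = 2 ** (4 * active_nibbles)
    return math.log2(v * (v - 1) // 2)


def log2_filter_probability(sbox_conditions):
    """log2 of (7/16)^k: fraction of pairs passing k S-box transition conditions."""
    return -sbox_conditions * LOG2_16_OVER_7


def log2_keys_removed_per_pair(free_key_bits, sbox_conditions):
    """log2 of 2^{free} * (16/7)^k: round-key values one surviving pair marks wrong."""
    return free_key_bits + sbox_conditions * LOG2_16_OVER_7


def log2_remaining_keys(key_bits, log2_removed, log2_pairs, log2_e=1.4):
    """Paper's estimate: 2^key (1 - 2^{removed-key})^{2^pairs}
    ~ 2^key * 2^{-log2(e) * 2^{pairs + removed - key}}, with log2(e) rounded to 1.4."""
    return key_bits - log2_e * 2 ** (log2_pairs + log2_removed - key_bits)


def log2_remaining_keys_exact(key_bits, log2_removed, log2_pairs):
    """Same count without the e^{-x} rounding; log1p keeps 1 - p accurate for tiny p."""
    p = 2 ** (log2_removed - key_bits)
    return key_bits + 2 ** log2_pairs * math.log1p(-p) / math.log(2)


def log2_partial_encryption_cost(log2_evaluations, sbox_ops, rounds):
    """Cost of 2^e partial evaluations of sbox_ops S-boxes each, in units of one
    full `rounds`-round encryption (the paper's  x * s / (8 * rounds))."""
    return log2_evaluations + math.log2(sbox_ops / (SBOXES_PER_ROUND * rounds))


def sieve(key_bits, active_nibbles, plaintext_nibbles, sbox_conditions,
          free_key_bits, ciphertext_filter_nibbles, m):
    """Run the whole accounting for 2^m structures; every value is a log2."""
    pairs = m + log2_pairs_per_structure(active_nibbles)
    surviving = (pairs + log2_filter_probability(sbox_conditions)
                 - 4 * ciphertext_filter_nibbles)
    removed = log2_keys_removed_per_pair(free_key_bits, sbox_conditions)
    return {
        "log2_pairs": pairs,
        "log2_surviving_pairs": surviving,
        "log2_removed_per_pair": removed,
        "log2_remaining_keys": log2_remaining_keys(key_bits, removed, surviving),
        "log2_remaining_keys_exact": log2_remaining_keys_exact(key_bits, removed, surviving),
        "log2_chosen_plaintexts": m + 4 * plaintext_nibbles,
        "log2_chosen_tweak_plaintexts": m + 4 * active_nibbles,
    }


def ttwine128_27r(m=12):
    """27-round T-TWINE-128: 12 plaintext nibbles + tweak nibble T_2 active,
    9 S-box conditions (Observation 3), 12 ciphertext nibbles filtered,
    124 sieved key bits, 2^60 free key values per surviving pair."""
    return sieve(key_bits=124, active_nibbles=13, plaintext_nibbles=12,
                 sbox_conditions=9, free_key_bits=60,
                 ciphertext_filter_nibbles=12, m=m)


def ttwine80_25r(m=33.5):
    """25-round T-TWINE-80: 7 plaintext nibbles + tweak nibble T_7 active,
    11 S-box conditions (Observation 4), 12 ciphertext nibbles filtered,
    72 sieved key bits, 2^28 free key values per surviving pair."""
    return sieve(key_bits=72, active_nibbles=8, plaintext_nibbles=7,
                 sbox_conditions=11, free_key_bits=28,
                 ciphertext_filter_nibbles=12, m=m)


if __name__ == "__main__":
    for name, res in (("T-TWINE-128/27", ttwine128_27r()), ("T-TWINE-80/25", ttwine80_25r())):
        print(name, {k: round(v, 3) for k, v in res.items()})
    # step 1 of the T-TWINE-80 master-key recovery: 2^64.322 evaluations of 18 S-boxes
    print("step 1 cost:", round(log2_partial_encryption_cost(64.322, 18, 25), 3))
```

With the paper's parameters the functions return $2^{m+44.266}$ and $2^{m+1.881}$ surviving pairs, $2^{70.734}$ and $2^{41.119}$ removed keys per pair, and $2^{112.8}$ and $2^{40.322}$ remaining candidates for $m = 12$ and $m = 33.5$. The exact variant gives about $2^{112.46}$ for T-TWINE-128, so rounding $\log_2 e$ down to $1.4$ slightly overstates the number of survivors; the paper's figure is therefore on the conservative side for the final exhaustive-search cost.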