Aug. 10, 2023, 6:30 a.m.

IACR News www.iacr.org

ePrint Report: CLRW1$^{3}$ is not Secure Beyond the Birthday Bound: Breaking TNT with $O(2^{n/2})$ queries

Mustafa Khairallah


In this paper, we present a new distinguisher for the Tweak-aNd-Tweak (TNT) tweakable block cipher with $O(2^{n/2})$ complexity. The distinguisher is an adaptive chosen ciphertext distinguisher, unlike previous attacks that are only non-adaptive chosen plaintext attacks. However, the attack contradicts the security claims made by the designers. Given TNT can be seen as the three-round CLRW1 tweakable block cipher, our attack matches its …

