Related-Key Differential Attacks on Reduced-Round LBlock

Weng, Tianling; Cui, Tingting; Yang, Ting; Guo, Yinghua

doi:https://doi.org/10.1155/2022/8464960

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 8464960 | https://doi.org/10.1155/2022/8464960

Related-Key Differential Attacks on Reduced-Round LBlock

Tianling Weng,¹Tingting Cui,¹Ting Yang,²and Yinghua Guo³

Academic Editor: Jinguang Han

Received13 Feb 2022

Revised05 Jun 2022

Accepted04 Jul 2022

Published16 Sept 2022

Abstract

LBlock, as one of the typical lightweight encryption schemes, is a 32-round block cipher with 64 bit block and 80 bit master key. It can be widely applied in the IoT environment because of its friendly software and hardware implementations. Since it came out, it has encountered many attacks. In this paper, we evaluate LBlock’s ability against related-key differential attack more accurately based on SMT method. On the one hand, we propose tighter lower bounds on the minimal number of active S-boxes for up to 19 rounds of LBlock, which are 8 more rounds than previous ones. Then, we propose the upper bounds of total probabilities for up to 19 rounds of LBlock for the first time. On the other hand, with a suitable 17-round related-key differential distinguisher, we propose attacks on 22- and 23-round LBlock. Each of these attacks has lower time complexity and data complexity than previous ones for the same rounds of LBlock.

1. Introduction

In recent years, the Internet of Things (IoT), as the emerging product of Internet, has been widely applied in industry, agriculture, environment and so on, such as smart transportation and smart medical. In IoT, Radio Frequency Identification (RFID), Sensor Network[1], Machine-to-Machine (M2M) and Cloud Computing are key techniques. However, within them, lots of devices have limited resources, which results in the useless of traditional encryption ciphers to guarantee the security of data. To solve this problem, lightweight encryption schemes are more and more popular, such as PRESENT [2], LED [3], HIGHT [4], LBlock [5], SIMON [6], SPECK [6] and SKINNY [7].

As one of the typical lightweight encryption schemes, LBlock is a 32-round block cipher proposed by Wu et al. at ACNS [5]. It adopts a variant Feistel construction with 80 bit master key and 64 bit block. Thanks to its simple round function, it has friendly software and hardware implementations. Its slightly modified version LBlock-s [8] has been used in authenticated encryption scheme LAC in CAESAR competition.

Since LBlock was raised, it has encountered differential attacks [9, 10], integral attacks [11], impossible differential attacks [12] and boomerang attacks [13] in both single-key settings and related-key settings. In single-key settings, the designers of LBlock proposed the first impossible differential attack and integral attack on 20-round LBlock in the design document. Then, the impossible differential attack was further improved in [14, 15], and it could attack 22-round LBlock now.

In related-key settings, the designers first gave valid related-key differential characteristics for up to 13-round LBlock in the design document [5]. At ASIACRYPT’14, Sun et al. [16] used MILP method to evaluate the lower bounds on the minimal active S-boxes of related-key differential characteristics for reduced rounds of LBlock. In the end, they gave security bounds for reduced 1- to 11-round LBlock, although the bounds were a little relax. Later, Sun et al. [17] improved these results and proposed more accurate bounds for the same reduced rounds of LBlock. Besides that, they found a valid characteristic for 15-round LBlock with 23 active S-boxes. Please note that all bounds in these previous works are measured by the number of active S-boxes instead of the total probability due to high time complexity in the search process, although measuring by probability is more accurate. To recover the key for as many rounds of a cipher as possible, the distinguisher used in the attack usually is expected for as long as possible. How to overcome the shortage in MILP method so as to evaluate more accurate bounds of related-key differential attack on LBlock? This is our first motivation to do this work.

Once a good distinguisher is found, we can go on recovering the secret key out. In [14], Liu et al. proposed the first related-key differential attack on 22-round LBlock based on a 16-round truncated differential. Then, Minier and Naya-Plasencia [18] used related-key impossible differential cryptanalysis to attack 22-round LBlock. Then this work was improved by Wen et al. [19]. They built a new searching algorithm to find out a 16-round related-key impossible differential instead of the 15-round one in [18], so they attacked one more round, i.e. 23 rounds. Please note that although the 23-round attack is suitable for all master keys, it needs 4 different related keys totally. This is a more strict requirement than 2 related keys in traditional related-key (impossible) differential attacks. If we can find longer related-key differential characteristics (more than 16 rounds), when we evaluate more accurate security bounds of LBlock, is there any better related-key differential attack on LBlock? This is our second motivation to do this work.

In this paper, we evaluate the resistance of LBlock against related-key differential attacks by security bounds based on SMT technique [20] and propose better related-key differential attacks on LBlock. Our contributions are as follows:

1.1. Propose More Accurate Bounds of Security against Related-Key Differential Attack on LBlock

In this work, we first propose tighter lower bounds on the minimal number of active S-boxes for up to 19 rounds of LBlock based on the SMT method. Then, we take the total probability of related-key differential characteristic as an objective function to evaluate the ability of LBlock against related-key differential attack and propose the upper bounds of probabilities for up to 19 rounds of LBlock for the first time. All results are summarized in Tables 1–3.

1.2. Propose 22- and 23-Round Related-Key Differential Attacks on LBlock

In this work, we first find out a suitable related-key differential distinguisher for 17-round LBlock with SMT method by a special observation and some constraints on input and output differences. This strategy is similar to that in [21] to some extent, aiming to reduce the search space so as to speed up the search according to some suitable observations. With this distinguisher, we propose attacks on 22- and 23-round LBlock. Each of these attacks has lower time complexity and data complexity than previous ones. All results are summarized in Table 4.

1.2.1. Outline

In Section 2, we briefly recall the specification of LBlock and the description of the SMT method. Then, we propose new security bounds against related-key differential attack on LBlock in Section 3. In Section 4, we find out a suitable 17-round related-key differential distinguisher and use it to attack 22- and 23-round LBlock. In the end, we conclude the paper in Section 5.

2. Preliminaries

In this part, we first introduce some notations used in this paper, then briefly recall the specification of LBlock and the description of Simple theorem Prover (STP) Solver.

2.1. Notations

In this paper, some notations are defined as follows:

Notation	Definition
	32 bits of 64 bit input difference
	64 bit input of round
	32 bit input of S-box layer in round
	32 bit output of S-box layer in round
	80 bit master key
	32 bit subkey used in round
	The -th to -th bits of master key,
	The -th nibble of subkey ,
	Round function of LBlock
	Exclusive-OR
	Left rotate bits
	Concatenation of two binary strings
	Binary form of an integer

2.2. Specification of LBlock

LBlock [5] is a 32-round lightweight block cipher proposed by Wu et al. at ACNS 2011. It adopts a variant Feistel construction with 80 bit master key and 64 bit block. LBlock’s round function is shown in Figure 1.

As we can see from Figure 1, the 64 bit input of the -th round function is divided into two branches named as and , then is updated with the following equation to generate 64 bit output , :

Here symbol function consists of three parts: AddRoundKey , nonlinear S-box layer and nibble permutation layer , which are listed as follows:(i)AddRoundKey : The secret subkey is mixed with input by XOR operation.(ii)S-box layer : This layer includes 8 different parallel S-boxes whose specifications are shown in Table 5.(iii)Nibble Permutation layer : This layer is a linear symmetric nibble-wise permutation.

Please note that there is no branch-wise permutation in the last round function and LBlock has totally 32 rounds, so we can denote plaintext as and ciphertext as .

2.2.1. Key Schedule Algorithm

The master key of LBlock has 80 bits, which is stored in a register at very beginning. Without loss of generality, we also denote the master key as . The leftmost 32 bits of master key are used as the first subkey , then the current register is updated with the following operations in Algorithm 1.

(1)
(2)	fordo





	end

Here and are two 4 bit S-boxes, which are shown in Table 5. For more details about LBlock, please refer to [5].

2.3. Simple theorem Prover

During the last few years, automatic search tools are more and more widely used to search for differential characteristics or linear approximations. One of the tools is Simple theorem Prover (STP) which bases on Satisfiability Modulo Theories (SMT) method. STP [20] is an effective SMT solver originally designed to solve the constraints of bit-vectors and arrays. When searching for differential characteristics with the STP solver, users usually transform such problems into a series of constraints. This solver has been used for cryptanalysis, such as [25–28]. CVC language [20] is STP’s default language. Here, we use Table 6 to list some orders in the CVC language. For more details, please refer to https://stp.readthedocs.io/en/latest/cvc-input-language.html.

In order to describe the STP model clearly, we also give two simple examples as follows.

Example 1. Describe : ; ; ; ;The first three statements are to claim that are 4 bit variables.

Example 2. is an S-box used in LBlock, the Differential Distribution Table (DDT) of can be described in CVC language as: ; ; ; ⋮ ;In this Example 2, denotes that the variable has bits. denotes that the input of the array is bits, and the output is bits. In the statement of , the 8 bit includes 4 bit input difference and 4 bit output difference . If this differential pattern is possible in DDT. Then , otherwise .

Taking the total number of active S-boxes as the objective function is a very traditional method to evaluate the resistance of such cipher against related-key differential attack by designers because it is more easier and less time-consuming, especially for byte-wise ciphers. However, taking the maximal probability as the objective function directly results in more precise evaluation. Unluckily, it is more complex and time-consuming, especially for high rounds of a cipher. Attackers usually would like this method to find the best related-key differential characteristic so as to carry out a good attack. In this work, we evaluate the security of LBlock with both ideas.

In this section, we use the SMT method to automatically evaluate the resistance of LBlock against related-key differential attack by computing the exact lower bounds on the minimal number of active S-boxes and the upper bounds of the maximal probabilities. As a result, we find out the minimal number of active S-boxes for rounds and a lower bound on the number of active S-boxes for 19-round related-key differential characteristics in Subsection 3.1, as well as the maximal probabilities for rounds and upper bounds of probabilities for rounds of related-key differential characteristics in Subsection 3.2.

3.1. Lower Bounds on the Minimal Number of Active S-Boxes

Computing the lower bounds on the minimal number of active S-boxes in related-key differential characteristics under different rounds of target cipher, is a common and traditional method to evaluate the ability of a cipher against related-key differential attack. In [16], Sun et al. first proposed bounds on the number of active S-boxes in related-key differential characteristics under different rounds of LBlock. However, because of the time complexity, they could only evaluate under at most 11 rounds of LBlock. Besides that, they found the differential characteristics with the lower bounds on the number of active S-boxes instead of maximal probability for block cipher with 4 4 S-boxes. Later, these results were improved in [17] based on MILP method. They gave the exact lower bounds on the number of active S-boxes for 5 11 rounds of LBlock. Similarly, because of high time complexity, they only could try to find the bound for high rounds and gave a bound for 15 rounds of LBlock (the program did not run over). Since the MILP-based method which they used could not find the differential characteristic with the maximal probability in practical time, the bounds they proposed still were not the exact lower bounds. All these results are summarized in Table 2.

In this work, we use the SMT method to automatically search for the exact lower bounds on the number of active S-boxes in related-key differential characteristics for 119 rounds of LBlock. Firstly, we describe the differential propagations on encryption scheme and key schedule algorithm of LBlock by an STP model in CVC language and add the objective function as a constraint to limit the number of active S-boxes in the model. The whole process is summarized in Algorithm 2. By solving the STP model, the exact lower bounds on the number of active S-boxes for 119 rounds of LBlock can be solved out, which are shown in Table 2.

As we can see from Table 2, our results are more accurate and strong to show the actual ability of LBlock against related-key differential attack compared with previous related works. Firstly, our work shows there is valid related-key differential characteristic for 19-round LBlock for the first time. As an example, we list one related-key differential characteristic for 19-round LBlock in Table 7. Secondly, we find that the exact lower bound of -round related-key differential characteristic has 2 or 3 active S-boxes more than the exact lower bound of -round related-key differential characteristic, where . In other words, there may be at least 40 active S-boxes for 23-round LBlock, which means there is no valid related-key differential characteristic for 23-round LBlock.

3.2. Upper Bounds of the Maximal Probabilities

In Subsection 3.1, we give the exact lower bounds on the minimal number of active S-boxes for 119 rounds of LBlock by the SMT method to evaluate the ability of LBlock against the related-key differential attack. However, although we have obtained the minimal number of active S-boxes under different rounds of LBlock, we can not directly determine the maximal probability under different rounds. For example, the minimal number of active S-boxes of 12-round related-key differential characteristic is 13. Among such characteristics, their probabilities are in range from to , but actually, the maximal probability for 12-round LBlock is (totally 13 active S-boxes). In other words, evaluating the ability against related-key differential attack with the maximal probability can get tighter security bounds, compared with evaluating with the minimal number of active S-boxes. Unfortunately, there is no previous work on searching the upper bound of probabilities for related-key differential characteristics under different rounds of LBlock. In this work, we evaluate the upper bounds of probabilities under different rounds of LBlock by the SMT method.

In fact, taking the upper bound of probability as the objective function instead of the number of active S-boxes will slow down the searching speed, especially for high rounds of LBlock.

Luckily, by observing the best related-key differential characteristics for short rounds of LBlock, we find an observation as follows.

Transforming this observation as a constraint into the STP model can speed up the STP solver and get tighter results for rounds.

Observation 1 Assume is an -round related-key differential characteristic with the maximal probability and is the probability on the -th round, there are at least two consecutive rounds with probability of 1. i.e. .

For example, we list one of the best related-key differential characteristic for 13-round LBlock in Table 8. From this Table, we can see that the probability is 1 on both round 6 and 7.

We transform the above observation in CVC language as a constraint and add it to the STP model. After that, we can apply Algorithm 3 (similar to Algorithm 2) to search the upper bounds of probabilities for related-key differential characteristics under different rounds of LBlock. The results are shown in Table 3.

Please note that the probability in Table 3 denotes the total probability including both probabilities on cipher itself and on the key schedule. From Table 3, we can see that the best probability of related-key differential charateristic for 19-round LBlock is no less than .

As an example, we give one related-key differential characteristic with high probablity for 19-round LBlock in Table 9.

(1)	FunctionEncryption Algorithm:
(2)	: the number of rounds
(3)	eqn = [ ] //list
(4)	for i 0 to r − 1 do
(5)	Add “;” in eqn
(6)	Add “;” in eqn
(7)
(8)	Add “;” in eqn
(9)	Add “;” in eqn
	//Note: These variables are from Figure 1
(10)	end
(11)	return eqn
(12)
(13)	FunctionKey Schedule Algorithm:
(14)	: the number of rounds
(15)	eqn = [ ] //list
(16)	for i 0 to r − 1 do
(17)	Add “;” in eqn
(18)	Add “;” in eqn
(19)	Add “; ” in eqn
(20)	end
(21)	return eqn
(22)
(23)	FunctionMain:
(24)	Create a file LBlock.cvc
(25)	eqn = [ ] //list
(26)	Add “;
(27)
(28)	;
(29)	;
(30)	;
(31)
(32)	;
(33)	;” in eqn
	//Describe the differential distribution table of

(34)	eqn + = Encryption Algorithm();
(35)	eqn + = Key Schedule Algorithm();
(36)
(37)	Add “; ” in eqn
(38)	Add “;” in eqn
(39)	write eqn in LBlock.cvc
(40)
(41)	stp LBlock.cvc

(1)	Function Encryption Algorithm:
(2)	: the number of rounds
(3)	eqn = [ ] //list
(4)	for i 0 to r − 1 do
(5)	Add “;” in eqn
(6)	Add “;” in eqn
(7)
(8)	Add “;” in eqn
(9)	Add “; ” in eqn
(10)	end
(11)	return eqn
(12)
(13)	Function Key Schedule Algorithm:
(14)	: the number of rounds
(15)	eqn = [ ] //list
(16)	for i 0 to r − 1 do
(17)	Add “;” in eqn
(18)	Add “;” in eqn
(19)	Add “;” in eqn
(20)	end
(21)	return eqn
(22)
(23)	Function Main:
(24)	Create a file LBlock.cvc
(25)	eqn = [ ] //list
(26)	Add “;
(27)
(28)	;
(29)	;
(30)	;
(31)
(32)	;
(33)	;” in eqn
(34)	eqn + = Encryption Algorithm();
(35)	eqn + = Key Schedule Algorithm();
(36)
(37)	Add “;” in eqn
(38)	Add “;” in eqn
(39)	Add “;” in eqn
(40)	write eqn in LBlock.cvc 19
(41)
(42)	stp LBlock.cvc

In this section, we propose the best related-key differential attacks on LBlock as far as we know. Firstly, we search out a suitable 17-round related-key differential distinguisher on LBlock by combining the techniques used in Section 3.2 and some extra constraints, which are described in Subsection 4.1. Then, based on this distinguisher, we propose the best related-key differential attacks on 22-round and 23-round LBlock in Subsections 4.2 and 4.3 respectively.

4.1. Automatic Search for Suitable Related-Key Differential Distinguishers on LBlock

A related-key differential attack consists of a suitable related-key differential characteristic and a key-recovery phase. In most cases, the longer rounds an attack achieves on a cipher, the better such attack is. Thus, the related-key differential distinguisher is expected as long as possible, while the corresponding key-recovery phase is expected to involve more rounds. However, there is a tradeoff between the related-key differential distinguisher and key-recovery phase. The longest related-key differential characteristic with the largest probability may not result in the best attack because it may lead to fast diffusion and confusion in the key-recovery phase, further leading to attack fewer rounds. Generally, In order to enhance the effect in the key-recovery phase, few active nibbles are expected on input and output differences of related-key differential distinguisher.

In this part, we combine the automatic search method used in section 3.2 and extra constraints on input and output differences of distinguisher to search out a good related-key differential distinguisher which is very suitable to implement the best attack on LBlock. In detail, some requirements and constraints in the automatic search method of suitable -round related-key differential distinguisher are listed as follows:(i)Assume the input and output differences of target -round related-key differential characteristic are and respectively, we require that , where denotes the number of active nibbles in state ;(ii)There exist consecutive two rounds with probability 1 in the related-key differential characteristic, which is exactly the requirement in Observation 1;(iii)In order to adapt key-recovery attack on most cases of masterkey, we limit the probability on the key schedule is ;(iv)General requirement: the number of active nibbles on masterkey satisfies ;(v)Objective function: maximize the probability on cipher itself .

As a result, we finally find a suitable 17-round related-key differential characteristic, whose total probability is including on cipher itself and on the key schedule. This characteristic is listed in Table 10.

In this 17-round related-key differential characteristic, there are 4 active S-boxes within the key schedule that are distributed on the of rounds 6, 7, 8 and 17. In round 6, the differential pattern passing is with probability . According to the difference distribution table of , there are two cases for that is and , where means the -th nibble of subkey in round . Similarly, we can analyze the differential patterns on in rounds 7, 8 and 17, which are summarized in Table 11.

4.2. Related-Key Differential Attack on 22-Round LBlock

In subsection 4.1, we search out an expected 17-round related-key differential distinguisher on LBlock, whose total probability is including on cipher itself and on the key schedule. In this subsection, we extend three rounds before this distinguisher and two rounds behind this distinguisher to attack 22-round LBlock. It is shown in Figure 2.

4.2.1. Data Collection

From Figure 2, we can see that the forms of differences on plaintext and ciphertext are and respectively, where denotes any 4 bit value. According to the form of difference on plaintext, we can build structures and each structure involves plaintexts. Totally, the data complexity is chosen plaintexts.

Since each structure composes plaintext pairs, there are expected plaintext pairs to satisfy the 17-round distinguisher on both input and output differences.

4.2.2. Filtering on Ciphertext

According to the form of ciphertext difference , there are on average pairs remained after the filtering on ciphertext.

4.2.3. Filtering on Rounds

In this part, we guess the subkey nibbles , , , , , , , , , and one by one to filter pairs. Which are summarized within steps in Table 12. Taking step 1 as an example, we explain how we filter pairs in detail.

In this step, we need to guess 4 bits subkey corresponding to the master key . Note that we know according to the key schedule algorithm of LBlock. Since , and are already known, it is only necessary to guess so as to obtain the value of .

Please note that has 2 possible cases, which is equivalent to guessing one more bit. Under each out of possible values of , we can calculate the output difference of in round 1 for each plaintext pair, and check whether it equals the third nibble of . If not, we filter out the current plaintext pair. Otherwise, we remain it and go next step. Totally, it needs operations on Sbox in step 1, while plaintext pairs are remained on average after step 1 because the probability is . The similar idea is applied on steps .

Sometimes, instead of considering the subkey nibbles independently, we would like to focus on their related masterkey bits according to the key schedule. Thanks to the slow diffusion of LBlock’s key schedule, the corresponding masterkey bits of , , , , , , , , , and are , , , , , , , , , and , respectively. However, please note that there are only 2 cases for , 4 cases for and 4 cases for because of the 17-round related-key differential distinguisher. Thus, in step 1, we only need to guess and 2 cases of (We all know that there are two encryption machines with different masterkeys in related-key setting. Here, we don’t fix to a certain machine, so there are only two cases for . Once we recover all masterkey bits, we finally check which machine such masterkey belongs to.). The time complexity of this step is , and the number of pairs remained is . Similarly, we can handle other subkey nibbles on rounds within steps . Finally, 33 bits of masterkey are guessed in this part, and pairs are left.

4.2.4. Filtering on Rounds

In this part, we guess the subkey nibbles , , , , one by one to further filter pairs, which are summarized within steps in Table 12. Luckily, can be calculated by the masterkey bits in which there are only 2 unknown bits , while is exactly the 4 bit masterkey . By guessing such subkey nibbles one by one, ciphertext pairs can be decrypted to the end of distinguisher. In the end, about pairs are filtered to satisfy the output difference of distinguisher . Until now, there are 51 bits of key information (including 39 masterkey bits and 12 subkey bits) guessed.

4.2.5. Exhaustive Search of Remained Key Bits

In order to recover the right key with a high probability, we expect there are 2 pairs left under right key, which means in the data collection phase. Once 2 pairs or larger than 2 pairs are left under certain guessed key, we regard such key as a candidate key. Then we search exhaustively remaining key bits and check if it is right with another plaintext/ciphertext pairs.

4.2.6. Complexity Analysis

According to the data collection phase, we can see that the data complexity is chosen plaintexts when we take . In this case, there are expected 2 pairs left under tthe right key, which is enough to recover the right key with a high probability. The time complexity mainly happens in steps when filtering on rounds and , which are listed in Table 12 one by one step. By summing the time complexities of all steps, the total time is about 22-round encryptions, which is

According to [29], the signal-to-noise ratio iswhere denotes the probability of the related-key differential distinguisher, denotes number of key bits to recover, denotes the probability that a pair survives the filtering, denotes keys suggested by each pair surviving the filtering.

Based on signal-to-noise ratio , the success probability of attack iswhere denotes that the number of the right pairs, denotes that -bit advantage.

We can calculate that signal-to-noise ratio is , when . Thus, according to equation (4).

4.3. Related-Key Differential Attack on 23-Round LBlock

In Subsection 4.1, we search out an expected 17-round related-key differential distinguisher on LBlock, whose total probability is including on cipher itself and on the key schedule. In this subsection, we extend three rounds before this distinguisher and three rounds behind this distinguisher to attack 23-round LBlock. It is shown in Figure 3.

4.3.1. Data Collection

From Figure 3, we can see that the forms of differences on plaintext and ciphertext are and respectively, where denotes any 4 bit value. According to the form of difference on plaintext, we can build structures and each structure involves plaintexts. Totally, the data complexity is chosen plaintexts. Since each structure composes plaintext pairs, there are expected plaintext pairs to satisfy the 17-round distinguisher on both input and output differences.

4.3.2. Filtering on Ciphertext

According to the form of ciphertext difference , there are on average pairs remained after the filtering on ciphertext.

4.3.3. Filtering on Rounds

In this part, because we are using the same distinguisher as that in 22-round attack, the details are the same as the Filtering on rounds in Subsection 4.2.

4.3.4. Filtering on Rounds

In this part, we guess the subkey nibbles , , , , , , , , , , one by one to further filter pairs, which are summarized within steps in Table 13. Luckily, can be calculated by the masterkey bits in which there are only 2 unknown bits , can be calculated by the masterkey bits in which there are only 2 unknown bits and , can be calculated by the masterkey bits in which there are not unknown bits, while is exactly the 4 bit masterkey . By guessing such subkey nibbles one by one, ciphertext pairs can be decrypted to the end of distinguisher. In the end, about pairs are filtered to satisfy the output difference of distinguisher . Until now, there are 65 bits of key information (including 37 masterkey bits and 28 subkey bits) guessed.

4.3.5. Exhaustive Search of Remained Key Bits

In order to recover the right key with a high probability, we expect there are 2 pairs left under right key, which means in the data collection phase. Once 2 pairs or larger than 2 pairs are left under certain guessed key, we regard such key as a candidate key. Then we search exhaustively remaining key bits and check if it is right with another plaintext/ciphertext pairs.

4.3.6. Complexity Analysis

According to the data collection phase, we can see that the data complexity is chosen plaintexts when we take . In this case, there are expected 2 pairs left under right key, which is enough to recover the right key with a high probability. The time complexity mainly happens in steps when filtering on rounds and , which are listed in Table 13 one by one step. By summing the time complexities of all steps, the total time is about 23-round encryptions, which is

According to equations (3) and (4), the signal-to-noise ratio is , when , so the final success rate is .

5. Conclusion

In this paper, we use SMT-based approaches to evaluate the security bounds of LBlock against related-key differential cryptanalysis. Firstly, we propose tighter security bounds, including both the minimal number of active S-boxes and the upper bounds of probabilities for up to 19 rounds of LBlock. As far as we know, these are the best security bounds so far. Secondly, we find a 17-round related-key differential characteristic, whose total probability is including probability on the encryption algorithm itself. With this characteristic, we mount key-recovery attacks on 22-round and 23-round LBlock. These are the best related-key differential attacks on LBlock so far. However, there are still some problems that remained in this work that we need to further study. For example, We will focus on how to find as many useful related-key differentials with high probability as possible so as to increase the total probability of the related-key differential distinguisher. With such distinguisher, we can further improve the related-key differential attack on LBlock.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work has been supported by NSFC Projects (No. 61902100), Key Research, Development Program of Zhejiang Province (No. 2020C01078).

References

C. Pei, Y. Xiao, W. Liang, and X. Han, “Trade-off of security and performance of lightweight block ciphers in industrial wireless sensor networks,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, no. 1, p. 117, 2018.
View at: Publisher Site | Google Scholar
A. Bogdanov, L. R. Knudsen, G. Leander et al., “PRESENT: an ultra-lightweight block cipher,” in Proceedings of the Cryptographic Hardware and Embedded Systems - CHES 2007, 9th International Workshop, P. Paillier and I. Verbauwhede, Eds., vol. 4727, pp. 450–466, Springer, Vienna, Austria, September 2007.
View at: Publisher Site | Google Scholar
J. Guo, T. Peyrin, A. Poschmann, and M. J. B. Robshaw, “The LED block cipher,” IACR Cryptol. ePrint Arch., p. 600, 2012.
View at: Google Scholar
D. Hong, J. Sung, S. Hong et al., “HIGHT: a new block cipher suitable for low-resource device,” in Proceedings of the Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, L. Goubin and M. Matsui, Eds., vol. 4249, pp. 46–59, Springer, Yokohama, Japan, October 2006, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
W. Wu, L. Zhang, and L. Block, “A lightweight block cipher,” in Proceedings of the Applied Cryptography and Network Security - 9th International Conference, ACNS 2011, J. López and G. Tsudik, Eds., vol. 6715, pp. 327–344, Nerja, Spain, June 2011, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers,” IACR Cryptol. ePrint Arch., p. 404, 2013.
View at: Google Scholar
C. Beierle, J. Jean, S. Kölbl et al., “The SKINNY family of block ciphers and its low-latency variant MANTIS,” IACR Cryptol. ePrint Arch., vol. 9815, p. 660, 2016.
View at: Google Scholar
L. Zhang, W. Wu, Y. Wang, S. Wu, and J. Zhang, “Lac: A lightweight authenticated encryption cipher. Submission to CAESAR,” 2014, http://competitions.cr.yp.to/round1/lacv1.pdf.
View at: Google Scholar
E. Biham and A. Shamir, “Differential cryptanalysis of des-like cryptosystems,” Journal of Cryptology, vol. 4, no. 1, pp. 3–72, 1991.
View at: Publisher Site | Google Scholar
A. D. Dwivedi, P. Morawiecki, and G. Srivastava, “Differential cryptanalysis of round-reduced SPECK suitable for internet of things devices,” IEEE Access, vol. 7, pp. 16476–16486, 2019.
View at: Publisher Site | Google Scholar
L. R. Knudsen and D. A. Wagner, “Integral cryptanalysis,” in Proceedings of the Fast Software Encryption, 9th International Workshop, FSE 2002, J. Daemen and V. Rijmen, Eds., vol. 2365, pp. 112–127, Springer, Leuven, Belgium, February 2002, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials,” Journal of Cryptology, vol. 18, no. 4, pp. 291–311, 2005.
View at: Publisher Site | Google Scholar
D. A. Wagner, “The boomerang attack,” in Proceedings of the Fast Software Encryption, 6th International Workshop, FSE ’99, L. R. Knudsen, Ed., vol. 1636, pp. 156–170, Springer, Rome, Italy, March 1999, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
Y. Liu, D. Gu, Z. Liu, and W. Li, “Impossible differential attacks on reduced-round lblock,” in Proceedings of the Information Security Practice and Experience - 8th International Conference, ISPEC 2012, M. D. Ryan, B. Smyth, and G. Wang, Eds., vol. 7232, pp. 97–108, Springer, Hangzhou China, April 2012, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
F. Karakoç, H. Demirci, and A. E. Harmanci, “Impossible differential cryptanalysis of reduced-round lblock,” in Proceedings of the Information Security Theory and Practice. Security, Privacy and Trust in Computing Systems and Ambient Intelligent Ecosystems - 6th IFIP WG 11.2 International Workshop, WISTP 2012, I. G. Askoxylakis, H. C. Pöhls, and J. Posegga, Eds., vol. 7322, pp. 179–188, Springer, Egham, UK, June 2012.
View at: Publisher Site | Google Scholar
S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, and L. SongP. Sarkar and T. Iwata, “Automatic security evaluation and (related-key) differential characteristic search: application to simon, present, lblock, DES(L) and other bit-oriented block ciphers,” Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, Springer, USA, vol. 8873, pp. 158–178, Proceedings, Part I. Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
S. Sun, L. Hu, M. Wang et al., Towards Finding the Best Characteristics of Some Bit-Oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties, Cryptology ePrint Archive, 2014, https://eprint.iacr.org/2014/747.
M. Minier and M. Naya-Plasencia, “A related key impossible differential attack against 22 rounds of the lightweight block cipher lblock,” Information Processing Letters, vol. 112, no. 16, pp. 624–629, 2012.
View at: Publisher Site | Google Scholar
L. Wen, M. Q. Wang, and J. Y. Zhao, “Related-key impossible differential attack on reduced-round lblock,” Journal of Computer Science and Technology, vol. 29, no. 1, pp. 165–176, 2014.
View at: Publisher Site | Google Scholar
G. Vijay, H. Trevor, S. Mate, L. Dan, and G. Ryan, “STP,” 2014, https://stp.github.io/.
View at: Google Scholar
C. Zhou, W. Zhang, T. Ding, and Z. Xiang, “Improving the milp-based security evaluation algorithm against differential/linear cryptanalysis using A divide-and-conquer approach,” IACR Transactions on Symmetric Cryptology, vol. 2019, no. 4, pp. 438–469, 2020.
View at: Publisher Site | Google Scholar
J. Chen and A. Miyaji, “Differential cryptanalysis and boomerang cryptanalysis of lblock,” in Proceedings of the Security Engineering and Intelligence Informatics - CD-ARES 2013 Workshops: MoCrySEn and SeCIHD, Regensburg, A. Cuzzocrea, C. Kittl, D. E. Simos, E. R. Weippl, and L. Xu, Eds., vol. 8128, pp. 1–15, Springer, Germany, September 2013, Proceedings Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
A. Khalesi, H. Bahramgiri, and D. Mansuri, “A new method for accelerating impossible differential cryptanalysis and its application on lblock,” ISC Int. J. Inf. Secur., vol. 8, no. 1, pp. 73–84, 2016.
View at: Publisher Site | Google Scholar
S. Liu, Z. Gong, and L. Wang, “Improved related-key differential attacks on reduced-round lblock,” in Proceedings of the Information and Communications Security - 14th International Conference, ICICS 2012, T. W. Chim and T. H. Yuen, Eds., vol. 7618, pp. 58–69, Springer, Hong Kong, China, October 2012, Proceedings. Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
R. Ankele and S. Kölbl, “Mind the gap - a closer look at the security of block ciphers against differential cryptanalysis,” in Proceedings of the Selected Areas in Cryptography - SAC 2018 - 25th International Conference, C. Cid and M. J. J. Jr, Eds., vol. 11349, pp. 163–190, Springer, Calgary AB Canada, August 2018, Revised Selected Papers. Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
S. A. Azimi, A. Ranea, M. Salmasizadeh, J. Mohajeri, M. R. Aref, and V. Rijmen, “A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis,” IACR Cryptol. ePrint Arch. p., vol. 512, 2022.
View at: Google Scholar
S. Kölbl, G. Leander, and T. Tiessen, “Observations on the SIMON block cipher family,” in Proceedings of the Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, R. Gennaro and M. Robshaw, Eds., vol. 9215, pp. 161–185, Springer, Santa Barbara, CA, USA, August 2015, Proceedings, Part I. Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
Y. Liu, H. Liang, M. Li et al., “STP models of optimal differential and linear trail for s-box based ciphers,” Science China Information Sciences, vol. 64, no. 5, p. 159103, 2021.
View at: Publisher Site | Google Scholar
A. A. Selçuk, “On probability of success in linear and differential cryptanalysis,” Journal of Cryptology, vol. 21, no. 1, pp. 131–147, 2008.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Tianling Weng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

244

Downloads

323

Citations

Security and Communication Networks

Related-Key Differential Attacks on Reduced-Round LBlock

Abstract

1. Introduction

1.1. Propose More Accurate Bounds of Security against Related-Key Differential Attack on LBlock

1.2. Propose 22- and 23-Round Related-Key Differential Attacks on LBlock

1.2.1. Outline

2. Preliminaries

2.1. Notations

2.2. Specification of LBlock

2.2.1. Key Schedule Algorithm

2.3. Simple theorem Prover

3. Evaluate the Resistance of LBlock against Related-Key Differential Attack by Bounds

3.1. Lower Bounds on the Minimal Number of Active S-Boxes

3.2. Upper Bounds of the Maximal Probabilities

4. Related-Key Differential Attacks on LBlock

4.1. Automatic Search for Suitable Related-Key Differential Distinguishers on LBlock

4.2. Related-Key Differential Attack on 22-Round LBlock

4.2.1. Data Collection

4.2.2. Filtering on Ciphertext

4.2.3. Filtering on Rounds

4.2.4. Filtering on Rounds

4.2.5. Exhaustive Search of Remained Key Bits

4.2.6. Complexity Analysis

4.3. Related-Key Differential Attack on 23-Round LBlock

4.3.1. Data Collection

4.3.2. Filtering on Ciphertext

4.3.3. Filtering on Rounds

4.3.4. Filtering on Rounds

4.3.5. Exhaustive Search of Remained Key Bits

4.3.6. Complexity Analysis

5. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright