Related-key Impossible Boomerang Cryptanalysis on LBlock-s

Abstract

LBlock-s is the core block cipher of authentication encryption algorithm LAC, which uses the same structure of LBlock and an improved key schedule algorithm with better diffusion property. Using the differential properties of the key schedule algorithm and the cryptanalytic technique which combines impossible boomerang attacks with related-key attacks, a 15-round related-key impossible boomerang distinguisher is constructed for the first time. Based on the distinguisher, an attack on 22-round LBlock-s is proposed by adding 4 rounds on the top and 3 rounds at the bottom. The time complexity is about only 2^68.76 22-round encryptions and the data complexity is about 2⁵⁸ chosen plaintexts. Compared with published cryptanalysis results on LBlock-s, there has been a sharp decrease in time complexity and an ideal data complexity.

1. Introduction

 With the rapid development of electronic information technology and the widespread application of technologies such as RFID (Radio Frequency Identification), traditional block ciphers are not suitable for resource constrained environments. Therefore, lightweight block ciphers which are designed with a trade-off between the security and hardware performance for resource constrained environments have become a hot topic.

 As the kernel block cipher of LAC submitted to CAESAR competition [1], LBlock-s is an improved version of LBlock [2] which is proposed by Wu et al. in ACNS 2011. Similar to LBlock, it uses a variant of Feistel structure and consists of 32 rounds. The block length and the key length are 64-bit and 80-bit, respectively. What LBlock-s differs from LBlock is that LBlock-s employs an improved key schedule algorithm with a faster diffusion speed and replaces 10 different S-boxes in LBlock with 10 identical S-boxes to reduce hardware and software costs. In terms of security, Shan et al. [3] showed that there were at least 32 active boxes in the 32-round related-key differential characteristic, that is, the probability must not be higher than 2^(-64), and they gave a 10-round and an 11-round related-key differential characteristics. Xiao [4] used differential cryptanalysis to give a 16-round differential path. Li et al. [5] mounted a 23-round attack on LBlock-s with improved multidimensional zero-correlation linear cryptanalysis. Using the 14-round impossible differential characteristic of LBlock which was given by the designers of LBlock, Jia [6] carried out a 21-round attack on LBlock-s. They gave the results on 22-round and 23-round attacks without the detailed analysis. And the results showed that the time complexity of 22-round attack was 2^78.86 22-round encryptions, which is close to the one in exhaustive search and much higher than the corresponding attack result in this paper.

 Related-key cryptanalysis was independently introduced by Knudsen [7] and Biham [8] respectively. The basic idea of the technique is that the attackers find weaknesses of the key schedule algorithm to choose appropriate relation between keys and then predict the encryptions under these keys. Impossible differential cryptanalysis was proposed by Knudsen [9] and further by Biham against Skipjack [10], in which the attackers try to find a differential characteristic with a probability of 0 to eliminate the wrong keys and then to recover the correct key. Related-key cryptanalysis and impossible differential cryptanalysis are both very powerful techniques for analyzing the security of a wide variety of block ciphers, and there are many satisfactory attack results on a lot of block ciphers such as Hummingbird-2, TEA, LBlock , MIBS and so on [11-17]. Boomerang cryptanalysis was presented by Wagner in 1999 [18], which is a variant of differential cryptanalysis. The basic idea of boomerang cryptanalysis is to use short differential characteristics with relatively large probabilities to form long differential characteristics with high probability. Related-key impossible boomerang cryptanalysis [19] is obtained by using these three attacks in combination. Until now, many satisfying analysis results are obtained on AES and LBlock by using this cryptanalytic technique [19-20].

 In this paper, we study the security of LBlock-s from the aspect of related-key impossible boomerang cryptanalysis for the first time. Through analyzing the property of round function and key schedule function of LBlock-s, a 15-round related-key impossible boomerang distinguisher is carried out, and we get a 22-round related-key impossible boomerang characteristic to recover 68-bit key with time complexity of 2^68.76 and 2^58 chosen plaintexts. Up to now, this is the best attack result on 22-round LBlock-s.

 Outline. In Section 2, a description of LBlock-s and some notations used in this paper are given. In Section 3, we study the related-key impossible boomerang cryptanalysis. In Section 4, a 15-round related-key impossible boomerang distinguisher and attack on 22-round LBlock-s are described, followed by conclusion in Section 5.

 

2. Description of LBlock-s

2.1 Notations

 The following notations are used in this paper. 

 P, C: the 64-bit plaintext and the 64-bit ciphertext;

 𝐾, ∆𝐾: the 80-bit master key and the difference of K;

 𝐾_i, ∆𝐾_𝑖: the i-th round subkey and the difference of 𝐾_𝑖;

 𝐾_𝑖 ^𝑗 , ∆𝐾_𝑖 ^𝑗 : the j-th nibble of 𝐾_𝑖 and the j-th nibble of ∆𝐾_𝑖;

 𝑋_𝑖, ∆X_𝑖: the left half of the i-th round input and the difference of 𝑋_𝑖;

 𝑋₀: the right half of the first round input;

 𝑋_𝑖 ^𝑗 , ∆𝑋_𝑖 ^𝑗 : the j-th nibble of 𝑋_𝑖 and the j-th nibble of ∆X_𝑖;

 𝑋_𝑖||𝑋_𝑗: the concatenation of 𝑋_𝑖 and 𝑋_𝑗;

 X<<< i: a left rotation of X by i bits;

 X>>> i: a right rotation of X by i bits;

 [𝑖]₂: the binary form of an integer i.

 

2.2 Overview of LBlock-s

 LBlock-s is an improved version of LBlock with a variant of Feistel structure. It consists of 32-round iterative, with the block length 64-bit and the master key length 80-bit. The encryption procedure is as follows, and the general structure is illustrated in Fig. 1.

 1. Input P=X₁||X₀;

 2. For i=2,3,⋯33, do the following calculation:
\(X_{i}=F\left(X_{i-1}, K_{i-1}\right) \oplus\left(X_{i-2}<<<8\right)\)

 3. Output C=X₃₃ ||X₃₂;

Fig. 1. Structure of LBlock-s

 The round function F is defined as F(X_i,K_i )=P(S(X_i⨁K_i)) (see Fig. 2), which includes three basic functions: key-addition layer, nonlinear transformation and linear diffusion function. The confusion function S includes 8 identical 4-bit S-boxes in parallel which is the first S-box used in LBlock (see Table 1, in hexadecimal notation), and the function P is a 4-bit word-wise permutation illustrated in Fig. 2 in detail.

Fig. 2. Round function F

Table 1. Contents of the S-box

 The decryption algorithm of LBlock-s is the inverse of the encryption algorithm. Thus, here is only a brief description: Let C=X₃₂ ||X₃₃ denote the ciphertext. For i=31,30,⋯1,0, do the calculation: X_i=F(X_(i+1),K_(i+1))⊕(X_(i+2)>>>8). Finally, output P=X₁ ||X₀ as the plaintext.
 

2.3 Key Schedule Algorithm

 LBlock-s uses an improved key schedule algorithm with better diffusion property against biclique cryptanalysis. The key schedule of LBlock-s updates 16 bits each time, and these updated bits are affected by 32 bits of the key register. In contrast, the original key schedule only updates 13 bits based on 13 bits of the key register. The master key K=(k₇₉ k₇₈ ⋯k₁k₀) is stored in the key register. Output the leftmost 32 bits as the subkey K_1. For i=1,2,⋯,31, update the key register as follows:

 1. \(K<<<24\)；

 2,  \(\begin{aligned}&\left[k_{55} k_{54} k_{53} k_{52}\right]=S\left[k_{79} k_{78} k_{77} k_{76}\right] \oplus\left[k_{55} k_{54} k_{53} k_{52}\right],\\&\left[k_{31} k_{30} k_{29} k_{28}\right]=S\left[k_{75} k_{74} k_{73} k_{72}\right] \oplus\left[k_{31} k_{30} k_{29} k_{28}\right],\\&\left[k_{67} k_{66} k_{65} k_{64}\right]=\left[k_{71} k_{70} k_{69} k_{68}\right] \oplus\left[k_{67} k_{66} k_{65} k_{64}\right],\\&\left[k_{51} k_{50} k_{49} k_{48}\right]=\left[k_{11} k_{10} k_{9} k_{8}\right] \oplus\left[k_{51} k_{50} k_{49} k_{48}\right];\end{aligned}\)

 3. \(\left[k_{54} k_{53} k_{52} k_{51} k_{50}\right]=\left[k_{54} k_{53} k_{52} k_{51} k_{50}\right] \oplus[i]_{2};\)

 4. Output the leftmost 32-bit of the register \(K\) as round subkey \(K_(i+1)\).

Where the S-box is the same as the S-box used in encryption algorithm.

 

3. The Related-key Impossible Boomerang Cryptanalysis

 Related-key impossible boomerang cryptanalysis involves related-key cryptanalysis, impossible differential cryptanalysis and boomerang cryptanalysis. As depicted in Fig. 3, this technique treats a cipher E as two sub-ciphers E₀ and E₁, namely E=E₀∘E₁. Typically, each sub-cipher consists of two related-key differential characteristics with probability 1. They are shown as following:

 • ∆α→∆β is the first related-key differential characteristic for E₀;

 • ∆α'→∆β' is the second related-key differential characteristic for E₀;

 • ∆δ→∆γ  is the first related-key differential characteristic for E₁^-1;

 • ∆δ'→∆γ' is the second related-key differential characteristic for E_1^(-1),

where α,α',β,β',δ,δ',γ and γ' are n-bit blocks. The corresponding keys used in the four characteristics are K_A,K_B,K_C and K_D. When β,β',γ and γ' meet the condition β⨁β'⨁γ⨁γ'≠0, a related-key impossible boomerang distinguisher is constructed. Then an attack could be mounted by adding rounds at the top and at the bottom. Using the extended parts to guess the keys, we can eliminate the keys which satisfy the whole characteristics until only the correct key is left.

 Related-key impossible boomerang cryptanalysis takes full advantage of the three cryptanalysis methods. In this attack, instead of using a single key differential characteristic with a large probability for E, attackers need to find four key differential characteristics and the master key differences are\(K_{A} \oplus K_{B}=\Delta K_{\alpha}, K_{C} \oplus K_{D}=\Delta K_{\alpha^{\prime}} \text { and } K_{A} \oplus K_{C}=\Delta K_{\beta}, K_{B} \oplus K_{D}=\Delta K_{\beta^{\prime}}\)for E₀ and E₁ respectively, which are not necessarily related. In other words, for any possible key difference selected for E₀, the various key differences for E₁ can be chosen. Thus related-key impossible boomerang cryptanalysis is more conducive to find related-key differential characteristics for ciphers with key schedule algorithm with better diffusion property, compared with the related-key impossible differential cryptanalysis.

Fig. 3. Related-key impossible boomerang distinguisher

 

4. Related-key Impossible Boomerang Cryptanalysis on LBlock-s

 This section describes the related-key impossible boomerang attack on LBlock-s in detail. In the rest of the paper, “*” is used to denote a non-zero 4-bit nibble whereas “?” is used to denote a 4-bit nibble that can assume any value. By analyzing the structure and round function of LBlock-s, we take a 15-round related-key impossible boomerang distinguisher: ((00000000,00000000),(00000000,00000000))↛((00000*00,00000000),(*0000000,00000000)) with the key differences ∆K_α=∆K(α' )= (11000000000000000000) and ∆K_β= ∆K_β'= (00000000000000000000). By extending 4 rounds at the top and 3 rounds at the bottom of this distinguisher, an attack on 22-round LBlock-s is achieved.\

 

4.1 15-round related-key impossible boomerang distinguisher

 Through an in-depth study on the key schedule algorithm of LBlock-s, we found that if there is no non-zero difference passing through S-boxes, two zero key differences followed one non-zero key difference will appear for some master key differences. To decrease the number of active S-boxes, we select the key differences ∆K_α=∆K_α' = (110000000000 00000000) to construct low-weight key differential characteristics. Subkey differences for round 1 to 13 generated by ∆K_α are shown in Table 2. Since the key schedule algorithm has a faster diffusion, we choose the other key differences ∆K_β=∆K_β'= (000000000000 00000000) to increase the number of rounds for the attack. That is, we construct a related-key impossible boomerang distinguisher such that K_A=K_C and K_B=K_D, which means that the distinguisher involves two keys.

Table 2. Subkey differences for round 1 to 13

 Combined with the selected key differences, we carefully choose the input differences and output differences. Let the input differences of ∆α→∆β and ∆α'→∆β' for E₀ be both (00000000,00000000), then non-zero difference diffusion will not happen in the fifth and sixth round. While letting the first output difference for E₁ be (00000*00,00000000), and the second output difference for E₁ be (*0000000,00000000), then the positions of some non-zero nibbles for the related-key differential characteristic ∆δ→∆γ will be the same as that for the other related-key differential characteristics ∆δ'→∆γ' in the same round, which makes more quartets be filtered in each step for subkey-recovery.

 In this attack, E denotes the 15-round related-key impossible boomerang distinguisher of LBlock-s, E_0 denotes round 5 to 13, and E_1 denotes round 14 to 19.

 Theorem 1. Let the two related-key differential characteristics ∆α→∆β and ∆α'→∆β' for E₀ be both (00000000,00000000)→(????????,0*????*?) with the key differences ∆K_α=∆K_α'= (11000000000000000000), the first related-key differential characteristic ∆δ→∆γ for E₁^-1 be (00000*00,00000000)→(0***0*0*,0**?****) with the key difference ∆K_β'= (00000000000000000000), and the second related-key differential characteristic ∆δ'→∆γ' for E₁^-1 be (*0000000,00000000)→(*0*0*0**,*?****0*0) with the key difference ∆K_β' = (00000000000000000000). Then the four differential characteristics constitute a 15-round related-key impossible boomerang distinguisher for LBlock-s.

 The detailed related-key differential characteristics for E₀ and E₁^-1 are shown in Table 3 and Table 4 respectively.

 Proof. From the direction of encryption, ∆X₁₃⁷ in ∆α→∆β and ∆α'→∆β' are both 0. As for the direction of decryption, ∆X₁₃⁷ in the first related-key differential ∆δ→∆γ is 0, but in the second related-key differential ∆δ'→∆γ'is *. Obviously, 0⨁0⨁0⨁*=*, which is not equal to 0. Thus, there is a conflict when these four related-key differential characteristics meet in the middle, which satisfy the principle of related-key impossible boomerang cryptanalysis.

Table 3. Related-key differential characteristic for E_0

Table 4. Related-key differential characteristic for E_1^(-1) when ∆X_20^2= * and ∆X_20^7= *

 Therefore, the four related-key differential characteristics described above constitute an 15-round related-key impossible boomerang distinguisher for LBlock-s: ((00000000,0000 0000),(00000000,00000000))↛((00000*00,00000000),(*0000000,00000000)) with the key differences ∆K_α=∆K_α' )= (11000000000000000000) and ∆K_β=∆K_β' = (00000 000000000000000).

 

4.2 Related-key impossible boomerang attacks on 22-round LBlock-s

An attack on 22-round LBlock-s is achieved by adding 4 rounds at the top and 3 rounds at the bottom of the distinguisher described above. The extended differential characteristics are shown in Fig. 4 and Fig. 5. Since the two related-key differential characteristics for E₀ are chosen to be the same, the input differences of the two characteristics are both given as ∆X₁,∆X₀= (0*00000*,*0?0*00*). The attack procedure can be elaborated as follows.

 

Fig. 4. 4 rounds added at the top of the distinguisher

Fig. 5. 3 rounds added at the bottom of the distinguisher

 Step 1. Select a set of 2²⁴ plaintexts to produce a structure, where the nibbles \(X_{0}^{0}, X_{0}^{3}, X_{0}^{5},X_{0}^{7}, X_{1}^{0}\)and \(X_{1}^{6}\) take all possible values of \(\mathbb{F}_{2}^{4}\) and the other nibbles take constants. Thus each structure contains \(2^{24} \times 2^{24} \times 1 / 2=2^{47}\) plaintext pairs. Choose 2ⁿ structures described above, there will be 2ⁿ×2⁴⁷=2^n+46.1  plaintext pairs denoted as ( P,P*). Similarly, choose 2ⁿ more structures which contain 2^(n+47) plaintext pairs denoted as \(\left(\mathrm{P}^{\prime}, \mathrm{P}^{\prime *}\right)\). Then 2²ⁿ⁺⁹⁴ plaintext quartets (\(\left(\left(\mathrm{P}, \mathrm{P}^{*}\right),\left(\mathrm{P}^{\prime}, \mathrm{P}^{\prime *}\right)\right)\) are constructed. We take 2ⁿ⁺¹structures, so there are 2²ⁿ⁺⁹⁴ plaintext quartets in total.

 Step 2. Encrypt these plaintext quartets for 22 rounds with keys\(K_{A}, \quad K_{B}, \quad K_{C}\) and \(K_{D}\)to obtain the corresponding ciphertext quartets denoted as \(\left(\left(\mathrm{C}, \mathrm{C}^{*}\right),\left(\mathrm{C}^{\prime}, \mathrm{C}^{\prime *}\right)\right)\). Then filter the ciphertext quartets by checking if the differences of ciphertext quartets are ((0**0 000*,000*00*0), (**00000*,000*00*0)).

 Then, the number of remaining ciphertext quartets is \(2^{2 n+94} \times 2^{-4 \times 22}=2^{2 n+6}\)

 Step 3. Guess the subkey \(K_{22}^{1}\) and \(K_{22}^{4}\).

 (a) Partially decrypt C and C' of the remaining quartets for one round and filter the quartets by the equation

\(S\left(X_{22}^{1} \oplus K_{22}^{1}\right) \oplus S\left(X_{22}^{1} \oplus K_{22}^{1} \oplus \Delta X_{22}^{1}\right)=\Delta X_{23}^{0}.\)

 Do the same operation on C* and C'* with the subkey \(K_{22}^{1} \oplus \Delta K_{22}^{1}\)

 (b) For the remaining ciphertext quartets, then partially decrypt C and C^' for one round and filter the quartets by the equation

\(S\left(X_{22}^{4} \oplus K_{22}^{4}\right) \oplus S\left(X_{22}^{4} \oplus K_{22}^{4} \oplus \Delta X_{22}^{4}\right)=\Delta X_{23}^{6}.\)

 Do the same operation on C* and C'* with the subkey K_22^4⨁∆K_22^4.

 Thus there remain about \(2^{2 n+6} \times 2^{-4 \times 4}=2^{2 n-10}\) quartets, and the time complexity is \(\left(2^{2 n+6} \times 2^{4}+2^{2 n-2} \times 2^{8}\right) \times 1 / 8 \times 1 / 22 \approx 2^{2 n+2.63}\)

 Step 4. Guess the subkey \(K_{1}^{0}, K_{1}^{6}\) and \(K_{1}^{7}\).

 (a) Partially encrypt P and P*  of the remaining quartets for one round and filter the quartets by the equation

\(S\left(X_{1}^{0} \oplus K_{1}^{0}\right) \oplus S\left(X_{1}^{0} \oplus K_{1}^{0} \oplus \Delta X_{1}^{0} \oplus \Delta K_{1}^{0}\right)=\Delta X_{0}^{0}.\)

 Do the same operation on P^' and P'* with the same subkey.

 (b) For the remaining quartets, partially encrypt P and P^* for one round and filter the quartets by the equation

\(S\left(X_{1}^{6} \oplus K_{1}^{6}\right) \oplus S\left(X_{1}^{6} \oplus K_{1}^{6} \oplus \Delta X_{1}^{6} \oplus \Delta K_{1}^{6}\right)=\Delta X_{0}^{5}.\)

 Do the same operation on P^' and P^('*) with the same subkey.

 (c) Then partially encrypt P and P^* of the remaining plaintext quartets for one round and filter the quartets by the equation

\(S\left(X_{1}^{7} \oplus K_{1}^{7}\right) \oplus S\left(X_{1}^{7} \oplus K_{1}^{7} \oplus \Delta X_{1}^{7} \oplus \Delta K_{1}^{7}\right)=\Delta X_{0}^{3}.\)

 Do the same operation on P^' and P^('*) with the same subkey.

 Thus, there remain about \(2^{2 n-10} \times 2^{-4 \times 6}=2^{2 n-34}\)quartets, and the time complexity is \(\left(2^{2 n-10} \times 2^{12}+2^{2 n-18} \times 2^{16}+2^{2 n-26} \times 2^{20}\right) \times 1 / 8 \times 1 / 22 \approx 2^{2 n-5.37}\).

 Step 5. Guess the subkey \(K_{2}^{1} \text { and } K_{1}^{3}\).

 Partially encrypt P and P^* of remaining plaintext quartets for two rounds and filter the quartets by the equation

\(S\left(X_{2}^{1} \oplus K_{2}^{1}\right) \oplus S\left(X_{2}^{1} \oplus K_{2}^{1} \oplus \Delta X_{2}^{1} \oplus \Delta K_{2}^{1}\right)=\Delta X_{1}^{6},\)

 where \(X_{2}^{1}=S\left(K_{1}^{3} \oplus X_{1}^{3}\right) \oplus X_{0}^{7}\).

 Do the same operation on P^' and P^('*) with the same subkey.

 Thus there are about \(2^{2 n-34} \times 2^{-4 \times 2}=2^{2 n-42}\) remaining quartets, and the time complexity is \(2^{2 n-34} \times 2^{28} \times 2 / 8 \times 1 / 22 \approx 2^{2 n-12.46}\).

 Step 6. Guess the subkey \(K_{3}^{2}, K_{2}^{0}\) and \(K_{1}^{1}\).

 Partially encrypt P and P* of the remaining plaintext quartets for three rounds and filter the quartets by the equation

\(S\left(X_{3}^{2} \oplus K_{3}^{2}\right) \oplus S\left(X_{3}^{2} \oplus K_{3}^{2} \oplus \Delta X_{3}^{2} \oplus \Delta K_{3}^{2}\right)=\Delta X_{2}^{1},\)

 where \(X_{3}^{2}=S\left(K_{2}^{0} \oplus X_{2}^{0}\right) \oplus X_{1}^{0} \text { and } X_{2}^{0}=S\left(K_{1}^{1} \oplus X_{1}^{1}\right) \oplus X_{0}^{6}\) 

 Do the same operation on P^' and P^('*) with the same subkey.

 Thus, there are about \(2^{2 n-42} \times 2^{-4 \times 2}=2^{2 n-50}\) remaining quartets, and the time complexity is \(2^{2 n-42} \times 2^{40} \times 3 / 8 \times 1 / 22 \approx 2^{2 n-7.88}\).

 Step 7. Guess the subkey\(K_{21}^{3}, K_{22}^{7}, K_{21}^{5}\) and \(K_{22}^{6}\).

 (a) Partially decrypt C and C' of the remaining quartets for two rounds and filter the quartets by the equation

\(S\left(X_{21}^{3} \oplus K_{21}^{3}\right) \oplus S\left(X_{21}^{3} \oplus K_{21}^{3} \oplus \Delta X_{21}^{3}\right)=\Delta X_{22}^{1},\)

 where \(X_{21}^{5}=S\left(K_{22}^{6} \oplus \Delta K_{22}^{6} \oplus X_{22}^{6}\right) \oplus X_{23}^{7}\).

 (b) Then partially decrypt C^* and C'* of the remaining quartets for two rounds and filter the quartets by the equation

\(S\left(X_{21}^{5} \oplus K_{21}^{5} \oplus \Delta K_{21}^{5}\right) \oplus S\left(X_{21}^{5} \oplus K_{21}^{5} \oplus \Delta K_{21}^{5} \oplus \Delta X_{21}^{5}\right)=\Delta X_{22}^{4},\)

 where \(X_{21}^{5}=S\left(K_{22}^{6} \oplus \Delta K_{22}^{6} \oplus X_{22}^{6}\right) \oplus X_{23}^{7}\).

 Thus there are about \(2^{2 n-50} \times 2^{-4 \times 2}=2^{2 n-58}\) remaining quartets, and the time complexity is \(\left(2^{2 n-50} \times 2^{48}+2^{2 n-54} \times 2^{56}\right) \times 2 / 8 \times 1 / 22 \approx 2^{2 n-4.37}\).

 Step 8. Guess the subkey \(K_{20}^{2}, K_{21}^{5}, K_{22}^{6}, K_{20}^{7}, K_{21}^{3} \text { and } K_{22}^{7}\). Since the subkey \(K_{21}^{5}, K_{22}^{6}\) \(K_{21}^{3} \text { and } K_{22}^{7}\) have been guessed, thus just need guess the remaining 8-bit key.

 (a) Partially decrypt C and C' of the remaining quartets for three rounds and filter the quartets by the equation

\(S\left(X_{20}^{2} \oplus K_{20}^{2}\right) \oplus S\left(X_{20}^{2} \oplus K_{20}^{2} \oplus \Delta X_{20}^{2}\right)=\Delta X_{21}^{3},\)

 where \( X_{20}^{2}=S\left(K_{21}^{5} \oplus X_{21}^{5}\right) \oplus X_{22}^{4} \text { and } X_{21}^{5}=S\left(K_{22}^{6} \oplus X_{22}^{6}\right) \oplus X_{23}^{7}\)

 (b) Then partially decrypt C* and C'* of the remaining quartets for three rounds and filter the quartets by the equation

\(S\left(X_{20}^{7} \oplus K_{20}^{7} \oplus \Delta K_{20}^{7}\right) \oplus S\left(X_{20}^{7} \oplus K_{20}^{7} \oplus \Delta K_{20}^{7} \oplus \Delta X_{20}^{7}\right)=\Delta X_{21}^{5},\)

 where\(X_{20}^{7}=S\left(K_{21}^{3} \oplus \Delta K_{21}^{3} \oplus X_{21}^{3}\right) \oplus X_{22}^{1} \text { and } X_{21}^{3}=S\left(K_{22}^{7} \oplus \Delta K_{22}^{7} \oplus X_{22}^{7}\right) \oplus X_{23}^{5}\)

 Thus there are about \(2^{2 n-58} \times 2^{-4 \times 2}=2^{2 n-66}\)remaining quartets, and the time complexity is \(\left(2^{2 n-58} \times 2^{60}+2^{2 n-62} \times 2^{64}\right) \times 3 / 8 \times 1 / 22 \approx 2^{2 n-2.88}\) .

 Step 9. Guess the nibble \(X_{4}^{5}\) to determine the subkey \(X_{4}^{5}\). Since there are 2⁴ possible values for \(X_{4}^{5}\) in \(\mathbb{F}_{2}^{4}\), there are\(2^{4} \times 2^{4}=2^{8}\) possible values for \(X_{4}^{5}\) in this attack. Partially encrypt the remaining quartets for four rounds, and keep only the quartets that satisfy the condition\(F\left(\Delta X_{4}^{5} \oplus \Delta K_{4}^{5}\right) \oplus \Delta X_{3}^{2}=0\). According to the difference distribution table of the S-boxes, the equation above holds with probability of 1⁄6, so\(2^{2 n-66} \times 2^{8} \times 1 / 6 \approx 2^{2 n-60.58}\)quartets will be remained. The time complexity is \(2^{2 n-66} \times 2^{8} \times 2^{64} \times 1 / 8 \times 1 / 22 \approx 2^{2 n-1.46}\).

 If there still quartets left after filtering, it shows that these subkeys being guessed satisfy the related-key impossible boomerang distinguisher, so these subkeys need to be removed and  other candidate subkeys should be tried.

 If we choose 2³⁴ structures, that is, n=33, the time complexity of this attack is about \(2^{2 n+2.63}+2^{2 n-5.37}+2^{2 n-12.46}+2^{2 n-7.88}+2^{2 n-4.37}+2^{2 n-2.88}+2^{2 n-1.46}=2^{2 n+2.76} =2^{68.76}\) 22-round encryptions and the data complexity is \(2^{n+1+24}=2^{58}\) chosen plaintexts. Table 5 shows summary of the number of bits guessed in steps 3-9.

Table 5. The number of bits guessed in steps 3-9

 

5. Conclusions

Table 6. Summary of attacks on LBlock-s

 This paper presents a 15-round related-key impossible boomerang distinguisher for the first time, based on which we attack on 22-round LBlock-s by combining the advantages of the related-key impossible boomerang attack with the weaknesses of the structure of encryption and key schedule algorithm. Analysis results indicate this attack only needs 2⁶⁸.76 encryptions and 2⁵⁸ chosen plaintexts. And there are 68 key bits recovered in this attack. Table 6 shows summary of attack results on LBlock-s. Compared with the impossible differential attack on 22-round LBlock-s in [6], the complexity of the attack on 22-round LBlock-s proposed in this paper presents a substantial reduction. And this is the first time to apply related-key impossible boomerang attack on LBlock-s. Thus, our research on LBlock-s could provide some suggestions for the design of lightweight block ciphers and the improvement of key schedule algorithms. For the future work, we will improve the characteristics search algorithm to achieve higher rounds attacks on LBlock-s and other block ciphers, and evaluate the security of the LAC.