LBlock-s算法的不可能差分分析

LBlock-s算法是CAESAR竞赛候选认证加密算法LAC中的主体算法，算法结构与LBlock算法基本一致，只是密钥扩展算法采用了扩散效果更好的增强版设计.利用新密钥扩展算法中仍然存在的子密钥间的迭代关系，通过选择合适的14轮不可能差分特征，我们给出了对21轮LBlock-s算法的不可能差分分析.攻击需要猜测的子密钥比特数为72比特，需要的数据量为2⁶³个选择明文，时间复杂度约为2^67.61次21轮加密.利用部分匹配技术，我们也给出了直到23轮LBlock-s算法低于密钥穷举量的不可能差分分析结果.这些研究可以为LAC算法的整体分析提供参考依据.

Impossible Differential Cryptanalysis of Reduced-Round LBlock-s

LBlock-s is the kernel block cipher of the authentication encryption algorithm LAC submitted to CAESAR competition.The general structure of LBlock-s is almost the same as that of LBlock,but LBlock-s adopts an improved key schedule algorithm with better diffusion property.Using the shifting relation of subkeys derived by the key schedule algorithm,an impossible differential cryptanalysis on 21-round LBlock-s was presented based on a 14-round impossible differential.The time and data complexities are 2.67.61 21-round encryptions and 2.63 chosen plaintexts respectively,and the number of subkey bits needed to be guessed is 72.Using partial-matching method,an impossible differential cryptanalysis on LBlock-s up to 23-round was also presented with time complexity less than exhaustion of all key bits.This work is useful for the security analysis of LAC algorithm.