Bit-Based Evaluation of Lightweight Block Ciphers SLIM, LBC-IoT, and SLA by Mixed Integer Linear Programming

Abstract

Many lightweight block ciphers have been proposed for IoT devices that have limited resources. SLIM, LBC-IoT, and SLA are lightweight block ciphers developed for IoT systems. The designer of SLIM presented a 7-round differential distinguisher and an 11-round linear trail using a heuristic method. We have comprehensively sought the longest distinguisher for linear cryptanalysis, zero-correlation linear cryptanalysis, impossible differential attack, and integral attack using the mixed integer linear Programming (MILP) on SLIM, LBC-IoT, and SLA. The search led to discovery of a 16-round linear trail on SLIM, which is 5-round longer than the earlier result. We have also discovered 7-, 7-, and 9-round distinguishers for zero-correlation linear cryptanalysis, impossible differential attack, and integral attack, which are new results for SLIM. We have revealed 9-, 8-, and 11-round distinguishers on LBC-IoT for zero-correlation linear cryptanalysis, impossible differential attack, and integral attack. We have presented full-round distinguishers on SLA for integral attack using only two chosen plaintexts. We performed a key recovery attack on 16-round SLIM with an experimental verification. This verification took 106 s with a success rate of 93%. Moreover, we present a key recovery attack on 19-round SLIM using 16-round linear trail with correlation 2⁻¹⁵: the necessary number of known plaintext–ciphertext pairs is 2³¹; the time complexity is 2^64.4 encryptions; and the memory complexity is 2³⁸ bytes. Results show that this is the current best key recovery attack on SLIM. Because the recommended number of rounds is 32, SLIM is secure against linear cryptanalysis, as demonstrated herein.