On The Resistance of New Lightweight Block Ciphers Against Differential Cryptanalysis


Published in Heliyon, April 2023, DOI: 10.1016/j.heliyon.2023.e15257. Author-uploaded copy (Je Sen Teh, 16 June 2023): https://www.researchgate.net/publication/369972802


Heliyon 9 (2023) e15257

Contents lists available at ScienceDirect

Heliyon
journal homepage: www.cell.com/heliyon

Research article

On the resistance of new lightweight block ciphers against differential cryptanalysis

Yen Yee Chan a, Cher-Yin Khor a, Boo Tap Khoo a, Je Sen Teh a,*, Wei Jian Teng a, Norziana Jamil b

a School of Computer Sciences, Universiti Sains Malaysia, 11800 Gelugor, Malaysia
b Department of Computing, College of Computing and Informatics, Universiti Tenaga Nasional, Malaysia

A R T I C L E I N F O

Dataset link: https://github.com/CryptoUSM/cryptanalysis-lightweight-ciphers

Keywords: SLIM; LBC-IoT; SCENERY; LCB; Differential cryptanalysis; Lightweight block cipher; SMT

A B S T R A C T

Many recently proposed lightweight block ciphers lack security evaluation against generic cryptanalytic attacks such as differential cryptanalysis. In this paper, we contribute towards security evaluation efforts by investigating four lightweight Feistel-based block ciphers: SLIM, LBC-IoT, SCENERY, and LCB. SLIM claims resistance to differential cryptanalysis since, using a heuristic technique, its designers could only find a 7-round differential trail. Despite having no analysis of security against attacks such as differential cryptanalysis, the designers of LBC-IoT and LCB claimed that their ciphers are secure. Meanwhile, the designers of SCENERY claim that the best 11-round differential trail for the cipher has a probability of 2^{-66}. To test these claims, we propose attacks on all four ciphers based on differential cryptanalysis. We present practical key recovery attacks on SLIM which can retrieve the final round key for up to 14 rounds with a time complexity of 2^{32}. LBC-IoT was found to be weaker against differential cryptanalysis despite sharing many similarities with SLIM: a key recovery attack on up to 19 rounds is possible with time complexity 2^{31}. For SCENERY, we found a differential trail of up to 12 rounds with probability 2^{-60}, which was used as the distinguisher for a 13-round key recovery attack. We also discovered that LCB's design lacks nonlinearity, allowing us to easily derive deterministic differential trails regardless of the number of rounds. This flaw allowed us to perform a trivial distinguishing attack using a single known ciphertext. By using a different S-box to address this flaw, LCB becomes more resilient to differential cryptanalysis than SLIM and LBC-IoT when using the same number of rounds. Our paper presents new independent cryptanalysis results for these ciphers.

1. Introduction

The increased frequency of reported data breaches has led to personal information protection becoming a major priority for many organizations. The inadvertent transmission or storage of sensitive information in cleartext is a significant contributor to these breaches. In one recent example, it was discovered that an Internet-of-Things (IoT) software management company was maintaining a database consisting of 2 billion of its user data records in cleartext [1]. This highlights the importance of properly encrypting personal information to protect against potential breaches. However, traditional encryption algorithms that require significant computational resources are not practical for devices with limited processing and memory capabilities, such as IoT devices [2]. To address this issue, there is a need for lightweight cryptographic solutions that can efficiently secure data while also requiring minimal computing resources.

* Corresponding author.
E-mail address: jesen_teh@usm.my (J.S. Teh).

https://doi.org/10.1016/j.heliyon.2023.e15257

Available online 6 April 2023

2405-8440/© 2023 Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Y.Y. Chan, C.-Y. Khor, B.T. Khoo et al. Heliyon 9 (2023) e15257
To address the need for efficient cryptographic solutions for resource-constrained devices, the field of lightweight cryptography
has gained traction among cryptographers. Compared to conventional ciphers, a lightweight cipher usually processes messages in
smaller blocks, uses shorter keys, and consumes less energy [3,4]. Some well-known examples of lightweight block ciphers include
PRESENT [5], Piccolo [6], and LED [7]. The challenge of designing lightweight ciphers is finding the right balance between latency
and functionality [8]. For instance, substitution-permutation network (SPN) ciphers such as GIFT and AES tend to require more
resources. In contrast, ciphers that rely on other types of nonlinear operations like AND (e.g. KATAN [9]) are more lightweight but
require more iterations to achieve a similar security margin.
Generally, we consider a block cipher to be secure if, over the years, it has been shown to be resistant to attacks. Resistance to differential and linear cryptanalysis is the minimum requirement that a cipher needs to fulfill. In differential cryptanalysis, an attacker looks for an input (usually XOR) difference that leads to a particular output difference after r rounds of the cipher. The propagation of differences is statistical in nature, so the goal of an attacker is to maximize the probability (known as the differential probability) that this propagation holds. The propagation of an input difference to an output difference through the rounds is known as a differential trail, which is used as a statistical distinguisher for key guessing. In the past, these differential trails were found manually, using pen-and-paper methods. These days, however, we have automated search tools based on various approaches such as constraint programming that greatly ease the task of a cryptanalyst.
In addition to the well-known block ciphers mentioned earlier, many others have been proposed in recent years, some of which
were published in well-regarded venues [10–15]. However, many of these lesser-known ciphers have not received the same level
of third-party cryptanalysis as compared to their more well-known counterparts. A thorough examination of these ciphers could
potentially uncover secure or efficient designs that may have been overlooked by cryptographers or discover major security problems.
This paper contributes towards this effort by providing new third-party cryptanalysis results for four newer block ciphers, SLIM [10],
LBC-IoT [16], SCENERY [17] and LCB [14].

1.1. Contributions

SLIM, LBC-IoT, SCENERY, and LCB are lightweight block ciphers designed for use in resource-constrained devices, with block sizes ranging from 32 to 64 bits and key sizes from 64 to 80 bits. The designers of SLIM claim that their cipher is secure against differential cryptanalysis after discovering a 7-round trail using a nested tree search. However, this trail is not necessarily optimal because of the heuristic approach the authors used to perform the search. On the basis of this result, they inferred that 32 rounds of the cipher would be adequate to withstand differential cryptanalysis. The designers of LBC-IoT and LCB did not provide any definitive cryptanalysis findings for their ciphers, but claimed that 32 rounds and 10 rounds, respectively, were adequate to resist attacks. The designers of SCENERY, on the other hand, analyzed their cipher using various cryptanalytic methods and found an 11-round differential trail with a probability of 2^{-66}.
We present differential cryptanalysis of all four ciphers to evaluate the designers' claims about their security. An SMT solver is used to identify optimal differential trails for three of the ciphers: SLIM, LBC-IoT, and SCENERY. For SLIM and LBC-IoT, we retrieved provably optimal trails for all 32 rounds, while for SCENERY, due to its larger block size of 64 bits, we were only able to identify trails that were proven to be optimal for a maximum of 11 rounds. In order to find a 12-round differential trail for SCENERY with probability 2^{-60}, we imposed additional constraints on the search space to speed up the search. As such, the 12-round trail may not be optimal but is a valid distinguisher. We then propose key recovery attacks on SLIM, LBC-IoT, and SCENERY for up to 14, 19, and 13 rounds, respectively, which reduces their remaining security margins to around 56%, 41%, and 54% (the fraction of the full number of rounds not covered by the attack: 1 - 14/32, 1 - 19/32 and 1 - 13/28). While our findings do not compromise the security of the full ciphers, they offer a more precise estimate of their robustness against differential attacks.
Next, a manual pen-and-paper method is used to perform the analysis on LCB. This was possible due to the linearity of its design,
which is caused by a weakness in its substitution component (S-box). This flaw allows an attacker to construct a deterministic
distinguisher for any number of rounds and is exploitable in a ciphertext-only attack. To enhance the security of LCB, we replaced
its S-box with the one used in PRESENT (an ISO-standardized block cipher) and found that the improved cipher is more resistant to
differential cryptanalysis compared to SLIM and LBC-IoT. To date, there have been no other independent cryptanalysis findings for
these ciphers apart from ours.

2. Preliminaries

2.1. Paper notation

Throughout this paper, we use little-endian notation, where the rightmost nibble has an index of 0 and the indices increase as we
move toward the left-most nibble. Table 1 provides a summary of the frequently-used notations in this paper.

2.2. Specifications of SLIM

SLIM is a block cipher designed for use on devices with limited resources, such as RFID tags [10]. It operates on 32-bit blocks of data, which are equally divided into two halves, L_i and R_i (16 bits each), for the i-th round of the cipher. The round function of the cipher employs four 4-bit S-boxes (see Table 2) and a bitwise permutation (P-box). The overall encryption procedure can be mathematically described by Equation (1) and Equation (2):

$L_i = R_{i-1},$ (1)

$R_i = L_{i-1} \oplus P(S(K_i \oplus R_{i-1})).$ (2)

Table 1
Notations and abbreviations.

Symbol   Definition
n        Block length (bits)
k        Key length (bits)
⊕        Exclusive-OR (XOR)
ΔP       Plaintext (P) XOR difference
ΔC       Ciphertext (C) XOR difference
L_i      Left half of a message block at the i-th round
R_i      Right half of a message block at the i-th round
K_i      i-th round key

Table 2
PRESENT's S-box used in SLIM.

x      0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x)   C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

Fig. 1. 1 round of SLIM.

Table 3
SLIM's P-box (input bit x is moved to output bit P(x)).

x      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P(x)   7 13 1 8 11 14 2 5 4 10 15 0 3 6 9 12


In SLIM, the P-box (as shown in Table 3) is designed to have no fixed points, meaning that every input bit is moved to a different
position. The authors claim that this property improves the performance of SLIM against linear attacks. Fig. 1 illustrates a single
round of SLIM.
The key schedule of SLIM is complicated and was not clearly defined in its documentation. However, according to the test vectors provided by the designers, the key schedule can be described as follows. From the 80-bit secret key, we directly obtain the first five round keys, {K_1, ..., K_5}. To produce the remaining round keys, the following procedure is adopted. The master key is first divided equally into two halves, KeyMSB and KeyLSB, both of which contain 40 bits (or 10 nibbles). The four right-most nibbles (indexed from 0 to 3) of KeyMSB and KeyLSB are denoted as MSB_[0,15] and LSB_[0,15], respectively. LSB_[0,15] undergoes a left rotation of two bits and is XORed with MSB_[0,15], and the result is transformed using four S-boxes applied simultaneously, yielding the 16-bit value SUB_[0,15]. MSB_[0,15] undergoes a left rotation of three bits and is XORed with SUB_[0,15], the result of which is used as the sixth subkey, K_6.
The first 16 bits (nibbles 0, 1, 2, 3) of KeyMSB and KeyLSB are replaced with K_6 and SUB_[0,15], respectively. This process is repeated on non-overlapping windows of nibbles and wraps around back to the least significant nibbles once all nibbles are exhausted. For example, the computation of K_7 is based on nibbles (4, 5, 6, 7), while K_8 is computed using nibbles (8, 9, 0, 1), and so forth. The key generation process for one round can be summarized by Equation (3), where $\lll$ denotes a bitwise left rotation:

$K_i = S\big(MSB_{[0,15]} \oplus (LSB_{[0,15]} \lll 2)\big) \oplus (MSB_{[0,15]} \lll 3).$ (3)

Fig. 2. 1 round of LBC-IoT.

Table 4
LBC-IoT's S-box.

x      0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x)   0 8 6 D 5 F 7 C 4 E 2 3 9 1 B A

2.3. Specifications of LBC-IoT

The LBC-IoT cipher, a 32-bit block cipher, is also intended for operation on resource-constrained devices, as detailed in [16].
It was designed by the same team that created SLIM. Like SLIM, LBC-IoT also follows the Feistel structure, and utilizes four 4-bit
S-boxes in the substitution layer, as illustrated in Fig. 2. The S-box is described in Table 4. The encryption process can be summarized
in the following Equation (4) and Equation (5):

$L_i = P_2(R_{i-1}),$ (4)

$R_i = P_1\big[L_{i-1} \oplus K_i \oplus S(R_{i-1} \lll 7)\big].$ (5)


LBC-IoT uses two P-boxes (P1 and P2) for its permutation layer (see Table 5). The P-boxes were designed to move every input bit
to a different position, a property that the designers claim enhances resistance against linear cryptanalysis. It can be observed that
the only similarity between P1 and P2 is that the input bit in position 3 is mapped to the output bit in position 11.
Similar to SLIM, the key schedule for LBC-IoT is also not clearly described in its original specification. However, given that the design is similar to SLIM, LBC-IoT's key schedule follows a similar procedure: K_1 through K_5, the first five round keys, are derived directly from the 80-bit master key. The remaining subkeys are generated through a nonlinear key schedule algorithm. The master key is divided equally into two halves, KeyMSB and KeyLSB, both of which contain 40 bits (or 10 nibbles). The four right-most nibbles (indexed from 0 to 3) of KeyMSB and KeyLSB are denoted as MSB_[0,15] and LSB_[0,15], respectively. LSB_[0,15] is rotated to the left by three bits and XORed with MSB_[0,15]. The result is then substituted using four S-boxes applied simultaneously. The output of this 16-bit substitution is denoted as SUB_[0,15]. MSB_[0,15] is then permuted using the P1 permutation and XORed with SUB_[0,15], resulting in the sixth round key, K_6.
The first 16 bits (nibbles 0, 1, 2, 3) of KeyMSB and KeyLSB are replaced by K_6 and SUB_[0,15], respectively. The whole procedure is performed on windows of non-overlapping nibbles. If the nibbles are exhausted, the procedure wraps around to the beginning (least significant nibbles). The process of generating one round key can be summarized by Equation (6):

$K_i = S\big[MSB_{[0,15]} \oplus (LSB_{[0,15]} \lll 3)\big] \oplus P_1(MSB_{[0,15]}).$ (6)

Table 5
LBC-IoT P-boxes (input bit x is moved to output bit P(x)).

x       0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1(x)   12 9 6 11 8 13 2 1 4 15 14 3 0 5 10 7
P2(x)   4 7 15 11 2 10 1 12 3 0 13 5 8 14 6 9

Table 6
SCENERY S-box.

x      0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x)   6 5 C A 1 E 7 9 B 0 3 D 8 F 4 2

Table 7
LCB S-box.

x      0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x)   0 4 1 5 2 6 3 7 8 C 9 D A E B F

2.4. Specifications of SCENERY

SCENERY is a 64-bit block cipher that follows a balanced Feistel structure with 28 rounds. It is designed to provide both strong security and performance improvements for software and hardware implementations. The designers of SCENERY claim that it is the first Feistel cipher to use a bit-sliced technique, which improves computing performance and resistance against cache-timing attacks. In each round, the plaintext block goes through a round function F that includes three main operations: adding the round key (AddRoundKey), column-wise substitution (SubColumns), and linear mixing that can be represented by XOR and shift operations (MixColumns). The S-box used in SCENERY is the same as that of the RECTANGLE block cipher [18]; there are eight 4×4 S-boxes implemented using the bit-sliced technique, with the 4-bit columns of the state processed in parallel. The S-box for SCENERY is shown in Table 6.
SCENERY uses an 80-bit master key. The key generation algorithm of SCENERY uses a nonlinear transformation that involves two S-boxes, a bitwise left rotation of 11 bits, the addition of a round constant, and a dynamic permutation operation to generate the next round key. For more details about SCENERY, readers are referred to its original specification [12].

2.5. Specifications of LCB

Light Cipher Block (LCB) was designed to incorporate design elements of Feistel and SPN ciphers in an effort to overcome the limitations of each paradigm [14]. However, this defeats the purpose of using the Feistel structure, which allows the encryption circuit to be reused for decryption. It has a block size of 32 bits and requires only 10 rounds of encryption, the fewest number of rounds among the four ciphers analyzed in this paper.
The round function of LCB, known as the F-block, operates on the 16-bit halves of the block, denoted as L_i and R_i, in each encryption round. The operations in the F-block supposedly include substitutions (S-boxes), permutations (P-boxes), and linear mixing (L-box). After going through the F-block, a Feistel-like swap is performed on both halves of the internal state. The overall encryption process can be summarized by Equation (7) and Equation (8):

$L_i = L(P(S(K_i \oplus R_{i-1}))),$ (7)

$R_i = L(P(S(K_i \oplus L_{i-1}))).$ (8)

Upon further analysis, we discovered that the S-box in LCB is actually a 4-bit bit permutation: it only reorders the bits of its input, so S(x ⊕ y) = S(x) ⊕ S(y) for all x and y, which makes LCB a linear cipher. This was confirmed by using the test vectors included in the cipher's design documentation, as provided by the authors [14]. The hexadecimal form of the S-box for LCB is shown in Table 7.


Fig. 3. LCB’s S-box, P-box and L-box pattern.

Fig. 4. 1 round of LCB.

The P-box and L-box in LCB are 8-bit and 16-bit permutations, respectively. Even though the S-box, P-box, and L-box in LCB have
varying sizes, they exhibit a similar pattern of interleaved bits. This pattern involves the alternation of the left and right bits with
each other, as illustrated in Fig. 3. An illustration of one round of LCB can be found in Fig. 4. The 64-bit master key in LCB is used
to generate 16-bit subkeys through a simple process: it is divided into 4 equal parts, 𝐾1 through 𝐾4 . These subkeys are used in a
sequential manner as round keys during the encryption process.
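The linearity claim above can be checked mechanically from Table 7 alone. The following is an added example (not code from the paper or from the CryptoUSM repository) that tests whether a 4-bit S-box is GF(2)-linear, recovers the bit permutation it implements, and measures its differential uniformity; it runs the same checks on the PRESENT S-box of Table 2, which the paper proposes as the replacement. The 16-bit S-box layer and the input difference A1F6 (first row of Table 12) are used only to show that, for a linear S-box, the output difference is fixed regardless of the key-masked input; LCB's P-box and L-box are not specified on this page and are not modelled.

```python
# Added example (not from the paper or its repository): checks that LCB's S-box (Table 7) is a bit
# permutation, so each S-box layer maps an input difference to one output difference with
# probability 1, and contrasts it with the PRESENT S-box (Table 2) that the paper proposes as a fix.
import random

LCB_SBOX = [0x0, 0x4, 0x1, 0x5, 0x2, 0x6, 0x3, 0x7, 0x8, 0xC, 0x9, 0xD, 0xA, 0xE, 0xB, 0xF]
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_linear(sbox):
    """S is GF(2)-linear iff S(a xor b) = S(a) xor S(b) for all a, b (this also forces S(0) = 0)."""
    return all(sbox[a ^ b] == sbox[a] ^ sbox[b] for a in range(16) for b in range(16))


def bit_permutation(sbox):
    """Return dest[i] = output bit that input bit i moves to, or None if S is not a bit permutation."""
    if not is_linear(sbox):
        return None
    dest = []
    for i in range(4):
        img = sbox[1 << i]
        if img == 0 or img & (img - 1):   # the image of a unit vector must be exactly one bit
            return None
        dest.append(img.bit_length() - 1)
    return dest if len(set(dest)) == 4 else None


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences; 16 means every difference propagates deterministically."""
    best = 0
    for a in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def s_layer_difference(sbox, delta, x):
    """Output difference of a 16-bit nibble-wise S-box layer for the input pair (x, x xor delta)."""
    out = 0
    for i in range(4):
        shift = 4 * i
        a, b = (x >> shift) & 0xF, ((x ^ delta) >> shift) & 0xF
        out |= (sbox[a] ^ sbox[b]) << shift
    return out


def predicted_difference(sbox, delta):
    """For a linear S-box the output difference is simply S(delta), whatever the (key-masked) input is."""
    return sum(sbox[(delta >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def key_independent(sbox, delta, trials=256, seed=7):
    """True iff the observed output difference never deviates from the linear prediction on random inputs."""
    rng = random.Random(seed)   # constructed sample inputs, seeded for reproducibility
    pred = predicted_difference(sbox, delta)
    return all(s_layer_difference(sbox, delta, rng.getrandbits(16)) == pred for _ in range(trials))


if __name__ == "__main__":
    for name, sbox in (("LCB", LCB_SBOX), ("PRESENT", PRESENT_SBOX)):
        print(name, is_linear(sbox), bit_permutation(sbox),
              differential_uniformity(sbox), key_independent(sbox, 0xA1F6))
```

For LCB the S-box sends input bits 0, 1, 2, 3 to output bits 2, 0, 1, 3 and has differential uniformity 16, so every nonzero input difference has exactly one output difference. Since the key enters only by XOR and the P-box and L-box are themselves permutations of bits, a round of LCB is a fixed bit permutation of the state XORed with a key-dependent constant, which is why Table 12 can list a 10-round trail with p = 1. The PRESENT S-box fails the linearity test and has differential uniformity 4, so after swapping it in, each active S-box costs an attacker at least a factor of 2^{-2} per round.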

3. Cryptanalysis results

3.1. Cryptanalysis of SLIM

We analyzed the security of SLIM using differential cryptanalysis to check the claims made by its designers. To do this, we constructed an SMT model [19] for SLIM that represents its differential behavior. This allowed us to obtain optimal differential trails for the entire cipher. The solver identified differential trails that have the lowest possible weight (optimal), where the weight is defined as $w = -\log_2(p)$ and $p$ is the differential probability of the trail.
The input differences ΔP, output differences ΔC, and probabilities p (hence weights w) for each number of rounds of SLIM are listed in Table 8. From these results, we found that differential trails of up to 13 rounds (with a weight of w = 31) are valid differential distinguishers, as they satisfy the condition $2^{-w} > 2^{-n}$, where n = 32 is the block size. The longest distinguisher that we found is almost twice as long as the one discovered by SLIM's creators. Furthermore, we noted that the differential characteristics of SLIM do not exhibit a significant differential effect, since the alternative 13-round trails with the same input (ΔP) and output (ΔC) differences as the optimal 13-round trail have weights of 32 or greater. As such, the inclusion of these additional trails in a differential cluster does not significantly improve the overall differential probability. In summary, our findings show that 32 rounds of SLIM have sufficient security against differential cryptanalysis, as the optimal 32-round trail we found has a weight greater than twice the block size (w = 78).

Table 8
Differential trails of SLIM (ΔP and ΔC are given as L || R in hexadecimal).

Rounds (R)   ΔP          ΔC          Probability (p)
1            0020 0000   0000 0020   1
2            4024 0090   0000 0090   2^-2
3            8D10 0400   0000 0D00   2^-4
4            1000 B000   1000 A008   2^-6
5            D804 0040   0040 D804   2^-8
6            0208 4700   8000 1D48   2^-12
7            09A6 001A   001A 4982   2^-16
8            9024 0090   9000 02D0   2^-18
9            0B82 000A   000A 0A82   2^-21
10           0020 00B0   0080 4823   2^-24
11           4827 0080   0020 08B4   2^-26
12           0B82 000A   0A00 801B   2^-28
13           A208 A000   A000 B208   2^-31
14           0290 9000   0090 9004   2^-34
15           0B82 000A   000B 0A00   2^-36
16           02D0 9000   0090 D004   2^-36
17           02D0 9000   9000 0290   2^-41
18           8900 0900   0900 8900   2^-44
19           0090 00B0   0090 00B4   2^-46
20           801B 0A00   000A 0B82   2^-48
21           9004 0090   0090 D004   2^-51
22           0900 0D00   0D00 0900   2^-54
23           0B82 000A   000B 0A00   2^-56
24           D004 0090   9000 02D0   2^-58
25           0109 000B   000B 010B   2^-61
26           D000 00D0   9000 02D0   2^-64
27           0090 D000   9000 02D0   2^-66
28           D004 0090   9000 02D0   2^-68
29           0B82 000A   000A 0A82   2^-71
30           D000 00D0   9000 1290   2^-74
31           A000 B000   A000 B208   2^-76
32           0B82 000A   0A00 801B   2^-78

3.1.1. Key recovery attack on 13-round SLIM

By using the optimal 12-round differential trail (0B82 000A → 0A00 801B over 12 rounds) with a probability of 2^{-28}, we performed a key recovery attack on 13 rounds of SLIM. We denote the plaintext (input) difference of the trail as α = ΔP = 0B82 000A and its output difference as β = 0A00 801B. To extend this trail to 13 rounds, we added another round and denoted the output difference of the extended trail as ΔC. ΔC has 12 active bits, the exact values of which cannot be determined since they have been modified in a nonlinear manner by the S-boxes and masked by a round key. On the other hand, there are 20 inactive bits which are fixed (known bits) and thus can be used to discard incorrect pairs. This process is also known as linear filtering. The attack procedure is as follows:

1. Encrypt 2^{30} pairs of plaintexts and expect to find at least 2^{30-28} = 2^2 right pairs (4 pairs of plaintexts that follow the differential trail).
2. There are 20 bits in the 13-round ciphertext difference that are fixed and can be used to filter out incorrect pairs. 2^{30-20} = 2^{10} pairs remain after filtering.
3. Prepare 2^{12} counters and guess the 12 subkey bits that correspond to the 12 active bits of the output difference.
4. Increment the key counter for a specific subkey guess if the result of a 1-round partial decryption of a pair using the guessed key matches β. In total, 2^{10+12} · 2 = 2^{23} partial decryptions (or 2^{22}/13 ≈ 2^{18.3} full encryptions) were performed on the ciphertext pairs.
5. Around 4 right pairs are expected to increment the counter for the correct 12-bit subkey, while the remaining pairs increment random key counters with an expected count of 2^{10-12} = 2^{-2} per wrong key.

The attack time is primarily determined by the need to encrypt 2^{31} chosen plaintexts (D = 2^{31}), which takes approximately T = 2^{31} full encryptions. The size of the key counters determines the amount of memory required for the attack: M = 12 · 2^{12}/8 ≈ 2^{12.58} bytes to store the counters for the 2^{12} possible 12-bit keys. With 4 expected right pairs, the correct last-round subkey bits can be recovered with a probability of (1 − e^{−2^{30−28}}) × 100% = 98.2%. Other key bits can be identified through exhaustive search or by other approaches, such as performing the same attack on 12 rounds after partially decrypting the 13th round with the recovered subkey.
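The five-step procedure above (and the SLIM round function of Section 2.2 that it partially decrypts) can be run end to end on a reduced instance. The following is an added example, not the authors' verification code nor code from the CryptoUSM repository: it implements Equations (1) and (2) with the S-box of Table 2 and the P-box of Table 3, computes the difference distribution table that explains the 2^{-2} probability of the 2-round trail 4024 0090 → 0000 0090 in Table 8, and then applies linear filtering and counter-based key recovery to 3-round SLIM by extending that trail by one round, exactly as Section 3.1.1 does for 12 + 1 rounds. Assumptions not on the page: the three round keys are independent random 16-bit values (SLIM's key schedule is not used), and the 4096 plaintexts are constructed so that nibble 1 of R_0, the only S-box input touched by the input difference, takes every value equally often.

```python
# Added example (not from the paper or the CryptoUSM repository): SLIM rounds from Eq. (1)-(2),
# the DDT of the PRESENT S-box, and the filter-and-count key recovery of Section 3.1.1 on 3 rounds.
# Assumption: independent random round keys; SLIM's key schedule is not modelled.
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # Table 2
PBOX = [7, 13, 1, 8, 11, 14, 2, 5, 4, 10, 15, 0, 3, 6, 9, 12]   # Table 3: input bit x -> output bit PBOX[x]
PBOX_INV = [PBOX.index(i) for i in range(16)]
MASK16 = 0xFFFF


def sub16(x, sbox=SBOX):
    """Apply the 4-bit S-box to each nibble of a 16-bit word (nibble 0 is the low nibble)."""
    return sum(sbox[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def perm16(x, p=PBOX):
    """Bit permutation: bit i of x moves to bit p[i] of the result."""
    return sum(((x >> i) & 1) << p[i] for i in range(16))


def slim_round(left, right, rk):
    """One SLIM round: L_i = R_{i-1}, R_i = L_{i-1} xor P(S(K_i xor R_{i-1}))."""
    return right, left ^ perm16(sub16(rk ^ right))


def slim_encrypt(block, round_keys):
    """Encrypt a 32-bit block L || R with one 16-bit key per round."""
    left, right = block >> 16, block & MASK16
    for rk in round_keys:
        left, right = slim_round(left, right, rk)
    return (left << 16) | right


def ddt(sbox=SBOX):
    """Difference distribution table: ddt[a][b] = #{x : S(x) xor S(x xor a) = b}."""
    table = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


# 2-round trail from Table 8: alpha = 4024 0090 -> beta = 0000 0090 with p = 2^-2.
ALPHA, BETA = 0x40240090, 0x00000090


def structured_plaintexts(rng):
    """Constructed input set: 4096 plaintexts whose R0 nibble 1 takes every value 256 times; L0 is random."""
    return [(rng.getrandbits(16) << 16) | (hi << 8) | (n1 << 4) for n1 in range(16) for hi in range(256)]


def count_trail_pairs(round_keys, plaintexts):
    """Number of pairs (P, P xor alpha) whose 2-round output difference equals beta."""
    return sum(slim_encrypt(p, round_keys) ^ slim_encrypt(p ^ ALPHA, round_keys) == BETA for p in plaintexts)


def recover_last_round_nibble(round_keys, plaintexts):
    """Section 3.1.1 on 3 rounds: filter on the inactive ciphertext bits, then count votes per key guess."""
    active = perm16(0x00F0)          # where the round-3 S-box output of nibble 1 lands in R3 (0x4824)
    counters = [0] * 16
    kept = 0
    for p in plaintexts:
        c0 = slim_encrypt(p, round_keys)
        c1 = slim_encrypt(p ^ ALPHA, round_keys)
        d = c0 ^ c1
        # Linear filtering: dL3 must equal beta's right half and dR3 must be zero outside `active`
        # (16 + 12 = 28 fixed bits); every pair that did not follow the trail fails this test.
        if (d >> 16) != (BETA & MASK16) or (d & MASK16 & ~active) != 0:
            continue
        kept += 1
        x0, x1 = (c0 >> 20) & 0xF, (c1 >> 20) & 0xF          # nibble 1 of L3 = R2: the S-box input
        target = (perm16(d & MASK16, PBOX_INV) >> 4) & 0xF   # S-box output difference implied by dR3
        for k in range(16):                                  # 1-round partial decryption per guess
            if SBOX[k ^ x0] ^ SBOX[k ^ x1] == target:        # guess consistent with dL2 = 0 (beta)
                counters[k] += 1
    return kept, counters


def demo(seed=1):
    rng = random.Random(seed)
    keys = [rng.getrandbits(16) for _ in range(3)]
    pts = structured_plaintexts(rng)
    kept, counters = recover_last_round_nibble(keys, pts)
    return {"trail_pairs": count_trail_pairs(keys[:2], pts), "filtered": kept,
            "true_nibble": (keys[2] >> 4) & 0xF, "counters": counters}


if __name__ == "__main__":
    print("DDT[9][E] =", ddt()[9][0xE])
    print(demo())
```

Two things the toy run makes visible that the complexity figures do not. First, the filter is exact here: the 28 fixed bits reject every pair that left the trail, so the number of surviving pairs equals the number of right pairs (one quarter of the input set, matching DDT[9][E] = 4/16). Second, the guess k and the guess k ⊕ 9 receive identical counts, because the pair (k ⊕ x, k ⊕ x ⊕ 9) is the same unordered S-box input pair for both; a single active S-box therefore narrows the guessed nibble to two candidates, and the residual bits are settled by exhaustive search, as the paper notes for the remaining key bits.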

We performed experimental verification of the key-recovery procedure for SLIM. Since the same procedure is used in the remaining sections of the paper, this experimental verification also serves as proof of correctness for the other attacks.

Table 9
Differential trails of LBC-IoT (ΔP and ΔC are given as L || R in hexadecimal).

Rounds (R)   ΔP          ΔC          Probability (p)   Active S-boxes
1            5A34 0000   0000 A549   1                 0
2            00C0 0001   0000 0100   2^-2              1
3            0010 0000   2000 0A40   2^-4              2
4            0020 0000   0000 0800   2^-4              2
5            0002 0000   4000 0002   2^-6              3
6            0002 0400   0000 2000   2^-8              4
7            0002 0000   0000 0800   2^-8              4
8            0002 0000   0020 1000   2^-10             5
9            2000 0040   0020 1000   2^-12             6
10           0006 0400   0020 1000   2^-14             7
11           0006 0400   0120 3800   2^-16             8
12           2000 0040   0120 3000   2^-18             9
13           0006 0400   0000 0800   2^-20             10
14           0006 0400   0020 1800   2^-22             11
15           0006 0400   0000 0800   2^-24             12
16           0006 0400   0020 1000   2^-26             13
17           0006 0400   0100 2040   2^-28             14
18           6000 0040   0000 0800   2^-30             15
19           0006 0400   0000 0800   2^-32             16
20           6000 0040   0000 0800   2^-34             17
21           6000 0040   0020 1000   2^-36             18
22           6000 0040   0100 2040   2^-38             19
23           6000 0040   0020 1000   2^-40             20
24           2000 0040   0100 2040   2^-42             21
25           6000 0040   0020 1000   2^-44             22
26           6000 0040   0100 2040   2^-46             23
27           0006 0400   0120 3000   2^-48             24
28           6000 0040   0000 0800   2^-50             25
29           0006 0400   0100 2040   2^-52             26
30           0006 0040   0020 1000   2^-54             27
31           6000 0040   0020 1000   2^-56             28
32           6000 0040   0120 3000   2^-58             29

3.1.2. Key recovery attack on 14-round SLIM

Furthermore, we demonstrate that the optimal 13-round differential trail (A208 A000 → A000 B208 over 13 rounds) with probability 2^{-31} can be applied to attack 14 rounds of SLIM, although the success rate of this attack is lower than that of the 13-round attack. The input (plaintext) difference for this trail is denoted as α = ΔP = A208 A000, and the output difference is denoted as β = A000 B208. To extend this trail to 14 rounds, we added another round and denoted the output difference as ΔC. As in the 13-round attack, ΔC has 12 active bits and 20 inactive bits that can be used to identify and discard incorrect pairs.
We adopt the same attack procedure as Section 3.1.1. Attack time consists primarily of the encryption of D = 2^{31} · 2 = 2^{32} chosen plaintexts (the full codebook), which takes approximately T = 2^{32} time. As with the other attacks, memory complexity is dictated by the size of the key counters, which requires M = 12 · 2^{12}/8 ≈ 2^{12.58} bytes. With 1 expected right pair, the attack obtains the final round key with probability (1 − e^{−2^0}) × 100% = 63.2%.
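The 98.2% and 63.2% success probabilities quoted for the 13-round and 14-round attacks both come from the expected number of right pairs. As an added worked derivation (not part of the original paper), with $N$ plaintext pairs and a trail of probability $p$, each pair follows the trail independently with probability $p$, so the attack fails (no right pair reaches the counter of the correct key) with probability $(1-p)^N$ and

$\Pr[\text{success}] = 1 - (1 - p)^{N} = 1 - e^{N \ln(1-p)} \approx 1 - e^{-Np}$ for small $p$.

For the 13-round attack, $N = 2^{30}$ and $p = 2^{-28}$, so $Np = 2^{30-28} = 4$ and $1 - e^{-4} \approx 0.982$; for the 14-round attack, $N = 2^{31}$ and $p = 2^{-31}$, so $Np = 1$ and $1 - e^{-1} \approx 0.632$. A single expected right pair is only useful because, after linear filtering, the counter of a wrong key has an expected value well below one (the paper gives $2^{10-12} = 2^{-2}$ for 13-round SLIM), so a counter value of 1 already separates the correct key from the noise; the check to make before trusting such a figure is that $Np$ exceeds this wrong-key expectation by a comfortable margin.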

3.2. Cryptanalysis of LBC-IoT

Although it is crucial to thoroughly assess the security of block ciphers against various cryptanalytic attacks, this was unfortunately
not performed for LBC-IoT. In its specification [16], the designers claim the cipher’s immunity to various types of attacks without
providing any evidence. To fill this gap in the security analysis of LBC-IoT, we have conducted an evaluation of the cipher’s security
against differential cryptanalysis.
Aided by an SMT solver, we found optimal differential trails for 1 through 32 rounds of LBC-IoT. These differential trails are shown in Table 9, where trails of up to 18 rounds (w = 30) are feasible differential distinguishers. This means that LBC-IoT's security margin against distinguishing attacks is less than 50% (18 out of 32 rounds). Even though 32 rounds of LBC-IoT are still sufficient against the attacks found here, it would be ideal for the designers to aim for a larger security margin, such as 36 rounds (double the number of rounds of the best distinguisher found). This would provide a more comfortable margin against potential attacks.

3.2.1. Key recovery attack on 18-round LBC-IoT

According to Table 9, the optimal 17-round differential trail (0006 0400 → 0100 2040 over 17 rounds) has a probability of 2^{-28}, which allows for a straightforward key recovery attack to be performed on 18 rounds of LBC-IoT. The input and output differences of the trail are represented as α = ΔP = 0006 0400 and β = 0100 2040, respectively. When an additional round is added to the 17-round differential trail, the output difference of this extended trail is denoted as ΔC. ΔC has 24 inactive bits that can be directly used for linear filtering, leaving 8 active bits and hence 8 subkey bits to guess.
The attack procedure is the same as the one used for SLIM (Section 3.1.1). The time complexity of the attack is dominated by the encryption of the D = 2^{30} · 2 = 2^{31} chosen plaintexts, which takes approximately 2^{31} full encryptions. The memory complexity is determined by the size of the key counters, which requires M = 8 · 2^8/8 = 2^8 bytes. We expect the attack to correctly recover the final round subkey with probability (1 − e^{−2^{30−28}}) × 100% = 98.2% when 4 right pairs are expected.

Table 10
Differential trails of SCENERY (ΔP and ΔC are given as L || R in hexadecimal).

Rounds (R)   ΔP                   ΔC                   Probability (p)
1            00000000 00000001    00000001 00000000    2^0
2            00000000 00000008    10181810 00000008    2^-2
3            02020002 C0400604    C4460604 02020002    2^-4
4            00003020 2A261305    00003020 00101000    2^-8
5            00000206 E84C0C48    69CC0C48 00000206    2^-12
6            10181810 00002838    3F2DAAB7 00002838    2^-18
7            0000080C 0F0B8A8D    0F0B8A8D 0000080C    2^-22
8            1C12121C 1B152A30    0F0B8A8D 0000080C    2^-31
9            000080C0 F0B0A8D8    E0A80000 08282000    2^-37
10           81A18101 2121E144    C3C2A263 00000203    2^-45
11           00008080 37170712    E7A555F6 00000507    2^-52
12*          00008080 37170712    C341377B 080C0604    2^-60
13*          00008080 37170712    07078F8B 0301090F    2^-69
* Differential probability not confirmed to be optimal.

3.2.2. Key recovery attack on 19-round LBC-IoT

By using the optimal 18-round differential trail (6000 0040 → 0000 0800 over 18 rounds) from Table 9 with a probability of 2^{-30}, a key recovery attack can be performed on 19 rounds of LBC-IoT. However, because the trail probability is only 2^{-30}, the likelihood of success is lower than that of the 18-round attack. The output difference (ΔC) after adding one round to the 18-round differential trail has 28 fixed or inactive bits (32 − 4 = 28) that can be used for linear filtering, leaving 4 active bits and 4 subkey bits to guess. The time, data, and memory complexities of the 19-round attack are T = 2^{31}, D = 2^{31}, and M = 4 · 2^4/8 = 2^3 bytes, respectively. With just 1 expected right pair, the attack is expected to have a success rate of 63.2% in obtaining the final round subkey.

3.3. Cryptanalysis of SCENERY

Using an SMT solver, we found optimal differential trails for up to 11 rounds of SCENERY. Beyond this point, the trails found are not guaranteed to be optimal, as additional constraints were added to the SMT model to reduce the search space and speed up the search. These additional constraints fixed the differences of the first few rounds to those of the best 11-round trail found so far. Since an r-round optimal trail need not share the intermediate differences of an (r − 1)-round optimal trail, this heuristic cannot guarantee optimality. The results of our search are shown in Table 10. We stopped searching for trails at 13 rounds of SCENERY due to time constraints and because the differential trails obtained could no longer be used as a valid distinguisher (p < 2^{-64}).
Our results show that the differential trails we found have higher differential probabilities than those found by the designers, as shown in Table 11. For example, at 11 rounds, the differential probability of the trail we found was 2^{-52}, while the best trail found by the designers was only 2^{-66}. Even with just 6 rounds, the differential probability of the trail we found was already higher at 2^{-18}, compared to the designers' 2^{-22}.

3.3.1. Key recovery attack on 12-round SCENERY


The best 11-round differential trail we found, with a probability of $2^{-52}$, was used to perform a 12-round key-recovery attack on SCENERY. The input and output differences of this trail are denoted as $\alpha = \Delta P = 00008080\,37170712$ and $\beta = E7A555F6\,00000507$, respectively. For the key-recovery attack, we added one round to the 11-round differential and denoted the output difference of this round as $\Delta C$. $\Delta C$ has 36 inactive bits that can be used to discard incorrect pairs.
Based on the same attack procedure in Section 3.1.1, the attack time complexity is dominated by the need to encrypt the $D = 2^{53}$ chosen plaintexts, which is $T = 2^{53}$ full encryptions. The memory complexity is constrained by the space required to store the key counters, which requires $\frac{28 \cdot 2^{28}}{8} \approx 2^{29.81}$ bytes. With 1 right pair, the key-recovery attack would succeed with the probability of $(1 - e^{-1}) \times 100 = 63.2\%$.

3.3.2. Key recovery attack on 13-round SCENERY


While the 12-round differential trail obtained cannot be guaranteed to be an optimal 12-round trail, a key-recovery attack can still be performed due to its high differential probability of $2^{-60}$. A more efficient attack could be achieved if an optimal differential trail with a higher probability than the one identified exists. Nevertheless, we use the 12-round differential trail ($00008080\,37170712 \xrightarrow{12} C341377B\,080C0604$) from Table 10 to attack 13 rounds of SCENERY.
Denote the input difference of the trail as $\alpha = \Delta P = 00008080\,37170712$ and the output difference of the trail as $\beta = C341377B\,080C0604$. One round is added to the 12-round differential where the output difference is denoted by $\Delta C$. There are 32 active bits, which are the bits of $\Delta C$ that have been masked by the subkey addition and substitution operation. This leaves 32 inactive bits which can be used as a linear filter to discard wrong pairs, thus reducing the number of pairs to $2^{60-32} = 2^{28}$.
The attack procedure for 13 rounds of SCENERY follows the same steps as before. The time complexity of the attack is $T = 2^{61}$ full encryptions, data complexity is $D = 2^{60} \times 2 = 2^{61}$ chosen plaintexts, and memory complexity is $\frac{32 \cdot 2^{32}}{8} = 2^{34}$ bytes. Similarly, with 1 correct pair, we expect the attack to succeed with a probability of $(1 - e^{-1}) \times 100 = 63.2\%$.

Table 11
Comparison of SCENERY differential trails.

Rounds (R)   Probability ($p$)   Designer's claim ($p$)
1            $2^{-0}$            $2^{-0}$
2            $2^{-2}$            $2^{-2}$
3            $2^{-4}$            $2^{-4}$
4            $2^{-8}$            $2^{-8}$
5            $2^{-12}$           $2^{-12}$
6            $2^{-18}$           $2^{-22}$
7            $2^{-22}$           $2^{-30}$
8            $2^{-31}$           $2^{-40}$
9            $2^{-37}$           $2^{-50}$
10           $2^{-45}$           -
11           $2^{-52}$           $2^{-66}$
12           $2^{-60}$           -
13           $2^{-69}$           -

Table 12
10-round LCB trail with $p = 1$.

Rounds (R)   $\Delta P$    Probability ($p$)
1            A1F6 0000     1
2            0000 D1E5     1
3            D372 0000     1
4            0000 836F     1
5            957C 0000     1
6            0000 B563     1
7            A1F6 0000     1
8            0000 D1E5     1
9            D372 0000     1
10           0000 836F     1

3.4. Cryptanalysis of LCB

In differential cryptanalysis, the goal is usually to identify a differential trail that exhibits a high probability that can subsequently be used in a key recovery attack. However, it turns out that LCB is completely linear, whereby a deterministic distinguisher can be trivially constructed for any number of rounds and used in a distinguishing attack. A distinguishing attack is a type of attack that aims to differentiate encrypted data originating from a target cipher from data generated from a random function. If an effective distinguisher can be found, especially one that works for all rounds of a cipher, it suggests that the block cipher is insecure [20]. In the case of LCB, any given input difference $\Delta P$ will always produce the same output difference $\Delta C$. The implication of this is that the task of finding differential trails for LCB can be accomplished through manual calculations, without relying on automated tools. An example of a 10-round differential trail is shown in Table 12. This means that a successful distinguishing attack on the full LCB can be performed using just one known ciphertext as follows:

1. Given any 10-round ciphertext $C_1$, calculate $C_2 = C_1 \oplus \Delta C$.
2. Using an arbitrary master key, request the corresponding plaintext pair $(P_1, P_2)$ from a decryption oracle.
3. We expect that $P_1 \oplus P_2 = \Delta P$ with probability 1.

3.4.1. Improving LCB


To fix LCB’s linearity, we substitute its S-box with a nonlinear one and then reexamine its resistance to differential attacks. We
chose to use the S-box from the PRESENT cipher because it also allows us to directly compare LCB to the SLIM cipher.
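As an added illustration of the two findings above (the linear LCB S-box giving probability-1 differentials for every input difference, and the PRESENT S-box removing that property), the following code computes the differential distribution table (DDT) of a 4-bit S-box and checks whether it is affine; it is not code from the paper or from the LCB or PRESENT designers. Since the page does not reproduce LCB's S-box, the affine S-box here is a constructed stand-in, while the PRESENT S-box is the one from [5].

```python
# Added example (not from the paper or the LCB designers): DDT-based check
# that tells an affine S-box, whose every differential holds with probability
# 1, from a nonlinear one such as PRESENT's, which the paper swaps into LCB.
import math
from itertools import product

# PRESENT 4-bit S-box [5].
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed affine stand-in, S(x) = rotl1(x) XOR 9 (not LCB's real S-box).
AFFINE_SBOX = [(((x << 1) | (x >> 3)) & 0xF) ^ 0x9 for x in range(16)]


def ddt(sbox):
    """Differential distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x, a in product(range(n), repeat=2):
        table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def max_diff_prob_log2(sbox):
    """log2 of the best single-S-box differential probability over a != 0."""
    table = ddt(sbox)
    best = max(max(row) for row in table[1:])
    return math.log2(best / len(sbox))


def is_affine(sbox):
    """Affine over GF(2) iff each nonzero input difference has exactly one
    output difference, i.e. every DDT row (a != 0) holds a single entry 16."""
    return all(max(row) == len(sbox) for row in ddt(sbox)[1:])


def deterministic_output_diff(sbox, a):
    """Output difference reached with probability 1 from input difference a,
    or None if no such transition exists (the nonlinear case)."""
    row = ddt(sbox)[a]
    return row.index(len(sbox)) if len(sbox) in row else None


if __name__ == "__main__":
    for name, s in (("affine", AFFINE_SBOX), ("PRESENT", PRESENT_SBOX)):
        print(name, "affine:", is_affine(s),
              "best log2(p):", max_diff_prob_log2(s),
              "diff 0x8 ->", deterministic_output_diff(s, 0x8))
```

For the PRESENT S-box the best single transition is $2^{-2}$, which is exactly the probability of the 1-round trail in Table 13; for the affine stand-in every transition is deterministic, which is what makes a linear cipher distinguishable with one ciphertext.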


Table 13
Differential trails for the improved LCB.

Rounds (R)   $\Delta P$    $\Delta C$    Probability ($p$)
1            0000 0030     0101 0000     $2^{-2}$
2            0000 0070     0000 0041     $2^{-4}$
3            000D 0000     0000 4168     $2^{-8}$
4            0000 F009     0000 003C     $2^{-12}$
5            000F 0000     0000 0101     $2^{-15}$
6            0090 0000     4040 0000     $2^{-18}$
7            0090 0000     0000 0155     $2^{-22}$
8            0090 0000     1051 0000     $2^{-26}$
9            00F0 0000     0000 0101     $2^{-29}$
10           0000 0090     0000 1004     $2^{-32}$
11           0090 0000     0000 1055     $2^{-36}$
12           7009 0000     1055 0000     $2^{-40}$
13           0000 00F0     1010 0000     $2^{-43}$
14           0000 0009     0000 0041     $2^{-46}$
15           0790 0000     0000 0041     $2^{-50}$
16           700F 0000     00C3 0000     $2^{-54}$
17           0000 0090     0101 0000     $2^{-57}$
18           0090 0000     0404 0000     $2^{-60}$
19           0000 0009     0154 0000     $2^{-64}$
20           0009 0000     1051 0000     $2^{-68}$

After replacing the S-box in LCB, we found that LCB with 10 rounds now has an optimal differential trail of $2^{-32}$. Based on this result, we suggest that LCB double its number of rounds to 20 to have sufficient security against differential attacks. As shown in Table 13, at 20 rounds, the best differential trail for LCB has a probability of $2^{-68}$. This means that LCB requires fewer rounds to be equally as secure as SLIM with respect to differential cryptanalysis (20 rounds of LCB are equivalent to 28 rounds of SLIM). Furthermore, by using the same S-box design as SLIM, the improved 20-round LCB is more secure than 20 rounds of SLIM by a factor of $2^{20}$. When compared to 20 rounds of LBC-IoT, the improved LCB cipher is more secure by a factor of $2^{34}$.

4. Conclusion

In our work, we propose differential attacks on SLIM, LBC-IoT, SCENERY, and LCB. For SLIM, we identified optimal differential trails for all 32 rounds and found that a valid differential distinguisher exists for up to 13 rounds. Our best attack on SLIM was a 14-round key recovery attack with practical time/data/memory complexities of $2^{32}/2^{32}/2^{12.58}$, which reduced the security of SLIM to around 56% (18/32).
Similarly, for LBC-IoT, we employed an SMT solver to obtain optimal trails for all 32 rounds. Valid distinguishers were found for up to 18 rounds. We also demonstrated a key recovery attack on 19 rounds of LBC-IoT with practical time/data/memory complexities of $2^{31}/2^{31}/2^{3}$. This significantly reduced the security of LBC-IoT to around 41% (13/32).
For SCENERY, the differential trails were obtained only for 13 out of 28 rounds, with a valid distinguisher found up to 12 rounds. We show that the key recovery attack performed on 13 rounds of SCENERY has time/data/memory complexities of $2^{57}/2^{61}/2^{34}$, which reduced the security of SCENERY to around 54% (15/28).
Additionally, we have identified a critical weakness in the S-box of LCB, rendering the entire cipher linear. Consequently, the security of LCB is compromised because deterministic trails (with probability 1) can be derived for any input difference. The trails can then be used in distinguishing attacks on any number of rounds in a ciphertext-only setting. As such, LCB in its current form has been completely broken. However, by instead adopting a nonlinear S-box (from PRESENT), we found that 20 rounds of LCB were more secure than 20 rounds of SLIM and LBC-IoT by a factor of $2^{20}$ and $2^{34}$, respectively.

CRediT authorship contribution statement

Yen Yee Chan; Cher-Yin Khor; Boo Tap Khoo: Performed the experiments; Analyzed and interpreted the data; Wrote the paper.
Je Sen Teh: Conceived and designed the experiments; Analyzed and interpreted the data; Contributed reagents, materials, analysis
tools or data; Wrote the paper.
Wei Jian Teng; Norziana Jamil: Analyzed and interpreted the data; Contributed reagents, materials, analysis tools or data.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to
influence the work reported in this paper.

Data availability

Data associated with this study has been deposited at https://github.com/CryptoUSM/cryptanalysis-lightweight-ciphers.


Acknowledgements

Norziana Jamil was supported by Kementerian Pendidikan Malaysia [20190102LRGS].

References

[1] M. Burkhalter, Recent data leak highlights the importance of IoT back-end security, https://www.perle.com/articles/recent-data-leak-highlights-the-importance-of-iot-back-end-security-40185881.shtml, 2019.
[2] M.A.F. Al-Husainy, B. Al-Shargabi, S. Aljawarneh, Lightweight cryptography system for IoT devices using DNA, Comput. Electr. Eng. 95 (2021) 107418.
[3] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant
MANTIS, in: Annual International Cryptology Conference, Springer, 2016, pp. 123–153.
[4] J.S. Teh, L.J. Tham, N. Jamil, W.-S. Yap, New differential cryptanalysis results for the lightweight block cipher BORON, J. Inf. Secur. Appl. 66 (2022) 103129.
[5] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in:
International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2007, pp. 450–466.
[6] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, T. Shirai, Piccolo: an ultra-lightweight blockcipher, in: International Workshop on Cryptographic
Hardware and Embedded Systems, Springer, 2011, pp. 342–357.
[7] J. Guo, T. Peyrin, A. Poschmann, M. Robshaw, The LED block cipher, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer,
2011, pp. 326–341.
[8] S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, F. Regazzoni, Midori: a block cipher for low energy, in: International Conference on the
Theory and Application of Cryptology and Information Security, Springer, 2015, pp. 411–436.
[9] C.D. Cannière, O. Dunkelman, M. Knežević, KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers, in: International Workshop
on Cryptographic Hardware and Embedded Systems, Springer, 2009, pp. 272–288.
[10] B. Aboushosha, R.A. Ramadan, A.D. Dwivedi, A. El-Sayed, M.M. Dessouky, SLIM: a lightweight block cipher for Internet of health things, IEEE Access 8 (2020)
203747–203757.
[11] S. Chen, Y. Fan, L. Sun, Y. Fu, H. Zhou, Y. Li, M. Wang, W. Wang, C. Guo, SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security
evaluations, Des. Codes Cryptogr. 90 (1) (2022) 155–198.
[12] J. Feng, L. Li, SCENERY: a lightweight block cipher based on Feistel structure, Front. Comput. Sci. 16 (3) (2021), https://doi.org/10.1007/s11704-020-0115-9.
[13] Y. Guo, L. Li, B. Liu, Shadow: a lightweight block cipher for IoT nodes, IEEE Int. Things J. 8 (16) (2021) 13014–13023.
[14] S. Roy, S. Roy, A. Biswas, K. Baishnab, LCB: light cipher block an ultrafast lightweight block cipher for resource constrained IoT security applications, KSII Trans.
Int. Inf. Syst. 15 (11) (2021), https://doi.org/10.3837/tiis.2021.11.014.
[15] W.-Z. Yeoh, J.S. Teh, M.I.S.B.M. Sazali, μ2: a lightweight block cipher, in: Lecture Notes in Electrical Engineering, Springer, Singapore, 2020, pp. 281–290.
[16] R.A. Ramadan, B.W. Aboshosha, K. Yadav, I.M. Alseadoon, M.J. Kashout, M. Elhoseny, LBC-IoT: lightweight block cipher for IoT constraint devices, Comput.
Mater. Continua 67 (3) (2021) 3563–3579, https://doi.org/10.32604/cmc.2021.015519, http://www.techscience.com/cmc/v67n3/41626.
[17] J. Feng, L. Li, SCENERY: a lightweight block cipher based on Feistel structure, Front. Comput. Sci. 16 (3) (2022) 163813.
[18] W. Zhang, Z. Bao, D. Lin, V. Rijmen, B. Yang, I. Verbauwhede, RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms, Sci. China Inf.
Sci. 58 (12) (2015) 1–15.
[19] S. Kölbl, CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives, https://github.com/kste/cryptosmt.
[20] L.R. Knudsen, W. Meier, Correlations in RC6 with a reduced number of rounds, in: B. Schneier (Ed.), Fast Software Encryption, 7th International Workshop, FSE 2000, New York, NY, USA, April 10–12, 2000, Proceedings, Lecture Notes in Computer Science, vol. 1978, Springer, 2000, pp. 94–108.
