Abstract: Addressing the gap in differential-linear security analysis for the LiCi data encryption algorithm, a differential-linear analysis method for the LiCi algorithm is proposed based on constraint programming (CP) modeling and key recovery. First, the algorithm was decomposed into three layers: differential layer, intermediate layer, and linear layer. Constraints for differential and linear mask propagation were established for each layer, including inequality constraints for the S-boxes, branch propagation, and XOR operations of LiCi's differential and linear masks, as well as constraints for the objective function. Subsequently, the Gurobi solver was employed for optimization. Experimental results demonstrate that a 13-round differential-linear distinguisher exists for the LiCi algorithm with a probability of 2^27.4. By adding 4 rounds forward and 3 rounds backward based on this distinguisher, a 20-round key recovery attack can be achieved, recovering 91 bits of key information. The time complexity is 2^114.3 rounds of 20-round encryption, and the data complexity is 2^48 plaintexts. This result advances the number of breakable rounds for LiCi from 17 to 20 and, for the first time, provides the remaining security margin of 11 rounds under a total round count of 31.

Key words: Keywords: LiCi algorithm, differential-linear analysis, key recovery attack, lightweight block cipher, distinguisher

摘要： 摘 要: 针对数据加密算法LiCi在差分-线性安全性分析方面空白的问题，基于约束规划（CP）建模和密钥恢复提出一种对LiCi算法的差分-线性分析方法。首先，将算法拆分为差分层、中间层与线性层三层，并对每一层分别建立差分与线性掩码传播的约束，包括对LiCi算法差分与线性掩码的S盒、分支传播以及异或过程中的不等式约束，以及目标函数的约束，随后使用Gurobi求解器进行搜索。实验结果表明：对于LiCi算法存在概率为2^27.4的13轮差分-线性区分器，在此基础上分别前向添加4轮、向后添加3轮，可实现20轮的密钥恢复攻击，并且可以恢复91比特密钥信息，其中时间复杂度为2^114.3次20轮加密，数据复杂度为2^48个明文。该结果将LiCi可攻破轮数从17轮推进到20轮，并首次给出31轮总轮数下剩余11轮的安全冗余量。

关键词: 关键词: LiCi算法, 差分-线性分析, 密钥恢复攻击, 轻量级分组密码, 区分器