Cryptanalysis of QTL Block Cipher

QTL is an ultra-lightweight block cipher designed for extremely constrained devices. The cipher has two versions, QLT-64 and QTL-128 supporting key lengths of 64 and 128 bits, respectively. In this paper, we present the first third party cryptanalysis of QTL. We first introduce related key distinguishers for full versions of the cipher. We propose attacks on full QTL in single key model by using the related key distinguishers. With these attacks we are able to reduce the security of QTL-64 and QTL-128 by 16 bits. We also enumerate 2(48) weak keys and propose a practical key recovery attack on full QTL-64 for these keys. This attack requires 2(16) data and recovers the key in a time complexity of 2(32) encryptions. We also give some observations disprove designers' claims about number of active S-boxes and actual value of differential branch number.