In this study, we present the first yoyo attack to recover the secret round function of the 4-round Lai-Massey scheme with an affine orthomorphism. We first perform a yoyo attack on 3-round Lai-Massey scheme. However, the original method for constructing plaintext equations is not sufficiently effective. To solve this problem, we partition the ciphertext and plaintext spaces into \(2^{n}\) subsets, which provides a fresh perspective on our yoyo attack. From this perspective, our study presents two improvements. One is that we devise an improved yoyo game in which the established ciphertext pool significantly narrows the search of good pairs compared with random selection, and the inserted filter can eliminate all wrong pairs using simple XOR calculations. Consequently, the yoyo game is advantageous for reducing the complexity of seeking good pairs, and we can avoid the complexity involved in solving equations generated using wrong pairs. The other is that we present a valid method for solving equations, which helps to reduce the number of yoyos required to recover the first-round function. After removing the first round, the look-up tables of the remaining two round functions of the 3-round Lai-Massey scheme can be retrieved by selecting the inputs and accessing the outputs. On the basis of this attack, we mount a yoyo attack on the 4-round Lai-Massey scheme to recover the fourth-round function and then apply the above attack to the remaining three rounds. In general, the complete recovery of the 4-round Lai-Massey scheme requires time complexity O\((k_{1}2^{2n})\) and memory O\((2^{2n})\), where \(n\le k_{1}<2^{n}\).

在本研究中，我们提出了第一个 yoyo 攻击，以利用仿射同态恢复 4 轮 Lai-Massey 方案的秘密轮函数。我们首先对 3 轮 Lai-Massey 方案进行 yoyo 攻击。然而，构造明文方程的原始方法不够有效。为了解决这个问题，我们将密文和明文空间划分为\(2^{n}\)子集，这为我们的 yoyo 攻击提供了一个新的视角。从这个角度来看，我们的研究提出了两个改进。一是我们设计了一种改进的溜溜球游戏，其中建立的密文池与随机选择相比显着缩小了好对的搜索范围，并且插入的过滤器可以使用简单的异或计算消除所有错误对。因此，溜溜球游戏有利于降低寻找好对的复杂性，并且我们可以避免使用错误对生成的方程求解所涉及的复杂性。另一个是我们提出了一种有效的方程求解方法，这有助于减少恢复首轮函数所需的悠悠球数量。移除第一轮之后，可以通过选择输入并访问输出来检索3轮Lai-Massey方案的剩余两个轮函数的查找表。在此攻击的基础上，我们对4轮的Lai-Massey方案进行yoyo攻击，以恢复第四轮的功能，然后将上述攻击应用于剩余的3轮。一般来说，4轮Lai-Massey方案的完全恢复需要时间复杂度 O \((k_{1}2^{2n})\)和内存 O \((2^{2n})\)，其中\(n\le k_{1}<2^{n}\)。