# Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets


## Abstract


## 1. Introduction

$2^{67}$ data complexity, $2^{70}$ memory bytes, and time complexity of $2^{67}$ encryptions with the **Case 1** design. For the **Case 2** and **Case 3** designs of BM123-64 constructions, $2^{51}$ data complexity, $2^{54}$ memory bytes, and time complexity of $2^{65}$ are required. This study shows that, like many other ciphers designed on data-dependent operations, BM123-64 still has weaknesses and is insecure against related-key cryptanalysis. The cipher construction should therefore be based on more secure primitives.

## 2. BM123-64 Block Cipher Description

#### 2.1. Preliminaries

$x_{1}$ as the most significant bit and $x_{n}$ as the least significant bit, a cipher X can be assigned as $X = (x_{1}, x_{2}, \ldots, x_{n})$.

- r denotes each function round of block cipher.
- $\Delta X_{r}$ denotes input difference value that occurs in each r.
- $\Delta Y_{r}$ denotes output difference value that occurs in each r.
- $\Delta U_{r}$, $\Delta Q_{r}$ denote round key difference values that occur in each r.
- $e_{i}$ denotes the data bit changing within each round function, with i value considered as an active bit; at the $i^{th}$ position, the bit value is “1”, and the remaining bits are “0” in each block data. For instance, $e_{1,3} = (1, 0, 1, 0, \ldots, 0)$.

#### 2.2. BM123-64 Construction

**Crypt**$^{(e)}$ round function in the cipher structure does the same operation from the first round to the final round to generate output ciphertext.

**Crypt**$^{(e)}$ of BM123-64 covers three types of fixed permutation functions ($I$, $I_{1}$, and $I_{2}$), an extension box **E**, hybrid-controlled substitution–permutation networks **CSPN**s, and SDDO-based functions $F_{n/m}^{V/e}$ ($F_{16/64}$, $F^{-1}_{16/64}$, $F_{16/32}$, $F^{-1}_{16/32}$) based on the basic controlling element $F_{2/2}$.

- The 64-bit input plaintext splits into two 32-bit blocks, block A and block B.
- From rounds r = 1 to 7, the same operations are applied in each round:
  - (A, B) = **Crypt**$^{(0)}$(A, B, $U_{r}$, $Q_{r}$)
  - (A, B) = (B, A)
- In the last round, there is a final transformation to output the ciphertext:
  - (A, B) = **Crypt**$^{(0)}$(A, B, $U_{8}$, $Q_{8}$)
  - (A, B) = (L ⊕ $U_{FT}$, R ⊕ $Q_{FT}$)
  - (A, B) = (A, B).

**Crypt**$^{(0)}$ round function in detail. Reference [1] contains more description of the BM123-64 construction.

$F_{16/64}$, $F^{-1}_{16/64}$ are constructed based on the elementary function $F_{2/2}$, since $F_{2/2}$ is described as $((x_{1}, x_{2}), [v, z]/(y_{1}, y_{2}))$. For better performance on implementation with the target of a specific application and expansion of encryption space, the function $F_{n/m}^{V/e}$ is designed in three different operations with three different descriptions of the basic element $F_{2/2}$.

**Case 1:**

$$y_{1} = vzx_{1} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus v \oplus z \oplus x_{1} \oplus 1$$

$$y_{2} = vzx_{2} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus x_{2} \oplus v \oplus z \oplus 1$$

$$y_{3} = vzx_{1} \oplus vzx_{2} \oplus zx_{1} \oplus x_{1} \oplus x_{2}$$

**Case 2:**

$$y_{1} = vzx_{1} \oplus vzx_{2} \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus zx_{2} \oplus z \oplus v \oplus x_{2}$$

$$y_{2} = vzx_{1} \oplus vzx_{2} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus zx_{2} \oplus x_{1}$$

$$y_{3} = vz \oplus v \oplus z \oplus x_{1} \oplus x_{2}$$

**Case 3:**

$$y_{1} = vx_{2} \oplus x_{2} \oplus x_{1} \oplus v \oplus 1$$

$$y_{2} = vx_{1} \oplus x_{2}$$

$I_{1}$, and $I_{2}$ are denoted as follows:

$I_{1}$ = (1) (2,5) (3,9) (4,13) (5,2) (6) (7,10) (8,14) (9,3) (10,7) (11) (12,15) (13,4) (14,8) (15,12) (16).

$I_{2}$ = (1) (2,3) (3,2) (4) (5) (6,7) (7,6) (8) (9) (10,11) (11,10) (12) (13) (14,15) (15,14) (16).

**E** takes a 16-bit input X, since **E**(X) = $(X, X^{<<<4}, X^{<<<8}, X^{<<<12})$; it then outputs the 64-bit controlled vector $(V, Z) = (V_{1}, V_{2}, V_{3}, V_{4}, Z_{1}, Z_{2}, Z_{3}, Z_{4})$.
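The fixed permutations and the extension box described above, as an added Python sketch that is not code from the paper: it applies $I_1$ and $I_2$ to a 16-bit word, builds **E**(X) from its rotations, and shows that the difference in the controlled vector depends only on the input difference, not on X. The helper names and the sample word are assumptions; position 1 is the most significant bit, as in Section 2.1.

```python
# Added illustration; helper names are hypothetical, tables are copied from the text.
# An entry "(2,5)" is read as: the bit at position 2 moves to position 5.
I1 = {1: 1, 2: 5, 3: 9, 4: 13, 5: 2, 6: 6, 7: 10, 8: 14,
      9: 3, 10: 7, 11: 11, 12: 15, 13: 4, 14: 8, 15: 12, 16: 16}
I2 = {1: 1, 2: 3, 3: 2, 4: 4, 5: 5, 6: 7, 7: 6, 8: 8,
      9: 9, 10: 11, 11: 10, 12: 12, 13: 13, 14: 15, 15: 14, 16: 16}

WIDTH = 16
MASK = (1 << WIDTH) - 1


def e(*positions):
    """Difference word e_{i,...}: ones at the given positions (1 = MSB)."""
    word = 0
    for pos in positions:
        word |= 1 << (WIDTH - pos)
    return word


def permute(word, table):
    """Apply a fixed bit permutation given as {source position: target position}."""
    out = 0
    for src, dst in table.items():
        if word & e(src):
            out |= e(dst)
    return out


def is_involution(table):
    """True when applying the permutation twice restores every position."""
    return all(table[table[pos]] == pos for pos in table)


def is_transpose(table):
    """True when the table transposes the 16 bits viewed as a 4x4 row-major matrix."""
    return all(table[4 * r + c + 1] == 4 * c + r + 1
               for r in range(4) for c in range(4))


def rotl(word, n):
    """Cyclic left rotation of a 16-bit word."""
    n %= WIDTH
    return ((word << n) | (word >> (WIDTH - n))) & MASK


def extend(x):
    """E(X) = (X, X<<<4, X<<<8, X<<<12), returned as four 16-bit words."""
    return tuple(rotl(x, shift) for shift in (0, 4, 8, 12))


def control_difference(x, delta):
    """XOR difference of the controlled vectors produced by X and X xor delta."""
    return tuple(a ^ b for a, b in zip(extend(x), extend(x ^ delta)))


if __name__ == "__main__":
    x = 0xBEEF  # constructed sample input
    print("I1 involution:", is_involution(I1), "transpose:", is_transpose(I1))
    print("I2 involution:", is_involution(I2))
    print("E(X) =", [f"{w:04x}" for w in extend(x)])
    # Rotation is linear over XOR, so the control difference depends only on delta.
    print("dE for e_16:", [f"{w:04x}" for w in control_difference(x, e(16))])
```

A single active data bit such as $e_{16}$ therefore always activates exactly four control bits, one per rotated copy, whatever the value of X.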

**CSPN** construction is designed based on the description of permutation function structure covering eight 4 × 4 S-boxes ($S_{0}$, $S_{1}$, $S_{2}$, $S_{3}$ and $S^{-1}_{0}$, $S^{-1}_{1}$, $S^{-1}_{2}$, $S^{-1}_{3}$) with SDDO-based function $F_{n/m}^{V/e}$. Figure 3 presents the **CSPN** with its S-boxes in structure.

$K_{1}$, $K_{2}$, …, $K_{7}$, $K_{8}$). The key scheduling is provided with different parameters as shown in Table 1.

## 3. Proposed Attack Methods on BM123-64 Construction

**Crypt**$^{(e)}$ function. Furthermore, the related-key amplified boomerang attacks will be addressed with effective complexity results.

#### 3.1. BM123-64 Crypt$^{(e)}$ Function Properties

**Crypt**$^{(e)}$ function in BM123-64 cipher consists of several $F_{n/m}^{V/e}$ functions having appropriate differential properties to construct the high probability DCs.

#### 3.1.1. Differential Properties of $F_{2/2}$ Function

$x_{1}$ and $x_{2}$ are assumed as input parameters, with a pair (v, z) controlled vector of $F_{2/2}$ function. Therefore, the controlled element $F_{2/2}$ can be described as $F_{2/2}(x_{1}, x_{2}, [v, z])$. Based on different distribution applied to different descriptions of $F_{2/2}$ in BM123-64, we have differential properties for each case as the following:

**Case 1:**

$$y_{1} = vzx_{1} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus v \oplus z \oplus x_{1} \oplus 1$$

$$y_{2} = vzx_{2} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus x_{2} \oplus v \oplus z \oplus 1$$

$$\Pr[F_{2/2}(x_{1}, x_{2}, [v, z]) \oplus F_{2/2}(x_{1} \oplus 1, x_{2}, [v, z]) = (1, 0)] = 2^{-2}$$

**Case 2:**

$$y_{1} = vzx_{1} \oplus vzx_{2} \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus zx_{2} \oplus z \oplus v \oplus x_{2}$$

$$y_{2} = vzx_{1} \oplus vzx_{2} \oplus vz \oplus vx_{1} \oplus vx_{2} \oplus zx_{1} \oplus zx_{2} \oplus x_{1}$$

$$\Pr[F_{2/2}(x_{1}, x_{2}, [v, z]) \oplus F_{2/2}(x_{1} \oplus 1, x_{2}, [v, z]) = (1, 0)] = 2^{-1}$$

**Case 3:**

$$y_{1} = vx_{2} \oplus x_{2} \oplus x_{1} \oplus v \oplus 1$$

$$y_{2} = vx_{1} \oplus x_{2}$$

$$\Pr[F_{2/2}(x_{1}, x_{2}, [v, z]) \oplus F_{2/2}(x_{1} \oplus 1, x_{2}, [v, z]) = (1, 0)] = 2^{-1}$$

$F_{2/2}$ description, in order to get the (1, 0) output difference with the $(x_{1} \oplus 1, 0)$ input difference and the (0, 0) controlled vector difference, the probability will be $2^{-2}$, $2^{-1}$, and $2^{-1}$ for **Case 1**, **Case 2**, and **Case 3**, respectively.

#### 3.1.2. Differential Properties of $F_{16/64}$ and $F^{-1}_{16/64}$ Functions

$F_{16/64}$ and $F^{-1}_{16/64}$ using the properties above. Here, X is the input parameters for $F_{16/64}$ and $F^{-1}_{16/64}$ and (V, Z) is the controlled vector. Based on the properties of $F_{2/2}$, we can get the following:

**Case 1:**

$$\Pr[F_{16/64}(X, V, Z) \oplus F_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-8}$$

$$\Pr[F^{-1}_{16/64}(X, V, Z) \oplus F^{-1}_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-8}$$

**Case 2:**

$$\Pr[F_{16/64}(X, V, Z) \oplus F_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-4}$$

$$\Pr[F^{-1}_{16/64}(X, V, Z) \oplus F^{-1}_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-4}$$

**Case 3:**

$$\Pr[F_{16/64}(X, V, Z) \oplus F_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-4}$$

$$\Pr[F^{-1}_{16/64}(X, V, Z) \oplus F^{-1}_{16/64}(X \oplus e_{16}, V, Z) = e_{16}] = 2^{-4}$$

$F_{16/64}$ and $F^{-1}_{16/64}$ function designs, we can see that there is a total of four active layers $F_{2/2}$ within each construction, as shown in Figure 2.

#### 3.2. Related-Key Boomerang of BM123-64

**E**$^{0}$ = ($\alpha$ → $\beta$) holds with chosen input difference $\alpha$ = (0, 0) and key difference (0, $e_{32}$) from the first round to the fourth round with output difference $\beta$ = (0, 0). The key difference, based on the key schedule generator given in Table 1, is to control differential propagation and get high probability. The first related-key differential achieves this with probability $p = 2^{-16}$, $2^{-8}$, and $2^{-8}$ for each case of $F_{2/2}$ description.

**E**$^{1}$ = ($\gamma$ → $\delta$) = (0, $e_{32}$) → (0, $e_{16}$) covering the last four rounds with input difference $\gamma$ = (0, $e_{32}$) and key difference (0, $e_{32}$) from the fifth round gives output difference $\delta$ = (0, $e_{16}$) after the final transformation. The second related-key differential obtains probability $q = 2^{-16}$, $2^{-8}$, and $2^{-8}$, respectively. In total, the related-key differential characteristics constructed on a full eight rounds of BM123-64 designs give us the probability of $2^{-32}$ for **Case 1**, $2^{-16}$ for **Case 2**, and $2^{-16}$ for **Case 3**. Figure 2 illustrates the DCs propagation of some specific BM123-64 rounds in **Case 2** and **Case 3**.

$e_{16}$, $e_{32}$, 0, 0, 0, 0, 0). We can hold the first four rounds related-key boomerang with probability of $2^{-16}$ for **Case 1**, $2^{-8}$ for **Case 2**, and $2^{-8}$ for **Case 3**. Furthermore, by pretending an additional round with intermediate differential values $(I, I^{*}, I^{\prime}, I^{\prime *})$ described as $I \oplus I^{*} = I^{\prime} \oplus I^{\prime *} = (0, e_{32})$ using another related-key differences $\Delta K^{\prime} = K \oplus K^{\prime} = K^{*} \oplus K^{\prime *} = (0, e_{32}, 0, 0, 0, 0, 0, 0)$, we can build the second related-key boomerang on the last four rounds of $2^{-16}$ probability for **Case 1**, and $2^{-8}$ for both **Case 2** and **Case 3**.

**Crypt**$^{(e)}$ function of BM123-64 with **Case 2** and **Case 3** at several rounds.

**Case 1**.

#### 3.3. Related-Key Amplified Boomerang Attack on the BM123-64 Designs

$m^{2} \cdot 2^{-128}$ of encrypted quartets for **Case 1** is right. For **Case 2** and **Case 3**, the expected number is $m^{2} \cdot 2^{-96}$ right quartets. Furthermore, in the case of an ideal cipher, the related-key boomerang differentials applied on a full eight rounds of BM123-64 with probabilities of $2^{-128}$, $2^{-96}$, and $2^{-96}$ ($2^{-64} \cdot p^{2} \cdot q^{2}$) for each case, respectively. For the least expected right quartets number of 8, we take a set of $2^{66}$ pairs of plaintexts ($m^{2} \cdot 2^{-128} = 2^{3}$) for the attack process in **Case 1** and $2^{50}$ pairs of plaintexts ($m^{2} \cdot 2^{-96} = 2^{3}$) for the attacks in **Case 2** and **Case 3**.

- (1) We pick a set of $2^{66}$ pairs of plaintexts $(P_{j}, P_{j}^{*})$, $(j = 1, \ldots, 2^{66})$, then we expand into another set of $2^{131}$ quartets of plaintexts, denoted as $(P_{i}, P_{i}^{*}, P_{i}^{\prime}, P_{i}^{\prime *})$, $(i = 1, \ldots, 2^{131})$ in **Case 1**, or $2^{50}$ pairs of plaintexts $(P_{j}, P_{j}^{*})$, $(j = 1, \ldots, 2^{50})$ and generate $2^{99}$ quartets of plaintexts $(P_{i}, P_{i}^{*}, P_{i}^{\prime}, P_{i}^{\prime *})$, $(i = 1, \ldots, 2^{99})$ in **Case 2** and **Case 3**, with input difference $\alpha$ = (0, 0). We ask for encryption of all the quartets $(P_{i}, P_{i}^{*}, P_{i}^{\prime}, P_{i}^{\prime *})$ using the related-keys $(K, K^{*}, K^{\prime}, K^{\prime *})$ difference, described as two terms of relation: $\Delta K = K \oplus K^{*} = K^{\prime} \oplus K^{\prime *} = (0, e_{16}, e_{32}, 0, 0, 0, 0, 0)$ and $\Delta K^{\prime} = K \oplus K^{\prime} = K^{*} \oplus K^{\prime *} = (0, e_{32}, 0, 0, 0, 0, 0, 0)$ to output respective quartets of ciphertexts $(C_{i}, C_{i}^{*}, C_{i}^{\prime}, C_{i}^{\prime *})$.
- (2) We do XOR with all possible values of $C_{i}$ and $C_{i}^{\prime}$, $C_{i}^{*}$, and $C_{i}^{\prime *}$ for each i value, then check whether the output result is (0, $e_{16}$) and store all these difference values to apply in the previous eight rounds.
- (3) By this way, at the final transformation, we expect to hold a 64-bit subkey including $K_{1}$ and $K_{3}$, then get the remaining subkeys $(K_{1}^{*}, K_{3}^{*})$, $(K_{1}^{\prime}, K_{3}^{\prime})$, and $(K_{1}^{\prime *}, K_{3}^{\prime *})$ of the quartets of subkeys.
  - (a) Similarly, at the eighth round, we ask for decryption of all quartets of ciphertexts values obtained from Step 2 with subkey quartets of $K_{1}$ and $K_{3}$ to hold 64-bit input values $(X_{j}, X_{j}^{*}, X_{j}^{\prime}, X_{j}^{\prime *})$ at the left side process of round function.
  - (b) We do XOR with all possible values of $X_{j}$ and $X_{j}^{\prime}$, $X_{j}^{*}$, and $X_{j}^{\prime *}$ for each j value, then check whether the output result is 0.
- (4) After passing Step 3, all values of quartets of two subkeys $K_{1}$ and $K_{3}$ are explored. We can do brute force attacks to obtain the remaining 192-bit subkeys ($K_{2}$, $K_{4}$, $K_{5}$, $K_{6}$, $K_{7}$, $K_{8}$) with all $K_{1}$ and $K_{3}$.

## 4. Results and Discussion

**Case 1**, the proposed attack requires $2^{66}$ pairs of plaintexts and $2^{67}$ related-key chosen plaintexts in data complexity, since the related-key DC is $2^{-32}$. Furthermore, it needs about $2^{70}$ (= $2^{67} \times 8$) bytes of memory.

**Case 2** and **Case 3**, the attack requires $2^{50}$ pairs of plaintexts and $2^{51}$ related-key chosen plaintexts in data complexity, while the related-key DCs are $2^{-16}$. The attack takes about $2^{54}$ (= $2^{51} \times 8$) bytes of memory.

$2^{67}$ encryptions (**Case 1**), or $2^{51}$ encryptions (**Case 2** and **Case 3**) of the full eight rounds of BM123-64. Each quartet of ciphertext is planned to achieve Step 2 of the attack with $2^{-64}$ probability. In addition, we will get $2^{67}$ (= $2^{131} \times 2^{-64}$) right quartets of ciphertext (**Case 1**) or $2^{35}$ right quartets of ciphertext (= $2^{99} \times 2^{-64}$) (**Case 2** and **Case 3**) that will achieve Step 2. At Step 3 and Step 4, the complexity of time is a unit of $2^{62}$ (= $2^{64} \times 4 \times 1/8 \times 1/2$) and $2^{65}$ (= $2^{64} \times 1 \times 2$) for a full eight rounds of BM123-64 encryptions, respectively. Finally, the results show that all the attacks require total time complexity of $2^{67}$ (≈ $2^{67} + 2^{62} + 2^{65}$) (**Case 1**) or $2^{65}$ (≈ $2^{51} + 2^{62} + 2^{65}$) (**Case 2** and **Case 3**) for a full eight rounds of BM123-64 encryptions on average. In Table 3, a comparison of cryptanalysis results between the scheme proposed and other data-dependent ciphers in terms of complexity of data and time is given.

$2^{-64}$ of probability. With our cryptanalysis methods, the results show that the output possibility in the case of a wrong key is lower than the ideal case. These proposed related-key amplified boomerang attacks can potentially exploit the BM123-64 constructions in all three specific cases.
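The data, memory and time figures above all follow from the two differential probabilities p and q. The added Python sketch below (not code from the paper) redoes that arithmetic in log2 and reproduces the stated numbers for the three cases. The function and field names are assumptions, the m²/2 quartet count is the reading that matches $2^{66}$ pairs giving $2^{131}$ quartets, and the Step 3 and Step 4 costs are taken from the text as given.

```python
from math import log2

BLOCK_BITS = 64      # BM123-64 block size
LOG2_TARGET = 3      # 8 expected right quartets, as in Section 3.3
# Step 3 and Step 4 costs in full encryptions, copied from the text:
LOG2_STEP3 = 64 + log2(4) + log2(1 / 8) + log2(1 / 2)   # 2^62
LOG2_STEP4 = 64 + log2(1) + log2(2)                     # 2^65


def log2_sum(*exponents):
    """log2 of a sum of powers of two, each given by its exponent."""
    return log2(sum(2.0 ** x for x in exponents))


def attack_costs(log2_p, log2_q):
    """Return log2 cost figures of the related-key amplified boomerang attack.

    log2_p, log2_q: log2 of the probabilities of the first and second
    related-key differentials (four rounds each).
    """
    # One quartet is right with probability 2^-n * p^2 * q^2.
    right_prob = -BLOCK_BITS + 2 * log2_p + 2 * log2_q
    # Quartets needed so that the expected number of right ones hits the target.
    quartets = LOG2_TARGET - right_prob
    # m pairs combine into about m^2 / 2 quartets (assumption matching the text).
    pairs = (quartets + 1) / 2
    data = pairs + 1                    # two chosen plaintexts per pair
    memory = data + 3                   # 8 bytes per 64-bit block
    survivors = quartets - BLOCK_BITS   # quartets passing the 64-bit check of Step 2
    time = log2_sum(data, LOG2_STEP3, LOG2_STEP4)
    return {
        "characteristic": log2_p + log2_q,
        "right_prob": right_prob,
        "quartets": quartets,
        "pairs": pairs,
        "chosen_plaintexts": data,
        "memory_bytes": memory,
        "step2_survivors": survivors,
        "time": time,
    }


if __name__ == "__main__":
    for name, lp, lq in (("Case 1", -16, -16), ("Case 2/3", -8, -8)):
        costs = attack_costs(lp, lq)
        print(name, {k: round(v, 2) for k, v in costs.items()})
```

The exact totals are about $2^{67.36}$ and $2^{65.17}$ encryptions, which the text rounds to $2^{67}$ and $2^{65}$.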

## 5. Conclusions

**Case 1**, it requires $2^{66}$ related-key chosen plaintexts and $2^{67}$ encryptions, and $2^{50}$ related-key chosen plaintexts and $2^{65}$ encryptions are required with **Case 2** and **Case 3**. The results of this study can be applied to many construction designs of these types of ciphers. Along with some new cryptanalysis techniques like Fr Trust or RARE, our research will further enhance performance and is expected to develop novel approaches for a wide range of applications and devices in the IoT environment.


## Appendix A

**Crypt**$^{(e)}$ function in **Case 1**.

**Figure A1.** (**a**) The differential propagation of $F_{16/64}$, $F^{-1}_{16/64}$ function and the DCs in **Crypt**$^{(e)}$ function at (**b**) the 1st round and (**c**) the eighth round and final transformation of BM123-64 with **Case 1**.

$2^{66}$ pairs of plaintexts $(P_{j}, P_{j}^{*})$ and expand to $2^{131}$ quartets of plaintexts $(P_{i}, P_{i}^{*}, P_{i}^{\prime}, P_{i}^{\prime *})$. The SDDO-based $F_{n/m}^{V/e}$ function in BM123-64 structure includes $F_{16/64}$ and $F^{-1}_{16/64}$, which has four layers with eight $F_{2/2}$ element function in each. Based on the differential properties mentioned in Section 3.1, we can construct two related-key boomerangs on a full eight rounds of BM123-64 in Case 1 with total probability of $2^{-32}$. The first four rounds of related-key boomerang holds with the probability $p = 2^{-16}$; the last four rounds of related-key boomerang also obtains with the probability $q = 2^{-16}$. It requires about $2^{67}$ chosen plaintexts in complexity of data as input, and the memory required is about $2^{70}$ (= $2^{67} \times 8$) bytes.

## References

- Bac, D.; Minh, N. High-Speed Block Cipher Algorithm Based on Hybrid Method. In Ubiquitous Information Technologies Applications; Lecture Notes in Electrical Engineering; Springer: Berlin/Heidelberg, Germany, 2014; Volume 280, pp. 285–291.
- Moldovyan, N. On Cipher Design Based on Switchable Controlled Operations. In MMM-ACNS, LNCS; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2776, pp. 316–327.
- Bac, D.; Minh, N.; Duy, H. An Effective and Secure Cipher Based on SDDO. Int. J. Comput. Netw. Inf. Secur. **2012**, 4, 1.
- Bac, D.; Minh, N.; Duy, H. New SDDO-Based Block Cipher for Wireless Sensor Network Security. Int. J. Comput. Netw. Inf. Secur. **2010**, 10, 54–60.
- Minh, N.; Luan, N.; Dung, L. KT-64: A New Block Cipher Suitable to Efficient FPGA Implementation. IJCSNS Int. J. Comput. Netw. Inf. Secur. **2010**, 19, 10–18.
- Minh, N.; Duy, H.; Dung, L. Design and Estimate of a New Fast Block Cipher for Wireless Communication Devices. In Proceedings of the International Conference on Advanced Technologies for Communications, Hanoi, Vietnam, 6–9 October 2008; pp. 409–412.
- Moldovyan, N.; Moldovyan, A.; Sklavos. Controlled Elements for Designing Ciphers Suitable to Efficient VLSI Implementation. Telecommun. Syst. J. **2006**, 32, 149–163.
- Kang, J.; Jeong, K.; Lee, C.; Hong, S. Distinguishing attack on SDDO-based block cipher BMD-128. In Ubiquitous Information Technologies and Applications; Springer: Berlin/Heidelberg, Germany, 2014; Volume 280, pp. 595–602.
- Phuc, T.S.D.; Lee, C.; Xiong, N. Cryptanalysis of the XO-64 Suitable for Wireless Systems. Wirel. Pers. Commun. **2017**, 93, 589–600.
- Izotov, B.V.; Moldovyan, N.; Moldovyan, A. Controlled Operations as a Cryptographic Primitive. In Information Assurance in Computer Networks; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2052, pp. 230–241.
- Kang, J.; Jeong, K.; Yeo, S.; Lee, C. Related-key Attack on the MD-64 Block Cipher Suitable for Pervasive Computing Environment. In Proceedings of the International Conference on Advance Information Networking and Application Workshops, Fukuoka, Japan, 26–29 March 2012; pp. 726–731.
- Lee, C.; Kim, J.; Sung, J.; Hong, S.; Lee, S. Security analysis of the full-round DDO-64 block cipher. J. Syst. Softw. **2008**, 84, 2328–2335.
- Moldovyan, N.; Moldovyan, A. Data-driven Ciphers for Fast Telecommunication Systems. In Auerbach Publication; Taylor & Francis Group: New York, NY, USA; London, UK, 2008; pp. 77–185. ISBN 1420054112 9781420054118.
- Biham, E.; Dunkelman, O.; Keller, N. Related-key boomerang and rectangle attacks. In Advances in Cryptology—EUROCRYPT’05, LNCS; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3494, pp. 507–525.
- Kelsey, J.; Kohno, T.; Schneier, B. Amplified Boomerang Attacks against Reduced-Round MARS and Serpent. In Proceedings of Fast Software Encryption 7; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1978, pp. 75–93.
- Wagner, D. The Boomerang Attack. In Proceedings of Fast Software Encryption 6; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1636, pp. 156–170.

**Figure 2.** (**a**) Switchable data-dependent operations (SDDO)-based functions $F_{16/64}$, $F^{-1}_{16/64}$; and (**b**) $F_{16/32}$, $F^{-1}_{16/32}$.

**Figure 3.** Controlled substitution–permutation network (CSPN) model in (**a**) left and (**b**) right of data sub-block; (**c**) different 4 × 4 S-boxes.

**Figure 4.** Differential characteristics (DCs) in **Crypt**$^{(e)}$ function at (**a**) the first round; (**b**) the second round; (**c**) the fifth round; and (**d**) the eighth round and final transformation of BM123-64 with **Case 2** and **Case 3**.

Round $O_{r}$ | $O_{1}$ | $O_{2}$ | $O_{3}$ | $O_{4}$ | $O_{5}$ | $O_{6}$ | $O_{7}$ | $O_{8}$ | $O_{FT}$ |
---|---|---|---|---|---|---|---|---|---|
$U_{r}$ | $K_{3}$ | $K_{4}$ | $K_{8}$ | $K_{6}$ | $K_{2}$ | $K_{7}$ | $K_{5}$ | $K_{2}$ | $K_{3}$ |
$Q_{r}$ | $K_{1}$ | $K_{2}$ | $K_{5}$ | $K_{7}$ | $K_{3}$ | $K_{6}$ | $K_{8}$ | $K_{4}$ | $K_{1}$ |
$e'_{1}$ | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | - |
$e'_{2}$ | 0 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | - |
$e'_{3}$ | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | - |
$e'_{4}$ | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | - |

**O**$_{FT}$ performs the final transformation.

Round (r) | $\Delta X_{r}$ | ($\Delta U_{r}$, $\Delta Q_{r}$) | Probability (Case 1) | Probability (Case 2) | Probability (Case 3) |
---|---|---|---|---|---|
1 | $\alpha$ = (0, 0) | (0, $e_{32}$) | $2^{-16}$ | $2^{-8}$ | $2^{-8}$ |
2 | ($e_{16}$, 0) | ($e_{16}$, 0) | 1 | 1 | 1 |
3 | (0, 0) | (0, 0) | 1 | 1 | 1 |
4 | (0, 0) | (0, 0) | 1 | 1 | 1 |
Output | $\beta$ = (0, 0) | | $2^{-16}$ | $2^{-8}$ | $2^{-8}$ |
5 | (0, $e_{32}$) = $\gamma$ | (0, $e_{32}$) | 1 | 1 | 1 |
6 | (0, 0) | (0, 0) | 1 | 1 | 1 |
7 | (0, 0) | (0, 0) | 1 | 1 | 1 |
8 | (0, 0) | (0, $e_{16}$) | $2^{-16}$ | $2^{-8}$ | $2^{-8}$ |
FT | (0, $e_{16}$) | (0, 0) | 1 | 1 | 1 |
Output ($\Delta Y$) | $\delta$ = (0, $e_{16}$) | | | | |
Total | | | $2^{-32}$ | $2^{-16}$ | $2^{-16}$ |

**Table 3.**Cryptanalysis results on constructions based on DDP (Data-Dependent Permutation), DDO (Data-Dependent Operation), and SDDO (switchable data-dependent operation).

Block Cipher | Total Rounds | Complexity Data/Time | Key Bits Recovery |
---|---|---|---|
DDP-64 | 10/10 | $2^{54}$ RCP/$2^{54}$ | 22 |
CHESS-64 | 8/8 | $2^{44}$ RCP/$2^{44}$ | 20 |
CHESS-64 | 8/8 | $2^{39}$ RCP/$2^{39}$ | 6 |
CHESS-64 | 8/8 | $2^{44}$ RCP/$2^{108}$ | 128 |
CHESS-64 | 8/8 | $2^{39}$ RCP/$2^{122}$ | 128 |
DDO-64$V_{1}$ | 8/8 | $2^{35.5}$ RCP/$2^{65.5}$ | |
DDO-64$V_{2}$ | 8/8 | $2^{3}$ RCP/$2^{31}$ | |
MD-64 | 8/8 | $2^{43.1}$ RCP/$2^{95}$ | |
BMD-128 | 7/8 | $2^{79}$ RCP/$2^{129}$ | |
KT-64 | 8/8 | $2^{45.5}$ RCP/$2^{65.17}$ | |
XO-64 | 8/8 | $2^{44}$ RCP/$2^{65}$ | |
BM123-64 (Case#1) (*) | 8/8 | $2^{67}$ RCP/$2^{67}$ | |
BM123-64 (Case#2) (*); BM123-64 (Case#3) (*) | 8/8 | $2^{51}$ RCP/$2^{65}$ | |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Phuc, T.S.D.; Lee, C.
Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets. *Symmetry* **2018**, *10*, 353.
https://doi.org/10.3390/sym10080353
