Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets

The BM123-64 block cipher, proposed by Minh, N.H. and Bac, D.T. in 2014, was designed for high-speed communication applications. It is built on hybrid controlled substitution–permutation network (CSPN) models with two types of basic controlled elements (CE) in distinctive designs. The cipher is based on switchable data-dependent operations (SDDO), which serve as efficient primitives for cipher construction and allow the key schedule to be generated in a simple way. BM123-64 offers high applicability, flexibility, and portability, with different algorithm selections for various internet of things (IoT) application targets, as well as protection against common types of attacks, for instance, differential attacks and linear attacks. In this paper, however, we propose methods to exploit the BM123-64 structure using related-key attacks. We construct high-probability related-key differential characteristics (DCs) on the full eight rounds of the BM123-64 cipher. A related-key amplified boomerang attack is then proposed on all three operation-specific designs, with effective results in data and time complexity. This study can be considered the first cryptographic results on the BM123-64 cipher.


Introduction
The BM123-64 cipher [1] has a 64-bit block size, a 256-bit secret key, and a total of eight function rounds. This cipher is based on switchable data-dependent operations (SDDO) [2], which are designed to combine data-dependent operations in functions with the new feature of hybrid controlled substitution-permutation network (CSPN) models. In this way, BM123-64 is considered a more flexible approach that can be matched to application targets through each specific design. The cipher has advantages including better suitability, applicability with different algorithm designs for specific targets, and high reliability in securing against well-known attacks, for instance, linear attacks and differential attacks.
Although many researchers have focused on how to enhance the security of construction designs using different operations and functions, for instance, DDP (Data-Dependent Permutation)-based ciphers (such as DDP-64 [3], Cobra-family [3] and SCO (Switchable Controlled Operation)-family [2]), DDO (Data-Dependent Operation)-based ciphers (such as MD-64 [4], KT-64 [5], CTPO (Controlled Two-Place Operation) [6] and DDO-64 [7]), and SDDO-based ciphers (such as XO-64 [8] or BMD-128 [9]), their weaknesses have recently been explored with common related attacks. A simple key schedule generator for high-speed transformation and lightweight targets can open the way to cryptanalysis using common related-key attack methods. The related-key amplified boomerang attack [10] is an extension of the related-key boomerang attack proposed by Biham et al., 2005 [11] and Wagner, 1999 [12]. The idea of this attack is to use two distinctive related-key differentials to construct a related-key boomerang with high probability. Compared to other attacks, the attack was designed as an adaptive chosen plaintext attack that has become a popular and effective method to exploit many types of block ciphers. Previous studies that have applied this attack on various SDDO-based ciphers, such as COCONUT98, IDEA [11], MARS, Serpent [12], DDO-64 [13], MD-64 [14], BMD-128 [15], XO-64 [16], etc., showed efficiency and high probabilities in cryptanalytic results.
In this paper, we propose attack methods on BM123-64 constructions with a related-key approach. By constructing high-probability differentials with two related-key boomerangs in distinctive designs, this attack is expected to exploit the full eight rounds of BM123-64 with effective cryptanalytic results. The proposed attack requires about $2^{67}$ data complexity, $2^{70}$ memory bytes, and a time complexity of $2^{67}$ encryptions with the Case 1 design. For the Case 2 and Case 3 designs of BM123-64 constructions, $2^{51}$ data complexity, $2^{54}$ memory bytes, and a time complexity of $2^{65}$ are required. This study shows that, like many other ciphers designed on data-dependent operations, BM123-64 still has weaknesses and is insecure against related-key cryptanalysis. The cipher construction should therefore be based on a more secure primitive approach.
The rest of this paper is organized as follows: The BM123-64 construction is briefly reviewed in Section 2. In Section 3, the proposed attacks on the BM123-64 cipher are discussed, including differential characteristics (DCs), analysis methods, and security assessments. Finally, in Section 4, conclusions of the paper are presented.

Preliminaries
This section explains the notation used in this paper. With $x_1$ as the most significant bit and $x_n$ as the least significant bit, a cipher X can be written as $X = (x_1, x_2, \ldots, x_n)$.
The DCs applied to the attack methods include descriptions of differential relation of block ciphers, such as input, output, and function round key.
- $r$ denotes each function round of the block cipher.
- $\Delta X_r$ denotes the input difference value that occurs in each $r$.
- $\Delta Y_r$ denotes the output difference value that occurs in each $r$.
- $\Delta U_r$, $\Delta Q_r$ denote the round key difference values that occur in each $r$.
- $e_i$ denotes the data bit changing within each round function, with $i$ considered as an active bit: at the $i$-th position the bit value is "1", and the remaining bits are "0" in each block of data (for instance, $e_{1,3} = (1, 0, 1, 0, \ldots, 0)$).

BM123-64 Construction
BM123-64 [1] is described as a 64-bit SDDO-based block cipher with a 256-bit secret key and eight function rounds in total. Each Crypt (e) round function in the cipher structure performs the same operation from the first round to the final round to generate the output ciphertext.

1. The 64-bit input plaintext is split into two 32-bit blocks, A and B.

2. From rounds r = 1 to 7, the same operations are applied in each round:
(A, B) = (B, A)

3. In the last round, there is a final transformation to output the ciphertext:

Figures 1 and 2 illustrate the Crypt (0) round function in detail. Reference [1] contains more description of the BM123-64 construction.

The SDDO-based functions $F_{16/64}$ and $F^{-1}_{16/64}$ are constructed from the elementary function $F_{2/2}$, where $F_{2/2}$ is described as $((x_1, x_2), [v, z] / (y_1, y_2))$. For better implementation performance on a specific application target and for expansion of the encryption space, the function $F^{V/e}_{n/m}$ is designed in three different operations, with three different descriptions of the basic element $F_{2/2}$.

Case 1:

Case 2:

3
) with SDDO-based function $F^{V/e}_{n/m}$. Figure 3 presents the CSPN with its S-boxes in structure. Like other data-dependent ciphers, BM123-64 is constructed with a very simple key schedule to achieve high-speed transformation. To generate the function keys used in each round, the 256-bit secret key K is divided into eight 32-bit subkeys $K = (K_1, K_2, \ldots, K_7, K_8)$. The key schedule, with its different parameters, is shown in Table 1.
* O FT performs the final transformation.

Proposed Attack Methods on BM123-64 Construction
Differential properties of the operations in each round function are the fundamental features used to build differential characteristics and explore the related-key attack methods. Based on these properties, we can construct high-probability DCs on the full eight rounds of BM123-64 with the Crypt (e) function. Furthermore, the related-key amplified boomerang attacks will be addressed with effective complexity results.

BM123-64 Crypt (e) Function Properties
The Crypt (e) function in the BM123-64 cipher consists of several $F^{V/e}_{n/m}$ functions with differential properties suitable for constructing high-probability DCs.

Differential Properties of F 2/2 Function
$x_1$ and $x_2$ are taken as the input parameters, with the pair $(v, z)$ as the controlled vector of the $F_{2/2}$ function. The controlled element $F_{2/2}$ can therefore be described as $F_{2/2}(x_1, x_2, [v, z])$. Based on the different distributions applied to the different descriptions of $F_{2/2}$ in BM123-64, we have the following differential properties for each case:

Case 1:

Case 2:

Case 3:

For each case of the $F_{2/2}$ description, in order to get the $(1, 0)$ output difference with the $(x_1 \oplus 1, 0)$ input difference and the $(0, 0)$ controlled vector difference, the probability will be $2^{-2}$, $2^{-1}$, and $2^{-1}$ for Case 1, Case 2, and Case 3, respectively. In the same way, we can get the properties of the SDDO-based functions $F_{16/64}$ and $F^{-1}_{16/64}$ using the properties above. Here, $X$ is the input parameter for $F_{16/64}$ and $F^{-1}_{16/64}$, and $(V, Z)$ is the controlled vector. Based on the properties of $F_{2/2}$, we can get the following:

Case 2:

Case 3:

With the $F_{16/64}$ and $F^{-1}_{16/64}$ function designs, we can see that there is a total of four active layers of $F_{2/2}$ within each construction, as shown in Figure 2.

Related-Key Boomerang of BM123-64
Here, we describe the way to generate related-key differential boomerangs on a full eight rounds of BM123-64 using the obtained properties in Section 3.1 with the key schedule generator.
We construct two related-key differentials as follows: The first four rounds of the related-key differential $E_0 = (\alpha \to \beta)$ hold with chosen input difference $\alpha = (0, 0)$ and key difference $(0, e_{32})$ from the first round to the fourth round, with output difference $\beta = (0, 0)$. The key difference, based on the key schedule generator given in Table 1, is chosen to control differential propagation and obtain high probability. The first related-key differential holds with probability $p = 2^{-16}$, $2^{-8}$, and $2^{-8}$ for each case of the $F_{2/2}$ description.
The differential amplified boomerang can be explored based on the two related-key differentials above.
Table 2 shows the detailed DCs of the full eight rounds of BM123-64 with the corresponding probabilities, and Figure 4 illustrates the DCs in the Crypt (e) function of BM123-64 with Case 2 and Case 3 at several rounds. than the ideal case. These proposed related-key amplified boomerang attacks can potentially exploit the BM123-64 constructions in all three specific cases.

Conclusions
This paper proposes effective attacks on one of the recent SDDO-based constructions, BM123-64. The methods addressed in the study expose the main security issues of ciphers based on data-dependent operations, which are used in many cipher designs for high-speed transformation and lightweight targets. The simple key schedule generator, whose basic parameters can be changed and substituted, makes it possible to exploit the structural weaknesses by related-key cryptanalysis. The work presented related-key amplified boomerang attacks on the full eight rounds of BM123-64 in distinctive designs with effective complexity results. With Case 1, the attack requires $2^{66}$ related-key chosen plaintexts and $2^{67}$ encryptions; with Case 2 and Case 3, it requires $2^{50}$ related-key chosen plaintexts and $2^{65}$ encryptions. The results of this study can be applied to many construction designs of these types of ciphers. Along with some new cryptanalysis techniques like Fr Trust or RARE, our research will further enhance performance and is expected to develop novel approaches for a wide range of applications and devices in the IoT environment.

The SDDO-based $F^{V/e}_{n/m}$ function in the BM123-64 structure includes $F_{16/64}$ and $F^{-1}_{16/64}$, each of which has four layers with eight $F_{2/2}$ element functions in each layer. Based on the differential properties mentioned in Section 3.1, we can construct two related-key boomerangs on the full eight rounds of BM123-64 in Case 1 with a total probability of $2^{-32}$. The first four rounds of the related-key boomerang hold with probability $p = 2^{-16}$; the last four rounds of the related-key boomerang also hold with probability $q = 2^{-16}$. The attack requires about $2^{67}$ chosen plaintexts as input data, and the memory required is about $2^{70}$ ($= 2^{67} \times 8$) bytes. We pick a set of $2^{66}$ pairs of plaintexts $(P_j, P_j^*)$ and expand it to $2^{131}$ quartets of plaintexts $(P_i, P_i^*, P_i', P_i'^*)$.
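The pair, quartet, data and memory figures quoted for the attack fit the standard amplified boomerang estimate of (N^2 / 2) · 2^-n · (pq)^2 right quartets from N plaintext pairs; the following sketch is an added example, not code from the paper, that reproduces them for all three designs. It assumes q = 2^-8 for Case 2 and Case 3 (the text gives only p for those cases) and a target of 2^3 expected right quartets, which is the value the Case 1 figures imply.

```python
# Added example: amplified-boomerang bookkeeping, done on exponents of 2
# so every figure is an exact integer.
BLOCK_BITS = 64        # BM123-64 block size n (from the page)
BYTES_PER_TEXT = 8     # one 64-bit plaintext; the page's "x 8"

# log2 of (p, q) per design. Case 1 is from the page. For Case 2 and 3 the
# page gives p = 2^-8; q = 2^-8 is an ASSUMPTION made for this example.
CASES = {"Case 1": (-16, -16), "Case 2": (-8, -8), "Case 3": (-8, -8)}
TARGET_LOG2 = 3        # ASSUMPTION: aim for 2^3 expected right quartets


def quartets_log2(pairs_log2):
    """N pairs yield about N^2 / 2 quartets (unordered pairs of pairs)."""
    return 2 * pairs_log2 - 1


def right_quartets_log2(pairs_log2, p_log2, q_log2, n=BLOCK_BITS):
    """Expected right quartets: (N^2 / 2) * 2^-n * (p * q)^2."""
    return quartets_log2(pairs_log2) - n + 2 * (p_log2 + q_log2)


def pairs_needed_log2(target_log2, p_log2, q_log2, n=BLOCK_BITS):
    """Smallest log2(N) whose expected right-quartet count meets the target."""
    twice = target_log2 + 1 + n - 2 * (p_log2 + q_log2)
    return (twice + 1) // 2          # round up if the exponent is odd


def attack_cost(case):
    """Return log2 of pairs, quartets, chosen plaintexts and memory bytes."""
    p, q = CASES[case]
    pairs = pairs_needed_log2(TARGET_LOG2, p, q)
    data = pairs + 1                                   # two texts per pair
    memory = data + (BYTES_PER_TEXT.bit_length() - 1)  # times 8 bytes
    return {"pairs": pairs, "quartets": quartets_log2(pairs),
            "data": data, "memory_bytes": memory}


if __name__ == "__main__":
    for case in CASES:
        cost = attack_cost(case)
        print(case, {k: f"2^{v}" for k, v in cost.items()})
```

Under these assumptions the model returns 2^67 chosen plaintexts and 2^70 bytes for Case 1, and 2^51 chosen plaintexts and 2^54 bytes for Case 2 and Case 3, matching the figures stated in the paper.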

Figure 5 illustrates the differential propagation at several rounds of BM123-64 cipher with Crypt (e) function in Case 1.

Figure A1. (a) The differential propagation of the $F_{16/64}$, $F^{-1}_{16/64}$ functions and the DCs in the Crypt (e) function at (b) the 1st round and (c) the eighth round and final transformation of BM123-64 with Case 1.
(*) our proposed attack results; RCP denotes the Related-key Chosen Plaintext.