Differential, Linear, and Meet-in-the-Middle Attacks on the Lightweight Block Cipher RBFK

Randomized butterfly architecture of fast Fourier transform for key cipher (RBFK) is a lightweight block cipher for Internet of things devices in an edge computing environment. Although the authors claimed that RBFK is secure against differential cryptanalysis, linear cryptanalysis, impossible differential attack, and zero-correlation linear cryptanalysis, the details were not explained in the literature. Therefore, we have evaluated the security of RBFK by applying differential cryptanalysis, linear cryptanalysis, and the meet-in-the-middle (MITM) attack, and have found that RBFK is not secure against these attacks. This paper introduces not only a distinguishing attack but also key recovery attacks on full-round RBFK. In the distinguishing attack, the data for differential cryptanalysis are two chosen plaintexts, and the time complexity is one exclusive-OR operation. In the key recovery attacks, the data for linear cryptanalysis are one known plaintext–ciphertext pair and the time complexity is one linear-sum operation; the data for the MITM attack are two pairs, the time complexity is $2^{48}$ encryptions, and the memory complexity is $2^{45}$ bytes. Because the vulnerabilities are identified in the round function and the key scheduling part, we propose some improvements to RBFK against these attacks.


Introduction
Edge computing is a form of distributed computing that processes data at a location close to the data source, such as Internet of things (IoT) devices or edge servers. Edge computing provides benefits such as real-time performance and security by processing data quickly on devices or servers and sending only the necessary data to the cloud. In this context, because many IoT devices are used, it is important to evaluate the security of the cryptography running on IoT devices in edge computing environments. IoT devices have limited communication and computing capabilities, which makes it difficult to apply conventional cryptographic algorithms such as AES [1] or Camellia [2]. Moreover, in edge computing, IoT devices of various types collaborate to create new services and value; at the same time, security threats also increase.
In recent years, many lightweight cryptographic algorithms have been proposed for IoT devices. Lightweight cryptography aims to provide security for devices with limited resources through low power consumption, small circuit size, and low computational complexity. One example is Ascon [3], a family of authenticated encryption and hashing algorithms with added countermeasures against side-channel attacks, which was selected as the new standard in the NIST lightweight cryptography competition [4].
The security of lightweight block ciphers is evaluated by applying various cryptanalytic attacks, such as differential cryptanalysis [5], linear cryptanalysis [6], meet-in-the-middle (MITM) attacks [7], impossible differential attacks [8], and zero-correlation linear cryptanalysis [9]. Randomized butterfly architecture of fast Fourier transform for key cipher (RBFK) was developed by Rana et al. [10]. It is a lightweight block cipher for IoT devices in an edge computing environment. For key generation, RBFK uses a randomized butterfly architecture of the fast Fourier transform. The block size is 64 bits, and the secret key size is 64 or 128 bits: the two variants, RBFK-64 and RBFK-128, adopt a 64-bit and a 128-bit secret key, respectively. The recommended number of rounds is 5 for both RBFK-64 and RBFK-128.
Although the authors claimed that RBFK is secure against differential cryptanalysis, linear cryptanalysis, impossible differential attack, and zero-correlation linear cryptanalysis, the relevant details were not explained in the literature. Therefore, the purpose of our research is to evaluate the security of RBFK from a third-party perspective.
In this paper, we not only evaluate the security of the lightweight block cipher RBFK but also propose how to design secure cryptographic algorithms using our results and the surveys shown in Table 1 (Zakaia et al. [53] have made some recommendations from the developers' insight obtained in their surveys). Table 2 provides an explicit comparison of this paper against existing works from different aspects and highlights the aspects in which this paper is novel.
1.2. Our Contributions. The contributions of this paper are as follows:
(1) We reveal vulnerabilities in the round function and in the key scheduling part. The former is that part of the output of the round function can be expressed as a linear form of the input. The latter is that only 16 bits (or 32 bits) of round key are used per round.
(2) Using these vulnerabilities, we apply differential, linear, and MITM attacks to RBFK-n (n = 64, 128) and present distinguishing attacks and key recovery attacks. The number of plaintext–ciphertext pairs and the time complexity of each attack are given in Table 3.
(3) We propose improvements to RBFK-n (n = 64, 128) against differential, linear, and MITM attacks, and make recommendations from the viewpoint of cryptographic algorithm design.
1.3. Organization of the Paper. The remainder of this paper is organized as follows. Section 2 explains the preliminaries. Section 3 introduces the cryptanalytic methods used in this study. Section 4 explains the algorithms of RBFK-64 and RBFK-128. Section 5 presents the distinguishing attack by differential cryptanalysis. Section 6 demonstrates the key recovery attacks by linear cryptanalysis. Section 7 presents key recovery attacks by the MITM attack. We discuss improvements to RBFK in Section 8 and summarize the paper in Section 9.

Preliminary
Table 4 lists notations used for this study.

Methodology
3.1. Differential Cryptanalysis. Differential cryptanalysis was introduced by Biham and Shamir [5]. It works in a chosen plaintext scenario. Let $\Delta P = P \oplus P^{*}$ be the exclusive-OR differential of a plaintext pair $(P, P^{*})$. The exclusive-OR differential $\Delta X$ of the inputs $X = P \oplus K$ and $X^{*} = P^{*} \oplus K$ is

$$\Delta X = X \oplus X^{*} = (P \oplus K) \oplus (P^{*} \oplus K) = \Delta P. \tag{1}$$

Let $\Delta X$ be the input differential and $\Delta Y$ the output differential of an S-box $S$ with an $n$-bit input. The differential probability (DP) of the S-box is defined as

$$\mathrm{DP}(\Delta X \to \Delta Y) = \frac{\#\{X \in \{0,1\}^{n} \mid S(X) \oplus S(X \oplus \Delta X) = \Delta Y\}}{2^{n}}, \tag{2}$$

where the numerator counts how many times $S(X) \oplus S(X \oplus \Delta X) = \Delta Y$ is satisfied when all $2^{n}$ values of $X$ are input to the S-box for the given $\Delta X$ and $\Delta Y$. Equation (2) is independent of the key $K$ that is XORed into the S-box input. When the plaintext $P$ is distributed uniformly, the output difference $\Delta Y$ appears with probability DP for the input difference $\Delta P$.

Linear Cryptanalysis.
Linear cryptanalysis [6], introduced by Matsui, works in a known plaintext scenario. It recovers the secret key using linear correlations between plaintexts and ciphertexts. Let $\Gamma_X \cdot X \oplus \Gamma_Y \cdot Y = 0$ be a linear approximation between the input $X$ and the output $Y = S(X)$ of an S-box with an $n$-bit input, where $\cdot$ denotes the bitwise inner product. Then the probability of the linear approximation is

$$p(\Gamma_X \to \Gamma_Y) = \frac{\#\{X \in \{0,1\}^{n} \mid \Gamma_X \cdot X = \Gamma_Y \cdot S(X)\}}{2^{n}}.$$

The vectors $\Gamma_X$ and $\Gamma_Y$, which select bit positions of the S-box input and output, are called linear masks (the input mask and the output mask, respectively); the numerator counts the values of $X$ that satisfy the approximation when all $2^{n}$ values of $X$ are input to the S-box for the given $\Gamma_X$ and $\Gamma_Y$. The linear probability (LP) of the mask transition from $\Gamma_X$ to $\Gamma_Y$ is defined as the squared correlation

$$\mathrm{LP}(\Gamma_X \to \Gamma_Y) = \bigl(2\,p(\Gamma_X \to \Gamma_Y) - 1\bigr)^{2}.$$

3.3. MITM Attack. The MITM attack [7] was introduced by Diffie and Hellman. It works in a known plaintext scenario. We explain how to launch an MITM attack on a block cipher. Let $E(X, K)$ be an encryption function with key $K$, and consider an encryption that applies $E$ twice:

$$C = E\bigl(E(P, K_1), K_2\bigr).$$

Denote the secret key by $K = K_1 \| K_2$, whose length is $2s$ bits. An MITM attack is a cryptanalytic method for deriving the secret key $K = K_1 \| K_2$ from the probabilistic coincidence of the intermediate values obtained by partially encrypting a known plaintext $P$ with $K_1$ and partially decrypting the corresponding ciphertext $C$ with $K_2$.
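As an added worked example (ours, not code from the paper), the following Python program computes the DP and LP tables of a 4-bit S-box exactly as defined in Sections 3.1 and 3.2 and reports the maxima over non-trivial differences and masks. It uses the published PRESENT S-box, which Section 8.1 proposes as a replacement, so that the claim $\mathrm{DP}_{\max} = \mathrm{LP}_{\max} = 2^{-2}$ made there can be checked; the RBFK S-box of Table 5 is not reproduced on this page, but any 16-entry list can be passed in its place.

```python
# Added example (not from the RBFK paper): DP and LP tables of a 4-bit S-box,
# following the Section 3 definitions, and the Section 8.1 claim that the
# PRESENT S-box has DP_max = LP_max = 2^-2. The PRESENT S-box is the published
# one; the helper code is ours.

from fractions import Fraction

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """Parity of the set bits of v: the inner product Gamma . X reduced mod 2."""
    return bin(v).count("1") & 1


def dp_table(sbox):
    """DP(dX -> dY) = #{X : S(X) ^ S(X ^ dX) = dY} / 2^n for every (dX, dY)."""
    n = (len(sbox) - 1).bit_length()
    size = 1 << n
    counts = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            counts[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return [[Fraction(c, size) for c in row] for row in counts]


def lp_table(sbox):
    """LP(gX -> gY) = (2 * #{X : gX.X = gY.S(X)} / 2^n - 1)^2, the squared correlation."""
    n = (len(sbox) - 1).bit_length()
    size = 1 << n
    table = [[None] * size for _ in range(size)]
    for gx in range(size):
        for gy in range(size):
            agree = sum(1 for x in range(size)
                        if parity(gx & x) == parity(gy & sbox[x]))
            table[gx][gy] = (2 * Fraction(agree, size) - 1) ** 2
    return table


def dp_max(sbox):
    """Largest DP over non-trivial input differences (dX != 0)."""
    t = dp_table(sbox)
    return max(t[dx][dy] for dx in range(1, len(sbox)) for dy in range(len(sbox)))


def lp_max(sbox):
    """Largest LP over non-trivial masks (gX != 0 and gY != 0)."""
    t = lp_table(sbox)
    return max(t[gx][gy] for gx in range(1, len(sbox)) for gy in range(1, len(sbox)))


def has_probability_one_transition(sbox):
    """True if some non-trivial differential or linear transition holds with
    probability 1, which is what makes the Section 5 and 6 distinguishers free."""
    return dp_max(sbox) == 1 or lp_max(sbox) == 1


if __name__ == "__main__":
    print("PRESENT: DP_max =", dp_max(PRESENT_SBOX), " LP_max =", lp_max(PRESENT_SBOX))
```

Because LP is the squared correlation, a mask pair with correlation $\pm 1$ (the probability-1 case used in Section 6) yields LP = 1, and a bias of $2^{-2}$ yields LP = $2^{-2}$; both DP and LP are keyed-input independent, as noted for Equation (2).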

RBFK
RBFK [10] is a lightweight block cipher developed for IoT devices in an edge computing environment. RBFK is a 64-bit block cipher with a 64-bit or 128-bit secret key. Its two variants, RBFK-64 and RBFK-128, adopt a 64-bit and a 128-bit secret key, respectively. The recommended number of rounds is 5 for both.
4.1. Algorithm. The structures of RBFK-64 and RBFK-128 are shown in Figures 1 and 2, respectively. The only difference between RBFK-64 and RBFK-128 is the extended keys, which are combined by XNOR operations. For both RBFK-64 and RBFK-128, the swap of the four sub-blocks is not performed in the final round.
Let $X^{i}$ and $X^{i+1}$ be the 64-bit input and the 64-bit output of round $i$, respectively. Let $X^{i}_{j}$ ($j = 1, 2, 3, 4$) be the 16-bit sub-blocks of $X^{i}$, where $X^{i}_{1}$ is the upper sub-block and $X^{i}_{4}$ the lower sub-block. Let $x^{i}_{0}$ denote the most significant bit (MSB), which lies in $X^{i}_{1}$, and $x^{i}_{63}$ the least significant bit, which lies in $X^{i}_{4}$. Let $K_i$ be the $i$-th round extended key. The G function is a nonlinear function with a 16-bit input; Figure 3 shows its algorithm.
Figure 4 shows the scan pattern permutation. In the first row the values are read from the left (upper), and in the second row from the right (lower); the same applies to the third and fourth rows. For example, the 16 bits written in binary as (1011, 1100, 0010, 0101) become (1011, 0011, 0010, 1010) after the scan pattern permutation.
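The following Python program is an added example (ours, not the RBFK authors' code). It implements the 16-bit scan pattern permutation as described above, checks exhaustively that it is linear over GF(2), and runs the two-plaintext, one-XOR check that the Section 5 distinguisher relies on, applied here to the permutation alone because the full G function (the coin-flip formula and the Table 5 S-box) is not reproduced on this page.

```python
# Added example (not from the RBFK paper): the Figure 4 scan pattern
# permutation, a GF(2)-linearity check, and the two-query difference check
# that a probability-1 differential path permits.


def scan_pattern(x):
    """Rows 1 and 3 (nibbles, top first) are read left to right and kept;
    rows 2 and 4 are read right to left, i.e. their bit order is reversed."""
    rows = [(x >> (4 * (3 - r))) & 0xF for r in range(4)]  # row 1 is the top nibble
    out = 0
    for r, nib in enumerate(rows):
        if r % 2 == 1:                                       # rows 2 and 4
            nib = int(f"{nib:04b}"[::-1], 2)
        out = (out << 4) | nib
    return out


def is_gf2_linear(f, bits=16):
    """A map on `bits`-bit words is GF(2)-linear iff f(0) = 0 and, for every x,
    f(x) equals the XOR of f over the unit vectors whose bits are set in x.
    Checked exhaustively, so the result is a proof for the given map."""
    if f(0) != 0:
        return False
    basis = [f(1 << i) for i in range(bits)]
    for x in range(1 << bits):
        acc = 0
        for i in range(bits):
            if (x >> i) & 1:
                acc ^= basis[i]
        if f(x) != acc:
            return False
    return True


def difference_through(f, dx):
    """For a linear f, an input difference dx becomes exactly f(dx) (probability 1)."""
    return f(dx)


def distinguisher_holds(f, x, dx):
    """The Section 5 check: query the chosen pair (x, x ^ dx) and compare the
    XOR of the two outputs with the predicted difference; two queries, one XOR."""
    return (f(x) ^ f(x ^ dx)) == difference_through(f, dx)


if __name__ == "__main__":
    print(f"{scan_pattern(0b1011110000100101):016b}")   # the Figure 4 example
    print("linear:", is_gf2_linear(scan_pattern))
```

Only the bits that pass through the permutation and the coin flip satisfy this in the real G function; the bits that enter the S-box do not, which is why Section 5 restricts the probability-1 equations to the 8 linear output bits.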
The S-box in the G function is shown in Table 5. The middle four bits of the eight bits are replaced by the S-box.
The coin flip operation and the output are calculated as follows:

4.2. Key Generation Part. From Figures 1 and 2, only 16 bits (or 32 bits) of round key are used per round. Because the key generation part is not used in our attacks, we omit its explanation; for details, refer to Rana et al. [10].

Because both the scan pattern permutation and the coin flip operation are linear, the corresponding 8 bits of output can be expressed as a linear form of the input. Letting $X = (x_0, x_1, \ldots, x_{15})$ be the input and $Y = (y_0, y_1, \ldots, y_{15})$ the output of the G function, the following equations hold:

Differential Cryptanalysis of RBFK
Let $\Delta X_G = (\delta x_0, \delta x_1, \ldots, \delta x_{15})$ be the input difference of the G function and $\Delta Y_G = (\delta y_0, \delta y_1, \ldots, \delta y_{15})$ its output difference, where 1 and 0 denote the presence and absence of a difference in each bit. From Equation (9), the following equations hold with probability 1:

There are two S-boxes in the G function. We have evaluated the DP of the S-box. Let $\Delta X_S$ be the input difference and $\Delta Y_S$ the output difference of the S-box. The maximum DP is $\mathrm{DP}_{\max} = 1$ when

Table 6 presents one of the differential paths.Figure 5 shows the result obtained from applying the differential path in Table 6 to RBFK-64.
The differential path shown in Figure 5 holds with probability 1 and allows an attacker to perform a distinguishing attack on RBFK-64. The number of chosen plaintext–ciphertext pairs is two; the computational complexity is one exclusive-OR operation.
An attacker can also perform a distinguishing attack on RBFK-64 using the differential characteristics of the S-box. For example, when the input differential is set to $\Delta X^{0}$ = (0x3300, 0x0000, 0x003C, 0x0000), the output differential always becomes $\Delta X^{5}$ = (0x3300, 0x0000, 0x00??, 0x??00), where ? denotes an unknown nibble. Table 7 presents the differential path using $(\Delta X_S, \Delta Y_S)$ = (0xF, 0xF). The differential path shown in Table 7 holds with probability 1 and allows an attacker to perform a distinguishing attack on RBFK-64. The number of chosen plaintext–ciphertext pairs is two; the computational complexity is one exclusive-OR operation.
Because RBFK-128 has the same structure except for the extended round keys, as shown in Figure 2, an attacker can perform the distinguishing attack on RBFK-128 in the same way.

Linear Cryptanalysis of RBFK
6.1. Linear Characteristics of G Function. As described in Section 5, part of the output of the G function can be expressed as a linear form of the input. Let $\Gamma X_G = (\gamma x_0, \gamma x_1, \ldots, \gamma x_{15})$ be the input mask of the G function and $\Gamma Y_G = (\gamma y_0, \gamma y_1, \ldots, \gamma y_{15})$ its output mask, where 1 and 0 denote the presence and absence of a mask bit. From Equation (9), the following equations hold with probability 1:

We have also evaluated the LP of the S-box. Let $\Gamma X_S$ be the input mask and $\Gamma Y_S$ the output mask of the S-box. The maximum LP is $\mathrm{LP}_{\max} = 1$ when
In addition, from Figure 2, the following equations hold with probability 1 on RBFK-128.
Table 8 shows the propagation of linear masks, particularly for the MSB of the ciphertext. Figures 6 and 7 present the results of applying the masks in Table 8 to RBFK-64 and RBFK-128, respectively. From Figure 6, an attacker obtains the following linear equation:

In Equation (17), $x^{1}_{40}$ and $x^{1}_{48}$ are two plaintext bits and $x^{6}_{0}$ is one ciphertext bit. With a single known plaintext–ciphertext pair, an attacker can therefore uniquely determine the corresponding linear sum of extended-key bits of RBFK-64.
Because an attacker obtains the following linear equation from Figure 7, the linear sum of the extended key of RBFK-128 can be determined in the same way:
The data required for linear cryptanalysis are one known plaintext–ciphertext pair; the time complexity is one linear-sum operation. Note that each such equation yields one bit of key information (the parity of the extended-key bits involved), not the whole key.

MITM Attacks on RBFK
Because RBFK-64 uses only a 16-bit key $K_i$ in each round (32 bits for RBFK-128), an attacker can mount key recovery attacks using an MITM attack. In this paper, we do not use improved MITM techniques such as the splice-and-cut technique [54] or the three-subset technique [55]; we apply the basic MITM attack described in Section 3.

Application to RBFK-64.
Assume that an attacker has obtained two known plaintext–ciphertext pairs $(P_1, C_1)$ and $(P_2, C_2)$ in advance. The attack procedure is as follows:

(1) Encrypt the plaintext $P_1$ under all values of the round keys $K_f = K_1 \| K_2 \| K_3$ and obtain the 64-bit intermediate value $Z_{K_f}$. Create a table $M_1$ that stores $K_f$ at the memory address $Z_{K_f}$.
(2) Decrypt the ciphertext $C_1$ under all values of the round keys $K_b = K_4 \| K_5$ and obtain the 64-bit intermediate value $Z_{K_b}$. Create a table $M_2$ that stores $K_b$ at the memory address $Z_{K_b}$.
(3) One or more extended-key candidates share the same address in $M_1$ and $M_2$ (i.e., $Z_{K_f} = Z_{K_b}$). The number of extended-key candidates is thereby reduced to $2^{80} \times 2^{-64} = 2^{16}$. For each candidate $K = K_f \| K_b$, check whether $C_2 = \text{RBFK-64}(P_2, K)$ holds. If it does, $K$ is the correct key; otherwise, check the next candidate.
Because the probability that a false key survives Step (3) is $2^{16} \times 2^{-64} \ll 1$, two known plaintext–ciphertext pairs suffice to eliminate all false keys. The number of data required for the MITM attack is therefore two. The computational complexity is about $2^{48}$ RBFK-64 encryptions, dominated by Step (1), which enumerates the $2^{48}$ values of $K_f$. The memory necessary for the two tables is $M = (2^{48} + 2^{32})/8 \approx 2^{45}$ bytes. Because the secret key size of RBFK-64 is 64 bits, an attacker recovers the 80-bit extended key faster than by a brute-force search over the secret key.

Application to RBFK-128.
Assume that an attacker has obtained three known plaintext–ciphertext pairs $(P_1, C_1)$, $(P_2, C_2)$, and $(P_3, C_3)$ in advance. RBFK-128 can be attacked with an MITM attack in the same manner as in the preceding subsection. However, Steps (1) and (2) are performed using the two pairs $(P_1, C_1)$ and $(P_2, C_2)$ to eliminate false keys. The number of extended-key candidates after Steps (1) and (2) is reduced to $2^{128} \times 2^{-128} = 1$. Because the probability that a false key survives Step (3) is $1 \times 2^{-64} \ll 1$, three known plaintext–ciphertext pairs eliminate all false keys; the number of data is therefore three. The computational complexity is about $2^{97}$ RBFK-128 encryptions. The memory necessary for the two tables is
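As an added worked example (ours, not the RBFK authors' code), the following Python program runs Steps (1) to (3) of the procedure above against a toy 16-bit, 5-round cipher that shares the property the attack exploits: each round XORs in its own independent, short round key, so the extended key splits into $K_f = K_1 \| K_2 \| K_3$ and $K_b = K_4 \| K_5$. The block size, the 5-bit round keys, the round function, and all plaintexts and keys are our own constructed choices; the real RBFK G function is not reproduced here. With these parameters the match on one pair leaves $2^{25} \times 2^{-16} = 2^{9}$ candidates, which the two remaining pairs filter, mirroring the $2^{80} \times 2^{-64} = 2^{16}$ of the RBFK-64 attack.

```python
# Added example (not from the RBFK paper): the Section 7.1 meet-in-the-middle
# procedure against a toy 16-bit, 5-round cipher whose rounds each use an
# independent 5-bit round key. All parameters and data below are constructed.

RK_BITS = 5            # independent round-key bits per round (RBFK: 16 or 32)
ROUNDS = 5             # RBFK-64 and RBFK-128 also use five rounds
FWD_ROUNDS = 3         # rounds covered from the plaintext side (K_f = K1||K2||K3)
BLOCK_MASK = 0xFFFF
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PRESENT_INV = [PRESENT_SBOX.index(v) for v in range(16)]


def sbox_layer(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & BLOCK_MASK


def round_fn(state, rk, last):
    state ^= rk                               # short round key enters the low bits
    state = sbox_layer(state, PRESENT_SBOX)
    # Like RBFK, which skips the sub-block swap in its last round, the toy
    # cipher skips its diffusion step (a rotation) in the final round.
    return state if last else rotl16(state, 5)


def round_inv(state, rk, last):
    if not last:
        state = rotl16(state, 16 - 5)
    return sbox_layer(state, PRESENT_INV) ^ rk


def encrypt(p, keys, first=0, upto=ROUNDS):
    """Apply rounds first .. upto-1 (0-based); the full cipher by default."""
    s = p
    for i in range(first, upto):
        s = round_fn(s, keys[i], i == ROUNDS - 1)
    return s


def decrypt(c, keys, downto=0, start=ROUNDS):
    """Undo rounds start-1 down to downto (0-based); full decryption by default."""
    s = c
    for i in range(start - 1, downto - 1, -1):
        s = round_inv(s, keys[i], i == ROUNDS - 1)
    return s


def split_keys(value, count):
    """Unpack `count` round keys of RK_BITS bits each from one integer (K1 is most significant)."""
    mask = (1 << RK_BITS) - 1
    return tuple((value >> (RK_BITS * (count - 1 - i))) & mask for i in range(count))


def mitm_recover(pairs):
    """Steps (1)-(3) of Section 7.1.
    (1) tabulate the forward partial encryption Z_{K_f} of P1 under every K_f;
    (2) compute the backward partial decryption Z_{K_b} of C1 under every K_b and
        look it up in that table (the table index plays the paper's 'memory address');
    (3) verify every colliding candidate K_f||K_b on the remaining pairs.
    Returns the surviving extended keys as tuples of round keys."""
    (p1, c1), rest = pairs[0], pairs[1:]
    bwd_rounds = ROUNDS - FWD_ROUNDS
    table = {}                                            # M1: Z_{K_f} -> [K_f, ...]
    for kf in range(1 << (RK_BITS * FWD_ROUNDS)):
        z = encrypt(p1, split_keys(kf, FWD_ROUNDS), 0, FWD_ROUNDS)
        table.setdefault(z, []).append(kf)
    survivors = []
    for kb in range(1 << (RK_BITS * bwd_rounds)):
        kb_keys = split_keys(kb, bwd_rounds)
        z = decrypt(c1, (None,) * FWD_ROUNDS + kb_keys, FWD_ROUNDS, ROUNDS)
        for kf in table.get(z, []):
            keys = split_keys(kf, FWD_ROUNDS) + kb_keys
            if all(encrypt(p, keys) == c for p, c in rest):
                survivors.append(keys)
    return survivors


DEMO_SECRET = (3, 17, 9, 30, 12)             # constructed 25-bit extended key
DEMO_PLAINTEXTS = (0x1234, 0xBEEF, 0x0F0F)   # constructed known plaintexts


def demo():
    """Attack constructed data: 2^15 + 2^10 partial encryptions instead of 2^25 full ones."""
    pairs = [(p, encrypt(p, DEMO_SECRET)) for p in DEMO_PLAINTEXTS]
    return mitm_recover(pairs)


if __name__ == "__main__":
    print(demo())
```

The work is $2^{15}$ forward plus $2^{10}$ backward partial encryptions against $2^{25}$ for brute force, the same $2^{48}$ versus $2^{64}$ gap the paper obtains for RBFK-64; the defence is a key schedule in which each round key depends on the whole secret key, so that $K_f$ and $K_b$ cannot be enumerated independently.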

Discussions
RBFK is vulnerable to differential, linear, and MITM attacks, as demonstrated above. Using the current RBFK in IoT devices for edge computing might pose a considerable risk of information leakage and other threats. Therefore, we propose some improvements to enhance the security of RBFK.
8.1. Improvement of S-Box. Because the S-box defined in Table 5 is not secure against differential cryptanalysis and linear cryptanalysis, it must be improved. We propose replacing the RBFK S-box with the PRESENT S-box shown in Table 9. With the PRESENT S-box, the maximum DP and the maximum LP are both $2^{-2}$, which is expected to improve security against differential cryptanalysis and linear cryptanalysis.

8.2. Improvement of the Round Function. Eight bits of the output of the G function are expressed as a linear form of the input. Therefore, we propose applying the PRESENT S-box of the preceding section to these 8 bits as well. Specifically, we replace the part of Figure 3

higher-order differential attack [59, 60], integral attack [61–63], and the division property [64–67]. Therefore, designers should make $\mathrm{DP}_{\max}$ and $\mathrm{LP}_{\max}$ small and the algebraic degree of the S-box large. For example, the S-box of AES [1] is well designed against these cryptanalyses. Round functions are composed of an S-box layer and a permutation layer. Permutation layers have been designed bitwise [19], nibble-wise [30], and byte-wise [1, 2]. The designer should make the permutation layer as diffusive as possible.

8.5.2. Number of Rounds. The number of rounds should be set with a margin beyond the minimum necessary for security, as long as the computational cost, speed, gate size, etc., remain within an acceptable range.
Recently, cryptographic evaluation tools have been proposed. Mouha et al. [56] proposed an MILP-based tool that evaluates the number of active S-boxes using word-level truncated differential paths and truncated linear masks. Sun et al. [68] improved the tool of Mouha et al. [56] by applying bit-based differential characteristics. Sasaki et al. [69] introduced an impossible differential search tool from the design and cryptanalysis aspects. The designer should use these tools to determine the necessary number of rounds of the original cipher.

Key Generation Part.
The key generation part generates the round keys from the secret key. Many key generation parts have been proposed; we introduce some of them. The key generation part of KASUMI [70] is composed only of linear functions such as rotations and XOR with constants. That of MISTY [71] uses the FI function, which is part of the round function. Those of AES [1] and Camellia [2] use round functions. The designer should make the key generation part secure against MITM attacks [7] and related-key attacks [72] while managing the tradeoffs [73]. In particular, round keys should not be independent short pieces of the extended key, as the 16-bit (or 32-bit) round keys of RBFK are, because that is exactly what allows the extended key to be split into $K_f$ and $K_b$ in Section 7.

Conclusion
In this paper, we have demonstrated that differential cryptanalysis, linear cryptanalysis, and MITM attacks apply to full-round RBFK-64 and RBFK-128. We have also proposed improvements to the G function and the key generation part as countermeasures against these attacks.
Although lightweight cryptography must run on devices with scarce computing resources, such as IoT devices for edge computing, it must still provide security against the standard cryptanalytic attacks.

5.1. Differential Characteristics of G Function. As shown in Figure 3, each input bit undergoes one of the following processes: (i) the scan pattern permutation; (ii) the scan pattern permutation and the coin flip operation; (iii) the scan pattern permutation and the S-box operation.

FIGURE 4: Scan pattern with 16-bit input and 16-bit output.

TABLE 1: Lightweight block cipher components and the results of cryptanalysis. Note. DC and LC denote differential cryptanalysis and linear cryptanalysis, respectively.

TABLE 2: Comparison of this paper against existing works.

TABLE 3: Results of attacks on full-round RBFK.

TABLE 6: Example of differential path.

TABLE 7: The differential path using $(\Delta X_S, \Delta Y_S)$ = (0xF, 0xF).

TABLE 8: Propagation of linear masks.

that says "Replace intermediate 4 bits with S-box" with "Replace intermediate 4 bits and another 4 bits, respectively, with PRESENT S-box." This improvement eliminates the differential paths and linear masks that hold with probability 1, which is expected to improve security against differential cryptanalysis and linear cryptanalysis.

8.3. Improvement of the Number of Rounds. Although the number of rounds of RBFK-n (n = 64, 128) is 5 in both cases, it is insufficient against the attacks described herein. Therefore, we applied the evaluation method based on estimating the minimum number of active S-boxes with mixed integer linear programming (MILP), proposed by Mouha et al. [56], to RBFK with the improved G function, and estimated the number of rounds that resists differential and linear cryptanalysis. Because Mouha et al. [56] count active S-boxes using word-level truncated differential paths and truncated linear masks, we performed the analysis assuming 1 word = 1 byte. The results are presented in Table 10. From Table 10, more than 34 rounds are secure against differential cryptanalysis and linear cryptanalysis (i.e., $2^{-2 \times N_A} < 2^{-64}$, where $N_A$ is the number of active S-boxes and $2^{-2}$ is the maximum DP and LP of the PRESENT S-box). This result is based on truncated differential paths and truncated linear masks, which only record the presence or absence of a difference or mask at the byte level; it does not take into account whether the corresponding concrete differential paths or linear masks actually exist. We hope that the following recommendations will contribute to the secure design of cryptography.

8.5.1. S-Box and Round Function. The nonlinear S-box is a critical component of symmetric-key block ciphers. It is important for designers to make the S-box secure against differential cryptanalysis [5], linear cryptanalysis [6],

TABLE 10: Number of active S-boxes ($N_A$).