Cryptanalysis of the Lightweight Block Cipher BORON

This paper provides security evaluations of a lightweight block cipher called BORON proposed by Bansod et al. There is no third-party cryptanalysis towards BORON. Designers only provided coarse and simple security analysis. To fill this gap, security bounds of BORON against differential and linear cryptanalysis are presented in this paper. By automatic models based on the SMT solver STP, we search for differential and linear trails with the minimal number of active S-boxes and trails with optimal probability and bias. Then, we present key-recovery attacks towards round-reduced BORON. This paper is the first third-party cryptanalysis towards BORON.


Introduction
Lightweight cryptography is one of the most actively discussed topics in the current cryptographic community. For the last decade, a great number of lightweight block ciphers have been proposed, such as PRESENT [1], CLEFIA [2], PRINCE [3], SIMON [4], SPECK [4], SKINNY [5], GIFT [6], QARMA [7], and so on, which draw plenty of researchers' attention.
Meanwhile, there are some little-known lightweight block ciphers. BORON [8] is one of them. BORON, a substitution-permutation network cipher, supports 64-bit messages and 80/128-bit keys and has a total of 25 rounds. The substitution layer is made up of 16 identical 4-bit S-boxes, and the permutation layer includes nibble shift, bit rotation, and block XOR operation.
Except for the simple security analysis given by the designers, there is no third-party security evaluation in the open literature. To fill this gap, differential [9] and linear cryptanalysis [10] towards BORON are presented in this paper. Differential and linear cryptanalysis are among the most fundamental and powerful techniques for security evaluations of cryptographic primitives.
Differential cryptanalysis studies how differences propagate through the target cryptographic primitive. If input differences and output differences occur in some regular patterns, these could be used to build distinguishers or even to recover secret keys.
Linear cryptanalysis focuses on the linear equation between plaintexts, ciphertexts, and keys. If this linear equation holds with a high probability, a distinguishing attack or key-recovery attack could be mounted. Therefore, finding good distinguishers is the first step to evaluate security against differential and linear cryptanalysis.
There are many methods to find differential and linear trails, such as Matsui's algorithm, SAT/SMT and MILP, which are widely used to analyse the security of cryptographic primitives [11][12][13][14][15]. In this paper, we utilize the SMT solver STP (http://stp.github.io), which is suitable for dealing with bit vectors, to search for good trails.

Contributions.
This paper analyses the security of BORON against differential and linear cryptanalysis. Security bounds are depicted in Table 1.
The minimal number of active S-boxes of differential and linear trails could describe approximate security bounds of resistance to differential and linear cryptanalysis. We find that the minimal number of active S-boxes proposed by designers is incorrect and intact. Then, differential and linear trails with the accurate minimal number of active S-boxes are found. Our results are listed in Table 2.
We also search for (related-key) differential and linear trails with the optimal probability and bias. Details about the optimal probability and bias are illustrated in Table 3. Specific trails with the optimal probability and bias are listed in Tables 4-6. We figure out that there is no effective 9-round differential trail and 10-round linear trail. We also try to find impossible differential trails of BORON, and 7-round BORON impossible differential trails are obtained.
Utilizing the 8-round differential trail with the optimal probability of $2^{-62}$, we depict a key-recovery attack towards 9-round BORON with the 80-bit key schedule, whose time complexity is $2^{56}$, data complexity is $2^{63}$, and memory complexity is $2^{24}$. By the 9-round linear trail with the optimal bias of $2^{-30}$, a key-recovery attack towards 11-round BORON with the 128-bit key schedule is described, whose time complexity is $2^{123}$, data complexity is $2^{63}$, and memory complexity is $2^{42}$.
In this paper, we assume that BORON is a Markov cipher.

Outline.
This paper is organized as follows. Section 2 introduces the description of BORON. In Section 3, automatic models for finding trails are illustrated. Key-recovery attacks towards BORON are presented in Section 4. Section 5 concludes this paper.

Description of BORON
The S-box is described in Table 7. The permutation layer includes three parts: nibble shift, bit rotation, and block XOR operation. The round function is described in Figure 1. For more details, refer to [8].
In Figure 1, we regard 4 bits as a nibble and 16 bits as a block. Note that nibble shift is a permutation between nibbles, while bit rotation and block XOR operation act on blocks.

Key Schedule.
The key schedule of BORON is inspired by the one of PRESENT [1]. There are two versions, 80-bit and 128-bit. In total, 26 subkeys are generated by the key schedule in the whole procedure of encryption. Each subkey has 64 bits.
For the 80-bit version, the master key could be stored in a key register and denoted as $K = k_{79}k_{78}\ldots k_0$. First, extract the least significant 64 bits of the master key as the first subkey, that is, the whitening key $K_0 = k_{63}k_{62}\ldots k_0$. In the $j$th round ($j = 0, 1, \ldots, 24$), after extracting the least significant 64 bits, the key register is updated as follows:
(3) $k_{63}\|k_{62}\|k_{61}\|k_{60}\|k_{59} \leftarrow (k_{63}\|k_{62}\|k_{61}\|k_{60}\|k_{59}) \oplus j$
For the 128-bit version, the master key could be stored in a key register and denoted as $K = k_{127}k_{126}\ldots k_0$. Extract the least significant 64 bits of the master key as the first subkey, that is, the whitening key $K_0 = k_{63}k_{62}\ldots k_0$. In the $j$th round ($j = 0, 1, \ldots, 24$), after extracting the least significant 64 bits, the key register is updated as follows:

Automatic Models for Searching Trails
In this paper, we use STP [16], an SMT solver, to search for good differential and linear trails. STP uses the CVC and SMTLIB2 languages to encode constraints and then invokes a SAT solver to check the satisfiability of these constraints. In this paper, the CVC language is used to encode difference and linear mask propagations of BORON. Inspired by models in [11][12][13][14][15][17][18][19][20], we present automatic models for finding differential and linear trails of BORON. All intermediate states of BORON are represented by variables which are used to build constraints. Searching for good trails is transformed into checking the satisfiability of constraints. For different searching problems, there are different constraints. We show constraints for all operations used in BORON as follows.
3.1. Finding Differential Trails. First, we give some notations about variables. We count from the right side, starting at zero.
(i) before_sbox_value1_i_j: input value of the jth S-box in the ith round
(ii) after_sbox_value1_i_j: output value of the jth S-box in the ith round whose input value is before_sbox_value1_i_j
(iii) before_sbox_value2_i_j: input value of the jth S-box in the ith round

Substitution Layer. Constraints built in Algorithm 4 describe difference propagations through S-boxes, which include initializing variables by values of S-boxes and showing relationships among variables.
Other constraints should be added to Algorithm 4 when searching for differential trails with the minimal number of active S-boxes.
These constraints of searching for the minimal number of active S-boxes are illustrated in Algorithm 5. The variable flag_i_j is used to indicate whether an S-box is active or not. When the jth S-box in the ith round is active, flag_i_j = 1; otherwise, flag_i_j = 0.
We need to check whether total_num = n is satisfied or not under constraints from Algorithms 4 and 5, where n is the expected number of active S-boxes in the whole differential trail, and total_num = n is regarded as the objective constraint.
We first search for 3-round trails with the minimal number of active S-boxes, and set n = 1. Put all constraints including Algorithms 1-5 into STP and check the satisfaction of these objective constraints. If STP returns invalid, gradually adjust the value of n by adding 1 till STP returns a trail. When searching for r-round trails with the minimal number of active S-boxes, we set the value of n equal to the minimal number of active S-boxes of (r − 1)-round trails. Repeat the above steps.
When searching for the optimal differential trail, we need to consider probabilities of difference propagations through S-boxes. Probabilities of S-boxes could be described by the difference distribution table (DDT).
For any input difference x and output difference y of the S-box, the probability of the S-box, named p_sbox(x, y), is equal to the corresponding value in the DDT divided by 16, which is
We can write that $\mathrm{p\_sbox}(x, y) = 2^{-\mathrm{probability}(x, y)}$. In our model, we use the parameter probability(x, y) to present the probability of the S-box and
$$\mathrm{probability}(x, y) = -\log_2 \frac{\mathrm{value\_in\_DDT}(x, y)}{16}.$$
Values of probability(x, y) for all x and y are stored in a table called Diff_dist.
Denote the probability of the whole differential trail as $2^{-\mathrm{total\_probability}}$ and
$$\mathrm{total\_probability} = \sum_{i=0,\,j=0}^{i=r,\,j=15} \mathrm{probability\_i\_j}.$$
The parameter total_probability is used to represent the probability of the whole trail in the constraints. Constraints of finding the optimal differential trail are presented in Algorithm 6. Let the value of total_probability start from doubling the minimal number of active S-boxes because

It is a little complicated for linear masks to propagate through block XOR operation due to the property of linear masks. Detailed constraints are described in Algorithm 7. Figure 2 illustrates the variables which are used in tracking linear masks through block XOR operation.

Substitution Layer.
Similar to finding differential trails, we also use flag_i_j to represent whether an S-box is active or not when finding linear trails with the minimal number of active S-boxes. The objective constraint is total_num = n, where n is the expected number of active S-boxes in the whole linear trail. The choice of n is the same as above. Detailed constraints are illustrated in Algorithm 8.
When searching for the optimal linear trail, we need to consider biases of S-boxes which could be described by the linear approximation table (LAT).
For any input mask α and output mask β of the S-box, the bias of the S-box, named b_sbox(α, β), is equal to the corresponding value in the LAT divided by 16, which is
We can write that $\mathrm{b\_sbox}(\alpha, \beta) = 2^{-\mathrm{bias}(\alpha, \beta)}$. Use the parameter bias(α, β) to present the bias of the S-box in the constraints and
Values of bias(α, β) for all α and β are stored in a table named linear_dist.

ALGORITHM 4: Difference propagations through S-boxes.
r: the number of rounds
S[x]: output of the S-box with the input x
(1) for i ⟵ 1 to r do
(2)   for j ⟵ 0 to 15 do
(3)   end for
(7)   end for
(8) end for
(9)
(10) for i ⟵ 1 to r do
(11)   for j ⟵ 0 to 15 do
(12)     before_sbox_difference_i_j
(13)       = before_sbox_value1_i_j ⊕ before_sbox_value2_i_j
(14)     after_sbox_difference_i_j
(15)       = after_sbox_value1_i_j ⊕ after_sbox_value2_i_j
(16)   end for
(17) end for

r: the number of rounds
n: the expected number of active S-boxes in the whole trail
(1) end if
(8) end for
(9) end for

Denote the bias of the whole linear trail as $2^{-\mathrm{total\_bias}}$ and due to the Piling-up Lemma [10]

    end for
(5) end for
(6)
(7) for i ⟵ 1 to r do
(8)   for j ⟵ 0 to 4 do
(9)     xor_i_j_up = xor_i_j_down = xor_i_j_another
(10)   end for
(11) end for
(12)
(13) for i ⟵ 1 to r do
(14)

Security and Communication Networks

Constraints of finding linear trails with the optimal bias are presented in Algorithm 9.
Set the initial value of total_bias by considering all S-boxes with the optimal bias. Adjust the value of total_bias by adding 1 till obtaining the trail with the optimal bias.
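The two S-box lookup tables used by the models above, probability(x, y) from the DDT and bias(α, β) from the LAT, can be computed directly from the S-box of Table 7. The following is an added example, not the authors' code; the function names are illustrative, DIFF_DIST and LINEAR_DIST mirror the paper's Diff_dist and linear_dist, and the LAT is assumed to use the signed "count minus 8" convention.

```python
import math

# BORON S-box as listed in Table 7 of the paper.
SBOX = [0xE, 0x4, 0xB, 0x1, 0x7, 0x9, 0xC, 0xA,
        0xD, 0x2, 0x0, 0xF, 0x8, 0x5, 0x3, 0x6]

def parity(v):
    """Parity of the set bits of v (GF(2) dot product once masked)."""
    return bin(v).count("1") & 1

def ddt(sbox):
    """ddt[dx][dy] = number of x with S[x] ^ S[x ^ dx] == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S[x]} - n/2 (assumed signed convention)."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]

def weight_table(table, n=16):
    """-log2(|entry| / n) per entry; None marks an impossible transition."""
    return [[None if e == 0 else -math.log2(abs(e) / n) for e in row]
            for row in table]

DIFF_DIST = weight_table(ddt(SBOX))    # probability(x, y) in the paper
LINEAR_DIST = weight_table(lat(SBOX))  # bias(alpha, beta) in the paper

def trail_weight(transitions):
    """total_probability of a differential trail given its per-S-box
    (dx, dy) transitions, under the Markov assumption. Inactive S-boxes
    (0 -> 0) add 0; a zero DDT entry makes the trail impossible (None)."""
    total = 0.0
    for dx, dy in transitions:
        w = DIFF_DIST[dx][dy]
        if w is None:
            return None
        total += w
    return total

def min_active_weight(dist):
    """Smallest weight an active S-box (nonzero input) can contribute."""
    return min(w for row in dist[1:] for w in row if w is not None)
```

For this S-box, min_active_weight(DIFF_DIST) is 2, which is why the search for total_probability can start at twice the minimal number of active S-boxes.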

Finding Related-Key Differential Trails.
When searching for differential trails in the related-key setting, some constraints are given in Algorithm 10 to illustrate the related-key relationship. We also need to construct some constraints which describe difference propagations through the key schedule. Operations in the key schedule are similar to those in the encryption algorithm, and constraints could refer to Algorithms 2, 3, and 6.
Detailed code is presented in the GitHub repository, and the optimal trails are illustrated in Table 6.

Finding Impossible Differential Trails.
In order to find impossible differential trails, we need to set the pattern of input and output differences and check the satisfaction of constraints. If the solver returns a trail, there is no impossible differential trail under this pattern. If it returns invalid, an impossible differential trail is found. Constraints are listed in Algorithm 11.
As a result, we obtain 4 different 7-round impossible differential trails, which are
0x0000000000010000 ⟶ 0x0001000000000000,
0x0000000000100000 ⟶ 0x0010000000000000,
0x0000000001000000 ⟶ 0x0100000000000000,
0x0000000010000000 ⟶ 0x1000000000000000. (7)
The former is the input pattern, and the latter is the output pattern of the 7-round BORON, where "1" represents the active nibble and "0" represents the inactive nibble.

Key-Recovery Attacks
4.1. Differential Cryptanalysis. Considering the 8-round differential trail with the probability of $2^{-62}$ as a distinguisher illustrated in Table 4, a key-recovery attack towards 9-round BORON is presented in the following by adding one more round on the tail of the distinguisher. We omit the permutation layer of the last round due to linearity. We adopt the 80-bit key schedule in this key-recovery attack.
The input difference of this distinguisher is 0x0000080000100000, and the output difference is 0x0041004100080009. We choose $2^{62}$ plaintext pairs whose differences are equal to 0x0000080000100000. Filter these plaintext pairs and keep ones whose ciphertext differences are equal to 0x00??00??000?000?, where ? represents the
For the right candidate subkey, one plaintext pair satisfies the distinguisher. However, for wrong candidate subkeys, $2^{-24}$ plaintext pair satisfies the distinguisher on average. We pick the candidate subkey whose counter is maximum as the right subkey. The time complexity is $2^{46}$, the memory complexity is $2^{24}$, and the data complexity is $2^{63}$.
For the 80-bit master key, we have already guessed 24 bits. To obtain the remaining 56 bits, we use a brute-force search.
The time complexity is $2^{56}$. The memory and data complexity could be omitted.
Hence, we give a key-recovery attack towards 9-round BORON with time complexity $2^{56}$, memory complexity $2^{24}$, and data complexity $2^{63}$.
We use the method in [21] to evaluate the success probability of this attack.
The success probability $P_S$ is computed as follows: where $\mu = pN$, $p$ is the probability of the differential trail, $N$ is the number of plaintext pairs, $a$ is the advantage, and $S_N$ is the signal-to-noise ratio. In our differential cryptanalysis,

4.2. Linear Cryptanalysis. Based on the 9-round optimal linear trail listed in Table 5, we could present a key-recovery attack against 11-round BORON by linking one more round at the head and tail of this 9-round linear trail. The number of plaintexts required in the key-recovery attack is equal to $c\varepsilon^{-2}$, where $\varepsilon$ is the bias of the linear approximation and $c$ is a constant [10]. Set $c = 8$, and then we need $2^{63}$ plaintexts to achieve this attack and the success probability of this attack is 96.7%.
We need to guess 28 bits of subkey $K_0$ and 24 bits of subkey $K_{11}$. Considering the 128-bit key schedule, there are 10 same bits between $K_0$ and $K_{11}$. In total, we need to guess 42 bits to obtain 5-bit key information. This key-recovery attack requires $2^{63} \cdot 2^{42} = 2^{105}$ one-round encryptions, which is equivalent to $2^{101.54}$ 11-round encryptions. The remaining 123 bits need to be searched by brute force.
Hence, the time complexity is $2^{123}$, memory complexity is $2^{42}$, and data complexity is $2^{63}$.

Conclusion
In this paper, we present the first third-party cryptanalysis of the lightweight block cipher BORON against differential and linear cryptanalysis. By the automatic tool, we search for differential and linear trails with the minimal number of active S-boxes and trails with the optimal probability and bias. Considering the optimal trails as distinguishers, we mount key-recovery attacks. Utilizing the 8-round differential trail with the optimal probability $2^{-62}$, we give a key-recovery attack towards 9-round BORON whose time complexity is $2^{56}$, data complexity is $2^{63}$, and memory complexity is $2^{24}$. By the 9-round linear trail with the optimal bias $2^{-30}$, we describe the key-recovery attack towards 11-round BORON whose time complexity is $2^{123}$, data complexity is $2^{63}$, and memory complexity is $2^{42}$. Besides differential and linear cryptanalysis, there are other powerful cryptanalysis techniques. Further security evaluations could be made in future work.

Data Availability
The code and trails used to support the findings of this study have been deposited on GitHub (https://github.com/CatherineLiang/Cryptanalysis-of-BORON).

x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S[x]  e 4 b 1 7 9 c a d 2 0 f 8 5 3 6

(vii) before_rotation_difference_i_j: difference of the jth block before bit rotation of the ith round
(viii) after_rotation_difference_i_j: difference of the jth block after bit rotation of the ith round
(ix) after_blockxor_difference_i_j: difference of the jth block after block XOR operation of the ith round
(x) flag_i_j: represents whether the jth S-box in the ith round is active or not
(xi) total_num: the total number of active S-boxes in the trail
(xii) probability_i_j: probability parameter of the jth S-box in the ith round
(xiii) total_probability: probability parameter of the whole differential trail

3.1.1. Permutation Layer.

ALGORITHM 7: Linear mask propagations through block XOR operation.

4.1. Differential Cryptanalysis. Considering the 8-round differential trail with the probability of $2^{-62}$ as a distinguisher illustrated in Table

Table 1: Security bounds of BORON.

Table 2: Minimal number of active S-boxes.

Table 3: Optimal probability and bias.

Table 4: Differential trails with the optimal probability.

Table 5: Linear trails with the optimal bias.
(iv) after_sbox_value2_i_j: output value of the jth S-box in the ith round whose input value is before_sbox_value2_i_j

Table 6: Related-key differential trails with the optimal probability.