Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets

Abstract

BM123-64 block cipher, which was proposed by Minh, N.H. and Bac, D.T. in 2014, was designed for high speed communication applications factors. It was constructed in hybrid controlled substitution–permutation network (CSPN) models with two types of basic controlled elements (CE) in distinctive designs. This cipher is based on switchable data-dependent operations (SDDO) and covers dependent-operations suitable for efficient primitive approaches for cipher constructions that can generate key schedule in a simple way. The BM123-64 cipher has advantages including high applicability, flexibility, and portability with different algorithm selection for various application targets with internet of things (IoT) as well as secure protection against common types of attacks, for instance, differential attacks and linear attacks. However, in this paper, we propose methods to possibly exploit the BM123-64 structure using related-key attacks. We have constructed a high probability related-key differential characteristics (DCs) on a full eight rounds of BM123-64 cipher. The related-key amplified boomerang attack is then proposed on all three different cases of operation-specific designs with effective results in complexity of data and time consumptions. This study can be considered as the first cryptographic results on BM123-64 cipher.

1. Introduction

The BM123-64 [1] has a 64-bit block size covering 256-bit secret key size and a total of eight function rounds. This cipher is based on switchable data-dependent operations (SDDO) [2], which is designed to combine data-dependent operations in functions and new feature of hybrid-controlled substitution–permutation network (CSPN) models. By this way, BM123-64 is considered as a solution for a more flexible and suitable approach for appropriate application targets with each specific design. The cipher has advantages including better suitability, applicability with different algorithm designs for specific targets, and high reliability of securing against well-known attacks, for instance, linear attacks and differential attacks.

Although lots of researchers have focused on how to enhance the security of construction designs using different operations and functions, for instance, DDP (Data-Dependent Permutation) -based ciphers (such as DDP-64 [3], Cobra-family [3] and SCO (Switchable Controlled Operation) -family [2]), DDO (Data-Dependent Operation) -based ciphers (such as MD-64 [4], KT-64 [5], CTPO (Controlled Two-Place Operation) [6] and DDO-64 [7]), and SDDO-based ciphers (such as XO-64 [8] or BMD-128 [9]), their weaknesses have been recently explored with common related attacks. A simple key schedule generator for high speed transformation and lightweight targets can lead to an attack possibility for cryptanalysis using common related-key attack methods.

Related-key amplified boomerang attack [10] is an extension of the related-key boomerang attack proposed by Biham et al., 2005 [11] and Wagner, 1999 [12]. The idea of this attack is that it explores two distinctive related-key differentials to construct the related-key boomerang with high probability. Compared to other attacks, the attack was designed as an adaptive chosen plaintext attack that has become a popular and effective method to exploit many types of block ciphers. Previous studies that have applied this attack on various SDDO-based ciphers - such as COCONUT98, IDEA [11], MARS, Serpent [12], DDO-64 [13], MD-64 [14], BMD-128 [15], XO-64 [16], etc.—showed efficiency and high probabilities in cryptanalytic results.

In this paper, we propose attack methods on BM123-64 constructions with related-key approach. By constructing high probability differentials with two related-key boomerangs in distinctive designs, this attack expects to exploit a full eight rounds of BM123-64 with effective cryptanalytic results. The proposed attack requires about 2⁶⁷ data complexity, 2⁷⁰ memory bytes, and time complexity of 2⁶⁷ encryptions with Case 1 design. For Case 2 and Case 3 designs of BM-123-64 constructions, 2⁵¹ data complexity, 2⁵⁴ memory bytes, and time complexity of 2⁶⁵ are required. This study shows that like lots of other ciphers designed on data-dependent operations, BM123-64 still has weaknesses and is insecure against related-key cryptanalysis. The cipher construction should therefore be based on more secure primitive security approach.

The rest of this paper is organized as follows: The BM123-64 construction is briefly reviewed in Section 2. In Section 3, the proposed attacks on BM123-64 cipher is discussed, including differential characteristics (DCs), analysis methods, and security assessments. Finally, in Section 4, conclusions of the paper are presented.

2. BM123-64 Block Cipher Description

2.1. Preliminaries

This section explains notations used in this paper. With x₁ as the most significant bit and x_n as the least significant bit, a cipher X can be assigned as X = (x₁, x₂, …, x_n).

The DCs applied to the attack methods include descriptions of differential relation of block ciphers, such as input, output, and function round key.

-

r denotes each function round of block cipher.

-

∆X_r denotes input difference value that occurs in each r.

-

∆Y_r denotes output difference value that occurs in each r.

-

∆U_r, ∆Q_r denote round key difference values that occur in each r.

-

e_i denotes the data bit changing within each round function, with i value considered as an active bit; at the i^th position, the bit value is “1”, and the remaining bits are “0” in each block data. for instance, e_1,3 = (1, 0, 1, 0, …, 0)).

2.2. BM123-64 Construction

BM123-64 [1] is described as a 64-bit SDDO-based block cipher with 256-bit secret key and eight function rounds in total. Each Crypt^(e) round function in the cipher structure does the same operation from the first round to the final round to generate output ciphertext.

The Crypt^(e) of BM123-64 covers three types of fixed permutation functions (I, I₁, and I₂), an extension box E, hybrid-controlled substitution–permutation networks CSPNs, and SDDO-based functions $F_{n/m}^{V/e}$ (F_16/64, F ⁻¹_16/64, F_16/32, F ⁻¹_16/32) based on basic controlling element F_2/2.

The process of BM123-64 encryption is described in the algorithm below.

• 64-bit input plaintext splits into two 32-bit block A and block B.
• From rounds r = 1 to 7, they have the same operations for each round:
        (A, B) = Crypt⁽⁰⁾ (A, B, U_r, Q_r)
        (A, B) = (B, A)
• In the last round, there is final transformation to output ciphertext:
        (A, B) = Crypt⁽⁰⁾ (A, B, U₈, Q₈)
        (A, B) = (L ⊕ U_FT, R ⊕ Q_FT)
        (A, B) = (A, B).

Figure 1 and Figure 2 illustrate the Crypt⁽⁰⁾ round function in detail. Reference [1] contains more description of the BM123-64 construction.

The SDDO-based functions F_16/64, F ⁻¹_16/64 are constructed based on elementary function F_2/2, since F_2/2 is described as ((x₁, x₂), [v, z]/(y₁, y₂)). For better performance on implementation with the target of a specific application and expansion of encryption space, the function $F_{n/m}^{V/e}$ is designed in three different operations with three different description of the basic element F_2/2.

Case 1:

y₁ = vzx₁ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ v ⊕ z ⊕ x₁ ⊕ 1

y₂ = vzx₂ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ x₂ ⊕ v ⊕ z ⊕ 1

y₃ = vzx₁ ⊕ vzx₂ ⊕ zx₁ ⊕ x₁ ⊕ x₂.

Case 2:

y₁ = vzx₁ ⊕ vzx₂ ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ zx₂ ⊕ z ⊕ v ⊕ x₂

y₂ = vzx₁ ⊕ vzx₂ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ zx₂ ⊕ x₁

y₃ = vz ⊕ v ⊕ z ⊕ x₁ ⊕ x₂.

Case 3:

y₁ = vx₂ ⊕ x₂ ⊕ x₁ ⊕ v ⊕ 1

y₂ = vx₁ ⊕ x₂.

The three fixed permutations I, I₁, and I₂ are denoted as follows:

 I₁ = (1) (2,5) (3,9) (4,13) (5,2) (6) (7,10) (8,14) (9,3) (10,7) (11) (12,15) (13,4) (14,8) (15,12) (16).

 I₂ = (1) (2,3) (3,2) (4) (5) (6,7) (7,6) (8) (9) (10,11) (11,10) (12) (13) (14,15) (15,14) (16).

 I = (1) (2,18) (3) (4,20) (5) (6,22) (7) (8,24) (9) (10,26) (11) (12,28) (13) (14,30) (15) (16,32) (17)

 (18,2) (19) (20,4) (21) (22,6) (23) (24,8) (25) (26,10) (27) (28,12) (29) (30,14) (31) (32,16).

The expansion function E takes a 16-bit input X, since E(X) = (X, X^<<<4, X^<<<8, X^<<<12); it then outputs 64-bit controlled vector (V, Z) = (V₁, V₂, V₃, V₄, Z₁, Z₂, Z₃, Z₄).

The hybrid CSPN construction is designed based on the description of permutation function structure covering eight 4 × 4 S-boxes (S₀, S₁, S₂, S₃ and S⁻¹₀, S⁻¹₁, S⁻¹₂, S⁻¹₃) with SDDO-based function $F_{n/m}^{V/e}$. Figure 3 presents the CSPN with its S-boxes in structure.

Like other data-dependent ciphers, BM123-64 is constructed with a very simple key schedule for high-speed transformation target. To generate function keys used in each round, 256-bit secret key K is divided into eight 32-bit subkeys K = (K₁, K₂, …, K₇, K₈). The key scheduling is provided with different parameters as shown in

Table 1. Key schedule of BM123-64.

Round Or	O1	O2	O3	O4	O5	O6	O7	O8	OFT
Ur	K3	K4	K8	K6	K2	K7	K5	K2	K3
Qr	K1	K2	K5	K7	K3	K6	K8	K4	K1
e’1	1	1	1	0	0	1	1	0	-
e’2	0	1	1	0	1	1	1	1	-
e’3	0	0	0	1	1	0	0	1	-
e’4	1	0	0	1	0	0	0	0	-

* O_FT performs the final transformation.

.

3. Proposed Attack Methods on BM123-64 Construction

Differential properties of operations in each round function are fundamental features to build differential characteristics and explore the related-key attack methods. Based on these properties, we can construct high probability DCs on a full eight rounds of BM123-64 with Crypt^(e) function. Furthermore, the related-key amplified boomerang attacks will be addressed with effective complexity results.

3.1. BM123-64 Crypt^(e) Function Properties

The Crypt^(e) function in BM123-64 cipher consists of several $F_{n/m}^{V/e}$ functions having appropriate differential properties to construct the high probability DCs.

3.1.1. Differential Properties of F_2/2 Function

x₁ and x₂ are assumed as input parameters, with a pair (v, z) controlled vector of F_2/2 function. Therefore, the controlled element F_2/2 can be described as F_2/2 (x₁, x₂, [v, z]). Based on different distribution applied to different descriptions of F_2/2 in BM123-64, we have differential properties for each case as the following:

Case 1:

y₁ = vzx₁ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ v ⊕ z ⊕ x₁ ⊕ 1

y₂ = vzx₂ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ x₂ ⊕ v ⊕ z ⊕ 1

Pr [F_2/2 (x₁, x₂, [v, z]) ⊕ F_2/2 (x₁ ⊕ 1, x₂, [v, z]) = (1, 0)] = 2⁻².

Case 2:

y₁ = vzx₁ ⊕ vzx₂ ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ zx₂ ⊕ z ⊕ v ⊕ x₂

y₂ = vzx₁ ⊕ vzx₂ ⊕ vz ⊕ vx₁ ⊕ vx₂ ⊕ zx₁ ⊕ zx₂ ⊕ x₁

Pr [F_2/2 (x₁, x₂, [v, z]) ⊕ F_2/2 (x₁ ⊕ 1, x₂, [v, z]) = (1, 0)] = 2⁻¹.

Case 3:

y₁ = vx₂ ⊕ x₂ ⊕ x₁ ⊕ v ⊕ 1;

y₂ = vx₁ ⊕ x₂

Pr [F_2/2 (x₁, x₂, [v, z]) ⊕ F_2/2 (x₁ ⊕ 1, x₂, [v, z]) = (1, 0)] = 2⁻¹.

For each case of F_2/2 description, in order to get the (1, 0) output difference with the (x₁ ⊕ 1, 0) input difference and the (0, 0) controlled vector difference, the probability will be 2⁻², 2⁻¹, and 2⁻¹ for Case 1, Case 2, and Case 3, respectively.

3.1.2. Differential Properties of F_16/64 and F ⁻¹_16/64 Functions

In the same way, we can get the properties of SDDO-based functions F_16/64 and F ⁻¹_16/64 using the properties above. Here, X is the input parameters for F_16/64 and F ⁻¹_16/64 and (V, Z) is the controlled vector. Based on the properties of F_2/2, we can get the following:

Case 1:

Pr [F_16/64 (X, V, Z) ⊕ F_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁸

Pr [F⁻¹_16/64 (X, V, Z) ⊕ F⁻¹_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁸

Case 2:

Pr [F_16/64 (X, V, Z) ⊕ F_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁴

Pr [F⁻¹_16/64 (X, V, Z) ⊕ F⁻¹_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁴

Case 3:

Pr [F_16/64 (X, V, Z) ⊕ F_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁴

Pr [F⁻¹_16/64 (X, V, Z) ⊕ F⁻¹_16/64 (X ⊕ e₁₆, V, Z) = e₁₆] = 2⁻⁴

With the F_16/64 and F ⁻¹_16/64 function designs, we can see that there is a total of four active layers F_2/2 within each construction, as shown in Figure 2.

3.2. Related-Key Boomerang of BM123-64

Here, we describe the way to generate related-key differential boomerangs on a full eight rounds of BM123-64 using the obtained properties in Section 3.1 with the key schedule generator.

We construct two related-key differentials as follows:

The first four rounds of related-key differential E⁰ = ($\alpha$ → $\beta$) holds with chosen input difference $\alpha$ = (0, 0) and key difference (0, e₃₂) from the first round to the fourth round with output difference $\beta$ = (0, 0). The key difference, based on the key schedule generator given in Table 1, is to control differential propagation and get high probability. The first related-key differential achieves this with probability p = 2⁻¹⁶, 2⁻⁸, and 2⁻⁸ for each case of F_2/2 description.

The second related-key differential E¹ = ($\gamma$ → $\delta$) = (0, e₃₂) “ (0, e₁₆) covering the last four rounds with input difference $\alpha$ = (0, e₃₂) and key difference (0, e₃₂) from the fifth round gives output difference $\delta$ = (0, e₁₆) after the final transformation. The second related-key differential obtains probability q = 2⁻¹⁶, 2⁻⁸, and 2⁻⁸, respectively. In total, the related-key differential characteristics constructed on a full eight rounds of BM123-64 designs give us the probability of 2⁻³² for Case 1, 2⁻¹⁶ for Case 2, and 2⁻¹⁶ for Case 3. Figure 2 illustrates the DCs propagation of some specific BM123-64 rounds in Case 2 and Case 3.

The differential amplified boomerang can be explored based on the two related-key differentials above.

We can take any chosen plaintexts, namely (P, P*, P’, P’*) with input difference $\alpha$ = (0, 0) described as ∆P = P ⊕ P* = P’ ⊕ P’*, to give respective ciphertexts with output difference $\beta$ = (0, 0) using related-keys (K, K*, K’, K’*) defined as ∆K = K ⊕ K* = K’ ⊕ K’* = (0, e₁₆, e₃₂, 0, 0, 0, 0, 0). We can hold the first four rounds related-key boomerang with probability of 2⁻¹⁶ for Case 1, 2⁻⁸ for Case 2, and 2⁻⁸ for Case 3. Furthermore, by pretending an additional round with intermediate differential values (I, I*, I’, I’*) described as I ⊕ I* = I’ ⊕ I’* = (0, e₃₂) using another related-key differences ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e₃₂, 0, 0, 0, 0, 0, 0), we can build the second related-key boomerang on the last four rounds of 2⁻¹⁶ probability for Case 1, and 2⁻⁸ for both Case 2 and Case 3.

In

Table 2. Related-key DCs of a full eight rounds of BM123-64 in distinctive designs.

Round (r)	∆Xr	(∆Ur, ∆Qr)	Probability
			Case 1	Case 2	Case 3
1	$\alpha$ = (0, 0)	(0, e32)	2−16	2−8	2−8
2	(e16, 0)	(e16, 0)	1	1	1
3	(0, 0)	(0, 0)	1	1	1
4	(0, 0)	(0, 0)	1	1	1
Output	$\beta$ = (0, 0)		2−16	2−8	2−8
5	(0, e32) = $\gamma$	(0, e32)	1	1	1
6	(0, 0)	(0, 0)	1	1	1
7	(0, 0)	(0, 0)	1	1	1
8	(0, 0)	(0, e16)	2−16	2−8	2−8
FT	(0, e16)	(0, 0)	1	1	1
Output (∆Y)	$\delta$ = (0, e16)
Total			2−32	2−16	2−16

, the detailed DCs of a full eight rounds of BM123-64 with corresponding probabilities is shown. And, Figure 4 illustrates the DCs in Crypt^(e) function of BM123-64 with Case 2 and Case 3 at several rounds.

See (Appendix A) for more descriptions of DCs with Case 1.

3.3. Related-Key Amplified Boomerang Attack on the BM123-64 Designs

With the two obtained differentials, we expect that having m²∙2⁻¹²⁸ of encrypted quartets for Case 1 is right. For Case 2 and Case 3, the expected number is m²∙2⁻⁹⁶ right quartets. Furthermore, in the case of an ideal cipher, the related-key boomerang differentials applied on a full eight rounds of BM123-64 with probabilities of 2⁻¹²⁸, 2⁻⁹⁶, and 2⁻⁹⁶ (2⁻⁶⁴∙p²∙q²) for each case, respectively. For the least expected right quartets number of 8, we take a set of 2⁶⁶ pairs of plaintexts (m²∙2⁻¹²⁸ = 2³) for the attack process in Case 1 and 2⁵⁰ pairs of plaintexts (m²∙2⁻⁹⁶ = 2³) for the attacks in Case 2 and Case 3.

The attacker follows the below steps for a full related-key attack method on BM123-64:

(1)

We pick a set of 2⁶⁶ pairs of plaintexts (P_j, P_j *), (j = 1, …, 2⁶⁶), then we expand into another set of 2¹³¹ quartets of plaintexts, denoted as (P_i, P_i *, P_i ’, P_i ’*), (i = 1, …, 2¹³¹) in Case 1, or 2⁵⁰ pairs of plaintexts (P_j, P_j *), (j = 1, …, 2⁵⁰) and generate 2⁹⁹ quartets of plaintexts (P_i, P_i *, P_i ’, P_i ’*), (i = 1, …, 2⁹⁹) in Case 2 and Case 3, with input difference $\alpha$ = (0, 0). We ask for encryption of all the quartets (P_i, P_i *, P_i ’, P_i ’*) using the related-keys (K, K*, K’, K’*) difference, described as two terms of relation: ∆K = K ⊕ K* = K’ ⊕ K’* = (0, e₁₆, e₃₂, 0, 0, 0, 0, 0) and ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e₃₂, 0, 0, 0, 0, 0, 0) to output respective quartets of ciphertexts (C_i, C_i *, C_i ’, C_i ’*).

(2)

We do XOR with all possible values of C_i and C_i’, C_i *, and C_i’* for each i value, then check whether the output result is (0, e₁₆) and store all these difference values to apply in the previous eight rounds.

(3)

By this way, at the final transformation, we expect to hold a 64-bit subkey including K₁ and K₃, then get the remaining subkeys (K₁*, K₃*), (K₁’, K₃’), and (K₁’*, K₃’*) of the quartets of subkeys.

(a)

Similarly, at the eighth round, we ask for decryption of all quartets of ciphertexts values obtained from Step 2 with subkey quartets of K₁ and K₃ to hold 64-bit input values (X_j, X_j*, X_j’, X_j’*) at the left side process of round function.

(b)

We do XOR with all possible values of X_j and X_j’, X_j *, and X_j’* for each j value, then check whether the output result is 0.

(4)

After passing Step 3, all values of quartets of two subkeys K₁ and K₃ are explored. We can do brute force attacks to obtain the remaining 192-bit subkeys (K₂, K₄, K₅, K₆, K₇, K₈) with all K₁ and K₃.

4. Results and Discussion

With Case 1, the proposed attack requires 2⁶⁶ pairs of plaintexts and 2⁶⁷ related-key chosen plaintexts in data complexity, since the related-key DC is 2⁻³². Furthermore, it needs about 2⁷⁰ (=2⁶⁷ × 8) bytes of memory.

With Case 2 and Case 3, the attack requires 2⁵⁰ pairs of plaintexts and 2⁵¹ related-key chosen plaintexts in data complexity, while the related-key DCs are 2⁻¹⁶. The attack takes about 2⁵⁴ (=2⁵¹ × 8) bytes of memory.

At Step 1 of the attack, the complexity of time is a unit of 2⁶⁷ encryptions (Case 1), or 2⁵¹ encryptions (Case 2 and Case 3) of the full eight rounds of BM123-64. Each quartet of ciphertext is planned to achieve Step 2 of the attack with 2⁻⁶⁴ probability. In addition, we will get 2⁶⁷ (=2¹³¹ × 2⁻⁶⁴) right quartets of ciphertext (Case 1) or 2³⁵ right quartets of ciphertext (=2⁹⁹ × 2⁻⁶⁴) (Case 2 and Case 3) that will achieve Step 2. At Step 3 and Step 4, the complexity of time is a unit of 2⁶² (=2⁶⁴ × 4 × 1/8 × 1/2) and 2⁶⁵ (=2⁶⁴ × 1 × 2) for a full eight rounds of BM123-64 encryptions, respectively. Finally, the results show that all the attacks require total time complexity of 2⁶⁷ (≈2⁶⁷ + 2⁶² + 2⁶⁵) (Case 1) or 2⁶⁵ (≈2⁵¹ + 2⁶² + 2⁶⁵) (Case 2 and Case 3) for a full eight rounds of BM123-64 encryptions on average. In

Table 3. Cryptanalysis results on constructions based on DDP (Data-Dependent Permutation), DDO (Data-Dependent Operation), and SDDO (switchable data-dependent operation).

Block Cipher	Total Rounds	Complexity Data/Time	Key Bits Recovery
DDP-64	10/10	254 RCP/254	22
CHESS-64	8/8	244 RCP/244 239 RCP/239 244 RCP/2108 239 RCP/2122	20 6 128 128
DDO-64V1	8/8	235.5 RCP/265.5
DDO-64V2	8/8	23 RCP/231
MD-64	8/8	243.1 RCP/295
BMD-128	7/8	279 RCP/2129
KT-64	8/8	245.5 RCP/265.17
XO-64	8/8	244 RCP/265
BM123-64 (Case#1) (*)	8/8	267 RCP/267
BM123-64 (Case#2) (*) BM123-64 (Case#3) (*)	8/8	251 RCP/265

(*) our proposed attack results; RCP denotes the Related-key Chosen Plaintext.

, a comparison of cryptanalysis results between the scheme proposed and other data-dependent ciphers in terms of complexity of data and time is given.

At Step 4 of the attack, outputting a wrong quartet of subkey takes 2⁻⁶⁴ of probability. With our cryptanalysis methods, the results shown with the output possibility in case of a wrong key is lower than the ideal case. These proposed related-key amplified boomerang attacks can potentially exploit the BM123-64 constructions at all three specific cases.

5. Conclusions

This paper proposes effective attacks on one of the recent SDDO-based constructions, BM123-64. The methods addressed in the study present main issues in security mechanisms of ciphers based on data-dependent operations that is used in many cipher designs for high speed transformation and lightweight targets. The simple key schedule generator with basic parameters when changed and substituted leads to a possibility of exploiting the structure weaknesses by related-key cryptanalysis. The work presented related-key amplified boomerang attacks on a full eight rounds of BM123-64 in distinctive designs with effective complexity results. This shows that with Case 1, it requires 2⁶⁶ related-key chosen plaintexts and 2⁶⁷ encryptions consumptions, and 2⁵⁰ related-key chosen plaintexts and 2⁶⁵ encryptions consumptions are required with Case 2 and Case 3. The results of this study can be applied on many construction designs of these types of ciphers. Along with some new cryptanalysis techniques like Fr Trust or RARE, our research will further enhance performance and is expected to develop novel approaches for a wide range of applications and devices in the IoT environment.