Integral Cryptanalysis of Reduced-Round IIoTBC-A and Full IIoTBC-B

Abstract

This paper delves into the realm of cryptographic analysis by employing mixed-integer linear programming (MILP), a powerful tool for automated cryptanalysis. Building on this foundation, we apply the division property method alongside MILP to conduct a comprehensive cryptanalysis of the IIoTBC (industrial Internet of Things block cipher) algorithm, a critical cipher in the security landscape of industrial IoT systems. Our investigation into IIoTBC System A has led to identifying a 14-round integral distinguisher, further extended to a 22-round key recovery. This significant finding underscores the cipher’s susceptibility to sophisticated cryptanalytic attacks and demonstrates the profound impact of combining the division property method with MILP in revealing hidden cipher weaknesses. In the case of IIoTBC System B, our innovative approach has uncovered a full-round distinguisher. We provide theoretical validation for this distinguisher and uncover a pivotal structural issue in the System B algorithm, specifically the non-diffusion of its third branch. This discovery sheds light on inherent security challenges within System B and points to areas for potential enhancement in its design. Our research, through its methodical examination and analysis of the IIoTBC algorithm, contributes substantially to the field of cryptographic security, especially concerning industrial IoT applications. By uncovering and analyzing the vulnerabilities within IIoTBC, we enhance the understanding of cipher robustness and pave the way for advancements in securing industrial IoT communications.

1. Introduction

1.1. Background

The rapid evolution of the industrial Internet of Things (IIoT) [1,2,3] heralds a new era in industrial automation and data exchange. This advancement, however, brings with it a heightened need for robust security solutions, particularly in cryptographic algorithms that can operate efficiently in resource-constrained environments. The industrial Internet of Things block cipher (IIoTBC) algorithm, specifically designed for IIoT applications [4,5,6,7,8], emerges as a pivotal innovation in this context. It strikes a crucial balance between computational efficiency and the stringent security requirements of industrial systems, ensuring data integrity and confidentiality in environments where traditional cryptographic solutions may prove infeasible.

IIoTBC [9] is primarily intended for securing industrial IoT environments, where it can be deployed at the sensor node level. It provides a first line of defense by allowing sensor data to circulate as ciphertext, thus enhancing privacy and security in industrial settings. Recognizing the rapid increase in industrial IoT users, IIoTBC is developed as a lightweight cipher to protect user privacy. It aims to fully realize its functions while minimizing the use of hardware devices. The round function of IIoTBC involves AddRoundkey, S-box permutation, and 1-bit left rotation. These operations are designed to be simple and consume fewer resources, making IIoTBC suitable for hardware implementation, particularly in resource-constrained environments. The IIoTBC algorithm is a strategically designed cipher that addresses the specific security requirements of the industrial IoT sector. Its lightweight design, flexible structure, and efficient hardware implementation make it an ideal solution for protecting data in resource-constrained IoT devices, especially in industrial settings where data security is paramount.

Despite its innovative design and promising applications, the security analysis of the IIoTBC algorithm remains incomplete. While IIoTBC is engineered to be lightweight and efficient, the robustness of its cryptographic mechanisms under various attack vectors has not been thoroughly evaluated. Conducting such an analysis is crucial for identifying potential vulnerabilities and validating the algorithm’s efficacy in providing secure data transmission within industrial IoT environments. By systematically investigating IIoTBC’s security properties, researchers can ensure that it meets the stringent security standards required for protecting sensitive industrial data.

1.2. Related Works

Integral cryptanalysis is a method of cryptanalysis that is used to attack symmetric key block ciphers [10,11,12,13]. This form of analysis is crucial for evaluating the strength of cryptographic algorithms against structured attacks. Integral cryptanalysis typically involves examining the behavior of algorithmic transformations over sets of plaintexts and observing specific patterns in the resulting ciphertexts. The discovery of these patterns, or distinguishers, can be instrumental in uncovering vulnerabilities within the cipher, thus providing valuable insights into its security profile [14,15,16].

The division property, introduced by Todo at EUROCRYPT 2015 [17] as a generalized integral property, is currently recognized as the most efficient and accurate method for detecting integral distinguishers. This property can effectively exploit algebraic degree information to identify balanced output bits, as evidenced by its successful application in breaking the full MISTY1 cipher. However, the initial version of the division property was word-oriented, focusing solely on the algebraic degree of nonlinear exponents and lacking the ability to utilize the internal structure of ciphers in a detailed manner.

Todo and Morii introduced the bit-based division property at FSE 2016 to address this limitation. This included both the conventional bit-based division property and the three-subset bit-based division property. Wang et al. later demonstrated that the three-subset bit-based division property could be used to recover the exact superpoly in cube attacks. This concept was further refined by Hao et al., leading to the three-subset bit-based division property without unknown subsets (3SDPwoU). Recently, Hebborn et al. pointed out that the 3SDPwoU, viewed from the perspective of the parity set actually determines the presence or absence of certain monomials in the polynomial representation of the cipher output [17,18,19].

At ASIACRYPT 2020, Hu et al. introduced the concept of monomial prediction, which reinterprets division properties directly from the polynomial viewpoint. By counting monomial trails, they could ascertain whether a monomial from the plaintext or initialization vector (IV) appears in the cipher output polynomial. It was subsequently demonstrated that monomial prediction and the 3SDPwoU are equivalent in their application [20,21,22,23,24,25,26].

Mixed-integer linear programming (MILP) has emerged as a groundbreaking tool in the realm of automated cryptanalysis. MILP’s ability to model complex cryptographic operations through linear inequalities offers a systematic and efficient approach to uncovering potential weaknesses in cipher algorithms [27,28,29,30,31]. By translating cryptographic structures into MILP models, researchers can leverage powerful computational techniques to analyze and break ciphers in ways that were previously unfeasible, making it an indispensable tool in modern cryptanalysis [32,33,34,35,36].

Despite the robustness of MILP in integral cryptanalysis, the design of the IIoTBC algorithm did not specifically account for resistance to such analysis. Therefore, assessing IIoTBC’s resilience against integral cryptanalysis using MILP is essential for ensuring its security in industrial IoT environments.

1.3. Our Contributions

Application of Division Property and MILP. We have innovatively applied the division property method and mixed-integer linear programming (MILP) to conduct a comprehensive automated cryptanalysis of the IIoTBC algorithm.

Discovery of Integral Distinguishers. Our analysis has unveiled a 14-round integral distinguisher for IIoTBC System A and a full-round distinguisher for System B, revealing crucial insights into the structural strengths and vulnerabilities of these systems.

Extended Cryptanalysis and Structural Insights. For System A, we extended our findings to a 22-round key recovery, demonstrating the practical impact of the discovered vulnerabilities. In System B, we identified a significant structural issue—the lack of diffusion in its third branch—which highlights a critical area for potential improvement.

Our work represents a significant stride in the automated cryptanalysis of IIoTBC, offering a deeper understanding of its security aspects and potential areas for improvement. By systematically exposing and scrutinizing the algorithm’s vulnerabilities, this research contributes significantly to the advancement of cryptographic security in industrial IoT applications, a domain that is becoming increasingly crucial in our digitally connected world.

1.4. Organization

In Section 2, we review the basics of the $\mathsf{IIoTBC}$ cipher, division property, and MILP-based cryptanalysis. In Section 3, we present the details of constructing the MILP automatic search model and the distinguisher for IIoTBC. The process of key recovery for IIoTBC-A is detailed in Section 4, which is followed by a theoretical elucidation of the distinguisher for IIoTBC-B in Section 5. Finally, Section 6 provides a concise conclusion of our findings.

2. Preliminaries

2.1. Notations

In this subsection, we present the notations used throughout this paper. Let ${\mathbb{F}}_2=\{0,1\}$ and denote ${\mathbb{F}}_2^n$ as the n-bit string over ${\mathbb{F}}_2$. Let $\mathbb{Z}$ denote the integer ring and ${\mathbb{Z}}^n$ denote the set of all n-dimensional vectors with coordinates over $\mathbb{Z}$. For easier expression, we give the description of notations used in this paper in

Table 1. Definition of notation.

Notation	Definition
${\mathbb{F}}_2^n$	the n-bit string over ${\mathbb{F}}_2$
$\mathbb{Z}$	the integer ring
${\mathbb{Z}}^n$	the set of all n-dimensional vectors with coordinates over $\mathbb{Z}$
$a\left[i\right]$	the i-th bit of a
$wt\left(a\right)$	the Hamming weight of a calculated by $wt\left(a\right)={\sum }_{i=0}^{n-1}a\left[i\right]$
${\mathcal{A}}^s$	s successive active bits
${\mathcal{C}}^s$	s successive constant bits
${\mathcal{B}}^s$	s successive balanced bits
${\mathcal{U}}^s$	s successive unknown bits

.

For any $a\in {\mathbb{F}}_2^n$, we define $a\left[i\right]$ as the i-th bit of a, and the Hamming weight $wt\left(a\right)$ is calculated by $wt\left(a\right)={\sum }_{i=0}^{n-1}a\left[i\right]$. Furthermore, for any $\mathit{a}=(a_0,a_1,\cdots ,a_{m-1})\in {\mathbb{F}}_2^{{\ell }_0}\times {\mathbb{F}}_2^{{\ell }_1}\times \cdots \times {\mathbb{F}}_2^{{\ell }_{m-1}}$, the vectorial Hamming weight of $\mathit{a}$ is defined as $Wt\left(\mathit{a}\right)=(wt\left(a_0\right),wt\left(a_1\right),\cdots ,wt(a_{m-1}\left)\right)$.

For any $\mathit{k}\in {\mathbb{Z}}^m$ and ${\mathit{k}}^{\prime }\in {\mathbb{Z}}^m$, we define $\mathit{k}⪰{\mathit{k}}^{\prime }$ if $k_i\ge k_i^{\prime }$ for all i. Otherwise, $\mathit{k}⪰̸{\mathit{k}}^{\prime }$. For an integral distinguisher, ${\mathcal{A}}^s$ denotes s successive active bits, ${\mathcal{C}}^s$ denotes s successive constant bits, ${\mathcal{B}}^s$ denotes s successive balanced bits, and ${\mathcal{U}}^s$ denotes s successive unknown bits.

Definition 1 

(Bit Product Function). Let ${\pi }_u\left(x\right)$ be a function from ${\mathbb{F}}_2^n$ to ${\mathbb{F}}_2$. For any $u\in {\mathbb{F}}_2^n$ and $x\in {\mathbb{F}}_2^n$, the bit product function ${\pi }_u\left(x\right)$ is defined as

$${\pi }_u\left(x\right)=\prod _{i=0}^{n-1}x{\left[i\right]}^{u\left[i\right]}.$$

Let ${\mathit{\pi }}_{\mathit{u}}\left(\mathit{x}\right)$ be a function from $({\mathbb{F}}_2^{{\ell }_0}\times {\mathbb{F}}_2^{{\ell }_1}\times \cdots \times {\mathbb{F}}_2^{{\ell }_{m-1}})$ to ${\mathbb{F}}_2$. For any $\mathit{u}=(u_0,u_1,\cdots ,u_{m-1})\in ({\mathbb{F}}_2^{{\ell }_0}\times {\mathbb{F}}_2^{{\ell }_1}\times \cdots \times {\mathbb{F}}_2^{{\ell }_{m-1}})$, $\mathit{x}=(x_0,x_1,\cdots ,x_{m-1})\in ({\mathbb{F}}_2^{{\ell }_0}\times {\mathbb{F}}_2^{{\ell }_1}\times \cdots \times {\mathbb{F}}_2^{{\ell }_{m-1}})$, the bit product function ${\mathit{\pi }}_{\mathit{u}}\left(\mathit{x}\right)$ is defined as

$${\mathit{\pi }}_{\mathit{u}}\left(\mathit{x}\right)=\prod _{i=0}^{m-1}{\pi }_{u\left[i\right]}\left(x\right[i\left]\right).$$

2.2. IIoTBC Block Cipher

The $\mathsf{IIoTBC}$ algorithm [9] is a lightweight block cipher designed for the security of industrial IoT (IIoT). It features a variable system structure that adapts to different security requirements and is particularly suited for environments with limited hardware resources, such as sensor nodes in IIoT. $\mathsf{IIoTBC}$ works with 128-bit keys and has a block size of 64 bits. It offers two system structures, System A and System B, catering to different microcontroller unit (MCU) capabilities.

2.2.1. System A Structure (IIoTBC-A)

IIoTBC-A is optimized for 8-bit MCUs, which are commonly used in industrial IoT settings. It is based on an eight-branch generalized Feistel structure, as shown in Figure 1.

Each branch undergoes a transformation that involves the use of a function $f_1$, which incorporates steps like AddRoundkey, S-box permutation, and a 1-bit left rotation, as shown in Figure 2. The S-box is as follows.

x	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
S(x)	5	D	9	4	6	3	F	1	B	8	E	0	7	2	C	A

Functions PA1 and PA2 are utilized for the exchange of branch data positions. This is crucial in ensuring data diffusion across the branches.

The algorithm executes these steps for 32 rounds, enhancing the security with each iteration.

2.2.2. System B Structure (IIoTBC-B)

IIoTBC-B is designed for 16-bit MCUs, which offer better data processing capabilities and more memory compared to 8-bit MCUs. Unlike IIoTBC-A, IIoTBC-B uses a four-branch generalized Feistel structure, as shown in Figure 3. This reflects a more complex and secure approach, suitable for the enhanced capabilities of 16-bit MCUs.

A notable feature is its reliance on bit-slice technology. Each of the four branches in IIoTBC-B is represented as a $4\times 4$ matrix. The 64-bit input data are transformed into four slices, setting the stage for branch-specific processing. PB1 is to rearrange the 64-bit data and convert them to the input of four branches.

The function $f_2$ is applied to each branch, with its operation process adding to the cipher’s complexity and security, as shown in Figure 4. Different permutation functions (PB2 and PB3) are used for processing in odd and even rounds, individually. These operation processes of PB1, PB2, and PB3 are shown in Figure 5.

2.3. Bit-Based Division Property

The division property, as introduced in [17], represents an advanced form of the integral property. Its primary function is to leverage the underlying relationships between traditional integral properties like ALL and BALANCE, thereby serving as a potent tool for developing enhanced integral distinguishers. In this subsection, we aim to succinctly revisit the concepts of the division property and outline the key propagation rules associated with the bit-based division property.

Definition 2 

(Division Property). Let $\mathbb{X}$ be a multiset whose elements take values from ${\mathbb{F}}_2^{{\ell }_0}\times {\mathbb{F}}_2^{{\ell }_1}\times \cdots \times {\mathbb{F}}_2^{{\ell }_{m-1}}$ and let $\mathbb{K}$ denote a set of m-dimensional vectors whose i-th element takes a value between 0 and ${\ell }_i$; this fulfills the following conditions:

$$\underset{x\in \mathbb{X}}{⨁}{\mathit{\pi }}_{\mathit{u}}\left(\mathit{x}\right)=\left\{\begin{array}{ccc}unknown\hfill & & \mathit{if}\mathit{there}\mathit{is}\mathit{k}\in \mathbb{K}s.t.\mathit{u}⪰\mathit{k},\hfill \\ 0\hfill & & otherwise.\hfill \end{array}\right.$$

If two vectors ${\mathit{k}}_1$ and ${\mathit{k}}_2$ in $\mathbb{K}$ satisfy that ${\mathit{k}}_1⪰{\mathit{k}}_2$, then ${\mathit{k}}_1$ is redundant and will be removed from $\mathbb{K}$. It is worth noting that, for the bit-based division property, ${\ell }_0,{\ell }_1,\cdots ,{\ell }_{m-1}$ are restricted to 1.

Propagation Rules of Bit-Based Division Property

For the bit-based division property, the rules governing operations such as COPY, XOR, AND, and Rotation are described as follows [37].

Proposition 1 

(COPY [38]). Let F be a COPY function, where the input is $x\in {\mathbb{F}}_2$ and the output is calculated as $(y_0,y_1)=(x,x)$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input multiset and output multiset, respectively. Assuming that the multiset $\mathbb{X}$ has the division property ${\mathcal{D}}_k^1$, then the multiset $\mathbb{Y}$ has the division property ${\mathcal{D}}_{{\mathbb{K}}^{\prime }}^{1,1}$, where ${\mathbb{K}}^{\prime }$ is computed as

$$\left\{\begin{array}{ccc}{\mathbb{K}}^{\prime }=\left\{(0,0)\right\},\hfill & & \mathit{if}k=0\hfill \\ {\mathbb{K}}^{\prime }=\{(0,1),(1,0)\},\hfill & & \mathit{if}k=1\hfill \end{array}.\right.$$

Proposition 2 

(XOR [38]). Let F be an XOR function, where the input is $(x_0,x_1)\in {\mathbb{F}}_2\times {\mathbb{F}}_2$ and the output is calculated as $y=x_0\oplus x_1$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input multiset and output multiset, respectively. Assuming that the multiset $\mathbb{X}$ has the division property ${\mathcal{D}}_{\mathit{k}}^{1,1}$, then the multiset $\mathbb{Y}$ has the division property ${\mathcal{D}}_{{\mathbb{K}}^{\prime }}^1$, where ${\mathbb{K}}^{\prime }$ is computed as

$$\left\{\begin{array}{ccc}{\mathbb{K}}^{\prime }=\left\{\left(0\right)\right\},\hfill & & \mathit{if}\mathit{k}=(0,0)\hfill \\ {\mathbb{K}}^{\prime }=\left\{\left(1\right)\right\},\hfill & & \mathit{if}\mathit{k}=(0,1)\mathit{or}(1,0)\hfill \\ {\mathbb{K}}^{\prime }=\varnothing ,\hfill & & \mathit{if}\mathit{k}=(1,1)\hfill \end{array}.\right.$$

Proposition 3 

(AND [38]). Let F be an AND function, where the input is $(x_0,x_1)\in {\mathbb{F}}_2\times {\mathbb{F}}_2$ and the output is calculated as $y=x_0\wedge x_1$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input multiset and output multiset, respectively. Assuming that the multiset $\mathbb{X}$ has the division property ${\mathcal{D}}_{\mathit{k}}^{1,1}$, then the multiset $\mathbb{Y}$ has the division property ${\mathcal{D}}_{{\mathbb{K}}^{\prime }}^1$, where ${\mathbb{K}}^{\prime }$ is computed as

$$\left\{\begin{array}{ccc}{\mathbb{K}}^{\prime }=\left\{\left(0\right)\right\},\hfill & & \mathit{if}\mathit{k}=(0,0)\hfill \\ {\mathbb{K}}^{\prime }=\left\{\left(1\right)\right\},\hfill & & otherwise\hfill \end{array}.\right.$$

Proposition 4 

(Rotation). Let F be a Left Rotation function, where the input is $(x_0,x_1,\cdots ,x_{m-1})\in {\mathbb{F}}_2^m$ and the output is calculated as $(x_t,\cdots ,x_{m-1},x_0,\cdots ,x_{t-1})$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input multiset and output multiset, respectively. Assuming that the multiset $\mathbb{X}$ has the division property ${\mathcal{D}}_{\mathit{k}}^{1,1}$, then the multiset $\mathbb{Y}$ has the division property ${\mathcal{D}}_{{\mathbb{K}}^{\prime }}^1$, where ${\mathbb{K}}^{\prime }$ is computed as

$$\begin{array}{cc}& {\mathbb{K}}^{\prime }=(k_t,\cdots ,k_{m-1},k_0,\cdots ,k_{t-1}),\hfill \\ & \mathit{from}\mathit{all}\mathit{k}=(k_0,k_1,\cdots ,k_{m-1})\in \mathbb{K}.\hfill \end{array}.$$

Todo, in [39], posited that analyzing the propagation of the division property through a block cipher essentially involves the transition of vectors. Let $f_r$ represent the round function of a block cipher and $D_{\mathit{k}}^{n,m}$ denote a given initial division property. Following the rules detailed in [39], the initial division property $D_{\mathit{k}}^{n,m}$ propagates through the round function $f_r$ to yield the division property $D_{\mathbb{K}}^{n,m}$, where $\mathbb{K}$ comprises a set of vectors in ${\mathbb{Z}}^m$. Therefore, the process of division property propagation through $f_r$ fundamentally constitutes a transition from $\mathit{k}$ to the vectors within $\mathbb{K}$.

Definition 3 

(Division Trail). Let $f_r$ denote the round function of an iterated block cipher. Assume that the input multiset to the block cipher has initial division property $D_{\mathit{k}}^{n,m}$, and denote the division property after i-round propagation through $f_r$ by $D_{{\mathbb{K}}_i}^{n,m}$. Thus, we have the following chain of division property propagations:

$$\left\{\mathit{k}\right\}\stackrel{def}{=}{\mathbb{K}}_0\stackrel{f_r}{⟶}{\mathbb{K}}_1\stackrel{f_r}{⟶}{\mathbb{K}}_2\stackrel{f_r}{⟶}\cdots$$

Moreover, for any vector ${\mathit{k}}_i^{*}$ in ${\mathbb{K}}_i$ ($i\ge 1$), there must exist a vector ${\mathit{k}}_{i-1}^{*}$ in ${\mathbb{K}}_{i-1}$ such that ${\mathit{k}}_{i-1}^{*}$ can propagate to ${\mathit{k}}_i^{*}$ by division property propagation rules. Furthermore, for $({\mathit{k}}_0,{\mathit{k}}_1,\cdots ,{\mathit{k}}_r)\in {\mathbb{K}}_0\times {\mathbb{K}}_1\times \cdots \times {\mathbb{K}}_r$, if ${\mathit{k}}_{i-1}^{*}$ can propagate to ${\mathit{k}}_i^{*}$ for all $i\in \{1,2,\cdots ,r\}$, we call $({\mathit{k}}_0,{\mathit{k}}_1,\cdots ,{\mathit{k}}_r)$ an r-round division trail.

2.4. MILP Automatic Cryptanalysis

MILP automates the process of identifying weak points in cryptographic algorithms. It can efficiently handle large, complex systems, making it an invaluable tool in assessing modern cryptographic methods, which are often too complex for manual analysis. Central to MILP are the following key elements:

• Objective Function: The cornerstone of any MILP problem is its objective function, a linear expression that the solution process seeks to maximize or minimize. This function encapsulates the goal of the optimization, such as cost minimization or profit maximization.

  Maximize: $20x+30y$
• Decision Variables: These are the variables whose values need to be determined. In MILP problems, these variables can be integers, binary (0 or 1), or continuous.

  $x,y$
• Constraints: Constituting the backbone of the problem, constraints are linear equations or inequalities that limit the values of decision variables. They ensure that the solution adheres to practical conditions or business rules.

  $2x+y\le 100$, and $x+2y\le 40$
• Parameters: These are known numerical values within the problem, used to define the constraints and the objective function. Variable Bounds: These define the permissible range (upper and lower limits) for the decision variables.

  $x,y\ge 0$ and $x,y$ are integers

Together, these components form the basis of MILP, enabling it to tackle a wide range of optimization problems by finding the best possible solution under given constraints. Within the domain of MILP, Gurobi 10.0.3 http://www.gurobi.com/ (accessed on 10 December 2023) stands out as a pivotal optimization solver, offering a robust and efficient platform for tackling MILP problems. Solving an MILP problem using Gurobi involves a structured process. An outline of the typical workflow is given as follows

• Setup and Initialization
  • Import the Gurobi library in your programming environment:
    from gurobipy import Model, GRB.
  • Initialize a new model:
    m = Model("model_name").
  • Define variables with types (integer, binary, continuous) and bounds:
    x = m.addVar(vtype=GRB.INTEGER, name="x"),
    y = m.addVar(vtype=GRB.INTEGER, name="y").
• Objective Function
  • Set the objective (maximization or minimization):
    m.setObjective(20*x + 30*y, GRB.MAXIMIZE).
• Adding Constraints
  • Formulate and add constraints to the model:
    m.addConstr(2*x + 3*y <= 100, "constraint_name1"),
    m.addConstr(x + 2*y <= 40, "constraint_name2").
• Optimization
  • Optimize the model using: m.optimize().
  • Optionally, tune parameters for complex problems.
• Solution Extraction and Analysis
  • Check the solution status and ensure an optimal solution is found:
    m.status == GRB.Status.OPTIMAL
  • Retrieve and analyze the results ("x.x", "y.x", the objective function value "m.objVal").

.

MILP provides the theoretical and practical framework for complex optimization problems, while Gurobi offers the technological prowess and computational efficiency to solve these problems effectively. This synergy is integral to the field of optimization, driving both academic research and practical applications forward.

3. Automatic Search Model for IIoTBC

3.1. Initial Bit-Based Division Property and Stop Rules

3.1.1. Initial Division Property

In the context of integral distinguisher search algorithms, an initial division property denoted as $D_{\mathit{k}}^{1,n}$, symbolized by a vector $\mathit{k}=(k_0,\dots ,k_{n-1})$, is often provided. Consider a division trail over r rounds, expressed as

$$(a_0^0,\dots ,a_{n-1}^0)\to \dots \to (a_0^r,\dots ,a_{n-1}^r).$$

(1)

Here, $\mathcal{L}$ represents a system of linear inequalities defined on the variables $a_i^j$ (where $i=0,\dots ,n-1$ and $j=0,\dots ,r$) along with some auxiliary variables. It is necessary to incorporate the conditions $a_i^0=k_i$ (for $i=0,\dots ,n-1$) into the system $\mathcal{L}$. Consequently, all feasible solutions of $\mathcal{L}$ are division trails commencing from the vector $\mathit{k}$.

In the case of $\mathsf{IIoTBC}$ ciphers, the data complexity of the cipher should be lower than $2^{64}$. To ascertain the longest integral distinguisher within the $\mathsf{IIoTBC}$ framework, we commence by initializing the vector $\mathit{k}$. This vector is configured such that its Hamming weight, denoted by $wt\left(\mathit{k}\right)$, is precisely 63. This initialization results in an initial division property comprising 64 distinct vectors.

3.1.2. Stop Rule

Consider a set $\mathbb{X}$ with the division property $D_{{\mathbb{K}}^{\prime }}^{1,n}$. If $\mathbb{X}$ does not exhibit any integral property, for any $x\in \mathbb{X}$, the projection ${\pi }_u\left(x\right)$ remains unknown for any unit vector $u\in {\left({\mathbb{F}}_2\right)}^n$. Since $\mathbb{X}$ has the division property $D_{{\mathbb{K}}^{\prime }}^{1,n}$, there must exist a vector ${\mathit{k}}^{\prime }\in {\mathbb{K}}^{\prime }$ such that $u⪰{\mathit{k}}^{\prime }$. Given that u is a unit vector, we have $u={\mathit{k}}^{\prime }$, which implies that the set ${\mathbb{K}}^{\prime }$ contains all n unit vectors.

Given a specific initial division vector $\mathit{k}$, our analysis focuses on the division property $D_{{\mathbb{K}}^r}^{1,n}$, which describes the output divisions $(a_0^r,\dots ,a_{n-1}^r)$ after r rounds in a cryptographic cipher. If ${\mathbb{K}}^r$ includes all n unit vectors, it signals the point at which the algorithm should be terminated. This implies that, under the stipulated conditions, an r-round distinguisher is not found. Consequently, the longest possible integral distinguisher, based on the initial division vector $\mathit{k}$, is confined to a maximum of $r-1$ rounds.

Thus, the objective function is

$$Minmize:a_0^r+a_1^r+\dots +a_{n-1}^r$$

(2)

3.2. Modeling Division Propagation Using Linear Inequalities

The IIoTBC algorithm incorporates several fundamental operations, including COPY, XOR, rotation, and S-box. In the following subsections, we introduce models for the propagation of the bit-based division property associated with S-box operations.

Model S-Box

To construct the linear inequality system for an S-box, we first apply the table-aided bit-based division property, generating the S-box’s propagation table. Following this, the inequality_generator() function within the Sage 10.2 http://www.sagemath.org/ (accessed on 10 December 2023) framework is employed to derive a set of linear inequalities [38]. It is noteworthy, however, that the resultant number of linear inequalities can be substantial, occasionally to the extent that their complete integration into the MILP model leads to computational impracticality.

To mitigate this challenge, Sun et al. [40] introduced a method termed the greedy algorithm, aimed at reducing the size of this inequality set. In the context of the $\mathsf{IIoTBC}$ S-box analyzed using Sage, the initial count of linear inequalities stands at 84. Application of the greedy algorithm (as described in Algorithm 1 of [38]) effectively reduces this number to 10. The following inequalities are 10 inequalities used to describe the $\mathsf{IIoTBC}$ S-box, where $(a_0,a_1,a_2,a_3)⟶(b_0,b_1,b_2,b_3)$ denotes a division trial.

$$\left\{\begin{array}{ccc}1a_0+4a_1+1a_2+1a_3-2b_0-2b_1-2b_2-2b_3\hfill & >=\hfill & -1\hfill \\ 0a_0+0a_1+3a_2+0a_3-1b_0-1b_1-1b_2-1b_3\hfill & >=\hfill & -1\hfill \\ -2a_0+0a_1-1a_2-1a_3+4b_0+2b_1+3b_2+3b_3\hfill & >=\hfill & 0\hfill \\ 3a_0+0a_1+0a_2+0a_3-1b_0-1b_1-1b_2-1b_3\hfill & >=\hfill & -1\hfill \\ -6a_0-4a_1-3a_2-3a_3+2b_0-1b_1+2b_2+2b_3\hfill & >=\hfill & -11\hfill \\ 0a_0+0a_1+0a_2+3a_3-1b_0-1b_1-1b_2-1b_3\hfill & >=\hfill & -1\hfill \\ -2a_0-2a_1-4a_2-4a_3+1b_0+1b_1+2b_2-1b_3\hfill & >=\hfill & -9\hfill \\ -1a_0-1a_1-2a_2-2a_3+5b_0+5b_1+5b_2+4b_3\hfill & >=\hfill & 0\hfill \\ -1a_0+0a_1+0a_2-1a_3+0b_0-1b_1+1b_2+0b_3\hfill & >=\hfill & -2\hfill \\ 0a_0+1a_1+0a_2+0a_3-1b_0+0b_1-1b_2+0b_3\hfill & >=\hfill & -1\hfill \end{array}\right.$$

3.3. Model and Distinguisher of IIoTBC-A and IIoTBC-B

Up to this point, for block ciphers based on the three operations (COPY, AND, XOR) and S-boxes, we can construct a set of linear inequalities that characterize the division property propagation for one round. By iterating this process r times, a linear inequality system L can be formulated, describing r rounds of division property propagation. All feasible solutions of L correspond to all possible r-round division trails. Let $\mathcal{A}$, $\mathcal{C}$, $\mathcal{B}$, and $\mathcal{U}$ represent ACTIVE, CONSTANT, BALANCE, and UNKNOWN bits, respectively.

3.3.1. 1-Round Description of IIoTBC-A

Consider a one-round division trail of IIoTBC-A, denoted as $(a_0^i,\cdots ,a_{63}^i)\to (a_0^{i+1},\cdots ,a_{63}^{i+1})$. IIoTBC-A utilizes an eight-branch generalized Feistel structure, and thus the first modeling step addresses the COPY operation for the four left branches. The outputs of this COPY operation serve as inputs to the round function $f_1$ and the permutations (PA1 or PA2), guiding the division property propagation. This is represented by the set of following equations:

$${\mathcal{L}}_1:\left\{\begin{array}{c}{a}_j^i-b_j^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{0,\cdots ,7,16,\cdots ,23,32,\cdots ,39,48,\cdots ,55\}.\hfill \end{array}\right.$$

Here, $b_j^i$ and $c_j^i$ correspond to the inputs for the round function $f_1$ and the permutations, respectively. The function $f_1$ in IIoTBC-A consists of two parallel S-boxes coupled with a left rotation. The division trails for these S-boxes are calculated as detailed in Section 3.2 and modeled through a series of linear inequalities. Considering the presence of four parallel instances of $f_1$ in IIoTBC-A, we introduce 10 inequalities for each S-box, leading to a total of $10\times 8=80$ inequalities for the eight S-boxes, collectively denoted as ${\mathcal{L}}_2$. The output of the S-boxes is denoted by $d_j^i$, and the division trails for these eight S-boxes are defined as

$${\mathcal{L}}_2:\left\{\begin{array}{c}(b_j^i,b_{j+1}^i,b_{j+2}^i,b_{j+3}^i)\stackrel{\text{S-box}}{\to }(d_j^i,d_{j+1}^i,d_{j+2}^i,d_{j+3}^i)\hfill \\ \mathrm{where}j\in \{0,4,16,20,32,36,48,52\}.\hfill \end{array}\right.$$

Post-processing through four instances of $f_1$ involves an XOR operation with the four right branches, integrated with the left rotation of $f_1$. The output of this XOR operation then becomes the input for the permutation, leading to the following division propagation model:

$${\mathcal{L}}_3:\left\{\begin{array}{c}{a}_j^i+d_{j-7}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{8,\cdots ,14,24,\cdots ,30,40,\cdots ,46,56,\cdots ,62\}\hfill \\ a_j^i+d_{j-15}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{15,31,47,63\}.\hfill \end{array}\right.$$

The permutation layers in IIoTBC-A (PA1 and PA2) simply permute the bits, thereby transforming the vector coordinates $(c_0^i,\cdots ,c_{63}^i)\stackrel{\mathrm{coordinates}}{\to }(a_0^{i+1},\cdots ,a_{63}^{i+1})$.

Consequently, we have formulated a linear inequality system to characterize the division propagation in one round of IIoTBC-A. Iteratively applying this model for r rounds constructs a comprehensive linear inequality system. Integrating a given initial division property $D_{\mathit{k}}^{1,64}$ into this system allows us to use Gurobi to assess the potential existence of an integral distinguisher.

3.3.2. Distinguisher of IIoTBC-A

The longest integral distinguisher that we found for IIoTBC-A is 14 rounds, and the number of chosen plaintexts is $2^{63}$. Some distinguishers are listed as follows, where $\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]$ represents that there is a one-bit CONSTANT in an arbitrary position of these eight bits and that the other seven bits are ACTIVE.

$$(\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8,{\mathcal{A}}^{16},{\mathcal{A}}^{16},{\mathcal{A}}^{16})\stackrel{14\mathrm{Round}}{\to }({\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8)$$

$$({\mathcal{A}}^{16},\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8,{\mathcal{A}}^{16},{\mathcal{A}}^{16})\stackrel{14\mathrm{Round}}{\to }({\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^{16})$$

$$({\mathcal{A}}^{16},{\mathcal{A}}^{16},\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8,{\mathcal{A}}^{16})\stackrel{14\mathrm{Round}}{\to }({\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^8)$$

$$({\mathcal{A}}^{16},{\mathcal{A}}^{16},{\mathcal{A}}^{16},\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8)\stackrel{14\mathrm{Round}}{\to }({\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8)$$

3.3.3. 1-Round Description of IIoTBC-B

Consider the scenario of a one-round division trail in IIoTBC-B. Analogous to IIoTBC-A, IIoTBC-B is structured upon a four-branch Feistel architecture. The initial phase involves the modeling of the COPY operation, which is represented by the set of following equations:

$${\mathcal{L}}_1:\left\{\begin{array}{c}{a}_j^i-b_j^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{0,\cdots ,7,16,\cdots ,23,32,\cdots ,39,48,\cdots ,55\}.\hfill \end{array}\right.$$

Here, $b_j^i$ and $c_j^i$ correspond to the inputs for the round function $f_2$ and the permutations, respectively. The function $f_2$ in IIoTBC-B consists of four parallel S-boxes coupled with a left rotation and a right rotation. Considering the presence of two parallel instances of $f_2$ in IIoTBC-B, we introduce 10 inequalities for each S-box, leading to a total of $10\times 8=80$ inequalities for the eight S-boxes, collectively denoted as ${\mathcal{L}}_2$. The output of the S-boxes is denoted by $d_j^i$, and the division trails for these eight S-boxes are defined as

$${\mathcal{L}}_2:\left\{\begin{array}{c}(b_j^i,b_{j+4}^i,b_{j+16}^i,b_{j+20}^i)\stackrel{\text{S-box}}{\to }(d_j^i,d_{j+4}^i,d_{j+16}^i,d_{j+20}^i)\hfill \\ \mathrm{where}j\in \{0,1,2,3,32,33,34,35\}.\hfill \end{array}\right.$$

Post-processing through two instances of $f_2$ involves an XOR operation with the two right branches, integrated with the left rotation and right rotation of $f_2$. The output of this XOR operation then becomes the input for the permutation, leading to the following division propagation model:

$${\mathcal{L}}_{31}:\left\{\begin{array}{c}{a}_j^i+d_{j-7}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{8,\cdots ,14,40,\cdots ,46\}\hfill \\ a_j^i+d_{j-15}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{15,47\}.\hfill \end{array}\right.$$

$${\mathcal{L}}_{32}:\left\{\begin{array}{c}{a}_j^i+d_{j-9}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{25,\cdots ,31,57,\cdots ,62\}\hfill \\ a_j^i+d_{j-1}^i-c_j^i=0,\hfill \\ \mathrm{where}j\in \{24,56\}.\hfill \end{array}\right.$$

The permutation layers in IIoTBC-B transform the vector coordinates $(c_0^i,\cdots ,c_{63}^i)\stackrel{\mathrm{coordinates}}{\to }(a_0^{i+1},\cdots ,a_{63}^{i+1})$. Consequently, we have formulated a linear inequality system to characterize the division propagation in one round of IIoTBC-B.

3.3.4. Distinguisher of IIoTBC-B

Initially, the data complexity was set to $2^{63}$ to identify the longest possible distinguisher. Subsequent experimentation, however, revealed a noteworthy observation: regardless of the number of rounds, even extending to as many as 100, integral distinguishers were consistently discovered. This led to a strategic adjustment in our approach, where the data complexity was reduced to $2^8$. This alteration in methodology culminated in the identification of several distinguishers. Selected results from this investigative process are presented below.

$$({\mathcal{C}}^{16},{\mathcal{C}}^{16},{\mathcal{C}}^{16},{\mathcal{C}}^8{\mathcal{A}}^8)\stackrel{8\mathrm{Round}}{\to }({\mathcal{U}}^{16},{\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^2{\mathcal{U}}^2{\mathcal{B}}^2{\mathcal{U}}^2,{\mathcal{U}}^{16})$$

$$({\mathcal{C}}^{16},{\mathcal{C}}^{16},{\mathcal{C}}^{16},{\mathcal{A}}^8{\mathcal{C}}^8)\stackrel{9\mathrm{Round}}{\to }({\mathcal{U}}^{16},{\mathcal{U}}^{16},{\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^1{\mathcal{U}}^1{\mathcal{B}}^1{\mathcal{U}}^1{\mathcal{B}}^1{\mathcal{U}}^1{\mathcal{B}}^1{\mathcal{U}}^1)$$

$$({\mathcal{A}}^8\left[{\mathcal{C}}^1{\mathcal{A}}^7\right],{\mathcal{C}}^8{\mathcal{A}}^8,{\mathcal{A}}^{16},{\mathcal{A}}^{16})\stackrel{17\mathrm{Round}}{\to }({\mathcal{U}}^{16},{\mathcal{U}}^{12}{\mathcal{B}}^2{\mathcal{U}}^2,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8)$$

It was observed that when the 16th to 23rd bits remained continuously active, integral distinguishers were invariably identified. This consistent finding underscores the significance of these particular bit positions in the context of the distinguisher’s effectiveness. A comprehensive explanation for this phenomenon is elaborated in Section 5, where we delve into the specifics of this observation and its implications.

$$({\mathcal{C}}^{16},{\mathcal{A}}^8{\mathcal{C}}^8,{\mathcal{C}}^{16},{\mathcal{C}}^{16})\stackrel{\mathrm{Always}}{\to }({\mathcal{B}}^{16},{\mathcal{B}}^{16},{\mathcal{B}}^{16},{\mathcal{B}}^{16})$$

4. Key Recovery of IIoTBC-A

In this section, we focus on key recovery attacks for 22-round IIoTBC-A based on the 14-round distinguisher described in Section 3.

• Integral Distinguisher Utilization. For a set of $2^{63}$ plaintexts, denoted as P, with the form $(\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8,{\mathcal{A}}^{16},{\mathcal{A}}^{16},{\mathcal{A}}^{16})$, the intermediate state after 14 rounds, denoted as $x^{14}$, is of the form $({\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8)$.

It is well established that once an integral characteristic is identified, it can be employed for a key recovery attack. Let f be the Boolean function representing the mapping from the ciphertext of IIoTBC-A to one of the balanced intermediate bits of $x^{14}$ (the output of the integral distinguisher). Our focus is on the following equation:

$$\underset{p\in P}{⨁}{x}^{14}\left[i\right]=\underset{c\in C}{⨁}f\left(c\right)=0$$

(3)

where $x^{14}\left[i\right]$ is any one balanced bit and C is the corresponding set of ciphertexts encrypted from P. In evaluating this equation, we guess the involved subkey bits used in f and check whether the equation holds. Subkey values that violate this equation are filtered out and discarded, leaving the remaining candidates for the correct subkeys.

• Data Preparation We selected a set P of $2^{63}$ plaintexts from the structure $(\left[{\mathcal{C}}^1{\mathcal{A}}^7\right]{\mathcal{A}}^8,{\mathcal{A}}^{16},{\mathcal{A}}^{16},{\mathcal{A}}^{16})$. Each plaintext $p_i\in P$ (for $0\le i\le 2^{63}$) undergoes encryption under the 22-round IIoTBC-A algorithm, yielding the corresponding ciphertext denoted as $x^{22}$. The output, corresponding to these specific inputs after 14 rounds of the encryption process, manifests a distinct characteristic $({\mathcal{U}}^{16},{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8,{\mathcal{U}}^8{\mathcal{B}}^8)$, wherein 24 bits maintain a balanced state. Capitalizing on this phenomenon, particularly the equilibrium observed in the final 4 bits, we advance into the phases of subkey guessing and recovery.
• Subkey Guessing. We initiate our analysis from the starting point of $x^{14}$ [28–30] and continue to trace forward to determine the positions where key guessing is required. The process of deduction is illustrated in Figure 6, where all the yellow-colored $f_1$ functions represent the computations required for reverse decryption. The subkeys used in these $f_1$ functions must either be guessed or deduced.

This process is complemented by considering the structure of the key generation algorithm, and we halt our examination at the round where the total number of guessed key bits is less than 128. The subkey generation is detailed in Appendix A. For rounds 5 to r, the subkey generation method satisfies the following equation:

$$re{g}_u=f_3\left(re{g}_{u-4}\right)\oplus re{g}_{u-5},\mathrm{for}5\le u\le r$$

(4)

where $re{g}_i$ is the subkey for the i-th round.

Consequently, the subkeys required for subsequent rounds can be inferred from the subkeys guessed in earlier rounds, implying that not all necessary subkeys require independent guessing. The subkeys for rounds 15, 16, 17, and 18 necessitate guessing. However, starting from round 19, some subkeys can be computed based on those deduced in previous rounds. By integrating the subkey generations algorithm, we start our deduction from round 15 and proceed to identify the subkeys that need to be guessed. The specific subkeys required for each round, along with the positions of the subkeys that need to be guessed, are detailed in

Table 2. The position of guessing subkey in 15 to 22 rounds.

Round	Guessing Subkey	Computed Subkey
15	28, 29, 30, 31
16	16, 17, 18, 19, 20, 21, 22, 23
17	8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31
18	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23
19	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31
20	0, 1, 3, 4, 5, 7, 8, 9, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31	2, 6, 10, 14, 26, 30
21	0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30	1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31
22	3, 7, 11, 15, 19, 23, 27, 31	0, 1, 2, 4, 5, 6, 8, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26, 28, 29, 30
Sum	126	46

.

For instance, in the case of the 20th round, it is necessary to conjecture the following set of register values:

$$\begin{array}{cc}\{re{g}_{20}\left[i\right]\mid i\in \{\hfill & 0,1,3,4,5,7,8,9,11,12,13,15,16,17,18,19,20,\hfill \\ & 21,22,23,24,25,27,28,29,31\left\}\right\},\hfill \end{array}$$

whereas the remaining values in the set

$$\{re{g}_{20}\left[i\right]\mid i\in \{2,6,10,14,26,30\}\}$$

can be derived using certain subkeys from $re{g}_{16}$ and $re{g}_{19}$, as explained in the following:

$$\begin{array}{ccc}re{g}_{20}\left[2\right]\hfill & =\hfill & S(re{g}_{16}\left[16\right],re{g}_{16}\left[17\right],re{g}_{16}\left[18\right],re{g}_{16}\left[19\right])\oplus re{g}_{19}\left[2\right]\hfill \\ re{g}_{20}\left[6\right]\hfill & =\hfill & S(re{g}_{16}\left[16\right],re{g}_{16}\left[17\right],re{g}_{16}\left[18\right],re{g}_{16}\left[19\right])\oplus re{g}_{19}\left[6\right]\hfill \\ re{g}_{20}\left[10\right]\hfill & =\hfill & S(re{g}_{16}\left[16\right],re{g}_{16}\left[17\right],re{g}_{16}\left[18\right],re{g}_{16}\left[19\right])\oplus re{g}_{19}\left[10\right]\hfill \\ re{g}_{20}\left[14\right]\hfill & =\hfill & S(re{g}_{16}\left[16\right],re{g}_{16}\left[17\right],re{g}_{16}\left[18\right],re{g}_{16}\left[19\right])\oplus re{g}_{19}\left[4\right]\hfill \\ re{g}_{20}\left[26\right]\hfill & =\hfill & S(re{g}_{16}\left[20\right],re{g}_{16}\left[21\right],re{g}_{16}\left[22\right],re{g}_{16}\left[23\right])\oplus re{g}_{19}\left[26\right]\hfill \\ re{g}_{20}\left[30\right]\hfill & =\hfill & S(re{g}_{16}\left[20\right],re{g}_{16}\left[21\right],re{g}_{16}\left[22\right],re{g}_{16}\left[23\right])\oplus re{g}_{19}\left[30\right]\hfill \end{array}$$

The aggregate number of subkeys that require guessing amounts to 126 bits. Specifically, for the 21-round and 20-round scenarios, the bit counts for the guessed subkeys are 118 and 102, respectively. In the context of the 22-round key, 46 subkeys can be computed based on previously guessed keys, necessitating the use of 46 S-boxes.

• Verification and Elimination. Let $f^{-1}$ be the Boolean function representing the mapping from the 22-round ciphertext of IIoTBC-A to the partially balanced intermediate bits of $x^{14}$. After that partial decryption, the $x^{14}\left[28\right]$, $x^{14}\left[29\right]$, and $x^{14}\left[30\right]$ should be balanced.

  $$\begin{array}{c}\underset{c\in C}{⨁}{f}^{-1}\left(c\right)\left[i\right]=\underset{p\in P}{⨁}{x}^{14}\left[i\right]\hfill \end{array}$$

  where $i\in \{28,29,30\}$.

For each ciphertext $c\in C$, the procedure involves using the guessed keys to partially decrypt the ciphertexts, transforming the 22-round ciphertext back to its state after the 14th round. This process requires executing 22 instances of $f_1$.

The integrity of the decrypted data is then assessed against the expected integral property. Should this property be observed, it suggests the possibility of the guessed key bits being correct. Conversely, if the property does not hold, those key bits are discarded, prompting a new set of guesses. The key space under consideration entails a 126-bit guess.

• Complexity Analysis. The number of plaintext–ciphertext pairs required to reliably observe the integral property is $2^{63}$, and the complexity is calculated as $2^{63}$ 22-round IIoTBC-A. Each decryption operation, translating the 22-round ciphertext back to its state after the 14th round, necessitates 22 invocations of $f_1$. In comparison, a full 22-round encryption process requires 88 instances of $f_1$. For the last four rounds, we can conjecture the round key and execute partial decryption, storing the results in a table. The numbers of guessed key bits for these rounds are 32, 32, 32, and 24, with the corresponding requirements of four, four, four, and three instances of $f_1$, respectively. Thus, the complexity is calculated as $2^{32}\times (4/88)\times 3+2^{24}\times (3/88)\approx 2^{29.1}$ IIoTBC-A encryptions. This part can be managed using four tables.

For the remaining four rounds, it is only necessary to guess $126-120$ bits; the rest of the 46 subkeys can be computed from the subkeys above. The number of $f_1$ instances in these rounds is seven, resulting in a complexity of $2^6\times 7/88$ IIoTBC-A encryptions. Therefore, the total complexity is calculated as

$$2^{63}+2^{120}\times (2^6\times 7/88)\approx 2^{122.3}.$$

5. Integral Cryptanalysis of Full IIoTBC-B

In Section 3.3, we present our experimental results, which indicate that when the 16th to 23rd bits of the input are ACTIVE, a distinguisher can invariably be found, irrespective of the number of rounds.

$$({\mathcal{C}}^{16},{\mathcal{A}}^8{\mathcal{C}}^8,{\mathcal{C}}^{16},{\mathcal{C}}^{16})\stackrel{\mathrm{Always}}{\to }({\mathcal{B}}^{16},{\mathcal{B}}^{16},{\mathcal{B}}^{16},{\mathcal{B}}^{16})$$

To theoretically elucidate and substantiate these results, we will next describe the propagation through two rounds of the IIoTBC-B round function. Here, we denote an 8-bit ACTIVE input as x and an 8-bit constant as $C_i$.

• Input: Denote the initial input as $X^1=(C_0,C_2,x,C_3)\left|\right|(C_4,C_5,C_6,C_7)$.
• After S-box and XOR: The output of the first round function is

  $$(C_0,C_1,A^1,C_3^1,C_4,C_5,C_6^1,C_7^1),$$

  where $A^1=f_2(C_0,C_1)[0:8]\oplus x$, $C_3^1=f_2(C_0,C_1)[8:16]\oplus C_3$, $C_6^1=f_2(C_4,C_5)[0:8]\oplus C_6$, and $C_7^1=f_2(C_4,C_5)[8:16]\oplus C_7$.
• Permutation: The output after permutation becomes

  $$Y^1=(C_7^1,C_1,A^1,C_4,C_3^1,C_5,C_6^1,C_0).$$
• Second Round—S-box and XOR: The output after the second-round S-box and XOR operation is

  $$(C_7^1,C_1,A^2,C_4^1,C_3^1,C_5,C_6^2,C_0^1),$$

  where $A^2=f_2(C_7^1,C_1)[0:8]\oplus A^1$, $C_4^1=f_2(C_7^1,C_1)[8:16]\oplus C_4$, $C_6^2=f_2(C_3^1,C_5)[0:8]\oplus C_6^1$, and $C_0^1=f_2(C_3^1,C_5)[8:16]\oplus C_0$.
• Final Output: The final output after the second permutation step is

  $$Y^2=(C_1,C_4^1,A^2,C_7^1,C_6^2,C_3^1,C_5,C_0^1).$$

After two rounds of encryption, the third branch becomes $A^2$, which can be expressed as

$$\begin{array}{cc}\hfill A^2& =f_2(C_7^1,C_1)[0:8]\oplus A^1\hfill \\ & =f_2(C_7^1,C_1)[0:8]\oplus f_2(C_0,C_1)[0:8]\oplus x.\hfill \end{array}$$

Notably, apart from x, all operations within this branch involve constants or operations between constants, thereby ensuring that the third branch exhaustively explores all $2^8$ possible scenarios. As for the other branches, they persistently engage in operations amongst constants, which implies that their outputs also remain CONSTANT. This phenomenon is depicted in Figure 7, where the red lines illustrate the diffusion pattern of the third branch. It is observed that even after two rounds involving PB2 and PB3 operations, the third branch does not diffuse into other branches. Consequently, as long as the eight bits of the third branch are ACTIVE at the input, a distinguisher can consistently be identified, regardless of the number of encryption rounds.

6. Conclusions

This paper has presented a comprehensive cryptanalysis of the IIoTBC algorithm, a cipher paramount in securing industrial IoT environments. Through meticulous research and application of MILP-based automated cryptanalysis, we have successfully unveiled integral distinguishers for both IIoTBC-A and System B, highlighting their respective cryptographic strengths and vulnerabilities.

For IIoTBC-A, the discovery of a 14-round integral distinguisher, followed by a successful 22-round key recovery attack, marks a significant achievement. This finding not only demonstrates the cipher’s susceptibilities but also emphasizes the need for continued vigilance in the design and analysis of cryptographic solutions for IoT systems. The 14-round distinguisher indicates potential weaknesses in the cipher’s structure, which could be exploited in real-world attacks. The subsequent 22-round key recovery further underscores the necessity of evaluating and enhancing the robustness of IIoTBC-A to safeguard sensitive industrial data.

In the case of IIoTBC-B, our identification of a full-round distinguisher represents a substantial advancement in understanding this variant’s security profile. The full-round distinguisher signifies that the entire cipher can be analyzed in a manner that reveals underlying patterns or correlations, which could compromise its security. This discovery is crucial for informing future designs and updates to the IIoTBC-B algorithm, ensuring that it remains a reliable component in IoT security frameworks.

The use of the division property method and MILP-based cryptanalysis in this study has proven to be highly effective. These techniques have allowed for a deeper exploration of the block cipher’s structure and potential security issues, illustrating the power of modern cryptanalytic methods in assessing and enhancing cipher security. By leveraging these advanced methods, we have provided a thorough evaluation of the IIoTBC algorithm, contributing valuable insights that can guide the development of more secure cryptographic solutions for industrial IoT environments.

Moreover, our findings have broader implications for the field of cryptography. They underscore the importance of continuous and rigorous cryptanalysis in the lifecycle of cryptographic algorithms. As the landscape of IoT continues to evolve, so too must the cryptographic methods used to protect it. Our research highlights the necessity for ongoing assessment and innovation to pre-emptively address potential vulnerabilities and ensure the robustness of encryption methods in increasingly complex digital ecosystems.