A New Automatic Tool Searching for Impossible Differential of NIST Candidate ACE

Abstract: The ACE algorithm is a candidate of the Lightweight Cryptography standardization process started by the National Institute of Standards and Technology (NIST) of the USA; it passed the first round and successfully entered the second round. It is designed to achieve a balance between hardware cost and software efficiency for both authenticated encryption with associated data (AEAD) and hashing functionalities. This paper focuses on the impossible differential attack against the ACE permutation, which is the core component of the ACE algorithm. Based on the method of characteristic matrices, we build an automatic searching algorithm that can be used to search for structural impossible differentials and to give the optimal permutation for the ACE permutation and other SPN ciphers. We prove that there is no impossible differential of the ACE permutation longer than 9 steps and construct two 8-step impossible differentials. In the end, we give the optimal word permutation against impossible differential cryptanalysis, which is π′ = (2, 4, 1, 0, 3), and a safer word XOR structure for the ACE permutation.


Introduction
In 2015, to standardize lightweight cryptographic algorithms for specific situations where the current standards are not applicable, the National Institute of Standards and Technology (NIST) of the USA started the Lightweight Cryptography (LWC) standardization process. NIST held two workshops in 2015 and 2016 and published the Federal Register Notice in 2018, announcing the final Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process and calling for nominations, i.e., cryptographic algorithms that provide authenticated encryption with associated data (AEAD) and optional hashing functionalities.
By the submission deadline, NIST had received 57 submission packages. Among them, 56 were accepted as first-round candidates in April 2019, which marked the beginning of the first round of the standardization process [1]. Due to the large number of submissions and the short timeline of the process, NIST decided to eliminate some of the algorithms from consideration early in the first evaluation phase in order to focus analysis on the more promising submissions. In August 2019, NIST announced the 32 candidates that would move on to the second round.
ACE is one of the 32 candidates, designed by Aagaard et al. of the Department of Electrical and Computer Engineering of the University of Waterloo [2]. It is designed to achieve a balance between hardware cost and software efficiency for both authenticated encryption with associated data (AEAD) and hashing functionalities, while also providing sufficient security margins. In the submission package of ACE, the designers analyze its security, focusing primarily on the diffusion behavior, expected upper bounds on the probabilities of differential and linear characteristics, algebraic properties and self-symmetry-based distinguishers. In this paper, we focus on the security margin of ACE against impossible differential cryptanalysis, which has not been considered by the designers or by any attacker so far.
(1) We use the method of characteristic matrices [15] and show that the theoretical security margin of the ACE permutation against impossible differential cryptanalysis is 9 steps.
(2) We build an automatic algorithm that can be used to search for structural impossible differentials and apply it to ACE, showing that the actual security margin of the ACE permutation against impossible differential cryptanalysis is 8 steps.
(3) We further improve our algorithm so that it can search for impossible differentials for all possible word permutations and XOR structures, giving an optimal permutation π = (2, 4, 1, 0, 3) and an optimal XOR structure.
The automatic algorithm in this paper can further be used for other ciphers whose S-boxes are bijective and which permute the sub-blocks of their states. We separate the step function into two parts ("XOR" and "Pbox") and start the automatic algorithm from the characteristic matrices of these two parts. Designers and attackers can use the algorithm by entering the characteristic matrices of "XOR" and "Pbox" respectively. Designers can further fix one part, traverse all possibilities of the other part by traversing all of its possible characteristic matrices, and search for the longest impossible differential of each, obtaining the optimal choice of component against impossible differential cryptanalysis. This paper is organized as follows. In Section 2, we describe the concrete components of the ACE permutation and the methodology of impossible differential cryptanalysis. In Section 3, we prove the security margin of the ACE permutation, give two 8-step impossible differentials of it and present our automatic algorithm. In Section 4, using an improved algorithm, we search for the impossible differentials of all possible word permutations and test the security of other word XORing structures. Section 5 concludes the paper.

The ACE Permutation
The ACE permutation is an iterative permutation with a 320-bit input and a 320-bit output, obtained by iterating the step function s = 16 times. During the encryption/decryption process, the 320-bit value is arranged as the state. In every step, each 320-bit state is divided into five 64-bit words, written as A, B, C, D, E. The step function of ACE consists of a nonlinear function and a linear function. The nonlinear function SB-64 is applied to the even-indexed words (i.e., A, C and E), which is where the permutation's name comes from. The step function is shown in Figure 1. In ACE, the designers take the unkeyed 8-round Simeck block cipher with block size 64 as the nonlinear function. The Simeck block cipher uses a Feistel structure, hence its reduced-round version is nonlinear and bijective, which meets the basic requirement of an S-box. The nonlinear function, or the S-box of the ACE permutation, is denoted by SB-64. The details of SB-64 are shown in Figure 2.

Round and Step Constants
As Figure 1 shows, the step function of ACE is parameterized by $(rc^i_0, rc^i_1, rc^i_2)$ and $(sc^i_0, sc^i_1, sc^i_2)$. For j = 0, 1, 2, $rc^i_j$ and $sc^i_j$ are both 8 bits long and are called the round constants (of Simeck-64) and the step constants (of ACE), respectively. The hexadecimal values of the round constants and step constants are shown in Table 1.

The Linear Function
The linear function of the ACE permutation consists of two parts: a word permutation and a word XORing. We denote the word permutation by π. As Figure 1 shows, the original word permutation is π = {3, 2, 0, 4, 1}, i.e., after applying π, the state A B C D E is transformed to D C A E B. The designers chose it as the linear layer with differential cryptanalysis in mind: this word permutation generates the largest number of active S-boxes per step.

Impossible Differential
Contrary to differential cryptanalysis, impossible differential cryptanalysis does not use high probability differential characteristics to attack ciphers and recover secret keys. Instead, it uses differential characteristics of probability 0 (i.e., impossible differential characteristics).

Definition 1 ([3]). Let f denote a function on an Abelian group A. If for α ∈ A and for an arbitrary x ∈ A there is , then it is called an impossible differential of the function f.

Definition 2 ([3]). For an iterative block cipher, let $\alpha_0$ denote the difference ∆X of the inputs X and X*, and $\alpha_r$ the corresponding r-th round difference ∆C of the outputs C and C*. If $\Pr(\Delta C = \alpha_r \mid \Delta X = \alpha_0) = 0$, then $\alpha_0 \not\to \alpha_r$ is called an r-round impossible differential of the cipher.
The miss-in-the-middle method is one of the most efficient methods for finding impossible differentials. For an iterative block cipher, let $\alpha \to \gamma_1$ be a differential of probability 1 from the encryption side, and $\gamma_2 \leftarrow \beta$ a differential of probability 1 from the decryption side. If $\gamma_1 \neq \gamma_2$, then we can deduce that $\alpha \not\to \beta$ is an impossible differential of the cipher. For different ciphers, the way to find the contradiction in the middle differs, which requires more study of the structure of the cipher itself. In this paper, we focus on structural impossible differential characteristics, which we simply call impossible differentials in the following sections.

Impossible Differential Cryptanalysis of ACE
In this section, we present our results on impossible differential cryptanalysis of the ACE permutation. We prove that there are no impossible differentials of ACE longer than 10 rounds and then find two 8-round impossible differentials of ACE. We also introduce an automatic algorithm for searching impossible differentials, which can be used in the cryptanalysis of other ciphers. Using the automatic algorithm, we conclude the section with the result that the longest impossible differential of ACE is 8 steps, i.e., for ACE there are no impossible differentials longer than 9 steps.

Impossible Differential of ACE
Let F denote an iterative block cipher whose internal state in encryption/decryption is divided into n sub-blocks. We assume that for one round of encryption the input is denoted by $(x_0, x_1, \dots, x_{n-1})$ and the output by $(y_0, y_1, \dots, y_{n-1})$.

Definition 3 (Characteristic Matrix, [15]). (1) The encryption characteristic matrix A is an n × n matrix. The (i, j) entry of A is set to 1 if $y_i$ is affected by $x_j$; otherwise it is set to 0. (2) The decryption characteristic matrix B is an n × n matrix. The (i, j) entry of B is set to 1 if $x_i$ is affected by $y_j$; otherwise it is set to 0.

Definition 4 ([15]). Given n × n characteristic matrices (encryption or decryption) $X = (x_{ij})_{n \times n}$ and $Y = (y_{ij})_{n \times n}$, we define their product X · Y with the product of entries as multiplication and Bitwise-OR as addition, as explained below. The definition of the multiplication between two characteristic matrices expresses the transmission of effect. For two characteristic matrices X and Y, let X · x = y and Y · y = z, where $x = (x_0, x_1, \dots, x_{n-1})$, $y = (y_0, y_1, \dots, y_{n-1})$ and $z = (z_0, z_1, \dots, z_{n-1})$. If the (m, n) entry of Y is 1, then $z_m$ is affected by $y_n$. If the (n, l) entry of X is 1, then $y_n$ is affected by $x_l$. From these two deductions it is apparent that after two-step encryption/decryption, $z_m$ is affected by $x_l$. Conversely, if the (m, n) entry of Y or the (n, l) entry of X is zero (either one of them or both), then $z_m$ is not affected by $x_l$ through $y_n$. In general, $z_m$ might be affected by all n sub-blocks of y, whereas $x_l$ might affect all n sub-blocks of y. As long as there is one sub-block of y that delivers the effect of $x_l$ to $z_m$, regardless of the other sub-blocks, $z_m$ is definitely affected by $x_l$; this is why Bitwise-OR is used as the addition in the multiplication of two characteristic matrices.
The diffusion property of a cipher can be observed through the characteristic matrix. An r-round encryption procedure is denoted by the characteristic matrix raised to the power r. If after r rounds of encryption every entry of the characteristic matrix has become 1, we can deduce that each sub-block affects all 5 sub-blocks after r rounds, i.e., a difference in one sub-block can lead to differences in all 5 sub-blocks after r rounds.
The multiplication between a characteristic matrix and a state difference vector expresses the transformation of the difference. For $\alpha^0$ and $\alpha^1$ of the ACE permutation, the sub-blocks $\alpha^1_1$ and $\alpha^1_2$ are each affected by only one sub-block of $\alpha^0$ ($\alpha^0_2$ and $\alpha^0_0$ respectively), whereas $\alpha^1_0$, $\alpha^1_3$ and $\alpha^1_4$ are affected by more than one sub-block of $\alpha^0$; i.e., if the second and third sub-blocks of $\alpha^0$ are active ($\alpha^0_1 = \alpha^0_2 = 1$), the second sub-block of $\alpha^1$ is active ($\alpha^1_1 = 1$) with probability 1, whereas the fifth sub-block is uncertain. In other words, once a sub-block of the state is affected by more than one sub-block of the previous round's state and all of those are active, this sub-block becomes uncertain. Hence we use real-number addition in this case, so that the active sub-blocks can be read off from the values of the difference vector's entries.

Definition 6. Given n × n characteristic matrices (encryption or decryption) X, Y and a state difference vector $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1})$, we have $X \cdot \alpha = \delta$, where $\delta_i = \sum_{k=0}^{n-1} x_{ik} \cdot \alpha_k$.

Theorem 1. If the encryption/decryption characteristic matrix of a cipher reaches all-one (all the entries of the matrix become 1) after r iterations, the cipher reaches structural total diffusion in the encryption/decryption direction within r rounds.
Proof. The iteration of the characteristic matrix is denoted by the power of the matrix, and the addition in the matrix multiplication is defined as Bitwise-OR. If the entries of the encryption characteristic matrix after r iterations are all equal to 1, then any sub-block of an arbitrary input difference can affect all n sub-blocks. The property of the decryption characteristic matrix holds for the same reason.
Theorem 2. For ACE, there will not be structural impossible differential characteristics longer than 10 steps.
Proof. The encryption characteristic matrix of the ACE permutation, which we denote by A, reaches all-one after 5 rounds of iteration. The structure of the decryption permutation is depicted in Figure 3, from which we obtain the decryption characteristic matrix of ACE, denoted by B; B reaches all-one after 5 rounds of iteration as well. Let $\alpha \to \gamma_1$ be a differential of probability 1 from the encryption direction and $\gamma_2 \leftarrow \beta$ a differential of probability 1 from the decryption direction. If the i-th sub-block of $\gamma_1$ is active whereas the i-th sub-block of $\gamma_2$ is 0, then $\gamma_1 \neq \gamma_2$ with probability 1, and $\alpha \not\to \beta$ is an impossible differential. For the ACE permutation there is no zero difference after 5 rounds in either the encryption or the decryption direction, which means there can be no contradiction in the middle.

An Automatic Impossible Differential Characteristic Searching Tool
In this section, we propose our automatic impossible differential searching algorithm. With this algorithm, one obtains both the length of the longest impossible differential and the actual differential characteristic.
From Section 3.1 we know that a sub-block of a state difference is in one of three circumstances: zero, active or uncertain. The value of the corresponding sub-block of the state difference vector is 0, 1 or n, respectively. Two intermediate state differences $\gamma_1$ and $\gamma_2$ are unequal with probability 1 when there is an i such that the i-th sub-block of one is active while the i-th sub-block of the other is zero. Equivalently, in terms of the corresponding difference vectors, the i-th sub-block of one equals 1 whereas the i-th sub-block of the other equals 0.

Theorem 4. For two intermediate difference vectors $\gamma_1$ and $\gamma_2$, the existence of an i such that the i-th sub-block of $\gamma_1 + \gamma_2$ equals 1 implies the existence of an impossible differential.

The proof of Theorem 4 is simple: the i-th sub-block of $\gamma_1 + \gamma_2$ equals 1 if and only if the i-th sub-block of $\gamma_1$ (resp. $\gamma_2$) equals 1 and the i-th sub-block of $\gamma_2$ (resp. $\gamma_1$) equals 0. Both cases imply a contradiction in the middle round.
According to Theorem 4, we can decide the existence of an impossible differential by observing the sum of the two intermediate difference vectors. If some sub-block of the sum vector equals 1, then there is a contradiction in the middle, which yields an impossible differential. If not, there is no contradiction and no structural impossible differential.

Theorem 5. For ACE, there is no impossible differential longer than 9 steps.

Theorem 5 is proved by practical computer experiment. Using the automatic searching algorithm, we find no 9-step structural impossible differential for the ACE permutation. This is the security margin of the ACE permutation against impossible differential cryptanalysis. If more details of the ACE permutation are taken into consideration, such as the details of SB-64, impossible differentials longer than that may be found. Algorithm 1 gives the pseudo-code of the automatic algorithm for searching m + n step impossible differentials.

Algorithm 1 Automatic algorithm for searching m + n step impossible differentials.

Input: The encryption characteristic matrix A; the decryption characteristic matrix B; the step number m from the encryption direction; the step number n from the decryption direction.
Output: The (m + n)-step impossible differential.
1: for all possible input difference vectors α and output difference vectors β do
2:   for i = 1 to m do α = A × α;
3:   end for
4:   for j = 1 to n do β = B × β;
5:   end for
6:   if α + β has a sub-block equal to 1 then return α ↛ β
7:   end if
8: end for

Security of ACE Permutation
In this section, we use our algorithm to automatically try every possible word permutation and search for their longest impossible differentials. We give the safest word permutation against impossible differential attack using the improved automatic algorithm. Then we change the structure of word XORing and search for the longest impossible differentials of them. By our automatic algorithm, we give the optimal word permutation, which is π = (2, 4, 1, 0, 3), and a safer word XOR structure of ACE.

Security of Word Permutations
The step function of ACE consists of a word permutation and a word XORing. Hence, the characteristic matrix can also be written as the product of two matrices, and the multiplication rule is the same as for the self-multiplication of a characteristic matrix.
According to Definition 4, we divide the encryption/decryption characteristic matrix into an "XOR" matrix and a "Pbox" matrix. We fix "XOR" and traverse all possible "Pbox" matrices. For every possible "Pbox", we search for the longest impossible differential, obtaining the optimal word permutation π = (2, 4, 1, 0, 3), which has the minimum length of impossible differentials. Algorithm 2 gives the pseudo-code of the automatic algorithm that searches for the safest permutation.

Algorithm 2 Automatic algorithm searching for the safest permutation.

Input: The XOR matrix S; the step number r.
Output: The characteristic matrix P of the safest permutation "Pbox".
1: for all characteristic matrices P of a permutation do S = P × S, inverseS = inverseS × inverseP;
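As an added example (not code from the paper), the following Python implements Algorithm 1 and Algorithm 2 on top of Definition 4, Definition 6 and Theorem 4. Because this page does not reproduce the characteristic matrices of ACE, it runs on a constructed 4-word toy XOR layer (S_TOY, one XOR of a bijective F in the role of SB-64) and on the word permutation that turns it into a 4-branch Feistel step; the names trails, contradiction, longest and safest_pbox are this example's own.

```python
# Added example (not the paper's code): Algorithm 1 and Algorithm 2 over
# characteristic matrices. The 4-word toy XOR layer at the bottom is constructed
# for illustration; it is NOT ACE, whose matrices this page does not reproduce.
from itertools import permutations, product

def bool_matmul(X, Y):
    """Definition 4: (X*Y)[i][j] = OR_k (X[i][k] AND Y[k][j])."""
    n = len(X)
    return [[int(any(X[i][k] and Y[k][j] for k in range(n)))
             for j in range(n)] for i in range(n)]

def propagate(X, vec):
    """Definition 6: real-number sum along each row. Entries are 0 (zero),
    1 (active with probability 1) or n (uncertain); a sum > 1 mixes two
    non-zero differences, so it is mapped to n as the paper does."""
    n = len(vec)
    return [s if s <= 1 else n
            for s in (sum(X[i][k] * vec[k] for k in range(n)) for i in range(n))]

def trails(X, max_steps):
    """trails[s][alpha] = difference vector after s steps of X, for every
    non-zero 0/1 activity pattern alpha (the loops of Algorithm 1, tabulated)."""
    pats = [p for p in product((0, 1), repeat=len(X)) if any(p)]
    table = [{p: list(p) for p in pats}]
    for _ in range(max_steps):
        table.append({p: propagate(X, v) for p, v in table[-1].items()})
    return table

def contradiction(g1, g2):
    """Theorem 4: an entry of gamma_1 + gamma_2 equal to 1 means one side is
    active (1) and the other zero (0), so alpha -/-> beta."""
    return any(a + b == 1 for a, b in zip(g1, g2))

def longest(A, B, max_steps):
    """Algorithm 1 for all m, n >= 1 with m + n <= max_steps; returns
    (m + n, alpha, beta, m, n) of one longest impossible differential."""
    fwd, bwd, best = trails(A, max_steps), trails(B, max_steps), (0,)
    for m in range(1, max_steps):
        for n in range(1, max_steps - m + 1):
            for a, g1 in fwd[m].items():
                for b, g2 in bwd[n].items():
                    if m + n > best[0] and contradiction(g1, g2):
                        best = (m + n, a, b, m, n)
    return best

def safest_pbox(S, Sinv, max_steps):
    """Algorithm 2: fix the XOR matrices S (encryption) and Sinv (decryption),
    try every word permutation P (A = P*S, B = Sinv*P^T) and keep the one whose
    longest impossible differential is shortest. Returns (pi, length)."""
    n, best = len(S), None
    for pi in permutations(range(n)):                 # word i takes word pi[i]
        P = [[int(j == pi[i]) for j in range(n)] for i in range(n)]
        Pt = [[P[j][i] for j in range(n)] for i in range(n)]   # matrix of P^-1
        length = longest(bool_matmul(P, S), bool_matmul(Sinv, Pt), max_steps)[0]
        if best is None or length < best[1]:
            best = (pi, length)
    return best

# Constructed toy XOR layer on 4 words: x0 <- x0 XOR F(x1) with F bijective like
# SB-64; it is an involution, so its decryption matrix is S_TOY itself.
S_TOY = [[1, 1, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]
# With pi = (1, 2, 3, 0) the step is the type-1 Feistel
# (x0, x1, x2, x3) -> (x1, x2, x3, x0 XOR F(x1)); A_TOY = P*S_TOY, B_TOY = S_TOY*P^T.
A_TOY = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 1, 0, 0]]
B_TOY = [[1, 0, 0, 1], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]
```

For the toy, longest(A_TOY, B_TOY, 20) reports a 15-step impossible differential (for example α = (1, 0, 0, 0) over 13 encryption steps against β = (0, 1, 0, 0) over 2 decryption steps), and safest_pbox(S_TOY, S_TOY, 20) returns the permutation (1, 2, 3, 0) with that length, since every permutation that leaves some word unmixed admits arbitrarily long impossible differentials.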

Security of XOR Structures
Different XOR structures give a cipher different diffusion properties. If the structure is chosen improperly, it may give an attacker an opening. Hence, in this section, we change the XORing structure of ACE and test the resulting security margins, to see whether the original one is the safest.
In ACE, the state is divided into five words. Three of them are transformed by SB-64, and these three are structurally equivalent. In this section, we consider the cases where the three transformed words are XORed to another three words, and we give three XOR structures that are safer than the original one, as Figure 5 shows.

[Figure 5: the three XOR structures (a), (b) and (c) on the words $A^i$, $B^i$, $C^i$, $D^i$, $E^i$]
To test the diffusion property and the security margin against impossible differential cryptanalysis, we depict the decryption algorithms corresponding to the three cases in Figure 6 and analyze their properties respectively.
(1) … all-one in 4 steps. This means there is also no 9-step impossible differential for structure (a). Using the automatic algorithm, we search all the possibilities, finding no 8-step impossible differential but one 7-step impossible differential of structure (a).
(2) The encryption characteristic matrix of structure (b) is all-one in 4 steps. This means there is no 9-step impossible differential for structure (b). Using the automatic algorithm, we search all the possibilities, finding no 8-step impossible differential but several 7-step impossible differentials of structure (b).
(3) The encryption characteristic matrix of structure (c) reaches all-one in 6 steps. This means there is also no 9-step impossible differential for structure (c). Using the automatic algorithm, we search all the possibilities and find several 8-step impossible differentials of structure (c).
We summarize and compare these three new structures in Table 2, where m denotes the number of steps needed to reach all-one from the encryption direction and n the number of steps needed to reach all-one from the decryption direction. Table 2 shows that structure (a) reaches all-one after 5 steps from the encryption direction and after 5 steps from the decryption direction. This implies that the longest impossible differential of structure (a) may be of 8 steps. However, using the automatic algorithm, we search all the possibilities and find no 8-step impossible differential but one 7-step impossible differential. Structure (b) reaches all-one after 5 and 4 steps from the encryption and decryption directions respectively, while its longest impossible differential is of 7 steps. Structure (c) reaches all-one after 3 and 6 steps from the encryption and decryption directions respectively, while its longest impossible differential is of 8 steps.
From Table 2 we can observe that structures (a), (b) and (c) all have better diffusion properties than ACE. Structures (a) and (b) both have a higher security margin than (c) and ACE, and structure (a) has the fewest 7-step impossible differentials; we therefore conclude that, among them, structure (a) is the optimal XOR structure for the ACE permutation against impossible differential cryptanalysis.

Conclusions
In this paper, we focused on the impossible differential attack against the ACE permutation, which is the core component of the ACE algorithm. We used the method of characteristic matrices and built an automatic algorithm that can be used to search for the longest structural impossible differentials. We gave the security margin of the ACE permutation against impossible differential cryptanalysis, which is 10, and searched for the impossible differentials of the ACE permutation, proving that the ACE permutation does not have impossible differentials longer than 9 steps. We further improved our algorithm to search for impossible differentials for all possible word permutations and gave a safer permutation π = (2, 4, 1, 0, 3). This improved algorithm can be used by designers to choose the permutation with the highest security margin against impossible differential cryptanalysis.

Conflicts of Interest:
The authors declare that they have no conflict of interest regarding this work.

Abbreviations
Notation: Description
word: a 64-bit binary string
step: one round of ACE
s: number of steps
SB-64: nonlinear function of the ACE permutation
A: encryption characteristic matrix of the ACE permutation
B: decryption characteristic matrix of the ACE permutation
$a^i$: the state difference in the i-th step of encryption
$b^i$: the state difference in the i-th step of decryption
$\alpha^i$: the difference vector of $a^i$
$\beta^i$: the difference vector of $b^i$
$\alpha^i_j$, $\beta^i_j$, $a^i_j$ and $b^i_j$: the j-th sub-block of $\alpha^i$, $\beta^i$, $a^i$ and $b^i$