A New Automatic Tool Searching for Impossible Differential of NIST Candidate ACE

Abstract

The ACE algorithm is a candidate of the Lightweight Cryptography standardization process started by the National Institute of Standards and Technology (NIST) of the USA that passed the first round and successfully entered the second round. It is designed to achieve a balance between hardware cost and software efficiency for both authenticated encryption with associated data (AEAD) and hashing functionalities. This paper focuses on the impossible differential attack against the ACE permutation, which is the core component of the ACE algorithm. Based on the method of characteristic matrix, we build an automatic searching algorithm that can be used to search for structural impossible differentials and give the optimal permutation for ACE permutation and other SPN ciphers. We prove that there is no impossible differential of ACE permutation longer than 9 steps and construct two 8-step impossible differentials. In the end, we give the optimal word permutation against impossible differential cryptanalysis, which is ${\pi }^{\prime }=(2,4,1,0,3)$, and a safer word XOR structure of ACE permutation.

1. Introduction

In 2015, to standardize lightweight cryptographic algorithms that are used in some specific situations where current standard is not applicable, the National Institute of Standards and Technology (NIST) of the USA started the Lightweight Cryptography (LWC) standardization process. NIST held two workshops in 2015 and 2016 and published the Federal Register Notice in 2018, announcing the final Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process and calling for nominations, which are cryptographic algorithms that provide authenticated encryption with associated data (AEAD) and optional hashing functionalities.

By the end of submission deadline, NIST received 57 submission packages. Among them, 56 were accepted as first round candidates in April 2019, which marks the beginning of the first round of the standardization process [1]. Due to the large number of submissions and the short timeline of the process, NIST has decided to eliminate some of the algorithms from consideration early in the first evaluation phase in order to focus analysis on the more promising submissions. In August 2019, NIST announced the 32 candidates that will be moving on to the second round.

ACE is one of the 32 candidates designed by Aagaard et al. of Department of Electrical and Computer Engineering of University of Waterloo [2]. It is designed to achieve a balance between hardware cost and software efficiency for both authenticated encryption with associated data (AEAD) and hashing functionalities, also providing sufficient security margins. In the submission package of ACE, designers analysis its security, primarily focusing on the diffusion behavior, expected upper bounds on the probabilities of differential and linear characteristics, algebraic properties and self-symmetry-based distinguishers. In this paper, we focus on the security margin of ACE against impossible differential cryptanalysis, which are not considered by any designers and attackers so far.

Impossible differential cryptanalytic method is a variant of differential cryptanalysis [3]. It can be used to build impossible differential distinguishers, distinguishing ciphers from random permutation. Impossible distinguishers can be further used to distinguish correct round keys, which can be used to recover the secret keys. The concept of impossible differential was proposed respectively by Knudsen [4] and Biham et al. [5] When studying the security of DEAL, Knudsen found that if the round function in the Feistel-structure cipher is bijective, then there will be a natural 5-round impossible differential of the cipher. In EUROCRYPTO 1999, Biham et al. proposed the concept of impossible differential in their study of Skipjack and then describe the miss-in-the-middle method of finding impossible differentials in FSE 1999 [6]. Impossible differential cryptanalysis has been used to attack many well-known iterative block ciphers with very good results (see e.g., [7,8,9,10,11,12,13]). Impossible differential distinguishers are generally of higher rounds than other distinguishers, i.e., compared to other cryptanalytic methods, impossible differential cryptanalysis can always be used to attack more rounds (or steps in this paper). For instance, the 3-round Feistel structure with a bijective round function has a provable security against differential cryptanalysis and linear cryptanalysis [14], but there is a 5-round impossible differential characteristic for it [4].

In this paper, we focus on the impossible differential cryptanalysis against ACE permutation, the core component of ACE algorithm, which are not considered by any designers and attackers so far as we know. The contribution of this paper are as follows:

(1)

We use the method of characteristic matrix [15] and propose that the theoretical security margin of ACE permutation against impossible differential cryptanalysis is of 9 steps.

(2)

We build an automatic algorithm that can be used to automatically search structural impossible differentials and apply it on ACE, giving that the actual security margin of ACE permutation against impossible differential cryptanalysis is of 8 steps.

(3)

We further improve our algorithm that can search for impossible differentials for all possible word permutations and XOR structures, giving an optimal permutation ${\pi }^{\prime }=(2,4,1,0,3)$ and an optimal XOR structure.

The automatic algorithm in this paper can further be used for other ciphers whose S-boxes are bijective and permute sub-blocks of states. We separate the step function into two parts (“XOR” and “Pbox”) and begin the automatic algorithm with the characteristic matrices of these two parts. Designers and attackers can use the algorithm by respectively entering the characteristic matrices of “XOR” and “Pbox”. For designers, they can further fix one part and traverse all the possibilities of the other part, by traversing all the possible characteristic matrix of the other part, and search for the longest impossible differentials of each, giving the optimal choice of component against impossible differential cryptanalysis.

This paper is organized as follows. In Section 2, we describe the concrete components of ACE permutation and the methodology of impossible differential cryptanalysis. In Section 3, we prove the security margin of ACE permutation, give two 8-step impossible differentials of it and present our automatic algorithm. In Section 4, by an improved algorithm, we search for the impossible differentials of all possible word permutations and test the security of other word XORing structures. Section 5 concludes the paper.

2. Preliminary

2.1. The ACE Permutation

The ACE permutation is an iterative permutation with 320-bit input and a 320-bit output after iterating the step function for $s=16$ times. During the encryption/decryption process, the 320-bit value is arranged as the state. Each 320-bit state is divided into five 64-bit words, written as A, B, C, D, E, in every step. The step function of ACE consists of a nonlinear function and a linear function. The nonliniear function $\mathit{SB}\text{-}\mathit{64}$ is applied on even indexed words respectively (i.e., A, C and E), where comes the permutation name. The step function is shown in Figure 1.

2.1.1. The Nonlinear Function SB-64

In ACE, the designers take the unkeyed 8-round Simeck block cipher with block size 64 as the nonlinear function. The Simeck block cipher uses Feistel structure, hence the reduced-round version of it is nonlinear and bijective, which meets the basic requirement of an S-box. The nonlinear function, or the S-box of ACE permutation, is denoted by SB-64. The details of SB-64 are shown in Figure 2.

Let $rc=(q_7,q_6,\dots ,q_0)$, where $q_j\in \{0,1\}$ and $o\le j\le 7$. SB-64 iterate the Simeck-64 block cipher for 8 rounds, with round constant ${\gamma }_j=1^{31}\left|\right|q_j$ taking place of key addition.

2.1.2. Round and Step Constants

As Figure 1 shows, the step function of ACE is parameterized by $(r{c}_0^i,r{c}_1^i,r{c}_2^i)$ and $(s{c}_0^i,s{c}_1^i,s{c}_2^i)$. For $j=0,1,2$, $r{c}_j^i$ and $s{c}_j^i$ are both of 8-bit length, which are called round constant(of Speck-64) and step function(of ACE). The hexadecimal values of the round constant and step constant are shown in

Table 1. Step and round constants of ACE.

Step i	Step Constants $({\mathit{sc}}_0^{\mathit{i}},{\mathit{sc}}_1^{\mathit{i}},{\mathit{sc}}_2^{\mathit{i}})$	Round Constants $({\mathit{rc}}_0^{\mathit{i}},{\mathit{rc}}_1^{\mathit{i}},{\mathit{rc}}_2^{\mathit{i}})$
0–3	(50, 28, 14), (5c, ae, 57), (91, 48, 24), (8d, c6, 63)	(07, 53, 43), (0a, 5d, e4), (9b, 49, 5e), (e0, 7f, cc)
4–7	(53, a9, 54), (60, 30, 18), (68, 34, 9a), (e1, 70, 38)	(d1, be, 32), (1a, 1d, 4e), (22, 28, 75), (f7, 6c, 25)
8–11	(f6, 7b, bd), (9d, ce, 67), (40, 20, 10), (4f, 27, 13)	(62, 82, fd), (96, 47, f9), (71, 6b, 76), (aa, 88, a0)
12–15	(be, 5f, 2f), (5b, ad, d6), (e9, 74, ba), (7f, 3f, 1f)	(2b, dc, b0), (e9, 8b, 09), (cf, 59, 1e), (b7, c6, ad)

.

2.1.3. The Linear Function

The linear function of ACE permutation consists of two parts: a word permutation and a word XORing. We denote word permutation by $\pi$. As Figure 1 shows, the origin word permutation is $\pi =\{3,2,0,4,1\}$, i.e., after applying $\pi$, the state $A\Vert B\Vert C\Vert D\Vert E$ will be transformed to $D\Vert C\Vert A\Vert E\Vert B$. Designers choose it as the linear layer for differential cryptanalysis’s sake. This word permutation generates the largest number of active S-boxes per step.

2.2. Impossible Differential

Contrary to differential cryptanalysis, impossible differential cryptanalysis does not use high probability differential characteristics to attack ciphers and recover secret keys. Instead, it uses differential characteristics of probability 0 (i.e., impossible differential characteristics).

Definition 1

([3]).Let f denote a function on Abel group A. If for $\alpha \in A$, for an arbitrary $x\in A$, there is $f(x+\alpha )-f\left(x\right)\ne \beta$, then $(\alpha \nrightarrow \beta )$ is called a impossible differential of function f.

For instance, we denote an S-box on ${\mathbb{F}}_4$ below:

$\mathbf{x}$	00	01	10	11
$S\left(x\right)$	10	11	01	00

When the input difference is 01, we can compute directly: $S\left(00\right)\oplus S(00\oplus 01)=01$, $S\left(01\right)\oplus S(01\oplus 01)=01$, $S\left(10\right)\oplus S(10\oplus 01)=01$, $S\left(11\right)\oplus S(11\oplus 01)=01$. Then $01\nrightarrow 10$, $01\nrightarrow 11$ are called an impossible differential of this S-box.

Definition 2

([3]).For an iterative block cipher, let ${\alpha }_0$ denote the difference $\Delta X$ of input X and $X^{*}$, ${\alpha }_r$ denote the corresponding r-th round difference $\Delta C$ of output C and $C^{*}$. If $Pr(\Delta C={\alpha }_r|\Delta X={\alpha }_0)=0$, then ${\alpha }_0\nrightarrow {\alpha }_r$ is called an r round impossible differential of the cipher.

The miss-in-the-middle method is one of the most efficient methods. For an iterative block cipher, let $\alpha \to {\gamma }_1$ be a differential of probability 1 from the encryption side, and ${\gamma }_2\leftarrow \beta$ be a differential of probability 1 from the decryption side. If ${\gamma }_1\ne {\gamma }_2$, then we can deduce that $\alpha \nrightarrow \beta$ is an impossible differential of the cipher. For different ciphers, the way to find contradiction in the middle is different, which requires more study on the structure of the cipher itself. In this paper, we focus on structural impossible differential characteristics, which we denote by impossible differential in the next sections.

3. Impossible Differential Cryptanalysis of ACE

In this section, we propose our results of impossible differential cryptanalysis against ACE permutation. We prove that there will not be impossible differentials of ACE longer than 10 rounds and then find two 8-round impossible differentials of ACE. We also introduce an automatic algorithm searching for impossible differentials, which can be used in the cryptanalysis in other ciphers. Using the automatic algorithm, we conclude this section that the longest step of impossible differentials of ACE is 8 step, i.e., for ACE, there will not be impossible differentials longer than 9 steps.

3.1. Impossible Differential of ACE

Let F denote an iterative block cipher, and the internal state of encryption/decryption is divided into n sub-blocks. We assume that for one round of encryption, the input is denoted as ($x_0,x_1,\dots ,x_{n-1}$) and the output is denote as ($y_0,y_1,\dots ,y_{n-1}$).

Definition 3

((Characteristic Matrix) [15]).(1) The encryption characteristic matrix A is an $n\times n$ matrix. The (i, j) entry of A is set to 1 in the case that $y_i$ is affected by $x_j$. Otherwise, the (i, j) entry is set to 0. (2) The decryption characteristic matrix B is an $n\times n$ matrix. The (i, j) entry of B is set to 1 if $x_i$ is affected by $y_j$. Otherwise, the (i, j) entry is set to 0.

Definition 4

([15]).Given $n\times n$ characteristic matrix(encryption or decryption) $X={\left(x_{ij}\right)}_{n\times n}$, $Y={\left(y_{ij}\right)}_{n\times n}$, we define: $X·Y={\left(z_{ij}\right)}_{n\times n}$, where $z_{ij}=x_{i0}·y_{0j}|x_{i1}·y_{1j}|\cdots |x_{i,(n-1)}·y_{(n-1),j}$.

The definition of the multiplication between two characteristic matrices implies the transmission of effect. For two characteristic matrices X and Y, let $X·x=y$, $Y·y=z$, where $x=$($x_0,x_1,\dots ,x_{n-1}$), $y=$($y_0,y_1,\dots ,y_{n-1}$) and $z=$($z_0,z_1,\dots ,z_{n-1}$). If the ($m,n$) entry of Y is 1, then $z_m$ would be affected by $y_n$. If the ($n,l$) entry of X is 1, then $y_n$ would be affected by $x_l$. On the basis of these two deductions, it is apparent that after two-step encryption/ decryption, $z_m$ would be affected by $x_l$. On the contrary, if the ($m,n$) entry of Y or the ($n,l$) entry of X is zero (either one of them or both of them), then $z_m$ would not be affected by $x_l$. In general, $z_m$ might be affected by all the n sub-blocks of y whereas $x_l$ might affect all the n sub-blocks of y. As long as there is one sub-block of y that delivers the effect of $x_l$ to $z_m$, despite other sub-blocks, $z_m$ would definitely be affected by $x_l$, which explains the reason it is Bitwise-OR that is used in the multiplication between two characteristic matrices.

The diffusion property of a cipher can be observed through characteristic matrix. An r round encryption procedure can be denoted by the characteristic matrix to the power of r. If after r round’s encryption, every element of characteristic matrix turns to 1, we can deduce that each sub-block can affect 5 sub-blocks after r rounds, i.e., a difference in one sub-block could lead to differences in every 5 sub-blocks after r rounds.

Definition 5.

Given a state difference $a=(a_0,a_1,\dots ,a_{n-1})$, the corresponding difference vector $\alpha =({\alpha }_0,{\alpha }_1,\dots ,{\alpha }_{n-1})$ is defined as follows:

$${\alpha }_i=\left\{\begin{array}{ll}0& if{a}_i=0\\ 1& if{a}_{i}isactive\\ n\in \mathbb{Z},n\ge 2& if{a}_{i}isuncertain\end{array}\right.$$

The diffusion property of one round encryption/decryption can be described by left multiplying the difference vector by characteristic matrix, i.e., the state difference vector $\alpha =({\alpha }_0,{\alpha }_1,\dots ,{\alpha }_{n-1})$ becomes $A·\alpha$/$B·\alpha$ after one round of encryption/decryption. For multi-round (e.g., r-round) encryption/decryption, the state difference vector will become $A·(A·(A\cdots (A·\alpha )\left)\right)$/$B·(B·(B\cdots (B·\alpha )\left)\right)$.

The multiplication between a characteristic matrix and a state difference vector implies the transformation of difference. For ${\alpha }^0$ and ${\alpha }^1$ of ACE permutation, sub-block ${\alpha }_1^1$ and ${\alpha }_2^1$ are respectively affected only by one sub-block of ${\alpha }^0$ (${\alpha }_2^0$ and ${\alpha }_0^0$), whereas ${\alpha }_0^1$, ${\alpha }_3^1$ and ${\alpha }_4^1$ are affected by more than one sub-blocks of ${\alpha }^0$, i.e., if the second and third sub-block of ${\alpha }^0$ are active (${\alpha }_1^0={\alpha }_2^0=1$), the second sub-block of ${\alpha }^1$ is active (${\alpha }_1^1=1$) with probability 1 whereas the fifth sub-block is uncertain. In other words, once a sub-block of the state is affected by more than 1 sub-blocks of the state of the previous round which are all active, then this sub-block will be uncertain. Hence, we use the real number addition in this case so that we can observe the active sub-blocks by the value of difference vector’s entries.

Definition 6.

Given $n\times n$ characteristic matrices(encryption or decryption) X, Y and a state difference vector $\alpha =({\alpha }_0,{\alpha }_1,\dots ,{\alpha }_{n-1})$, there is: $X·\alpha =\delta$, where ${\delta }_i={\sum }_{k=0}^{n-1}{x}_{ik}·{\alpha }_k$

Theorem 1.

If the encryption/decryption characteristic matrix of a cipher reaches $\mathit{all}\text{-}\mathit{one}$ (all the entries of the matrix become 1) after r iterations, the cipher reaches structural total diffusion in the encryption/ decryption direction within r rounds.

Proof. 

The iteration of characteristic matrix is denoted by the power of the matrix, and the addition in the matrix multiplication is defined as Bitwise-OR. If the entries of the encryption characteristic matrix after r iterations are all equal to 1, then any sub-block of an arbitrary input difference can affect all the n sub-blocks. The property of decryption characteristic matrix is of the same reason. □

Theorem 2.

For ACE, there will not be structural impossible differential characteristics longer than 10 steps.

Proof. 

The encryption characteristic matrix of ACE permutation is $\left[\begin{array}{ccccc}0& 0& 0& 1& 1\\ 0& 0& 1& 0& 0\\ 1& 0& 0& 0& 0\\ 1& 0& 0& 0& 1\\ 0& 1& 1& 0& 0\end{array}\right]$, which we denote as $\mathbb{A}$. This matrix reaches $\mathit{all}\text{-}\mathit{one}$ after 5 rounds of iteration. The structure of decryption permutation is depicted in Figure 3, from which we know the decryption characteristic matrix of ACE is $\left[\begin{array}{ccccc}0& 0& 1& 0& 0\\ 0& 1& 0& 0& 1\\ 0& 1& 0& 0& 0\\ 1& 0& 1& 1& 0\\ 0& 0& 1& 1& 0\end{array}\right]$, denoted by $\mathbb{B}$. $\mathbb{B}$ reaches $\mathit{all}\text{-}\mathit{one}$ after 5 rounds of iteration as well. Let $\alpha \to {\gamma }_1$ be a differential of probability 1 from the encryption direction and ${\gamma }_2\leftarrow \beta$ be a differential of probability 1 from the decryption direction. If the i-th sub-block of ${\gamma }_1$ is active whereas the i-th sub-block of ${\gamma }_2$ is 0, then there is ${\gamma }_1\ne {\gamma }_2$ with probability 1. Then $\alpha \nrightarrow \beta$ is an impossible differential. For ACE permutation, there will not be zero difference after 5 rounds in the encryption/decryption direction, which means there will not be contradiction in the middle. □

Theorem 3.

$(0,0,0,\alpha ,0)\to (\beta ,0,0,0,0)$ and $(0,\alpha ,0,0,0)\to (\beta ,0,0,0,0)$ are two 8-step impossible differentials of ACE.

Proof. 

The transformation of encryption/decryption characteristic matrix of ACE is depicted in Figure 4. We can see that the $(0,0)$ entry of decryption characteristic matrix remains zero one step before $\mathit{all}\text{-}\mathit{one}$. For encryption characteristic matrix, it is the $(1,3)$ entry that remains zero, i.e., $b_0^0$ cannot affect $b_0^4$ and $a_3^0$ cannot affect $a_1^4$. If we set $b_0^0$ active and the sub-blocks of $b^0$ except $b_0^0$ to zero, denoting it by $(\beta ,0,0,0,0)$, then after 4 steps, the output difference will be $(0,?,?,?,?)$. Similarly, we set $a_3^0$ active and the sub-blocks of $a^0$ except $a_3^0$ to zero, denoting it by $(0,0,0,\alpha ,0)$. The differential characteristic from $(0,0,0,\alpha ,0)$ is depicted below:

$$(0,0,0,\alpha ,0)\to (\alpha ,0,0,0,0)\to (0,0,{\alpha }_1,{\alpha }_1,0)\to ({\alpha }_1,{\alpha }_2,0,0,{\alpha }_2)\to ({\alpha }_3,0,{\alpha }_4,?,{\alpha }_2)$$

(1)

It is obvious that $({\alpha }_3,0,{\alpha }_4,?,{\alpha }_2)$ has a contradiction with $(0,?,?,?,?)$ in the first sub-block, then $(0,0,0,\alpha ,0)\to (\beta ,0,0,0,0)$ is an 8-step impossible differential of ACE. The proof of $(0,\alpha ,0,0,0)\to (\beta ,0,0,0,0)$ is of the same method. □

3.2. An Automatic Impossible Differential Characteristic Searching Tool

In this section, we propose our automatic impossible differential searching algorithm. By this algorithm, one can both get the number of the longest impossible differential and the actual differential characteristic.

From Section 3.1 we know that there are three circumstances of the sub-blocks of state difference: zero, active and uncertain. In these three circumstances, the value of the corresponding state difference vector’s sub-block are 0, 1 and n. The two intermediate state difference $r_1$ and $r_2$ are unequal with probability 1 when there is i such that the i-th sub-block of one is active while the i-th block of the other is zero. Equally, considering the corresponding difference vectors, this means the i-th sub-block of one equals to 1, whereas the i-th sub-block of the other equals to 0.

Theorem 4.

For two intermediate difference vector ${\gamma }_1$ and ${\gamma }_2$, the existence of an i-th sub-block of ${\gamma }_1+{\gamma }_2$ equaled to 1 implies the existence of an impossible differential.

The proof of Theorem 4 is simple. Because the i-th sub-block of ${\gamma }_1+{\gamma }_2$ equals to 1 if and only if the i-th sub-block of ${\gamma }_1$/${\gamma }_2$ equals to 1 and the i-th sub-block of ${\gamma }_2$/${\gamma }_1$ equals to 0. Both two occasions imply a contradiction in the middle round.

According to Theorem 4, we can tell the existence of impossible differential by observing the sum of two intermediate difference vectors. If there is a sub-block of the sum vector equaled to 1, then there is a contradiction in the middle, which leads to an impossible differential. If not, it means there is no contradiction and no structural impossible differentials.

Theorem 5.

For ACE, there is no impossible differential longer than 9 steps.

Theorem 5 can be proved by practical computer experiment. Using the automatic searching algorithm, we find no 9-step structural impossible differential for ACE permutation. This is the security margin of ACE permutation against impossible differential cryptanalysis. If taking more details of ACE permutation into consideration, such as the details of $\mathit{SB}\text{-}\mathit{64}$,we may get impossible differentials longer than that. Algorithm 1 provides the pseudo-code of the automatic algorithm for searching $m+n$ step impossible differentials.

Algorithm 1. Automatic algorithm for searching $m+n$ step impossible differentials.

Input: The encryption characteristic matrix A; The decryption characteristic matrix B; The step number m from the encryption direction; The step number n from the decryption direction; Output: The ($m+n$)-step impossible differential 1: for all possible input difference vector $\alpha$, output difference vector $\beta$ do 2:     for i=1 to m do        $\alpha =A\times \alpha$ 3:     end for  4:     for j=1 to m do        $\beta =B\times \beta$ 5:     end for  6:     if $\alpha +\beta$ have a sub-block equaled to 1 then        return$\alpha \nrightarrow \beta$ 7:   end if 8: end for

4. Security of ACE Permutation

In this section, we use our algorithm to automatically try every possible word permutation and search for their longest impossible differentials. We give the safest word permutation against impossible differential attack using the improved automatic algorithm. Then we change the structure of word XORing and search for the longest impossible differentials of them. By our automatic algorithm, we give the optimal word permutation, which is ${\pi }^{\prime }=(2,4,1,0,3)$, and a safer word XOR structure of ACE.

4.1. Security of Word Permutations

The step function of ACE consists of word permutation and word XORing. Hence, the characteristic matrix can also be divided to the multiplication of two matrices, and the multiplication rule is the same as the self-multiplication of characteristic matrix.

According to Definition 4, we divide the encryption/decryption characteristic matrix into “XOR” matrix and “Pbox” matrix. We fix “XOR” and traverse all possible “Pbox”. Within every possible “Pbox”, we search for the longest impossible differential, obtaining the optimal word permutation ${\pi }^{\prime }=(2,4,1,0,3)$ who has the minimum length of impossible differentials. Algorithm 2 depicts the pseudo-code of the automatic algorithm searching for the safest permutation.

Algorithm 2. Automatic algorithm searching for the safest permutation.

Input:  The XOR matrix S; The step number r Output:  The characteristic matrix P of the safest permutation “Pbox” 1: for all characteristic matrix of a permutation do   $S=P\times S$, $inverseS=inverseS\times inverseP$; 2:     for all input difference vector $\alpha$, output difference vector $\beta$ do 3:         for i=1 to m do     $\alpha =S\times \alpha$; 4:         end for 5:         for j=1 to m do     $\beta =inverseS\times \beta$; 6:         end for 7:         if $\alpha +\beta$ does not have any sub-block equaled to 1 then 8:            $//$ For this permutation, the algorithm do not have $m+n$-step impossible differentials     return P 9:         end if 10:     end for 11: end for

4.2. Security of XOR Structures

Different XOR structures will bring different diffusion property of the cipher. If chosen improperly, it may give chance for people to attack the cipher. Hence, in this section, we change the structure of XORing in ACE and test the security margin of them, to see if the original one is the safest.

In ACE, the state is divided into five words. The three of them will be transformed by $\mathit{SB}\text{-}\mathit{64}$ and they are structural equivalent. In this section, we consider the cases that the transformed three words being XORed to another three words and give three XOR structures that are safer than the original one as Figure 5 shows.

To test the diffusion property and security margin against impossible differential cryptanalysis, we depict the decryption algorithm corresponding to the three cases in Figure 6 and analyze their properties prospectively.

(1) The encryption characteristic matrix of (a) structure is $\left[\begin{array}{ccccc}1& 1& 0& 0& 0\\ 0& 1& 1& 0& 0\\ 0& 0& 1& 1& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right]$. It reaches $\mathit{all}\text{-}\mathit{one}$ in 5 steps whereas the decryption characteristic matrix of structure (a), which is $\left[\begin{array}{ccccc}1& 1& 1& 1& 0\\ 0& 1& 1& 1& 0\\ 0& 0& 1& 1& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right]$, reaches $\mathit{all}\text{-}\mathit{one}$ in 4 steps. This means there is also no 9-step impossible differential for (a) structure. By using the automatic algorithm, we search for all the possibilities, finding no 8-step impossible differential but one 7-step impossible differential of (a) structure.

(1) The encryption characteristic matrix of (b) structure is $\left[\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 1& 1& 0& 0\\ 0& 0& 1& 0& 0\\ 1& 0& 0& 1& 1\\ 1& 0& 0& 0& 1\end{array}\right]$. It reaches $\mathit{all}\text{-}\mathit{one}$ in 5 steps whereas the decryption characteristic matrix of structure (b), which is $\left[\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 1& 1& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 0& 0& 1& 1\\ 1& 0& 0& 0& 1\end{array}\right]$, reaches $\mathit{all}\text{-}\mathit{one}$ in 4 steps. This means there is no 9-step impossible differential for (b) structure. By using the automatic algorithm, we search for all the possibilities, finding no 8-step impossible differential but several 7-step impossible differentials of (b) structure.

(3) The encryption characteristic matrix of (c) structure is $\left[\begin{array}{ccccc}1& 0& 0& 0& 1\\ 1& 1& 0& 0& 1\\ 0& 0& 1& 0& 0\\ 0& 0& 1& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right]$. It reaches $\mathit{all}\text{-}\mathit{one}$ in only 3 steps whereas the decryption characteristic matrix of structure (c), which is $\left[\begin{array}{ccccc}1& 0& 0& 0& 1\\ 1& 1& 0& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 0& 1& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right]$, reaches $\mathit{all}\text{-}\mathit{one}$ in 6 steps. This means there is also no 9-step impossible differential for (c) structure. By using the automatic algorithm, we search for all the possibilities and find several 8-step impossible differential of (c) structure.

We conclude and compare these three new structures in

Table 2. Properties of structures.

Structure	m	n	Theoretical Longest Impossible Differentials	Actual Longest Impossible Differentials (Number)
a	5	4	8 steps	7 steps (1)
b	5	4	8 steps	7 steps (6)
c	3	6	8 steps	8 steps (2)
ACE	5	5	9 steps	8 steps (2)

, where m denotes the step number of reaching $\mathit{all}\text{-}\mathit{one}$ from the encryption direction and n denotes the step number of reaching $\mathit{all}\text{-}\mathit{one}$ from the decryption direction.

In Table 2, it is depicted that structure (a) reaches $\mathit{all}\text{-}\mathit{one}$ after 5 steps from the encryption direction. From the decryption direction, structure (a) reaches $\mathit{all}\text{-}\mathit{one}$ after 5 steps. This implies that the longest impossible differential of structure (a) may be of 8 steps. However, by using the automatic algorithm, we search for all the possibilities, finding no 8-step impossible differential but one 7-step impossible differential. For structure (b), it reaches $\mathit{all}\text{-}\mathit{one}$ after 5 and 4 steps from the encryption direction and decryption direction respectively while the longest impossible differential of it is of 7 steps. As for structure (c), it reaches $\mathit{all}\text{-}\mathit{one}$ after 3 and 6 steps from the encryption direction and decryption direction respectively while the longest impossible differential of it is of 8 steps.

From Table 2, we can observe that structure (a), (b) and (c) all have better diffusion property than ACE. Structure (a) and (b) both have higher security margin than (c) and ACE while the (a) structure have the least amount of 7-step impossible differentials, then we can conclude that among them, structure (a) is the optimal XOR structure for ACE permutation against impossible differential cryptanalysis.

5. Conclusions

In this paper, we focused on the impossible differential attack against ACE permutation, which is the core component of ACE algorithm. We used the method of characteristic matrix and built an automatic algorithm that can be used to search for the longest structural impossible differentials. We gave the security margin of ACE permutation against impossible differential cryptanalysis, which is 10, and searched the impossible differentials of ACE permutation, proving that ACE permutation does not have impossible differentials longer than 9 steps. We further improved our algorithm to search for impossible differentials for all possible word permutations and give a safer permutation ${\pi }^{\prime }=(2,4,1,0,3)$. This improved algorithm can be used by designers to choose permutation with highest security margin against impossible differential cryptanalysis.