Automated-Based Rebound Attacks on ACE Permutation

Abstract

\(\texttt{ACE}\), a second-round candidate of the NIST Lightweight Cryptography Standardization project, is a 16-step iterative permutation that operates on a 320-bit state. It aims to optimize the software efficiency and hardware cost for authentication encryption (AE) mode and a hashing mode based on sufficient security margins. However, the security of such permutation has not been studied well so far. In this paper, an algorithm is used for searching rebound distinguishers of \(\texttt{ACE}\) permutation. By applying this algorithm, we obtained the first 14-step rebound attack on \(\texttt{ACE}\) permutation. The nonlinear function (ordinary represented as Sbox) of \(\texttt{ACE}\) permutation is based on 8 rounds unkeyed \(\texttt{Simeck}\)-64 abbreviated as \(\texttt{SB}\)-64. By constructing an SMT model, the lower bound on the number of active \(\texttt{SB}\)-64s for the differential characteristics of \(\texttt{ACE}\) has been verified. Then, by making use of \(\texttt{SB}\)-64’s iterative differentials, we construct 128 11-step/13-step rebound distinguishers and 9 14-step rebound distinguishers for \(\texttt{ACE}\) permutation, the complexity of these rebound attacks was also discussed. All these attacks are the best ones so far, and this reduces the security margin of \(\texttt{ACE}\) permutation to \(12.5\%\).

A The Experimental Results on \(\texttt{ACE}\)

Table 7. The 5-round characteristic of \(\texttt{ACE}\) permutation with 4 active \(\texttt{SB}\)-64s

Table 8. The 5-step characteristic of \(\texttt{ACE}\) permutation with optimal probability \(2^{-80}\)

Table 9. The iterative differentials of \(\texttt{SB}\)-64

Table 10. The distribution of characteristics in the iterative differentials \(\alpha \rightleftharpoons \beta \) with probability \(2^{-18.69}\) of \(\texttt{SB}\)-64

Table 11. 13-step rebound distinguishers of \(\texttt{ACE}\) permutation

Table 12. 14-step rebound distinguishers of \(\texttt{ACE}\) permutation

Table 13. The distribution of characteristics in \(S^{0}_{C}\), \(S^3_A\) and \(S^4_A\) with probabilities \(2^{-18.28}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Table 14. The distribution of characteristics in \(S^{2}_{E}\) with probability \(2^{-21.94}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Fig. 6.

14-step rebound distinguisher \(\varOmega ^{14}_0\) of \(\texttt{ACE}\) permutation

Table 15. The distribution of characteristics in \(S^{4}_{C}\) with probability \(2^{-21.46}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Table 16. The distribution of characteristics in \(S^{5}_{A}\) with probability \(2^{-26.44}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Table 17. The distribution of characteristics in \(S^{5}_{C}\) with probability \(2^{-21.54}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Table 18. The distribution of characteristics in \(S^{5}_{E}\) with probability \(2^{-25.72}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)

Table 19. The distribution of characteristics in \(S^{6}_{C}\) with probability \(2^{-20.70}\) for the 14-step rebound distinguisher \(\varOmega ^{14}_0\)