Abstract
\(\texttt{ACE}\), a second-round candidate of the NIST Lightweight Cryptography Standardization project, is a 16-step iterative permutation that operates on a 320-bit state. It aims to optimize software efficiency and hardware cost for an authenticated encryption (AE) mode and a hashing mode while retaining sufficient security margins. However, the security of this permutation has not been well studied so far. In this paper, an algorithm for searching rebound distinguishers of the \(\texttt{ACE}\) permutation is presented. By applying this algorithm, we obtain the first 14-step rebound attack on the \(\texttt{ACE}\) permutation. The nonlinear function (usually represented as an Sbox) of the \(\texttt{ACE}\) permutation is based on 8-round unkeyed \(\texttt{Simeck}\)-64, abbreviated as \(\texttt{SB}\)-64. By constructing an SMT model, we verify the lower bound on the number of active \(\texttt{SB}\)-64s in differential characteristics of \(\texttt{ACE}\). Then, making use of \(\texttt{SB}\)-64's iterative differentials, we construct 128 11-step/13-step rebound distinguishers and 9 14-step rebound distinguishers for the \(\texttt{ACE}\) permutation, and discuss the complexity of these rebound attacks. All of these attacks are the best known so far, and they reduce the security margin of the \(\texttt{ACE}\) permutation to \(12.5\%\) (2 of 16 steps).
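As an added illustration, not code from the paper or from the ACE submission: a Python model of \(\texttt{SB}\)-64 as 8 unkeyed rounds of the Simeck-64 Feistel network (round function \(f(x) = (x \wedge (x \lll 5)) \oplus (x \lll 1)\), from the Simeck specification), with two helpers for the questions a rebound analysis asks of a single Sbox: estimating the probability of a differential through \(r\) rounds, and collecting conforming pairs for a chosen input/output difference, which is the inbound-phase step of a rebound attack. The per-round constants are placeholders (an assumption; ACE's actual constants are not given on this page); since XOR-ing a constant leaves XOR differences unchanged, the differential counts do not depend on them. The differentials used in the usage block are chosen for illustration and are not the paper's iterative differentials.

```python
"""Toy model of ACE's Simeck box SB-64 and two single-Sbox rebound helpers.
Example code written for this page, not the ACE reference implementation."""
import random

MASK32 = 0xFFFFFFFF
SB64_ROUNDS = 8  # the abstract: SB-64 is 8 rounds of unkeyed Simeck-64

# Assumption (placeholders, not ACE's real constants): one 32-bit constant per
# round, XORed into the Feistel update where Simeck would add a round key.
# XOR-ing a constant never changes an XOR difference, so every differential
# statistic computed below is independent of these values.
PLACEHOLDER_RC = [0xFFFFFFFE | ((0xA5 >> i) & 1) for i in range(SB64_ROUNDS)]


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def simeck_f(x: int) -> int:
    """Simeck round function: (x & (x <<< 5)) ^ (x <<< 1)."""
    return ((x & rotl32(x, 5)) ^ rotl32(x, 1)) & MASK32


def sb64(state, rounds=SB64_ROUNDS, rc=PLACEHOLDER_RC):
    """Unkeyed Simeck-64 Feistel network on a (left, right) pair of 32-bit words."""
    left, right = state
    for i in range(rounds):
        left, right = (right ^ simeck_f(left) ^ rc[i]) & MASK32, left
    return left, right


def sb64_inv(state, rounds=SB64_ROUNDS, rc=PLACEHOLDER_RC):
    """Inverse of sb64: undo the Feistel rounds in reverse order."""
    left, right = state
    for i in reversed(range(rounds)):
        left, right = right, (left ^ simeck_f(right) ^ rc[i]) & MASK32
    return left, right


def xor_pair(a, b):
    return a[0] ^ b[0], a[1] ^ b[1]


def differential_probability(d_in, d_out, rounds, samples, seed=1):
    """Monte-Carlo estimate of Pr[ SB(x) ^ SB(x ^ d_in) == d_out ] over `rounds`
    rounds, for (left, right) differences d_in and d_out."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x = (rng.getrandbits(32), rng.getrandbits(32))
        y, y2 = sb64(x, rounds), sb64(xor_pair(x, d_in), rounds)
        if xor_pair(y, y2) == d_out:
            hits += 1
    return hits / samples


def find_conforming_pairs(d_in, d_out, rounds, trials, seed=2):
    """Inbound-style step of a rebound attack on one Sbox: collect inputs x whose
    pair (x, x ^ d_in) follows the differential d_in -> d_out through `rounds` rounds."""
    rng = random.Random(seed)
    found = []
    for _ in range(trials):
        x = (rng.getrandbits(32), rng.getrandbits(32))
        if xor_pair(sb64(x, rounds), sb64(xor_pair(x, d_in), rounds)) == d_out:
            found.append(x)
    return found


if __name__ == "__main__":
    # One Simeck round sends (0, d) to (d, 0) with probability 1 (only the Feistel
    # swap touches it), and (1, 0) to (2, 1) with probability 1/4: the rotation
    # by 1 contributes bit 1 for sure, while the AND contributes bits 0 and 5
    # each with probability 1/2. Chaining the two gives (0,1) -> (2,1) over two
    # rounds with probability 1/4.
    print("Pr[(0,1)->(1,0), 1 round] =", differential_probability((0, 1), (1, 0), 1, 2000))
    print("Pr[(1,0)->(2,1), 1 round] =", differential_probability((1, 0), (2, 1), 1, 20000))
    print("Pr[(0,1)->(2,1), 2 rounds] =", differential_probability((0, 1), (2, 1), 2, 20000))
    pairs = find_conforming_pairs((1, 0), (2, 1), 1, 100)
    print(len(pairs), "conforming pairs from 100 trials, e.g.", [hex(w) for w in pairs[0]])
```

The sampling helpers are deliberately brute force: with 32-bit halves, exact differential tables of the full 8-round box are out of reach, and a rebound analysis in practice relies on a solver model (as the paper does with SMT) to find high-probability differentials, then on exactly this kind of conforming-pair search to instantiate them.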
Acknowledgements
The authors would like to thank the reviewers for their valuable comments. This work is supported by the National Natural Science Foundation of China (No. 61702537, No. 62172427).
A The Experimental Results on \(\texttt{ACE}\)
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Shi, J., Liu, G., Li, C., Li, Y. (2024). Automated-Based Rebound Attacks on ACE Permutation. In: Oswald, E. (ed.) Topics in Cryptology – CT-RSA 2024. Lecture Notes in Computer Science, vol. 14643. Springer, Cham. https://doi.org/10.1007/978-3-031-58868-6_4
DOI: https://doi.org/10.1007/978-3-031-58868-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58867-9
Online ISBN: 978-3-031-58868-6
eBook Packages: Computer Science (R0)