Searching for impossible subspace trails and improved impossible differential characteristics for SIMON-like block ciphers
Cybersecurity volume 4, Article number: 17 (2021)
Abstract
In this paper, we greatly increase the number of impossible differentials for SIMON and SIMECK by eliminating the 1-bit constraint on the input/output difference, which is a precondition for improving the complexity of attacks. Since the search space grows exponentially when impossible differentials with multiple active bits are sought, we propose an algorithm that greatly reduces the search complexity and finds such trails efficiently. Besides miss-in-the-middle, there is another situation that leads to a contradiction in impossible differentials. We show how this contradiction arises and state its precondition, which we define as miss-from-the-middle. Applying the two approaches together makes our results more comprehensive. This paper gives, for the first time, impossible differential characteristics with multiple active bits for SIMON and SIMECK, leading to a great increase in their number. The results can be verified not only because they cover the state of the art, but also by the MILP model.
Introduction
Due to the continuously growing impact of RFID tags, smart cards and FPGAs, cryptographic algorithms suitable for resource-constrained devices are becoming more and more important. During the last decade, a number of lightweight block ciphers, hash functions and stream ciphers were developed by the research community.
The NSA published two lightweight block cipher families, SIMON and SPECK, in Beaulieu et al. (2015); they are highly optimized and perform well on both hardware and software platforms. Although no design rationale or cryptanalysis was given in Beaulieu et al. (2015), SIMON and SPECK drew great attention from researchers, and a lot of cryptanalysis work has been done since. The designers of SIMON and SPECK gave some design rationale and summarized existing cryptanalysis results in Beaulieu et al. (2017), e.g., linear and differential cryptanalysis (Liu et al. 2017; AlKhzaimi and Lauridsen 2013; Abdelraheem et al. 2015; Chen and Wang 2016; Shi et al. 2014; Qiao et al. 2016), impossible differential and zero-correlation cryptanalysis (Chen et al. 2015; Wang et al. 2014; Chen and Wang 2016), integral cryptanalysis (Kondo et al. 2016; Todo and Morii 2016; Wang et al. 2014; Xiang et al. 2016) and so on for SIMON.
Yang et al. proposed SIMECK in Yang et al. (2015). It uses the round function of SIMON with the circular-shift parameters (8, 1, 2) changed to (0, 5, 1), and reuses the round function within the key schedule. This leads to a better performance than SIMON. Cryptanalysis of SIMECK is similar to that of SIMON when related keys are not involved. Comparisons between the two are given in Kölbl and Roy (2015); Kölbl et al. (2015); Qiao et al. (2016); Liu et al. (2017); Wang et al. (2018).
NIST's lightweight cryptography project aims at selecting cryptographic standards suitable for lightweight applications, and many candidates have been submitted to it; 32 algorithms remain in Round 2. These algorithms are based on either lightweight block ciphers or lightweight hash functions, such as PRESENT (Bogdanov et al. 2007), SIMON and SPECK (Beaulieu et al. 2015), SIMECK (Yang et al. 2015), SKINNY (Beierle et al. 2016), GIFT (Banik et al. 2017), Xoodoo (Daemen et al. 2018), PHOTON (Guo et al. 2011), Spongent (Bogdanov et al. 2011) and so on. Three of the candidates, ACE, SPIX and SpoC, are based on the sLiSCP family of permutations proposed in AlTawy et al. (2018a); AlTawy et al. (2018b), which use the SIMECK S-box (AlTawy et al. 2017). The security evaluation of SIMON-like block ciphers therefore becomes more important.
Our contributions In this paper, we further study the impossible differential characteristics of SIMON-like block ciphers. We provide impossible subspace trails for SIMON and SIMECK by searching subspace trails inversely and applying miss-in-the-middle. We also uncover another situation that leads to a contradiction, which we define as miss-from-the-middle, and supplement the impossible differentials by applying it. All impossible differentials and impossible subspace trails given in this paper can be verified by the MILP model. Our contributions are threefold.
First, we introduce the concept of inverse subspace trails and give search algorithms for them on SIMON-like block ciphers. By applying miss-in-the-middle to inverse subspace trails, we obtain impossible subspace trails for SIMON and SIMECK; a single trail contains a large number of impossible differential characteristics.
Secondly, since the miss-in-the-middle approach cannot cover the state of the art for SIMECK, we study the contradiction condition of the remaining trails and define it as miss-from-the-middle, as an analogue of the well-known miss-in-the-middle method.
Thirdly, all impossible differentials for SIMON and SIMECK obtainable by miss-in-the-middle and miss-from-the-middle can be found efficiently without the 1-bit constraint through our algorithm. The large increase in the number of impossible differentials is a precondition for better attacks.
Related work Biham et al. and Knudsen independently proposed the idea of impossible differential attacks in Biham et al. (1999) and Knudsen (1998), respectively. In such attacks, the adversary discards the key candidates under which a differential characteristic of probability zero would be observed. All existing impossible differential characteristics of SIMON-like block ciphers are obtained under the 1-bit constraint, either by combining truncated differentials with the miss-in-the-middle approach or by automatic search using MILP.
In Wang et al. (2014); Chen et al. (2015); AlKhzaimi and Lauridsen (2013); Abed et al. (2013); Kondo et al. (2016); Boura et al. (2014); Derbez and Fouque (2016); AlTawy et al. (2017); Yang et al. (2015), the impossible differential characteristics for SIMON and SIMECK are all obtained by applying miss-in-the-middle to truncated differentials. The longest impossible differentials cover 11/12/13/16/19 rounds for SIMON32/48/64/96/128, respectively, and 11/13/15 rounds for SIMECK32/48/64, respectively. Sadeghi and Bagheri (2018) gave 15-round and 17-round impossible differential characteristics for SIMECK48 and SIMECK64, respectively, by manually finding the contradiction between two truncated differentials.
Sun et al. proposed an automatic search tool based on Mixed-Integer Linear Programming (MILP) for high-probability differential and linear characteristics (Sun et al. 2014). Sasaki and Todo gave a new MILP-based impossible differential search tool in Sasaki and Todo (2017). However, as shown in Sun et al. (2014), for SIMON-like block ciphers the trails obtained using MILP are not guaranteed to be valid, because of the dependencies among the input bits of the AND operation. Searching impossible differentials of SIMON-like block ciphers by MILP was therefore unreliable until Wang et al. provided an accurate MILP model for SIMON-like block ciphers in Wang et al. (2018). They gave 15-round impossible differentials for SIMECK48 and 17-round ones for SIMECK64, matching the results in Sadeghi and Bagheri (2018), and two new 13-round ones for SIMON64. Leander et al. proposed the invariant subspace attack on PRINTcipher in Leander et al. (2011). Later, Grassi et al. introduced the concept of subspace trail cryptanalysis in Grassi et al. (2016). Leander et al. gave generic algorithms for searching subspace trails and applied them to several ciphers including SIMON (Leander et al. 2018); specifically, they gave 6/8/12-round subspace trails for SIMON32/64/128, respectively, with subspace dimensions 30/62/126, respectively.
Preliminaries
Notations We describe the symbols used in this paper as follows:
0 (boldface): a 4-bit vector with all entries equal to 0, while a plain 0 represents a single bit.
?: a 4-bit vector with any value.
*: the value of one bit is arbitrary.
\(U_{i} \rightarrow U_{i+1}^{j}\) (in Fig. 2): inverse subspace trail from U_{i} to \(U_{i+1}^{j}\), j ∈ J = {0, 1, ...}, which means there are |J| possibilities for U_{i+1}; each \(U_{i+1}^{j} \rightarrow U_{i}\) is a one-round essential subspace trail.
X, Y: X is the plaintext and Y is the ciphertext after one round. X^{L}, X^{R} denote the left and right halves of X, respectively. X^{L}[i] denotes the i-th bit of X^{L} (numbered 0 to n−1 from left to right), i ∈ {0, 1, ⋯, n−1}. X^{L}[i+a] means X^{L}[(i+a) mod n]; we omit (mod n) for simplicity.
ΔX, ΔY: ΔX is the input difference of the round function and ΔY its output difference.
Description of SIMON and SIMECK The SIMON and SIMECK families of lightweight block ciphers are both based on the Feistel construction, using AND as the non-linear operation. The round function of SIMON-like block ciphers is shown in Fig. 1; the rotation parameters are (8, 1, 2) for SIMON and (0, 5, 1) for SIMECK. The parameters of all versions of SIMON and SIMECK are given in Tables 1 and 2, respectively.
In this paper, we focus on the impossible differential characteristics of SIMON-like block ciphers. For simplicity, we recall the rotational invariance of impossible differentials for SIMON from Wang et al. (2014), and only exhibit the impossible subspace trails and impossible differential characteristics for SIMON and SIMECK whose contradiction lies in the i-th bit, i ∈ {0, 1, ..., n−1}.
Rotational invariance Assume that \((0,\Delta R_{i}) \nrightarrow (\Delta L_{j},0)\) is a (j−i)-round impossible differential for SIMON, where \(\Delta R_{i}, \Delta L_{j} \in \mathbb{F}_{2}^{n} \setminus \{0\}\). Then for any r with 0 ≤ r ≤ n−1, \((0,\Delta R_{i} \lll r) \nrightarrow (\Delta L_{j} \lll r,0)\) is also a (j−i)-round impossible differential, so one obtains a set of n such impossible differentials from a single one.
The MILP model Sun et al. proposed an automatic method to evaluate the security of block ciphers using Mixed-Integer Linear Programming (MILP) in Sun et al. (2014). For SIMON-like block ciphers, however, the dependencies among the input bits of the AND operation are not taken into account, so the characteristics for SIMON obtained by MILP in Sun et al. (2014) are not guaranteed to be valid and need a check after solving the model. Sasaki and Todo proposed a new MILP-based tool for searching impossible differentials in Sasaki and Todo (2017). Wang et al. gave an accurate MILP model for SIMON-like block ciphers in Wang et al. (2018), which can also be used to search impossible differentials. We verify all results in this paper with this MILP model: if the impossible differential characteristic holds, the Gurobi optimizer reports ‘Model is infeasible’. In this section, we briefly introduce the MILP model for SIMON-like block ciphers.
Constraints imposed by the ROTATION-AND operation. According to Wang et al. (2018), the ROTATION-AND operation from n bits to n bits can be divided into n groups, each with 3 input difference bits and 2 output difference bits, (Δx_{i}, Δx_{i+t}, Δx_{i+2t}) → (Δd_{i−b}, Δd_{i+t−b}). Here Δx and Δd denote the input and output difference of the ROTATION-AND operation, respectively, (a, b) are the rotation parameters, t = a − b, and i ∈ {0, 1, ..., n−1} (from left to right), omitting mod n for simplicity. Each group then has to satisfy the following inequalities:
Since the constraints imposed by the XOR operation are standard, we do not repeat them here. During verification, we fix the input and output difference in the MILP model and run the Gurobi optimizer; if the model is infeasible, the characteristic with this input and output difference is impossible. All impossible differentials listed in Tables 3 and 4 have been verified by MILP in this way.
Subspace trails Grassi et al. introduced the concept of subspace trails in Grassi et al. (2016) and applied it to AES. Leander et al. gave a generic method for searching subspace trails in Leander et al. (2018). First, we recall the definition of subspace trails.
Definition 1.
(Subspace Trail) Let \(F: \mathbb{F}^{n}_{2} \rightarrow \mathbb{F}^{n}_{2}\). Linear subspaces \(U, V \subseteq \mathbb{F}^{n}_{2}\) are called a (one-round) subspace trail, if
An (r+1)-tuple of subspaces (U_{0}, ⋯, U_{r}) is called a subspace trail (over r rounds), if
Next, we present the definition of an essential subspace trail.
Definition 2.
(Essential Subspace Trail) Let \(F: \mathbb{F}^{n}_{2} \rightarrow \mathbb{F}^{m}_{2}\), \(U \subseteq \mathbb{F}^{n}_{2}\) and \(V \subseteq \mathbb{F}^{m}_{2}\). If U →F V forms a subspace trail, i.e. F(U+a) ⊆ V+b, and if for all subspaces \(U' \subseteq \mathbb{F}^{n}_{2}\) and \(V' \subseteq \mathbb{F}^{m}_{2}\) the following properties hold, we call U →F V an essential subspace trail:
Truncated differentials were introduced in Knudsen (1994) and generalized to subspaces of differences in Blondeau et al. (2017). Grassi et al. and Leander et al. discussed the link between subspace trails and truncated differentials in Grassi et al. (2016) and Leander et al. (2018), respectively. Because of this close relationship, we represent truncated differentials by subspace trails in this paper.
Impossible differential characteristics can be obtained by applying miss-in-the-middle to truncated differentials. For most block ciphers, existing impossible differential characteristics can be regarded as impossible subspace trails from a dim-1 subspace to a dim-1 subspace. Grassi et al. introduced the concept of impossible subspace trails in Grassi et al. (2016) and combined two-round subspace properties of AES to find them. A natural question is whether impossible subspace trails exist for other block ciphers. Intuitively, in terms of the miss-in-the-middle approach, if there exist two subspace trails X →F Y and Z →F^{−1} W that both hold with probability 1 and such that Y ∩ W = ∅, then there exists an impossible subspace trail from X to Z.
Leander et al. gave a generic approach for searching subspace trails in Leander et al. (2018). For S-box layers without linear structures, i.e. word-based block ciphers, a subspace trail starting from a subspace U_{0} with only one active S-box is provably optimal. For those with linear structures, i.e. bit-based block ciphers, a subspace trail starting from a subspace U_{0} with only one active bit is not necessarily optimal. However, since traversing all dim-1 subspaces costs O(2^{n}) time, existing search algorithms only consider U_{0} with one active bit. This strongly limits the number of impossible differential characteristics that can be found. To this end, we introduce the concept of inverse subspace trails. As for subspace trails, we need to find an essential trail U →F V with dim(U) ≤ dim(V). The difference is that for subspace trails we compute V given U, and V is unique; for inverse subspace trails we compute U given V, and U may have many possibilities. In this paper, we refer to subspace trails that are searched inversely as inverse subspace trails.
An (r+1)-tuple of subspaces (U_{0}, ⋯, U_{r}) is called an inverse subspace trail (over r rounds), if
For two inverse subspace trails \((U_{0},\cdots,U_{r_{a}})\) and \((V_{0},\cdots,V_{r_{b}})\), if U_{0} ∩ V_{0} = ∅, then we have an (r_{a}+r_{b}−1)-round impossible subspace trail. Unlike previous work, we consider the case where \(\dim(U_{r_{a}}), \dim(V_{r_{b}}) \geq 1\); under this condition, one impossible subspace trail may contain many more impossible differential characteristics, whose input and output differences may have more than one active bit. In this way we greatly increase the number of impossible differential characteristics for SIMON and SIMECK. In addition, we reveal another reason that leads to the contradiction in impossible differential trails.
Automatic search of impossible subspace trails
For a subspace V of high dimension, there may exist multiple essential U such that dim(U) ≤ dim(V) and U →F V. Thus, as the number of rounds increases, the branches multiply exponentially. In general, we need to traverse all branches to find the longest trail, at a complexity of O(2^{n}). This is why, for most bit-based block ciphers, the longest trail cannot be found by searching inversely. For SIMON-like block ciphers, however, things are different. They show a special property regarding the (inverse) diffusion of differences, which leads to at most 2^{R} branches for an R-round inverse subspace trail. This property is described in Theorem 2. It is therefore feasible to traverse all subspace trails inversely to find the longest one, and to give the longest impossible subspace trails by combining them with the miss-in-the-middle approach. In this section, we explain this special property of SIMON-like block ciphers in detail and present the impossible subspace trails for SIMON and SIMECK.
Search strategy Leander et al. gave a search algorithm for subspace trails in Leander et al. (2018). They started from a dim-1 subspace and made the error probability negligible by using a large number of plaintexts. Their method was applied to several block ciphers, and the resulting subspace trails matched existing truncated differentials well. Note that for word-based block ciphers, starting the search from a dim-1 subspace with one active S-box always leads to provably optimal subspace trails. This is not the case for bit-based block ciphers, for which traversing all dim-1 subspaces costs O(2^{n}), where n is the block size. Since this time cost is too high, Leander et al. chose to traverse only the dim-1 subspaces with one active bit.
A similar question exists when searching impossible differential characteristics of bit-based block ciphers. Whether by applying miss-in-the-middle to truncated differentials or by automatic search with MILP, the trails found have only one active bit in the input and output differences. Intuitively, it seems reasonable that the longest impossible differential trails are found under this condition, considering the diffusion property of block ciphers. But do the longest trails exist only under this condition? In this subsection, we go further into this question by searching subspace trails inversely and applying the miss-in-the-middle approach.
For searching subspace trails, traversing all dim-1 subspaces takes too much time, so we choose to search subspace trails from the opposite direction. To be exact, we start from a subspace V of high dimension, e.g., dim(V) = n−1, and the dimension decreases as the number of rounds increases. Note that an essential trail from a low-dimension subspace to a high-dimension subspace over the round function is unique, but the inverse is not true: there may exist several trails from a high-dimension subspace to a low-dimension one. We refer readers to Fig. 2, which shows the case of SIMON32, and Table 5, which lists the values of the variables used in Fig. 2.
At first sight, either strategy takes too much time, and this is due to the XOR operation: in the equation a ⊕ b = c, when the value of one variable is fixed, the other two variables still have two possible assignments, which leads to two branches.
Thus, intuitively, for SIMON-like block ciphers the number of branches grows exponentially with the number of rounds. However, by our observation, not every fixed bit leads to branches for SIMON-like block ciphers; as shown in Theorem 2, only a small number of them do. Assume that the initial subspace has only one fixed difference bit and denote the number of rounds of the inverse subspace trail by r; then there are at most 2^{r} branches. Hence we prefer a breadth-first strategy to search the inverse subspace trails of SIMON-like block ciphers, as shown in Algorithm 1, and then obtain impossible subspace trails by applying the miss-in-the-middle approach.
Theorem 1.
(Difference property for ROTATION-AND) Let \(F: \mathbb{F}_{2}^{n} \rightarrow \mathbb{F}_{2}^{n}\), F(x) = S^{a}(x) ⊙ S^{b}(x). Let Δx and Δd denote the input and output differences of F, respectively. If Δd_{i} = 0 with probability 1, then Δx_{i+a} = 0 and Δx_{i+b} = 0.
Proof
We have
If P(Δd_{i}=0)=1, then the value of Δd_{i} must not depend on any bit of the plaintext. It follows that Δx_{i+a}=0 and Δx_{i+b}=0. □
Theorem 2.
(Difference property for the round function of SIMON-like block ciphers) Let \(F: \mathbb{F}_{2}^{2n} \rightarrow \mathbb{F}_{2}^{2n}\), \(F(X^{L},X^{R}) = (S^{a}(X^{L})\odot S^{b}(X^{L})\oplus S^{c}(X^{L})\oplus X^{R},\; X^{L}) = (Y^{L},Y^{R})\). Let ΔX and ΔY denote the input and output differences of F, respectively; the superscripts L and R denote the left and right halves.
1. If the value of ΔY^{L}[i] is fixed with probability 1, then ΔX^{L}[i+a]=0, ΔX^{L}[i+b]=0 and ΔX^{L}[i+c]⊕ΔX^{R}[i]=ΔY^{L}[i], i∈{0,1,⋯,n−1}.
2. If ΔY^{L}[i+a], ΔY^{L}[i+b] and ΔY^{L}[i+c] are all fixed with probability 1, then there exist 2 branches for the value of ΔX instead of 2^{3}: ΔX^{L}[i+2a, i+a+b, i+2b, i+a+c, i+b+c]=0, ΔX^{R}[i+a]=ΔY^{L}[i+a] and ΔX^{R}[i+b]=ΔY^{L}[i+b]. If ΔY^{L}[i+c]=0, the two branches are (ΔX^{R}[i+c], ΔX^{L}[i+2c])=(0,0) and (1,1); if ΔY^{L}[i+c]=1, the two branches are (ΔX^{R}[i+c], ΔX^{L}[i+2c])=(0,1) and (1,0).
Proof
The first point follows directly from Theorem 1. We now prove the second point. We have
If ΔY^{L}[i+a], ΔY^{L}[i+b] and ΔY^{L}[i+c] are all fixed with probability 1, applying the first point to each of them gives ΔX^{L}[i+2a, i+a+b, i+2b, i+a+c, i+b+c]=0.
Finally,
□
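The expansion of ΔY^{L}[i] on which both points of Theorem 2 rest, written out here as an added illustration in the theorem's own symbols (this is not the paper's text):
\[
\Delta Y^{L}[i] = X^{L}[i+a]\,\Delta X^{L}[i+b] \oplus X^{L}[i+b]\,\Delta X^{L}[i+a] \oplus \Delta X^{L}[i+a]\,\Delta X^{L}[i+b] \oplus \Delta X^{L}[i+c] \oplus \Delta X^{R}[i].
\]
Only the first two terms depend on the value of X^{L}, so ΔY^{L}[i] is constant over all X^{L} exactly when ΔX^{L}[i+a] = ΔX^{L}[i+b] = 0, and then ΔY^{L}[i] = ΔX^{L}[i+c] ⊕ ΔX^{R}[i] (point 1). Applying point 1 at i+a, i+b and i+c gives
\[
\Delta X^{L}[i+2a] = \Delta X^{L}[i+a+b] = \Delta X^{L}[i+2b] = \Delta X^{L}[i+a+c] = \Delta X^{L}[i+b+c] = 0
\]
together with the three equations
\[
\Delta X^{L}[i+a+c] \oplus \Delta X^{R}[i+a] = \Delta Y^{L}[i+a],\qquad
\Delta X^{L}[i+b+c] \oplus \Delta X^{R}[i+b] = \Delta Y^{L}[i+b],\qquad
\Delta X^{L}[i+2c] \oplus \Delta X^{R}[i+c] = \Delta Y^{L}[i+c].
\]
In the first two, ΔX^{L}[i+a+c] and ΔX^{L}[i+b+c] are already forced to 0, so ΔX^{R}[i+a] and ΔX^{R}[i+b] are determined uniquely; only the third equation keeps two solutions, which are exactly the two branches of point 2.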
According to Theorem 2, the number of branches of an inverse subspace trail of a SIMON-like block cipher does not grow exponentially in the block size; it grows with the number of rounds R, reaching at most 2^{R}, which is feasible to traverse.
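The miss-in-the-middle combination of two probability-1 truncated differentials (Y ∩ W = ∅ at the meeting round) and the two-branch inverse step of Theorem 2 can both be exercised on the actual round function. The following Python is an added example, not code from the paper or its authors. It assumes the paper's conventions: bit 0 is the leftmost bit of a word, S^{a}(x)[i] = x[(i+a) mod n] (a left rotation by a), the Feistel round of Theorem 2 with a subkey XORed in, rotation parameters (8, 1, 2) for SIMON and (0, 5, 1) for SIMECK, and the 0/1/* notation for truncated differences. forward and backward propagate a truncated difference with probability 1 in the encryption and decryption directions, miss_in_the_middle reports the bit positions where the two meet in a contradiction, inverse_branches enumerates for one round every maximal input pattern U whose image lies in a given output pattern V (the branching of Theorem 2), and sample_check confirms a forward pattern against random pairs on the real round function. All function names and the SIMON32 example at the bottom (the short 4-round (0, e_{0}) ↛ (e_{0}, 0)) are ours, not the paper's.

```python
# Added example (not code from the paper): truncated-difference propagation for
# SIMON-like round functions, the inverse branching of Theorem 2, and a
# miss-in-the-middle check. As in the paper, bit 0 of an n-bit word is the
# leftmost bit and S^a(x)[i] = x[(i+a) mod n], i.e. a left rotation by a bits.
import random

STAR = "*"          # difference bit of arbitrary value ("*" in the paper's notation)
SIMON = (8, 1, 2)   # rotation parameters (a, b, c) as listed in the paper
SIMECK = (0, 5, 1)

def rol(x, r, n):
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def f(x, params, n):  # f(x) = S^a(x) & S^b(x) ^ S^c(x)
    a, b, c = params
    return (rol(x, a, n) & rol(x, b, n)) ^ rol(x, c, n)

def encrypt(L, R, keys, params, n):  # (X^L, X^R) -> (f(X^L) ^ X^R ^ k, X^L) per round
    for k in keys:
        L, R = f(L, params, n) ^ R ^ k, L
    return L, R

def to_pattern(x, n):  # integer -> list of bits, bit 0 leftmost
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def xor(u, v):
    return STAR if STAR in (u, v) else u ^ v

def and_diff(u, v):  # an AND output difference is known (0) only if both inputs are inactive
    return 0 if (u, v) == (0, 0) else STAR

def f_pattern(pat, params, n):
    a, b, c = params
    return [xor(and_diff(pat[(i + a) % n], pat[(i + b) % n]), pat[(i + c) % n]) for i in range(n)]

def forward(L, R, params, n, rounds=1):  # probability-1 truncated differential, encryption direction
    for _ in range(rounds):
        L, R = [xor(u, v) for u, v in zip(f_pattern(L, params, n), R)], L
    return L, R

def backward(L, R, params, n, rounds=1):  # inverse round (Y^L, Y^R) -> (Y^R, Y^L ^ f(Y^R)) is SIMON-like too
    for _ in range(rounds):
        L, R = R, [xor(u, v) for u, v in zip(L, f_pattern(R, params, n))]
    return L, R

def contained(pat, V):  # every fixed bit of V has the same fixed value in pat
    return all(v == STAR or u == v for u, v in zip(pat, V))

def contradiction(p, q):  # positions fixed in both patterns with different values
    return [i for i, (u, v) in enumerate(zip(p, q)) if STAR not in (u, v) and u != v]

def miss_in_the_middle(inL, inR, outL, outR, params, n, r_fwd, r_bwd):
    fL, fR = forward(inL, inR, params, n, r_fwd)
    bL, bR = backward(outL, outR, params, n, r_bwd)
    return contradiction(fL, bL), contradiction(fR, bR)

def inverse_branches(VL, VR, params, n):
    """One inverse-trail round (Theorem 2): all maximal patterns U = (XL, XR) whose
    forward image lies in V with probability 1. Each free XOR pair yields 2 branches."""
    a, b, c = params
    XL = list(VR)                                   # Delta X^L = Delta Y^R
    fixed = [i for i in range(n) if VL[i] != STAR]
    for i in fixed:                                 # point 1: both AND inputs must be inactive
        for j in ((i + a) % n, (i + b) % n):
            if XL[j] == 1:
                return []                           # V is not reachable with probability 1
            XL[j] = 0
    branches = [(XL, [STAR] * n)]
    for i in fixed:                                 # Delta X^L[i+c] ^ Delta X^R[i] = Delta Y^L[i]
        nxt = []
        for L, R in branches:
            if L[(i + c) % n] == STAR:              # free bit: the two branches of point 2
                for v in (0, 1):
                    L2, R2 = list(L), list(R)
                    L2[(i + c) % n], R2[i] = v, VL[i] ^ v
                    nxt.append((L2, R2))
            else:
                R2 = list(R)
                R2[i] = VL[i] ^ L[(i + c) % n]
                nxt.append((L, R2))
        branches = nxt
    return branches

def sample_check(L, R, params, n, rounds, trials=1000, seed=7):
    """Confirm forward(L, R) on the real round function with random pairs and subkeys."""
    rng = random.Random(seed)
    expL, expR = forward(L, R, params, n, rounds)
    pick = lambda pat: sum((rng.randrange(2) if u == STAR else u) << (n - 1 - i) for i, u in enumerate(pat))
    for _ in range(trials):
        keys = [rng.getrandbits(n) for _ in range(rounds)]
        x0, x1, dL, dR = rng.getrandbits(n), rng.getrandbits(n), pick(L), pick(R)
        y, y2 = encrypt(x0, x1, keys, params, n), encrypt(x0 ^ dL, x1 ^ dR, keys, params, n)
        if not (contained(to_pattern(y[0] ^ y2[0], n), expL) and contained(to_pattern(y[1] ^ y2[1], n), expR)):
            return False
    return True

if __name__ == "__main__":
    n, zero, e0 = 16, [0] * 16, [1] + [0] * 15       # SIMON32: (0, e_0) -> 4 rounds -> (e_0, 0)
    print("contradiction bits (L, R):", miss_in_the_middle(zero, e0, e0, zero, SIMON, n, 2, 2))
    print("forward pattern holds on samples:", sample_check(zero, e0, SIMON, n, 2))
```

Running the file prints ([0, 14], [0, 14]) for the 4-round SIMON32 example (forward, the left half after two rounds has bit 0 fixed to 0 and bit 14 fixed to 1; backward, it must equal e_{0}) and True for the sampling check; with the SIMECK parameters the same input/output pair contradicts at bit 15 instead, because a = 0 makes bit 0 of the AND output unknown. Calling inverse_branches with V^{L} fixed to 0 at positions i+a, i+b, i+c and arbitrary elsewhere reproduces the two branches of Theorem 2 on the pair (ΔX^{R}[i+c], ΔX^{L}[i+2c]); multiplying branches round by round is what Algorithm 1's breadth-first strategy does, and the branch count stays at most 2^{r} for the reason stated in Theorem 2.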
Impossible subspace trails found in SIMON and SIMECK Impossible differential characteristics obtained either by automatic search with MILP or by applying the miss-in-the-middle method to truncated differentials are limited to the case where both the input and output differences have only one active bit. In this part, we give impossible subspace trails, which yield impossible differential characteristics with multiple active bits in the input/output difference and thus an exponential increase in their number.
We use Algorithm 1 and the miss-in-the-middle approach to search impossible subspace trails for SIMON and SIMECK. For SIMON32/48/64/96/128, we give 11/12/13/16/19-round impossible subspace trails, respectively, as shown in Table 6. Except for SIMON64, our results cover the state of the art and exhibit many more impossible differential trails. For SIMON64, the two impossible differential trails in Wang et al. (2018) cannot yet be included, since they do not meet the requirement of miss-in-the-middle; we show in the next section how to find these two trails and many more. Our results for SIMECK are listed in Table 7. For SIMECK32, our results cover the state of the art (11 rounds) and likewise exhibit many more trails. Sadeghi and Bagheri (2018) and Wang et al. (2018) gave 15-round and 17-round impossible differential trails for SIMECK48 and SIMECK64, respectively; the next section also shows how to find these and many more. Due to the rotational invariance of SIMON-like block ciphers, both tables only list impossible subspace trails whose contradiction occurs in the 0-th bit of the middle round.
Impossible differential characteristics by applying the miss-from-the-middle approach
The two 13-round trails for SIMON64, the 15-round trails for SIMECK48 and the 17-round trails for SIMECK64 do not meet the requirement of the miss-in-the-middle approach, so they cannot be found by the algorithm of the last section. In Sadeghi and Bagheri (2018), the impossible differential trails for SIMECK48 and SIMECK64 are deduced manually, and this procedure shows how the contradiction arises. However, two arbitrary properties do not lead to this contradiction. We reveal its precondition and generalize it into miss-from-the-middle, as an analogue of the miss-in-the-middle approach: the contradiction does not occur right in the middle round but results from the middle round.
In this section, we give impossible differential characteristics by applying the miss-from-the-middle approach. Our results not only recover the state of the art but also give many more trails, since we remove the restriction that both the input and output differences have only one active bit.
Miss-from-the-middle We first recall the miss-in-the-middle approach. We obtain two truncated differentials along the encryption and decryption directions, respectively; if there is a contradiction between their ends, we obtain an impossible differential trail. In contrast, the miss-from-the-middle approach does not require such a direct contradiction. To be exact, we first combine the two truncated differentials, and then, starting from the middle, we check downwards and upwards whether the combination, together with two properties, leads to a contradiction; if so, an impossible differential trail is obtained.
Since two arbitrary truncated differentials do not cause this kind of contradiction, the combined middle round has to satisfy some conditions. Here we give the precondition of the miss-from-the-middle approach, through which we can greatly reduce the search space.
Precondition of miss-from-the-middle Let T_{1} = \((U_{0}, U_1,\cdots, U_{r_a})\) and T_{2} = \((V_{0}, V_1,\cdots, V_{r_b})\) be inverse subspace trails of the round function F and its inverse F^{−1}, respectively. Denote M = U_{0} ∩ V_{0} = (L[0, 1, ⋯, n−1], R[0, 1, ⋯, n−1]). If
1. L[i+a, i+b] = 0 and L[i+c] and R[i] are fixed for some i ∈ {0, 1, ⋯, n−1}, there may exist contradictions between M and T_{2}; or
2. R[i+a, i+b] = 0 and R[i+c] and L[i] are fixed for some i ∈ {0, 1, ⋯, n−1}, there may exist contradictions between M and T_{1}.
Determining algorithm We introduce the search and determination algorithm for impossible differential characteristics satisfying miss-from-the-middle in detail. The procedure has three steps, reducing the scope, picking & rebuilding, and determining, as shown in Fig. 3:
Step 1: Reducing the scope. We construct subspaces V_{e} and V_{d} satisfying the precondition of miss-from-the-middle, and take them as the starting points for searching subspace trails inversely along the encryption and decryption directions. This gives the longest subspace trails U_{e} →F V_{e} and U_{d} →F^{−1} V_{d}. Note that the subspace trail from U_{e} to U_{d} is not necessarily impossible. However, this step greatly reduces the search scope, namely from 2^{2n} to U_{e} × U_{d}.
Step 2: Picking & rebuilding. We randomly pick dim-1 subspaces U_{0} ⊆ U_{e} and U_{1} ⊆ U_{d} and take them as starting points for searching subspace trails. We obtain U_{0} →F V_{0} and U_{1} →F^{−1} V_{1} such that V_{0} ⊆ V_{e} and V_{1} ⊆ V_{d}.
Step 3: Determining. We combine V_{0} and V_{1}, then trace back along both directions to check whether any contradiction exists. If so, we obtain an impossible differential characteristic.
The whole procedure is formalized in Algorithm 2.
Impossible differential characteristics for SIMON and SIMECK. We give many impossible differential characteristics whose input and output differences have multiple active bits. Before our work, this could not be achieved because of the high complexity of O(2^{2n}). The impossible differentials for SIMON and SIMECK obtained by applying miss-from-the-middle are listed in Tables 3 and 4,<br>respectively. We have verified all results with the MILP model of Wang et al. (2018). To make the verification explicit, Fig. 4 shows the complete 13-round impossible differential trail \((00000000, 48000083) \nrightarrow (40000000, 00000000)\) for SIMON64 and how the contradiction arises.
Conclusion
In this paper, we make use of the diffusion property of SIMON-like block ciphers and give a specific approach for searching inverse subspace trails. In contrast to previous work, the low-dimension subspace in our work has dimension at least one rather than exactly one. By applying miss-in-the-middle and miss-from-the-middle, we give impossible differential characteristics for SIMON and SIMECK. We hope these results can support cryptanalysts or help designers make better parameter choices.
For future work, several interesting questions remain. First, can miss-from-the-middle and miss-in-the-middle together cover all possible cases? If this can be proved, our results become provably optimal, and combined with attacks, a security margin follows easily. Secondly, Boura et al. derived generic complexity formulas for impossible differential attacks and optimized them using multiple impossible differentials in Boura et al. (2014). For this analysis to be valid, however, the number of conditions associated with the impossible differential attack has to stay the same. Since we have greatly expanded the set of candidate trails, automatically searching for the qualifying trails seems an attractive question; if this can be achieved, we may hope to give better attack complexities and round counts. Lastly, we would like to know whether miss-from-the-middle or inverse subspace trails can be applied to other block ciphers. A generic method for automatically searching inverse subspace trails would be much desired.
Availability of data and materials
Not applicable.
References
Abdelraheem MA, Alizadeh J, AlKhzaimi HA, Aref MR, Bagheri N, Gauravaram P (2015) Improved linear cryptanalysis of reduced-round SIMON32 and SIMON48. In: Biryukov A, Goyal V (eds) 16th International Conference on Cryptology in India, 153–179. https://doi.org/10.1007/978-3-319-26617-6_9.
Abed F, List E, Lucks S, Wenzel J (2013) Differential and linear cryptanalysis of reduced-round SIMON. IACR Cryptol ePrint Arch 2013:526.
AlKhzaimi H, Lauridsen MM (2013) Cryptanalysis of the SIMON family of block ciphers. IACR Cryptol ePrint Arch 2013:543.
AlTawy R, Rohit R, He M, Mandal K, Yang G, Gong G (2017) sLiSCP: Simeck-based permutations for lightweight sponge cryptographic primitives. In: Adams C, Camenisch J (eds) 24th International Conference on Selected Areas in Cryptography, 129–150. https://doi.org/10.1007/978-3-319-72565-9_7.
AlTawy R, Rohit R, He M, Mandal K, Yang G, Gong G (2018a) Towards a cryptographic minimal design: the sLiSCP family of permutations. IEEE Trans Comput 67(9):1341–1358. https://doi.org/10.1109/TC.2018.2811467.
AlTawy R, Rohit R, He M, Mandal K, Yang G, Gong G (2018b) sLiSCP-light: towards hardware optimized sponge-specific cryptographic permutations. ACM Trans Embedded Comput Syst 17(4):1–26. https://doi.org/10.1145/3233245.
Banik S, Pandey SK, Peyrin T, Sasaki Y, Sim SM, Todo Y (2017) GIFT: a small present - towards reaching the limit of lightweight encryption. In: Fischer W, Homma N (eds) 19th International Conference on Cryptographic Hardware and Embedded Systems, 321–345. https://doi.org/10.1007/978-3-319-66787-4_16.
Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L (2015) The SIMON and SPECK families of lightweight block ciphers. In: Proceedings of the 52nd Annual Design Automation Conference, 1–6.
Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L (2017) Notes on the design and analysis of SIMON and SPECK. IACR Cryptol ePrint Arch 2017:560.
Beierle C, Jean J, Kölbl S, Leander G, Moradi A, Peyrin T, Sasaki Y, Sasdrich P, Sim SM (2016) The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw M, Katz J (eds) 36th Annual International Cryptology Conference, 123–153. https://doi.org/10.1007/978-3-662-53008-5_5.
Biham E, Biryukov A, Shamir A (1999) Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern J (ed) International Conference on the Theory and Application of Cryptographic Techniques, 12–23. https://doi.org/10.1007/3-540-48910-X_2.
Blondeau C, Leander G, Nyberg K (2017) Differential-linear cryptanalysis revisited. J Cryptol 30(3):859–888. https://doi.org/10.1007/s00145-016-9237-5.
Bogdanov A, Knezevic M, Leander G, Toz D, Varici K, Verbauwhede I (2011) spongent: a lightweight hash function. In: Preneel B, Takagi T (eds) 13th International Workshop on Cryptographic Hardware and Embedded Systems, 312–325. https://doi.org/10.1007/978-3-642-23951-9_21.
Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJB, Seurin Y, Vikkelsoe C (2007) PRESENT: an ultra-lightweight block cipher. In: Paillier P, Verbauwhede I (eds) 9th International Workshop on Cryptographic Hardware and Embedded Systems, 450–466. https://doi.org/10.1007/978-3-540-74735-2_31.
Boura C, Naya-Plasencia M, Suder V (2014) Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar P, Iwata T (eds) 20th International Conference on the Theory and Application of Cryptology and Information Security, 179–199. https://doi.org/10.1007/978-3-662-45611-8_10.
Chen H, Wang X (2016) Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. In: Peyrin T (ed) 23rd International Conference on Fast Software Encryption, 428–449. https://doi.org/10.1007/978-3-662-52993-5_22.
Chen Z, Wang N, Wang X (2015) Impossible differential cryptanalysis of reduced round SIMON. IACR Cryptol ePrint Arch 2015:286.
Daemen J, Hoffert S, Assche GV, Keer RV (2018) The design of Xoodoo and Xoofff. IACR Trans Symmetric Cryptol 2018(4):1–38. https://doi.org/10.13154/tosc.v2018.i4.1-38.
Derbez P, Fouque P (2016) Automatic search of meet-in-the-middle and impossible differential attacks. In: Robshaw M, Katz J (eds) 36th Annual International Cryptology Conference, 157–184. https://doi.org/10.1007/978-3-662-53008-5_6.
Grassi L, Rechberger C, Rønjom S (2016) Subspace trail cryptanalysis and its applications to AES. IACR Trans Symmetric Cryptol 2016(2):192–225. https://doi.org/10.13154/tosc.v2016.i2.192-225.
Guo, J, Peyrin T, Poschmann A (2011) The PHOTON family of lightweight hash functions. In: Rogaway P (ed)31st Annual Cryptology Conference, 222–239. https://doi.org/10.1007/9783642227929_13.
Knudsen, LR (1994) Truncated and higher order differentials. In: Preneel B (ed)Second International Workshop on Fast Software Encryption, 196–211. https://doi.org/10.1007/3540605908_16.
Knudsen, L (1998) DEALA 128bit block cipher. Complexity 258(2):216.
Kölbl, S, Leander G, Tiessen T (2015) Observations on the SIMON block cipher family. In: Gennaro R Robshaw M (eds)35th Annual Cryptology Conference, 161–185. https://doi.org/10.1007/9783662479896_8.
Kölbl, S, Roy A (2015) A brief comparison of simon and simeck. IACR Cryptol ePrint Arch 2015:706.
Kondo, K, Sasaki Y, Iwata T (2016) On the design rationale of SIMON block cipher: Integral attacks and impossible differential attacks against SIMON variants. In: Manulis M, Sadeghi A, Schneider SA (eds)14th International Conference on Applied Cryptography and Network Security, 518–536. https://doi.org/10.1007/9783319395555_28.
Leander, G, Abdelraheem MA, AlKhzaimi H, Zenner E (2011) A cryptanalysis of printcipher: The invariant subspace attack. In: Rogaway P (ed)31st Annual Cryptology Conference, 206–221. https://doi.org/10.1007/9783642227929_12.
Leander, G, Tezcan C, Wiemer F (2018) Searching for subspace trails and truncated differentials. IACR Trans Symmetric Cryptol 2018(1):74–100. https://doi.org/10.13154/tosc.v2018.i1.74100.
Liu, Z, Li Y, Wang M (2017) Optimal differential trails in SIMONlike ciphers. IACR Trans Symmetric Cryptol 2017(1):358–379. https://doi.org/10.13154/tosc.v2017.i1.358379.
Qiao, K, Hu L, Sun S (2016) Differential analysis on SIMECK and SIMON with dynamic keyguessing techniques. In: Camp O, Furnell S, Mori P (eds)Second International Conference Information Systems Security and Privacy, 64–85. https://doi.org/10.1007/9783319544335_5.
Sadeghi, S, Bagheri N (2018) Improved zerocorrelation and impossible differential cryptanalysis of reducedround SIMECK block cipher. IET Inf Secur 12(4):314–325. https://doi.org/10.1049/ietifs.2016.0590.
Sasaki, Y, Todo Y (2017) New impossible differential search tool from design and cryptanalysis aspects  revealing structural properties of several ciphers. In: Coron J Nielsen JB (eds)36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, 185–215. https://doi.org/10.1007/9783319566177_7.
Shi, D, Hu L, Sun S, Song L, Qiao K, Ma X (2014) Improved linear (hull) cryptanalysis of roundreduced versions of SIMON. IACR Cryptol ePrint Arch 2014:973.
Sun, S, Hu L, Wang P, Qiao K, Ma X, Song L (2014) Automatic security evaluation and (relatedkey) differential characteristic search: application to SIMON, PRESENT, LBlock, DES (L) and other bitoriented block ciphers. In: Sarkar P Iwata T (eds)20th International Conference on the Theory and Application of Cryptology and Information Security, 158–178. https://doi.org/10.1007/9783662456118_9.
Sun, S, Hu L, Wang M, Wang P, Qiao K, Ma X, Shi D, Song L (2014) Automatic enumeration of (relatedkey) differential and linear characteristics with predefined properties and its applications. IACR Cryptol ePrint Arch 2014:747.
Todo, Y, Morii M (2016) Bitbased division property and application to Simon family. In: Peyrin T (ed)23rd International Conference on Fast Software Encryption, 357–377. https://doi.org/10.1007/9783662529935_18.
Wang, Q, Liu Z, Varici K, Sasaki Y, Rijmen V, Todo Y (2014) Cryptanalysis of reducedround SIMON32 and SIMON48. In: Meier W Mukhopadhyay D (eds)15th International Conference on Cryptology in India, 143–160. https://doi.org/10.1007/9783319130392_9.
Wang, X, Wu B, Hou L, Lin D (2018) Automatic search for relatedkey differential trails in SIMONlike block ciphers based on MILP. In: Chen L, Manulis M, Schneider SA (eds)21st International Conference on Information Security, 116–131. https://doi.org/10.1007/9783319991368_7.
Xiang, Z, Zhang W, Bao Z, Lin D (2016) Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon JH Takagi T (eds)22nd International Conference on the Theory and Application of Cryptology and Information Security, 648–678. https://doi.org/10.1007/9783662538876_24.
Yang, G, Zhu B, Suder V, Aagaard MD, Gong G (2015) The Simeck family of lightweight block ciphers. In: Güneysu T Handschuh H (eds)17th International Workshop on Cryptographic Hardware and Embedded Systems, 307–329. https://doi.org/10.1007/9783662483244_16.
Acknowledgements
Not applicable.
Funding
This research is supported by the National Natural Science Foundation of China (61972393, 61872359).
Author information
Contributions
Xuzi Wang proposed the impossible subspace trails searching algorithm for SIMONlike block ciphers. Xuzi Wang, Baofeng Wu and Lin Hou drafted the manuscript. Baofeng Wu proofread the theorems and algorithms in the manuscript. Dongdai Lin participated in improvements of the manuscript. All authors read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, X., Wu, B., Hou, L. et al. Searching for impossible subspace trails and improved impossible differential characteristics for SIMON-like block ciphers. Cybersecur 4, 17 (2021). https://doi.org/10.1186/s42400-021-00081-x
Keywords
 Impossible differential characteristics
 Impossible subspace trails
 Miss-from-the-middle
 SIMON
 SIMECK