Searching for impossible subspace trails and improved impossible differential characteristics for SIMON-like block ciphers

In this paper we greatly increase the number of impossible differentials for SIMON and SIMECK by removing the 1-bit constraint on the input and output differences, which is a precondition for reducing the complexity of attacks. Because the search space grows exponentially once impossible differentials with multiple active bits are allowed, we propose an algorithm that greatly reduces the search complexity and finds such trails efficiently. Besides miss-in-the-middle, there is another situation that leads to a contradiction in an impossible differential; we show how this contradiction arises, state its precondition and name it miss-from-the-middle. Applying the two approaches together makes our results more comprehensive. This paper gives, for the first time, impossible differential characteristics with multiple active bits for SIMON and SIMECK, greatly increasing their number. The results not only cover the state of the art but are also verified by an MILP model.


Introduction
Due to the continuously growing impact of RFID tags, smart cards and FPGAs, cryptographic algorithms which are suitable for resource-constrained devices become more and more important. During the last decade, a number of lightweight block ciphers, hash functions and stream ciphers were developed by the research community.
*Correspondence: wubaofeng@iie.ac.cn. 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China. 2 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China.
The NSA published the two lightweight block cipher families SIMON and SPECK in Beaulieu et al. (2015); they are highly optimized and perform well on both hardware and software platforms. Although Beaulieu et al. (2015) gave neither a design rationale nor any cryptanalysis, SIMON and SPECK have drawn great attention from researchers, and a great deal of cryptanalytic work has been published since. The designers later gave some design rationale and summarized the existing cryptanalysis of SIMON in Beaulieu et al. (2017), e.g. linear and differential cryptanalysis (Liu et al. 2017; AlKhzaimi and Lauridsen 2013; Abdelraheem et al. 2015; Chen and Wang 2016; Shi et al. 2014; Qiao et al. 2016), impossible differential and zero-correlation cryptanalysis (Chen et al. 2015; Wang et al. 2014; Chen and Wang 2016), integral cryptanalysis (Kondo et al. 2016; Todo and Morii 2016; Wang et al. 2014; Xiang et al. 2016), and so on. Yang et al. proposed SIMECK in Yang et al. (2015). It keeps the round function of SIMON but changes the rotation parameters from (8, 1, 2) to (0, 5, 1), and reuses the round function inside the key schedule; this gives SIMECK a better performance than SIMON. When related keys are not involved, the cryptanalysis of SIMECK is similar to that of SIMON. Comparisons between the two can be found in Kölbl and Roy (2015); Qiao et al. (2016); Liu et al. (2017); Wang et al. (2018).
Within NIST's lightweight cryptography project, which aims at selecting cryptographic standards suitable for lightweight applications, many candidates have been submitted, and 32 algorithms remain in Round 2. These algorithms are based on either lightweight block ciphers or lightweight hash functions, such as PRESENT (Bogdanov et al. 2007), SIMON and SPECK (Beaulieu et al. 2015), SIMECK (Yang et al. 2015), SKINNY (Beierle et al. 2016), GIFT (Banik et al. 2017), Xoodoo (Daemen et al. 2018), PHOTON (Guo et al. 2011) and Spongent (Bogdanov et al. 2011).

Our contributions
In this paper we further study impossible differential characteristics for SIMON-like block ciphers. We provide impossible subspace trails for SIMON and SIMECK by searching subspace trails inversely and applying miss-in-the-middle. We also identify another situation that leads to a contradiction, which we define as miss-from-the-middle, and supplement the impossible differentials by applying it. All impossible differentials and impossible subspace trails given in this paper can be verified by the MILP model. Our contributions are threefold.
First, we introduce the concept of inverse subspace trails and give search algorithms for them for SIMON-like block ciphers. By applying miss-in-the-middle to inverse subspace trails we obtain impossible subspace trails for SIMON and SIMECK; a single trail contains a large number of impossible differential characteristics.
Secondly, we study the contradiction condition of the remaining trails and define it as miss-from-the-middle, by analogy with the well-known miss-in-the-middle approach, since the miss-in-the-middle approach cannot cover the state of the art for SIMECK.
Thirdly, with our algorithm all impossible differentials for SIMON and SIMECK arising from miss-in-the-middle and miss-from-the-middle can be obtained efficiently without the 1-bit constraint. The large increase in the number of impossible differentials is the precondition for better attacks. Biham et al. and Knudsen independently proposed the idea of impossible differential attacks in Biham et al. (1999) and Knudsen (1998), respectively. In such attacks the adversary discards the key candidates that would produce a differential characteristic of probability zero. All existing impossible differential characteristics of SIMON-like block ciphers were obtained under the 1-bit constraint, either by combining truncated differentials with the miss-in-the-middle approach or by automatic search with MILP.
Sun et al. proposed an MILP-based automatic tool for searching high-probability differential and linear characteristics. Yu Sasaki and Yosuke Todo gave a new MILP-based impossible differential search tool in Sasaki and Todo (2017). However, as has been pointed out, for SIMON-like block ciphers the input bits of the AND operation are not independent, so the trails obtained by MILP are not guaranteed to be valid. Searching impossible differentials of SIMON-like block ciphers by MILP was therefore not applicable until Wang et al. provided an accurate MILP model for these ciphers in Wang et al. (2018). They gave 15-round impossible differentials for SIMECK48 and 17-round ones for SIMECK64, matching the results of Sadeghi and Bagheri (2018), and two new 13-round ones for SIMON64. Leander et al. proposed the invariant subspace attack on PRINTcipher in Leander et al. (2011). Later, Grassi et al. introduced subspace trail cryptanalysis in Grassi et al. (2016). Leander et al. gave generic algorithms for searching subspace trails and applied them to several ciphers including SIMON (Leander et al. 2018); specifically, they gave 6/8/12-round subspace trails for SIMON32/64/128 with subspace dimensions 30/62/126, respectively.

Preliminaries
Notations
We use the following symbols throughout the paper.
0 (in bold): a 4-bit vector with all entries equal to 0; a plain 0 denotes a single zero bit.
X, Y: X is the plaintext and Y is the ciphertext after one round. X_L, X_R denote the left and right halves of X. X_L[i] denotes the i-th bit of X_L (numbered 0 to n − 1 from left to right), i ∈ {0, 1, ..., n − 1}; X_L[i + a] means X_L[(i + a) mod n], and we omit "mod n" for simplicity.
ΔX, ΔY: ΔX is the input difference of the round function and ΔY the output difference.

Description of SIMON and SIMECK
The SIMON and SIMECK families of lightweight block ciphers are both Feistel constructions whose only nonlinear operation is a bitwise AND. The round function of SIMON-like block ciphers is shown in Fig. 1; the rotation parameters are (8, 1, 2) for SIMON and (0, 5, 1) for SIMECK, where the first two amounts feed the AND and the third the linear term. We list the parameters of all versions of SIMON and SIMECK in Tables 1 and 2, respectively.
In this paper we focus on impossible differential characteristics for SIMON-like block ciphers. For simplicity, we recall the rotational invariance of impossible differentials for SIMON from Wang et al. (2014), and exhibit only those impossible subspace trails and impossible differential characteristics for SIMON and SIMECK whose contradiction occurs in the i-th bit, i ∈ {0, 1, ..., n − 1}.

Rotational invariance
The round function of a SIMON-like block cipher is built only from bitwise AND, XOR, cyclic rotations and key addition; the first three commute with a cyclic rotation of both words, and the key addition disappears in the difference. Hence rotating every word of an impossible differential by the same amount yields another impossible differential (Wang et al. 2014). Then for any r, where 0 ≤ r ≤ n − 1, one can construct from a trail whose contradiction lies in bit i a trail whose contradiction lies in bit (i + r) mod n. For this reason we only exhibit trails whose contradiction occurs in one fixed bit.

MILP model
Following Wang et al. (2018), the ROTATION-AND operation from n bits to n bits can be divided into n groups, each with 3 input difference bits and 2 output difference bits (two output bits d_i and d_{i±t} share one input bit through the two rotations). We use Δx and Δd to represent the input and output difference of ROTATION-AND respectively, (a, b) for the rotation parameters, t = |a − b|, and i ∈ {0, 1, ..., n − 1} (from left to right), omitting mod n for simplicity. Each group must satisfy the set of linear inequalities given in Wang et al. (2018); since the constraints imposed by the XOR operation are standard, we do not repeat them here. For verification we fix the input and output difference in the MILP model and run the Gurobi optimizer; if the model is infeasible, no differential trail connects this input and output difference, so the characteristic is impossible. All impossible differentials exhibited in Tables 3 and 4 have been verified in this way.

Subspace trails
Grassi et al. introduced subspace trails in Grassi et al. (2016) and applied them to AES; Leander et al. gave a generic method for searching subspace trails in Leander et al. (2018). We first recall the definition of a subspace trail: an (r + 1)-tuple of subspaces (U_0, ..., U_r) of F_2^n is a subspace trail over r rounds of F if for every i and every coset U_i ⊕ a there is a b such that F(U_i ⊕ a) ⊆ U_{i+1} ⊕ b. We then recall the definition of an essential subspace trail from Leander et al. (2018): if for subspaces U and V of F_2^n the trail U →F V holds and the pair is extremal, that is, V is the smallest subspace with U →F V and U is maximal among the subspaces that map into V, we call U →F V an essential subspace trail. For a given U the subspace V of an essential trail is therefore unique, whereas for a given V there may be several such U; this asymmetry is what the inverse search below exploits.
Truncated differentials were introduced in Knudsen (1994) and generalized to subspaces of differences in Blondeau et al. (2017). Grassi et al. (2016) and Leander et al. (2018) discussed the link between subspace trails and truncated differentials. Because of this close relationship, we represent truncated differentials by subspace trails in this paper.
Impossible differential characteristics can be obtained by applying miss-in-the-middle to truncated differentials. For most block ciphers, the existing impossible differential characteristics can be regarded as impossible subspace trails from a dim-1 subspace to a dim-1 subspace. Grassi et al. (2016) first introduced the concept of impossible subspace trails and combined two-round subspace properties of AES to find them. A natural question is whether impossible subspace trails exist for other block ciphers. Intuitively, following the miss-in-the-middle approach, if there exist two subspace trails that both hold with probability 1 and whose subspaces at the meeting round share no nonzero difference, their combination is an impossible subspace trail.
Leander et al. (2018) gave a generic approach for searching subspace trails. For S-box layers without linear structures, i.e. word-based block ciphers, a subspace trail starting from a subspace U_0 with a single active S-box is provably optimal. For ciphers with linear structures, i.e. bit-based block ciphers, a trail starting from a U_0 with a single active bit is not necessarily optimal. However, since traversing all dim-1 subspaces costs O(2^n) time, existing search algorithms only consider U_0 with a single active bit, which strongly limits the number of impossible differential characteristics that can be found. To address this we introduce inverse subspace trails. As for subspace trails, we need to find an essential trail U →F V; the difference is that for subspace trails we compute V from U, and V is unique, whereas for inverse subspace trails we compute U from V, and U has many possibilities. We refer to subspace trails found in this inverse direction as inverse subspace trails.
An (r + 1)-tuple of subspaces (U_0, ..., U_r) is called an inverse subspace trail (over r rounds) if it is a subspace trail obtained in this way, i.e. by computing each subspace from the one that follows it. For two inverse subspace trails (U_0, ..., U_{r_a}) and (V_0, ..., V_{r_b}), if U_0 ∩ V_0 = {0}, i.e. the two subspaces share no nonzero difference, we obtain an (r_a + r_b − 1)-round impossible subspace trail. Unlike previous work, we consider the case dim(U_{r_a}), dim(V_{r_b}) ≥ 1, and under this condition one impossible subspace trail may contain many more impossible differential characteristics, whose input and output differences may have more than one active bit. In this way we greatly increase the number of impossible differential characteristics for SIMON and SIMECK. In addition, we reveal another cause of the contradiction in impossible differential trails.

Automatic search of impossible subspace trails
For a subspace V of high dimension there may exist multiple essential U such that dim(U) ≤ dim(V) and U →F V. Thus, as the number of rounds increases, the number of branches grows exponentially. In general we would need to traverse all branches to find the longest trail, at a cost of O(2^n); this is why for most bit-based block ciphers the longest trail cannot be found by searching inversely. For SIMON-like block ciphers, however, things are different: they have a special difference (inverse) diffusion property, described in Theorem 2, that leads to at most 2^R branches for an R-round inverse subspace trail. It is therefore feasible to traverse all inverse subspace trails to find the longest one, and to obtain the longest impossible subspace trails by combining them with the miss-in-the-middle approach. In this section we explain this property in detail and present impossible subspace trails for SIMON and SIMECK.
Search strategy
Leander et al. (2018) gave a search algorithm for subspace trails. They start from a dim-1 subspace and make the error probability negligible by using a large number of plaintexts. Their method was applied to several block ciphers, and the subspace trails found agree well with existing truncated differentials. Note that for word-based block ciphers, starting from a dim-1 subspace with one active S-box always leads to provably optimal subspace trails, but this is not the case for bit-based block ciphers. For bit-based block ciphers, traversing all dim-1 subspaces costs O(2^n), where n is the block size; this is too expensive, which is why Leander et al. chose to traverse only the dim-1 subspaces with one active bit.
A similar question arises when searching impossible differential characteristics of bit-based block ciphers. Whether miss-in-the-middle is applied to truncated differentials or the search is automated with MILP, the resulting trails have only one active bit in the input and output differences. Given the diffusion of block ciphers it seems reasonable that the longest impossible differential trails are found under this condition; but do the longest trails only exist under this condition? In this subsection we investigate this question by searching subspace trails inversely and applying the miss-in-the-middle approach.
Since traversing all dim-1 subspaces takes too much time, we search subspace trails from the opposite direction. Precisely, we start from a subspace V of high dimension, e.g. dim(V) = n − 1, and the dimension decreases as the number of rounds grows. Note that an essential trail from a low-dimension subspace to a high-dimension subspace over the round function is unique, but the converse is not: there may be several trails from a high-dimension subspace to a low-dimension one. Fig. 2 demonstrates this for SIMON32, and Table 5 lists the values of the variables used in Fig. 2.
With either strategy a straightforward search takes too much time, and the cause is the XOR operation: for the equation a ⊕ b = c, once the value of one variable is fixed the other two still have two possible assignments, which leads to two branches. Intuitively, then, the number of branches for SIMON-like block ciphers should grow exponentially with the number of rounds. By our observation, however, not every fixed bit leads to branches in SIMON-like block ciphers, as shown in Theorem 2; only a small number of them do. Assuming that the initial subspace has only one fixed difference bit and denoting the number of rounds of the inverse subspace trail by r, the number of branches is at most 2^r. Hence we use a breadth-first strategy to search inverse subspace trails for SIMON-like block ciphers, as demonstrated in Algorithm 1, and then obtain impossible subspace trails by applying the miss-in-the-middle approach.

Theorem 1 (Difference property for ROTATION-AND). Let F(x) = S^a(x) & S^b(x), where S^a denotes cyclic left rotation by a bits, and let Δx and Δd denote the input and output differences of F, respectively. If Δd_i = 0 with probability 1, then Δx_{i+a} = 0 and Δx_{i+b} = 0.

Proof. We have
  Δd_i = (x_{i+a} ⊕ Δx_{i+a})(x_{i+b} ⊕ Δx_{i+b}) ⊕ x_{i+a} x_{i+b}
       = Δx_{i+a} · x_{i+b} ⊕ Δx_{i+b} · x_{i+a} ⊕ Δx_{i+a} · Δx_{i+b}.
If P(Δd_i = 0) = 1, then Δd_i must not depend on any bit of the plaintext, so the coefficients of x_{i+b} and x_{i+a} must vanish, i.e. Δx_{i+a} = 0 and Δx_{i+b} = 0.

Theorem 2 (Difference property for the round function of SIMON-like block ciphers). Let F : F_2^{2n} → F_2^{2n} be the round function … (1, 0), respectively.

Proof. The first point follows directly from Theorem 1. We then prove the second point: we have …, and finally ….

According to Theorem 2, the number of branches of an inverse subspace trail for SIMON-like block ciphers does not grow exponentially with every fixed bit; it grows with the number of rounds, reaching at most 2^R, which is feasible to traverse.

Impossible subspace trails found in SIMON and SIMECK
Impossible differential characteristics obtained either by automatic MILP search or by applying the miss-in-the-middle method to truncated differentials are limited to the case where both the input and the output difference have only one active bit. Here we give impossible subspace trails, which yield impossible differential characteristics with multiple active bits in the input/output difference and thus an exponential increase in their number.

Algorithm 1. (Inverse Subspace Trail Searching Algorithm)
We use Algorithm 1 and the miss-in-the-middle approach to search impossible subspace trails for SIMON and SIMECK. For SIMON32/48/64/96/128 we give 11/12/13/16/19-round impossible subspace trails respectively, as shown in Table 6. Except for SIMON64, our results cover the state of the art and contain many more impossible differential trails. For SIMON64, the two impossible differential trails of Wang et al. (2018) cannot be included at present, since they do not meet the requirements of miss-in-the-middle; we show in the next section how to find these two trails and many more. Our results for SIMECK are listed in Table 7. For SIMECK32, our results cover the state of the art (11 rounds) and again contain many more trails. The 15-round and 17-round impossible differential trails for SIMECK48 and SIMECK64 in Sadeghi and Bagheri (2018) and Wang et al. (2018), respectively, are however not found in this way; we show in the next section how to search for these two trails and many more. Due to the rotational invariance of SIMON-like block ciphers, both tables only give impossible subspace trails whose contradiction occurs in the 0-th bit of the middle round.
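The 1-bit miss-in-the-middle search that the results above start from, written out as an added example (editor's code, not the paper's or the SIMON designers'): it propagates truncated differences, one symbol 0, 1 or ? per bit, through the SIMON32 round function forward from every single-bit input difference and backward from every single-bit output difference, and reports the largest number of rounds at which some bit is determined 0 from one side and 1 from the other. The AND rule is exactly the statement of Theorem 1. Assumed here: SIMON32's word size 16 and rotation set (8, 1, 2), least-significant-bit-first indexing, and the 0/1/? encoding; the rotate_pair helper applies the rotational invariance recalled in the preliminaries.

```python
"""Truncated-difference miss-in-the-middle search for SIMON32.

Editor's added example, not code from the paper. Bits of an n-bit word are
indexed 0..n-1 from the least significant end and S^j is a left rotation, so
S^j(x)[i] = x[(i - j) mod n]. A truncated difference is a tuple of n symbols:
'0' (inactive with probability 1), '1' (active with probability 1) or
'?' (undetermined).
"""

N = 16              # word size of SIMON32 (assumed parameter set)
A, B, C = 1, 8, 2   # f(x) = (S^A(x) & S^B(x)) ^ S^C(x): SIMON's rotation set (8, 1, 2)
MASK = (1 << N) - 1


def word_from_int(v):
    """Turn an n-bit integer difference into a fully determined truncated word."""
    return tuple('1' if (v >> i) & 1 else '0' for i in range(N))


def rotl(word, j):
    """Left rotation of a truncated word by j positions."""
    return tuple(word[(i - j) % N] for i in range(N))


def xor_sym(p, q):
    """Truncated XOR: an undetermined operand makes the result undetermined."""
    if p == '?' or q == '?':
        return '?'
    return '1' if p != q else '0'


def and_sym(p, q):
    """Truncated AND (the content of Theorem 1): the output difference bit is 0
    with probability 1 exactly when both input difference bits are 0; in every
    other case it depends on the unknown values of the inputs."""
    return '0' if p == '0' and q == '0' else '?'


def f_trunc(word):
    """Propagate a truncated difference through f(x) = (S^A x & S^B x) ^ S^C x."""
    xa, xb, xc = rotl(word, A), rotl(word, B), rotl(word, C)
    return tuple(xor_sym(and_sym(p, q), r) for p, q, r in zip(xa, xb, xc))


def round_fwd(state):
    """One encryption round on (L, R): L' = R ^ f(L), R' = L (the key cancels in differences)."""
    L, R = state
    return (tuple(map(xor_sym, R, f_trunc(L))), L)


def round_bwd(state):
    """One decryption round on (L', R'): L = R', R = L' ^ f(R')."""
    L2, R2 = state
    return (R2, tuple(map(xor_sym, L2, f_trunc(R2))))


def contradicts(s, t):
    """Two truncated states contradict when some bit is '0' in one and '1' in the other."""
    for w1, w2 in zip(s, t):
        for p, q in zip(w1, w2):
            if p != q and p != '?' and q != '?':
                return True
    return False


def single_bit_differences():
    """All (dL, dR) differences with exactly one active bit, as integer pairs."""
    return [(1 << i, 0) for i in range(N)] + [(0, 1 << i) for i in range(N)]


def propagate(d, step, rounds):
    """States after 0..rounds applications of `step`, starting from integer difference d."""
    st = (word_from_int(d[0]), word_from_int(d[1]))
    seq = [st]
    for _ in range(rounds):
        st = step(st)
        seq.append(st)
    return seq


def search(max_rounds=14):
    """Miss-in-the-middle with one active bit in the input and in the output difference.

    Returns (r, trails): the largest r <= max_rounds for which an r-round impossible
    differential exists, and the list of ((dL_in, dR_in), (dL_out, dR_out)) pairs
    realising it; (0, []) if there is none."""
    diffs = single_bit_differences()
    fwd = {d: propagate(d, round_fwd, max_rounds) for d in diffs}
    bwd = {d: propagate(d, round_bwd, max_rounds) for d in diffs}
    for r in range(max_rounds, 0, -1):
        trails = [(din, dout) for din in diffs for dout in diffs
                  if any(contradicts(fwd[din][k], bwd[dout][r - k]) for k in range(r + 1))]
        if trails:
            return r, trails
    return 0, []


def rotate_pair(d, j):
    """Rotate both words of a difference by j bits (rotational invariance of SIMON)."""
    def rot(v):
        return ((v << j) | (v >> (N - j))) & MASK
    return (rot(d[0]), rot(d[1]))


if __name__ == "__main__":
    r, trails = search()
    print(f"{r}-round impossible differentials for SIMON32 with 1-bit in/out: {len(trails)}")
    for din, dout in trails[:4]:
        print(f"  ({din[0]:04x}, {din[1]:04x}) -> ({dout[0]:04x}, {dout[1]:04x})")
```

Run stand-alone, the script reports 11-round impossible differentials, the same round count as the SIMON32 entry in Table 6: 32 of them, namely all rotations of (0, e_0) → (e_7, 0) and (0, e_0) → (e_9, 0), and nothing at 12 rounds. Every trail it finds has one active bit at each end; lifting that restriction is what Algorithm 1 and the branch bound of Theorem 2 are for, and it is also why the search here needs no branching at all.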

Impossible differential characteristics by applying miss-from-the-middle approach
The two 13-round trails for SIMON64, the 15-round trails for SIMECK48 and the 17-round trails for SIMECK64 do not meet the requirements of the miss-in-the-middle approach, so the algorithm of the last section cannot produce them. In Sadeghi and Bagheri (2018) the impossible differential trails for SIMECK48 and SIMECK64 are deduced by hand, and this derivation shows how the contradiction arises. However, two arbitrary properties do not lead to such a contradiction. We identify its precondition and generalize it as miss-from-the-middle, by analogy with miss-in-the-middle: the contradiction does not occur exactly in the middle round but originates from the middle round.
In this section we give impossible differential characteristics obtained with the miss-from-the-middle approach. Our results not only recover the state of the art but also give many more trails, since we remove the restriction that both the input and the output difference have only one active bit.

Miss-from-the-middle
Table 6 Impossible subspace trails for SIMON. For simplicity, 0 denotes 0000 and ? denotes four arbitrary bits.

We recall the miss-in-the-middle approach: first, two truncated differentials are obtained along the encryption and decryption directions, and a contradiction between them in the middle round gives an impossible differential. The miss-from-the-middle procedure has three steps, reducing the scope, picking & rebuilding, and determining, as shown in Fig. 3:
Step 1: Reducing the scope. We construct subspaces V_e and V_d satisfying the precondition of miss-from-the-middle and take them as the starting points for searching subspace trails inversely along the encryption and decryption directions. We thus obtain the longest inverse subspace trails in each direction, ending in subspaces U_e and U_d. Note that the subspace trail from U_e to U_d is not necessarily impossible; however, this step greatly reduces the search scope, from 2^{2n} to |U_e| × |U_d|.
Step 2: Picking & rebuilding. We randomly pick dim-1 subspaces U_0 and U_1 of U_e and U_d respectively and take them as the starting points of a subspace trail search, obtaining trails from U_0 and U_1 that end in subspaces V_0 and V_1.
Step 3: Determining. We combine V_0 and V_1 and trace back along both directions to check whether a contradiction exists. If so, we have obtained an impossible differential characteristic.
We formalize the whole procedure in Algorithm 2.

Algorithm 2. (Impossible Differential Characteristics Sieving Algorithm)
Input: Subspace trail list T, T = [t_0, t_1, · · · ], t_i = [TF_i, TL_i]
Output: Impossible differential characteristics list C

Impossible differential characteristics for SIMON and SIMECK
We give many impossible differential characteristics whose input and output differences have multiple active bits. Before our work this was out of reach because of the O(2^{2n}) search complexity. The impossible differentials for SIMON and SIMECK obtained with miss-from-the-middle are listed in Tables 3 and 4, respectively. We have verified all of them with the MILP model of Wang et al. (2018). To make the verification concrete, Fig. 4 shows the complete 13-round impossible differential trail (00000000, 48000083) → (40000000, 00000000) for SIMON64 and how the contradiction arises.

Conclusion
In this paper we exploit the diffusion property of SIMON-like block ciphers and give a dedicated approach for searching inverse subspace trails. In contrast to previous work, the low-dimension subspace in our trails has dimension at least one rather than exactly one. By applying miss-in-the-middle and miss-from-the-middle we give impossible differential characteristics for SIMON and SIMECK. We hope these results support cryptanalysts and help designers make better parameter choices.
Several questions remain for future work. First, do miss-from-the-middle and miss-in-the-middle together cover all possible cases? If this could be proved, our results would be provably optimal, and combined with attacks a security margin could be given directly. Secondly, Boura et al. derived generic complexity formulas for impossible differential attacks and optimized them by using multiple impossible differentials in Boura et al. (2014); for this analysis to be valid, however, the number of conditions associated with the impossible differentials must stay the same. Since we have greatly expanded the set of candidate trails, automatically searching for the qualified ones is an attractive question; if this can be achieved, we may hope to improve both the attack complexity and the number of attacked rounds. Lastly, we would like to know whether miss-from-the-middle and inverse subspace trails can be applied to other block ciphers; a generic method for automatically searching inverse subspace trails would be very desirable.

Fig. 3 The searching procedure for impossible differential characteristics
Fig. 4 Impossible differential trail (00000000, 48000083) → (40000000, 00000000) for 13-round SIMON64, showing how the contradiction happens by applying miss-from-the-middle