#### Abstract

Generalized Feistel structures are widely used in the design of block ciphers. In this paper, we focused on retrieving impossible differentials for two kinds of generalized Feistel structures: CAST256-like structure with Substitution-Permutation (SP) or Substitution-Permutation-Substitution (SPS) round functions (named and , respectively) and MARS-like structure with SP/SPS round function (named and , respectively). Known results show that for bijective round function, CAST256-like structures and MARS-like structures have () and () rounds impossible differentials, respectively. By our observation, there existed () rounds impossible differentials in and () rounds impossible differentials in (this result does not require the P layer to be invertible). When the diffusion layer satisfied some special conditions, had () rounds impossible differentials and had () rounds impossible differentials.

#### 1. Introduction

The architecture is one of the most important parts of a block cipher. It will directly affect the implementation performance and the round number. Among them, SP structure [1], Feistel structure [2], and generalized Feistel structure [3] are the most often used architectures. The SP structure is a simple and clear block cipher model which is designed to implement Shannon’s suggestions of confusion and diffusion. This architecture was adopted by the famous block cipher AES [1]. Besides, many block ciphers, including Camellia, E2, and CLEFIA [4–6] adopt such kind of round functions. Except for the SP structure, the Feistel structure is another important structure, and there are a lot of block ciphers employing this architecture, such as DES, GOST, E2, and Camellia [2, 4, 6, 7]. In [3], Nyberg first introduced generalized Feistel structures. The generalized Feistel structures are generalized forms of the classical Feistel cipher. These structures reserve some advantages of the classical Feistel cipher such as encryption-decryption similarity and flexibility in the design of round functions. A large number of ciphers like CAST256, MARS, CLEFIA [5, 8, 9], etc. use these structures as their architectures.

Impossible differential cryptanalysis was first proposed by Knudsen [10] and Biham et al. [11]. This cryptanalysis uses impossible differentials to discard the wrong keys. This cryptanalysis has been used to attack Skipjack, AES, Camellia, ARIA [11–14], etc. and get many good results. The key step of impossible differential cryptanalysis is to find the longest impossible differentials [15]. For generalized Feistel structures, since only part of the data was processed in each round, there always exist long rounds impossible differentials, and this makes these ciphers vulnerable to impossible differential cryptanalysis.

Since the powerful efficiencies of impossible differential cryptanalysis, many experts work on finding impossible differential distinguisher for several block cipher structures, and lots of remarkable results are achieved. In [16], *u*-method was provided by Kim et al. to find impossible differentials of block ciphers structures and was later extended by Bouillaguet et al. [17]; this method uses the inconsistencies of the elements in set *u* to find impossible differentials. It is worthwhile for the declaration that several longest impossible differentials of some famous block cipher structures are obtained by this method. As is mentioned in [16], for m-dataline CAST256-like structure and m-dataline MARS-like structure, existed the longest round number of impossible differentials are and respectively. However, *u*-method is too general and some important longer impossible differentials are ignored [12], and the longest differential distinguishers of several architectures like GF-NLFSR [18, 19], Feistel ciphers [15], SPN [20], and MISTY [21] are obtained by other methods. In [22], a new automatic method was proposed to find more impossible differentials.

It is well known that nonzero linear combinations of several linearly independent vectors cannot be zero. Based on this matter of fact, we present some new inconsistencies to construct impossible distinguishers of CAST256-like structures and MARS-like structures with SP and SPS round function. To our knowledge, the best result is m-dataline CAST256-like cipher has rounds impossible differential distinguisher and m-dataline MARS-like cipher has rounds impossible differential distinguisher. Our results show that for m-dataline and , there exists () rounds impossible differential distinguishers and for and , there exists () rounds impossible differential distinguishers.

This paper is organized as follows: Section 2 introduces some preliminaries. Section 3 focuses on finding impossible differential distinguisher of m-dataline CAST256-like structures with SP/SPS round function. Section 4 works on finding impossible differential distinguisher of m-dataline MARS-like structures with SP/SPS round function. Section 5 concludes this paper.

#### 2. Guidelines for Manuscript Preparation

Throughout this paper, we will use the symbols, described in Table 1.

It is well known that if is a linear bijection, then , else may have several possible values; in this case, we can choose any one for further discussion, and we will use to distinguish them.

Next, we will first describe these two structures, and then lay out some basic definitions and notations.

##### 2.1. CAST256-like Structure

An -dataline CAST256-like network consists of rounds, each round is defined as follows.

Let be the input of the -th round, and be the output and the round key of the -th round, resp.

is defined aswhere is the round function (Figure 1 describes one round of 4-dataline CAST256-like network).

##### 2.2. Mars-like Structure

An -daaline MARS-like network consists of rounds; each round is defined as follows.

Let be the input of the -th round, and be the output and the round key of the -th round, resp.

is defined aswhere is the round function (Figure 2 describes one round of 4-dataline CAST256-like network).

##### 2.3. Notations

According to the definition of round function *f*, these two cipher structures can be classified into many substructures. Major round functions under study are based on SP structure and SPS structure, which are two basic structures of modern ciphers.

*Definition 1 (See [1]) (SP network). *Let :be nonlinear bijections, Pbe a linear transformation (*there is no limit that P is a bijection*), is the round key, then the round function of SP *network* (*SPN*) is defined byWe use (resp. ) to denote CAST256-like structure with SP(resp. SPS) type round function and (resp. ) for MARS-like structure with SP(resp. SPS) type round function.

*Definition 2 (See [15]). *() is defined aswhere is defined byLet , function is defined by .

*Definition 3 . *Let ; then is defined as .

*Definition 4 (See [1]) (differential branch number). *Let be a linear mapping, where *M* is a matrix over . Then the differential branch number of is defined by

#### 3. Impossible Differential Distinguishers of Cast256-like Structure

##### 3.1. Two Important Differential Characteristics of CAST256-like Structure

Lemma 1 (See [23]). *For the -dataline CAST256-like structure, any nontrivial differential characteristic of the round function must be with the following form:*

And denotes the output difference of the round function. From Lemma 1, we have.

Proposition 1. *Let be one round differential characteristic of -dataline CAST256-like structure, then the following equations hold with probability 1.*(1)* for *(2)*(3)*

Proposition 1 can be verified directly from Lemma 1. In the following, we concentrate on two special differences which will help us to find the impossible differentials.

*Observation 1. *Let and be the same as in the previous observation, if , then

*Observation 2. *Let and be the output difference of the round, if , thenWe can conclude the following Lemma.

Lemma 2. *For the -dataline CAST256-like structure, there exists a rounds differential characteristicfrom encryption direction and an rounds differential characteristicfrom the decryption direction, both with probability 1.*

*Proof. *If the input difference is chosen as , according to Observation 1,Applying Proposition 1 repeatedly, the following equations must holdThen we arrive towhich implies the differentialexists.

From the decryption direction, if the output difference is set as , then by Observation 2, after rounds decryption, the input difference (from the encryption direction) is , and applying Observation times, we may clarify this Lemma (in Tables 2 and 3, we listed the whole procedure).

##### 3.2. Impossible Differentials for CAST256-like Structure with SP/SPS Round Function

Theorem 1. *Assume is the permutation layer of , where is a matrix over . Let , , if , are linearly independent, then for any -dimension vector , ,is an rounds impossible differential of .*

*Proof. *According to Lemma 2, we have from the encryption direction and from the decryption direction.

By the definition of , we getSimilarly,Since , are linearly independent and , we haveThis indicates , which means is an () rounds impossible differential of .

For most designs of permutation layer, we can easily find these , , which satisfy the condition of Theorem 1.

Corollary 1. *Assume is the diffusion layer of , if is a invertible matrix, , and , then for any -dimension vector , , is an () rounds impossible differential of .*

By considering the rounds differential proposed in Lemma 2, we can find an round impossible differential. And the result is concluded as follows.

Theorem 2. *Assume matrix is the permutation layer of and , then for any -dimension vector , if , then is an () rounds impossible differential of .*

*Proof. *Let the input and output difference of () rounds be and , respectively. By Lemma 2, we can conclude that from the encryption direction, the difference of the 2nd left most branch of round is , while from the decryption direction, this difference is .

If differential is possible, then equation is possible; then equationis possible.

Since for any , , so is at most 1. We also notice ; thus, , which means that is an () rounds impossible differential.

For , we have similar results.

Theorem 3. *Assume matrix is the diffusion layer of , if has entry “0”, then there exists () rounds impossible differentials of .*

*Proof. *Without loss of generality, we can assume that there exists , such that and . Let the input and output difference of () rounds be and , respectively. Since and , we haveFor , we have , since layer are parallel bijections and , we may obtain , so . And for , we haveso we concludeFor , we have , which implies ; thus, the two equations below hold:This means , which leads contradiction. This implies is an () rounds impossible differential of .

Now we consider a special case, when permutation layer is designed as a binary matrix.

Corollary 2. *Assume is the permutation layer of , where is a binary matrix with ; then for some , there exists () rounds impossible differential , where denotes the rank of matrix .*

*Proof. *Since , we know there exist some , such that and . This means or . Thus, by Theorem 3, we can conclude the result.

Corollary 2 indicates that for binary permutation layer, if its rank exceeds 2, then we can find such impossible differentials. Obviously, this condition is compatible for almost every design.

#### 4. Impossible Differential Distinguishers of MARS-like Structure

##### 4.1. Two Important Differential Characteristics of MARS-like Structure

The following lemma is trivial.

Lemma 3. *For the m-dataline MARS-like cipher, any nontrivial differential characteristic of the round function must be with the form , and denotes the output difference of the round function.**From Lemma 3, we can verify the properties as below.*

Proposition 2. *Let be one round differential characteristic of m-dataline MARS-like structure, then we have*(1)* for *(2)

*Observation 3. *Let , then for the -dataline MARS-like structure, there exists the following 1 round differential characteristic with probability 1:where .

*Observation 4. *Let and be the same as in the previous propositions; following this, ifthenBased on these two Observations, we can conclude the Lemma below.

Lemma 4. *For the m-dataline MARS-like structure, there exists a rounds differential characteristic from encryption direction and an rounds differential characteristic from the decryption direction, both with probability 1, where denotes one fixed difference and denotes some uncertain difference(s).*

*Proof. *Let be the input difference, then according to Proposition 3, after () rounds cascade, the output difference is turned into , then by Proposition 2, it holds applying Proposition 3 recursively, we have .

From the decryption direction, if the output difference is chosen as , then by Observation 4, we have . According to Proposition 2, we may obtain (in Tables 4 and 5, we listed the whole procedure).

##### 4.2. Retrieving Impossible Differential for MARS-Like Structure with SP/SPS Round Function

Before we start this section, we will introduce the definition of collect set.

*Definition 5. *(*collect set*) Let be an matrix over , is a binary vector. Then the *collect set* is defined as , the *characteristic function* of is defined asThe *pattern* of is defined as

Theorem 4. *Assume matrix over is the permutation layer of , if there exists nonzero -dimension vector over such that then is a rounds impossible differential of , where represents any nonzero vector.*

*Proof. *By Lemma 4 we havefrom the decryption direction.

We assume , thenThis indicates are linearly dependent, which is contradictory with . So , i.e., . However, by Lemma 4, we have from the encryption direction, and this leads to a contradiction. Thus is an impossible differential of .

Corollary 3. *Assume matrix over is the permutation layer of , if the branch number of is , then for any nonzero -dimension vector over such that , then is a rounds impossible differential of , where represents any nonzero vector.*

*Proof. *According to Definition 4, for any , which implies ; thus, is an impossible differential of .

Theorem 5. *Assume matrix over is the permutation layer of , if there exists nonzero -dimension vector over such that then is an rounds impossible differential of , where represents any nonzero vector.*

*Proof. *By Lemma 4 we have,from the decryption direction.

Since and , we can conclude . Thus, is a rounds impossible differential of .

According to Theorem 5, the case that the binary matrix employment is characterized as follows.

Corollary 4. *Assume binary matrix is the diffusion layer of , if exists and , such that andthen for any and nonzero vector is a rounds impossible differential of .*

*Proof. *We haveWhich tells . However, by the definition of , we have www and . Thus, .

Compared with other designs, binary diffusion layer has an obvious advantage in implementation and thus is a very common design, and for this case, the conditions of Corollary 4 are satiable for most of the time.

For , we can tell that if , then and . One can see can be represented by . Notice , we can change “” by “” in Corollary 3.

Corollary 5. *Assume matrix over is the diffusion layer of , if the branch number of is , then for any nonzero -dimension vector over such that , then is a rounds impossible differential of , where represents any nonzero -dimension vector.*

#### 5. Conclusion

Generalized Feistel structures are of great importance in modern block cipher design. Evaluating the strength of these structures can help us in constructing a security cipher. Among all the cryptanalysis technologies, impossible differential cryptanalysis is one of the most powerful attacks. This paper provides an improvement in finding the longest impossible differentials for two generalized Feistel structures named the CAST256-like structure and the MARS-like structure.

This paper bridges some links between impossible differentials and linear transformations. We provide some sufficient conditions on the linear transformations. By our results, people may find the possible longer impossible differentials by verifying some properties of the linear transformations. Thus, the properties we list in this paper should be considered carefully when using these two structures.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This study was funded by National Key R&D Program of China (2018YFB0803905).