#### Abstract

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are -dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation and Substitution Permutation Substitution types, they are called and , respectively. For , the best known result for the length of the impossible differential distinguisher was rounds, respectively. With the help of the linear layer , we can construct -round impossible differential distinguishers, where and are non-negative numbers if satisfies some restricted conditions. For , the best known result for the length of the impossible differential distinguisher was rounds. We can construct -round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.

#### 1. Introduction

Block ciphers are significant elements to construct symmetric cryptographic schemes. To design a block cipher, a proper structure needs to be selected carefully. Popular structures for designing block ciphers are Substitution Permutation Network (SPN) structures [1], Feistel structures [2], and generalized Feistel structures [3]. Since the encryption and decryption of generalized Feistel structures share the same round functions and similar structures, it makes the implementation more flexible and economical. Generalized Feistel structures have many types such as CAST256-like structure [4], MARS-like structure [5], and so on. At the same time, many famous block ciphers take generalized Feistel structures as their architectures, for example, CAST256 [6], MARS [7], and SMS4 [8].

Many effective methods were proposed for evaluating the security of block ciphers in the past decades. Among them, impossible differential attack is one of the most effective methods. It was independently proposed by Knudsen [9] and Biham et al. [10]. So far, impossible differential attack has given exciting works for AES [11], Camellia [12], SMS4 [8], etc. Impossible differential attack has two steps. The first one is to construct an impossible differential distinguisher as long as possible. The second one is to exploit the distinguisher to recover the master key. Thus, constructing long impossible differentials is the core step to make this attack. So far, the most popular method to construct impossible differentials is the miss-in-the-middle method [10]. It obtains contradictions from the middle differences which are encrypted and decrypted with probability 1 for the input difference and the output difference, respectively. If the middle differences cannot be matched with each other, the impossible differential distinguisher is constructed. Moreover, some automatic methods were proposed to construct impossible differentials with the help of computers [13â€“16].

As far as we know, many works paid attention to constructing impossible differential distinguishers of -dataline CAST256-like and MARS-like structures. For -dataline CAST256-like structure, when the round function is any bijective transformation, -round impossible differentials were presented by the method in [13]. Furthermore, when the round function takes type, 19/20-round impossible differentials of -dataline CAST256-like structure were constructed in [17]. Very recently, when the round function takes type and type, there existed -round impossible differentials, respectively [18].

For -dataline MARS-like structure, when the round function is any bijective transformation, -round impossible differentials were presented by the method in [13]. This result was improved to rounds in [19]. Furthermore, when the round function takes type, -round impossible differentials were found in [5]. Very recently, when the round function takes type, -round impossible differentials were constructed for some constrained linear layer [18].

Known results on impossible differentials of -dataline CAST256-like and MARS-like structures are presented in Table 1.

In this paper, we mainly study the impossible differential distinguishers of -dataline CAST256-like and MARS-like structures. For these two structures, we construct longer impossible differential distinguishers with the details of the linear transformation . Note that and the linear transformation is a bijective mapping throughout this paper. Moreover, denotes the primitive index of . Our contributions are presented below.(1)For -dataline CAST256-like structure, when the round function takes type (namely, ), the previous best result was presented in [18]. They showed that -round impossible differentials were constructed for , where denotes the differential branch number of . In this paper, we firstly remove the restricted condition and give -round impossible differentials for any bijective . It expands the range of the linear layer . Furthermore, if satisfies the condition that , -round impossible differentials are constructed. To satisfy the condition , some specific linear transformations are also presented.(2)For -dataline CAST256-like structure, when the round function takes type (namely, ), the previous best result was also presented in [18]. They showed that -round impossible differentials were constructed for . In this paper, if satisfies some conditions, -round impossible differentials are constructed. Moreover, some specific linear transformations are presented for satisfying the restricted conditions.(3)For -dataline MARS-like structure, when the round function takes type (namely, ), the previous best result of was also presented in [19]. They showed that -round impossible differentials were constructed with satisfying the bijective condition. In this paper, if has element in the diagonal line, we can construct -round impossible differentials which are 1 round longer than those in [19].

This paper is organized as follows. In Section 2, we give some notations and definitions that will be used in this paper. Then, with the help of , we construct longer impossible differential distinguishers of -dataline CAST256-like and MARS-like structures in Sections 3 and 4, respectively. Finally, Section 5 concludes this paper.

#### 2. Preliminary

##### 2.1. Notations

In this section, we give some notations used in this paper (Table 2). Note that all vectors used in our paper are column vectors and is the most significant element for a vector , where is defined by the -th element of .

It should be pointed out that when is a nonlinear bijective function, has many possible output difference values when the input difference . Thus, if some XORed each other, take to distinguish them, where . For example,

In addition, similar to the definition of , is defined by the output difference that propagates after continuous rounds of .

##### 2.2. Definitions

*Definition 1. *(SP networks) (see [1]). Let be nonlinear bijections, be the bijective linear layer, and be the round key. Then, the round function is defined bySimilarly, the round function is defined byIn this paper, the round functions of -dataline CAST256-like and MARS-like structures take type and type.

*Definition 2. *(Hamming weight) (see [20]). Let be an -dimension vector, and the Hamming weight of is defined byAccording to the definition, is equivalent to . It implies that when . Furthermore, is equivalent to for some .

*Definition 3. *(differential branch number) (see [1]). Let be a linear mapping, where is a matrix over . Then, the differential branch number of is defined byNote that if is a bijective linear mapping, according to the definition, .

*Definition 4. *(characteristic matrix) (see [20]). For , denote as the integer ring, and the characteristic matrix of is defined as , whereAccording to the definition of characteristic matrix, for an SPN cipher, means that the -th output block of one-round function is independent of the -th input block. Generally, let ; then, means that the -th output block of the -round SPN cipher is independent of the -th input block.

For a matrix , means that all elements of are positive.

*Definition 5. *(primitive index of linear transformation) (see [20]). The primitive index of the linear transformation is defined asAccording to the above definition, if , there exists at least one element in for .

#### 3. Revisiting Impossible Differential Distinguishers of -Dataline CAST256-Like Structure

In this section, the brief description of -dataline CAST256-like structure is first presented. Moreover, the differential propagation rules are investigated from the encryption and decryption directions. Furthermore, when the round function takes type and type, respectively, longer impossible differential distinguishers will be constructed for some linear layers .

##### 3.1. -Dataline CAST256-Like Structure

An -dataline CAST256-like structure consists of rounds, and each round is depicted in Figure 1. Let be the input of the -th round and and be the output and the round key of the -th round, respectively. One-round encryption is defined bywhere is the round function and .

To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 1. *Let and be the -th round input difference and output difference of -dataline CAST256-like structure. From the encryption direction, one-round differential propagation is given below:**From the decryption direction, one-round differential propagation is given below:**According to the encryption process of -dataline CAST256-like structure, the above proposition can be proved. In the encryption direction, the input difference is encrypted rounds with probability 1 as described in Table 3. Moreover, in the decryption direction, the output difference is decrypted rounds with probability 1. The differential characteristic is given in Table 4.**From Tables 3 and 4, the following proposition can be obtained.*

Proposition 2. *For -dataline CAST256-like structure, after encrypting rounds with the input difference , the following differential holds with probability 1:**Likewise, after decrypting rounds with the output difference , the following differential holds with probability 1:*

##### 3.2. Constructing Impossible Differential Distinguishers of -Dataline CAST256-Like Structure with -Type Round Function

When the round function of -dataline CAST-like structure is made up of type, we exploit the details of the linear layer to construct longer impossible differential distinguishers. Firstly, two lemmas are presented as follows.

Lemma 1. *If is a bijective mapping, if and only if .**Since is bijective, according to the bijective property, Lemma 1 can be easily proved. It also means that , . Especially, for layer in type and type which is a nonlinear bijective mapping, it does not change the nonzero difference positions for the differential propagation according to Lemma 1. It also implies that .*

Lemma 2. *For layer in type and type, if andthe equation holds.*

*Proof. *Firstly, we recall the definition of . It denotes that only the -th element of -dimension vector is nonzero and the others are zero. According to Lemma 1 and According to Lemma 2, for , when , the following equation holds:

Theorem 1. *For -dataline CAST256-like structure with -type round function, if , we can construct -round impossible differential distinguishers for any bijective linear layer as follows:*

*Proof. *From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, the following equation must hold:Taking into consideration, the above equation becomesSince is a linear bijective mapping,For the left part of equation (20),Since and ,â€‰Case 1: when , note that according to Lemma 2, and the left and right parts of equation (20) have different Hamming weights. So, equation (20) does not hold.â€‰Case 2: when , assume that . Take , where . According to Lemma 2, . The left and right parts of equation (20) could not match each other. So, equation (20) does not hold.Therefore, combined with the above two cases, equation (20) does not hold. It means that the middle differences could not match each other, and the -round differential is impossible.

In [18], -round impossible differential distinguishers were also constructed, but the linear layer is restricted to that satisfying the condition . However, in Theorem 1, the restricted condition of is removed and it is expanded to any bijective linear layer.

To construct longer impossible differential distinguishers, we need to exploit the details of the linear layer . When the primitive index of the linear layer satisfies , the following theorem is given.

Theorem 2. *For -dataline CAST256-like structure with -type round function, if and , -round impossible differential distinguishers could be constructed, where*

*Proof. *To prove this theorem, we compare with for two cases.â€‰Case 1: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible,â€‰Taking into consideration, the above equation becomesâ€‰Since is a linear bijective mapping,â€‰In the left part of equation (26), there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be .â€‰In the right part of equation (26), since , we take . According to Lemma 2., . So, the -th element of is not equal to .â€‰Therefore, equation (26) cannot hold. In this case, we can construct -round impossible differential distinguishers.â€‰Case 2: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible,â€‰Taking into consideration, the above equation becomesâ€‰Since is a linear bijective mapping,â€‰In the left part of equation (29), since , there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be .â€‰In the right part of equation (29), it is similar to Case 1. Thus, if we take , the -th element of is not equal to .â€‰Therefore, equation (29) does not hold. In this case, we can construct -round impossible differential distinguishers.Combined with the above two cases, we can construct -round impossible differential distinguishers, whereIt is equivalent to .

In [18], -round impossible differential distinguishers were constructed. According to Theorem 2, we can construct -round impossible differentials which are rounds longer than before. The restricted condition can be satisfied easily. We present some specific linear transformations satisfying the condition. For example, we first present of Skinny block cipher [21] below:With the definition of , we calculate for . According to Theorem 2, if the linear transformation takes and , . Therefore, we can construct -round impossible differential distinguishers for -dataline CAST256-like structure with -type round function. They are round longer than those in [18]. Moreover, we present another example. For the linear transformation of Skinny block cipher which is , it is given below:We calculate for . According to Theorem 2, if the linear transformation takes and , . Therefore, we can construct -round impossible differential distinguishers. They are rounds longer than those in [18].

In brief, combined with Theorem 1 and Theorem 2, for -dataline CAST256-like structure with -type round function, the results on the impossible differential distinguishers have been improved. Especially, when , we can construct longer impossible differentials.

##### 3.3. Constructing Impossible Differential Distinguishers of -Dataline CAST256-Like Structure with -Type Round Function

For -dataline CAST256-like structure with -type round function, -round impossible differential distinguishers were constructed for [18]. In this section, we will construct longer impossible differential distinguishers with the details of . We present the following theorem as follows.

Theorem 3. *For -dataline CAST256-like structure with -type round function, if and , we can construct -round impossible differential distinguishers , where and*

*Proof. *To prove this theorem, we compare with for two cases.â€‰Case 1: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible,â€‰Taking into consideration, the above equation becomesâ€‰In the left part of equation (35), there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be .â€‰In the right part of equation (35), when one column of is , assume that the -th column of is , i.e., , taking and . Furthermore, according to Lemma 2,â€‰So, the -th element of is not equal to .â€‰Therefore, equation (35) does not hold. In this case, we can construct -round impossible differential distinguishers.â€‰Case 2: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible,â€‰Taking into consideration, the above equation becomesâ€‰In the left part of equation (38), since , there exists at least one element in the matrix . It is similar to Case 1, and we can construct -round impossible differential distinguishers.Combined with the above two cases, we can construct -round impossible differential distinguishers, whereIt is equivalent to .

In [18], -round impossible differential distinguishers were constructed. According to Theorem 3, we can construct rounds longer than before. Moreover, we present a specific linear transformation satisfying the restricted condition in Theorem 3. For which is described in Section 3.2, we calculate . and are given below, respectively.When and , we can find that the -th column of is and . Therefore, satisfies the restricted condition in Theorem 3. Moreover, . Thus, for -dataline CAST256-like structure with -type round function, if takes and , we can construct 4-round impossible differentials longer than those in [18].

#### 4. Revisiting Impossible Differential Distinguishers of -Dataline MARS-Like Structure

In this section, we first introduce -dataline MARS-like structure and present the differential propagation rules from the encryption and decryption directions. Then, when the round function takes type, -round impossible differential distinguishers will be constructed. It should be pointed out that and should be even number in this section.

##### 4.1. -Dataline MARS-Like Structure

An -dataline MARS-like structure consists of rounds, and each round is depicted in Figure 2.

Let be the input of the -th round and and be the output and the round key of the -th round, respectively. One-round encryption is defined bywhere is the round function and .

##### 4.2. Constructing Impossible Differential Distinguishers of -Dataline MARS-Like Structure with -Type Round Function

To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 3. *Let and be the -th round input difference and output difference of -dataline MARS-like structure. From the encryption direction, one-round differential propagation is presented below:**From the decryption direction, one-round differential propagation is presented below:**According to the encryption process of MARS-like structure, the above proposition can be proved. Moreover, from the encryption direction, the input difference is encrypted rounds with probability 1 as described in Table 5. In this table, . Similarly, from the decryption direction, the output difference is decrypted rounds with probability 1 as described in Table 6. In this table, .**If -round differential is a possible differential, the middle differences need to match each other. Thus, the following equations need to be satisfied:**Solving the above equations,**Since is bijective, according to Lemma 1,**Thus,**When the round function of -dataline MARS-like structure takes type, the impossible differential distinguishers can be constructed with the following theorem.*