Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Shen, Xuan; Cheng, Lei; Sun, Bing; He, Jun

doi:https://doi.org/10.1155/2021/5582711

Security and Communication Networks

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2021 | Article ID 5582711 | https://doi.org/10.1155/2021/5582711

Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Xuan Shen,¹Lei Cheng,²Bing Sun,²and Jun He¹

Academic Editor: Stelvio Cimato

Received27 Feb 2021

Accepted19 May 2021

Published01 Jun 2021

Abstract

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are -dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation and Substitution Permutation Substitution types, they are called and , respectively. For , the best known result for the length of the impossible differential distinguisher was rounds, respectively. With the help of the linear layer , we can construct -round impossible differential distinguishers, where and are non-negative numbers if satisfies some restricted conditions. For , the best known result for the length of the impossible differential distinguisher was rounds. We can construct -round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.

1. Introduction

Block ciphers are significant elements to construct symmetric cryptographic schemes. To design a block cipher, a proper structure needs to be selected carefully. Popular structures for designing block ciphers are Substitution Permutation Network (SPN) structures [1], Feistel structures [2], and generalized Feistel structures [3]. Since the encryption and decryption of generalized Feistel structures share the same round functions and similar structures, it makes the implementation more flexible and economical. Generalized Feistel structures have many types such as CAST256-like structure [4], MARS-like structure [5], and so on. At the same time, many famous block ciphers take generalized Feistel structures as their architectures, for example, CAST256 [6], MARS [7], and SMS4 [8].

Many effective methods were proposed for evaluating the security of block ciphers in the past decades. Among them, impossible differential attack is one of the most effective methods. It was independently proposed by Knudsen [9] and Biham et al. [10]. So far, impossible differential attack has given exciting works for AES [11], Camellia [12], SMS4 [8], etc. Impossible differential attack has two steps. The first one is to construct an impossible differential distinguisher as long as possible. The second one is to exploit the distinguisher to recover the master key. Thus, constructing long impossible differentials is the core step to make this attack. So far, the most popular method to construct impossible differentials is the miss-in-the-middle method [10]. It obtains contradictions from the middle differences which are encrypted and decrypted with probability 1 for the input difference and the output difference, respectively. If the middle differences cannot be matched with each other, the impossible differential distinguisher is constructed. Moreover, some automatic methods were proposed to construct impossible differentials with the help of computers [13–16].

As far as we know, many works paid attention to constructing impossible differential distinguishers of -dataline CAST256-like and MARS-like structures. For -dataline CAST256-like structure, when the round function is any bijective transformation, -round impossible differentials were presented by the method in [13]. Furthermore, when the round function takes type, 19/20-round impossible differentials of -dataline CAST256-like structure were constructed in [17]. Very recently, when the round function takes type and type, there existed -round impossible differentials, respectively [18].

For -dataline MARS-like structure, when the round function is any bijective transformation, -round impossible differentials were presented by the method in [13]. This result was improved to rounds in [19]. Furthermore, when the round function takes type, -round impossible differentials were found in [5]. Very recently, when the round function takes type, -round impossible differentials were constructed for some constrained linear layer [18].

Known results on impossible differentials of -dataline CAST256-like and MARS-like structures are presented in Table 1.

In this paper, we mainly study the impossible differential distinguishers of -dataline CAST256-like and MARS-like structures. For these two structures, we construct longer impossible differential distinguishers with the details of the linear transformation . Note that and the linear transformation is a bijective mapping throughout this paper. Moreover, denotes the primitive index of . Our contributions are presented below.(1)For -dataline CAST256-like structure, when the round function takes type (namely, ), the previous best result was presented in [18]. They showed that -round impossible differentials were constructed for , where denotes the differential branch number of . In this paper, we firstly remove the restricted condition and give -round impossible differentials for any bijective . It expands the range of the linear layer . Furthermore, if satisfies the condition that , -round impossible differentials are constructed. To satisfy the condition , some specific linear transformations are also presented.(2)For -dataline CAST256-like structure, when the round function takes type (namely, ), the previous best result was also presented in [18]. They showed that -round impossible differentials were constructed for . In this paper, if satisfies some conditions, -round impossible differentials are constructed. Moreover, some specific linear transformations are presented for satisfying the restricted conditions.(3)For -dataline MARS-like structure, when the round function takes type (namely, ), the previous best result of was also presented in [19]. They showed that -round impossible differentials were constructed with satisfying the bijective condition. In this paper, if has element in the diagonal line, we can construct -round impossible differentials which are 1 round longer than those in [19].

This paper is organized as follows. In Section 2, we give some notations and definitions that will be used in this paper. Then, with the help of , we construct longer impossible differential distinguishers of -dataline CAST256-like and MARS-like structures in Sections 3 and 4, respectively. Finally, Section 5 concludes this paper.

2. Preliminary

2.1. Notations

In this section, we give some notations used in this paper (Table 2). Note that all vectors used in our paper are column vectors and is the most significant element for a vector , where is defined by the -th element of .

It should be pointed out that when is a nonlinear bijective function, has many possible output difference values when the input difference . Thus, if some XORed each other, take to distinguish them, where . For example,

In addition, similar to the definition of , is defined by the output difference that propagates after continuous rounds of .

2.2. Definitions

Definition 1. (SP networks) (see [1]). Let be nonlinear bijections, be the bijective linear layer, and be the round key. Then, the round function is defined bySimilarly, the round function is defined byIn this paper, the round functions of -dataline CAST256-like and MARS-like structures take type and type.

Definition 2. (Hamming weight) (see [20]). Let be an -dimension vector, and the Hamming weight of is defined byAccording to the definition, is equivalent to . It implies that when . Furthermore, is equivalent to for some .

Definition 3. (differential branch number) (see [1]). Let be a linear mapping, where is a matrix over . Then, the differential branch number of is defined byNote that if is a bijective linear mapping, according to the definition, .

Definition 4. (characteristic matrix) (see [20]). For , denote as the integer ring, and the characteristic matrix of is defined as , whereAccording to the definition of characteristic matrix, for an SPN cipher, means that the -th output block of one-round function is independent of the -th input block. Generally, let ; then, means that the -th output block of the -round SPN cipher is independent of the -th input block.
For a matrix , means that all elements of are positive.

Definition 5. (primitive index of linear transformation) (see [20]). The primitive index of the linear transformation is defined asAccording to the above definition, if , there exists at least one element in for .

3. Revisiting Impossible Differential Distinguishers of -Dataline CAST256-Like Structure

In this section, the brief description of -dataline CAST256-like structure is first presented. Moreover, the differential propagation rules are investigated from the encryption and decryption directions. Furthermore, when the round function takes type and type, respectively, longer impossible differential distinguishers will be constructed for some linear layers .

3.1. -Dataline CAST256-Like Structure

An -dataline CAST256-like structure consists of rounds, and each round is depicted in Figure 1. Let be the input of the -th round and and be the output and the round key of the -th round, respectively. One-round encryption is defined bywhere is the round function and .

To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 1. Let and be the -th round input difference and output difference of -dataline CAST256-like structure. From the encryption direction, one-round differential propagation is given below:From the decryption direction, one-round differential propagation is given below:According to the encryption process of -dataline CAST256-like structure, the above proposition can be proved. In the encryption direction, the input difference is encrypted rounds with probability 1 as described in Table 3. Moreover, in the decryption direction, the output difference is decrypted rounds with probability 1. The differential characteristic is given in Table 4.
From Tables 3 and 4, the following proposition can be obtained.

Proposition 2. For -dataline CAST256-like structure, after encrypting rounds with the input difference , the following differential holds with probability 1:Likewise, after decrypting rounds with the output difference , the following differential holds with probability 1:

3.2. Constructing Impossible Differential Distinguishers of -Dataline CAST256-Like Structure with -Type Round Function

When the round function of -dataline CAST-like structure is made up of type, we exploit the details of the linear layer to construct longer impossible differential distinguishers. Firstly, two lemmas are presented as follows.

Lemma 1. If is a bijective mapping, if and only if .
Since is bijective, according to the bijective property, Lemma 1 can be easily proved. It also means that , . Especially, for layer in type and type which is a nonlinear bijective mapping, it does not change the nonzero difference positions for the differential propagation according to Lemma 1. It also implies that .

Lemma 2. For layer in type and type, if andthe equation holds.

Proof. Firstly, we recall the definition of . It denotes that only the -th element of -dimension vector is nonzero and the others are zero. According to Lemma 1 and According to Lemma 2, for , when , the following equation holds:

Theorem 1. For -dataline CAST256-like structure with -type round function, if , we can construct -round impossible differential distinguishers for any bijective linear layer as follows:

Proof. From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, the following equation must hold:Taking into consideration, the above equation becomesSince is a linear bijective mapping,For the left part of equation (20),Since and , Case 1: when , note that according to Lemma 2, and the left and right parts of equation (20) have different Hamming weights. So, equation (20) does not hold. Case 2: when , assume that . Take , where . According to Lemma 2, . The left and right parts of equation (20) could not match each other. So, equation (20) does not hold.Therefore, combined with the above two cases, equation (20) does not hold. It means that the middle differences could not match each other, and the -round differential is impossible.
In [18], -round impossible differential distinguishers were also constructed, but the linear layer is restricted to that satisfying the condition . However, in Theorem 1, the restricted condition of is removed and it is expanded to any bijective linear layer.
To construct longer impossible differential distinguishers, we need to exploit the details of the linear layer . When the primitive index of the linear layer satisfies , the following theorem is given.

Theorem 2. For -dataline CAST256-like structure with -type round function, if and , -round impossible differential distinguishers could be constructed, where

Proof. To prove this theorem, we compare with for two cases. Case 1: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, Taking into consideration, the above equation becomes Since is a linear bijective mapping, In the left part of equation (26), there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be . In the right part of equation (26), since , we take . According to Lemma 2., . So, the -th element of is not equal to . Therefore, equation (26) cannot hold. In this case, we can construct -round impossible differential distinguishers. Case 2: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, Taking into consideration, the above equation becomes Since is a linear bijective mapping, In the left part of equation (29), since , there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be . In the right part of equation (29), it is similar to Case 1. Thus, if we take , the -th element of is not equal to . Therefore, equation (29) does not hold. In this case, we can construct -round impossible differential distinguishers.Combined with the above two cases, we can construct -round impossible differential distinguishers, whereIt is equivalent to .
In [18], -round impossible differential distinguishers were constructed. According to Theorem 2, we can construct -round impossible differentials which are rounds longer than before. The restricted condition can be satisfied easily. We present some specific linear transformations satisfying the condition. For example, we first present of Skinny block cipher [21] below:With the definition of , we calculate for . According to Theorem 2, if the linear transformation takes and , . Therefore, we can construct -round impossible differential distinguishers for -dataline CAST256-like structure with -type round function. They are round longer than those in [18]. Moreover, we present another example. For the linear transformation of Skinny block cipher which is , it is given below:We calculate for . According to Theorem 2, if the linear transformation takes and , . Therefore, we can construct -round impossible differential distinguishers. They are rounds longer than those in [18].
In brief, combined with Theorem 1 and Theorem 2, for -dataline CAST256-like structure with -type round function, the results on the impossible differential distinguishers have been improved. Especially, when , we can construct longer impossible differentials.

3.3. Constructing Impossible Differential Distinguishers of -Dataline CAST256-Like Structure with -Type Round Function

For -dataline CAST256-like structure with -type round function, -round impossible differential distinguishers were constructed for [18]. In this section, we will construct longer impossible differential distinguishers with the details of . We present the following theorem as follows.

Theorem 3. For -dataline CAST256-like structure with -type round function, if and , we can construct -round impossible differential distinguishers , where and

Proof. To prove this theorem, we compare with for two cases. Case 1: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, Taking into consideration, the above equation becomes In the left part of equation (35), there exists at least one element in the matrix . Assume that , and when we take , the -th element of must be . In the right part of equation (35), when one column of is , assume that the -th column of is , i.e., , taking and . Furthermore, according to Lemma 2, So, the -th element of is not equal to . Therefore, equation (35) does not hold. In this case, we can construct -round impossible differential distinguishers. Case 2: when , . From the encryption and decryption directions, the differential with the input and the output propagates and rounds, respectively. According to Proposition 2, if the differential is possible, Taking into consideration, the above equation becomes In the left part of equation (38), since , there exists at least one element in the matrix . It is similar to Case 1, and we can construct -round impossible differential distinguishers.Combined with the above two cases, we can construct -round impossible differential distinguishers, whereIt is equivalent to .
In [18], -round impossible differential distinguishers were constructed. According to Theorem 3, we can construct rounds longer than before. Moreover, we present a specific linear transformation satisfying the restricted condition in Theorem 3. For which is described in Section 3.2, we calculate . and are given below, respectively.When and , we can find that the -th column of is and . Therefore, satisfies the restricted condition in Theorem 3. Moreover, . Thus, for -dataline CAST256-like structure with -type round function, if takes and , we can construct 4-round impossible differentials longer than those in [18].

4. Revisiting Impossible Differential Distinguishers of -Dataline MARS-Like Structure

In this section, we first introduce -dataline MARS-like structure and present the differential propagation rules from the encryption and decryption directions. Then, when the round function takes type, -round impossible differential distinguishers will be constructed. It should be pointed out that and should be even number in this section.

4.1. -Dataline MARS-Like Structure

An -dataline MARS-like structure consists of rounds, and each round is depicted in Figure 2.

Let be the input of the -th round and and be the output and the round key of the -th round, respectively. One-round encryption is defined bywhere is the round function and .

4.2. Constructing Impossible Differential Distinguishers of -Dataline MARS-Like Structure with -Type Round Function

To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 3. Let and be the -th round input difference and output difference of -dataline MARS-like structure. From the encryption direction, one-round differential propagation is presented below:From the decryption direction, one-round differential propagation is presented below:According to the encryption process of MARS-like structure, the above proposition can be proved. Moreover, from the encryption direction, the input difference is encrypted rounds with probability 1 as described in Table 5. In this table, . Similarly, from the decryption direction, the output difference is decrypted rounds with probability 1 as described in Table 6. In this table, .
If -round differential is a possible differential, the middle differences need to match each other. Thus, the following equations need to be satisfied:Solving the above equations,Since is bijective, according to Lemma 1,Thus,When the round function of -dataline MARS-like structure takes type, the impossible differential distinguishers can be constructed with the following theorem.

Theorem 4. For -dataline MARS-like structure with -type round function, if there exists one element in the diagonal line of , -round impossible differential distinguishers can be constructed as follows:where

Proof. When is a -round possible differential, the following equation needs to be satisfied:Given that takes type, the above equation becomesSince , we take where denotes that the -th element of -dimension vector is and the others can be arbitrary values. Moreover, . Furthermore, which conflicts with in the -th element. Therefore, equation (50) does not hold.
In [19], -round impossible differential distinguishers were constructed for -dataline MARS-like structure with -type round function. According to Theorem 4, we can construct 1 round longer than before. Moreover, some specific linear transformations satisfying the condition in Theorem 4 are presented. For example, of Midori block cipher [22] is described below:In this matrix, we can observe that . Therefore, satisfies the restricted condition in Theorem 4. Furthermore, and described in Section 3.2 also satisfy the condition.

5. Conclusions

In this paper, we investigated impossible differential distinguishers of -dataline CAST256-like structure and -dataline MARS-like structure. Longer impossible differentials for them were constructed with the help of the linear transformation . Moreover, given that the dual relationship between impossible differentials and zero correlation linear hulls which is presented by Sun Bing et al. at CRYPTO 2015, our results may also be applied to construct zero correlation linear hulls of these two structures. In brief, our results not only are useful to improve the impossible differential attack on these two structures from the cryptanalysis view but also provide guidance to select better linear transformation for improving the security from the designer’s view.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This study was funded by the National Natural Science Foundation of China (nos. 62002370 and 61772545).

References

J. Daemen and R. Vincent, “The design of Rijndael: AES-the advanced encryption standard,” in Information Security and Cryptography, Springer, Berlin, Germany, 2002.
View at: Google Scholar
Data Encryption Standard, Federal Information Processing Standards Publication 46, vol. 23, National Bureau of Standards, US Department of Commerce, Gaithersburg, MY, USA, 1977.
K. Nyberg, “Generalized feistel networks,” in In Proceedings of the International Conference on the Heory and Application of Cryptology and Information Security, pp. 91–104, Springer, Kolbe, Japan, December 1996.
View at: Publisher Site | Google Scholar
S. Yanagihara and T. Iwata, “Improving the permutation layer of type 1, type 3, source-heavy, and target-heavy generalized Feistel structures,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E96.A, no. 1, pp. 2–14, 2013.
View at: Publisher Site | Google Scholar
L. Cheng and C. Li, “Revisiting impossible differentials of MARS-like structures,” IET Information Security, vol. 11, no. 5, pp. 273–276, 2017.
View at: Publisher Site | Google Scholar
C. Adams and J. Gilchrist, “The CAST-256 encryption algorithm,” Network Working Group, The Internet Society, Reston, VI, USA, 1999.
View at: Google Scholar
C. Burwick, D. Coppersmith, E. DAvignon et al., “MARS-a candidate cipher for AES,” NIST AES Proposal, vol. 268, 1998.
View at: Google Scholar
L. Cheng, B. Sun, and C. Li, “Revised cryptanalysis for SMS4,” Science China Information Science, vol. 60, Article ID 122101, p. 9, 2017.
View at: Publisher Site | Google Scholar
L. R. Knudsen, “Deal—a 128-bit block cipher,” University of Bergen, Department of Informatics, Bergen, Norway, 1998, Technical Report 151.
View at: Google Scholar
E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials,” Journal of Cryptology, vol. 18, no. 4, pp. 291–311, 2005.
View at: Publisher Site | Google Scholar
W. Zhang, W. Wu, and D. Feng, “New results on impossible differential cryptanalysis of reduced AES,” in Proceedings of International Conference on Information Security and Cryptology, pp. 239–250, Springer, Seoul, Korea, November 2007.
View at: Google Scholar
W.-L. Wu, W.-T. Zhang, and D.-G. Feng, “Impossible differential cryptanalysis of reduced-round aria and camellia,” Journal of Computer Science and Technology, vol. 22, no. 3, pp. 449–456, 2007.
View at: Publisher Site | Google Scholar
J. Kim, S. Hong, J. Sung et al., “Impossible differential cryptanalysis for block cipher structures,” in Proceedings of the International Conference on Cryptology in India, pp. 82–96, Springer, New Delhi, India, December 2003.
View at: Publisher Site | Google Scholar
Y. Luo, X. Lai, Z. Wu et al., “A unified method for finding impossible differentials of block cipher structures,” Information Science, vol. 263, pp. 211–220, 2014.
View at: Publisher Site | Google Scholar
S. Wu and M. Wang, “Automatic search of truncated impossible differentials for word-oriented block ciphers,” in Proceedings of the International Conference on Cryptology in India, pp. 283–302, Springer, Kolkata, India, December 2012.
View at: Publisher Site | Google Scholar
Y. Sasaki and Y. Todo, “New impossible differential search tool from design and cryptanalysis aspects,” in Advances in Cryptology-EUROCRYPT 2017, J.-S. Coron and J. B. Nielsen, Eds., pp. 185–215, Springer-Verlag, Paris, France, 2017.
View at: Publisher Site | Google Scholar
T. Cui, C. Jin, and J. Ma, “A new Method for finding impossible differentials of Generalized Feistel Structures,” Chinese Journal of Electronics, vol. 27, no. 4, pp. 728–733, 2018.
View at: Publisher Site | Google Scholar
H. Wang, W. Ma, L. Liao et al., “Impossible differential distinguishers of two generalized feistel structures,” Security and Communication Networks, vol. 2020, Article ID 8828504, 9 pages, 2020.
View at: Publisher Site | Google Scholar
W. Xue and X. Lai, “Impossible differential cryptanalysis of MARS-like structures,” IET Information Security, vol. 9, no. 4, pp. 219–222, 2015.
View at: Publisher Site | Google Scholar
B. Sun, M. Liu, J. Guo et al., “Provable security evaluation of structures against impossible differential and zero correlation linear cryptanalysis,” in EUROCRYPT 2016, LNCS, M. Fischlin and J.-S. Coron, Eds., vol. 9665, pp. 196–213, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site | Google Scholar
C. Beierle, J. Jean, S. Kolbl et al., “The SKINNY family of block ciphers and its low-latency variant MANTIS,” in Proceedings of Annual Cryptology Conference, pp. 123–153, Springer, Berlin Heidelberg, August 2016.
View at: Publisher Site | Google Scholar
M. Li, J. Guo, J. Cui et al., “Truncated impossible differential cryptanalysis of Midori-64,” Journal of Software, vol. 30, no. 8, pp. 2337–2348, 2019.
View at: Google Scholar

Copyright

Copyright © 2021 Xuan Shen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

261

Downloads

513

Citations