Mind the Propagation of States

Hu, Xichao; Li, Yongqiang; Jiao, Lin; Tian, Shizhu; Wang, Mingsheng

doi:10.1007/978-3-030-64837-4_14

Xichao Hu^10,11,
Yongqiang Li^10,11,
Lin Jiao¹²,
Shizhu Tian^10,11 &
…
Mingsheng Wang^10,11

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12491))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

1661 Accesses
7 Citations

Abstract

Impossible differentials cryptanalysis and impossible polytopic cryptanalysis are the most effective approaches to estimate the security of block ciphers. However, the previous automatic search methods of their distinguishers, impossible differentials and impossible polytopic transitions, neither consider the impact of key schedule in the single-key setting and the differential property of large S-boxes, nor apply to the block ciphers with variable rotations.

Thus, unlike previous methods which focus on the propagation of the difference or s-difference, we redefine the impossible differentials and impossible $(s+1)$-polytopic transitions according to the propagation of state, which allow us to break through those limitations of the previous methods. Theoretically, we prove that traditional impossible differentials and impossible $(s+1)$-polytopic transitions are equivalent to part of our redefinitions, which have advantages from broader view. Technically, we renew the automatic search model and design an SAT-based tool to evaluate our redefined impossible differentials and impossible $(s+1)$-polytopic transitions efficiently.

As a result, for GIFT64, we get the 6-round impossible differentials which cannot be detected by all previous tools. For PRINTcipher, we propose the first modeling method for the key-dependent permutation and key-dependent S-box. For MISTY1, we derive 902 4-round impossible differentials by exploiting the differential property of S-boxes. For RC5, we present the first modeling method for the variable rotation and get 2.5-round impossible differentials for each version of it. More remarkable, our tool can be used to evaluate the security of given cipher against the impossible differentials, and we prove that there exists no 5-round 1 input active word and 1 output active word impossible differentials for AES-128 even consider the relations of 3-round keys. Besides, we also get the impossible $(s+1)$-polytopic transitions for PRINTcipher, GIFT64, PRESENT, and RC5, all of which can cover more rounds than their corresponding impossible differentials as far as we know.

You have full access to this open access chapter, Download conference paper PDF

Automatic Search Model for Related-Tweakey Impossible Differential Cryptanalysis

Convexity of Division Property Transitions: Theory, Algorithms and Compact Models

Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon

Keywords

1 Introduction

Impossible differential cryptanalysis was proposed by Biham et al. and Knudsen respectively, where Biham et al. used it to analyze the security of Skipjack [4], and Knudsen utilized it to analyze the security of DEAL [14]. Up to now, impossible differential cryptanalysis has been applied to lots of block ciphers, such as AES [18], SIMON [8], XTEA [9], and so on. There is no doubt that it is one of the most effective cryptanalytic approaches to evaluate the security of block ciphers.

In the impossible differential cryptanalysis, attackers derive the right keys by discarding the wrong keys that lead to the impossible differentials inherent to the given cipher. Thus how to find an impossible differential as longer as possible is the most essential and critical problem in regard to this kind of attacks.

Impossible $(s+1)$-polytopic cryptanalysis was proposed by Tiessen [29], which is a generalization of impossible differential cryptanalysis. Unlike the impossible differentials are constructed by considering the interdependencies of the differences of two plaintexts and the accordingly two ciphertexts, the distinguishers of impossible $(s+1)$-polytopic cryptanalysis, named impossible $(s+1)$-polytopic transitions, are constructed by considering the interdependencies between the s-differences of $(s+1)$ plaintexts and $(s+1)$ ciphertexts^{Footnote 1}.

In the last 20 years, using automatic tools to search the distinguishers becomes a new trend. The first automatic tool for the impossible differentials is presented by Kim et al. [13], named $\mathcal {U}$-method. Then, Luo et al. [17] extended it as UID-method. After that, Wu and Wang [31] introduced another method using the idea of solving equations, called $\mathcal {WW}$-method. However, those tools to search impossible differentials cannot describe the details of S-boxes, which waste plenty of differential property of the propagation.

This problem is settled with the application of the Mixed Integer Linear Programming (MILP) method to symmetric cryptography. The MILP problem is a mathematical optimization problem that finds the minimum or maximum value of some objective function under the conditions of linear equations and inequalities of integer variables. Mouha et al. [22] first introduced it to symmetric cryptography to find the lower bound on the number of active S-boxes for both differential and linear cryptanalysis. Later, Sun et al. [28] proposed the modelling method to depict the valid differential propagation of small S-boxes (typically 4 bits), and Fu et al. [12] presented the modelling method to depict all the valid differential/linear characteristics propagations of modular addition. Thus, the differential propagation of any round for the small S-boxes based block ciphers and ARX block ciphers can be modeled by a set of linear inequalities accurately.

On that basis, Cui et al. [10] proposed a MILP-based tool to search the impossible differentials for lightweight block ciphers, and an algorithm to verify the impossible differentials. Soon after, Sasaki and Todo [27] presented a MILP-based tool to search the impossible differential for SPN block ciphers. In particular, they proposed the best search method at present for large S-boxes based block ciphers, named the arbitrary S-box mode, which only treats the large S-boxes as permutations in order to make their tool valid to detect the contradiction in linear components.

However, the previous automatic search tools for impossible differentials have the following limitations in general.

Previous tools cannot take into account the key schedule in the single-key setting.
Previous tools cannot consider the differential property of large S-boxes.
Previous tools cannot be applied to the block ciphers with variable rotation.

As to impossible polytopic transitions, there was only a search method proposed for DES and AES in the original paper [29]. However, due to the limitation that the searching spaces increase rapidly with the number of rounds, this method can only be confined to a small number of rounds. Besides, this tool cannot take into account the key schedule in the single-key setting and be applied to the block ciphers with variable rotations either.

Our Contributions. In this paper, we define a series of new notations, s-polygon to describe a tuple with s states, s-polygonal trail to depict the propagation of s-polygon, possible s-polygons and impossible s-polygons to depict the relations between two s-polygons.

Then, unlike the traditional impossible differentials and impossible $(s+1)$-polytopic transitions that are constituted according to the propagation of difference and s-difference, we redefine the impossible differentials and impossible $(s+1)$-polytopic transitions based on the propagation of the s-polygon^{Footnote 2}. Thus, the key schedule in the single-key setting can be considered in the construction of redefined impossible differentials and impossible $(s+1)$-polytopic transitions. We define the i-impossible differential (resp. i-impossible $(s+1)$-polytopic transition) to represent the redefined impossible differential (resp. impossible $(s+1)$-polytopic transition) which is constituted in the round key independent setting and d-impossible differential (resp. d-impossible $(s+1)$-polytopic transition) to represent the redefined impossible differential (resp. impossible $(s+1)$-polytopic transition) which is constituted by considering the key schedule.

Next, we study the relation between our redefined impossible differential (resp. impossible $(s+1)$-polytopic transition) and traditional impossible differential (resp. impossible $(s+1)$-polytopic transition). We show that the i-impossible differential (resp. i-impossible $(s+1)$-polytopic transition) is equivalent to traditional impossible differential (resp. impossible $(s+1)$-polytopic transition) which is constructed by taking into account the inside property of S-boxes for the block ciphers with SPN or Feistel structures and the block cipher MISTY1.

Finally, we model the propagations of states by the statements in the CVC format of STP^{Footnote 3} (a solver of the SAT problem) for each operation, and design an SAT-based unified automatic tool for searching the redefined impossible differential and impossible $(s+1)$-polytopic transition. Since traditional impossible differential is equivalent to the i-impossible differential and traditional impossible $(s+1)$-polytopic transition is equivalent to the i-impossible $(s+1)$-polytopic transition, our tool can be used to search the traditional impossible differential and traditional impossible $(s+1)$-polytopic transition. Furthermore, our tool has the following advantages.

Able to Search the Distinguishers by Considering the Impact of Key Schedule in the Single-Key Setting. Our automatic search tool focuses on the propagations of states, which are impacted by the value of key. By adding the constraints of key variables according to the key schedule, it can be used to search the impossible differentials and impossible $(s+1)$-polytopic transitions in the single-key setting confirming the key schedule. As far as we know, this is the first automatic search tool that considers the impact of key schedule in the single-key setting for impossible differentials and impossible $(s+1)$-polytopic transitions.
Able to Search the Distinguishers for the Block Ciphers with Variable Rotation. In this paper, by exploiting the conditional term of the CVC format, we propose a novel method to model the propagations of states for variable rotation. This method allows us to search the impossible differentials and impossible $(s+1)$-polytopic transitions for block ciphers with variable rotation automatically. As far as we know, this is the first automatic search method for such type of block ciphers.
Able to Search Impossible Differentials for Block Ciphers with Large S-boxes by Considering the Differential Property of Large S-boxes. We make use of the conditional terms to model the propagations of states for large S-boxes. This way allows us to search the impossible differentials for the block ciphers with large S-boxes by considering the differential property of large S-boxes. As far as we know, this is the first automatic tool to search the impossible differentials for such ciphers taking account in the differential property of large S-boxes.
New Proving Tool for Resisting Impossible Differentials in Aspect of Cipher Design. Our tool not only can be used to evaluate the security of block ciphers against traditional impossible differentials for block ciphers with large S-box in the case of considering the differential property of large S-boxes, but also can be used to evaluate the security of block ciphers (includes block ciphers with key-dependent permutation) against the impossible differentials in the case of considering the key schedule in the single-key setting. It is very favorable in aspect of block ciphers design and assessment.

We apply our tool to various block ciphers, these results can be divided into three aspects^{Footnote 4}.

Deriving New Impossible Differentials

For GIFT64 [2], we get the 6-round impossible differentials, which cannot be detected by Sun et al.’s method or Sasaki et al.’s method. This result shows that, our tool can detect more contradictions than the previous methods.
For PRINTcipher48/96 [15], we can not only give the first modeling method for the key-dependent permutation, but also give the first direct modeling method for the key-dependent S-box, which is consisted of the key-dependent permutation and the fixed S-box. Take either of the two modeling methods, by considering all the details of the key schedule, we found 730 4-round impossible differentials for PRINTcipher48 and 234 5-round impossible differentials for PRINTcipher96.
For MISTY1 [20], we found 902 4-round i-impossible differentials by exploiting the differential property of S-boxes, while only 28 4-round i-impossible differentials were got by implementing the arbitrary S-box mode of Sasaki et al.’s method.
For RC5-32/64/128 [24], we propose the first modeling method for variable rotation, which allows us to get the 2.5-round impossible differentials for them in the key independent setting.

Evaluating the Resistance Against the Impossible Differentials. Besides applying our tool directly, we also propose three phases technique and inside value technique to speed up our proving process.

For GIFT64, PRESENT [6], Midori64 [1], PRINTcipher48, and PRINTcipher96, we prove that, in the search space where the input difference only actives one S-box in the first substitution and the output difference only actives one S-box in the last substitution, there exists no 7-round, 7-round, 6-round, 5-round, and 6-round impossible differentials for GIFT64, PRESENT, Midori64, PRINTcipher48, and PRINTcipher96 even taking account in the details of the key schedule.
For AES [11], by adopting the new proposed three phases technique, we prove that even considering the relations of middle three-round keys, there still exists no 5-round 1 input active word and 1 output active word impossible differentials.
For 5-round MISTY1 [20] with the FL layers placed at the even rounds, by adopting the three phases technique and inside value technique, we prove that there exists no 1 input active bit and 1 output active bit impossible differentials.

Resulting in New Impossible $(s+1)$-Polytopic Transition $(s\ge 2)$. Besides applying our tool directly, we further propose the step by step strategy to speed up the search.

For PRINTcipher, by considering all the details of the key schedule, we obtain the 6-round d-impossible 3-polytopic transition and 7-round d-impossible 4-polytopic transition for PRINTcipher48, and 7-round d-impossible 3-polytopic transition and 8-round d-impossible 4-polytopic transition for PRINTcipher96. Moreover, we investigate the impact of the restraints of the xor keys (i.e. the keys which are xored with the state) and control keys (i.e. the keys which are used to control the key-dependent permutation). The result shows that, both the restraints of the xor keys and control keys will lead to more contradictions.
For GIFT64, we get a 7-round d-impossible 3-polytopic transition.
For RC5-32, we get 108 3-round i-impossible 3-polytopic transitions. Similarly, we get a 3-round i-impossible 3-polytopic transition for RC5-64.
For PRESENT, we get a 7-round i-impossible 4-polytopic transition.

Outline. We introduce the notations and related work in Sect. 2. Our redefined impossible differentials and impossible $(s+1)$-polytopic transitions and the relations between our redefinitions and traditional definitions are shown in Sect. 3. The SAT modeling methods and our search algorithm are detailed in Sect. 4. We apply our method to impossible differentials from the cryptanalysis aspect and design aspect in Sect. 5 and Sect. 6, respectively. In Sect. 7, we apply our method to impossible polytopic transitions. In Sect. 8, we conclude this paper.

2 Preliminaries

2.1 Notations

The following notations are used in this paper.

$\varvec{x^{m,s}}$: the tuple $(x_{0}, \ldots , x_{s-1})$, where $x_{i} \in \mathbb {F}^{m}_{2}\ (0 \le i\le s-1)$.
$\varvec{x_{i}^{m,s}}$: the tuple $(x_{i,0}, \ldots , x_{i,s-1})$, where $x_{i,j} \in \mathbb {F}^{m}_{2}\ (0 \le j\le s-1)$.
$\varvec{x^{m,s}}||\varvec{y^{m,s}}$: the tuple $(x_{0}||y_{0}, \ldots , x_{s-1}||y_{s-1})$, where $x_{i}, y_{i} \in \mathbb {F}^{m}_{2}\ (0 \le i\le s-1)$.
$\varvec{x^{m,s+1}} \rhd \varvec{\alpha ^{m,s}}$: the tuple $\varvec{x^{m,s+1}}$ satisfy $x_{0}\oplus x_{j+1} = \alpha _{j}\ (0\le j\le s-1)$.
$0^{p}1^{q}$: the concatenation of p successive 0s and q successive 1s.
$a^{p}b^{q}$: the concatenation of p-bit constant a and q-bit constant b.
W(a): the hamming weight of a, i.e., the 1’s number in the bit representation of a.
$e^{n}_{I}$: an n bits value, whose i-th bit is 1 for $i\in I$, and 0 otherwise.
BC(n, m, l): the set of all iterated block ciphers whose block size is n-bit, master key size is m-bit, and round key size is l-bit.
$E_{k}^{r}(x)$: the output of encryption $E \in BC(n, m, l)$ on the state $x\in \mathbb {F}_{2}^{n}$ after r-round under $k \in (\mathbb {F}_{2}^{l})^{r}$.
$E_{k}^{r}(\varvec{x^{n,s}})$: the tuple $(E_{k}^{r}(x_{0}), \ldots , E_{k}^{r}(x_{s-1}))$.
$IKS_{r}^{l}$: the set $\{(k_{1}, \ldots , k_{r})|k_{i} \in \mathbb {F}_{2}^{l}, 1 \le i \le r \}$.
$DKS_{r}^{m, l}$: the set $\{(k_{1}, \ldots , k_{r})|k \in \mathbb {F}_{2}^{m}, k_{i}\in \mathbb {F}_{2}^{l}, k_{i} = G_{i}(k), 1 \le i\le r\}$, where $G_{i}$ denotes the key schedule to generate the round key $k_{i}$ from the master key k for a block cipher $E \in BC(n, m, l)$.

2.2 A Brief Introduction of Impossible Differentials and Impossible $(s+1)$-Polytopic Transitions

Impossible differential is the distinguisher of impossible differential cryptanalysis, and impossible $(s+1)$-polytopic transition is the distinguisher of the impossible polytopic cryptanalysis. Here, we only recall the definitions of impossible $(s+1)$-polytopic transition, since impossible differential is the special case of $s=1$. First, let us recall the definition of s-polytope and s-difference.

Definition 1

(s -polytope [29]). An s-polytope in $\mathbb {F}_{2}^{n}$ is an s-tuple of values in $\mathbb {F}_{2}^{n}$.

Definition 2

(s -difference [29]). An s-difference over $\mathbb {F}_{2}^{n}$ is an s-tuple of values in $\mathbb {F}_{2}^{n}$. For an $(s+1)$-polytope $\left( m_{0}, m_{1}, \ldots , m_{s}\right) ,$ the corresponding s-difference is defined as $\left( m_{0} \oplus m_{1}, m_{0} \oplus m_{2}, \ldots , m_{0} \oplus m_{s}\right) $.

Next, we recall the propagation rule of s-difference and the valid $(s+1)$-polytopic trail.

Definition 3

(The Propagation Rule of The s -difference [29]). Let $f: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{q}$ be a function. For the input s-difference $\varvec{\alpha ^{n,s}}$ and the output s-difference $\varvec{\beta ^{q,s}}$, if there exists x such that, $f(x \oplus \alpha _{i}) \oplus f(x) =\beta _{i} (0\le i \le s-1)$, we call that $\varvec{\alpha ^{n,s}}$ can propagate to $\varvec{\beta ^{q,s}}$, denoted as $\varvec{\alpha ^{n,s}} {\mathop {\rightarrow }\limits ^{f}} \varvec{\beta ^{q,s}}$. Otherwise, we call that $\varvec{\alpha ^{n,s}}$ cannot propagate to $\varvec{\beta ^{q,s}}$, denoted as $\varvec{\alpha ^{n,s}} {\mathop {\nrightarrow }\limits ^{f}} \varvec{\beta ^{q,s}}$.

Definition 4

(Valid $(s+1)$ -polytopic Trail [29]). Let $f: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}$ be a function that is the iterated composition of round functions $f_{i}: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}:$

$$\begin{aligned} f:=f_{r} \circ \cdots \circ f_{2} \circ f_{1}. \end{aligned}$$

Let $\varvec{\alpha }^{n,s}_{0}$ be the input s-difference and $\varvec{\alpha }^{n,s}_{r}$ be the output s-difference. Then, a valid $(s+1)$-polytopic trail for $(\varvec{\alpha }^{n,s}_{0}, \varvec{\alpha }^{n,s}_{r})$ on f is an $(r+1)$-tuple $(\varvec{\alpha }^{n,s}_{0}, \varvec{\alpha }^{n,s}_{1}, \ldots ,$ $\varvec{\alpha }^{n,s}_{r})$, where $\varvec{\alpha }^{n,s}_{i} {\mathop {\rightarrow }\limits ^{f_{i+1}}} \varvec{\alpha }^{n,s}_{i+1} (0 \le i \le r-1)$.

By exploiting the definition of the valid $(s+1)$-polytopic trail, the definitions of possible $(s+1)$-polytopic transition and impossible $(s+1)$-polytopic transition can be re-expressed as follows.

Definition 5

(Possible $(s+1)$ -polytopic Transition [29]). A pair of input and output s-differences $\left( \varvec{\Delta _{i}}^{n,s}, \varvec{\Delta _{0}}^{n,s}\right) $ is called an r-round possible $(s+1)$-polytopic transition if and only if there exists an r-round valid $(s+1)$-polytopic trail for $\left( \varvec{\Delta _{i}}^{n,s}, \varvec{\Delta _{0}}^{n,s}\right) $.

Definition 6

(Impossible $(s+1)$ -polytopic Transition [29]). A pair of input and output s-differences $\left( \varvec{\Delta _{i}}^{n,s}, \varvec{\Delta _{0}}^{n,s}\right) $ is called an r-round impossible $(s+1)$-polytopic transition if and only if there exists no r-round valid $s+1$-polytopic trail for $\left( \varvec{\Delta _{i}}^{n,s}, \varvec{\Delta _{0}}^{n,s}\right) $.

2.3 SAT Problem and STP

The Boolean Satisfiability Problem (SAT) is a classic scientific computation problem aiming to determine whether a given boolean formula has a solution. STP is the openly available solver for the SAT problem, which supports the CVC format as the file-based input formats.

When to solve an SAT problem, we first model it by the statements in CVC format and save those statements as a file. Then, we invoke the STP for this file. If the target SAT problem has no solution, STP will return “Valid.”. Otherwise, it will return a solution of the SAT problem and “Invalid.”.

In particular, it is worth to mention that the CVC format supports the conditional term, i.e., the statement “IF a THEN b ELSE c ENDIF”, where a is a boolean term, and b and c are bitvector terms. By exploiting the conditional term, we give our modeling methods for S-boxes and variable rotation in Sects. 4.1.

3 New Definitions of Impossible Differentials and Impossible $(s+1)$-Polytopic Transitions

In this section, we define the notations of s-polygon, possible s-polygons, and impossible s-polygons. Based on this, we redefine the impossible differentials and impossible $(s+1)$-polytopic transitions. Then, we study the relations between our redefinitions and traditional definitions of impossible differentials and impossible $(s+1)$-polytopic transitions.

3.1 New Definitions of Impossible Differentials and Impossible $(s+1)$-Polytopic Transitions

Let us think over the definitions of traditional impossible differentials and impossible $(s+1)$-polytopic transitions. For $ E \in BC(n, m, l)$, suppose $\left( \varvec{\Delta _{i}}^{n,s}, \varvec{\Delta _{o}}^{n,s}\right) $ is an r-round traditional impossible $(s+1)$-polytopic transition of it. Then, for $\forall k\in (F^{l}_{2})^{r}$, $\forall \varvec{x_{i}}^{n,s+1} \rhd \varvec{\Delta _{i}}^{n,s}$ and $\forall \varvec{y_{i}}^{n,s+1} \rhd \varvec{\Delta _{o}}^{n,s}$, it holds $E_{k}^{r}(\varvec{x_{i}}^{n,s+1}) \ne \varvec{y_{i}}^{n,s+1}$. In particular, if $(\Delta _{i}, \Delta _{0})$ is an r-round impossible differential. Then, for $\forall k\in (F^{l}_{2})^{r}$, $\forall x \in \mathbb {F}_{2}^{n}$ and $\forall y\in \mathbb {F}_{2}^{n}$, it holds $(E^{r}_{k}(x), E^{r}_{k}(x\oplus \Delta _{i})) \ne (y, y\oplus \Delta _{o})$. Thus, it is important to research the relations between two (resp. $s+1$) input states and two (resp.$s+1$) output states for forming the impossible differentials (resp.impossible $(s+1)$-polytopic transitions). To investigate such relations, we define the s-polygon firstly.

Definition 7

(s -polygon). For $\forall E \in BC(n, m, l)$, its s-polygon is a tuple with s elements, where each element belongs to $\mathbb {F}^{n}_{2}$.

For an iterated block cipher, the s-polygon propagates through round by round, which constitutes the s-polygonal trail.

Definition 8

(s -polygonal Trail). Let $E \in BC(n, m, l)$ and $r\in \mathbb {Z}$. For any s-polygon $\varvec{x}^{n,s}$ and $\forall k=(k_{1}, \ldots , k_{r}) \in (\mathbb {F}_{2}^{l})^{r}$, we have the following chain of propagation:

$$\begin{aligned} \varvec{x}^{n,s} \rightarrow E^{1}_{(k_{1})}(\varvec{x}^{n,s})\rightarrow E^{2}_{(k_{1}, k_{2})}(\varvec{x}^{n,s}) \rightarrow \cdots \rightarrow E^{r}_{k}(\varvec{x}^{n,s}). \end{aligned}$$

We call $(\varvec{x}^{n,s},E^{1}_{(k_{1})}(\varvec{x}^{n,s}),\ldots ,E^{r}_{k}(\varvec{x}^{n,s}))$ an r -round s -polygonal trail. Moreover, if $k\in IKS_{r}^{l}$, the trail is called an r -round i -s -polygonal trail; if $k\in DKS_{r}^{m, l}$, the trail is called an r -round d -s -polygonal trail.

Based on the definitions of s-polygon and s-polygonal trail, according to the compatibility of a pair of input and output s-polygons, the possible s-polygon and impossible s-polygon are defined as follows.

Definition 9

(Possible s -polygons). Let $E \in BC(n, m, l)$, a pair of input and output s-polygons $(\varvec{x}^{n,s}, \varvec{y}^{n,s})$ is called r -round possible s -polygons of E, if there exists $k=(k_{1}, \ldots , k_{r}) \in (\mathbb {F}_{2}^{l})^{r}$ and s-polygonal trail $(\varvec{x}^{n,s},E^{1}_{(k_{1})}(\varvec{x}^{n,s}),\ldots ,$ $E^{r}_{k}(\varvec{x}^{n,s}))$ s.t. $y_{i} = E_{k}^{r}(x_{i})(0\le i\le s-1)$. Moreover, if $k\in IKS_{r}^{l}$, $(\varvec{x}^{n,s}, \varvec{y}^{n,s})$ is called r -round i -possible s -polygons; if $k\in DKS_{r}^{m, l}$, $(\varvec{x}^{n,s}, \varvec{y}^{n,s})$ is called r -round d -possible s -polygons.

Definition 10

(Impossible s -polygons). Let $E \in BC(n, m, l)$, a pair of input and output s-polygons $(\varvec{x}^{n,s}, \varvec{y}^{n,s})$ is called r -round i -impossible s -polygons (resp. r -round d -impossible s -polygons) of E, if $(\varvec{x}^{n,s}, \varvec{y}^{n,s})$ is not the r-round i-possible s-polygons (resp. r-round d-possible s-polygons).

Now, based on the definition of impossible s-polygons, we propose two definitions of impossible $(s+1)$-polytopic transitions: i-impossible $(s+1)$-polytopic transition and d-impossible $(s+1)$-polytopic transition.

Definition 11

(The i -impossible (resp.d -impossible) $(s+1)$ -polytopic Transition). Let $E \in BC(n, m, l)$, a pair of input and output tuples $(\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s})$ is called an r-round i -impossible (resp. d -impossible) $(s+1)$-polytopic transition, if for $\forall \varvec{x^{n,s+1}} \rhd \varvec{\alpha }^{n,s}$ and $\forall \varvec{y^{n,s+1}} \rhd \varvec{\beta }^{n,s}$, $(\varvec{x^{n,s+1}}, \varvec{y^{n,s+1}})$ are r-round i-impossible (resp.d-impossible) $(s+1)$-polygons.

Here, we give the definitions of i-impossible differential and d-impossible differential independently for clarity, while actually impossible differential is a particular case of impossible $(s+1)$-polytopic transition.

Definition 12

(The i -impossible (resp. d -impossible) Differential). Let $E \in BC(n, m, l)$, $\alpha \in \mathbb {F}^{n}_{2}$, and $\beta \in \mathbb {F}^{n}_{2}$, $(\alpha , \beta )$ is called an r -round i -impossible (resp. d -impossible) differential, if for $\forall (x_{0}, x_{1}) \in \{(\alpha _{0}, \alpha _{1}) \in \mathbb {F}^{n}_{2} \times \mathbb {F}^{n}_{2}|\alpha _{0} \oplus \alpha _{1} = \alpha \}$ and $\forall (y_{0}, y_{1}) \in \{(\beta _{0}, \beta _{1}) \in \mathbb {F}^{n}_{2} \times \mathbb {F}^{n}_{2}|\beta _{0} \oplus \beta _{1} = \beta \}$, $(x_{0}, x_{1})$ and $(y_{0}, y_{1})$ are r-round i-impossible (resp. d-impossible) 2-polygons.

According to the definitions of d-possible $(s+1)$-polygons and i-possible $(s+1)$-polygons, the relation between i-impossible $(s+1)$-polytopic transition and d-impossible $(s+1)$-polytopic transition is obviously as follows.

Theorem 1

Let $E \in BC(n, m, l)$. Then an i-impossible $(s+1)$-polytopic transition of E must be a d-impossible $(s+1)$-polytopic transition of E. In particular, an i-impossible differential of E must be a d-impossible differential of E.

3.2 The Equivalence of i-impossible $(s+1)$-Polytopic Transitions and Traditional Impossible $(s+1)$-Polytopic Transitions

SPN structure and Feistel structure are widely used in the design of block ciphers. In this subsection, we show that the i-impossible $(s+1)$-polytopic transitions are equivalent to traditional impossible $(s+1)$-polytopic transitions for the block ciphers with SPN structure or Feistel structure. Moreover, with the same approach, the equivalence also holds for the block cipher MISTY1. Note that, since impossible differentials are the particular case of impossible $(s+1)$-polytopic transitions, we are not going to state the equivalency for impossible differentials solely here.

First, for narrative purposes, we define a class of round function, which is widely used in block ciphers.

Definition 13

(Common Round Function). A function $F_{r}$ is called common round function(CRF), if it can be represented as $F_{r} = (P^{'}_{r}\circ S_{r}\circ P_{r}\circ K_{r})\circ \cdots \circ (P^{'}_{1}\circ S_{1}\circ P_{1}\circ K_{1}) \circ (P^{'}_{0}\circ S_{0}\circ P_{0})$, where $S_{i}(0\le i \le r)$ denotes the substitution layer which is composed of a set of S-boxes in parallel, $P_{i}(0\le i \le r)$ and $P^{'}_{i}(0\le i \le r)$ denote the linear permutation layers, and $K_{i}(1\le i \le r)$ denotes the key mixing layer, where the key is fully Xored with the state. In particular, in the case of $r=0$, denote $F_{0} = (P^{'}_{0}\circ S_{0}\circ P_{0})$.

The above definition of CRF includes a lot of round functions, which are broadly used in block ciphers. For example, the round function of AES [11] is of the “SP” structure, in which the substitution layer precedes the linear layer. It is the CRF in the case of $r=0$ and $P_{0}$ is the identical permutation. The round function of Prince [7] in the last half rounds is of the “PS” structure, in which the linear layer precedes the substitution layer. It is the CRF in the case of $r=0$ and $P^{'}_{0}$ is the identical permutation. The round function of RoadRunneR [3] is of the “SPKSPKSPKS” structure. It is the CRF in the case of $r=3$ and $P^{'}_{3}$ is the identical permutation.

Since the common round function is widely used in block ciphers, we study the relationship between the valid $(s+1)$-polytopic transitions and i-possible $(s+1)$-polygons of it.

Theorem 2

(The Equivalence of CRF) . Let $F_{r}$ be a CRF. Then, $(\varvec{\alpha _{0}}^{n,s}, $ $\varvec{\alpha _{r+1}}^{n,s})$ is a valid polytopic transition of $F_{r}$ if and only if there exist i-possible $(s+1)$-polygons $(\varvec{x_{0}}^{n,s+1}, \varvec{w_{r}}^{n,s+1})$ of $F_{r}$ , where $\varvec{x_{0}}^{n,s+1} \rhd \varvec{\alpha _{0}}^{n,s}$ and $\varvec{w_{r}}^{n,s+1} \rhd \varvec{\alpha _{r+1}}^{n,s}$.

Proof

We only prove this theorem in the case of $r=2$. The other cases can be proved analogously.

Suppose $(\varvec{\alpha _{0}}^{n,s}, \varvec{\alpha _{3}}^{n,s})$ is a valid polytopic transition of $F_{2}$. Then there exists a valid $(s+1)$-polytopic trail $(\varvec{\alpha _{0}}^{n,s}, \varvec{\alpha _{1}}^{n,s}, \varvec{\alpha _{2}}^{n,s}, \varvec{\alpha _{3}}^{n,s})$, as shown in the upper half of Fig. 1. For $0\le i\le 2$, since $(\varvec{\beta _{i}}^{n,s}, \varvec{\gamma _{i}}^{n,s})$ is a possible $(s+1)$-polytopic transition of $S_{i}$, there exists $a_{i}$ such that $S_{i}(a_{i})\oplus S_{i}(a_{i}\oplus \beta _{i,j})=\gamma _{i, j}(0\le j\le s-1)$. Let $\varvec{y_{i}}^{n,s+1}=(y_{i,0},\ldots , y_{i, s})$ and $\varvec{z_{i}}^{n,s+1}=(z_{i,0},\ldots , z_{i, s})$, where $y_{i, 0}=a_{i}$, $y_{i, j+1}=a_{i}\oplus \beta _{i,j}$, $z_{i, 0}=S_{i}(a_{i})$ and $z_{i, j+1}=S(a_{i})\oplus \gamma _{i,j}$, then we have $S(y_{i,j})=z_{i,j}(0\le j\le s)$. Denote $\varvec{x_{i}}^{n,s+1}=(x_{i,0}, \ldots , x_{i, s})$ and $\varvec{w_{i}}^{n,s+1}=(w_{i,0}, \ldots , w_{i, s})$, where $x_{i,j}=P_{i}^{-1}(y_{i,j})$ and $w_{i,j}=P^{'}_{i}(z_{i,j})(0\le j\le s)$. Since $\alpha _{i,j}=P^{-1}_{i}(\beta _{i,j})$, we have $x_{i,0}\oplus x_{i, j+1}= \alpha _{i, j}(0\le j\le s-1)$. Similar, we have $w_{i,0}\oplus w_{i, j+1}= \alpha _{i+1, j}(0\le j\le s-1)$. Thus, for $1\le i\le 2$, we have $w_{i-1,0}\oplus w_{i-1, j+1}= \alpha _{i, j} = x_{i,0}\oplus x_{i, j+1}(0\le j\le s-1)$. Let $K_{i}=w_{i-1,0}\oplus x_{i,0}$, then we have $x_{i, j}= w^{i-1,j}\oplus K_{i}(0\le j\le s)$. Therefore, we have constructed i-possible $(s+1)$-polygons of $F_{2}$, which is $(\varvec{x_{0}}^{n,s+1}, \varvec{w_{2}}^{n,s+1})$ with $\varvec{w_{2}}^{n,s+1} \rhd \varvec{\alpha _{3}}^{n,s}$ and $\varvec{x_{0}}^{n,s+1} \rhd \varvec{\alpha _{0}}^{n,s}$, as shown in the lower half of Fig. 1.

Since all the procedures above are invertible, it is easy to show that if there exist $\varvec{x_{0}}^{n,s+1} \rhd \varvec{\alpha _{0}}^{n,s}$ and $\varvec{w_{2}}^{n,s+1} \rhd \varvec{\alpha _{3}}^{n,s}$, such that $(\varvec{x_{0}}^{n,s+1}, \varvec{w_{2}}^{n,s+1})$ is the i-possible $(s+1)$-polygons of $F_{2}$, then $(\varvec{\alpha _{0}}^{n,s}, \varvec{\alpha _{3}}^{n,s})$ is the valid polytopic transition of $F_{2}$. $\square $

With the same technique, we also can show the equivalence between traditional impossible $(s + 1)$-polytopic transition and the i-impossible $(s + 1)$-polytopic transition for the block ciphers with SPN structure and Feistel structure as follows. The specific process of proofs are shown in the Full Version of our paper in the ePrint because of space cause.

Theorem 3

(The Equivalence of SPN Structure Block Ciphers). Let $E \in BC(n, m, l)$ be an SPN structure block cipher whose round function is a CRF, and the round keys are fully Xored with the state. Then, $(\varvec{\alpha _{0}}^{n,s}, \varvec{\alpha _{r}}^{n,s})$ is an r-round traditional impossible $(s + 1)$-polytopic transition if and only if it is an r-round i-impossible $(s + 1)$-polytopic transition.

Theorem 4

(The Equivalence of Feistel Structure Block Ciphers). Let $E \in BC(2n, m, l)$ be a Feistel structure block cipher whose round function is a CRF and the round keys are fully Xored with the branch. Then, $(\varvec{\alpha _{0}}^{n,s}||\varvec{\beta _{0}}^{n,s}, $ $\varvec{\alpha _{r}}^{n,s}||\varvec{\beta _{r}}^{n,s})$ is an r-round traditional impossible $(s + 1)$-polytopic transition if and only if it is an r-round i-impossible $(s + 1)$-polytopic transition.

The block cipher MISTY1 [20] is designed by adopting the theory of provable security [23]. We can also show that traditional impossible $(s+1)$-polytopic transition is equivalent to the i-impossible $(s + 1)$-polytopic transition for the block cipher MISTY1 as the following theorem. The specific process of proof is also shown in the Full Version of our paper.

Theorem 5

(The Equivalence of The Block Cipher MISTY1). Let E denote the block cipher MISTY1. Then, $(\varvec{\alpha _{0}}^{32,s}||\varvec{\beta _{0}}^{32,s}, \varvec{\alpha _{r}}^{32,s}||\varvec{\beta _{r}}^{32,s})$ is an r-round traditional impossible $(s + 1)$-polytopic transition if and only if it is an r-round i-impossible $(s + 1)$-polytopic transition.

The Avantages of i-Impossible Differentials and i-Impossible $(s + 1)$-Polytopic Transitions. Since i-impossible differentials (resp. i-impossible $(s + 1)$-polytopic transitions) are equivalent to traditional impossible differentials (resp. traditional impossible $(s + 1)$-polytopic transitions), our method gives new view of traditional impossible differentials and impossible $(s + 1)$-polytopic transitions, which allows us to get the distinguishers for the block cipher with large S-boxes or variable rotation in the key independent setting using full knowledge of their differential or s-differential property. In particular, by exploiting this new view, we can evaluate the security of block ciphers against traditional impossible differentials for block ciphers with large S-box in the case of considering the differential property of large S-boxes.

4 Automatic Search Method

In this section, we propose an unified automatic search algorithm for our redefined impossible differentials and impossible $(s + 1)$-polytopic transitions. Firstly, we give the statements in CVC format to model the propagation of the state under each operation.

4.1 Model the Propagation of the State by Statements in CVC Format

Here, we model the propagation of the state under the operations (Generalized-) Copy, (Generalized-) Xor, (Generalized-) Modular Addition, Linear Transformations, S-box and Variable Rotation by statements in CVC format.

Model 1

((Generalized-)Copy). Let F be a (Generalized-)Copy function, where the input x takes value from $\mathbb {F}_{2}^{q}$, and the output is calculated as $(y_{0}, y_{1},\ldots , y_{t-1}) = (x, x, \ldots , x)$. Then, the following statements can describe the propagation of the state under the (Generalized-)Copy operation.

$$\left\{ \begin{array}{l} {\text {ASSERT}(y_{0} = x);}\\ {\text {ASSERT}(y_{1} = x);}\\ {\qquad \vdots } \\ {\text {ASSERT}(y_{t-1} = x)}; \end{array}\right. $$

Model 2

((Generalized-)Xor). Let F be a (Generalized-)Xor function, where the input $(x_{0}, x_{1},\ldots , x_{t-1})$ take values from $(\mathbb {F}_{2}^{q})^{t}$, and the output is calculated as $y = \oplus _{i=0}^{i=t-1}x_{i}$. Then, the following statement can describe the propagation of the state under the (Generalized-)Xor operation.^{Footnote 5}

$$\begin{aligned} \text {ASSERT}(y = \text {BVXOR}(\cdots (\text {BVXOR}(\text {BVXOR}(x_{0}, x_{1}), x_{2}), \ldots , x_{t-1})); \end{aligned}$$

Model 3

((Generalized-)Modular Addition). Let F be a (Generalized-) Modular Addition function, where the input $(x_{0}, x_{1},\ldots , x_{t-1})$ take values from $(\mathbb {\mathbb {F}}_{2}^{q})^{t}$, and the output is calculated as $y = \boxplus _{i=0}^{i=t-1}x_{i}$.^{Footnote 6} Then, the following statement can describe the propagation of the state under the (Generalized-)Modular Addition operation.

$$\begin{aligned} \text {ASSERT}(y = \text {BVPLUS}(q, x_{0},\ldots , x_{t-1})); \end{aligned}$$

The linear transformations of block ciphers have various representations, such as the permutation layer of PRESENT [6], and the MDS matrix in AES [11]. Since all the representations of linear transformations can be converted to the binary matrix multiplication, we only show the modeling method for the binary matrix multiplication here.

Model 4

(Binary Matrix Multiplication). Let $M = (m_{i, j})_{0 \le i\le s-1, 0\le j\le t-1}$ be a binary matrix, where the input $x=(x_{0}, x_{1},\ldots , x_{t-1})$ take values from $\mathbb {F}_{2}^{t}$, and the output of multiplication $y=(y_{0}, y_{1},\ldots , y_{s-1})$ is calculated as

$$y_{i}= \left\{ \begin{array}{ll} {x_{k},} {\text { if } m_{i, k}=1 \text { and } |\{j|m_{i,j}\ne 0\}|=1,}\\ {\oplus _{\{j|m_{i,j}\ne 0\}}x_{j},} {\text { otherwise.}} \end{array}\right. $$

Then, the statements to describe the propagation of the state under binary matrix multiplication operation can be combined by the modeling methods for Copy and (Generalized-) Xor.

S-box is often used to provide confusion for block ciphers. By exploiting the conditional term, we can describe the propagation of the state under it specifically.

Model 5

(S-box). Let S be an S-box which substitutes t-bit to s-bit, where the input x takes values from $\mathbb {F}_{2}^{t}$, and the output $y \in \mathbb {F}_{2}^{s}$ is calculated as $y = S(x)$. Then the statement generated by Algorithm 1 can describe the propagation of the state under S-box operation.

Variable rotation is a novel operation used in some typical block ciphers, such as RC5 [24] and RC6 [25]. Due to the output of variable rotation operation is closely related to the input values, it is hard to model the propagation of difference and s-difference under it. In our new model, we exploit the conditional term to describe the propagation of the state under the variable rotation.

Model 6

(Variable Rotation). Let F be a variable rotation function, the input (x, y) take values from $\mathbb {F}_{2}^{q} \times \mathbb {F}_{2}^{q}$, and the output is calculated as $z = x \lll _{y}\in \mathbb {F}_{2}^{q}$. Then, the statement generated by the Algorithm 2 can describe the propagation of the state under variable rotation operation.

4.2 The Automatic Search Method for Redefined Impossible Differentials and Impossible $(s + 1)$-Polytopic Transitions

In this subsection, we show our automatic search algorithm for the i-impossible (resp. d-impossible) $(s + 1)$-polytopic transitions. Since an i-impossible (resp. d-impossible) differential is an i-impossible (resp. d-impossible) 2-polytopic transition, the automatic search algorithm for i-impossible (resp. d-impossible) differentials can be derived from the algorithm for i-impossible (resp. d-impossible) $(s + 1)$-polytopic transitions with $s=1$. First, we propose our method for determining whether a pair of input and output s-differences is an i-impossible (resp. d-impossible) $(s + 1)$-polytopic transition. Then, we discuss the selection of parameter s and the search space of our method.

The i-Impossible (resp. d-Impossible) $(s + 1)$-Polytopic Transition Determining Method.

Our method for determining whether a pair of input and output s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an i-impossible (resp. d-impossible) $(s + 1)$-polytopic transition can be divided into two phases: statements generated phase and STP invoked phase. In the statements generated phase, we generate a system of statements as a file to describe the $(s+1)$-polygons $\varvec{x}^{n,s+1}$ propagate to $\varvec{y}^{n,s+1}$ with $\varvec{x}^{n,s+1}\vartriangleright \varvec{\alpha }^{n,s}$ and $\varvec{y}^{n,s+1}\vartriangleright \varvec{\beta }^{n,s}$. In the STP invoked phase, we invoke the STP for the file to determine whether ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an i-impossible (resp. d-impossible) $(s + 1)$-polytopic transition.

Specification of the statements generated phase.

The algorithm shown in Algorithm 3 generates the statements for judging whether a pair of input and output s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an r-round impossible $(s + 1)$-polytopic transition.

We present certain illustrations for Algorithm 3 as follows.

Line 3–4. Declare the variables which are used in the system of statements, including the variables which are used to represent the input $(s+1)$-polygon and output $(s+1)$-polygon, the intermediate variables and key variables used to describe the propagation from the input $(s+1)$-polygon to the output $(s+1)$-polygon.
Line 5–7. According to the propagation rules for each operation which are given in Sect. 4.1, model the propagation from the input $(s+1)$-polygon $\varvec{x}^{n,s+1}$ to the output $(s+1)$-polygon $\varvec{y}^{n,s+1}$ with the aid of the intermediate variables and key variables.
Line 8–9. Generate the statements in CVC format such that the input $(s+1)$-polygon $\varvec{x}^{n,s+1}$ satisfies the input s-difference $\varvec{\alpha }^{n,s}$ and the output $(s+1)$-polygon $\varvec{y}^{n,s+1}$ satisfies the output s-difference $\varvec{\beta }^{n,s}$.
L ine 10–12. If “keyflag=True”, then the algorithm generates the statements to constraint the key variables according to the key schedule. In this case, the algorithm generates the statements to judge whether a pair of input and output s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an r-round d-impossible $(s + 1)$-polytopic transition; Otherwise, it generates the statements to judge whether a pair of input and output s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an r-round i-impossible $(s + 1)$-polytopic transition.
Line 13. The statements “QUERY(FALSE);” and “COUNTEREXAMPLE;” are added to the system of statements. This is a common method in STP to determine whether an SAT problem has a solution. By adding those two statements, if the SAT problem has solutions, the STP will return one of the solutions and the statement “Invalid.”; Otherwise, it returns “Valid.”.

Specification of the Invoke STP Phase.

We invoke the STP for the file which is consisted of the system of statements. If the statements generated in the case of keyflag=True, then the s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an r-round d-impossible $(s + 1)$-polytopic transition when the STP returns “Valid.”, and ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is not an r-round d-impossible $(s + 1)$-polytopic transition when the STP returns an r-round d-$(s + 1)$-polygonal trail and “Invalid.”. Similarly, if the statements generated in the case of keyflag=False, then the s-differences ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is an r-round i-impossible $(s + 1)$-polytopic transition when the STP returns “Valid.”, and ($\varvec{\alpha }^{n,s}, \varvec{\beta }^{n,s}$) is not an r-round i-impossible $(s + 1)$-polytopic transition when the STP returns an r-round i-$(s + 1)$-polygonal trail and “Invalid.”.

Work as a Proof Tool. Once the search space fixed, we can run our tool for all the input and output s-differences in such space. If none of the input and output s-differences is an r-round i-impossible (resp. d-impossible) $(s + 1)$-polytopic transition, we can declare that there exists no r-round i-impossible (resp. d-impossible) $(s + 1)$-polytopic transition in this space.

The Select of Parameter s and Search Space.

In our automatic search method for impossible $(s + 1)$-polytopic transition, the total time cost mainly depends on the size of the search space and the time cost for determining whether an element in the search space is an impossible $(s + 1)$-polytopic transition.

The time cost for determining whether an element in the search space is an impossible $(s + 1)$-polytopic transition is closely related to operations contained in the block cipher and the value of parameter s we selected. In our experiment, we choose s at most 4, since the search time will cost quite a lot if s increases beyond this range.

For the search space, traditional automatic tools focus on search the $\mu $ input active bits (resp. nibbles) and $\nu $ output active bits (resp. nibbles) impossible differentials. Since the impossible $(s + 1)$-polytopic transition is the generation of impossible differential, we define the $(\mu _{0}, \ldots , \mu _{s-1})$ active bits and $(\mu _{0}, \ldots , \mu _{s-1})$ active nibbles to generate the search space.

Definition 14

($(\mu _{0}, \ldots , \mu _{s-1})$ Active Bits). For a block cipher $E \in BC(n, m, l)$, we call the s-difference $\varvec{\alpha }^{n,s}$ satisfied the $(\mu _{0}, \ldots , \mu _{s-1})$ active bits, if there are $\mu _{i}$ bits of the binary representation of $\alpha _{i}(0\le i\le s-1)$ are non-zero.

Definition 15

($(\mu _{0}, \ldots , \mu _{s-1})$ Active Nibbles). For a block cipher $E \in BC(n, m, l)$ whose S-box size is q, for any s-difference $\varvec{\alpha }^{n,s}$, the binary representation of $\alpha _{i}\ (0\le i\le s-1)$ can be divided into $\frac{n}{q}$ pieces, where $\alpha _{i,j}=\{\alpha _{i,q\cdot j}, \ldots , \alpha _{i,q\cdot j + q-1}\}$ $(0\le j\le \frac{n}{q}-1)$. We call the s-difference $\varvec{\alpha }^{n,s}$ satisfied the $(\mu _{0}, \ldots , \mu _{s-1})$ active nibbles, if there are $\mu _{i}$ pieces of $\alpha _{i}(0\le i\le s-1)$ have non-zero items.

Our method focuses on searching the $(\mu _{0}, \ldots , \mu _{s-1})$ input active bits and $(\nu _{0}, \ldots , $ $\nu _{s-1})$ output active bits or $(\mu _{0}, \ldots , \mu _{s-1})$ input active nibbles and $(\nu _{0}, \ldots , \nu _{s-1})$ output active nibbles, or the subset of those two spaces according to the experimental result. Due to the limitation of the size of the executable search space, we mainly search some small values of active bits and active nibbles. Assume the value $\mu '_{i}\ (0\le i\le g)$ appears $\varphi _{i}$ times in the tuple $(\mu _{0}, \ldots , \mu _{s-1})$ and value $\nu '_{i}\ (0\le i\le h)$ appears $\phi _{i}$ times in the tuple $(\nu _{0}, \ldots , \nu _{s-1})$. Then, for a block cipher $E \in BC(n, m, l)$, the number of pairs of input and output s-differences with $(\mu _{0}, \ldots , \mu _{s-1})$ input active bits and $(\nu _{0}, \ldots , \nu _{s-1})$ output active bits is

$$\begin{aligned} \left( {\begin{array}{c}\left( {\begin{array}{c}n\\ \mu '_{0}\end{array}}\right) \\ \varphi _{0}\end{array}}\right) \times \cdots \times \left( {\begin{array}{c}\left( {\begin{array}{c}n\\ \mu '_{g}\end{array}}\right) \\ \varphi _{g}\end{array}}\right) \times \left( {\begin{array}{c}\left( {\begin{array}{c}n\\ \nu '_{0}\end{array}}\right) \\ \phi _{0}\end{array}}\right) \times \cdots \times \left( {\begin{array}{c}\left( {\begin{array}{c}n\\ \nu '_{h}\end{array}}\right) \\ \phi _{h}\end{array}}\right) \thicksim O(n^{\mu '_{0}\varphi _{0}+\cdots +\mu '_{g}\varphi _{g} + \nu '_{0}\phi _{0}+\cdots +\nu '_{h}\phi _{h}}). \end{aligned}$$

For a block cipher $E \in BC(n, m, l)$ whose S-box size is q, let $p=\frac{n}{q}$, the number of pairs of input and output s-differences with $(\mu _{0}, \ldots , \mu _{s-1})$ input active nibbles and $(\nu _{0}, \ldots , \nu _{s-1})$ output active nibbles is

$$\begin{aligned} \left( {\begin{array}{c}\left( {\begin{array}{c}p\\ \mu '_{0}\end{array}}\right) \cdot (2^{q}-1)\\ \varphi _{0}\end{array}}\right) \times \cdots \times \left( {\begin{array}{c}\left( {\begin{array}{c}p\\ \mu '_{g}\end{array}}\right) \cdot (2^{q}-1)\\ \varphi _{g}\end{array}}\right) \times \left( {\begin{array}{c}\left( {\begin{array}{c}p\\ \nu '_{0}\end{array}}\right) \cdot (2^{q}-1)\\ \phi _{0}\end{array}}\right) \times \cdots \times \left( {\begin{array}{c}\left( {\begin{array}{c}p\\ \nu '_{h}\end{array}}\right) \cdot (2^{q}-1)\\ \phi _{h}\end{array}}\right) , \end{aligned}$$

which is $O(p^{\mu '_{0}\varphi _{0}+\cdots +\mu '_{g}\varphi _{g} + \nu '_{0}\phi _{0}+\cdots +\nu '_{h}\phi _{h}}\cdot 2^{q\cdot (\mu '_{0}+\cdots + \mu '_{g}+\nu '_{0}+\cdots + \nu '_{h})})$.

According to the above analysis, the size of the search space is still large even we only search for small values of active bits and active nibbles for impossible $(s+1)$-polytopic transitions with small value of parameter s. For example, if we search the (1, 1) input active bits and (1, 1) output active bits for the impossible 3-polytopic transition of a block cipher whose block size is 64, the number of pairs of input and output s-differences is $\left( {\begin{array}{c}\left( {\begin{array}{c}64\\ 1\end{array}}\right) \\ 2\end{array}}\right) \times \left( {\begin{array}{c}\left( {\begin{array}{c}64\\ 1\end{array}}\right) \\ 2\end{array}}\right) =4064256\approx 2^{22}$. Thus, we propose the following step by step strategy, which is quite helpful to search the impossible $(s+1)$-polytopic transitions when the search space is too large.

Step by Step Strategy. The core of this strategy is to search the impossible $(s + 1)$-polytopic$ (s \ge 2)$ transition based on the result of the impossible s-polytopic transition. To be specific, for a block cipher $E\in BC(n,m,l)$, if we know that ($\varvec{\alpha }^{n,s-1}, \varvec{\beta }^{n,s-1}$) is an impossible s-polytopic transition, then we search the impossible $(s + 1)$-polytopic$(s \ge 2)$ transition in the set

$$\begin{aligned} {\begin{matrix} \{&{}(\alpha _{0},\ldots ,\alpha _{s-2}, \alpha )\times (\beta _{0},\ldots ,\beta _{s-2}, \beta )|\text {the active bits (nibbles) of }\alpha \text { and } \beta \text { is } u \\ {} &{}\text { and } v \text { respectively}\}, \end{matrix}} \end{aligned}$$

where u and v are the predetermined values.

5 Applications to Impossible Differentials from the Aspect of Cryptanalysis

In this section, we apply our method to various block ciphers, including the block cipher GIFT64 [2], the key-dependent permutation (or the key-dependent S-box) based block cipher PRINTcipher [15], the large S-boxes based block cipher MISTY1 [20], and the variable rotation based block cipher RC5 [24]. Only concise descriptions of those block ciphers are specified here. For more details, please refer to their coresponding references. All the experiments in this paper are conducted on this platform: Intel(R) Xeon(R) CPU E5-2650 v2 @2.60 GHz, 64.00G RAM, 64-bit Windows 7 system. The source codes are available in https://github.com/HugeChaos/Impossible-differentials-and-impossible-polytopic-transitions.

5.1 GIFT64

GIFT64 was designed by Banik el at. [2], it is a 64-bit block cipher with 128-bit master key. Interestingly, its round key is 32-bit while it adopts the SPN structure.

Previous Best Result. In [2], they searched the impossible differentials by limiting the input difference activates only one of the first four S-boxes and the output difference activates only one S-box. The maximum number of rounds of impossible differentials they got in this search space is 6.

Advantage of Our Tool. Compared with the previous tools, our tools can search the impossible differentials taking into account the key schedule.

Configurations for the Tool. Firstly, in the search space where the input and output difference activates only one S-box, the maximum number of rounds of the impossible differentials we got is also 6. Then, we try to find the 6-round impossible differentials in which the contradiction cannot be detected by the previous method. To achieve this purpose, we randomly pick the input differences activate at most the right 16 bits and the output differences activate at most the i-th $(i\in \{0, 4, 8, 12, 17, 21, 25, 29, 34, 38, 42, 46, 51, 55, 59, 63\})$ bit. In this way, it allows at most the 0th, 4th, 8th and 12th S-box to be active in the 2nd round by propagating the input difference in the forward direction, and at most the 0th, 1st, 2nd and 3rd S-box to be active in the 5th round by propagating the output difference in the backward direction. After 65536 random tests, we find 3 6-round impossible differentials that the previous tools cannot detect.

Example of 6-Round d-Impossible Differentials. One of the 6-round d-impossible differentials is

$$\begin{aligned} 0x0000000000000600 {\mathop {\nrightarrow }\limits ^{6-round}} 0x0000004020000110. \end{aligned}$$

Automatic Verification for Above Example of Impossible Differential of GIFT64. Since this impossible differential cannot be detected by the propagation of difference, verifying this impossible differential by manual is difficult, we modify the verification algorithm in [10] and apply it to verify this impossible differential. The details of our verification are shown in the Full Version of our paper.

5.2 PRINTcipher

PRINTcipher [15] is proposed by Lars et al. at CHES 2010, consisting of two versions: PRINTcipher48 and PRINTcipher96. PRINTcipher48 is a block cipher with 48-bit block and 80-bit key. PRINTcipher96 is a block cipher with 96-bit block and 160-bit key.

Advantage of Our Tool. Previous tools cannot apply to PRINTcipher directly due to that they cannot handle the operation of key-dependent permutation. By making use of the conditional term, we propose the first modeling method to describe the propagation of state for key-dependent permutation:

ASSERT(y2@y1@y0 = (IF k1@k0 = 0bin11 THEN x0@x1@x2 ELSE (IF k1@k0 = 0bin10 THEN x2@x0@x1 ELSE (IF k1@k0 = 0bin01 THEN x1@x2@x0 ELSE x2@x1@x0 ENDIF) ENDIF) ENDIF));

where x2||x1||x0 is the input variable, y2||y1||y0 is the output variable, and k1||k0 is the control key. This modeling method allows us to search the impossible differentials for PRINTcipher by considering the impact of all the details of key schedule. Besides, the PRINTcipher also can be regarded as the key-dependent S-box based block cipher, where the key-dependent S-box is consisted of the key-dependent permutation and the fixed S-box. We also propose the first modeling method to describe the propagation of state for key-dependent S-box directly, which is shown in the Full Version of our paper.

Configurations for the Tool. By considering all the details of key schedule, we search the impossible differentials for PRINTcipher48 and PRINTcipher96 in the space where the input difference activates only one S-box in the first substitution layer and the output difference activates only one S-box in the last substitution layer . Finally, we found 730 4-round d-impossible differentials for PRINTcipher48 and 234 5-round d-impossible differentials for PRINTcipher96 in total.

Example of d-Impossible Differentials of PRINTcipher. One of the 730 4-round d-impossible differentials of PRINTcipher48 is

$$\begin{aligned} 0x000000000001 {\mathop {\nrightarrow }\limits ^{4-round}} 0x000000000008. \end{aligned}$$

One of the 234 5-round d-impossible differentials of PRINTcipher96 is

$$\begin{aligned} 0x000000000000000200000000 {\mathop {\nrightarrow }\limits ^{5-round}} 0x000000000000000000001000. \end{aligned}$$

Manual Verification for the Above Example of Impossible Differential of PRINTcipher. As the impossible differentials are detected by considering the key schedule, the verification is completely different from the previous impossible differentials. First, we have the following observation for the composition of key-dependent permutation and S-box.

Observation 1

Let $SP_{k}=S\circ P_{k}$, where S denotes the S-box of PRINTcipher and $P_{k}$ denotes the key-dependent permutation. Then, $1 {\mathop {\longrightarrow }\limits ^{SP_{0}}} \{1,3,5,7\}$, $1 {\mathop {\longrightarrow }\limits ^{SP_{1}}} \{1,3,5,7\}$, $1 {\mathop {\longrightarrow }\limits ^{SP_{2}}} \{2,3,6,7\}$, and $1 {\mathop {\longrightarrow }\limits ^{SP_{3}}} \{4,5,6,7\}$. On the contrary, we have $\{1,3,5,7\} {\mathop {\longrightarrow }\limits ^{SP_{0}}} 1$, $\{1,3,5,7\} {\mathop {\longrightarrow }\limits ^{SP_{1}}} 1$, $\{2,3,6,7\} {\mathop {\longrightarrow }\limits ^{SP_{2}}} 1$, and $\{4,5,6,7\} {\mathop {\longrightarrow }\limits ^{SP_{3}}} 1$.

Then, we verify the 4-round example of impossible differential of PRINTcipher48 in case that 0th or 5th S-box in the 3rd round is active. More details of the proof are given in the Full Version of our paper. The 5-round example of PRINTcipher96 can be verified similarly.

5.3 MISTY1

The block cipher MISTY1 was designed by Matsui [20]. It is a 64-bit block cipher which adopts the theory of provable security [23] against differential attack [5] and linear attack [19].

The Result by Sasaki et al.’s Method. Sasaki et al.’s method is the most advanced previous method to search the impossible differentials for block ciphers with large S-boxes. We employ this method to search the 1 input active bit and 1 output active bit impossible differentials by limiting the input difference activates only the right branch and the output difference activates only the left branch. After $32 \times 32 = 1024$ tests, the maximum number of rounds we got is 4 and a total of 28 4-round impossible differentials are found.

Advantage of Our Tool. Compared with previous tools, our tool is the first tool that can search the impossible differentials for large S-boxes based block ciphers taking into account the differential property of the S-boxes in the independent key setting.

Configurations for the Tool. We run our tool to search the i-impossible differentials in the search space as that by Sasaki et al.’s method. Finally, we found 902 4-round i-impossible differentials, and all the 4-round impossible differentials derived by Sasaki et al.’s method are detected by our tool.

List of 4-Round i -Impossible Differentials. All the 4-round impossible differentials we found are shown in the Table 1, where $\mathbb {Z}_{32} = \{0, 1, \ldots , 31\}$ and $A=\{33, 35, 36,46,49, 50, 51,52,53,57,58,62\}$.

Table 1. 4-round impossible differentials of MISTY-1

Full size table

Manual Verification for the 4-Round i-Impossible Differentials $(e^{64}_{i},e^{64}_{52})(i\in \mathbb {Z}_{32})$ of MISTY1. First, we study the property of the FL and FO function of MISTY1.

Observation 2

Let F denote the FL function of MISTY1, if the input difference is one of $e^{32}_{i}$, $e^{32}_{i+16}$, and $e^{32}_{i,i+16}\ (0\le i\le 15)$, all possible output difference of F is $\{e^{32}_{i}, e^{32}_{i+16}, e^{32}_{i,i+16}\}$. Moreover, all possible output difference of $F^{2}$ is also $\{e^{32}_{i}, e^{32}_{i+16}, e^{32}_{i,i+16}\}$, where $F^{2}$ denotes the composition of two FL function.

Proposition 1

Let F denote the FO function of MISTY1 and $\gamma _{i}(0\le i\le 1)$ be the 16-bit variables, for $\forall (\gamma _{1}||\gamma _{0})\in \{\beta |e^{32}_{20}{\mathop {\longrightarrow }\limits ^{F}} \beta \}$, the weight of $\gamma _{1}$ must be greater than 1.

Then, we verify the 4-round i-impossible differentials $(e^{64}_{i},e^{64}_{52})(i\in \mathbb {Z}_{32})$ of MISTY1, which is finished in the Full Version of our paper.

5.4 RC5

RC5 is designed by Rivest in 1994 [24]. The block size of it can be 32, 64, or 128 bits. For each block size n, the version is denoted as RC5-$n(n=32,64,128)$.

Advantage of Our Tool. The operation variable rotation highly depends on the value of state, which cannot be handled by the previous automatic search tools for impossible differentials. In our model, by exploiting the modeling method we proposed in Sect. 4.1, we give the first automatic method for searching the impossible differentials of RC5.

Configurations of Our Tool. The key schedule of RC5 is very complex. Thus, we focus on searching i-impossible differentials. By observing the structure of RC5-n, the difference $e^{n}_{(i,i+\frac{n}{2})}$ propagates to the difference $e^{n}_{(i+\frac{n}{2})}$ after 0.5-round in the encryption direction. Thus, we search the i-impossible differentials for RC5-$n(n=32, 64, 128)$ by limiting the input difference and output difference in the set $(e^{n}_{(i,i+\frac{n}{2})}, e^{n}_{(j)})(0\le i\le \frac{n}{2}-1, 0 \le j \le n-1)$.

List of 2.5-round i -Impossible Differentials. As a result, our tool found 12 i-impossible differentials for RC5-32, 27 i-impossible differentials for RC5-64, and 58 i-impossible differentials for RC5-128. This is the first result of impossible differentials for RC5. All the results are shown in Table 2.

Table 2. 2.5-Round i-impossible Differentials of RC5

Full size table

Manual Verification for the i-Impossible Differential $(e^{n}_{(\frac{n}{2} - 1, n-1)}, e^{n}_{(\frac{n}{2})-1})$ of RC5-n. First, we study the relation of a pair of input values and a pair of output values for the operation variable rotation, and have that the parity of $W(z\oplus w)$ is the same as $W(x\oplus u)$, where $z=x \lll y, w = u \lll v$, $x,y,z,u,v,w \in \mathbb {F}^{m}_{2}$. Then, we verify the 2.5-round i-impossible differential $(e^{32}_{(15, 31)}, e^{32}_{(15)})$ of RC5-32, $(e^{64}_{(31, 63)}, e^{64}_{(31)})$ of RC5-64, and $(e^{128}_{(63, 127)}, e^{128}_{(63)})$ of RC5-128 together. The details of our manual process are shown in the Full Version of our paper.

6 Applications to Impossible Differentials from the Aspect of Design

In this section, we apply our tool to evaluate the security of lightweight block ciphers against the d-impossible differentials directly. For block ciphers with large S-boxes, we propose the three phases technique and inside value technique, which improve the security evaluation efficiency against the impossible differentials.

Three Phases Technique. For a block cipher, proving that all the input differences in $\Lambda $ and output differences in $\Theta $ are the r-round possible differentials may be time-consuming. To overcome this dilemma, we pick two sets $\Phi $ and $\Psi $ satisfied: for $\forall \alpha \in \Lambda $, there exists $\alpha _{0}\in \Phi $ such that $\alpha $ can propagate to $\alpha _{0}$ after $r_{1}$ rounds in the forward direction, and for $\forall \beta \in \Theta $, there exists $\beta _{0}\in \Psi $ such that $\beta $ can propagate to $\beta _{0}$ after $r_{2}$ rounds in the backward direction. In this way, we just need to prove all the difference of the $\Phi $ and $\Psi $ are the $(r-r_{1}-r_{2})$-round possible differentials.

Inside Value Technique. For a block cipher, proving $(\alpha , \beta )$ is an r-round i-possible (resp. d-possible) differential directly may be time-consuming. To solve this problem, we prove that $(0, \alpha )$ and $(0, \beta )$ is an i-possible (resp. d-possible) 2-polygon instead. Our experimental results show that this technique speeds up our proof process.

6.1 Direct Application to GIFT64, PRESENT, Midori64, PRINTcipher48, and PRINTcipher96

By exploiting our tool, we prove that, in the search space where the input difference activates only one S-box in the first substitution and the output difference activates only one S-box in the last substitution, there exists no 7-round, 7-round, 6-round, 5-round, and 6-round impossible differential for GIFT64, PRESENT, Midori64, PRINTcipher48, and PRINTcipher96 even considering the details of the key schedule.

6.2 Three Phases Technique: Apply to AES-128

AES-128 is the most famous standard block cipher designed by Vincent Rijmen and Joan Daemen [11]. It is a 128-bit block cipher with 128-bit key. AES-128 adopts the SPN structure. Its 128-bit internal state s can be represented as a $4 \times 4$ matrix of bytes $s_{i,j}\in \mathbb {F}^{8}_{2}\ (0\le i, j\le 3)$, each values in the finite fields $\mathbb {F}^{8}_{2}$. For more details of AES, please refer to [11].

Previous Result. Wang el at. [30] have proved that there exists no 5-round 1 input active word and 1 output active word impossible differentials for AES-128 without the last MC operation even considering all the details of the S-box in the key independent setting. But, the influence of the key schedule for the impossible differentials about AES-128 is still unknown.

Our Method. Determine whether a pair of input and output differences is the 5-round impossible differential by considering all the details of the relations of the round keys is very time-consuming. To resolve this issue, we adopt the three phases technique to finish our proof. First, according to the following two observations and further the propositions by studying the differential property of the S-box of AES, we propagate the input difference one round in the forward direction and the output difference two rounds in the backward direction. Then, we run our algorithm to show that those differences after the propagation can be connected through two rounds of AES even considering the relation of 3-round keys.

Observation 3

Let S denote the S-box of AES, define $DDT_{in}(\beta ) = \{\alpha |\exists x \in \mathbb {F}^{8}_{2}, s.t. S(x) \oplus S(x\oplus \alpha ) = \beta \}$, then we have $DDT_{in}(0x01)\cup DDT_{in}(0x02)\cup DDT_{in}(0xec) = \mathbb {F}^{8}_{2}$.

Observation 4

Let S denote the S-box of AES, define $DDT_{out}(\alpha ) = \{\beta |\exists x \in \mathbb {F}^{8}_{2}, s.t. \beta = S(x) \oplus S(x\oplus \alpha )\}$, then we have $DDT_{out}(0x01)\cup DDT_{out}(0x02)\cup DDT_{out}(0xf7) = \mathbb {F}^{8}_{2}$. Moreover, we have

$$\begin{aligned} {\begin{matrix} \{0x0d, 0x1a, 0xff\} =\{0x0d \times 0x01, 0x0d \times 0x02, 0x0d \times 0xf7\} \in DDT_{out}(0x01),\\ \{0x0b, 0x16, 0xfb\}=\{0x0b \times 0x01, 0x0b \times 0x02, 0x0b \times 0xf7\} \in DDT_{out}(0x03),\\ \{0x09, 0x12, 0x0e\} =\{0x09 \times 0x01, 0x09 \times 0x02, 0x09 \times 0xf7\} \in DDT_{out}(0x06),\\ \{0x0e, 0x1c, 0xfd\} =\{0x0e \times 0x01, 0x0e \times 0x02, 0x0e \times 0xf7\} \in DDT_{out}(0x09).\\ \end{matrix}} \end{aligned}$$

Proposition 2

Let $F_{1}= MC\circ SR\circ SB \circ ARK$, any difference $D^{i,j}_{\alpha }\ (0\le i \le 3, 0\le j \le 3, \alpha \in \mathbb {F}^{8}_{2}/\{0\})$ can propagate to at least one of the differences of $MC\circ SR(D^{i,j}_{0x01})$, $MC\circ SR(D^{i,j}_{0x02})$, and $MC\circ SR(D^{i,j}_{0xec})$ through $F_{1}$.

Proposition 3

Let $F_{2} = ARK \circ SR \circ SB \circ ARK \circ MC \circ SR\circ SB$ and

$$P = \left( \begin{array}{cccc} 0x09 &{} 0x03 &{} 0x01 &{} 0x06 \\ 0x06 &{} 0x09 &{} 0x03 &{} 0x01 \\ 0x01 &{} 0x06 &{} 0x09 &{} 0x03 \\ 0x03 &{} 0x01 &{} 0x06 &{} 0x09 \\ \end{array} \right) . $$

Let $k = (j + i) \text { mod }4$. Then, for any difference $D^{i,j}_{\alpha }\ (0\le i \le 3, 0\le j \le 3, \alpha \in \mathbb { F}^{8}_{2}/\{0\})$, the difference $G_{i,j}:=D^{0,k}_{P_{0, i}} + D^{1,(k+ 1) mod 4}_{P_{1, i}}+ D^{2,(k+ 2) mod 4}_{P_{2, i}}+ D^{3,(k+ 3) mod 4}_{P_{3, i}}$ can propagate to it through $F_{2}$.

Proof

Let Q be the inverse matrix of the MDS used in AES^{Footnote 7}. According to Observation 4, for $\forall z \in \{0x01, 0x02, 0x7f\}$, we have $G_{i,j} {\mathop {\longrightarrow }\limits ^{SR\circ SB}} D^{0,k}_{Q_{0, i} \times z} + D^{1,k}_{Q_{1, i}\times z}+ D^{2,k}_{Q_{2, i} \times z}+ D^{3,k}_{Q_{3, i} \times z}$, since the S-box is applied to each byte of the state in parallel in the SB operation. Then based on the definition of Q, we have $MC(D^{0,k}_{Q_{0, i} \times z} + D^{1,k}_{Q_{1, i}\times z}+ D^{2,k}_{Q_{2, i} \times z}+ D^{3,k}_{Q_{3, i} \times z}) = D^{i, k}_{z}$. According to Observation 4, for any difference $D^{i,j}_{\alpha }\ (0\le i \le 3, 0\le j \le 3, \alpha \in \mathbb {F}^{8}_{2}/\{0\})$, at least one of $D^{i, k}_{0x01}, D^{i, k}_{0x02}, $ and $ D^{i, k}_{0x7f}$ can propagate to it through $SR \circ SB$. Thus, for any difference $D^{i,j}_{\alpha }\ (0\le i \le 3, 0\le j \le 3, \alpha \in \mathbb {F}^{8}_{2}/\{0\})$, the difference $G_{i,j}$ can propagate to it through $F_{2}$. $\square $

Our Experiment. Let $F_{3} = ARK\circ (MC\circ SR\circ SB \circ ARK)^{2}$. For $0\le i,j,s,t\le 3$, by considering the relations of $K_{1}$, $K_{2}$, and $K_{3}$ according to the key schedule, we run our tool to determine whether all the differences of $MC\circ SR(D^{i,j}_{0x01})$, $MC\circ SR(D^{i,j}_{0x02})$, and $MC\circ SR(D^{i,j}_{0xec})$ can propagate to $G_{s,t}$ through $F_{3}$. After a total of $16\times 16\times 3=768$ tests, our result shows that all the differences of $MC\circ SR(D^{i,j}_{0x01})$, $MC\circ SR(D^{i,j}_{0x02})$, and $MC\circ SR(D^{i,j}_{0xec})$ can propagate to $G_{s,t}$ through $F_{3}$ in our setting, which leads to the following theorem.

Theorem 6

For 5-round AES-128 without the last MC operation, there exists no 1 input active word and 1 output active word impossible differentials by considering the relations of $K_{1}$, $K_{2}$, and $K_{3}$.

6.3 Combination of Three Phases Technique and Inside Value Technique: Application to MISTY1

Previous Result. Since MISTY1 adopts the 7-bit and 9-bit S-boxes, no automatic search tool could be used to evaluate its security taking account into the differential property of S-boxes so far.

Our Approach. We combine the three phases technique and inside value technique to accelerate our tool in this part. Denote $\beta _{0}||\alpha _{0}$ be the 1 input active bit difference and $\beta _{5}||\alpha _{5}$ be the 1 output active bit difference, and $FO_{(KI,KO)}$ be the FO function, where KI and KO are the secret keys in the FO function. Let

$$\begin{aligned} {\begin{matrix} \beta _{1}||\alpha _{1} = \left\{ \begin{array}{ll} {e^{64}_{i+32},} {\text { if } (\beta _{0}||\alpha _{0}) = e^{64}_{i}(0\le i \le 31),}\\ {(FO_{0,0}(0) \oplus FO_{0,0}(e^{32}_{i-32}))||e^{32}_{i-32},} {\text { if } \beta _{0}||\alpha _{0}) = e^{64}_{i}(32\le i \le 63).} \end{array}\right. \\ \beta _{4}||\alpha _{4} = \left\{ \begin{array}{ll} {e^{32}_{i}||(FO_{0,0}(0)\oplus FO_{0,0}(e^{32}_{i})) e^{64}_{i+32},} {\text { if } (\beta _{5}||\alpha _{5}) = e^{64}_{i}(0\le i \le 31),}\\ {e^{64}_{i-32},} {\text { if } \beta _{5}||\alpha _{5}) = e^{64}_{i}(32\le i \le 63).} \end{array}\right. \end{matrix}} \end{aligned}$$

That is, we propagate the difference $\beta _{0}||\alpha _{0}$ through one round to $\beta _{1}||\alpha _{1}$ in the forward direction and the difference $\beta _{5}||\alpha _{5}$ through one round to $\beta _{4}||\alpha _{4}$ in the backward direction. Then, we prove that $(0, \beta _{1}||\alpha _{1})$ and $(0, \beta _{4}||\alpha _{4})$ is the i-possible 2-polygons.

Our Experiment. We run our tool to determine whether the input 2-polygons $(0, \beta _{1}||\alpha _{1})$ and the output 2-polygons $(0, \beta _{4}||\alpha _{4})$ are the i-possible 2-polygons for 3 rounds MISTY1. After a total of $64\times 64 = 4096$ tests, our result shows that all the input 2-polygons $(0, \beta _{1}||\alpha _{1})$ and the output 2-polygons $(0, \beta _{4}||\alpha _{4})$ are the i-possible 2-polygons for 3-round MISTY1, which leads to the following theorem.

Theorem 7

For 5-round MISTY1 in which the FL layers were placed at the even rounds, there exists no 1 input active bit and 1 output active bit impossible differentials in the key independent setting.

7 Applications to Impossible $(s+1)$-Polytopic $(s\ge 2)$ Transitions

In this section, we run our tool to search the impossible $(s+1)$-polytopic$ (s\ge 2)$ transitions for PRINTcipher, GIFT64, PRESENT, and RC5. All the contradictions of the distinguishers in this section can be detected by our verification algorithm, the details are shown in the Full Version of our paper in the supplementary materials. First, for S-boxes based block ciphers, we define some search spaces for the input and output s-differences.

Search Space$_1$: In this space, the input 2-difference $(b_{1}, b_{2})$ is the (1, 1) active bit which only activates the two right S-boxes in the first round, and the output 2-difference $(e_{1}, e_{2})$ is the (1, 1) active bit.

Search Space$_2$: In this space, the input 2-difference $(b_{1}, b_{2})$ is the (1, 1) input active bit which only activates the first right S-box in the first round and the 2-difference $(e_{1}, e_{2})$ is the (1, 1) output active bit which activates the same S-box in the last round.

Search Space$_i(i=3,4)$: In this space, the input 3-difference is of pattern $(b_{1}, b_{2},$ $b_{1}\oplus b_{2})$ and the output 3-difference is of pattern $(e_{1}, e_{2}, e_{1}\oplus e_{2})$, where $(b_{1}, b_{2})$ and $(e_{1}, e_{2})$ are in Search space$_{i-2}$.

7.1 The d-Impossible Polytopic Transitions of PRINTcipher

In this part, we show our method to search the impossible 3-polytopic transitions and impossible 4-polytopic transitions for PRINTcipher48 and PRINTcipher96 by considering all the details of the key schedule. Besides, we also study the influence of the Xor key and control key for the d-impossible 3-polytopic transitions of PRINTcipher48.

For the d-impossible 3-polytopic transitions of PRINTcipher48, we search such distinguishers in the Search space$_{1}$. After a total of $\left( {\begin{array}{c}\left( {\begin{array}{c}6\\ 1\end{array}}\right) \\ 2\end{array}}\right) \times \left( {\begin{array}{c}\left( {\begin{array}{c}48\\ 1\end{array}}\right) \\ 2\end{array}}\right) =16920$ tests, the maximum number of rounds of d-impossible 3-polytopic transitions in this search space is 6, and a total of 1471 6-round d-impossible 3-polytopic transitions are found. One of them is

$$\begin{aligned} (0x000000000001, 0x000000010000) {\mathop {\nrightarrow }\limits ^{6-round}} (0x000000000002, 0x000000000200). \end{aligned}$$

Impact of the constraints of the Xor keys. In our search above, we restrict the Xor keys and control keys according to the key schedule. To investigate the impact of the constraints of the Xor keys, we further release the constraints of the Xor keys and keep the constraints of the control keys. Then, we run our tool to search the 6-round impossible 3-polytopic transitions in Search space$_{1}$. Finally, we get 1448 6-round impossible 3-polytopic transitions. This result shows that, the constraint of the Xor keys leads to more contradictions for constructing the impossible 3-polytopic transitions.

Impact of the Constraints of the Control Keys. Similarly, we keep the constraints of the Xor keys and release the constraints of the control keys over again. Then, we run our tool to search the 6-round impossible 3-polytopic transitions in Search space$_{1}$. Finally, we found that there exists no 6-round impossible 3-polytopic transitions in such search space. This result shows that the constraints of the control keys have a very significant impact on constructing the impossible 3-polytopic transitions.

Those two results show that, both the Xor keys and control keys may have influences on the results of impossible $(s+1)$-polytopic transitions. Thus, in the search of impossible $(s+1)$-polytopic transitions, we should consider the details of key schedule as much as possible if the time cost permits.

For the d-impossible 4-polytopic transitions of PRINTcipher48, we search such distinguishers in Search space$_{3}$. Finally, we found one 7-round d-impossible 4-polytopic transition of PRINTcipher48 as follows and stop our tool due to the limitation of search time.

$$\begin{aligned} {\begin{matrix} (0x000000000001, 0x000000010000, 0x000000010001) {\mathop {\nrightarrow }\limits ^{7-round}} \\ (0x000000000001, 0x000000000200, 0x000000000201). \end{matrix}} \end{aligned}$$

For the d-impossible 3-polytopic transitions of PRINTcipher96, we search such distinguishers in Search space$_{1}$. Finally, we find one 7-round d-impossible 3-polytopic transition of PRINTcipher96 as follows and stop our tool due to the limitation of search time.

$$\begin{aligned} {\begin{matrix} (0x000000000000000000000001, 0x000000000000000100000000){\mathop {\nrightarrow }\limits ^{7-round}} \\ (0x000000000000000000000001, 0x000000000000000008000000) \end{matrix}} \end{aligned}$$

For the d-impossible 4-polytopic transitions of PRINTcipher96, we search such distinguishers in Search space$_{3}$. Finally, we find one 8-round d-impossible 4-polytopic transition of PRINTcipher96 as follows (as the left 48-bit of each value are 0, we only show the right 48 bits here) and stop our tool due to the limitation of search time.

$$\begin{aligned} {\begin{matrix} (0x000000000001, 0x000100000000, 0x000100000001) {\mathop {\nrightarrow }\limits ^{8-round}}\\ (0x000000000001, 0x000000000200, 0x000000000201). \end{matrix}} \end{aligned}$$

7.2 The 7-Round d-Impossible 3-Polytopic Transition of GIFT64

For GIFT64, we search the d-impossible 3-polytopic transitions in Search space$_{2}$ Finally, we find one 7-round d-impossible 3-polytopic transition as follows and stop our tool due to the limitation of search time.

$$\begin{aligned} {\begin{matrix} (0x0000000000000001, 0x0000000000000002) {\mathop {\nrightarrow }\limits ^{7-round}} \\ (0x0000000000000001, 0x0000000000000008). \end{matrix}} \end{aligned}$$

7.3 The 7-Round i-Impossible 4-Polytopic Transition of PRESENT

For the i-impossible 4-polytopic transitions of PRESENT, we search such distinguishers in Search space$_{4}$. Finally, we find one 7-round d-impossible 4-polytopic transition of PRESENT as follows and stop our tool due to the limitation of search time.

$$\begin{aligned} {\begin{matrix} (0x0000000000000001, 0x0000000000000002, 0x0000000000000003) {\mathop {\nrightarrow }\limits ^{7-round}} \\ (0x0000000000000001, 0x0000000000010000, 0x0000000000010001). \end{matrix}} \end{aligned}$$

7.4 The 3-Round i-Impossible 3-Polytopic Transition of RC5-32 and RC5-64

In this subsection, we show our method for searching the i-impossible 3-polytopic transition of RC5-32 and RC5-64 by adopting the step by step strategy.

For RC5-32, since (0x80008000, 0x00008000) is the 2.5-round impossible differential, we search the i-impossible 3-polytopic transitions by limiting the input 2-difference $(b_{1}, b_{2})$ in the set $\{(0x80008000, e^{32}_{i,i+16})|0\le i\le 15\}$ and the output 2-difference $(e_{1}, e_{2})$ in the set $\{(0x00008000, e^{32}_{i})|0\le i\le 31\}$. Finally, we find 108 3-round i-impossible 3-polytopic transitions and result in that there exists no 3.5-round i-impossible 3-polytopic transitions in such search space. One of the transitions is

$$\begin{aligned} (0x80008000, 0x00100010){\mathop {\nrightarrow }\limits ^{3-round}} (0x80000000, 0x00200000). \end{aligned}$$

By adopting the same method for RC5-32, we find one 3-round i-impossible 3-polytopic transition as follows.

$$\begin{aligned} {\begin{matrix} (0x8000000080000000, 0x0000002000000020) {\mathop {\nrightarrow }\limits ^{3-round}}\\ (0x8000000000000000, 0x0000004000000000). \end{matrix}} \end{aligned}$$

8 Conclusion

In this paper, we redefine the impossible differentials and impossible $(s+1)$-polytopic transitions based on the notation of s-polygon, and design a unity SAT-based automatic tool to search them. We apply our tool to various block ciphers. These results show that our tool can not only be used to search the distinguishers by considering the key schedule in the single-key setting, but also make the most of the inside property of large S-boxes or variable rotation for several typical classes of block ciphers.

Moreover, we derive an interesting result that, with the increase of the parameter s, the number of rounds in which the impossible $(s+1)$-polytopic transition exists also increases. Although due to the limitations of computing power, we can only search the impossible $(s+1)$-polytopic transition with a small value of s. But, the result indicates a challenge clearly that the impossible $(s+1)$-polytopic transition may bring threats for block ciphers with the development of the solver of the SAT and the computing power, and it is better to resist this kind of cryptanalysis in a theoretical way of cipher design.

Notes

1.
Convention. In our paper, the impossible $(s+1)$-polytopic transition is uniformly defined for $(s\ge 2)$, excluding the case of the impossible differential, since it has been studied in-depth separately.
2.
This idea can be traced back to [21]. In [21], Mironov et al. used the idea of the transition of states to search two states that satisfy a fixed differential path, which is the critical step to find a collision of the hash function. Recently, two papers [16, 26] that also used the idea of the transition of states appeared in the ePrint. As we understand, [16] applied the transition of two states to the non-linear layer. [26] utilized the idea to determine whether a given differential path of ARX based block ciphers is compatible or not. In our paper, we exploit the idea of the transition of multi-states to search the impossible differential and the impossible $(s+1)$-polytopic transition for block ciphers.
3.
http://stp.github.io/.
4.
Illustrantion. Note that, when to search the r-round distinguishers by considering the key schedule in our model, different beginning round lead to different final models, since the round constants are different from each round. To a common format, we place the distinguishers of our model in the 1st round by default (except GIFT64, since the round key is not XORed with plaintext in the first round, we place the distinguishers in the 2nd). That is, when we say a distinguisher is an r-round distinguisher, it is an r-round distinguisher placed from 1st round to the r-th round. Similarly, when we say there exists no r-round impossible differentials in the search space, it means that for all the input differences and output differences where the input differences placed at the 1st round and the output differences placed at the r-th round, the differences cannot be connected. Actually, in other cases that the distinguishers do not begin with the 1st round, the distinguisher can be searched similarly.
5.
BVXOR: Bitwise XOR function which is supported by the CVC format of STP.
6.
BVPLUS: Bitvector Add function which is supported by the CVC format of STP.
7.
$$ Q = \left( \begin{array}{cccc} 0x0e &{} 0x0b &{} 0x0d &{} 0x09 \\ 0x09 &{} 0x0e &{} 0x0b &{} 0x0d \\ 0x0d &{} 0x09 &{} 0x0e &{} 0x0b \\ 0x0b &{} 0x0d &{} 0x09 &{} 0x0e \\ \end{array} \right) . $$
.

References

Banik, S., et al.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_17
Chapter Google Scholar
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Yu., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
Chapter Google Scholar
Baysal, A., Şahin, S.: RoadRunneR: a small and fast bitslice block cipher for low cost 8-bit processors. In: Güneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 58–76. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29078-2_4
Chapter MATH Google Scholar
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2
Chapter Google Scholar
Biham, E., Shamir, A.: Differential cryptanalysis of des-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Article MathSciNet Google Scholar
Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Chapter Google Scholar
Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14
Chapter Google Scholar
Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_10
Chapter Google Scholar
Chen, J., Wang, M., Preneel, B.: impossible differential cryptanalysis of the lightweight block ciphers TEA, XTEA and HIGHT. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 117–137. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31410-0_8
Chapter Google Scholar
Cui, T., Jia, K., Kai, F., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016, p. 689 (2016)
Google Scholar
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
Book MATH Google Scholar
Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_14
Chapter Google Scholar
Kim, J., Hong, S., Sung, J., Lee, S., Lim, J., Sung, S.: Impossible differential cryptanalysis for block cipher structures. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 82–96. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_6
Chapter Google Scholar
Knudsen, L.: Deal - a 128-bit block cipher. In: NIST AES Proposal (1998)
Google Scholar
Knudsen, L., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: a block cipher for IC-printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_2
Chapter Google Scholar
Liu, F., Isobe, T., Meier, W.: Automatic verification of differential characteristics: application to reduced gimli. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 219–248. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_8
Chapter Google Scholar
Luo, Y., Lai, X., Zhongming, W., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014)
Article Google Scholar
Mala, H., Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M.: Improved impossible differential cryptanalysis of 7-round AES-128. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17401-8_20
Chapter Google Scholar
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Chapter Google Scholar
Matsui, M.: New block encryption algorithm MISTY. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 54–68. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052334
Chapter MATH Google Scholar
Mironov, I., Zhang, L.: Applications of SAT solvers to cryptanalysis of hash functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006). https://doi.org/10.1007/11814948_13
Chapter Google Scholar
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
Chapter MATH Google Scholar
Nyberg, K., Knudsen, L.R.: Provable security against a differential attack. J. Cryptol. 8(1), 27–37 (1995). https://doi.org/10.1007/BF00204800
Article MathSciNet MATH Google Scholar
Rivest, R.L.: The RC5 encryption algorithm. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 86–96. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_7
Chapter MATH Google Scholar
Rivest, R.L., Robshaw, M.J.B., Yin, Y.L.: RC6 as the AES. In: The Third Advanced Encryption Standard Candidate Conference, 13–14 April 2000, New York, pp. 337–342. National Institute of Standards and Technology (2000)
Google Scholar
Sadeghi, S., Rijmen, V., Bagheri, N.: Proposing an milp-based method for the experimental verification of difference trails. IACR Cryptol. ePrint Arch. 2020, 632 (2020)
Google Scholar
Sasaki, Yu., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_7
Chapter Google Scholar
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Chapter Google Scholar
Tiessen, T.: Polytopic cryptanalysis. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_9
Chapter Google Scholar
Wang, Q., Jin, C.: Upper bound of the length of truncated impossible differentials for AES. Des. Codes Crypt. 86(7), 1541–1552 (2017). https://doi.org/10.1007/s10623-017-0411-z
Article MathSciNet MATH Google Scholar
Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_17
Chapter Google Scholar

Download references

Acknowledgements

We are very grateful to the anonymous reviewers for their helpful comments. This work is supported by the National Natural Science Foundation of China (No. 61772517, 61902030, 61772516), Beijing Municipal Science & Technology Commission (No. Z191100007119004), and Youth Innovation Promotion Association CAS.

Author information

Authors and Affiliations

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Xichao Hu, Yongqiang Li, Shizhu Tian & Mingsheng Wang
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Xichao Hu, Yongqiang Li, Shizhu Tian & Mingsheng Wang
State Key Laboratory of Cryptology, Beijing, China
Lin Jiao

Authors

Xichao Hu
View author publications
You can also search for this author in PubMed Google Scholar
Yongqiang Li
View author publications
You can also search for this author in PubMed Google Scholar
Lin Jiao
View author publications
You can also search for this author in PubMed Google Scholar
Shizhu Tian
View author publications
You can also search for this author in PubMed Google Scholar
Mingsheng Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yongqiang Li .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hu, X., Li, Y., Jiao, L., Tian, S., Wang, M. (2020). Mind the Propagation of States. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12491. Springer, Cham. https://doi.org/10.1007/978-3-030-64837-4_14

Download citation

DOI: https://doi.org/10.1007/978-3-030-64837-4_14
Published: 06 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64836-7
Online ISBN: 978-3-030-64837-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Mind the Propagation of States

Abstract

Similar content being viewed by others

Automatic Search Model for Related-Tweakey Impossible Differential Cryptanalysis

Convexity of Division Property Transitions: Theory, Algorithms and Compact Models

Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon

Keywords

1 Introduction

2 Preliminaries

2.1 Notations

2.2 A Brief Introduction of Impossible Differentials and Impossible \((s+1)\)-Polytopic Transitions

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Definition 6

2.3 SAT Problem and STP

3 New Definitions of Impossible Differentials and Impossible \((s+1)\)-Polytopic Transitions

3.1 New Definitions of Impossible Differentials and Impossible \((s+1)\)-Polytopic Transitions

Definition 7

Definition 8

Definition 9

Definition 10

Definition 11

Definition 12

Theorem 1

3.2 The Equivalence of i-impossible \((s+1)\)-Polytopic Transitions and Traditional Impossible \((s+1)\)-Polytopic Transitions

Definition 13

Theorem 2

Proof

Theorem 3

Theorem 4

Theorem 5

4 Automatic Search Method

4.1 Model the Propagation of the State by Statements in CVC Format

Model 1

Model 2

Model 3

Model 4

Model 5

Model 6

4.2 The Automatic Search Method for Redefined Impossible Differentials and Impossible \((s + 1)\)-Polytopic Transitions

Definition 14

Definition 15

5 Applications to Impossible Differentials from the Aspect of Cryptanalysis

5.1 GIFT64

5.2 PRINTcipher

Observation 1

5.3 MISTY1

Observation 2

Proposition 1

5.4 RC5

6 Applications to Impossible Differentials from the Aspect of Design

6.1 Direct Application to GIFT64, PRESENT, Midori64, PRINTcipher48, and PRINTcipher96

6.2 Three Phases Technique: Apply to AES-128

Observation 3

Observation 4

Proposition 2

Proposition 3

Proof

Theorem 6

6.3 Combination of Three Phases Technique and Inside Value Technique: Application to MISTY1

Theorem 7

7 Applications to Impossible \((s+1)\)-Polytopic \((s\ge 2)\) Transitions

7.1 The d-Impossible Polytopic Transitions of PRINTcipher

7.2 The 7-Round d-Impossible 3-Polytopic Transition of GIFT64

7.3 The 7-Round i-Impossible 4-Polytopic Transition of PRESENT

7.4 The 3-Round i-Impossible 3-Polytopic Transition of RC5-32 and RC5-64

8 Conclusion

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information