Impossible Differential Cryptanalysis of the FBC Block Cipher

Abstract

The FBC block cipher is an award-winning algorithm of the recent Cryptographic Algorithm Design Competition in China. It employs a generalised Feistel structure and has three versions FBC128-128, FBC128-256 and FBC256, which have a 128-bit block size with a 128- or 256-bit user key and a 256-bit block size with a 256-bit user key, respectively. The best previously published cryptanalysis results on FBC are Zhang et al.’s impossible differential attack on 13-round FBC128-128 and Ren et al.’s boomerang attack on 13-round FBC128-256. In this paper, we observe that when conducting impossible differential cryptanalysis of FBC, both inactive and active nibble differences on plaintext and ciphertext as well as a few intermediate states may be exploited for some refined sorting conditions on plaintexts and ciphertexts to filter out preliminary satisfying plaintext/ciphertext pairs efficiently. Taking advantage of this observation, we use Zhang et al.’s 9-round impossible differentials of FBC128 to make key-recovery attacks on 14-round FBC128-128 and 15-round FBC128-256, and similarly we exploit 13-round impossible differentials on FBC256 and make a key-recovery attack on 19-round FBC256. Our results are better than any previously published cryptanalytic results on FBC in terms of the numbers of attacked rounds.

Appendix: Filtering Details of the 100-Bit Index on FBC128-128

Under a structure, a pair of plaintexts \((P^{j_0},P^{j_1})\) with the same 100-bit index (1)–(18) have the following features:

• Indexes (1) and (2) guarantee that \(P^{j_0}_1 \oplus P^{j_1}_1 =\varDelta X^0_1 = 0x\gamma ^0_00000(\gamma ^0_0\lll 1)(\gamma ^0_0\lll 2)0\), where \(\gamma ^0_0\) is an indeterminate nibble difference. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(1):&{}(P^{j_0}_1[0] \lll 1) \oplus P^{j_0}_1[5]=(P^{j_1}_1[0] \lll 1) \oplus P^{j_1}_1[5] \\ &{}\Rightarrow &{} \varDelta P_1[5] =\varDelta P_1[0] \lll 1, \\ &{}\text {Index}~(2):&{}(P^{j_0}_1[0] \lll 2) \oplus P^{j_0}_1[6]=(P^{j_1}_1[0] \lll 2) \oplus P^{j_1}_1[6] \\ &{}\Rightarrow &{} \varDelta P_1[6]=\varDelta P_1[0] \lll 2, \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} &\gamma ^0_0= P^{j_0}_1[0] \oplus P^{j_1}_1[0]=\varDelta P_1[0]. \end{aligned}$$

• Indexes (3)–(5) guarantee that \(P^{j_0}_0 \oplus P^{j_1}_0 =\varDelta X^0_0 =0x\widehat{\alpha }0000000\) and \(P^{j_0}_2 \oplus P^{j_1}_2 =\varDelta X^0_2 = 0x(\widehat{\alpha }\oplus \gamma ^0_1)0\gamma ^0_2(\gamma ^0_3\oplus (\gamma ^0_2\lll 1))(\gamma ^0_3\lll 1) (\gamma ^0_2\oplus (\gamma ^0_1\lll 1))(\gamma ^0_3\oplus (\gamma ^0_1\lll 2))0\), where \(\widehat{\alpha }\), \(\gamma ^0_1, \gamma ^0_2,\gamma ^0_3\) are indeterminate nibble differences. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(3):&{}(P^{j_0}_2[2] \lll 1)\oplus P^{j_0}_2[3] \oplus (P^{j_0}_2[4] \ggg 1)=\\ &{}&{}(P^{j_1}_2[2] \lll 1)\oplus P^{j_1}_2[3] \oplus (P^{j_1}_2[4] \ggg 1) \\ &{}\Rightarrow &{} \varDelta P_2[3] = (\varDelta P_2[4] \ggg 1) \oplus (\varDelta P_2[2] \lll 1), \\ &{}\text {Index}~(4):&{}(P^{j_0}_0[0] \lll 1)\oplus (P^{j_0}_2[0] \lll 1)\oplus P^{j_0}_2[2] \oplus P^{j_0}_2[5]=\\ &{}&{}(P^{j_1}_0[0] \lll 1)\oplus (P^{j_1}_2[0] \lll 1)\oplus P^{j_1}_2[2] \oplus P^{j_1}_2[5] \\ &{}\Rightarrow &{} \varDelta P_2[5]= \varDelta P_2[2] \oplus ((\varDelta P_0[0]\oplus \varDelta P_2[0]) \lll 1), \\ &{}\text {Index}~(5):&{}(P^{j_0}_0[0] \lll 2)\oplus (P^{j_0}_2[0] \lll 2)\oplus (P^{j_0}_2[4] \ggg 1) \oplus P^{j_0}_2[6]=\\ &{}&{}(P^{j_1}_0[0] \lll 2)\oplus (P^{j_1}_2[0] \lll 2)\oplus (P^{j_1}_2[4] \ggg 1) \oplus P^{j_1}_2[6] \\ &{}\Rightarrow &{} \varDelta P_2[6] =(\varDelta P_2[4] \ggg 1) \oplus ((\varDelta P_0[0]\oplus \varDelta P_2[0]) \lll 2), \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantees after letting

  $$\begin{aligned} &\widehat{\alpha } =P^{j_0}_0[0] \oplus P^{j_1}_0[0]= \varDelta P_0[0], \\ &\gamma ^0_1 =(P^{j_0}_2[0] \oplus P^{j_1}_2[0]) \oplus \widehat{\alpha }=\varDelta P_2[0] \oplus \widehat{\alpha }, \\ &\gamma ^0_2 = P^{j_0}_2[2] \oplus P^{j_1}_2[2]= \varDelta P_2[2], \\ &\gamma ^0_3 = (P^{j_0}_2[4] \oplus P^{j_1}_2[4])\ggg 1= \varDelta P_2[4] \ggg 1. \end{aligned}$$

• Indexes (6) and (7) guarantee that \(P^{j_0}_3 \oplus P^{j_1}_3 =\varDelta X^0_3 = 0x\gamma ^1_00000(\gamma ^1_0\lll 1)(\gamma ^1_0\lll 2)0\), where \(\gamma ^1_0\) is an indeterminate nibble difference. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(6):&{}(P^{j_0}_3[0] \lll 1) \oplus P^{j_0}_3[5]= (P^{j_1}_3[0] \lll 1) \oplus P^{j_1}_3[5] \\ &{}\Rightarrow &{} \varDelta P_3[5]= \varDelta P_3[0]\lll 1, \\ &{}\text {Index}~(7):&{}(P^{j_0}_3[0] \lll 2) \oplus P^{j_0}_3[6]=(P^{j_1}_3[0] \lll 2) \oplus P^{j_1}_3[6] \\ &{}\Rightarrow &{} \varDelta P_3[6] = \varDelta P_3[0] \lll 2, \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} & \gamma ^1_0= P^{j_0}_3[0] \oplus P^{j_1}_3[0]=\varDelta P_3[0]. \end{aligned}$$

• Indexes (8)–(10) guarantee that \(C^{j_0}_0 \oplus C^{j_1}_0 =\varDelta X^{14}_0 = 0x0\star 0\star \star \star \star \star =0x0\eta _00\eta _1(\eta _2 \oplus (\eta _1\lll 1))(\eta _2\lll 1)((\eta _3 \lll 1) \oplus \eta _1)((\eta _3 \lll 2) \oplus \eta _2)\), where \(\eta _0,\eta _1,\eta _2,\eta _3\) are indeterminate nibble differences. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(8):&{}C^{j_0}_0[0,2] =C^{j_1}_0[0,2] \Rightarrow \varDelta X^{14}_0[0,2]=0, \\ &{}\text {Index}~(9):&{}(C^{j_0}_0[3] \lll 1) \oplus C^{j_0}_0[4] \oplus (C^{j_0}_0[5] \ggg 1)=\\ &{}&{}(C^{j_1}_0[3] \lll 1) \oplus C^{j_1}_0[4] \oplus (C^{j_1}_0[5] \ggg 1) \\ &{}\Rightarrow &{} \varDelta C_0[4]=(\varDelta C_0[5] \ggg 1) \oplus (\varDelta C_0[3] \lll 1), \\ &{}\text {Index}~(10):&{}(C^{j_0}_0[3] \lll 1) \oplus (C^{j_0}_0[5] \ggg 1) \oplus (C^{j_0}_0[6]\lll 1) \oplus C^{j_0}_0[7]=\\ &{}&{}(C^{j_1}_0[3] \lll 1) \oplus (C^{j_1}_0[5] \ggg 1) \oplus (C^{j_1}_0[6]\lll 1) \oplus C^{j_1}_0[7] \\ &{}\Rightarrow &{} \varDelta C_0[7] = (\varDelta C_0[3] \lll 1) \oplus (\varDelta C_0[5] \ggg 1) \oplus (\varDelta C_0[6] \lll 1), \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} & \eta _0= C^{j_0}_0[1]\oplus C^{j_1}_0[1]= \varDelta C_0[1], \\ & \eta _1= C^{j_0}_0[3]\oplus C^{j_1}_0[3]= \varDelta C_0[3], \\ & \eta _2= (C^{j_0}_0[5]\oplus C^{j_1}_0[5])\ggg 1= \varDelta C_0[5] \ggg 1, \\ & \eta _3= (C^{j_0}_0[6]\oplus C^{j_1}_0[6] \oplus \eta _1)\ggg 1= (\varDelta C_0[6] \oplus \eta _1)\ggg 1. \end{aligned}$$

• Index (11) guarantees that \(C^{j_0}_2[0,2] \oplus C^{j_1}_2[0,2] =\varDelta X^{14}_2[0,2]=0\), because

  $$\begin{aligned} \begin{array}{ccl} &\text {Index}~(11):&C^{j_0}_2[0,2] =C^{j_1}_2[0,2] \Rightarrow \varDelta X^{14}_2[0,2]=0. \end{array} \end{aligned}$$

• Indexes (12)–(13) guarantee that \(C^{j_0}_3 \oplus C^{j_1}_3 =\varDelta X^{14}_3= 0x\gamma ^{13}_1(\eta _4\oplus \gamma ^{13}_2\oplus (\gamma ^{13}_1\lll 1)) (\gamma ^{13}_3\oplus (\gamma ^{13}_2\lll 1))(\gamma ^{13}_1\oplus \gamma ^{13}_4\oplus (\gamma ^{13}_3\lll 1)) (\gamma ^{13}_2\oplus \gamma ^{13}_5\oplus (\gamma ^{13}_4\lll 1))(\gamma ^{13}_3\oplus (\gamma ^{13}_5\lll 1)) (\gamma ^{13}_4\oplus (\eta _4\lll 1)) (\gamma ^{13}_5\oplus (\eta _4\lll 2))\), where \(\eta _4,\gamma ^{13}_1,\gamma ^{13}_2,\gamma ^{13}_3,\) \(\gamma ^{13}_4,\gamma ^{13}_5\) are indeterminate nibble differences. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(12):&{}C^{j_0}_3[0] \oplus C^{j_0}_3[3]\oplus C^{j_0}_3[6]\oplus ((C^{j_0}_3[1]\oplus C^{j_0}_3[2]\oplus C^{j_0}_3[4]\oplus \\ &{}&{}C^{j_0}_3[7]) \lll 1)\oplus ((C^{j_0}_3[0]\oplus C^{j_0}_3[4]\oplus C^{j_0}_3[6]\oplus C^{j_0}_3[7]) \lll 2)\oplus \\ &{}&{}(C^{j_0}_3[6] \lll 3)= C^{j_1}_3[0] \oplus C^{j_1}_3[3]\oplus C^{j_1}_3[6]\oplus ((C^{j_1}_3[1]\oplus \\ &{}&{}C^{j_1}_3[2]\oplus C^{j_1}_3[4]\oplus C^{j_1}_3[7]) \lll 1)\oplus ((C^{j_1}_3[0]\oplus C^{j_1}_3[4]\oplus C^{j_1}_3[6]\\ &{}&{}\oplus C^{j_1}_3[7]) \lll 2)\oplus (C^{j_1}_3[6] \lll 3)\\ &{}\Rightarrow &{} \varDelta C_3[3]= \varDelta C_3[0] \oplus \varDelta C_3[6] \oplus (\varDelta C_3[6] \lll 3)\oplus \\ &{}&{}((\varDelta C_3[1] \oplus \varDelta C_3[2] \oplus \varDelta C_3[4] \oplus \varDelta C_3[7]) \lll 1) \oplus \\ &{}&{} ((\varDelta C_3[0] \oplus \varDelta C_3[4] \oplus \varDelta C_3[6] \oplus \varDelta C_3[7])\lll 2), \\ &{}\text {Index}~(13):&{}C^{j_0}_3[2] \oplus (C^{j_0}_3[4] \lll 1)\oplus C^{j_0}_3[5]\oplus (C^{j_0}_3[6] \lll 2)\oplus \\ &{}&{}((C^{j_0}_3[1]\oplus C^{j_0}_3[4]\oplus C^{j_0}_3[7]) \lll 3)\oplus ((C^{j_0}_3[0]\oplus C^{j_0}_3[6]) \lll 4)\\ &{}&{}=C^{j_1}_3[2] \oplus (C^{j_1}_3[4] \lll 1)\oplus C^{j_1}_3[5]\oplus (C^{j_1}_3[6] \lll 2)\oplus \\ &{}&{}((C^{j_1}_3[1]\oplus C^{j_1}_3[4]\oplus C^{j_1}_3[7]) \lll 3)\oplus ((C^{j_1}_3[0]\oplus C^{j_1}_3[6]) \lll 4) \\ &{}\Rightarrow &{} \varDelta C_3[5]\!=\! \varDelta C_3[2] \!\oplus \! (\varDelta C_3[4]\lll 1) \!\oplus \! (\varDelta C_3[6]\lll 2) \oplus ((\varDelta C_3[1] \\ &{}&{} \oplus \varDelta C_3[4] \oplus \varDelta C_3[7])\lll 3)\oplus ((\varDelta C_3[0]\oplus \varDelta C_3[6])\lll 4), \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} \eta _4 = & {} C^{j_0}_3[1] \oplus C^{j_1}_3[1] \oplus C^{j_0}_3[4] \oplus C^{j_1}_3[4] \oplus C^{j_0}_3[7] \oplus C^{j_1}_3[7] \oplus \\ {} & {} ((C^{j_0}_3[0] \oplus C^{j_1}_3[0] \oplus C^{j_0}_3[6] \oplus C^{j_1}_3[6]) \lll 1) \\ = & {} \varDelta C_3[1] \oplus \varDelta C_3[4] \oplus \varDelta C_3[7] \oplus ((\varDelta C_3[0] \oplus \varDelta C_3[6]) \lll 1), \\ \gamma ^{13}_1 = & {} C^{j_0}_3[0] \oplus C^{j_1}_3[0]=\varDelta C_3[0], \\ \gamma ^{13}_2 = & {} C^{j_0}_3[4] \oplus C^{j_1}_3[4] \oplus ((C^{j_0}_3[6] \oplus C^{j_1}_3[6]) \lll 1) \oplus C^{j_0}_3[7] \oplus C^{j_1}_3[7] \\ = & {} \varDelta C_3[4] \oplus (\varDelta C_3[6] \lll 1) \oplus \varDelta C_3[7], \\ \gamma ^{13}_3 = & {} C^{j_0}_3[2] \oplus C^{j_1}_3[2] \oplus ((C^{j_0}_3[4] \oplus C^{j_1}_3[4] \oplus C^{j_0}_3[7] \oplus C^{j_1}_3[7]) \lll 1) \oplus \\ {} & {} ((C^{j_0}_3[6] \oplus C^{j_1}_3[6]) \lll 2)\\ = & {} \varDelta C_3[2] \oplus ((\varDelta C_3[4] \oplus \varDelta C_3[7]) \lll 1) \oplus (\varDelta C_3[6]\lll 2), \\ \gamma ^{13}_4 = & {} C^{j_0}_3[6] \oplus C^{j_1}_3[6] \oplus ((C^{j_0}_3[0] \oplus C^{j_1}_3[0] \oplus C^{j_0}_3[6] \oplus C^{j_1}_3[6]) \lll 2)\oplus \\ {} & {} ((C^{j_0}_3[1] \oplus C^{j_1}_3[1] \oplus C^{j_0}_3[4] \oplus C^{j_1}_3[4] \oplus C^{j_0}_3[7] \oplus C^{j_1}_3[7]) \lll 1) \\ = & {} \varDelta C_3[6] \oplus ((\varDelta C_3[0] \oplus \varDelta C_3[6]) \lll 2)\oplus \\ {} & {} ((\varDelta C_3[1] \oplus \varDelta C_3[4]\oplus \varDelta C_3[7]) \lll 1), \\ \gamma ^{13}_5 = & {} C^{j_0}_3[7] \oplus C^{j_1}_3[7] \oplus ((C^{j_0}_3[0] \oplus C^{j_1}_3[0] \oplus C^{j_0}_3[6] \oplus C^{j_1}_3[6]) \lll 3)\oplus \\ {} & {} ((C^{j_0}_3[1] \oplus C^{j_1}_3[1] \oplus C^{j_0}_3[4] \oplus C^{j_1}_3[4] \oplus C^{j_0}_3[7] \oplus C^{j_1}_3[7]) \lll 2) \\ = & {} \varDelta C_3[7] \oplus ((\varDelta C_3[0] \oplus \varDelta C_3[6]) \lll 3)\oplus \\ {} & {} ((\varDelta C_3[1] \oplus \varDelta C_3[4]\oplus \varDelta C_3[7]) \lll 2). \end{aligned}$$

• Indexes (14)–(16) guarantee that \(C^{j_0}_0 \oplus C^{j_1}_0 \oplus C^{j_0}_2 \oplus C^{j_1}_2 =\varDelta X^{13}_3 = 0x0\gamma ^{12}_00\gamma ^{12}_1\) \((\gamma ^{12}_2\oplus (\gamma ^{12}_1\lll 1)) (\gamma ^{12}_2\lll 1)((\gamma ^{12}_0\lll 1)\oplus \gamma ^{12}_1)(\gamma ^{12}_2\oplus (\gamma ^{12}_0\lll 2))\), where \(\gamma ^{12}_0,\gamma ^{12}_1,\gamma ^{12}_2\) are indeterminate nibble differences. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(14):&{}((C^{j_0}_0[3] \oplus C^{j_0}_2[3]) \lll 1)\oplus C^{j_0}_0[4] \oplus C^{j_0}_2[4] \oplus \\ &{}&{}((C^{j_0}_0[5] \oplus C^{j_0}_2[5])\ggg 1) = ((C^{j_1}_0[3] \oplus C^{j_1}_2[3]) \lll 1)\oplus \\ &{}&{} C^{j_1}_0[4] \oplus C^{j_1}_2[4] \oplus ((C^{j_1}_0[5] \oplus C^{j_1}_2[5])\ggg 1) \\ &{}\Rightarrow &{}\varDelta C_0[4] \oplus \varDelta C_2[4]=((\varDelta C_0[3] \oplus \varDelta C_2[3])\lll 1)\oplus \\ &{}&{} ((\varDelta C_0[5] \oplus \varDelta C_2[5])\ggg 1),\\ &{}\text {Index}~(15):&{} ((C^{j_0}_0[1] \oplus C^{j_0}_2[1])\lll 1)\oplus C^{j_0}_0[3] \!\oplus \! C^{j_0}_2[3] \!\oplus \! C^{j_0}_0[6] \!\oplus \! C^{j_0}_2[6]\!= \\ &{}&{} ((C^{j_1}_0[1] \oplus C^{j_1}_2[1])\lll 1)\oplus C^{j_1}_0[3] \oplus C^{j_1}_2[3] \oplus C^{j_1}_0[6] \oplus C^{j_1}_2[6]\\ &{}\Rightarrow &{} \varDelta C_0[6]\oplus \varDelta C_2[6]=((\varDelta C_0[1] \oplus \varDelta C_2[1])\lll 1)\oplus \\ &{}&{} \varDelta C_0[3] \oplus \varDelta C_2[3],\\ &{}\text {Index}~(16):&{} ((C^{j_0}_0[1] \oplus C^{j_0}_2[1])\lll 2) \oplus ((C^{j_0}_0[5] \oplus C^{j_0}_2[5])\ggg 1) \oplus \\ &{}&{}C^{j_0}_0[7] \oplus C^{j_0}_2[7]= ((C^{j_1}_0[1] \oplus C^{j_1}_2[1])\lll 2) \oplus \\ &{}&{} ((C^{j_1}_0[5] \oplus C^{j_1}_2[5])\ggg 1) \oplus C^{j_1}_0[7] \oplus C^{j_1}_2[7]\\ &{}\Rightarrow &{} \varDelta C_0[7] \oplus \varDelta C_2[7]=((\varDelta C_0[1] \oplus \varDelta C_2[1])\lll 2) \oplus \\ &{}&{} ((\varDelta C_0[5] \oplus \varDelta C_2[5])\ggg 1), \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} \gamma ^{12}_0 = & {} C^{j_0}_0[1] \oplus C^{j_1}_0[1] \oplus C^{j_0}_2[1] \oplus C^{j_1}_2[1]= \varDelta C_0[1] \oplus \varDelta C_2[1],\\ \gamma ^{12}_1 = & {} C^{j_0}_0[3] \oplus C^{j_1}_0[3] \oplus C^{j_0}_2[3] \oplus C^{j_1}_2[3]= \varDelta C_0[3] \oplus \varDelta C_2[3],\\ \gamma ^{12}_2 = & {} (C^{j_0}_0[5] \oplus C^{j_1}_0[5] \oplus C^{j_0}_2[5] \oplus C^{j_1}_2[5])\ggg 1 = (\varDelta C_0[5] \oplus \varDelta C_2[5])\ggg 1. \end{aligned}$$

• Index (17) guarantees that \(C^{j_0}_1[0,2,3,4,5] \oplus C^{j_1}_1[0,2,3,4,5] =\varDelta X^{14}_1[0,2,\) \(3,4,5]= \varDelta X^{14}_3[0,2,3,4,5]= C^{j_0}_3[0,2,3, 4,5]\oplus C^{j_1}_3[0,2,3,4,5]\), because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(17):&{} C^{j_0}_1[0,2,3,4,5] \oplus C^{j_0}_3[0,2,3,4,5] =\\ &{}&{}C^{j_1}_1[0,2,3,4,5] \oplus C^{j_1}_3[0,2,3,4,5]\\ &{}\Rightarrow &{} \varDelta C_1[0,2,3,4,5]= \varDelta C_3[0,2,3,4,5]. \end{array} \end{aligned}$$

• Indexes (18) and (19) guarantee that \(C^{j_0}_1 \oplus C^{j_1}_1 \oplus C^{j_0}_3 \oplus C^{j_1}_3 =\varDelta X^{13}_0= 0x0\eta _50000(\eta _5\lll 1)(\eta _5\lll 2)\), where \(\eta _5\) is an indeterminate nibble difference. This is because

  $$\begin{aligned} \begin{array}{ccl} &{}\text {Index}~(18):&{} C^{j_0}_1[1] \oplus C^{j_0}_3[1] \oplus (C^{j_0}_1[6] \ggg 1)\oplus (C^{j_0}_3[6] \ggg 1)=\\ &{}&{} C^{j_1}_1[1] \oplus C^{j_1}_3[1] \oplus (C^{j_1}_1[6] \ggg 1)\oplus (C^{j_1}_3[6] \ggg 1)\\ &{}\Rightarrow &{} \varDelta C_1[6]\oplus \varDelta C_3[6]= (\varDelta C_1[1] \oplus \varDelta C_3[1]) \lll 1,\\ &{} \text {Index}~(19&{} C^{j_0}_1[1] \oplus C^{j_0}_3[1] \oplus (C^{j_0}_1[7] \ggg 2)\oplus (C^{j_0}_3[7] \ggg 2)=\\ &{}&{} C^{j_1}_1[1] \oplus C^{j_1}_3[1] \oplus (C^{j_1}_1[7] \ggg 2)\oplus (C^{j_1}_3[7] \ggg 2)\\ &{}\Rightarrow &{} \varDelta C_1[7] \oplus \varDelta C_3[7] = (\varDelta C_1[1] \oplus \varDelta C_3[1]) \lll 2, \end{array} \end{aligned}$$

  so under a plaintext structure we have the above guarantee after letting

  $$\begin{aligned} \eta _5 = & {} C^{j_0}_1[1] \oplus C^{j_1}_1[1] \oplus C^{j_0}_3[1] \oplus C^{j_1}_3[1] = \varDelta C_1[1] \oplus \varDelta C_3[1]. \end{aligned}$$