Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are m-dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation (SP) and Substitution Permutation Substitution (SPS) types, they are called CAST256_SP/CAST256_SPS and MARS_SP/MARS_SPS, respectively. For CAST256_SP/CAST256_SPS, the best known result for the length of the impossible differential distinguisher was (m^2 + m)/(m^2 + m − 1) rounds, respectively. With the help of the linear layer P, we can construct (m^2 + m + Λ_0)/(m^2 + m + Λ_1)-round impossible differential distinguishers, where Λ_0 and Λ_1 are non-negative numbers if P satisfies some restricted conditions. For MARS_SPS, the best known result for the length of the impossible differential distinguisher was (3m − 1) rounds. We can construct 3m-round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.


Introduction
Block ciphers are significant elements to construct symmetric cryptographic schemes. To design a block cipher, a proper structure needs to be selected carefully. Popular structures for designing block ciphers are Substitution Permutation Network (SPN) structures [1], Feistel structures [2], and generalized Feistel structures [3]. Since the encryption and decryption of generalized Feistel structures share the same round functions and similar structures, it makes the implementation more flexible and economical. Generalized Feistel structures have many types such as CAST256-like structure [4], MARS-like structure [5], and so on. At the same time, many famous block ciphers take generalized Feistel structures as their architectures, for example, CAST256 [6], MARS [7], and SMS4 [8].
Many effective methods were proposed for evaluating the security of block ciphers in the past decades. Among them, impossible differential attack is one of the most effective methods. It was independently proposed by Knudsen [9] and Biham et al. [10]. So far, impossible differential attack has given exciting works for AES [11], Camellia [12], SMS4 [8], etc. Impossible differential attack has two steps. The first one is to construct an impossible differential distinguisher as long as possible. The second one is to exploit the distinguisher to recover the master key. Thus, constructing long impossible differentials is the core step to make this attack. So far, the most popular method to construct impossible differentials is the miss-in-the-middle method [10]. It obtains contradictions from the middle differences which are encrypted and decrypted with probability 1 for the input difference and the output difference, respectively. If the middle differences cannot be matched with each other, the impossible differential distinguisher is constructed. Moreover, some automatic methods were proposed to construct impossible differentials with the help of computers [13][14][15][16].
As far as we know, many works paid attention to constructing impossible differential distinguishers of m-dataline CAST256-like and MARS-like structures. For m-dataline CAST256-like structure, when the round function is any bijective transformation, m^2-round impossible differentials were presented by the U method in [13]. Furthermore, when the round function takes SP type, 19/20-round impossible differentials of (m = 4)-dataline CAST256-like structure were constructed in [17]. Very recently, when the round function takes SP type and SPS type, there existed (m^2 + m)/(m^2 + m − 1)-round impossible differentials, respectively [18].
For m-dataline MARS-like structure, when the round function is any bijective transformation, (2m − 1)-round impossible differentials were presented by the U method in [13]. This result was improved to (3m − 1) rounds in [19]. Furthermore, when the round function takes SP type, 3m-round impossible differentials were found in [5]. Very recently, when the round function takes SPS type, (3m − 3)-round impossible differentials were constructed for some constrained linear layer P [18].
Known results on impossible differentials of m-dataline CAST256-like and MARS-like structures are presented in Table 1.
In this paper, we mainly study the impossible differential distinguishers of m-dataline CAST256-like and MARS-like structures. For these two structures, we construct longer impossible differential distinguishers with the details of the linear transformation P. Note that m ≥ 4 and the linear transformation P is a bijective mapping throughout this paper. Moreover, R denotes the primitive index of P. Our contributions are presented below.
(1) For m-dataline CAST256-like structure, when the round function takes SP type (namely, CAST256_SP), the previous best result was presented in [18]. They showed that (m^2 + m)-round impossible differentials were constructed for B(P) > 2, where B(P) denotes the differential branch number of P. In this paper, we firstly remove the restricted condition and give (m^2 + m)-round impossible differentials for any bijective P. It expands the range of the linear layer P. Furthermore, if P satisfies the condition that R ≥ 2, To satisfy the condition R ≥ 2, some specific linear transformations P are also presented.
(2) For m-dataline CAST256-like structure, when the round function takes SPS type (namely, CAST256_SPS), the previous best result was also presented in [18]. They showed that (m^2 + m − 1)-round impossible differentials were constructed for R ≥ 2. In this paper, if P satisfies some conditions, (Λ_1 + 1 = min{R − 3, m − 3} + 1)-round impossible differentials are constructed. Moreover, some specific linear transformations P are presented for satisfying the restricted conditions.
(3) For m-dataline MARS-like structure, when the round function takes SPS type (namely, MARS_SPS), the previous best result of MARS_SPS was also presented in [19]. They showed that (3m − 1)-round impossible differentials were constructed with P satisfying the bijective condition. In this paper, if P has 0 element in the diagonal line, we can construct 3m-round impossible differentials which are 1 round longer than those in [19].
This paper is organized as follows. In Section 2, we give some notations and definitions that will be used in this paper. Then, with the help of P, we construct longer impossible differential distinguishers of m-dataline CAST256-like and MARS-like structures in Sections 3 and 4, respectively. Finally, Section 5 concludes this paper.

Notations.
In this section, we give some notations used in this paper (Table 2). Note that all vectors used in our paper are column vectors and X_0 is the most significant element for a vector X = (X_0, X_1, ..., X_{n−2}, X_{n−1}), where X_i is defined by the i-th element of X.
It should be pointed out that when F is a nonlinear bijective function, Δ_F(ΔX) has many possible output difference values when the input difference ΔX ≠ O. Thus, if some Δ_F(ΔX) are XORed with each other, we take Δ^(l)_F(ΔX) to distinguish them, where l ≥ 1. For example, In addition, similar to the definition of Δ_F(ΔX), Δ_{F^t}(ΔX) is defined by the output difference that ΔX propagates after continuous t rounds of F.
Similarly, the round function Round_SPS is defined by

Security and Communication Networks

In this paper, the round functions of m-dataline CAST256-like and MARS-like structures take SP type and SPS type.
Definition 2 (Hamming weight) (see [20]). Let x be an n-dimension vector, and the Hamming weight of x is defined by According to the definition,
Definition 3 (differential branch number) (see [1]). Let f(x) = Mx be a linear mapping, where M is a matrix over GF(2^d). Then, the differential branch number of f is defined by Note that if f is a bijective linear mapping, according to the definition, B(f) ≥ 2.
Definition 4 (characteristic matrix) (see [20]). For P = (p_{i,j}) ∈ F_{2^d}^{n×n}, denote Z as the integer ring, and the characteristic matrix of P is defined as P* = (p*_{i,j}) ∈ Z^{n×n}, where According to the definition of characteristic matrix, for an SPN cipher, p*_{i,j} = 0 means that the i-th output block of one-round function is independent of the j-th input block. Generally, let (P*)^t = (q_{i,j})_{n×n}; then, q_{i,j} = 0 means that the i-th output block of the t-round SPN cipher is independent of the j-th input block.
For a matrix M, M > 0 means that all elements of M are positive.
Definition 5 (primitive index of linear transformation) (see [20]). The primitive index of the linear transformation P is defined as According to the above definition, if R ≥ 2, there exists at least one 0 element in (P*)^t for 1 ≤ t ≤ R − 1.

Revisiting Impossible Differential Distinguishers of m-Dataline CAST256-Like Structure
In this section, the brief description of m-dataline CAST256-like structure is first presented. Moreover, the differential propagation rules are investigated from the encryption and decryption directions. Furthermore, when the round function takes SP type and SPS type, respectively, longer impossible differential distinguishers will be constructed for some linear layers P.

m-Dataline CAST256-Like Structure.
An m-dataline CAST256-like structure consists of r rounds, and each round is depicted in Figure 1.
. , X^i_{m−1}) and K^{i−1} be the output and the round key of the i-th round, respectively. One-round encryption is defined by where F is the round function and To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 1.
Let ΔX^{i−1} and ΔX^i be the i-th round input difference and output difference of m-dataline CAST256-like structure. From the encryption direction, one-round differential propagation is given below: From the decryption direction, one-round differential propagation is given below:

Table 2 (notation; entries recovered from the page):
e_i: Only the i-th element of vector e is nonzero and the others are zero
ē_t: The t-th element of vector e is zero and the others are arbitrary values
Δ_F(ΔX): The output difference of F when the given input difference is ΔX

According to the encryption process of m-dataline CAST256-like structure, the above proposition can be proved. In the encryption direction, the input difference rounds with probability 1 as described in Table 3. Moreover, in the decryption direction, the output difference is decrypted m(m − 1) rounds with probability 1. The differential characteristic is given in Table 4.
From Tables 3 and 4, the following proposition can be obtained.

Constructing Impossible Differential Distinguishers of m-Dataline CAST256-Like Structure with SP-Type Round Function.
When the round function F of m-dataline CAST-like structure is made up of SP type, we exploit the details of the linear layer P to construct longer impossible differential distinguishers. Firstly, two lemmas are presented as follows.
Since G is bijective, according to the bijective property, Lemma 1 can be easily proved. It also means that α ≠ O, Δ_G(α) ≠ O. Especially, for S layer in SP type and SPS type which is a nonlinear bijective mapping, it does not change the nonzero difference positions for the differential propagation according to Lemma 1. It also implies that H(Δ_S(α)) = H(α).

Lemma 2. For S layer in SP type and SPS type, if t ≥ 1 and
Proof. Firstly, we recall the definition of e_i. It denotes that only the i-th element of n-dimension vector e is nonzero and the others are zero. According to Lemma 1 and According to Lemma 2, for H(α) = 1 ⇔ α = e_i, when ⊕_{l=1}^{t} Δ^(l)_S(α) ≠ O, the following equation holds:
Figure 1: One-round encryption of m-dataline CAST256-like structure.
Table 3: (3m − 3)-round differential characteristic of m-dataline CAST256-like structure from the encryption direction.
Table 4: m(m − 1)-round differential characteristic of m-dataline CAST256-like structure from the decryption direction.
construct (m^2 + m)-round impossible differential distinguishers for any bijective linear layer P as follows:
Proof. From the encryption and decryption directions, the differential with the input rounds, respectively. According to Proposition 2, if the differential is possible, the following equation must hold: Taking F = P ∘ S into consideration, the above equation becomes Since P is a linear bijective mapping, For the left part of equation (20), Since H(Δ_S(α)) = H(α) = 1 and B(P) ≥ 2,
Case 1: when H(Δ_{S∘P∘S}(α)) > 1, note that H(⊕_{l=1}^{m−1} Δ^(l)_S(β)) = H(β) = 1 according to Lemma 2, and the left and right parts of equation (20) have different Hamming weights. So, equation (20) does not hold.
Case 2: when H(Δ_{S∘P∘S}(α)) = 1, assume that Δ_{S∘P∘S}(α) = e_t. Take β = e_j, where j ≠ t. According to Lemma 2, ⊕_{l=1}^{m−1} Δ^(l)_S(β) = e_j ≠ e_t. The left and right parts of equation (20) could not match each other. So, equation (20) does not hold.
Therefore, combined with the above two cases, equation (20) does not hold. It means that the middle differences could not match each other, and the (2m + m(m − 1) = m^2 + m)-round differential is impossible.
In [18], (m^2 + m)-round impossible differential distinguishers were also constructed, but the linear layer P is restricted to that satisfying the condition B(P) > 2. However, in Theorem 1, the restricted condition of P is removed and it is expanded to any bijective linear layer.
To construct longer impossible differential distinguishers, we need to exploit the details of the linear layer P. When the primitive index of the linear layer P satisfies R ≥ 2, the following theorem is given.
Proof. To prove this theorem, we compare R with m − 1 for two cases.
From the encryption and decryption directions, the differential with the input (α, O, O, ..., O, O) and the output (O, O, ..., O, O, β) propagates 2m + R − 2 and m(m − 1) rounds, respectively. According to Proposition 2, if the differential is possible, Taking F = P ∘ S into consideration, the above equation becomes Since P is a linear bijective mapping, In the left part of equation (26), there exists at least one 0 element in the matrix (P*)^{R−1} = (q_{i,j})_{n×n}. Assume that q_{i,j} = 0, and when we take α = e_j, the i-th element of In the right part of equation (26), since H(β) = 1, we take β = e_i. According to Lemma 2, ⊕_{l=1}^{m−1} Δ^(l)_S(β) = e_i. So, the i-th element of ⊕_{l=1}^{m−1} Δ^(l)_S(β) is not equal to 0. Therefore, equation (26) cannot hold. In this case, we can construct Taking F = P ∘ S into consideration, the above equation becomes Since P is a linear bijective mapping,

In the left part of equation (29), since R > (m − 1), there exists at least one 0 element in the matrix (P*)^{m−2} = (q_{i,j})_{n×n}. Assume that q_{i,j} = 0, and when we take α = e_j, the i-th element of In the right part of equation (29), it is similar to Case 1.
Combined with the above two cases, we can construct L-round impossible differential distinguishers, where In [18], (m^2 + m)-round impossible differential distinguishers were constructed. According to Theorem 2, we can construct { } rounds longer than before. The restricted condition R ≥ 2 can be satisfied easily. We present some specific linear transformations P satisfying the condition. For example, we first present MC of Skinny block cipher [21] below: With the definition of R, we calculate R = 3 for P_MC. According to Theorem 2, if the linear transformation P takes P_MC and m ≥ 4, Λ_0 = min{R − 2, m − 3} = 1. Therefore, we can construct (m^2 + m + 1)-round impossible differential distinguishers for m-dataline CAST256-like structure with SP-type round function. They are (Λ_0 = 1) round longer than those in [18]. Moreover, we present another example. For the linear transformation of Skinny block cipher which is SR ∘ MC, it is given below: We calculate R = 6 for P_Skinny. According to Theorem 2, if the linear transformation P takes P_Skinny and m ≥ 7, Therefore, we can construct (m^2 + m + 4)-round impossible differential distinguishers. They are (Λ_0 = 4) rounds longer than those in [18].
In brief, combined with Theorem 1 and Theorem 2, for m-dataline CAST256-like structure with SP-type round function, the results on the impossible differential distinguishers have been improved. Especially, when R > 2, we can construct longer impossible differentials.

Constructing Impossible Differential Distinguishers of m-Dataline CAST256-Like Structure with SPS-Type Round Function.
For m-dataline CAST256-like structure with SPS-type round function, (m^2 + m − 1)-round impossible differential distinguishers were constructed for R ≥ 2 [18]. In this section, we will construct longer impossible differential distinguishers with the details of P. We present the following theorem.
Proof. To prove this theorem, we compare R with m for two cases.
In the right part of equation (35), when one column of P is e_i, assume that the t-th column of P is e_i, i.e., P^(t) = e_i, taking β = e_t and Δ_{S∘P∘S}(β) = Δ_{S∘P∘S}(e_t) = Δ_{S∘P}(e_t) = Δ_S(e_i) = e_i. Furthermore, according to Lemma 2, So, the i-th element of ⊕_{l=1}^{m−1} Δ^(l)_{S∘P∘S}(β) is not equal to 0. Therefore, equation (35) does not hold. In this case, we can construct (2m From the encryption and decryption directions, the differential with the input (α, O, O, ..., O, O) and the output (O, O, ..., O, O, β) propagates 3m − 3 and m(m − 1) rounds, respectively. According to Proposition 2, if the differential is possible, Taking F = S ∘ P ∘ S into consideration, the above equation becomes In the left part of equation (38), since R > m, there exists at least one 0 element in the matrix (P*)^{m−1}. It is similar to Case 1, and we can construct Combined with the above two cases, we can construct L-round impossible differential distinguishers, where In [18], (m^2 + m − 1)-round impossible differential distinguishers were constructed. According to Theorem 3, we can construct } rounds longer than before. Moreover, we present a specific linear transformation P satisfying the restricted condition in Theorem 3. For P_Skinny which is described in Section 3.2, we calculate R = 6. P_Skinny and (P*_Skinny)^{R−1} = (P*_Skinny)^5 are given below, respectively.
When m ≥ 6 and (P*_Skinny) (min R,m , we can find that the 4-th column of P_Skinny is e_9 and 0 = q_{9,12} ∈ (P*_Skinny)^5. Therefore, P_Skinny satisfies the restricted condition in Theorem 3. Moreover, Thus, for m-dataline CAST256-like structure with SPS-type round function, if P takes P_Skinny and m ≥ 6, we can construct 4-round impossible differentials longer than those in [18].

Revisiting Impossible Differential Distinguishers of m-Dataline MARS-Like Structure
In this section, we first introduce m-dataline MARS-like structure and present the differential propagation rules from the encryption and decryption directions. Then, when the round function takes SPS type, 3m-round impossible differential distinguishers will be constructed. It should be pointed out that m ≥ 4 and m should be an even number in this section.

m-Dataline MARS-Like Structure.
An m-dataline MARS-like structure consists of r rounds, and each round is depicted in Figure 2.
be the input of the i-th round and (X^i_0, X^i_1, ..., X^i_{m−1}) and K^{i−1} be the output and the round key of the i-th round, respectively. One-round encryption is defined by where F is the round function and

Constructing Impossible Differential Distinguishers of m-Dataline MARS-Like Structure with SPS-Type Round Function.
To construct impossible differentials, one-round differential propagations from the encryption and decryption directions need to be studied. They are described as follows.

Proposition 3.
Let ΔX^{i−1} and ΔX^i be the i-th round input difference and output difference of m-dataline MARS-like structure. From the encryption direction, one-round differential propagation is presented below: From the decryption direction, one-round differential propagation is presented below: According to the encryption process of MARS-like structure, the above proposition can be proved. Moreover, from the encryption direction, the input difference (O, O, ..., O, O, α) is encrypted 3m/2 rounds with probability 1 as described in Table 5. In this table, a_0 ∈ Δ_F(α), a_i ∈ Δ_F(a_0 ⊕ a_1 ⊕ ··· ⊕ a_{i−1}), i ≥ 1, A = a_0 ⊕ a_1 ⊕ ··· ⊕ a_{m/2}. Similarly, from the decryption direction, the output difference (α, O, O, ..., O, O) is decrypted 3m/2 rounds with probability 1 as described in Table 6. In this Thus, the following equations need to be satisfied: Solving the above equations, b_{m/2} = b_{m/2−1} = ··· = b_2 = a_2 = ··· = a_{m/2−1} = a_{m/2} = O, Since F is bijective, according to Lemma 1,
Table 5: 3m/2-round differential characteristic of m-dataline MARS-like structure from the encryption direction.
Figure 2: One-round encryption of m-dataline MARS-like structure.

Thus, When the round function F of m-dataline MARS-like structure takes SPS type, the impossible differential distinguishers can be constructed with the following theorem.

Proof. When
Given that F takes SPS type, the above equation becomes Since ∃ p_{t,t} = 0, p_{t,t} ∈ P, we take α = e_t, Δ_S(α) = e_t, Δ_{P∘S}(α) = ē_t, where ē_t denotes that the t-th element of n-dimension vector e is 0 and the others can be arbitrary values. Moreover, Δ_{S∘P∘S}(α) = ē_t. Furthermore, Δ^(1)_{S∘P∘S}(α) ⊕ Δ^(2)_{S∘P∘S}(α) = ē_t which conflicts with α = e_t in the t-th element. Therefore, equation (50) does not hold.
In [19], (3m − 1)-round impossible differential distinguishers were constructed for m-dataline MARS-like structure with SPS-type round function. According to Theorem 4, we can construct 1 round longer than before. Moreover, some specific linear transformations P satisfying the condition in Theorem 4 are presented. For example, MC of Midori block cipher [22] is described below: (51) In this matrix, we can observe that p_{0,0} = p_{1,1} = p_{2,2} = p_{3,3} = 0. Therefore, P_MC* satisfies the restricted condition in Theorem 4. Furthermore, P_MC and P_Skinny described in Section 3.2 also satisfy the condition.
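The quantities used in Definitions 4 and 5 and in the P_MC and Midori examples can be checked mechanically; the following is an added example, not code from the paper. It assumes p*_{i,j} = 1 exactly when p_{i,j} ≠ 0 and R = min{t : (P*)^t > 0} (both consistent with the surviving text, whose formulas are missing here), takes the two 4×4 binary MixColumns matrices from the SKINNY and Midori specifications, and uses illustrative function names.

```python
# Added example: matrices are the binary MixColumns matrices from the
# SKINNY and Midori specifications; function names are illustrative.
SKINNY_MC = [[1, 0, 1, 1],
             [1, 0, 0, 0],
             [0, 1, 1, 0],
             [1, 0, 1, 0]]
MIDORI_MC = [[0, 1, 1, 1],
             [1, 0, 1, 1],
             [1, 1, 0, 1],
             [1, 1, 1, 0]]


def characteristic_matrix(p):
    """P*: 1 where p[i][j] is nonzero, 0 elsewhere (assumed definition)."""
    return [[1 if x else 0 for x in row] for row in p]


def int_matmul(a, b):
    """Matrix product over the integers, not over GF(2^d)."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def star_power(p, t):
    """(P*)^t for t >= 1."""
    star = characteristic_matrix(p)
    power = star
    for _ in range(t - 1):
        power = int_matmul(power, star)
    return power


def primitive_index(p):
    """Smallest t with (P*)^t > 0 entrywise (assumed definition of R).

    Returns None when no power is positive. Wielandt's bound says a
    primitive n x n matrix reaches positivity by t = (n - 1)^2 + 1.
    """
    n = len(p)
    for t in range(1, (n - 1) ** 2 + 2):
        if all(x > 0 for row in star_power(p, t) for x in row):
            return t
    return None


def zero_positions(p, t):
    """(i, j) with q_ij = 0 in (P*)^t: after t rounds, output block i
    does not depend on input block j, so alpha = e_j leaves it zero."""
    q = star_power(p, t)
    return [(i, j) for i, row in enumerate(q)
            for j, x in enumerate(row) if x == 0]


def sp_distinguisher_rounds(m, r):
    """m^2 + m + L0 with L0 = min{R - 2, m - 3}, the SP-type length on the page."""
    if m < 4 or r < 2:
        raise ValueError("the page assumes m >= 4 and R >= 2")
    return m * m + m + min(r - 2, m - 3)


def has_zero_on_diagonal(p):
    """Condition the page gives for the 3m-round MARS_SPS distinguisher."""
    return any(p[i][i] == 0 for i in range(len(p)))


if __name__ == "__main__":
    r = primitive_index(SKINNY_MC)
    print("R(SKINNY MC) =", r,
          "zeros in (P*)^(R-1):", zero_positions(SKINNY_MC, r - 1))
    print("m=4 SP length:", sp_distinguisher_rounds(4, r))
    print("Midori MC diagonal zero:", has_zero_on_diagonal(MIDORI_MC))
```

The zero positions of (P*)^(R−1) are the (i, j) pairs from which the proof of the SP-type theorem picks α = e_j; the 16×16 P_Skinny case is not reproduced because its matrix does not survive on the page.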

Conclusions
In this paper, we investigated impossible differential distinguishers of m-dataline CAST256-like structure and m-dataline MARS-like structure. Longer impossible differentials for them were constructed with the help of the linear transformation P. Moreover, given the dual relationship between impossible differentials and zero correlation linear hulls, which was presented by Sun Bing et al. at CRYPTO 2015, our results may also be applied to construct zero correlation linear hulls of these two structures. In brief, our results are not only useful for improving the impossible differential attack on these two structures from the cryptanalysis view but also provide guidance for selecting better linear transformations to improve security from the designer's view.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.