New Search Method for Sbox-Related Impossible Differentials

College of Liberal Arts and Sciences, National University of Defense Technology, Changsha 410073, China; College of Information and Communication, National University of Defense Technology, Wuhan 430010, China; Hunan Engineering Research Center of Commercial Cryptography Theory and Technology Innovation, Changsha 410073, China; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China


Introduction
Block ciphers play a fundamental role in symmetric-key cryptography. Apart from encryption, they can also be used as primitives in stream ciphers, hash functions, authenticated encryption schemes, and so on. The confidence in the security of a block cipher is largely derived from its resistance against known attacks, among which the differential attack and its variants are among the most well-known instances. The differential attack has been successfully applied to many block ciphers, stream ciphers, and hash functions, and numerous variants have been derived, including impossible differential cryptanalysis, truncated differential cryptanalysis, higher-order differential cryptanalysis, multiple differential cryptanalysis, and differential-linear cryptanalysis. Among them, the impossible differential attack is one of the most basic tools for block cipher analysis. The impossible differential attack was proposed by Knudsen [1] and Biham et al. [2] independently and has been applied successfully to a large number of block ciphers, such as AES, Skipjack, and HIGHT [2][3][4].
As a variant of the differential attack, the impossible differential attack exploits differentials that occur with probability zero. Usually, two steps are taken to recover keys in a typical impossible differential attack. The first step is to find a differential for the reduced-round target block cipher that holds with probability zero. The second step is to guess some key material and eliminate the guesses under which a pair satisfies the probability-zero differential distinguisher. In this procedure, constructing impossible differentials in the first step is the key point and foundation of impossible differential attacks.

Construction of Impossible Differentials
An impossible differential is usually constructed by the miss-in-the-middle strategy. First, the input difference is propagated forward and the output difference backward with probability 1 for some rounds. Then, if a contradiction is detected in the middle state, the differential is impossible.
While ad hoc approaches for specific ciphers have been studied extensively, generic search models for impossible differentials have also been developed. In [5], Kim et al. proposed a matrix-based search method called the U-method. They first describe the differential propagation of one round of encryption or decryption by a matrix, which identifies the relationship between the input and output blocks. Then, a matrix operation is defined and applied to describe round iteration. If contradictions are found in the middle state matrix, an impossible differential is detected and can further be specified. This method was extended to the UID method [6] and the method of Wu and Wang [7] with a more detailed description of the structure and of the contradictions. When applied to a specific block cipher structure, these methods can utilize the properties of that structure, and better results are acquired [8][9][10]. Those matrix-based methods are easy to implement and require little computation and memory. However, information on the nonlinear components is hardly used, except for the fact that the Sboxes are bijective.
A generic and systematic method to take detailed information on Sboxes into consideration when constructing impossible differentials did not appear until automatic analytical models were introduced to cryptanalysis. In 2011, Mouha et al. [11] used a mixed-integer linear programming (MILP) model to search for security bounds against differential and linear attacks. Since then, this kind of automatic tool has been widely applied to integral, meet-in-the-middle, and rotational-XOR differential attacks, among others [12][13][14]. In EUROCRYPT 2017, an MILP-based automatic search model was developed [15] for the impossible differential attack. In this method, the differential properties of linear and nonlinear components are expressed as linear inequalities, and the differential search is modeled as an inequality system that is then fed to a third-party solver. If the solver reports that the system is infeasible, the differential is impossible. In ASIACRYPT 2020 [16], another automatic search model was put forward to search for impossible differentials by describing the propagation of values instead of differences. With those automatic tools, the precision of the analytical results is improved. However, when the Sbox is large (e.g., ≥ 8 bits), modeling its properties usually involves a large number of inequalities, which is a tough task for third-party solvers to handle.

Our Contributions.
In this paper, we propose an Sbox-related impossible differential search method and further improve it by introducing the guess-and-determine and early-abort techniques to reduce its complexity. To demonstrate the effectiveness of our method, we apply it to CSA-BC and FOX64, whose Sboxes are both of 8-bit size. Our main contributions are as follows:
(i) Based on the guess-and-determine strategy and the early-abort technique, a new search method for Sbox-related impossible differentials is developed. Compared with previous matrix-based search methods, ours can exploit more detailed information on the nonlinear primitives. At the same time, our search method is independent of third-party solvers and performs well with large Sboxes.
(ii) For CSA-BC, 23/24/25-round impossible differentials were found with our search method in less than 5 seconds, which improves previous works by 1/2/3 rounds. Then, we mount a 25-round impossible differential attack against CSA-BC using the impossible differentials found by our method. Finally, the key recovery attack is extended to 25-round CSA. These key recovery attacks are the longest impossible differential attacks against CSA-BC and CSA so far. The results are listed in Table 1.
(iii) For FOX64, the relationship between 4-round impossible differentials and its round function is discovered. Then, a framework is derived to decide whether a 4-round differential is possible or not, which allows more flexibility in differential patterns compared with previous works. For the first time, detailed information on Sboxes is taken into consideration in the construction of impossible differentials for FOX64. As a result, new types of impossible differentials are identified. The results are listed in Table 2.
The rest of this paper is organized as follows. In Section 2, we introduce the basics. The method to construct impossible differentials is introduced in Section 3. The results for CSA-BC and FOX64 are presented in Sections 4 and 5, respectively. Section 6 concludes this paper.

Preliminaries
This section describes the impossible differential and some techniques to reduce complexity in cryptanalysis. Before that, we first introduce some notation used throughout this paper.
Denote by F_q the finite field with q elements, and by F_q^* the set of all nonzero elements of F_q. Numbers over F_{2^8} are expressed in hexadecimal, and the prefix 0x is omitted. The number of elements in a set A is denoted by #A. For simplicity, consecutive variables v_i, v_{i+1}, ..., v_j are denoted as v_{i-j}.
2.1. Impossible Differential. The difference of x, y ∈ F_2^n is defined as u = x ⊕ y. A differential (u, v) for F^{(r)} means that the input difference of F^{(r)} is u and its output difference is v. When no plaintext satisfies the differential, this differential is said to be impossible. To simplify the probability evaluation of differentials, the differential characteristic is introduced.
An r-round differential characteristic for an iterated block cipher is defined as (u_0, u_1, ..., u_r), where the input difference is u_0 and the output difference after round i is u_i. Then, the probability of a differential is the sum of the probabilities of all its differential characteristics. A differential being impossible implies that all its characteristics are impossible; otherwise, there exists at least one characteristic whose probability is greater than zero. That is, denote by Pr(u_0, u_1, ..., u_r) the probability of the differential characteristic (u_0, u_1, ..., u_r); then an impossible differential satisfies (3). Otherwise, the differential is possible, and there exists a set of u_i satisfying (4).

Guess-and-Determine Technique.
The guess-and-determine technique is commonly used to decrease the computational workload in cryptanalysis, and it also has wide application in stream cipher cryptanalysis [19][20][21]. The guess-and-determine technique exploits the relationship among internal values. It guesses certain bits and makes use of the relationship to determine the remaining bits, thus avoiding the cost of trying the remaining bits. A typical procedure of the guess-and-determine technique is to derive the relationship first and then exhaustively guess over a relatively small proportion of the state to recover the whole state. Finally, the attacker checks the correctness by comparing with known conditions. Assume that the exploited internal relationship f maps the t-bit (t < n) state s_t to the remaining (n − t)-bit state s_{n−t}, where c ∈ F_2^n. Then the internal state can be divided into two parts, s_t and s_{n−t}, accordingly. Hereinafter, bits in s_t are called free variables as they have to be enumerated, and those in s_{n−t} are called controlled variables as they are deduced from the free variables. To recover an n-bit state, the original complexity is O(2^n). After such a partition, the complexity is reduced to O(2^t), (t < n). In our search model, the internal relationship f is constructed from the fact that possible characteristics must meet in the middle state. Whether a candidate state is accepted is determined by whether it is in accordance with the Differential Distribution Table (DDT) of the Sboxes.

Early-Abort Technique.
The early-abort technique was noticed as early as the differential attack against DES [22]; it has numerous successful applications in key recovery attacks against block ciphers and in the design of public-key encryption schemes [23,24]. Instead of guessing all the required unknown bits at once, it partially checks whether a candidate pair can produce the expected difference by guessing only a small fraction of the key. Since useless pairs are discarded before the next guess, the computational workload decreases accordingly. When this idea is applied to the search for impossible differentials, according to (3) and (4), if one possible characteristic is detected, then the differential must be possible, and the check of the other characteristics can be terminated. In addition, when testing whether a single characteristic is possible or not, if one condition is found to be violated, this characteristic is impossible, and the cost of computing the other variables is saved.

Construction of Impossible Differentials
In this section, we propose a generic framework to search for Sbox-related impossible differentials. Then the guess-and-determine and early-abort techniques are introduced to improve the performance of the search algorithm. Our method puts no constraints on the structure of the block cipher, and it can be applied to SPN, Feistel, Lai-Massey, or other structures.
(Footnote to the results table: r_Key / r_Dist = length of the key recovery attack / distinguisher. *The key recovery attack may be invalid since not enough data could be collected.)
In order to explain our techniques better, in the following we use the small-scale AES proposed by Cid et al. [25] as an example. This variant inherits the design features of AES and provides a suitable instance for different cryptanalytic methods. The small-scale version [25] parameterized by (2, 2, 2, 8), also called miniAES for short in this section, has 2 rounds and a block size of 32 bits, where the data block is viewed as an array of 2 × 2 words of 8 bits. The encryption of miniAES is similar to that of AES. In the SP-type round function, an 8-bit Sbox is applied to each word first, which is the SB operation. Then the SR operation shifts the second row by 1 word. Finally, the MC operation multiplies the state array by a matrix over F_{2^8}; the matrix is the one specified for this parameter set in [25]. Note that the MC operation in the last round is omitted. Since the impossible differential properties are regarded as independent of the round key addition, the AK operation is omitted here.
In the following, we study whether the 2-round differential (u_0, 0, 0, u_1) → (v_0, 0, 0, v_1) is possible or not for miniAES, where u_i, v_i ∈ F_{2^8}^*. The differential propagation is presented in Figure 1. Since the output difference of an Sbox is hard to predict, new variables u_2, u_3, v_2, v_3 are introduced to describe the propagation through the Sboxes. When the details of the Sboxes are taken into consideration, the impossible differential studied may not be in truncated form. It is impossible only for some specific values, and which values those are is closely related to the choice of Sbox; this is what we call Sbox-related impossible differentials in this paper. It should also be pointed out that the input and output difference pattern is chosen empirically or by analyzing the structure of the target cipher.

A Straightforward Search Method for Impossible Differentials.
To verify whether a differential is possible or not, according to the definition, that is, (8), all differential characteristics are impossible if the differential is impossible. Therefore, all characteristics have to be checked. The conditions used in the check procedure can be divided into two parts. The first is that the differences in the middle state from the encryption and decryption directions must match, from which a linear equation system is built; for miniAES this is equation (8). The second is that new variables are introduced for active Sboxes; therefore, they must be in accordance with the propagation rules of the Sboxes, that is, the corresponding entries in the DDT are nonzero. Denote the entry of the DDT for input difference δ and output difference Δ by DDT[δ, Δ]; for miniAES it is required that (10) holds. In the search for impossible differentials, all variables are enumerated first, where each assignment of the u_i, v_i corresponds to a differential characteristic. If both (8) and (10) are satisfied, then this characteristic is possible.
This definition-based method is shown in Algorithm 1.
Remark 1. Algorithm 1 provides an efficient way to take the DDT of the Sbox into consideration. In our method, the information on the Sbox is exploited by checking whether the differential propagation is in accordance with the DDT, as in equation (10), while for the MILP-based search method, modeling a single 8-bit Sbox involves thousands of inequalities. In our method, the DDT is accessed by table lookup, which is more efficient. Moreover, when the size of the Sbox increases, the cost of a table lookup stays the same.

Remark 2.
In the matrix-based method and its derivatives, the propagation rule of an n-bit Sbox is that a nonzero input difference δ* ∈ F_2^n propagates to a nonzero output difference Δ* ∈ F_2^n, where Δ* can be any value over F_2^n^*. The exact value of the output difference is not considered. Therefore, once the middle state conditions are built, the attacker detects contradictions only where the difference from one side is nonzero while it is zero from the other side of the equations. In fact, for an Sbox over a finite field of characteristic 2, the proportion of possible output differences Δ* for a given input difference is less than 50%, and treating Δ* as an arbitrary nonzero value causes inaccuracy. In our method, only output differences with DDT[δ*, Δ*] > 0 are taken into consideration, resulting in a more accurate description of the differential propagation. Furthermore, for the middle state conditions, it is checked whether the exact values of the differences from both sides match.
Though the definition-based search method takes more detailed differential properties into consideration, checking all characteristics requires excessive time and memory. Therefore, in the following, the guess-and-determine and early-abort techniques are introduced to improve its performance in the enumeration process and the checking process, respectively.

Improvement with Guess-and-Determine Technique.
The guess-and-determine technique exploits the relationship among internal values to reduce the complexity of enumerating all variables. For miniAES, there are eight 8-bit variables u_0, u_1, u_2, u_3, v_0, v_1, v_2, v_3, that is, 8 × 8 = 64 bits in total. Therefore, 2^{64} guesses would be needed to search for this type of impossible differential. However, v_2 and v_3 can be expressed as functions of the other variables as in (8). By exploiting this relationship, instead of guessing all 64 bits and then checking (8) and (10), the search can be performed by guessing the other variables, computing v_2 and v_3 by (8), and finally checking (10). Thanks to the linear relationship among the variables, the guesses of v_2 and v_3 are saved. Furthermore, the resulting state automatically matches in the middle, since v_2 and v_3 are derived from the middle state. Therefore, the checking process is also reduced.
The above process is generalized as follows. Assume that the input difference is encrypted for r_1 rounds, and the output difference is decrypted for r_2 rounds. To precisely describe the differential propagation, a variable is introduced whenever a difference is not determined. Usually, new variables are introduced for the output of an active Sbox or for the input of the inverse of an active Sbox. Assuming that l bits of variables in total are introduced for the (r_1 + r_2)-round differentials, checking whether (r_1 + r_2)-round impossible differentials exist requires enumerating all 2^l possible states. With the guess-and-determine technique, when checking the possibility of every characteristic, the middle states computed from the encryption and decryption directions must match, which yields a linear equation system. By Gaussian elimination, the controlled variables are expressed in terms of the free variables. In the example of miniAES, the equation system is (3), and the controlled variables are v_2 and v_3, which are expressed by u_2 and u_3. If n bits (n < l) of controlled variables can be derived from the equation system, then only 2^{l−n} states have to be tried instead of all 2^l states. This decreases the complexity by a factor of 2^n. Taking all those conditions into consideration, an algorithm is derived by combining the definition-based method with the guess-and-determine technique; it reduces the enumeration complexity and is shown in Algorithm 2.
The difference is that, in Algorithm 1, all variables are guessed in Line 3 and the conditions for the Sboxes and the middle state are checked in Line 4, while in Algorithm 2, the equation system is first derived in Lines 2-4. Then only the free variables are enumerated in Line 5, and the controlled variables are computed accordingly in Line 6. Finally, only the Sbox conditions need to be checked in Line 7. The time-consuming step of the search is the loop in Line 5. Taking CSA-BC as an example, to search for r-round (r = r_1 + r_2 and r ≥ 20) impossible differentials, (r − 12) 8-bit variables are introduced. Among them, 8 are controlled 8-bit variables, and the remaining (r − 20) 8-bit variables are free. Therefore, the complexity of searching for an r-round impossible differential is O(2^{8(r−20)}).
That is to say, the complexity of searching for 25-round and 26-round distinguishers is 2^{40} and 2^{48}, respectively, for which hours or days are needed on a personal computer; thus, further improvement is needed.

Improvement with Early-Abort Technique.
Back to the example of miniAES: according to (3) and (4), while all differential characteristics are required to be impossible for an impossible differential, it is enough to find one possible characteristic to rule a differential out, meaning that the checking process can be terminated as soon as a possible characteristic is detected. That is to say, when an assignment of (u_0, u_1, u_2, u_3, v_0, v_1) is found to satisfy the Sbox conditions, meaning that the corresponding differential characteristic in Figure 1 is possible, then the differential (u_0, 0, 0, u_1) → (v_0, 0, 0, v_1) is possible, and there is no need to try other candidates for u_2 and u_3. Moreover, there is no need to compute all controlled variables at once. Instead, we compute one and check it immediately. If the conditions are not satisfied, then this characteristic is impossible, and we continue with another. For miniAES, the middle state conditions are guaranteed by the guess-and-determine technique, and the Sbox conditions are given in (10). After guessing u_0 and u_2, whether DDT[u_0, u_2] > 0 is checked immediately. If this is not satisfied, this characteristic is impossible, and there is no need to guess or compute other variables. Similarly, computing v_2 is immediately followed by checking whether DDT[v_0, v_2] > 0. Performing the checks early saves much effort in guessing and computing useless candidates. Based on this, an improved search algorithm combining the early-abort technique is proposed as Algorithm 3, where the free variables are distinguished by whether they are involved in the first or last round. The improvement brought by the early-abort technique is that not all characteristics or controlled variables need to be computed. In one trial, if some checking condition is not satisfied (Line 7 and Line 15), indicating that this characteristic is impossible, then this loop is terminated.
If one characteristic is found to be possible (Line 10), that is, all controlled variables have been computed and passed the checks, then this differential is possible, and the loop testing the other characteristics is stopped. Thus, computation and checks are saved. The application of this algorithm is presented in the next sections.
To validate our algorithm, we performed comparative experiments on a personal computer. The device is equipped with an Intel Core i7-6500U processor, and the running time for finding an impossible differential for CSA-BC is shown in Table 3. The results show that, for Algorithm 2, the time consumed grows sharply with the number of rounds, while impossible differentials for 22-26 rounds are obtained in less than 5 seconds with Algorithm 3. Moreover, it is interesting to note that the running time decreases when the length of the differentials increases from 25 rounds. This is attributed to the effect of the early-abort technique. The proportion of possible characteristics grows exponentially with the length; therefore, the search process terminates earlier, and much effort is saved thanks to the early-abort technique.
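As an added example (not the paper's code), the following Python implements the Section 3 procedure for the 2-round miniAES differential (u_0, 0, 0, u_1) → (v_0, 0, 0, v_1): the DDT check of (10), v_2 and v_3 as controlled variables derived from the middle-state match (8), and the early-abort order of Algorithm 3 next to the full enumeration of Algorithm 2. It assumes the AES Sbox, a MixColumns matrix ((2, 3), (3, 2)) and a row-major state layout, since the page does not reproduce the miniAES matrix.

```python
# Sbox-related check of a 2-round miniAES differential (u0,0,0,u1) -> (v0,0,0,v1):
# DDT filter (10), controlled variables v2, v3 from the middle-state equations (8),
# and the early-abort order of Algorithm 3.  Added example, not the paper's code.

def gf_mul(a, b):
    """Multiply a and b in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def aes_sbox():
    """Build the AES Sbox from field inversion followed by the FIPS-197 affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

def build_ddt(sbox):
    """DDT[d_in][d_out] = number of x with S(x) ^ S(x ^ d_in) == d_out."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for d in range(n):
            ddt[d][sbox[x] ^ sbox[x ^ d]] += 1
    return ddt

SBOX = aes_sbox()
DDT = build_ddt(SBOX)

# Assumed 2x2 MixColumns matrix over GF(2^8); the paper's miniAES matrix is not reproduced.
MC = ((2, 3), (3, 2))

# Layout assumption: state index = 2*row + col, so (u0,0,0,u1) puts u0 at (0,0), u1 at (1,1).
# Round 1: SB introduces u2, u3; SR moves u3 to (1,0); MC mixes column 0 into (m0, m1),
# column 1 stays zero.  Round 2 (no MC): output (v0,0,0,v1), inverse SR, inverse SB gives
# (v2,0,v3,0), again column 0.  Matching the middle state is exactly v2 = m0, v3 = m1,
# so v2 and v3 are controlled variables and only u2, u3 remain free.
def controlled_v2(u2, u3):
    return gf_mul(MC[0][0], u2) ^ gf_mul(MC[0][1], u3)

def controlled_v3(u2, u3):
    return gf_mul(MC[1][0], u2) ^ gf_mul(MC[1][1], u3)

def is_possible(u0, u1, v0, v1, ddt=DDT):
    """Algorithm 3: return True as soon as one possible characteristic is found."""
    for u2 in range(1, 256):
        if ddt[u0][u2] == 0:
            continue                   # early abort: S cannot map difference u0 to u2
        for u3 in range(1, 256):
            if ddt[u1][u3] == 0:
                continue
            v2 = controlled_v2(u2, u3)  # compute one controlled variable ...
            if ddt[v2][v0] == 0:
                continue               # ... and check it before computing the next one
            v3 = controlled_v3(u2, u3)
            if ddt[v3][v1] == 0:
                continue
            return True                # possible characteristic: the differential is possible
    return False

def count_possible_characteristics(u0, u1, v0, v1, ddt=DDT):
    """Algorithm 2 without early abort: enumerate all free variables, count survivors."""
    count = 0
    for u2 in range(1, 256):
        for u3 in range(1, 256):
            v2, v3 = controlled_v2(u2, u3), controlled_v3(u2, u3)
            if ddt[u0][u2] and ddt[u1][u3] and ddt[v2][v0] and ddt[v3][v1]:
                count += 1
    return count

if __name__ == "__main__":
    u0, u1, v0, v1 = 0x01, 0x02, 0x03, 0x04   # constructed sample differential
    print("possible" if is_possible(u0, u1, v0, v1) else "impossible",
          count_possible_characteristics(u0, u1, v0, v1), "characteristics")
```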

Constructing Impossible Differentials for CSA-BC
In this section, we first give a brief introduction to CSA-BC and then present the impossible differentials constructed by our method. The impact of the Sbox on the impossible differentials is also discussed. Finally, key recovery attacks are mounted using the impossible differentials found.

Description of CSA-BC. Digital Video Broadcast (DVB)
is a series of standards for digital television. It is widely applied in most countries and regions of the world. The Digital Video Broadcast Common Scrambling Algorithm (DVB-CSA, or CSA for short) is specified mainly to guarantee the secure transmission of MPEG-2 signals in Pay-TV and was adopted by the DVB consortium in 1994. The encryption process of CSA can be divided into two parts, the block cipher part (CSA-BC) and the stream cipher part (CSA-SC).
CSA-BC is a 64-bit block cipher with a 64-bit key. The state can be regarded as an 8-byte vector, and the plaintext is updated by the round function F for 56 rounds. The round function F is depicted in Figure 2 and works as follows. Denote its input and output by (x_0, x_1, ..., x_7) and (y_0, y_1, ..., y_7), respectively, where k is the round key, S is the 8-bit to 8-bit Sbox (see [18,26]), and P is a linear transformation that moves the i-th bit of a byte to position P(i) = (1, 7, 5, 4, 2, 6, 0, 3). As our attack is independent of the key schedule and of the stream cipher, we omit them in this paper. Interested readers are referred to [18,26] for more details.
For CSA-BC, current works mainly focus on its security against impossible differential attacks [17,18]. In 2016, Zhang et al. [17] proposed the first structural impossible differential attack. It was then improved to 22 rounds by taking the DDT of the Sbox into consideration [18]. The analytical results for CSA-BC are listed in Table 1.

Impossible Differentials for CSA-BC.
In [17,18], impossible differentials with a fixed input/output pattern are considered. In this section, we still study impossible differentials of this type, as it diffuses relatively slowly. Since more variables are involved in longer impossible differentials, we combine the search strategies of Section 3, and better results are obtained. According to Figure 2, one byte is nonlinearly transformed per round; therefore, only one new variable needs to be introduced per round to describe the differential propagation. From the encryption direction, the 16-round propagation is shown in Table 4, where u ∈ F_{2^8}^* and u_i ∈ F_{2^8}, 1 ≤ i ≤ 9. The constraints are DDT[u, u_1] > 0, DDT[u_1, u_2] > 0, DDT[u ⊕ u_2, u_3] > 0, and so on for the remaining rounds of Table 4.
Because one variable is introduced at the beginning and new variables are brought in from the 8-th round on, there are (r_1 − 6) variables in total for an r_1-round (r_1 > 7) encryption.
Using a similar strategy, the 10-round propagation from the decryption direction is obtained and shown in Table 5, where v ∈ F_{2^8}^* and v_i ∈ F_{2^8}. The number of variables needed to describe the differential propagation for an r_2-round decryption is also (r_2 − 6) when r_2 > 7.
To search for r-round (r = r_1 + r_2 and r ≥ 20) impossible differentials, (r − 12) 8-bit variables are introduced. Given the differential states from both sides, 8 equations are built by requiring them to match in all positions, and 8 controlled variables are deduced correspondingly. Therefore, only (r − 20) bytes need to be guessed instead of (r − 12). At the same time, those variables are input and output differences of the Sbox; hence, they are also required to satisfy the DDT of the Sbox. It should be pointed out that the work of both [17,18] are special cases of our algorithm. The 23-round impossible differential is built by concatenating 15 rounds from the encryption direction and 8 rounds from the decryption direction. If they match in every byte, then the equation system for the middle state is built accordingly.

ALGORITHM 1: A straightforward way to find impossible differentials.
(1) Initiate the impossible differential set T̄ and the possible differential set T to empty
(2) Derive the differential propagation by introducing new variables
(3) for all the variables do
(4)   if all conditions of the middle state and the Sboxes are satisfied then
(5)     Add this differential to T
(6)   end if
(7) end for
(8) Return T̄ = (F_{2^8}^* × F_{2^8}^*) \ T

ALGORITHM 2: Find impossible differentials with the guess-and-determine technique.
(1) Initiate the impossible differential set T̄ and the possible differential set T to empty
(2) Derive the differential propagation by introducing new variables
(3) Build the equations for the intermediate state
(4) Represent the controlled variables by the free variables from the equations
(5) for all the free variables do
(6)   Compute the controlled variables
(7)   if all conditions of the Sboxes are satisfied then
(8)     Add this differential to T
(9)   end if
(10) end for
(11) Return T̄ = (F_{2^8}^* × F_{2^8}^*) \ T

ALGORITHM 3: Improved search algorithm with the early-abort technique.
(1) Initiate the impossible differential set T to empty
(2) Derive the differential propagation by introducing new variables
(3) Represent the controlled variables by the free variables from the equations
(4) for all the free variables in the first and last round do
(5)   for all remaining free variables do
(6)     if the Sbox checking condition for the free variables is not satisfied then
(7)       Turn to Line 5 ⊳ checking process early-aborted
(8)     end if
(9)     if all controlled variables are computed then
(10)      Turn to Line 4 ⊳ possible characteristic found, differential early-aborted
(11)    else
(12)      Compute a controlled variable
(13)    end if
(14)    if the Sbox checking condition for the controlled variables is not satisfied then
(15)      Turn to Line 5 ⊳ checking process early-aborted
(16)    else
(17)      Turn to Line 9 ⊳ continue checking the Sbox conditions
(18)    end if
(19)  end for
(20)  Add this differential to T ⊳ executed unless Line 10 was executed
(21) end for
(22) Return T

Since the controlled variables can be expressed as linear functions of the free variables, the equation system is transformed by Gaussian elimination into a form in which P^{-1} is the inverse of P and P^{(N)} is shorthand for a sum of powers of P; for example, P^{(236)}u = (P^2 ⊕ P^3 ⊕ P^6)u. It follows that there are 3 free variables u, v, u_1. Given a candidate pair (u, v), all u_1 have to be enumerated to check whether the corresponding characteristic is possible or not. If there exists an assignment (u, v, u_1) such that all conditions are satisfied, then (u, v) is a possible differential, and we do not need to try the remaining candidates for u_1. The results of Algorithm 3 show that there are 61814 23-round impossible differentials with input difference (0, 0, 0, 0, 0, 0, u, 0) and output difference (0, v, v, v, 0, 0, 0, v).
The 24-round impossible differential is constructed by concatenating 15 rounds forward and 9 rounds backward. The equation system is built and simplified in the same way. Here, the free variables are u, v, u_1, v_1, and 738 impossible differentials are acquired in total.
The 25-round impossible differential combines 15 rounds from the top and 10 rounds from the bottom. After simplification of the equation system, the free variables are chosen to be u, v, u_1, v_1, v_2. By running through all candidate pairs, only 1 impossible differential is found, which is (0, 0, 0, 0, 0, 0, ea, 0) ↛ (0, e8, e8, e8, 0, 0, 0, e8), where the numbers are given in hexadecimal and the prefix 0x is omitted.
Note that this method was also applied to 22 and 26 rounds. For CSA-BC reduced to 22 rounds, the same results are obtained as in [18], which verifies the correctness of our method. For 26-round CSA-BC consisting of 16-round encryption and 10-round decryption, the results confirm that no impossible differential of the considered type exists.

Effect of Sbox on Impossible Differentials.
Since information on the Sbox is involved in our search algorithm, to verify the dependency between the impossible differentials and the Sbox, the Sbox of CSA-BC is replaced by the AES Sbox. The AES Sbox [27] is constructed from the inversion function, and it possesses the best differential property among the 8-bit permutations found so far. The experiment is carried out on the modified cipher, which keeps the identical structure but uses the AES Sbox in the round function F instead. Then, the same search procedure is repeated. The comparative results are listed in Table 6.
When the original Sbox of CSA-BC is replaced by the AES Sbox, the number of 23/24/25-round impossible differentials decreases significantly, which means that the output of our search algorithm is indeed closely tied to the details of the Sbox. For example, (0, 0, 0, 0, 0, 0, ea, 0) ↛ (0, e8, e8, e8, 0, 0, 0, e8) is a 25-round impossible differential for CSA, but it becomes possible when the Sbox is replaced by the AES Sbox. Since there are few results on Sbox-related impossible differentials, our method may serve as a tool to search for Sbox-related impossible differentials of similar block ciphers. In addition, as far as the number of impossible differentials is concerned, replacing the Sbox of CSA-BC with the AES Sbox might improve its resistance against impossible differential attacks.

Key Recovery Attacks against 25-Round CSA-BC and CSA.
So far, impossible differential distinguishers have been constructed for CSA-BC reduced to 23/24/25 rounds. As there is only one 25-round impossible differential, to achieve better attack performance we mount the key recovery attack against 25-round CSA-BC and CSA using the 24-round impossible differentials found above.
As presented in Figure 3, 1 round is appended at the end of the 24-round impossible differentials. The detailed attack procedure is as follows:
(1) Define a plaintext structure Λ whose 7-th byte takes all possible values while the other bytes are constant, where c_i (0 ≤ i ≤ 6) are constants over F_{2^8}. For any two plaintexts in Λ, their difference is of the form (0, 0, 0, 0, 0, 0, *, 0).
(2) Choose 2^N structures; then 2^{N+15} pairs with the desired input difference are generated. Keep the pairs whose ciphertext difference is of the expected form. The probability that the difference of a ciphertext pair is of this form is 2^{-48}. As there are 738 24-round impossible differentials, that is, 738 (u, v) candidates, the proportion of pairs matching the input and output differences of the attack scenario is 738/2^{16} ≈ 2^{-6.47}. Therefore, the probability that a plaintext pair from Step (1) leads to the desired ciphertext difference is 2^{-48} × 2^{-6.47} = 2^{-54.47}, and the number of pairs satisfying the attack scenario is 2^{N+15} × 2^{-54.47} = 2^{N-39.47}.
(3) Guess the round keys of the last round and decrypt for 1 round. If the difference after decryption is (0, v, v, v, 0, 0, 0, v), discard this key candidate and try another. Repeat this process until only the right key is left. The remaining key bits can be recovered by brute force.
The probability that a wrong key is not filtered out by one pair in the key recovery process is (1 − 2^{-8}); after all 2^{N-39.47} pairs are used, about 2^8 × (1 − 2^{-8})^{2^{N-39.47}} wrong keys would be left. When we take N = 50.5, the expected number of wrong keys left after filtering is approximately 0.07. In this case, all wrong keys are considered to be removed. Hence, the data complexity is 2^{50.5} × 2^8 = 2^{58.5} chosen plaintexts. Using the quick-sort method, the time complexity of the data filtration phase is 2^{50.5} × 2^8 × log_2(2^8) = 2^{61.5} comparisons. In the worst case, 2^{N-39.47} × 2^8 = 2^{20.03} 1-round decryptions are needed, which is negligible compared with the data filtration phase. As a counter is used in the data filtration and must be kept for the key candidates and the pairs after filtration, the memory complexity is 2^8 + 2^{11.03} + 2^8 ≈ 2^{11.35} memory units.
As pointed out in [17], a structural flaw can be exploited to extend the attack on the block cipher CSA-BC to the whole algorithm CSA. Here, a similar method is adopted, where the first block is active and the others are inactive. Choose the plaintexts of the first block as in Step (1) and apply the same procedures of Steps (2) and (3) to its ciphertext; the keys can then be recovered with data complexity 2^{58.5} chosen plaintexts, time complexity 2^{61.5} comparisons, and memory complexity 2^{11.35} memory units. The results are listed in Table 1.

Constructing Impossible Differentials for FOX64
In this section, we will first introduce the FOX64 block cipher, then our search method will be applied, and the improved results will be discussed.

FOX64 Block Cipher.
The block cipher FOX, also known as IDEA-NXT, was proposed by Junod and Vaudenay in 2004 [28]. It was designed to offer a high security level, large implementation flexibility, and high performance on various platforms. FOX employs the Lai-Massey structure and an SPS-type round function, and it was proven to be immune to differential and linear attacks. The version of FOX with a 64-bit block length and a 128-bit key length is called FOX64, and it has 16 rounds in total.

Security and Communication Networks
where rk is the round key. The orthomorphism or uses a 1-round Feistel transformation. Denote the 32-bit input as (l, r) ∈ F_{2^{16}}^2; then or(l, r) = (r, l ⊕ r). (22) The round function F employs an SPS-type design. It is composed of three parts: a substitution part (sigma4), a diffusion part (mu4), and a round key addition part. The round function F takes a 32-bit input x and a 64-bit round key rk = rk_1 || rk_2. The substitution layer consists of 4 identical 8-bit Sboxes. The detailed permutation of the Sbox and its construction are discussed in [28]. The diffusion layer is a matrix multiplication over a finite field. The 32-bit input is regarded as a 4-dimensional vector over F_{2^8}, and the 4 × 4 matrix is defined over F_{2^8} = F_2〈α〉, where α is a root of the polynomial x^8 ⊕ x^7 ⊕ x^6 ⊕ x^5 ⊕ x^4 ⊕ x^3 ⊕ 1 and z = α^{-1} ⊕ 1. The security of FOX64 and its high-level structure have been extensively studied [29][30][31][32]. For the impossible differential attack, Wu et al. [33] presented an impossible differential for 4-round FOX64 of the following form. This distinguisher was further improved and generalized in [34]. In 2016, Li et al. used multiple impossible differentials and various techniques to mount an 8-round key recovery attack based on similar 4-round impossible differentials [35]. The analytical results on FOX are listed in Table 2.

Impossible Differentials for FOX64.
The impossible differentials are constructed using the method in Section 3. Using Algorithm 3, the relationship between FOX64 and its round function F is first established, by exploiting the middle state conditions, in the following theorem.
Theorem 1. Verifying a differential of the following form for 4-round FOX64 is equivalent to verifying a differential of its round function, where u_i, v_i ∈ F_{2^8}. Furthermore, an impossible differential for its round function always implies an impossible differential for 4-round FOX64.
The determining process can be further separated into two independent parts. According to the structure of FOX64, the u_i's are only involved in the second round function, and the v_i's are only involved in the third. Therefore, the determining process can be divided into checking the validity of the following two differentials for the round function F, (u_1 ⊕ u_3, u_2 ⊕ u_4, u_1, u_2) →_F (u_9, u_10, u_11, u_12). That is, verifying a differential for 4-round FOX64 is equivalent to verifying one differential of its round function.
If the differential is impossible for F, it implies an impossible differential for 4-round FOX64. □
Remark 3. In Theorem 1 and its proof, the relationship between 4-round FOX and its round function is derived by exploiting the middle state conditions only. It indicates that when an impossible differential for F is detected, it can be extended to FOX64 by equations (27) and (28). Then the search for impossible differentials of 4-round FOX is transformed into checking the possibility of differentials of the round function F, which corresponds to the Sbox conditions in Algorithm 3, and the early-abort technique also works. According to equation (27), the controlled variables are u_i, v_i (9 ≤ i ≤ 12), the free variables in the difference pattern are u_i, v_i (1 ≤ i ≤ 4), and the remaining free variables are u_i, v_i (5 ≤ i ≤ 8). To check the possibility of (u_1 ⊕ u_3, u_2 ⊕ u_4, u_1, u_2) →_F (u_9, u_10, u_11, u_12) as in equation (28), all u_i, v_i (5 ≤ i ≤ 8) have to be enumerated. Assuming the difference after mu4 is (x_1, x_2, x_3, x_4) = mu4(u_5, u_6, u_7, u_8), the Sbox conditions are obtained accordingly. When all these Sbox conditions are satisfied, the characteristic is possible, which means the 4-round differential is also possible. The differential is impossible only when at least one Sbox condition fails for every characteristic, that is, for every choice of u_i, v_i (5 ≤ i ≤ 8).
This theorem indicates that the search for impossible differentials of FOX64 is equivalent to that for its round function. The complexity is reduced to O(2^{33}), which is practical on current personal computers. The experimental results indicate that verifying one differential for FOX64 takes approximately 10^{-6} seconds on average. Moreover, previous results can also be reproduced by our method.
Using the above method, we are able to find new impossible differentials for FOX64 with more degrees of freedom.
The results show that the number of impossible differentials of the following form for the round function F, with input difference (01, 00, 00, 00) and nonzero output bytes v_i ∈ F*_{2^8}, is 1197321873, accounting for approximately 28.31% of the whole space. The time taken is 2133 seconds. When the input difference of F is (01, 02, 00, 00), this proportion is reduced to 2^{-18.85}, with 8941 impossible differentials in total.
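As an added illustration of the check in Remark 3 and of the counting experiment above (example code written for this page, not the paper's or FOX's implementation), the following Python performs the guess-and-determine scan with early abort for an SPS round function: it enumerates the intermediate differences (the u_5, ..., u_8 of the paper), applies the linear layer, and tests every byte against the Sbox DDT. It assumes the AES Sbox (the one used in the CSA-BC experiment) as a stand-in for the FOX64 Sbox and the AES MixColumns matrix as a stand-in for mu4, so the counts it produces are for this stand-in F, not for FOX64.

```python
# Added example (not the paper's code): the Sbox-condition check that Theorem 1
# reduces a 4-round FOX64 differential to, for an SPS round function F = S o M o S.
# Assumed stand-ins: the AES Sbox for FOX64's Sbox, AES MixColumns for mu4.
from functools import reduce
from itertools import product
from operator import xor

POLY = 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # stand-in for mu4

def gf_mul(a, b):  # multiplication in GF(2^8) modulo POLY
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a & 0x80 else 0), b >> 1
    return r

def aes_sbox():  # inversion in GF(2^8) followed by the AES affine map
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    box = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):  # x^254 = x^-1 for x != 0
            inv = gf_mul(inv, x)
        box.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return box

def build_ddt(sbox):  # ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}
    ddt = [[0] * 256 for _ in range(256)]
    for x in range(256):
        for din in range(256):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt

def diffuse(a):  # difference after the linear layer: x = M * a over GF(2^8)
    return tuple(reduce(xor, (gf_mul(m, v) for m, v in zip(row, a))) for row in M)

def is_possible_F(din, dout, ddt):
    """True iff some a (the paper's u5..u8) satisfies every Sbox condition of
    din -> S -> a -> M -> x -> S -> dout; the scan aborts on the first failure."""
    cands = [[a for a in range(256) if ddt[d][a]] for d in din]  # ~127^k for k active bytes
    for a in product(*cands):            # guess the 4 intermediate bytes
        x = diffuse(a)
        if all(ddt[x[i]][dout[i]] for i in range(4)):  # second-layer check, early abort
            return True
    return False

def count_impossible(din, douts, ddt):  # how many of douts are impossible for din
    return sum(not is_possible_F(din, d, ddt) for d in douts)
```

The whole output space (F*_{2^8})^4 has 255^4 entries; count_impossible over a sub-family such as (v, v, v, v) for the single-active-byte input runs in a few seconds.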

Conclusion
In this paper, we proposed a new Sbox-related impossible differential search method combining the guess-and-determine and early-abort techniques. Our method is able to exploit more detailed information on Sboxes, and the impossible differentials found are closely related to the choice of Sboxes. Besides, our method is independent of any third-party solver and applicable to ciphers with Sboxes of large size (≥8 bits). Then this method is applied to CSA-BC and FOX64. With our method, 23/24/25-round impossible differentials for CSA-BC were found in less than 5 seconds. Those results are the longest impossible differentials for CSA-BC so far.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.