An Upper Bound of the Longest Impossible Differentials of Several Block Ciphers

Abstract

Impossible differential cryptanalysis is an essential cryptanalytic technique and its key point is whether there is an impossible differential path. The main factor of influencing impossible differential cryptanalysis is the length of the rounds of the impossible differential trail because the attack will be more close to the real encryption algorithm with the number becoming longer. We provide the upper bound of the longest impossible differential trails of several important block ciphers. We first analyse the national standard of the Russian Federation in 2015, Kuznyechik, which utilizes the 16-byte LFSR to achieve the linear transformation. We conclude that there is no any 3-round impossible differential trail of the Kuznyechik without the consideration of the specific S-boxes. Then we ascertain the longest impossible differential paths of several other important block ciphers by using the matrix method which can be extended to many other block ciphers. As a result, we show that, unless considering the details of the S-boxes, there is no any more than or equal to 5-round, 7-round and 9-round impossible differential paths for KLEIN, Midori64 and MIBS respectively.

1. Introduction

Block ciphers play a large part in the process of constructing numerous symmetric cryptographic plans whose core security is determined by the ability of the underlying block ciphers to fight the existing cryptanalytic technologies. Differential cryptanalysis (DC) is one of the most essential cryptanalytic techniques [1]. Most block ciphers are currently designed to be resilient to the attack of the differential cryptanalysis. In order to verify the security of a block cipher resistance differential cryptanalysis, the usual way is to find a longest differential characteristics path which is able to differentiate from a random permutation. To a certain degree, the success of this attack depends chiefly on the opponents careful analysis of the internal structure of the encryption algorithm.

Impossible differential cryptanalysis (IDC) was first proposed by Biham et al. to attack Skipjack [2] and applied by Knudsen against DEAL [3]. It is a filtering way which utilizes differentials with probability zero to find the correct key by throwing away the wrong keys. Until now, a lot of well-known lightweight block ciphers being attacked using IDC, have been published, such as AES, Camellia [4], CLEFIA [5],ARIA[6] and Zodiac[7].

IDC is generally composed of two steps. To begin with, the adversary attempts to find out an impossible differential trail, i.e., the probability of the trail is zero. Next, after obtaining a serial of plaintext-ciphertext pairs, the opponent supposes some subkey sets involved in the outer rounds of the impossible differential path, and then encrypts/decrypts partially each pair of plaintext-ciphertext to verify whether the corresponding internal difference states are identical. Once the input and output differences of the impossible differentials are identical, the supposed subkey will be abandoned. The correct key must be found if we get rid of all incorrect keys.

The success of IDC is mainly depended on the number of the rounds of the impossible differential paths, the detail of input/output difference patterns and the strength of complexity of one-round encryption/decryption. Among them, one important aspect is the detail of input/output difference, because we can improve attacks [8] in the time/data complexities with higher possibilities. However, the core aspect of influencing IDC is the length of the rounds because the attack will be more close to the real encryption algorithm with the number becoming longer and has more practical significance, and this paper is aimed to explore an upper bound of the longest impossible differentials.

An important approach, which can be used to search for differential characteristics of the block cipher, is proposed by Sun et al. in ASIACRYPT 2014 [9] and it is based on MILP which can evaluate the security (obtain security bound) of a block cipher against the differential attacks. They successfully proved that they attained the security bounds for LBlock and PRESENT-80 against related-key differential attacks. Also, they presented a new approach to find characteristics for DESL, LBlock and PRESENT-128, which involved more rounds or higher probability than the previous results. There are several other automatic methods of the block ciphers to get the truncated impossible differentials effciently, such as U-method [10], UID-method [11] and WW-method [12]. The U-method was proposed by Kim et al. in Indocrypt 2003. Its goal is to search the impossible differentials through the miss-in-the-middle technique and the matrix operations. However, it has drawbacks in ascertaining some types of contradictions and several longer impossible differentials. The UID-method improved the evaluation of impossible differentials by removing some conditions in the U-method and making full use of more contradictory conditions. The WW-method was proposed by Wu et al. in Indocrypt 2012 and improved and extended the approach of the above two methods. The above methods are mainly used to search the differential characteristics or impossible differentials as more as possible.

In CRYPTO 2015, Sun et al. have proved that they found almost all impossible differentials of a block cipher [13]. And they first proposed the concept of structure, the independent of the choices of the S-boxes and the dual structure. The dual structure is used to link zero correlation linear hulls and impossible differentials. Constructing zero correlation linear hulls of the dual structure is equal with building impossible differentials of a structure.

In EUROCRYPT 2016, Sun et al. chiefly researched the security of structures resistance impossible differential [14]. They first proposed the problem whether there exists an r-round impossible differential. As a result, there does not exist any 5-round impossible differentials of AES or ARIA, and any 9-round independent impossible differentials of the Camellia without F L/F L-1 layer unless the details of the non-linear layer of them are considered.

Our Contribution. This paper aims to find an upper bound of the longest impossible differentials of Several Block Ciphers. We analyze several important block ciphers of the SPN and feistel structure in detail. Then, we apply the matrix to express the linear transformation layer of these block ciphers and give a detailed process.

We first analyse the national standard of the Russian Federation in 2015, Kuznyechik, which utilizes the 16-byte LFSR to achieve the linear transformation. By the analysis, we conclude that there is no any 3-round impossible differential of the Kuznyechik without the consideration of the specific S-boxes. We next ascertain the longest impossible differentials of several other important block ciphers by using the matrix method which can be extended to many other block ciphers. Finally, we provide technical support about IDC for a lot of block ciphers because we can quickly find the longest impossible differentials.

As a result, we show that, unless considering the details of the S-boxes, there is no impossible differential path more than or equal to 3-round, 5-round, 7-round and 9-round impossible differentials for Kuznyechik[15], KLEIN[16] [17], Midori64[18] and MIBS[19] [20] respectively.

Organization of the paper. Section 2 describes some notations used in this paper such as SPN structure, Feistel structure, the matrix of linear transformation and impossible differentials. Section 3 presents the impossible differentials cryptanalysis of the SPN structure and proves the upper bound of the longest impossible differential paths of Kuznyechik, KLEIN and Midori64. Then, Section 4 depicts the impossible differentials cryptanalysis of the Feistel structure and gives the upper bound of the longest impossible differential trails of MIBS. Finally, we draw our conclusion in Section 5.

2. Preliminaries

These notations and basic knowledge are used in this article. Notations. F_2^b : a vector with length b.

\(F_{2^{b}}^{n}\) : the vector space over F_2^b with dimension n.

Z : the integer ring.

\(\chi(X)\) : the truncated characteristic of X .

P : the matrix of the linear layer of the block ciphers, where \(P=\left(p_{i j}\right) \in F_{2^{b}}^{n \times n}\)

P^* : the characteristic matrix of P, where \(P^{*}=\left(p_{i j}^{*}\right) \in Z^{n \times n}\).

|| : concatenation.

\(\mathcal{E}_{S P}^{(r)}\) : an r-round SPN structure.

\(F_{S P}^{(r)}\) : an r-round Feistel structure with SP-type round function.

Fig. 1. The round structure of SPN and Feistel

The Block Ciphers of SPN Structure. The SPN structure is broadly used in cryptographic primitives’ composition. One round of an SPN cipher typically has three layers (Fig. 1, Left): the SubkeyAddition layer, the nonlinear transformation Sbox-layer and the linear permutation layer P. The SubkeyAddition layer is omitted in this paper because it does not cause the propagation of differences. The Sbox-layer can accomplish confusion and P-layer can achieve diffusion. We divide the input a of Sbox-layer into n parts, i.e., \({a}=\left({a}_{0}, \dots, {a}_{{n}-1}\right)\), where a_i(0 <=i <= n - 1) is a b-bit byte.

To begin with, ai is implemented by the non-linear transformation si as follows:

\(y=S(a)=\left(s_{0}\left(a_{0}\right), \ldots, s_{n-1}\left(a_{n-1}\right)\right) \in F_{2^{b}}^{n}\)       (1)

Then, y is transformed by \(P\left(F_{2^{b}}^{m} \rightarrow F_{2^{b}}^{m}\right)\). Additionally, we omit the last round linear permutation layer P since it does not influence the length of an impossible differential, i.e., an r-round SPN structure can be signified by \((S \circ P)^{(r-1)} \circ S\).

Specifically, the SP-type function is denoted as : \(f: F_{2^{b}}^{m} \rightarrow F_{2^{b}}^{m}\) in this paper.

The Block Ciphers of Feistel Structure. The Feistel structure is depicted on the right of Fig.1. Let \(\left(L_{i} \| R_{i}\right) \in F_{2^{b}}^{n}\) and \(\left(L_{i+1} \| R_{i+1}\right) \in F_{2^{b}}^{n}\) be the input and output of the round function F of the i-th round, respectively, where \(0 \leq i \leq r-1\).

\(\left\{\begin{array}{l}L_{i+1}=F\left(L_{i}\right) \oplus R_{i} \\R_{i+1}=L_{i}\end{array}\right.\)       (2)

Similar to the SPN structure, the SubkeyAddition is omitted. In order to keep the consistency of encryption and decryption process, the left and the right are not exchanged in the last round. Notice that the speed of encryption is slow since every bit can be encrypted with two rounds.

Impossible Differentials. Let \(G: F_{2}^{n} \rightarrow F_{2}^{m}, \delta \in F_{2}^{n}\) and \(\Delta \in F_{2}^{m}\) . The probability of δ→∆ is defined as

\(p(\delta \rightarrow \Delta)=\#\left\{x \in F_{2}^{n} | G(x) \oplus G(x \oplus \delta)=\Delta\right\} / 2^{n}\)       (3)

If \(p(\delta \rightarrow \Delta)=0\), then δ→∆ is called an impossible differential of G.

Definition 1([14]). Let \(E: F_{2}^{n} \rightarrow F_{2}^{n}\) be a encryption algorithm of a block cipher, whose non-linear components are the bijective S-boxes. A structure \(\varepsilon^{E} \in F_{2}^{n}\) is denoted as a group of block ciphers E′ which is equal to E, besides the S-boxes of E′ can take all possible bijective transformations. Let \(\alpha, \beta \in F_{2}^{n}\) . If for any \(\mathrm{E}^{\prime} \in \varepsilon^{E}, \alpha \mapsto \beta\) is an impossible differential of E′.

Then \(\alpha \mapsto \beta\) is called an impossible differential of \(\mathbf{D}_{r_{0}}\) .

Truncated Characteristic. \(X=\left(x_{0}, \ldots, x_{n-1}\right)\), where \(X \in F_{2^{b}}^{n}\) and \(x_{i} \in F_{2^{b}}(0 \leq i \leq n-1)\). Let \(\theta: F_{2^{b}} \rightarrow F_{2}\) be defined as

\(\theta\left(x_{i}\right)=\left\{\begin{array}{ll}0 & x_{i}=0 \\1 & x_{i} \neq 0\end{array}\right.\)       (4)

Then, \(\chi(X)\) denotes the truncated characteristic of X, as follows:

\(\chi(X)=\left(\theta\left(x_{0}\right), \ldots, \theta\left(x_{n-1}\right)\right) \in F_{2}^{n}\)       (5)

The Matrix of Linear Permutation. Let the matrix P represent the linear permuation of the block cipher, where \(P=\left(p_{i j}\right) \in F_{2^{b}}^{n x}\). For the block ciphers of SPN structure, the matrix P represents the linear permutation layer P, i.e., not including the SubkeyAddition layer and the nonlinear transformation Sbox-layer. For the block ciphers of Feistel structure, the matrix P represents the linear permutation layer P of the round function.

AES is one of the most popular SPN ciphers so far. The SubBytes(SB) is the only non-linear transformation. The linear permutation includes ShiftRows(SR) and MixColumns(MC). Let the state after SB be S which consists of a_i , where i = 0,1,2,…,15 and the length of a_i is 8 bits. The state after SR and MC can be described as follows:

\(S=\left[\begin{array}{llll}a_{0} & a_{4} & a_{8} & a_{12} \\a_{1} & a_{5} & a_{9} & a_{13} \\a_{2} & a_{6} & a_{10} & a_{14} \\a_{3} & a_{7} & a_{11} & a_{15}\end{array}\right] \overset{SR}\longrightarrow\left[\begin{array}{llll}a_{0} & a_{4} & a_{8} &a_{12} \\a_{5} & a_{9} & a_{13} & a_{1} \\a_{10} & a_{14} & a_{2} & a_{6} \\a_{15} & a_{3} & a_{7} & a_{11}\end{array}\right] \overset{MC}\longrightarrow\left[\begin{array}{llll}02 & 03 & 01 & 01 \\01 & 02 & 03 & 01 \\01 & 01 & 02 & 03 \\03 & 01 & 01 & 02\end{array}\right] \cdot\left[\begin{array}{llll}a_{0} & a_{4} & a_{8} & a_{12} \\a_{5} & a_{9} & a_{13} & a_{1} \\a_{10} & a_{14} & a_{2} & a_{6} \\a_{15} & a_{3} & a_{7} & a_{11}\end{array}\right]\)

\(=\left[\begin{array}{llll}2 a_{0}+3 a_{5}+a_{10}+a_{15} & 2 a_{4}+3 a_{9}+a_{14}+a_{3} & 2 a_{8}+3 a_{13}+a_{2}+a_{7} & 2 a_{12}+3 a_{1}+a_{6}+a_{11} \\a_{0}+2 a_{5}+3 a_{10}+a_{15} & a_{4}+2 a_{9}+3 a_{14}+a_{3} & a_{8}+2 a_{13}+3 a_{2}+a_{7} & a_{12}+2 a_{1}+3 a_{6}+a_{11} \\a_{0}+a_{5}+2 a_{10}+3 a_{15} & a_{4}+a_{9}+2 a_{14}+3 a_{3} & a_{8}+a_{13}+2 a_{2}+3 a_{7} & a_{12}+a_{1}+2 a_{6}+3 a_{11} \\3 a_{0}+a_{5}+a_{10}+2 a_{15} & 3 a_{4}+a_{9}+a_{14}+2 a_{3} & 3 a_{8}+a_{13}+a_{2}+2 a_{7} & 3 a_{12}+a_{1}+a_{6}+2 a_{11}\end{array}\right]\)

If we consider the 4 × 4 state S as a vector S′ in \(\boldsymbol{F}_{2^{8}}^{16}\), the linear permutation which includes the SR and the MC can be also written as the following P× S′, where the linear permutation matrix P is in \(F_{2^{8}}^{16 \times 16}\) as follows:

\(P\times S'= \left[\begin{array}{c}2000030000100001 \\1000020000300001 \\1000010000200003 \\3000010000100002 \\0001200003000010 \\0001100002000030 \\0003100001000010 \\0002300001000010 \\0010000120000300 \\0030000110000200 \\0020000310000100 \\0010000230000100 \\0300001000012000 \\0200003000011000 \\0100002000031000 \\0100001000023000\end{array}\right]\cdot \left[\begin{array}{l}a_{0} \\a_{1} \\a_{2} \\a_{3} \\a_{4} \\a_{5} \\a_{6} \\a_{7} \\a_{8} \\a_{9} \\a_{10} \\a_{11} \\a_{12} \\a_{13} \\a_{14} \\a_{15}\end{array}\right]=\left[\begin{array}{l}2 a_{0}+3 a_{5}+a_{10}+a_{15} \\a_{0}+2 a_{5}+3 a_{10}+a_{15} \\a_{0}+a_{5}+2 a_{10}+3 a_{15} \\3 a_{0}+a_{5}+a_{10}+2 a_{15} \\2 a_{4}+3 a_{9}+a_{14}+a_{3} \\a_{4}+2 a_{9}+3 a_{14}+a_{3} \\a_{4}+a_{9}+2 a_{14}+3 a_{3} \\3 a_{4}+a_{9}+a_{14}+2 a_{3} \\2 a_{8}+3 a_{13}+a_{2}+a_{7} \\a_{8}+2 a_{13}+3 a_{2}+a_{7} \\a_{8}+a_{13}+2 a_{2}+3 a_{7} \\3 a_{8}+a_{13}+a_{2}+2 a_{7} \\2 a_{12}+3 a_{1}+a_{6}+a_{11} \\a_{12}+2 a_{1}+3 a_{6}+a_{11} \\a_{12}+a_{1}+2 a_{6}+3 a_{11} \\3 a_{12}+a_{1}+a_{6}+2 a_{11}\end{array}\right],P^*=\left[\begin{array}{cccccccccccccc}1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 \\0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 \\0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 \\0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0\end{array}\right]\)

Similar to SPN, we can use the matrix P to represent the linear permutation operations of the round function of Feistel strucures with SP-type round functions.

Characteristic Matrix. Let \(P^{*}=\left(p_{i j}^{*}\right) \in Z^{n \times n}\) denote the characteristic matrix of \(P=\left(p_{i j}\right) \in F^{n \times n}\) for \(0 \leq i, j \leq n-1\), where \(p_{i j}^{*}=\theta\left(p_{i j}\right)\), i.e., \(p_{i j}^{*}=0\) if \(p_{i j}=0\) and \(p_{i j}^{*}=1\) otherwise. Let the matrix \(B=\left(b_{i j}\right) \in Z^{n \times n}\) . B be non-negative if all b_ij are non-negative, and positive if all b_ij are positive. Obviously, P^* is always non-negative. Then the characteristic matrix P^* of AES as shown above.

3. Impossible Differentials of the SPN Structure

We use the matrix method to ascertain the upper bound of the longest impossible differentials for several SPN ciphers.

3.1 An Upper Bound for the Rounds of Impossible Differentials

Definition 2. Let \(P \in F_{2^{b}}^{n \times n}, P^{*}\) be the characteristic matrix of P , and 

\(f_{m}\left(P^{*}\right)=\left(P^{*}\right)^{m}\)       (6)

Then the smallest integer m is called type 1 primitive index of P (for SPN structure), s.t. \(f_{m}\left(P^{*}\right)\) is a positive matrix. For example, if m = 3, then \(f_{3}\left(P^{*}\right)=\left(P^{*}\right)^{3}\) is a positive matrix, but \(f_{2}\left(P^{*}\right)=\left(P^{*}\right)^{2}\) is not positive matrix.

Assume µ→ν is a possible differential of \(\mathcal{E}_{S P}^{(r)}\). So, there is always a few α' and β', s.t.,

\(\mu \stackrel{\varepsilon^{S}}{\longrightarrow} \mu^{\prime} \stackrel{\varepsilon^{P S \cdots S P}}{\longrightarrow} \nu^{\prime} \stackrel{\varepsilon^{S}}{\longrightarrow} \nu\)       (7)

is a possible differential of \(\mathcal{E}_{S P}^{(r)}\). Thus for any µ^* and ν^* ,s.t., \(\chi\left(\mu^{*}\right)=\chi(\mu)\) and \(\chi\left(v^{*}\right)=\chi(v)\),

\(\mu^{*} \stackrel{\varepsilon^{S}}{\longrightarrow} \mu^{\prime} \stackrel{\varepsilon^{P S \cdots S P}}{\longrightarrow} \nu^{\prime} \stackrel{\varepsilon^{S}}{\longrightarrow} \nu^{*}\)       (8)

is also a possible differential.

As discussed previously, we can ascertain the longest of impossible differentials. Next, we will present an upper bound for the length of impossible differentials with considering merely the property of the P layer for an SPN structure.

Fig. 2. ( R₁(P) + R_-1(P) + 1)-round differential for ε_SP

Fig.2 describes the maximal length of impossible differential trail of an SPN cipher. Let the intermediate µ₁ be m bytes. If anyone byte of µ₁ has a difference, then each byte of ν₁ has a difference after encrypting \(R_{1}(P)\) rounds, i.e., \(\left|\chi\left(\mu_{1}\right)\right|=1\) and \(\left|\chi\left(\nu_{1}\right)\right|=m\). In a similar way, if anyone byte of µ₂ has a difference, then each byte of ν₂ has a difference after decrypting \(R_{-1}(P)\) rounds, i.e., \(\left|\chi\left(\mu_{2}\right)\right|=1\) and \(\left|\chi\left(v_{2}\right)\right|=m\). Since \(\left|\chi\left(v_{1}\right)\right|=\left|\chi\left(v_{2}\right)\right|=m\), \(V_{1} \rightarrow V_{2}\) is a one-round possible differential. So the following theorem holds.

Theorem 1( [14]). Let \(R_{1}(P)\) and \(R_{-1}(P)\) be the type 1 primitive indexes of P and P⁻¹ respectively. There is no any impossible differential r of \(\mathcal{E}_{S P}^{(r)}\) for \(r \geq R(P)+R_{-1}(P)+1\) (As shown in Fig.2).

For AES, we only consider the property of the P layer. The state is S₀ which consists of ia for i =0,1,2,…15, where the length of a_i is 8 bits. The state after the Matrix P of Linear Permutation (one round) is S₁ which consists of ib for i = 0,1,2,… ,15. Then the state after the Matrix P again is S₂ which consists of ic for i = 0,1,2,…,15. S₀, S₁ and S₂ are depicted as follows.

\(S_0=\left[\begin{array}{l}a_{0} \\a_{1} \\a_{2} \\a_{3} \\a_{4} \\a_{5} \\a_{6} \\a_{7} \\a_{8} \\a_{9} \\a_{10} \\a_{11} \\a_{12} \\a_{13} \\a_{14} \\a_{15}\end{array}\right],S_1=\left[\begin{array}{l}b_{0} \\b_{1} \\b_{2} \\b_{3} \\b_{4} \\b_{5} \\b_{6} \\b_{7} \\b_{8} \\b_{9} \\b_{10} \\b_{11} \\b_{12} \\b_{13} \\b_{14} \\b_{15}\end{array}\right]=\left[\begin{array}{l}2 a_{0}+3 a_{5}+a_{10}+a_{15} \\a_{0}+2 a_{5}+3 a_{10}+a_{15} \\a_{0}+a_{5}+2 a_{10}+3 a_{15} \\3 a_{0}+a_{5}+a_{10}+2 a_{15} \\2 a_{4}+3 a_{9}+a_{14}+a_{3} \\a_{4}+2 a_{9}+3 a_{14}+a_{3} \\a_{4}+a_{9}+2 a_{14}+3 a_{3} \\3 a_{4}+a_{9}+a_{14}+2 a_{3} \\2 a_{8}+3 a_{13}+a_{2}+a_{7} \\a_{8}+2 a_{13}+3 a_{2}+a_{7} \\a_{8}+a_{13}+2 a_{2}+3 a_{7} \\3 a_{8}+a_{13}+a_{2}+2 a_{7} \\2 a_{12}+3 a_{1}+a_{6}+a_{11} \\a_{12}+2 a_{1}+3 a_{6}+a_{11} \\a_{12}+a_{1}+2 a_{6}+3 a_{11} \\3 a_{12}+a_{1}+a_{6}+2 a_{11}\end{array}\right],S_2=\left[\begin{array}{l}c_{0} \\c_{1} \\c_{2} \\c_{3} \\c_{4} \\c_{5} \\c_{6} \\c_{7} \\c_{8} \\c_{9} \\c_{10} \\c_{11} \\c_{12} \\c_{13} \\c_{14} \\c_{15}\end{array}\right]=\left[\begin{array}{l}2 b_{0}+3 b_{5}+b_{10}+b_{15} \\b_{0}+2 b_{5}+3 b_{10}+b_{15} \\b_{0}+b_{5}+2 b_{10}+3 b_{15} \\3 b_{0}+b_{5}+b_{10}+2 b_{15} \\2 b_{4}+3 b_{9}+b_{14}+b_{3} \\b_{4}+2 b_{9}+3 b_{14}+b_{3} \\b_{4}+b_{9}+2 b_{14}+3 b_{3} \\3 b_{4}+b_{9}+b_{14}+2 b_{3} \\2 b_{8}+3 b_{13}+b_{2}+b_{7} \\b_{8}+2 b_{13}+3 b_{2}+b_{7} \\b_{8}+b_{13}+2 b_{2}+3 b_{7} \\3 b_{8}+b_{13}+b_{2}+2 b_{7} \\2 b_{12}+3 b_{1}+b_{6}+b_{11} \\b_{12}+2 b_{1}+3 b_{6}+b_{11} \\b_{12}+b_{1}+2 b_{6}+3 b_{11} \\3 b_{12}+b_{1}+b_{6}+2 b_{11}\end{array}\right]\)

Obviously, if \(\left|\chi\left(S_{0}\right)\right|=1\), then \(\left|\chi\left(S_{1}\right)\right|=4\) and \(\left|\chi\left(S_{2}\right)\right|=16\). In other words, P^* is not a positive matrix, however, (P^*)² is a positive matrix. So R₁(P)=2. Similarly, R_-1(P)=2.

3.2 Cryptanalysis of Kuznyechik Cipher

Kuznyechik [15] is the national standard [GOST R 34.12-2015] of the Russian Federation in 2015. It applies cryptographic techniques to process and protect information, including the confidentiality, authenticity, and integrity of data. The Standard complies with modern cryptographic requirements and is designed for efficient implementation of hardware and software.

Kuznyechik(see Fig.3) is a 128-bit block cipher with 256 bits key. The encryption algorithm is a replacement \(E_{K_{1}, \cdots, K_{10}}\) which is defined on F_2¹²⁸ , as shown below:

\(E_{K_{1}, \cdots, K_{10}}(a)=X\left[K_{10}\right] L \circ S \circ X\left[K_{9}\right] \cdots L \circ S \circ X\left[K_{2}\right] L \circ S \circ X\left[K_{1}\right](a)\)       (9)

where \(a=a_{15}\left\|a_{14}\right\| a_{13} \cdots\left\|a_{2}\right\| a_{1} \| a_{0}\) and \(a_{i} \in F_{2^{8}}(0 \leq i \leq 15)\).

Fig. 3. The round function of Kuznyechik

Moreover, X denotes AddRoundKey, and S represents the bijective nonlinear mapping, i.e., \(S(a)=S\left(a_{15}\left\|a_{14}\right\| a_{13} \cdots\left\|a_{2}\right\| a_{1} \| a_{0}\right)=b_{15}\left\|b_{14}\right\| b_{13} \cdots\left\|b_{2}\right\| b_{1} \| b_{0}\), where \(b_{i}=\pi\left(a_{i}\right)(0 \leq i \leq 15)\). L means R¹⁶, i.e., the linear transformation layer, where \(R(b)=R\left(b_{15}\left\|b_{14}\right\| b_{13} \cdots\left\|b_{2}\right\| b_{1} \| b_{0}\right)=l\left(b_{15}, \cdots, b_{0}\right)\left\|b_{15}\right\| b_{14}\left\|b_{13} \cdots\right\| b_{2} \| b_{1}\) is a 16-byte LFSR. The register moves 8 bits each time, and the new state is denoted by the state of LFSR after moving 16 times. The detailed descriptions of LFSR are in Fig. 4.

Fig. 4. The LFSR of the round function of Kuznyechik

For Kuznyechik, the P layer means the L operation, i.e., P = R¹⁶. Then we consider the 16 states as a vector in \(F_{2^{8}}^{16}\) and the irreducible polynomial over this finite fields is \(x^{8}+x^{7}+x^{6}+x+1\) . By calculation, the following matrix can be used to represent R, R² and R¹⁶.

\(R(b)=\left[\begin{array}{cccccccccccccccc}148 & 32 & 133 & 16 & 194 & 192 & 1 & 251 & 192 & 194 & 6 & 133 & 32 & 148 & 1 \\1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0\end{array}\right]\cdot\left[\begin{array}{l}b_{15} \\b_{14} \\b_{13} \\b_{12} \\b_{11} \\b_{10} \\b_{9} \\b_{8} \\b_{7} \\b_{6} \\b_{5} \\b_{4} \\b_{3} \\b_{2} \\b_{1} \\b_{0}\end{array}\right],\)

\(R^2(b)=\left[\begin{array}{cccccccccccccccc}132 & 45 & 116 & 150 & 93 & 119 & 111 & 222 & 84 & 180 & 141 & 209 & 68 & 60 & 165 & 148 \\148 & 32 & 133 & 16 & 194 & 192 & 1 & 251 & 1 & 192 & 194 & 6 & 133 & 32 & 148 & 1 \\1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0\end{array}\right] \cdot\left[\begin{array}{l}b_{15} \\b_{14} \\b_{13} \\b_{12} \\b_{11} \\b_{10} \\b_{9} \\b_{8} \\b_{7} \\b_{6} \\b_{5} \\b_{4} \\b_3\\b_2\\b_1\\ b_0\end{array}\right]\)

For R, the 16 elements in row 0 are non-zero, and there are 15 zeros and one 1 in the other 15 rows. For R², the 16 elements in row 0 and row 1 are non-zero, and there are 15 zeros and one 1 in the other 14 rows. Note that the multiplication of any two nonzero numbers is still nonzero in the finite field.

\(R^{16}(b)=\left[\begin{array}{llllllllllllllll}207 & 152 & 116 & 191 & 147 & 142 & 242 & 243 & 10 & 191 & 246 & 169 & 234 & 142 & 77 & 110 \\110 & 32 & 198 & 218 & 144 & 72 & 137 & 156 & 193 & 100 & 184 & 45 & 134 & 68 & 208 & 162 \\162 & 200 & 135 & 112 & 104 & 67 & 28 & 43 & 161 & 99 & 48 & 107 & 159 & 48 & 227 & 118 \\118 & 51 & 16 & 12 & 28 & 17 & 214 & 106 & 166 & 215 & 246 & 73 & 70 & 20 & 232 & 114 \\114 & 242 & 107 & 202 & 32 & 235 & 2 & 164 & 141 & 212 & 196 & 1 & 101 & 221 & 76 & 108 \\108 & 118 & 236 & 12 & 197 & 188 & 175 & 110 & 163 & 225 & 144 & 88 & 14 & 2 & 195 & 72 \\72 & 213 & 98 & 23 & 6 & 45 & 196 & 231 & 213 & 235 & 153 & 120 & 82 & 245 & 22 & 122 \\122 & 230 & 78 & 26 & 187 & 46 & 241 & 190 & 212 & 175 & 55 & 177 & 212 & 42 & 110 & 184 \\184 & 73 & 135 & 20 & 203 & 141 & 171 & 73 & 9 & 108 & 42 & 1 & 96 & 142 & 75 & 93 \\93 & 212 & 184 & 47 & 141 & 18 & 238 & 246 & 8 & 84 & 15 & 243 & 152 & 200 & 127 & 39 \\39 & 159 & 190 & 104 & 26 & 124 & 173 & 201 & 132 & 47 & 235 & 254 & 198 & 72 & 162 & 189 \\189 & 149 & 94 & 48 & 233 & 96 & 191 & 16 & 239 & 57 & 236 & 145 & 127 & 72 & 137 & 16 \\16 & 233 & 208 & 217 & 243 & 148 & 61 & 175 & 123 & 255 & 100 & 145 & 82 & 248 & 13 & 221 \\221 & 153 & 117 & 202 & 151 & 68 & 90 & 224 & 48 & 166 & 49 & 211 & 223 & 72 & 100 & 132 \\132 & 45 & 116 & 150 & 93 & 119 & 111 & 222 & 84 & 180 & 141 & 209 & 68 & 60 & 165 & 148 \\148 & 32 & 133 & 16 & 194 & 192 & 1 & 251 & 1 & 192 & 194 & 16 & 133 & 32 & 148 & 1\end{array}\right]\cdot\left[\begin{array}{l}b_{15} \\b_{14} \\b_{13} \\b_{12} \\b_{11} \\b_{10} \\b_{9} \\b_{8} \\b_{7} \\b_{6} \\b_{5} \\b_{4} \\b_{3} \\b_{2} \\b_{1} \\b_{0}\end{array}\right],\)

\(P^{*}=\left[\begin{array}{llllllllllll}1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1\\1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1& 1\end{array}\right]\)

By computing, there is no 0 element in R¹⁶, i.e., R¹⁶ is a positive matrix. For Kuznyechik, the linear transformation of each round is iterated 16 times, which is equivalent to 16 rounds of other block cipher algorithms. Therefore, the characteristic matrix of R¹⁶ (i.e. P^* ) is also the positive matrix. Then we have R(P)=1.. In a similar way, R_-1(P)= 1. Then we get the following conclusion:

Proposition 1. There is no any more than or equal to 3-round impossible differential of ε^Kuznyechik . Or equivalently, there is no any 3-round impossible differential of the Kuznyechik unless considering the details of the S-boxes.

3.3 Cryptanalysis of KLEIN Cipher

KLEIN family [16] is proposed by Gong et al. at RFIDSec 2011, with a fixed 64-bit block size. It supports three key of 64-bit, 80-bit and 96-bit, along with 12,16 and 20 rounds respectively. The experimental implementation results of hardware and software show that KLEIN has a good performance in constrained resource environments.

KLEIN uses 4-bit Sboxes and AES MixColumn in a SPN structure. Such a combination is low memory implementation in both hardware and software, but KLEIN family may exists serious risks and they are not validated with further external analysis. The present cryptanalysis results of KLEIN, shown by designers, are about 4-round differential and linear attacks, 5-round integral attack. The designers also considered the Key schedule attack, algebraic attack and side-channel attack. And we can apply the high order differential and the high order integral properties to improve the result of the integral analysis. Ahmadian et al. shown a full round attack on KLEIN by using a biclique [17].

Fig. 5. The structure of the block cipher KLEIN

KLEIN supports 64-bit, 80-bit and 96-bit three key sizes but all of them are 64-bit block sizes. In this paper we focuse only on KLEIN-64 (see Fig. 5) whose round function consists of four steps as below.

(1) AddRoundKey(AK), the 64-bit state is XORed with a 64-bit round key.

(2) SubNibbles(SN), which divides the 64-bit intermediate state into sixteen 4-bit nibbles and puts them into the same sixteen 4 × 4 S-boxes.

(3) RotateNibbles(RN), the 64-bit state are rotated left 16 bits in every round.

(4) MixNibbles(MN), two AES MixColumn are applied concurrently, each 32-bit is operated by one AES Mix-Column.

The AES MixColumn operation is the following matrix(M1) multiplication in GF(28 ) and multiply modulo x4 + 1. The corresponding irreducible polynomial is : x⁸ + x⁴ + x³ + x + 1.

Let the state after SN be S which consists of a_i for i = 0,1,2,…,7, where the length of a_i is 8 bits. These two operations of RN and MN can be denoted as follows:

\(S=\left[\begin{array}{l}a_{0} a_{4} \\a_{1} a_{5} \\a_{2} a_{6} \\a_{3} a_{7}\end{array}\right] \stackrel{R N}{\longrightarrow}\left[\begin{array}{l}a_{2} a_{6} \\a_{3} a_{7} \\a_{4} a_{0} \\a_{5} a_{1}\end{array}\right] \stackrel{MN}\longrightarrow\left[\begin{array}{llll}02 & 03 & 01 & 01 \\01 & 02 & 03 & 01 \\01 & 01 & 02 & 03 \\03 & 01 & 01 & 02\end{array}\right] \cdot\left[\begin{array}{l}a_{2} \\a_{3} \\a_{4} \\a_{5}\end{array}\right] \|\left[\begin{array}{llll}02 & 03 & 01 & 01 \\01 & 02 & 03 & 01 \\01 & 01 & 02 & 03 \\03 & 01 & 01 & 02\end{array}\right] \cdot\left[\begin{array}{l}a_{6} \\a_{7} \\a_{0} \\a_{1}\end{array}\right]\)

\(=\left[\begin{array}{ll}2 a_{2}+3 a_{3}+a_{4}+a_{5} & 2 a_{6}+3 a_{7}+a_{0}+a_{1} \\a_{2}+2 a_{3}+3 a_{4}+a_{5} & a_{6}+2 a_{7}+3 a_{0}+a_{1} \\a_{2}+a_{3}+2 a_{4}+3 a_{5} & a_{6}+a_{7}+2 a_{0}+3 a_{1} \\3 a_{2}+a_{3}+a_{4}+2 a_{5} & 3 a_{6}+a_{7}+a_{0}+2 a_{1}\end{array}\right]\)

If we consider the state S as a vector S' in \(F_{2^{8}}^{8}\), the linear permutation, which includes RN and MN, can be also written as the following P×S' , where the linear permutation matrix P is

in \({F}_{2^{8}}^{8 \times 8}\).

\(P\times S'=\left[\begin{aligned}&00231100\\&00123100\\&00112300\\&00311200\\&11000023\\&31000012\\&23000011\\&12000031\end{aligned}\right]\cdot\left[\begin{array}{l}a_{0} \\a_{1} \\a_{2} \\a_{3} \\a_{4} \\a_{5} \\a_{6} \\a_{7}\end{array}\right]=\left[\begin{array}{l}2 a_{2}+3 a_{3}+a_{4}+a_{5} \\a_{2}+2 a_{3}+3 a_{4}+a_{5} \\a_{2}+a_{3}+2 a_{4}+3 a_{5} \\3 a_{2}+a_{3}+a_{4}+2 a_{5} \\2 a_{6}+3 a_{7}+a_{0}+a_{1} \\a_{6}+2 a_{7}+3 a_{0}+a_{1} \\a_{6}+a_{7}+2 a_{0}+3 a_{1} \\3 a_{6}+a_{7}+a_{0}+2 a_{1}\end{array}\right]\)

So,

\(P=\left[\begin{aligned}&00231100\\&00123100\\&00112300\\&00311200\\&11000023\\&31000012\\&23000011\\&12000031\end{aligned}\right],p^*=\left[\begin{aligned}&00111100\\&00111100\\&00111100\\&00111100\\&11000011\\&11000011\\&\begin{array}{l}11000011 \\11000011\end{array}\end{aligned}\right],(P^*)^2=\left[\begin{aligned}&22222222\\&22222222\\&22222222\\&22222222\\&22222222\\&22222222\\&22222222\\&22222222\end{aligned}\right]\)

Since P^* is negative and (P^*)² is positive, we have R(P) = 2. Similarly, R_-1(P)= 2. Then we get the following conclusion:

Proposition 2. There is no any more than or equal to 5-round impossible differential of ε^KLEIN . Or equivalently, there is no any 5-round impossible differential of the KLEIN unless considering the details of the S-boxes.

3.4 Cryptanalysis of Midori64 Cipher

The Midori64 [18] is another popular SPN ciphers and designed by Banik et al. at A SIACRYPT 2015. Midori family is also a lightweight block ciphe. Midori-64 support 64-bit block sizes and 128-bit keys along with 16 rounds. The designers try to optimize every part of the circuit in order to decrease the energy consumption and make both encryption and decryption achieved by a little adjustment in the circuit. The designers declared that there does not exist any more than 7-round impossible differential trail for Midori64.

Fig. 6. The round function of Midori64

In this paper, we focus on Midori64(see Fig.6) whose round function consists of four steps as below.

(1) SubCell(SC), apply the same 16 non-linear S-boxes on the state in parallel.

(2) ShuffeCell(SFC), the shuffe is as follows: (\({a}_{0}, {a}_{1}, {a}_{2}, \ldots, {a}_{13}, {a}_{14}, {a}_{15}\)) ← ( \({a}_{0}, {a}_{10}, {a}_{5}, {a}_{15}, {a}_{14}, {a}_{4}, {a}_{11}, {a}_{1}, {a}_{9}, {a}_{3}, {a}_{12}, {a}_{6}, {a}_{7}, {a}_{13}, {a}_{2}, {a}_{8}\)).

(3) MixColumn(MC), Midori-64 utilizes the matrix M2 to confuse every 4-nibble column of the state S , i.e.\(^{t}\left(a_{i}, a_{i+1}, a_{i+2}, a_{i+3}\right) \leftarrow M_{2} \cdot^{t}\left(a_{i}, a_{i+1}, a_{i+2}, a_{i+3}\right)\), where i = 0,4,8,12.

\(M_{2}=\left[\begin{array}{llll}0 & 1 & 1 & 1 \\1 & 0 & 1 & 1 \\1 & 1 & 0 & 1 \\1 & 1 & 1 & 0\end{array}\right], \quad S=\left[\begin{array}{llll}a_{0} & a_{4} & a_{8} & a_{12} \\a_{1} & a_{5} & a_{9} & a_{13} \\a_{2} & a_{6} & a_{10} & a_{14} \\a_{3} & a_{7} & a_{11} & a_{15}\end{array}\right]\)

(4) AddKey(AK), the 64-bit state is XORed with a 64-bit round key.

Similar to KLEIN, we consider the 4 ×4 matrix of Midori-64 as the state \(S \in F_{2^{4}}^{16}\), where the size of each cell of S is 4 bits. Let the state S after SC be described as shown above, and the state after SFC and MC can be written as follows.

\(S=\overset{SFC}\longrightarrow\left[\begin{array}{l}a_{0} a_{14} a_{9} a_{7} \\a_{10} a_{4} a_{3} a_{13} \\a_{5} a_{11} a_{12} a_{2} \\a_{15} a_{1} a_{6} a_{8}\end{array}\right]\overset{MC} \longrightarrow\left[\begin{array}{lll}a_{5}+a_{10}+a_{15} & a_{1}+a_{4}+a_{11} & a_{3}+a_{6}+a_{12} & a_{2}+a_{8}+a_{13} \\a_{5}+a_{0}+a_{15} & a_{1}+a_{11}+a_{14} & a_{6}+a_{9}+a_{12} & a_{2}+a_{7}+a_{8} \\a_{0}+a_{10}+a_{15} & a_{1}+a_{4}+a_{14} & a_{3}+a_{6}+a_{9} & a_{7}+a_{8}+a_{13} \\a_{0}+a_{5}+a_{10} & a_{4}+a_{11}+a_{14} & a_{3}+a_{9}+a_{12} & a_{2}+a_{7}+a_{13}\end{array}\right]\)

The matix P of linear permutation can be written as the following 16 × 16 matrix over \(F_{2^{4}}^{16 \times 16}\). It is clear that the characteristic matrix P^* of P equals P. By calculating, (P^*)² is negative, but (P^*)³ is positive. So, we get R(P) = 3. Similarly, R_-1(P) = 3. Then we get the following conclusion:

Proposition 3. There is no any more than or equal to 7-round impossible differential of ε^Midori64 . Or equivalently, there is no any 7-round impossible differential of the Midori64 unless considering the details of the S-boxes.

In 2016, Chen et al. used the path \((0, \mathrm{a}, 0,0,0,0,0,0,0,0,0, \mathrm{a}, 0,0,0,0) \rightarrow(0,0,0,0,0, *,0,0,0,0,0,0,0,0,0,0)\), a 6-round impossible differential path, to attack 10-round Midori64, where 0 denotes zero difference, a and * denote non-zero difference [21]. The impossible difference path is consistent with our conclusion in proposition 3.

4. Impossible Differentials of the Feistel Structures with SP-Type Round Functions

We use the matrix method to ascertain the upper bound of the longest impossible differentials of the Feistel Structures with SP-Type Round Functions.

4.1 An Upper Bound for the Rounds of Impossible Differentials

The principle to study the Feistel structure with SP-type round functions are almost the same as that of the SPN structure(As shown in Fig. 7).

Fig. 7. (2R₂(P) + 5)-round differential for F_SP

Definition 3. Let \(P \in F_{2^{b}}^{n \times n}, P^{*}\) be the characteristic matrix of P , and

\(g_{m}\left(P^{*}\right)=\left\{\begin{array}{ll}\sum_{i=0}^{j}\left(P^{*}\right)^{2 * i} & n=2 * j \\\sum_{i=0}^{j}\left(P^{*}\right)^{2 * i-1} & n=2 * j-1\end{array}\right.\)       (10)

Then the smallest integer m is called type 2 primitive index of P, s.t. \(g_{m}\left(P^{*}\right)\) is positive. For example, if m = 5, then j = 3. Thus \(g_{m}\left(P^{*}\right)=\left(P^{*}\right)^{1}+\left(P^{*}\right)^{3}+\left(P^{*}\right)^{5}\) is a positive matrix, whereas \(\left(P^{*}\right)^{0}+\left(P^{*}\right)^{2}+\left(P^{*}\right)^{4}\)+ and \(\left(P^{*}\right)^{1}+\left(P^{*}\right)^{3}\) are not positive matrix. if m = 6, then j = 3. Thus \(g_{m}\left(P^{*}\right)=\left(P^{*}\right)^{0}+\left(P^{*}\right)^{2}+\left(P^{*}\right)^{4}+\left(P^{*}\right)^{6}\) is a positive matrix, whereas \(\left(P^{*}\right)^{1}+\left(P^{*}\right)^{3}+\left(P^{*}\right)^{5}\) and \(\left(P^{*}\right)^{0}+\left(P^{*}\right)^{2}+\left(P^{*}\right)^{4}\) are not positive matrix.

Theorem 2. Let R₂(P) be the type 2 primitive indexes of P. Then, there is no any independent impossible differential r of \({F}_{S P}^{(r)}\) for \(r \geq 2 R_{2}(P)+5\) (detailed proof, see P12-14[14]).

4.2 Cryptanalysis of MIBS Cipher

MIBS [19] is proposed by M.Izadi et al. in CANS 2009. It is a lightweight block cipher with 64-bit block size and 32-round. MIBS supports two key sizes 64-bit and 80-bit. The experimental results show that MIBS has a good performance in constrained resource environments such as RFID tags and sensor networks. MIBS is a typical block cipher of the Feistel structure and its round function(Fig. 8) includes three steps:

Fig. 8. The structure of the block cipher MIBS

(1) addroundkey, the 32-bit L_i-1, the left half of the state , is XORed with a 32-bit round key.

(2) S layer, the nonlinear S -boxes transformations, divides the 32-bit intermediate state into eight 4-bit nibbles and puts them into the same eight 4 × 4 S-boxes.

(3) P layer, linear transformations layer(with branch number 5).

Let the \(b_{i} \in F_{2^{4}}\) and \(c_{i} \in F_{2^{4}}\) be the input and output of the P layer, respectively, for i = 1,…,8. The linear permutations(Fig. 9) is as follows.

Fig. 9. The round function of MIBS

So, P can be also written 8 × 8 matrix over \({F}_{2^{4}}^{8 \times 8}\) and \((P^*)^2\) as followins.

\(P^{*}=P=\left[\begin{array}{lllllll}1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\0 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \\1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\0 & 1 & 1 & 1 & 0 & 0 & 1 & 1 \\1 & 0 & 1 & 1 & 1 & 0 & 1 & 1 \\1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 \\1 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \\1 & 0 & 1 & 1 & 0 & 1 & 1 & 1\end{array}\right],\left(P^{*}\right)^{2}=\left[\begin{array}{ccccccc}4 & 4 & 5 & 5 & 3 & 3 & 5 & 4 \\4 & 5 & 5 & 4 & 4 & 4 & 3 & 3 \\5 & 4 & 4 & 5 & 5 & 4 & 3 & 4 \\3 & 4 & 5 & 3 & 2 & 4 & 4 & 3 \\4 & 3 & 4 & 4 & 3 & 2 & 3 & 5 \\3 & 4 & 3 & 5 & 4 & 2 & 3 & 3 \\4 & 5 & 3 & 3 & 4 & 4 & 3 & 2 \\5 & 5 & 4 & 4 & 3 & 4 & 4 & 4\end{array}\right]\)

Obviously, if \(|\chi(Y)|=1\), then \(|\chi(Z)|=8\). In other words, P^* is not a positive matrix, however, (P^*)² is a positive matrix. So, \(\left(P^{*}\right)^{2}+\mathrm{I}\) is positive, where I is the identity matrix. Then we have \(R_{2}(P)=2\) and get the following conclusion:

Proposition 4. There is no any more than or equal to 9-round \((2 R(P)+5)\) independent impossible differential of ε^MIBS . Or equivalently, there is no any 9-round independent impossible differential of the MIBS unless considering the details of the S-boxes.

In EUROCRYPT 2017, Yu Sasaki and Yosuke Todo presented a new tool searching for impossible differentials of MIBS [22]. They found an impossible difference path with a maximum of 8 rounds, such as (00000000, 000a0000)->(00000b00, 00000000). The impossible difference path is consistent with our conclusion in proposition 4.

5. Conclusion

In this paper, we mainly explored the security of structures against impossible differential and determined whether there exists an r-round impossible differential of an SPN structure or an independent impossible differential of a Feistel structure with SP-type round functions. The main factor of influencing impossible differential cryptanalysis is the length of the rounds of the impossible differentials because the attack will be more close to the real encryption algorithm with the number becoming longer.

We first analyse Kuznyechik, which is the national standard of the Russian Federation in 2015, and draw the conclusion that there is no any 3-round impossible differential of the Kuznyechik with only considering the linear permutations.

Although we are only interested in the truncated impossible differentials, we apply the matrix to express the linear transformation layer and use the matrix method to quickly ascertain the upper bound of the longest impossible differentials for several block ciphers ignoring the nonlinear transformations. The matrix method can be extended to many other block cipher.

As a result, we show that, unless considering the details of the S-boxes, there is no any 3-round, 5-round and 7-round impossible differentials for Kuznyechik, KLEIN and Midori64 respectively and there is no any 9-round independent impossible differential for MIBS.