Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Abstract

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are $m$ -dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation $\left(\text{SP}\right)$ and Substitution Permutation Substitution $\left(\text{SPS}\right)$ types, they are called $\text{CAST}{256}_{\text{SP}}/\text{CAST}{256}_{\text{SPS}}$ and ${\text{MARS}}_{\text{SP}}/{\text{MARS}}_{\text{SPS}}$ , respectively. For $\text{CAST}{256}_{\text{SP}}/\text{CAST}{256}_{\text{SPS}}$ , the best known result for the length of the impossible differential distinguisher was $\left(m^2+m\right)/\left(m^2+m-1\right)$ rounds, respectively. With the help of the linear layer $P$ , we can construct $\left(m^2+m+{\mathrm{\Lambda }}_0\right)/\left(m^2+m+{\mathrm{\Lambda }}_1\right)$ -round impossible differential distinguishers, where ${\mathrm{\Lambda }}_0$ and ${\mathrm{\Lambda }}_1$ are non-negative numbers if $P$ satisfies some restricted conditions. For ${\text{MARS}}_{\text{SPS}}$ , the best known result for the length of the impossible differential distinguisher was $\left(3m-1\right)$ rounds. We can construct $3m$ -round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.