While impossible differential attack is one of the most well-known and familiar techniques for symmetric-key cryptanalysts, its subtlety and complicacy make the construction and verification of such attacks difficult and error-prone. We introduce a new set of notations for impossible differential analysis. These notations lead to unified formulas for estimation of data complexities of ordinary impossible differential attacks and attacks employing multiple impossible differentials. We also identify an interesting point from the new formulas: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the differences at the beginning and the end of the distinguisher propagate in the outer rounds. We check the formulas with some examples, and the results are all matching. Since the estimation of the time complexity is flawed in some situations, in this work, we show under which condition the formula is valid and give a simple time complexity estimation for impossible differential attack which is always achievable.
Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon