Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are m -dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation SP and Substitution Permutation Substitution SPS types, they are called CAST 256 SP / CAST 256 SPS and MARS SP / MARS SPS , respectively. For CAST 256 SP / CAST 256 SPS , the best known result for the length of the impossible differential distinguisher was m 2 + m / m 2 + m − 1 rounds, respectively. With the help of the linear layer P , we can construct m 2 + m + Λ 0 / m 2 + m + Λ 1 -round impossible differential distinguishers, where Λ 0 and Λ 1 are non-negative numbers if P satisfies some restricted conditions. For MARS SPS , the best known result for the length of the impossible differential distinguisher was 3 m − 1 rounds. We can construct 3 m -round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.