Improvements for Finding Impossible Differentials of Block ...downloads.hindawi.com/journals/scn/2017/5980251.pdf · SecurityandCommunicationNetworks 3 Forexample,iftheaugmentedmatrix𝐵ofalinearsystemin

Research ArticleImprovements for Finding Impossible Differentials ofBlock Cipher Structures

Yiyuan Luo1 and Xuejia Lai23

1School of Electronics and Information Shanghai Dian Ji University Shanghai China2Department of Computer Science and Engineering Shanghai Jiao Tong University Shanghai China3Westone Cryptologic Research Center Beijing 100070 China

Correspondence should be addressed to Yiyuan Luo luoyysdjueducn

Received 30 March 2017 Accepted 17 July 2017 Published 29 August 2017

Academic Editor Jesus Dıaz-Verdejo

Copyright copy 2017 Yiyuan Luo and Xuejia Lai This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

We improve Wu and Wangrsquos method for finding impossible differentials of block cipher structures This improvement is moregeneral than Wu andWangrsquos method where it can find more impossible differentials with less time We apply it on Gen-CAST256Misty Gen-Skipjack Four-Cell Gen-MARS SMS4 MIBS Camellialowast LBlock E2 and SNAKE block ciphers All impossibledifferentials discovered by the algorithm are the same as Wursquos method Besides for the 8-round MIBS block cipher we find 4 newimpossible differentials which are not listed in Wu and Wangrsquos results The experiment results show that the improved algorithmcan not only find more impossible differentials but also largely reduce the search time

1 Introduction

Impossible differential cryptanalysis introduced by Biham etal [1] and Knudsen [2] independently is a special case of dif-ferential cryptanalysis that uses differentials with probabilityzero to sieve the right keys from the wrong keys It is one ofthe most powerful attacks for block ciphers and is consideredin many block cipher designs [3ndash10] The best cryptanalyticresults for some block ciphers are obtained by impossibledifferential cryptanalysis [1 11] For example the currentlybest attack on the 31-round Skipjack is still the impossibledifferential cryptanalysis by Biham et al [1]

The key step in impossible differential cryptanalysis ofa block cipher is to find the longest impossible differentialGiven two variables 1199091 1199092 isin F1198992 the difference of 1199091 and1199092 is usually denoted as Δ119909 = 1199091 oplus 1199092 An impossibledifferential for an 119899-subblock block cipher is in the form(Δin999424999426999456119903Δout) where Δin = (Δ1199091 Δ119909119899) and Δout =(Δ1199101 Δ119910119899) (Δin999424999426999456119903Δout) means the probability of theoutput difference is Δout after 119903 rounds of a block cipher foran input difference Δin is zero At the first glance impossibledifferentials are obtained manually by observing the blockcipher structure However since the emergence of impossible

differential cryptanalysis automated techniques for findingimpossible differentials have been introduced

The first automated technique is called the Shrinking

method introduced by Biham et al [1]This method is simplebut very useful It only considers truncated differentialswhose differences distinguish only between zero and arbi-trary nonzero difference Given a block cipher the adversaryfirst designs a mini version of this block cipher which scalesdown the block cipher but preserves the global structureThen the adversary exhaustively searches for this mini cipherand obtains some truncated impossible differentials Usuallythese truncated impossible differentials of the mini cipherremain impossible differentials in the normal version Thismethod can deal with most block ciphers in the real worldHowever it becomes very slow if the number of subblocks ofa block cipher is as large as 16 since exhaustive search on themini version of this type of cipher is still a heavy load formostcomputers

The second automated technique is based on the miss inthe middle approach This method combines two differen-tials one from the input and the other from the output bothwith probability 1 However these two differentials cannotmeet in the middle since they can never be equal in the

HindawiSecurity and Communication NetworksVolume 2017 Article ID 5980251 9 pageshttpsdoiorg10115520175980251

2 Security and Communication Networks

middle The U method [12 13] and the UID method [14]both belong to this category In the U method and the UIDmethod the adversary first represents the block cipher struc-ture as a matrix then given a differential pair (Δin Δout)he calculates the 119898-round intermediate difference from Δinforwardly and the (119903 minus 119898)-round intermediate differencefrom Δout backwardly by the matrix method If there is acontradiction for these two intermediate differences then animpossible differential (Δin999424999426999456119903Δout) is verified Representinga block cipher by the matrix has been a popular methodin impossible differential and integral and zero correlationlinear cryptanalysis [8 10 15ndash20]

In [21] Wu and Wang extend the U-method and UIDmethod to a more generalized method which does not usethemiss in themiddle approachThey treat the 119903-round blockcipher structure as a system of equations which describe thepropagation behavior of differences in the inner primitivesespecially sbox permutations or branch swapping of theblock cipher structure To judge if a truncated differential(Δin Δout) is impossible they predict information aboutunknown variables from the known ones iteratively Finally atruncated differential is verified by checking the constrainedconditions in the system This method is similar to a linearprogramming method for solving optimization problems

In [22] Sun et al show that Wu and Wangrsquos automaticsearchmethod can find all impossible differentials of a cipherthat are independent of the choices of the inner primitivesHowever Wu andWangrsquos method can only find all truncatedimpossible differentials since the choice of truncated differ-ence may result in missing some impossible differentialsWu and Wangrsquos method only considers differences Δin =(1199091 119909119899) and Δout = (1199101 119910119899) where 119909119894 and 119910119894are zero or nonzero values They assign an indicator toindicate the choice of 119909119894 and 119910119894 representing by 0 a subblockwithout difference and by 1 a subblock with a difference Therelationships between nonzero differences have been omittedFor example 119910119894 may be equal to some 119909119895 where 1 le 119894 119895 le 119899If some linear constraints between nonzero variables in Δinand Δout are needed Wu and Wang claimed their methodcould still work by translating all linear constraints into thesystem of equations However this method increases the runcomplexity and implementation of the search method Sinceit changes the equation system for every value of (Δin Δout)and if the relationship between Δin and Δout is complicatedthe matrix will be very large

The idea of the UID method is that it represents thedifferential with symbols and utilizes the propagation prop-erty of the linear accumulated symbols The idea of theWu-Wang method is to utilize solving linear equations todetermine an impossible differential We show that the Wu-Wang method can be improved by combining the idea ofthe UID method and Wu-Wang method Instead of using 1to represent the nonzero difference we use a letter symbolto represent a difference and different symbols representdifferent nonzero values This method can represent morerelationships between these subblocks For example if Δin =(119886 0 0 119886) and Δout = (119886 0 0 119887) for a 4-subblock structurewhere 119886 and 119887 are different nonzero values then we have1199091 = 1199094 = 1199101 and 1199104 = 1199091 In our method the matrix of

the system does not need to be changed with (Δin Δout) Wealso improve theWu-Wang method by simplifying the test ofwhether there are solutions for linear systems Since the mosttime consuming part is the matrix operation our improvedmethod can find more impossible differentials in less time

We implement themethod in java language and apply it tomany block cipher structures including Gen-CAST256 [15]Gen-Skipjack [23] Four-Cell [24] Gen-MARS [12] Gen-RC6 [23] SMS4 [14] Misty [25] MIBS [26] Camellialowast [27]LBlock [28] E2 [29] and SNAKE [30] ones For these blockciphers we rediscover all known impossible differentialsEspecially for the 8-round MIBS cipher we find 4 newimpossible differentials which are not listed in Wu andWangrsquos work Our improvement largely reduced the run timefor finding impossible differentials In [31] the results forMIBS LBlock and E2 are obtained in a few hours on a266GHz processor with MAGMA package However ourresults for MIBS LBlock and E2 are obtained within 10seconds on a 220GHz processor

2 Preliminaries

In this section we introduce some basic concepts and notionsused in this paper We first introduce the block cipherstructures Next we review the solvability of a system of linearequations

21 Block Cipher Structures There are mainly two blockcipher structures which are the Feistel structure and its gen-eralizations and the substitute permutation network (SPN)The round function of most of those structures consistsof three basic operations the sbox look-up the exclusive-or addition (Xor) and the branch swapping where theonly nonlinear component is the sbox look-up operationIn differential cryptanalysis the Xor differences of plain-textciphertext pairs are considered we omit the key andconstant addition since they have no relevance to ouranalysis We assume that a block cipher structure has 119899subblocks (branches) and the input and output differ-ences are denoted by (Δ1199091 Δ119909119899) and (Δ1199101 Δ119910119899)respectively

22 The Solvability of a Linear System Now we reviewthe basics in linear algebra of determining the solvabilityof a system of linear equations Let 119898 119899 be two positiveintegers 119898 lt 119899 let 119860119909 = 119887 be a system of 119898 linearequations with 119899 variables where 119860 is 119898 times 119899 matrix overF2 and 119909 = (1199091 119909119899) and 119887 = (1198871 119887119898) aretwo bit vectors then the augmented 119898 times (119899 + 1) matrix119861 = [119860 | 119887] can determine the solvability of the linearsystem

A regular method is to deduce the reduced row echelonform (aka row canonical form) ofmatrix119861 byGauss-Jordanelimination algorithm The reduced row echelon form of amatrix is unique and denoted by 1198611015840 One starts to check 1198611015840from the last row to the first to see if there exists a row inwhich the first 119899 entries are zeros and the last entry is nonzeroIf there are such rows then the linear system has no solution

Security and Communication Networks 3

For example if the augmented matrix 119861 of a linear system inreduced row echelon form is

1198611015840 = (1 0 0 11988710 1 0 11988720 0 0 1198873) (1)

where 1198873 is nonzero then the linear system has no solution

3 Mathematical Models for Finding IDs ofBlock Cipher Structures

Our improvement is based onWu andWangrsquos method If thenonlinear sbox 119878119894 in a block cipher structure is a permutationthen there is a constraint on the input difference119909119894 and outputdifference 119910119894 for 119878119894 that is 119909119894 and 119910119894 can only both be zeroor both be nonzero denoted by 119909119894 sim 119910119894 The intermediatevalue of a block cipher structure is called the stateThe state isupdated with the round structure In order to find impossibledifferential for an 119903-round block cipher structure we first setdifferential variables for the states and then transform the 119903-round block cipher structure into a system of linear equationsand constraints denoted by S Then for a given differential(Δin Δout) where Δin = (1198861 119886119899) and Δout = (1198871 119887119899)we can check if it is impossible by solvingSwith initial values(1198861 119886119899 1198871 119887119899) if S has no solution then Δin999424999426999456119903Δout

Here we take the 5-round Feistel structure as an exampleWe first assign differential variables for 5-round Feistelstructure In Figure 1 119865119894 1 le 119894 le 5 are permutations theoutput difference of 119865119894 for input difference119883119894 is 119884119894 thus119883119894 sim119884119894 According to the computation graph of 5-round Feistelstructure we obtain the following systemS of equations andconstraints 1198830 oplus 1198832 oplus 1198841 = 0 1198831 sim 11988411198831 oplus 1198833 oplus 1198842 = 0 1198832 sim 11988421198832 oplus 1198834 oplus 1198843 = 0 1198833 sim 11988431198833 oplus 1198835 oplus 1198844 = 0 1198834 sim 11988441198834 oplus 1198836 oplus 1198845 = 0 1198835 sim 1198845

(2)

In order to check if (119886 0) rarr (119886 0) is an impossible differentialwhere 119886 is a nonzero value we solve the above system with1198830 = 119886 1198831 = 0 1198835 = 0 and 1198836 = 119886 Since 1198831 sim 1198841 and1198835 sim 1198845 we have 1198841 = 0 and 1198845 = 0 From linear equations ofS we get 1198843 = 0 thus1198833 = 0 since1198833 sim 1198843 next from linearequations S we obtain 1198842 = 0 however 1198832 = 119886 and 1198832 sim 1198842thus the system S has no solution and (119886 0) rarr (119886 0) is animpossible differential for 5-round Feistel structure

Now we want to find all impossible differentials for 5-round Feistel structure we enumerate all the possible dif-ferential pairs (Δin Δout) isin (0 119886) (119886 0) (119886 119886) (0 119887) (119887 0)(119887 119887) (119887 119886) (119886 119887) where 119886 and 119887 are two different nonzerovalues For each value of (Δin Δout) we judge if it is animpossible differential after all cases are tested we will findall impossible differentials

X0

X1

X1

X2

X3

X4

X5X6

X2

X3

X4

Y1

Y2

Y3

Y4

Y5

F1

F2

F3

F4

F5

Figure 1 State variables for 5-round Feistel structure

Thus the general algorithm for finding all 119903-round impos-sible differentials for a block cipher structure is outlined asfollows

(1) Generate all the possible differential pairs (Δin Δout)in a setD

(2) Assign differential variables according to the compu-tation figure of the 119903-round block cipher structureGenerate the system S of linear equations and con-straints with the differential variables

(3) For each (Δin Δout) isin D solve the system Swith initial value (Δin Δout) and check if S has nosolution If there is no solution then (Δin rarr Δout) isan impossible differential After all cases are checkedwe obtain all impossible differentials

4 The Detailed Algorithm

In this section we describe the detailed algorithm andimplementation details

41 Generate All Possible Differential Pairs We use symbols119886119894 119887119894 1 le 119894 le 119899 to denote different 2119899 as the nonzerovalues For a block cipher structure the input difference is(Δ1198681 Δ119868119899) where Δ119868119894 isin 0 1198861 119886119899 and the outputdifference is (Δ1198741 Δ119874119899) where Δ119874119894 isin 0 1198861 119886119899 1198871 119887119899 Note that the input difference and output difference


Table 1 The 5 times 13 augmented matrix of 5-round Feistel structure0 1 2 3 4 5 6 7 8 9 10 11 121198830 1198831 1198832 1198833 1198834 1198835 1198836 1198841 1198842 1198843 1198844 1198845 01 1 0 1 0 0 0 0 1 0 0 0 0 02 0 1 0 1 0 0 0 0 1 0 0 0 03 0 0 1 0 1 0 0 0 0 1 0 0 04 0 0 0 1 0 1 0 0 0 0 1 0 05 0 0 0 0 1 0 1 0 0 0 0 1 0

will not be zero since this will be trivial in differentialcryptanalysisThus there are total ((119899+1)119899minus1) sdot ((2119899+1)119899minus1)differential pairs This value is large for many block cipherstructures

However an impossible differential (Δ1198681 Δ119868119899) 999424999426999456(Δ1198741 Δ119874119899) for a block cipher structure is usually simplethat is there are very few nonzero values in (Δ1198681 Δ119868119899)and (Δ1198741 Δ119874119899) Since the input or output differential arecomplicate it will propagate fast due to the round structure ofthe cipherThus it is reasonable to consider simple differentialpairs Actually all the impossible differentials found for blockcipher structures in the literature are simple

In this paper we only consider the input difference(Δ1198681 Δ119868119899) where Δ119868119894 isin 0 119886 and the output difference(Δ1198741 Δ119874119899) where Δ119874119894 isin 0 119886 119887 Thus there are total(2119899 minus 1)(3119899 minus 1) differential pairs that need to be checked

42 Generate the System S Given a block cipher structurewe first need to draw the computational figure and assigndifferential variables as introduced in the analysis of 5-round Feistel structure This step is varying according todifferent block cipher structures However since most blockcipher structures iterate the same round structure for severaltimes these variables are regular and easy to implement ina computer program As in the analysis of 5-round Feistelstructure the input difference of a nonlinear permutation isdenoted by variable 119883119894 and the output difference is denotedby variable 119884119894 Thus if we see a variable 119884119894 it must be someoutput difference of a nonlinear permutation

For a block cipher structure with 119903 rounds there are 119901variables 119883119894 0 le 119894 le 119901 and 119902 numbers of variables 119884119894 1 le119894 le 119902 The numbers 119901 and 119902 are determined by the roundstructure and the round number 119903 For the 119903-round Feistelstructure 119901 = 119903 + 2 and 119902 = 119903 We first denote all variables ina variable vector as119883 = (1198830 119883119901minus1 1198841 119884119902) (3)

and then linear equations in systemS can bewritten as119872119883 =0 where119872 is a 119896119903 times (119901 + 119902)matrix over 1198652 and 0 is a (119901 + 119902)-dimensional zero vector where 119896 is the number of linearequations in one round of the block cipher structure Theaugmented matrix of these linear equations is 119861 = [119872 | 0]For the 5-round Feistel structure the augmented matrix 119861 isdenoted in Table 1

The set of constraints in S can be maintained as a mapN Let id(119883119894) denote the index of the variable 119883119894 in vector119883 given a constraint 119883119894 sim 119884119894 we add (id(119883119894) id(119884119894)) into

the map N For the 5-round Feistel structure N =⟨1 7⟩ ⟨2 8⟩ ⟨3 9⟩ ⟨4 10⟩ ⟨5 11⟩ In the real implemen-tation it is noted that for most block cipher structuresthe distance between constraints 119883119894 and 119884119894 is fixed anddetermined by the round structure and the round numberthat is id(119884119894) minus id(119883119894) is a constant For example the distanceof constraints 119883119894 and119884119894 for a 119903-round Feistel structure is 119903+1Thus themapN is not needed to be implemented but only thefixed index distance is neededThis observation facilitates thereal implementation of the algorithm

43 Determine the Solvability of S In the beginning weassign a symbol ldquordquo to each variable in the variable vector119883 which means every variable is undetermined Given adifferential pair (Δin Δout) we need to check if there existsolutions of the system S with the initial value (Δin Δout)We first need to initialize the variable vector 119883 accordingto (Δin Δout) As in the 5-round Feistel structure for adifferential pair Δin = (119886 0) Δout = (119886 0) the variablevector119883 is initialized as follows1198830 1198831 1198832 1198833 1198834 1198835 1198836 1198841 1198842 1198843 1198844 1198845a 0 0 a For a constraint 119883119894 sim 119884119894 the algorithm updates (119883119894 119884119894)

and detects contradictions as follows

(i) The value119883119894 is updated(a) If119883119894 = 0 and 119884119894 = then 119884119894 is set to 0(b) If 119883119894 is a nonzero symbol and 119884119894 = then 119884119894 is

set to the nonzero symbol ldquolowastrdquo(c) If 119883119894 = 0 and 119884119894 is an nonzero symbol then we

obtain a contradiction

(ii) The value 119884119894 is updated(a) If 119884119894 = 0 and119883119894 = then119883119894 is set to 0(b) If 119884119894 = 0 and 119883119894 is an nonzero symbol then we


We use oplus to denote the symmetrical difference (Xor) of1198831 and 1198832 For example if 1198831 = 1198861 and 1198832 = 1198871 then1198831 oplus1198832 = 1198861 1198871 if1198831 = 1198861 and1198832 = 0 then1198831 oplus1198832 =1198861 if1198831 = 1198861 and1198832 = 1198861 1198871 then1198831 oplus 1198832 = 1198871The function UpdateMatrix(119861119883) updates the augmen-

ted matrix 119861 according to the variable vector 119883 If the 119894thvariable in 119883 is 0 then the corresponding 119894th column of 119861is set to a zero vector As in [21] this method keeps solutions


Update the augmented matrix 119861 according to the variable vector 119883(1)119870 larr the size of119883(2) for 119894 larr 0 to 119870 minus 1 do(3) 119905 larr 119883[119894](4) if 119905 is 0 then(5) Every element of the 119894th column of 119861 is set to 0(6) else if 119905 is not ldquordquo and 119905 is not ldquolowastrdquo then(7) 119871 larr the number of rows of 119861(8) for 119903 larr 0 to 119871 minus 1 do(9) if 119861[119903 119894] is 1 then(10) 119861[119903 119894] larr 0(11) 119861[119903 119870 minus 1] larr 119861[119903 119870 minus 1] oplus 119905(12) end(13) end(14) end(15) end

Algorithm 1 Function UpdateMatrix(119861119883)of the augmented matrix 119861 unchanged If 119883119894 is not in the set0 lowast we check each row of 119861 if the value of the 119894th columnat the 119903th row 119861119903119894 is 1 then we set Xor 119883i to the last elementof the 119903th row of 119861 and set 119861119903119894 to 0 (Algorithm 1)

The function UpdateVector(119883N 119895 119869) updates the 119895thvariable 119883119895 with the value 119869 at the same time all constraintsin N are maintained As described in the beginning of thissubsection the function updates 119883119895 with the value 119869 bychecking each constraint inN and returns true if it succeedsor false if there is a contradiction There are many subcasesas described in the detailed algorithm During the updatingprocess theremay be contradictions For example if119883119895 = 119886and 119869 = 119886 119887 which means 119869 = 119886 oplus 119887 there is a contradictionsince 119886 oplus 119887 can never be 119886 If 119869 is 0 but the correspondingvariable which is the sbox output of 119883119895 is nonzero or 119869 is 0but the corresponding variable which is the sbox input of119883119895is nonzero there will be contradictions (Algorithm 2)

The function ReducedRowEchelon(119861) transforms the 120580 times120581 matrix 119861 into the reduced row echelon form by Gauss-Elimination algorithmNote that every element in the first 120581minus1 columns of 119861 is in F2 while elements in the last column of 119861are represented by a set of symbolsThus the Xor operation inthe last column of 119861 is the symmetrical difference operationThe readers can refer to [32] for the detailed algorithm oftransforming a matrix into the reduced row echelon form

The detailed algorithm for checking if a differential isimpossible is described in Algorithm 3 In Algorithm 3the variable vector 119883 is first initialized according to thedifferential pair (Δin Δout) and the constraint array NThen the algorithm continues checks if there is a contra-diction with a loop test until 119861 and 119883 are not updatedany more During the loop the algorithm first updates 119861according to 119883 by the UpdateMatrix(119861119883) function andthen transforms 119861 into the reduced row echelon formby the ReducedRowEchelon(119861) function to see if 119861 hassolutions If 119861 has no solutions the algorithm obtains a

contradiction and stops Otherwise if there exists a solutionfor a variable from the reduced row echelon form theindex and the value of the variable are denoted as (119895 119869)The algorithm updates the variable vector 119883 with (119895 119869)by the UpdateVector(119883N 119895 119869) function if the updatingprocess returns false a contradiction is obtained and thealgorithm stops otherwise the algorithm continues to run

44 Complexity For the 120580 times 120581 matrix 119861 and the 120581 minus 1 di-mension vector 119883 the time complexity of the func-tion UpdateMatrix is 120580 sdot 120581 the time complexity of the func-tion ReducedRowEchelon is 1205802 sdot 120581 and the time complexityof the function UpdateVector is a constant 119888 while loopcontinues running 1205812 times since there at most 120581 minus 1 valuesin119883 and in each loop either 2 variables are updated or there isa contradictionThus the total complexity of the algorithm is(1198882) sdot 12058021205812 where 119888 is a small constant The space complexityis dominated by storing the matrix 119861 and is about 120580 sdot 120581 Thetime complexity of the Wu-Wang method is 119879 sdot 12058021205812 and this119879 is much larger than our 119888 The Wu-Wang method stores3 matrices thus its space complexity is at least triple ourmethod

45 Comparison with Previous Method In [31] Wu andWang proved that the U-method and the UID method arespecific cases of theWu-Wang methodThey found that theirmethod can find longer impossible differential for the MIBScipher than by U-method and the UID method Howeverin the UID method for an impossible differential pair((Δ1198681 Δ119868119899) (Δ1198741 Δ119874119899)) the relationship betweeninput variables and output variables is considered since UIDmethod uses symbols to denote values For example the UIDmethod considers the relation between Δ119868119894 and Δ119874119895 andchecks if they are equal however the U-method and Wu-Wang method only use 0 and 1 to denote zero and nonzero


Update the variable vector 119883 according to the variable (119895 119869) where 119869 is the value

of the 119895th variable in 119883N is the array of constraintsinput the variable vector119883 the constraint arrayN (119895 119869)output A boolean flag indicates if the update procedure success

(1) flaglarrtrue(2) foreach 119886 isin N do(3) 1198960 larr 119886[0] 1198961 larr 119886[1](4) if 119895 is equal to 1198960 then(5) if 119869 oplus 1198831198960 is not 0 then(6) flaglarrfalse Ex 119869 = 119886 oplus 119887 but 1198831198960 = 119886 a contradiction(7) return flag(8) else if 119869 is 0 and 1198831198960 is then(9) if 119883[1198961] is not 0 then flaglarrfalse(10) return flag(11) end(12) 1198831198960 larr 0 1198831198961 larr 0(13) else if 119869 is a nonzero value then(14) 1198831198960 larr 119869 1198831198961 larr lowast(15) end(16) else if 119895 is equal to 1198961 then(17) if 119869 oplus 1198831198961 is not 0 then flaglarrfalse(18) return flag(19) else if 1198831198961 is and 119869 is 0 then(20) 1198831198961 larr 0 1198831198960 larr 0(21) end(22) end(23) end(24) return flag

Algorithm 2 Function UpdateVector(119883N 119895 119869)values which omit the relationship between input and outputdifferentials

Our improved method combines the advantages of theUID method and Wu-Wang method Every impossible dif-ferential found by the UID method and Wu-Wang methodcan be found by our improved method As Wu and Wangrsquosmethod impossible differentials found by our improvedmethod must be correct if the algorithm is implementedcorrectly Compared with Wu and Wangrsquos method ourimproved method is more complete The symbol representa-tion of a difference can represent more relationships betweendifferent difference values Thus it can find more impossibledifferentials and the matrix 119861 does not change with differentvalues of (Δin Δout) in the beginning of the algorithm whilein theWu-Wang method to add linear relationships betweennonzero values in (Δin Δout) thematrix 119861must change withdifferent values of (Δin Δout) This will consume more timeduring the run of the algorithm

The most time consuming part in the algorithm is thematrix operation To check if the augmented matrix has anysolutions theWu-Wangmethodneeds to compute the rank ofthe matrices119872 and 119861 We show that this step is not requiredsince we can check the solvability of the system from thereduced row echelon form of the matrix 119861 as introduced

in the preliminaries section Thus our improvement largelyreduces the search time of finding impossible differentials ofa block cipher structure

5 Applications and Experiment Results

We implement the algorithm in java language and apply itto many block cipher structures including Gen-CAST256[33] Misty [25] Gen-Skipjack [23] Four-Cell [24] Gen-MARS [33] Gen-RC6 [33] SMS4 [34] MIBS [26] Camellialowast[27 31] LBlock [28] E2 [29] and SNAKE [30] We presentthe java code of this algorithm and complete impossibledifferential results in GitHub [35] To reduce the space of thispaper we present some of the impossible differential resultsin Table 2 The file Impossible Differentialtxt in [35] lists thecomplete impossible differential results for these block cipherstructures Most impossible differentials discovered by ouralgorithm are the same as the Wu-Wang method

Moreover for the 8-round MIBS we find new 4 impos-sible differentials which are not found by the Wu-Wangmethod since these 4 new impossible differentials are notsimple truncated impossible differentials MIBS is a 16-subblock Feistel structure with substitution and permutation


input A differential pair (Δin Δout) and the system S

output A boolean flag indicates if (Δin Δout) is an impossible differential(1) 119861 is the 120580 times 120581 augmented matrix of S(2)119883 is the 120581 minus 1 dimension variable vector(3)N is the map of constraints of S(4) flaglarrfalse(5) indexlarrtrue(6) Initialize every variable in119883 according to (Δin Δout) and the constraints inN(7) while index do(8) UpdateMatrix (119861119883) Update 119861 according to 119883lowast Transform 119861 into the reduced-row-echelon form by Gauss-Jordan Elimination lowast(9) ReducedRowEchelon (119861)(10) if 119861 has no solution then(11) flaglarrtrue(12) break(13) else(14) indexlarr false(15) countlarr 0(16) for 119894 larr 120580 to 1 do(17) 997888rarrV larr Row 119894 of 119861(18) if the sum of the first 120581 minus 1 elements of 997888rarrV is 1 then(19) 119895 larr the index of the element 1 in 997888rarrV (20) 119869 larr the last element of 997888rarrV the solution of the 119895th variable in 119883(21) lowast update the variable vector 119883 with (119895 119869) and return true if there is

no contradiction and return false otherwise lowast(22) 119887 larrUpdateVector (119883N 119895 119869)(23) if 119887 is false then(24) flaglarr true(25) return flag(26) else(27) indexlarr true(28) end(29) end(30) end(31) end(32) end(33) return flag

Algorithm 3 The algorithm for checking an impossible differential

Table 2 Summary of impossible differentials (IDs) of some well-known block ciphers structures found by different methods

Block cipher UID [14] Wu-Wang [31] This paperGen-Skipjack 16 (0 0 0 119886)99942499942699945616(119887 0 0 119887) mdash Same as UIDGen-CAST256 19 (0 0 0 119886)99942499942699945619(119886 0 0 0) mdash Same as UIDFour-Cell 18 (119886 0 0 0)99942499942699945618(119887 119887 0 0) mdash Same as UIDGen-MARS 11 (0 0 0 119886)99942499942699945611(119886 0 0 0) mdash Same as UID

Gen-RC6 9 (0 0 119886 0)9994249994269994569(0 119886 0 0) mdash Same as UID9 (119886 0 0 0)9994249994269994569(0 0 0 119886)

SMS4 11 (0 0 0 119886)99942499942699945611(119886 0 0 0) mdash Same as UIDMisty mdash mdash 4 (0 119886)9994249994269994564(119887 119887)SNAKE mdash mdash 11 (0 0 0 0 0 0 119886 0)99942499942699945611(0 0 119887 0 0 0 0 0)Camellialowast mdash 8-round 4 IDs Same as Wu-WangMIBS mdash 8-round 6 IDs 8-round 10 IDsLBlock mdash 14-round 80 IDs Same as Wu-WangE2 mdash 6-round 56 IDs Same as Wu-Wang


Table 3 Impossible differentials for 8-round MIBS There are 4 new found impossible differentials 119886 and 119887 are nonzero values and 119886 and 119887can have the same value

Number Δin Δout Reference1 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (119887 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)

This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]

8 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0)9 (0 0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)10 (0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 119886) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0)(SP) round function In the SP round function the 8 sub-blocks are first substituted by 8 sboxes then an 8 times 8 matrixis applied as the permutation The permutation matrix 119875 is

((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)

There are total 10 impossible differentials found for 8-roundMIBS by our improved algorithm The new four 8-roundimpossible differentials found are listed in Table 3

Compare with Wu and Wangrsquos algorithm this improve-ment is more general since it not only finds more impossibledifferentials for a block cipher structures but also has betterefficiency The results for MIBS are obtained on a 266GHzprocessor with MAGMA package in a few hours by Wu andWangrsquos algorithm [31] However our results for MIBS areobtained on a 220GHz processor in java language in lessthan 10 seconds Thus the algorithm presented in this paperis more efficient than Wu and Wangrsquos algorithm

6 Conclusion

In this paper we improve Wu and Wangrsquos algorithm forfinding impossible differentials of block cipher structuresThe improved method is more general than Wu and Wangrsquosmethod where it can find more impossible differentials withless time We apply this method to many block cipher struc-turesThe experiment results show that this improvement canlargely reduce the search time for the impossible differentialsof a block cipher since there are known relationships betweenimpossible differential and integral and zero correlationlinear cryptanalysis [22 36 37] This method can be used asa cryptanalytic tool to evaluate the security of a block cipheragainst these kinds of cryptanalysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Yiyuan Luo was supported by NSFC (61402280) and Aca-demic Discipline Project of Shanghai Dianji University(16YSXK04) Xuejia Lai was supported by NSFC (6127244061472251 and U1536101) China Postdoctoral Science Foun-dation (2013M531174 2014T70417) National CryptographyDevelopment Fund MMJJ20170105 and Science and Tech-nology on Communication Security Laboratory

References

[1] E Biham A Biryukov and A Shamir ldquoCryptanalysis ofSkipjack reduced to 31 rounds using impossible differentialsrdquoJournal of Cryptology The Journal of the International Associa-tion for Cryptologic Research vol 18 no 4 pp 291ndash311 2005

[2] L R Knudsen ldquoDEAL-A 128-bit block cipherrdquo Tech Rep 151Department of Informatics University of Bergen 1998

[3] R Zong X Dong andXWang ldquoImpossibleDifferential Attackon Simpira v2rdquo Science China Information Sciences 2017

[4] L Cheng B Sun and C Li ldquoRevised cryptanalysis for sms4rdquoScience China Information Sciences vol 60 no 12 article 1221012017

[5] Y Dai and S Chen ldquoCryptanalysis of full PRIDE block cipherrdquoScience China Information Sciences vol 60 no 5 052108 12pages 2017

[6] W Zhang Z Bao D Lin V Rijmen B Yang and I Ver-bauwhede ldquoRECTANGLE a bit-slice lightweight block ciphersuitable for multiple platformsrdquo Science China InformationSciences pp 1ndash15 2015

[7] G-Q Liu and C-H Jin ldquoAlgebraic techniques in slender-setdifferential cryptanalysis of PRESENT-like cipherrdquo ScienceChina Information Sciences vol 59 no 9 Article ID 99104 2016

[8] T Lin X Lai W Xue and G Huang ldquoDiscussion on thetheoretical results of white-box cryptographyrdquo Science ChinaInformation Sciences vol 59 no 11 Article ID 112101 2016

[9] Y Ding J Zhao L Li and H Yu ldquoImpossible differentialanalysis on round-reduced PRINCErdquo Journal of InformationScience and Engineering vol 33 no 4 pp 1041ndash1053 2017


[10] W Wu L Zhang and X Yu ldquoThe DBlock family of block ci-phersrdquo Science China Information Sciences vol 58 no 3 2015

[11] C Boura M a Naya-Plasencia and V Suder ldquoScrutinizingand improving impossible differential attacks applicationsto CLEFIA Camellia LBlock and Simonrdquo in Advances incryptologymdashASIACRYPT 2014 Part I vol 8873 of Lecture Notesin Comput Sci pp 179ndash199 Springer Berlin Germany 2014

[12] J Kim S Hong J Sung S Lee J Lim and S Sung ldquoImpos-sible differential cryptanalysis for block cipher structuresrdquo inProgress in cryptologymdashINDOCRYPT 2003 vol 2904 of LectureNotes in Comput Sci pp 82ndash96 Springer Berlin Germany2003

[13] J Kim S Hong and J Lim ldquoImpossible differential cryptanal-ysis using matrix methodrdquoDiscrete Mathematics vol 310 no 5pp 988ndash1002 2010

[14] Y Luo X Lai Z Wu and G Gong ldquoA unified method forfinding impossible differentials of block cipher structuresrdquoInformation Sciences vol 263 pp 211ndash220 2014

[15] H Yap ldquoImpossible differential characteristics of extendedfeistel networks with provable security against differentialcryptanalysisrdquo Communications in Computer and InformationScience vol 29 pp 103ndash121 2009

[16] G Liu C Jin and Z Kong ldquoKey recovery attack for PRESENTusing slender-set linear cryptanalysisrdquo Science China Informa-tion Sciences vol 59 no 3 Article ID 32110 2016

[17] R Zhao R Zhang Y Li and B Wu ldquoConstruction of MDSblock diffusion matrices for block ciphers and hash functionsrdquoScience China Information Sciences vol 59 no 9 Article ID99101 099101 3 pages 2016

[18] T P Berger M Minier and G Thomas ldquoExtended generalizedFeistel networks using matrix representationrdquo in Selected areasin cryptographymdashSAC 2013 vol 8282 of Lecture Notes inComput Sci pp 289ndash305 Springer Berlin Germany 2014

[19] T P Berger andMMinier ldquoSome results using thematrixmeth-ods on impossible integral and zero-correlation distinguishersfor Feistel-like ciphersrdquo inProgress in cryptologymdashINDOCRYPT2015 vol 9462 of Lecture Notes in Comput Sci pp 180ndash197Springer 2015

[20] C Blondeau and M Minier ldquoAnalysis of impossible integraland zero-correlation attacks on type-II generalized feistel net-works using the matrix methodrdquo Lecture Notes in ComputerScience (including subseries LectureNotes inArtificial Intelligenceand Lecture Notes in Bioinformatics) vol 9054 pp 92ndash113 2015

[21] S Wu andMWang ldquoAutomatic search of truncated impossibledifferentials for word-oriented block ciphersrdquo in Progress incryptologymdashINDOCRYPT 2012 vol 7668 of Lecture Notes inComput Sci pp 283ndash302 Springer Heidelberg 2012

[22] B Sun Z Liu V Rijmen et al ldquoLinks among impossibledifferential integral and zero correlation linear cryptanalysisrdquoin Advances in cryptologymdashCRYPTO 2015 Part I vol 9215of Lecture Notes in Comput Sci pp 95ndash115 Springer BerlinGermany 2015

[23] J Sung S Lee J Lim S Hong and S Park ldquoProvable secu-rity for the Skipjack-like structure against differential crypt-analysis and linear cryptanalysisrdquo in Advances in cryptologymdashASIACRYPT 2000 (Kyoto) vol 1976 of Lecture Notes in ComputSci pp 274ndash288 Springer Berlin Germany 2000

[24] J Choy G Chew K Khoo and H Yap ldquoCryptographicproperties and application of a generalized unbalanced feistelnetwork structurerdquo Lecture Notes in Computer Science (includ-ing subseries Lecture Notes in Artificial Intelligence and LectureNotes in Bioinformatics) vol 5594 pp 73ndash89 2009

[25] M Matsui ldquoNew block encryption algorithm MISTYrdquo in FastSoftware Encryption vol 1267 of Lecture Notes in ComputerScience pp 54ndash68 Springer-Verlag 1997

[26] M Izadi B Sadeghiyan S S Sadeghian and H A KhanookildquoMIBS A new lightweight block cipherrdquo Lecture Notes inComputer Science (including subseries Lecture Notes in ArtificialIntelligence and Lecture Notes in Bioinformatics) vol 5888 pp334ndash348 2009

[27] K Aoki T Ichikawa M Kanda et al ldquoCamellia a 128-bit blockcipher suitable for multiple platformsmdashdesign and analysisrdquo inSelected areas in cryptography (Waterloo ON 2000) vol 2012of Lecture Notes in Comput Sci pp 39ndash56 Springer BerlinGermany 2001

[28] WWu and L Zhang ldquoLBlock A lightweight block cipherrdquo Lec-tureNotes in Computer Science (including subseries LectureNotesin Artificial Intelligence and LectureNotes in Bioinformatics) vol6715 pp 327ndash344 2011

[29] M Kanda S Moriai K Aoki et al ldquoE2-A new 128-bit blockcipherrdquo IEICE Transactions Fundamentals - Special Section onCryptography and Information Security vol E83-A no 1 pp48ndash59 2000

[30] C Lee and Y Cha ldquoThe block cipher SNAKE with provableresistance against DC and LC attacksrdquo in JW-ISC 1997 pp 3ndash171997

[31] S Wu andMWang ldquoAutomatic search of truncated impossibledifferentials for word-oriented block ciphersrdquo httpeprintiacrorg2012214pdf

[32] RosettacodeOrg How to compute the reduced row echelonform of a matrix httprosettacodeorgwikiReduced rowechelon form

[33] S Moriai and S Vaudenay ldquoOn the pseudorandomness of top-level schemes of block ciphersrdquo in Advances in cryptologymdashASIACRYPT 2000 (Kyoto) vol 1976 of Lecture Notes in ComputSci pp 289ndash302 Springer Berlin Germany 2000

[34] SMS4 Specication of SMS4 block cipher for WLAN productsSMS4 Avaiable at httpwwwosccagovcnUpFile200621016-423197990pdf

[35] Y Luo Source codes and results for finding impossible differen-tials for block cipher structures httpsgithubcomianrooim-possibledifferential

[36] A Bogdanov L R Knudsen G Leander F-X Standaert JSteinberger and E Tischhauser ldquoKey-alternating ciphers in aprovable setting encryption using a small number of publicpermutations (extended abstract)rdquo in Advances in cryptologymdashEUROCRYPT 2012 vol 7237 of Lecture Notes in Comput Scipp 45ndash62 Springer Berlin Germany 2012

[37] C Blondeau A Bogdanov and M Wang ldquoOn the (in)equi-valence of impossible differential and zero-correlation distin-guishers for Feistel- and Skipjack-type ciphersrdquo in AppliedCryptography and Network Security vol 8479 of Lecture Notesin Computer Science pp 271ndash288 Springer-Verlag 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



middle The U method [12 13] and the UID method [14]both belong to this category In the U method and the UIDmethod the adversary first represents the block cipher struc-ture as a matrix then given a differential pair (Δin Δout)he calculates the 119898-round intermediate difference from Δinforwardly and the (119903 minus 119898)-round intermediate differencefrom Δout backwardly by the matrix method If there is acontradiction for these two intermediate differences then animpossible differential (Δin999424999426999456119903Δout) is verified Representinga block cipher by the matrix has been a popular methodin impossible differential and integral and zero correlationlinear cryptanalysis [8 10 15ndash20]

In [21] Wu and Wang extend the U-method and UIDmethod to a more generalized method which does not usethemiss in themiddle approachThey treat the 119903-round blockcipher structure as a system of equations which describe thepropagation behavior of differences in the inner primitivesespecially sbox permutations or branch swapping of theblock cipher structure To judge if a truncated differential(Δin Δout) is impossible they predict information aboutunknown variables from the known ones iteratively Finally atruncated differential is verified by checking the constrainedconditions in the system This method is similar to a linearprogramming method for solving optimization problems

In [22] Sun et al show that Wu and Wangrsquos automaticsearchmethod can find all impossible differentials of a cipherthat are independent of the choices of the inner primitivesHowever Wu andWangrsquos method can only find all truncatedimpossible differentials since the choice of truncated differ-ence may result in missing some impossible differentialsWu and Wangrsquos method only considers differences Δin =(1199091 119909119899) and Δout = (1199101 119910119899) where 119909119894 and 119910119894are zero or nonzero values They assign an indicator toindicate the choice of 119909119894 and 119910119894 representing by 0 a subblockwithout difference and by 1 a subblock with a difference Therelationships between nonzero differences have been omittedFor example 119910119894 may be equal to some 119909119895 where 1 le 119894 119895 le 119899If some linear constraints between nonzero variables in Δinand Δout are needed Wu and Wang claimed their methodcould still work by translating all linear constraints into thesystem of equations However this method increases the runcomplexity and implementation of the search method Sinceit changes the equation system for every value of (Δin Δout)and if the relationship between Δin and Δout is complicatedthe matrix will be very large

The idea of the UID method is that it represents thedifferential with symbols and utilizes the propagation prop-erty of the linear accumulated symbols The idea of theWu-Wang method is to utilize solving linear equations todetermine an impossible differential We show that the Wu-Wang method can be improved by combining the idea ofthe UID method and Wu-Wang method Instead of using 1to represent the nonzero difference we use a letter symbolto represent a difference and different symbols representdifferent nonzero values This method can represent morerelationships between these subblocks For example if Δin =(119886 0 0 119886) and Δout = (119886 0 0 119887) for a 4-subblock structurewhere 119886 and 119887 are different nonzero values then we have1199091 = 1199094 = 1199101 and 1199104 = 1199091 In our method the matrix of

the system does not need to be changed with (Δin Δout) Wealso improve theWu-Wang method by simplifying the test ofwhether there are solutions for linear systems Since the mosttime consuming part is the matrix operation our improvedmethod can find more impossible differentials in less time

We implement themethod in java language and apply it tomany block cipher structures including Gen-CAST256 [15]Gen-Skipjack [23] Four-Cell [24] Gen-MARS [12] Gen-RC6 [23] SMS4 [14] Misty [25] MIBS [26] Camellialowast [27]LBlock [28] E2 [29] and SNAKE [30] ones For these blockciphers we rediscover all known impossible differentialsEspecially for the 8-round MIBS cipher we find 4 newimpossible differentials which are not listed in Wu andWangrsquos work Our improvement largely reduced the run timefor finding impossible differentials In [31] the results forMIBS LBlock and E2 are obtained in a few hours on a266GHz processor with MAGMA package However ourresults for MIBS LBlock and E2 are obtained within 10seconds on a 220GHz processor

2 Preliminaries

In this section we introduce some basic concepts and notionsused in this paper We first introduce the block cipherstructures Next we review the solvability of a system of linearequations

21 Block Cipher Structures There are mainly two blockcipher structures which are the Feistel structure and its gen-eralizations and the substitute permutation network (SPN)The round function of most of those structures consistsof three basic operations the sbox look-up the exclusive-or addition (Xor) and the branch swapping where theonly nonlinear component is the sbox look-up operationIn differential cryptanalysis the Xor differences of plain-textciphertext pairs are considered we omit the key andconstant addition since they have no relevance to ouranalysis We assume that a block cipher structure has 119899subblocks (branches) and the input and output differ-ences are denoted by (Δ1199091 Δ119909119899) and (Δ1199101 Δ119910119899)respectively

22 The Solvability of a Linear System Now we reviewthe basics in linear algebra of determining the solvabilityof a system of linear equations Let 119898 119899 be two positiveintegers 119898 lt 119899 let 119860119909 = 119887 be a system of 119898 linearequations with 119899 variables where 119860 is 119898 times 119899 matrix overF2 and 119909 = (1199091 119909119899) and 119887 = (1198871 119887119898) aretwo bit vectors then the augmented 119898 times (119899 + 1) matrix119861 = [119860 | 119887] can determine the solvability of the linearsystem

A regular method is to deduce the reduced row echelonform (aka row canonical form) ofmatrix119861 byGauss-Jordanelimination algorithm The reduced row echelon form of amatrix is unique and denoted by 1198611015840 One starts to check 1198611015840from the last row to the first to see if there exists a row inwhich the first 119899 entries are zeros and the last entry is nonzeroIf there are such rows then the linear system has no solution



1198611015840 = (1 0 0 11988710 1 0 11988720 0 0 1198873) (1)





(2)



X0

X1

X1

X2

X3

X4

X5X6

X2

X3

X4

Y1

Y2

Y3

Y4

Y5

F1

F2

F3

F4

F5




























































This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











1198611015840 = (1 0 0 11988710 1 0 11988720 0 0 1198873) (1)





(2)



X0

X1

X1

X2

X3

X4

X5X6

X2

X3

X4

Y1

Y2

Y3

Y4

Y5

F1

F2

F3

F4

F5




























































This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




























































This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









































This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation
































This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation





















This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












This paper2 (0 0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0) (0 0 0 0 119887 0 0 119887 0 0 0 0 0 0 0 0)3 (0 0 0 0 0 0 0 0 119886 0 0 0 0 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)4 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 119886) (0 0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0)5 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 119887 0 0 0 0 0 0 0 0 0 0 0)6 (0 0 0 0 0 0 0 0 0 0 119886 0 0 0 0 0) (0 0 0 0 0 0 0 119887 0 0 0 0 0 0 0 0)7 (0 0 0 0 0 0 0 0 0 0 0 0 119886 0 0 0) (0 0 119887 0 0 0 0 0 0 0 0 0 0 0 0 0) [31]


((((((((((((

1 1 0 1 1 0 1 10 1 1 1 1 1 1 01 1 1 0 1 1 0 10 1 1 1 0 0 1 11 0 1 1 1 0 0 11 1 0 1 1 1 0 01 1 1 0 0 1 1 01 0 1 1 0 1 1 1

))))))))))))

(4)



6 Conclusion




Acknowledgments


References







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Documents

Improvements for Finding Impossible Differentials of Block ...downloads.hindawi.com/journals/scn/2017/5980251.pdf · SecurityandCommunicationNetworks 3 Forexample,iftheaugmentedmatrix𝐵ofalinearsystemin