Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are m-dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation (SP) and Substitution Permutation Substitution (SPS) types, they are called CAST256SP/CAST256SPS andMARSSP/MARSSPS, respectively. For CAST256SP/CAST256SPS, the best known result for the length of the impossible differential distinguisher was (m2 + m)/(m2 + m − 1) rounds, respectively. With the help of the linear layer P, we can construct (m2 + m + Λ0)/(m + m + Λ1)-round impossible differential distinguishers, where Λ0 and Λ1 are non-negative numbers if P satisfies some restricted conditions. For MARSSPS, the best known result for the length of the impossible differential distinguisher was (3m − 1) rounds. We can construct 3m-round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.