Impossible Differential Cryptanalysis and A Security Evaluation Framework For and-RX Ciphers

This paper proposes a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis, focusing on determining the theoretical upper, lower, and practical boundaries of impossible differential distinguishers. The framework utilizes matrix-based methods to calculate these boundaries and has been validated through applications on various ciphers, revealing that some ciphers have reached their provable security boundaries while others can yield longer distinguishers. The study highlights the limitations of existing methods and introduces new approaches for evaluating the security of AND-RX ciphers.


IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 70, NO. 8, AUGUST 2024 6025

Impossible Differential Cryptanalysis and a Security Evaluation Framework for AND-RX Ciphers

Kai Zhang, Senpeng Wang, Xuejia Lai, Lei Wang, Jie Guan, Bin Hu, and Tairong Shi

Abstract— In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (short for ID) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications; this calculation does not depend on the actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness of each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers, and this is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four cipher families, SIMON, Simeck, Friet-PC and SAND, are investigated. For SIMON and Simeck, the lengths of the current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and the current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend the previous longest IDs by one round, and all these newly proposed distinguishers reach the corresponding provable security boundaries. For Simeck, the length of the longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increase in quantity can reach 300%. Besides, the practical boundary of SIMON is investigated; the results indicate that for SIMON, the practical boundary is identical to the provable security boundary and to the boundary derived with the automatic searching method.

Index Terms— Block cipher, impossible differential cryptanalysis, provable security boundary, automatic searching method, K3-framework.

I. INTRODUCTION

A. Background

Cryptanalysis is essential for evaluating the security level of newly proposed block ciphers. As one of the most effective cryptanalytic methods on block ciphers, impossible differential cryptanalysis was originally proposed by Knudsen [1] and Biham [2] respectively. The basic idea of impossible differential cryptanalysis is establishing an impossible differential distinguisher, and filtering the wrong key candidates with this distinguisher in the key recovery phase until the correct key is recovered. The provable security boundary investigation and the automatic searching method for IDs are two important approaches for the security evaluation of block ciphers. The former explores the upper boundary and the latter explores the lower boundary for impossible differential distinguishers.

There are many new design strategies for symmetric ciphers, and the AND-RX cipher is a notable class among them. This kind of cipher only consists of three operations – AND, Rotation and XOR. There are many famous AND-RX ciphers: for block ciphers, SIMON (NSA, 2013) [3] and Simeck (CHES, 2015) [4]; for stream ciphers, Trivium (eSTREAM finalist, 2006) [5] and Grain (eSTREAM finalist, 2007) [6]; for hash functions, Keccak (SHA-3, 2009) [7]; for authenticated encryption, Friet (EUROCRYPT 2020) [8], ACORN (CAESAR finalist, 2014) [9] and TinyJAMBU (NIST Lightweight Cryptography finalist, 2019) [10].

In this paper, as impossible differential cryptanalysis is mainly used on block ciphers or some specifically designed permutations, these two kinds of ciphers are our targets. Unlike traditional block ciphers, AND-RX ciphers do not have an Sbox or modular addition as non-linear components. As the current security evaluation against impossible differential cryptanalysis for this kind of cipher is not thorough enough, this is the starting point of our research.

B. Previous Work

The security evaluation methods for impossible differential cryptanalysis are generally classified into three categories:

Manuscript received 28 October 2022; revised 15 May 2023; accepted 22 June 2023. Date of publication 4 July 2023; date of current version 16 July 2024. This work was supported in part by the National Natural Science Foundation of China under Grant 61802437, Grant 61972248, Grant 62102448, Grant 61902428, and Grant 62202493; in part by the National Key Research and Development Program under Grant 2019YFB2101601; and in part by the China Post-Doctoral Science Foundation under Grant 2020M681314. (Corresponding authors: Kai Zhang; Xuejia Lai.)
Kai Zhang is with the Department of Applied Mathematics, PLA SSF Information Engineering University, Zhengzhou 450000, China, and also with the School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 201100, China (e-mail: [email protected]).
Senpeng Wang, Jie Guan, Bin Hu, and Tairong Shi are with the Department of Applied Mathematics, PLA SSF Information Engineering University, Zhengzhou 450000, China.
Xuejia Lai and Lei Wang are with the School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 201100, China (e-mail: [email protected]).
Communicated by T. Johansson, Associate Editor for Sequences and Cryptography.
This article has supplementary material provided by the authors and color versions of one or more figures available at https://doi.org/10.1109/TIT.2023.3292241.
Digital Object Identifier 10.1109/TIT.2023.3292241
0018-9448 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on January 10,2025 at 10:04:58 UTC from IEEE Xplore. Restrictions apply.

1) Automatic Searching Methods for Word-Oriented Ciphers: There is some literature modeling the truncated differential property of the internal states, mostly at word level and targeted at impossible differential cryptanalysis, which is represented by the U-method [11], [12], the UID-method [13] and the WW-method [14]. Precisely speaking, at INDOCRYPT 2003, Kim et al. proposed a matrix-based method (U-method) to model the truncated differential property at word level for impossible differential cryptanalysis [11]. There are mainly two limitations on this matrix-based method. The first one is that the matrix is limited to the "1-Property", which means that in each column of the matrix, the number of "1"s is at most one. This limitation has been removed by the UID-method proposed by Luo et al. in [13]. At INDOCRYPT 2012, Wu and Wang introduced the WW-method [14]; it generalizes these two methods by using a system of equations to describe the propagation behavior of the round function and detect potential contradictions. At CRYPTO 2015, Sun et al. proved that the WW-method can find all the impossible differential distinguishers without considering the details of the Sbox [15]. At CRYPTO 2016, Derbez and Fouque used a system of equations to describe the property of the targeted cipher; this method is applied to many block ciphers from byte-oriented to bit-oriented [16]. At ISPEC 2017, Shen et al. used a diffusion matrix to characterize the differential propagation property of a SIMON-type block cipher and investigated the dual property between impossible differential and zero-correlation linear distinguishers [17]. In 2018, Zhang et al. proposed an automatic searching method on ARX ciphers with a new type of operation to model the differential propagation property [18]. In 2021, based on MILP, Cui et al. introduced an automatic searching method considering the details of the differential property for the Sbox and modular addition [19]. In 2023, Zhang et al. proposed an automatic searching method for rotational differential cryptanalysis on AND-RX ciphers [44].

2) Provable Security Boundary for Word-Oriented Ciphers: At EUROCRYPT 2016, Sun et al. proved the provable security boundary of the SPN structure and the Feistel structure with SP-type round functions against impossible differential distinguishers for word-oriented block ciphers [20]. Their framework utilizes a characteristic matrix to describe the propagation property of the round function without considering the details of the Sbox. With this approach, Han et al. investigated the provable security boundary of IDs for several word-oriented block ciphers [21].

3) Practical Boundary for Impossible Differential Distinguishers: At EUROCRYPT 2017, Sasaki et al. proposed a new tool to search impossible differential distinguishers, and the new tool is slightly modified from the previous differential search tool [22]. This transfer ingeniously borrows the tool of differential cryptanalysis to improve impossible differential distinguishers. As differential cryptanalysis is complementary to impossible differential cryptanalysis, this strategy is regarded as approaching the boundary of impossible differential distinguishers with concrete differential distinguishers. And the existence of differential distinguishers is the practical boundary for impossible differential distinguishers.

Remark 1: When compared with the method in [22], there are mainly three differences for our framework. (1) Their method is designed for Sbox-based block ciphers. As AND-RX ciphers are not Sbox-based, their method cannot be applied to this kind of cipher directly. (2) Their method is based on MILP while our framework does not need any third-party solver. (3) As claimed by the authors in [22], for some of the distinguishers constructed with the method in [22], the reason for the contradiction is unclear, such as ID202, 203, 217 for Lilliput ([22, pp. 202, Remark]). But the contradiction for each distinguisher discovered by our framework is clear and is bound to exist. However, the idea of calculating the practical boundary with differential trails used in Section V originated from [22].

Remark 2: When compared with the method in [17], there are mainly three differences for our framework. (1) The method in [17] is specified for SIMON-like ciphers while the framework in this paper is designed for a wider range of block ciphers -"AND-RX ciphers". (2) Based on the construction method in [17], some of the up-to-date longest distinguishers cannot be constructed while the framework in this paper can. For example, in [28], some 15-round impossible differential distinguishers can be constructed for Simeck48 while in [17], the longest impossible differential distinguisher is 13-round (Table V, [17]). (3) The construction method in [17] is based on symbolic computation while ours is based on numeric computation. However, the idea of using a matrix to calculate the truncated differentials round by round is similar to the method in [17], which follows the routine of the U-method series such as [11], [12], and [13].

Remark 3: The provable security in this paper is based on the method of truncated differentials, under the assumption of the single-key model without considering the correlations of multiple AND operations. The "bound" and "tightness" are also treated under this assumption.

To sum up, the security evaluation field for impossible differential cryptanalysis has the following features.

• Automatic searching method. As AND-RX block ciphers are a relatively new design strategy, the majority of previous automatic searching methods are designed for word-oriented ciphers; if we want to describe them more accurately, such as at bit level, it is infeasible. The equation-based method in [16] can be used for bit-oriented block ciphers, but it is not very intuitive. The method in [17] has potential for automatic searching, but the problem is not further investigated.

• Provable security boundary. The provable security boundaries for some word-oriented block cipher structures such as the SP or Feistel structure with SP-type round function have been studied clearly in [20]. The provable security boundary for AND-RX ciphers, which are typical bit-oriented block ciphers, has not been investigated.

• Practical boundary. For integral cryptanalysis, the automatic method with division property [23], [24], [25] can already reach some experimentally verified practical boundaries [26], [27]. The method in [22] can be viewed as a kind of practical boundary for Sbox-based block ciphers. But the practical boundary for AND-RX


ciphers against impossible differential cryptanalysis is still unclear and needs to be further studied.

C. Our Contributions

Our overall contribution is establishing a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis, which is denoted as "K3". To construct the framework, the concept of the differential propagation matrix is introduced to model the transfer relationship of the truncated differential according to the round function. The concept of the matrix threshold XOR-multiplication operation is presented to cooperate with the differential propagation matrix and realize the calculation of the truncated differentials round by round.

1) Explore the Provable Security Boundary of IDs: All the previous ID-construction methods for AND-RX ciphers are summarized in two contradiction models - "direct contradiction" and "indirect contradiction". The security boundaries under these two models are given.

• To calculate the truncated differential round by round, the concept of the differential propagation matrix is introduced. Based on this matrix, the truncated differential reduced to R rounds can be easily calculated with a modified matrix multiplication (which is denoted as matrix threshold XOR-multiplication). Alongside, the concept of the truncated differential propagation index is introduced to roughly estimate the differential propagation property of the round function. The truncated differential propagation index is directly calculated from the differential propagation matrix.

• Based on the iteration of the differential propagation matrix, for the direct contradiction model, a tight provable security boundary is proposed with a detailed deduction from the iteration. For the indirect contradiction model, a loose provable security boundary is given based on the truncated differential propagation index. All these provable security boundaries can be calculated without the actual input or output difference.

• As applications, the provable security boundaries for four cipher families - SIMON, Simeck, Friet-PC and SAND - are calculated. For SIMON and Simeck, the boundary for direct contradiction matches all the current longest IDs based on direct contradiction. For Friet-PC and SAND, the provable security boundary is higher than the current longest distinguisher; this inconsistency will be explained and solved in (2).

2) Automatic Search of Longer IDs:

• Based on the differential propagation matrix and the matrix threshold XOR-multiplication operation, combined with a miss-in-the-middle approach, an automatic searching method is proposed. With this method, given an input and output difference, all the possible direct contradictions and indirect contradictions can be detected. For the indirect contradiction model, the undetermined differences of the internal states can be determined from the opposite side, or by secondary modification from these changes.

• The time complexity for this automatic searching method is analyzed. For direct contradiction, if the block size is $n$, the number of active bits for the input/output difference of the distinguisher is $n_1$/$n_2$, and the length of the targeted rounds is $R$, the total time complexity for the automatic searching method is $O\left(C_n^{n_1}\cdot C_n^{n_2}\cdot R\cdot n^3\right)$. The time complexity for indirect contradiction will be doubled.

• As applications, the impossible differential distinguishers on SIMON, Simeck, Friet-PC and SAND are explored. For SIMON and Simeck, the lengths of the IDs are not improved. For Friet-PC, 128 11-round IDs are discovered while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are presented. For SAND128, 456 14-round IDs are presented. Both the latter results extend the previous longest distinguishers by one round. For Simeck48/64, the increase in the number of newly discovered current longest IDs can reach 41.2%/300% respectively.

D. Calculate the Practical Boundary of IDs

• To validate whether the practical boundary has been achieved, a differential cryptanalysis-based method is introduced to approximate all the potential longest IDs with concrete differential trails. If at least one concrete differential trail exists for an input/output difference, it cannot be an ID. If all the potential IDs are differential distinguishers, no impossible differential distinguishers exist for this number of rounds and the practical boundary is thus derived.

• The practical boundaries for all variants of SIMON are investigated. For SIMON32/48/64/96/128, all the potential longest IDs for 12/13/14/17/20 rounds are concrete differential distinguishers, which means the practical boundaries for IDs on SIMON32/48/64/96/128 are 11/12/13/16/19. This result exactly matches our provable security boundaries for direct contradiction on SIMON. And this boundary is unlikely to be improved for SIMON.

Relationship Between the Three Boundaries: The provable security boundary is the upper boundary for an ID-construction method. The boundary derived with the automatic search method is the lower boundary for an ID-construction method. The practical boundary is the final actual boundary for IDs. These three boundaries validate the correctness of each other. However, each one has its own distinction. The provable security boundary is the most efficient one, implemented with only several matrix multiplications. The automatic searching method is the most direct one, which can reveal the structure and contradiction of an ID. The practical boundary is the ultimate one, beyond any ID-construction method, and it is unlikely to be further improved.

Compared with previous boundaries and automatic searching methods, our framework has the following advantages:

1) Bit-oriented. This framework is specifically designed for AND-RX ciphers and it is very suitable for this kind of bit-oriented cipher. Due to this property, it is more


accurate when evaluating the security level of this kind of cipher.

2) Tight. The provable security boundary calculated with this framework is tight. In most cases, it can match the practical boundary very well. The tightness of the boundary is validated by the method in Section V.

3) Completeness. Our automatic searching method can discover all the possible direct and indirect contradictions based on the current truncated differential properties. The contradiction construction method used in [28] is a special case of our method, and our searching method is more complete. The additional IDs discovered for Simeck in Section IV-C are provided as a proof. After finding more longest IDs, the attacker could use these new IDs to improve the cryptanalytic result with multiple impossible differential cryptanalysis.

4) Unified. The calculation of the provable security boundary and the automatic searching method are unified in one framework. It can give a more comprehensive security evaluation of AND-RX ciphers against impossible differential cryptanalysis.

5) Predictable. The time consumption of our automatic searching method is predictable. As pointed out in Sec. IV-B, the main time complexity mostly depends on the exhaustive search of possible input and output differences. For a single-bit difference, in the direct contradiction model, the time complexity is $O(R\cdot n^5)$, which can be realized by a computer in practical time to try all the possible impossible differential distinguishers efficiently.

6) Final. The provable security boundary or the boundary derived with automatic searching is limited to the ID-construction method. If a more accurate construction method is introduced, these two boundaries can possibly be further improved. However, the practical boundary is final for any ID-construction method, whether it is currently known or not. And the practical boundary for IDs is rarely discussed in the previous literature.

Paper Outline: Section II presents the preliminaries. Section III proposes a method to calculate the provable security boundaries on AND-RX ciphers for IDs in the direct and indirect contradiction models. Section IV presents an automatic ID-searching method. Section V proposes a method to derive the practical boundary of IDs. Section VI concludes the paper.

II. PRELIMINARIES

A. Notations

The following notations are used throughout this paper.
$P$: plaintext;
$C$: ciphertext;
$X^i$: internal state of the $i$th round; for the two-branch block cipher, $X^i = (X^i_L, X^i_R)$, for the three-branch block cipher, $X^i = (X^i_L, X^i_M, X^i_R)$;
$RK^i$: round key of the $i$th round;
"&": AND operation;
"⊕": XOR operation.

Fig. 1. Comparison of direct contradiction (left) and indirect contradiction (right).

B. Miss-in-the-Middle Technique for AND-RX Ciphers

For impossible differential cryptanalysis, the distinguisher is mostly constructed based on the miss-in-the-middle technique [2]. In this technique, the cipher is divided into two directions, i.e. the encryption direction and the decryption direction. For some input/output difference, if they do not match in the middle, it is an impossible differential distinguisher. Under the miss-in-the-middle technique, there are generally two kinds of contradiction models for AND-RX ciphers. For simplicity, we denote them as the "direct contradiction model" and the "indirect contradiction model".

• For the direct contradiction model, the distinguisher is constructed based on two truncated differentials from the directions of encryption and decryption with a direct "0"-"1" contradiction. If the difference of an internal state bit is inconsistent in these two directions, a contradiction occurs and a distinguisher is thus constructed. For example, in Fig. 1 (left), the truncated difference for the second most significant bit of the fourth round is "0" in the encryption direction, but the difference in the decryption direction is "1", which is a direct contradiction in the middle, and the given input difference and output difference form an impossible differential. In Fig. 1, "0"/"1" represents an actual difference and "2" denotes that the difference is uncertain, following Definition 1 in Section II-C.

• For the indirect contradiction model, the contradiction is discovered by secondary calculation. In this model, no direct contradiction exists, and some uncertain differences of the internal states are calculated from certain ones to produce a contradiction. This kind of contradiction is partially revealed in [28]. However, [28] only reveals a specific case. In this paper, the general steps for this kind of contradiction are illustrated as follows.

Step 1. Two truncated differentials are constructed from encryption and decryption.

Step 2. Several uncertain bit differences of the internal states are determined according to the truncated differential of the other direction, following the meet-in-the-middle strategy; e.g. the truncated differential of some internal state bits in the encryption direction (or decryption direction) is modified according to the truncated differential in the decryption direction (or encryption direction).

Step 3. Detect contradictions caused by these modifications; if a contradiction occurs, the input and output difference is an impossible differential distinguisher with indirect contradiction.


Example 1: In Fig. 1 (right), there are no direct contradictions on the fourth round. The two bit differences for the fifth bits from the left and right are both uncertain from the encryption direction. However, according to the truncated differential in the decryption direction, the differences for these two bits are determined to be 0. These modifications may lead to some potential contradictions. If the difference for the fourth bit from the right side of the third round is calculated to be 0 due to the previous modifications, while the difference is 1 in the encryption direction, it will also lead to a contradiction, which is an indirect contradiction.

The comparison between these two contradictions is illustrated in Fig. 1 for better comprehension.

C. Differential Propagation Matrix

1) Differential Traceable Pattern: Previous Notations: Various differential patterns have been defined and used to characterize the truncated differential property. For example, in [29], a set {"0", "1"} is used to represent (in)active Sboxes, which is widely used in much other literature. In [11], a set {"0", "1", "1*", "2*", t} is used to characterize various differential properties at word level. In [30], a set {"0", "1", "*"} is used to represent a single-bit difference of 0, 1 or uncertain, which is also a commonly used expression. In [17], a set {"0", "1", "λ"} is used to characterize the truncated property of a single bit. To keep our framework simple and accurate, we will follow the last two notations. However, since we want to use a matrix to calculate these truncated differentials round by round and "*"/"λ" is hard to characterize in a matrix, "2" is used instead in our framework to represent "*"/"λ" for further matrix computation.

To avoid confusion with prior patterns and the actual values of the states, the differential traceable pattern is defined as follows to describe the differential property of the internal state at bit level; it will be utilized throughout our framework.

Definition 1 (Differential Traceable Pattern): For a block cipher, the difference of each state bit is generally represented by three symbols {"0", "1", "2"}, which represent that the difference for this state bit is 0, 1 or uncertain. This representation is denoted as Differential Traceable Pattern, which is abbreviated as "DTP".

The concept of the differential traceable pattern is proposed to model the exact truncated differential. If we can calculate the differential traceable pattern round by round, we can derive the outline of the truncated differential, which is viewed as the basic element for calculating the provable security boundary and searching for longer impossible differential distinguishers.

2) Matrix Threshold XOR-Multiplication Operation: In order to model the calculation rule between differential traceable patterns, the concept of the matrix threshold XOR-multiplication operation is defined as follows.

Definition 2 (Matrix Threshold XOR-Multiplication Operation): Let $A = (a_{i,j})$, $i \in [0, m-1]$, $j \in [0, n-1]$; $B = (b_{i,j})$, $i \in [0, n-1]$, $j \in [0, q-1]$; $C = (c_{i,j})$, $i \in [0, m-1]$, $j \in [0, q-1]$ be three matrices, $a_{i,j}, b_{i,j}, c_{i,j} \in \mathbb{F}_3$. If the relationship between these matrices can be expressed as follows:

$$C = A\,\tilde{\times}\,B,\qquad c_{i,j} = a_{i,1}\cdot b_{1,j}\;\tilde{\oplus}\;a_{i,2}\cdot b_{2,j}\;\tilde{\oplus}\cdots\tilde{\oplus}\;a_{i,n}\cdot b_{n,j},\qquad i, j \in \mathbb{Z},\ i \in [0, m-1],\ j \in [0, q-1] \tag{1}$$

the calculation rule between the matrices $A$ and $B$ is denoted as the matrix threshold XOR-multiplication operation, where the operation "$\cdot$" represents integer multiplication and the operation "$\tilde{\oplus}$" is calculated based on a threshold $\delta$ as follows:

$$c = a\,\tilde{\oplus}\,b = \begin{cases} a \oplus b & \text{if } a, b < \delta \\ \delta & \text{else} \end{cases}$$

To characterize the truncated differential of AND-RX ciphers, the threshold $\delta$ in this paper is defined as 2.

Based on the definitions of the differential traceable pattern and the matrix threshold XOR-multiplication operation, the concept of the differential propagation matrix is introduced in the next section to accurately simulate the transfer property of the truncated differential between two rounds.

3) Differential Propagation Matrix: In this section, based on the matrix threshold XOR-multiplication operation, we will use a single matrix to characterize the differential propagation property of the round function at bit level. This matrix will be the starting point for computing the provable security boundary and searching for concrete IDs.

Definition 3 (Differential Propagation Matrix): For an $n$-bit block cipher, if a matrix $A$ can be generated to calculate the DTP of the output from the input of the round function, this matrix $A$ is denoted as the differential propagation matrix.

The differential propagation matrix is uniquely determined by the round function. According to the direction of the propagation, if it is in the decryption direction, this matrix is denoted as the negative differential propagation matrix.

In this part, each bit of the internal state state[i][j] (representing the $j$th bit of the $i$th round of the internal state) is assigned to a new state variable $b_{i,j}$ ($b_{i,j} \in \mathbb{F}_3$); $b_{i,j}$ is actually the DTP of the corresponding internal state bit. The key point is using a matrix to illustrate the relationship of the DTPs between round $i$ and round $i+1$. We will introduce the construction method of the differential propagation matrix below.

Construction of the Differential Propagation Matrix: The differential propagation matrix $A$ can be calculated by trying all the output bits of the round function as follows. The block size is denoted as "$n$" here. For the round function, $[x_{n-1}, x_{n-2}, \cdots, x_0]$ is the input and $[y_{n-1}, y_{n-2}, \cdots, y_0]$ is the output.

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on January 10,2025 at 10:04:58 UTC from IEEE Xplore. Restrictions apply.
6030 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 70, NO. 8, AUGUST 2024

Fig. 2. Round function for an 8-bit block SIMON-type toy cipher.

For an output bit y, consider the following function:
$$\varsigma_y(x_i) = \begin{cases} 0, & \text{if } x_i \text{ is not related with } y \\ 1, & \text{if } x_i \text{ is linearly related with } y \\ 2, & \text{otherwise } (x_i \text{ is non-linearly related with } y) \end{cases}$$

The meaning of the notion "related" is as follows. Suppose $y = f(x_0, x_1, \cdots, x_{n-1}) \triangleq g(x_0, x_1, \cdots, x_{n-1}) \cdot x_i + h(x_0, x_1, \cdots, x_{i-1}, x_{i+1}, \cdots, x_{n-1})$. If $g(x_0, x_1, \cdots, x_{n-1}) = 0$, $x_i$ is not related with y; if $g(x_0, x_1, \cdots, x_{n-1}) = 1$, $x_i$ is linearly related with y; if the algebraic degree of $g(x_0, x_1, \cdots, x_{n-1})$ is larger than 0, i.e. $\deg(g) > 0$, $x_i$ is non-linearly related with y.

For each output bit $y_i$, an n-bit vector $U_i$ is calculated as $[\varsigma_{y_i}(x_{n-1}), \varsigma_{y_i}(x_{n-2}), \cdots, \varsigma_{y_i}(x_0)]$, which forms the ith row of the differential propagation matrix. A can be constructed as
$$A = \begin{bmatrix} U_{n-1} \\ \cdots \\ U_1 \\ U_0 \end{bmatrix}.$$

To make the construction process more intuitive, a toy example on a SIMON-type cipher is presented.

Example 2: Take a two-round SIMON-type toy cipher as an example (Fig. 2). If the DTP for the input of the i-th round is $B_i = [b_{i,7}, b_{i,6}, b_{i,5}, b_{i,4}, b_{i,3}, b_{i,2}, b_{i,1}, b_{i,0}]$, $b_{i,j} \in \mathbb{F}_3$, the differential propagation matrix A can be constructed as follows. As n = 8, all the positions of the output bits $y_7$ to $y_0$ should be considered. Take $y_5$ as an example: $x_1$ and $x_4$ are linearly related to $y_5$, $x_6$ and $x_7$ are non-linearly related to $y_5$, and the other bits are not related, so
$$U_5 = [2, 2, 0, 1, 0, 0, 1, 0] = [\varsigma_{y_5}(x_7), \varsigma_{y_5}(x_6), \varsigma_{y_5}(x_5), \cdots, \varsigma_{y_5}(x_0)].$$
The other rows of A can be calculated in the same way, and the differential propagation matrix for the toy cipher is as follows.
$$A = \begin{bmatrix} U_7 \\ U_6 \\ U_5 \\ U_4 \\ U_3 \\ U_2 \\ U_1 \\ U_0 \end{bmatrix} = \begin{bmatrix} 0&1&2&2&1&0&0&0 \\ 2&0&1&2&0&1&0&0 \\ 2&2&0&1&0&0&1&0 \\ 1&2&2&0&0&0&0&1 \\ 1&0&0&0&0&0&0&0 \\ 0&1&0&0&0&0&0&0 \\ 0&0&1&0&0&0&0&0 \\ 0&0&0&1&0&0&0&0 \end{bmatrix}$$
If $B_i = [1, 0, 0, 2, 0, 1, 0, 0]$, then $B_{i+1}^T = A \tilde{\times} B_i^T$ gives $B_{i+1} = [2, 2, 2, 1, 1, 0, 0, 2]$, which accurately reflects the transfer property of the concrete truncated differential.

Similarly, the negative differential propagation matrix can also be uniquely calculated from the round function. For the toy cipher, the negative differential propagation matrix is as below.
$$M = \begin{bmatrix} 0&0&0&0&1&0&0&0 \\ 0&0&0&0&0&1&0&0 \\ 0&0&0&0&0&0&1&0 \\ 0&0&0&0&0&0&0&1 \\ 1&0&0&0&0&1&2&2 \\ 0&1&0&0&2&0&1&2 \\ 0&0&1&0&2&2&0&1 \\ 0&0&0&1&1&2&2&0 \end{bmatrix}$$
Suppose the DTP of y is $B_{i+1} = [0, 0, 0, 0, 1, 0, 0, 0]$. Given the negative differential propagation matrix M, the DTP $B_i$ can be calculated as follows:
$$B_i^T = M \tilde{\times} B_{i+1}^T, \qquad B_i = [1, 0, 0, 0, 0, 2, 2, 1].$$

We can use the differential propagation matrix iteratively to calculate all the DTPs of the internal states. To make this clearer, we describe it in mathematical form.

Proposition 1 (Calculating DTPs With the Differential Propagation Matrix): Suppose E is an n-bit block cipher of R rounds. B is an $R \times n$ matrix used to store the DTPs of the corresponding internal states. Set the DTP of the i-th round as $[b_{i,n-1}, b_{i,n-2}, \ldots, b_{i,0}]$. Given the differential propagation matrix A, the DTP of the j-th round is
$$[b_{j,n-1}, \cdots, b_{j,1}, b_{j,0}]^T = \underbrace{A \tilde{\times} \cdots \tilde{\times} A \tilde{\times} A \tilde{\times}}_{|j-i| \text{ matrix threshold XOR-multiplications}} [b_{i,n-1}, \cdots, b_{i,1}, b_{i,0}]^T.$$
If j > i, the matrix A is the differential propagation matrix, and if j < i, the matrix A is the negative differential propagation matrix. With the differential propagation matrix, all the DTPs of the internal states can be calculated.

In this paper, the problems of exploring the provable security boundary of IDs and of automatically searching for IDs are all based on the differential propagation matrix.

D. Brief Descriptions on SIMON, Simeck, Friet-PC and SAND

In this paper, four cipher families are investigated. All of them are AND-RX ciphers, which consist only of the three operations AND, Rotation and XOR. A brief description of these ciphers follows.

ZHANG et al.: IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS AND A SECURITY EVALUATION FRAMEWORK 6031

Fig. 3. Round functions of SIMON (left) and Simeck (right).

Fig. 4. Round functions of Friet-PC (up) and SAND (down).

• SIMON is a family of lightweight block ciphers proposed by the NSA (U.S. National Security Agency) in June 2013 [3]. The structure of SIMON is a typical Feistel network. There are ten variants of SIMON, with block sizes ranging from 32 to 128.
• Simeck is a family of lightweight block ciphers proposed at CHES 2015 [4]. The round function and key schedule of Simeck are inspired by SIMON and SPECK [3], both proposed by the NSA in 2013. Compared with these two lightweight ciphers, Simeck has a more compact hardware implementation. In 2019, NIST (National Institute of Standards and Technology) proposed a lightweight cryptography standardization process, in which some proposals use a modified Simeck as a basic module, such as ACE [31], SPIX [32] and SPOC [33], which implies more practical potential for Simeck. There are three variants of Simeck, with block sizes 32, 48 and 64 respectively. The round functions of SIMON and Simeck differ only in the rotation constants.
• Friet is a lightweight authenticated encryption scheme proposed at EUROCRYPT 2020 [8]. Friet-PC is a cryptographic permutation aiming at efficient fault-detecting implementations. There are three branches in Friet-PC and each branch is 128 bits.
• SAND is a family of lightweight block ciphers proposed in DCC 2021 [34]. It admits an equivalent representation based on a 4 × 8 synthetic Sbox, which enables the use of classical Sbox-based security evaluation approaches. The structure of SAND is Feistel. There are two variants of SAND, with block sizes 64 and 128 respectively.

The round functions of these ciphers are illustrated in Fig. 3 and Fig. 4. For more details, we refer the reader to [3], [4], [8] and [34] respectively.

III. EXPLORE THE PROVABLE SECURITY BOUNDARY OF IMPOSSIBLE DIFFERENTIAL DISTINGUISHERS

In this section, firstly, the relationship between the one-round differential propagation matrix and the R-round differential propagation matrix is illustrated. The truncated differential propagation index is then introduced to describe the differential propagation property of the round function. Based on these discussions, the provable security boundaries for direct contradiction and indirect contradiction are explored. Finally, some concrete applications based on these provable security boundaries are calculated to validate the accuracy.

A. Differential Propagation Matrix for Block Cipher Reduced to R-Round

Corollary 1 (Differential Propagation Matrix for R-Round Block Cipher): For an AND-RX block cipher, suppose A is the differential propagation matrix of the round function. The differential propagation matrix for the R-round block cipher can be calculated as follows:
$$A^{R}_{\tilde{\times}} = \underbrace{A \tilde{\times} A \tilde{\times} \cdots \tilde{\times} A}_{(R-1) \text{ matrix threshold XOR-multiplications}}$$

Based on Proposition 1, for any input differential traceable pattern X, the truncated differential (or DTP) after R-round encryption can be calculated as $\underbrace{A \tilde{\times} \cdots \tilde{\times} A \tilde{\times} A \tilde{\times}}_{R \text{ matrix threshold XOR-multiplications}} X^T$. This means the R-round encryption can be viewed as a whole, and the differential propagation matrix for this R-round block cipher is $\underbrace{A \tilde{\times} \cdots \tilde{\times} A \tilde{\times} A}_{(R-1) \text{ matrix threshold XOR-multiplications}}$, which is denoted as $A^{R}_{\tilde{\times}}$ for simplicity.

Example 3: For SIMON32, the differential propagation matrices for one-round to five-round SIMON32 ($A^{1}_{\tilde{\times}}$ to $A^{5}_{\tilde{\times}}$) are illustrated in Fig. 5.


Fig. 5. Differential propagation matrices of SIMON32 reduced to different rounds.

Definition 4 (Extracting Set): For a matrix $A = (a_{i,j})$, $i \in [0, m-1]$, $j \in [0, n-1]$, the following set $\eta^{\delta}_{TES}(A)$ is used to extract all the distinct values smaller than the threshold δ in A:
$$\eta^{\delta}_{TES}(A) = \{a_{i,j} \mid a_{i,j} < \delta,\ i \in [0, m-1],\ j \in [0, n-1],\ a_{i,j} \in A\}$$

As the differential traceable pattern is useful only when the pattern is smaller than 2 (it is noted that although all the traceable patterns are symbols, in this paper these symbols are regarded as integers which can be added and compared, for simplicity), this function is used to recognize this property, and the threshold δ in this paper is fixed to 2, which has already been defined in Definition 2.

B. Truncated Differential Propagation Index

With the R-round differential propagation matrix and the extracting set, the differential propagation property of a given round function can be roughly characterized by a single number. The truncated differential propagation index is introduced for this purpose.

Definition 5 (Truncated Differential Propagation Index): For an AND-RX block cipher, let A be the differential propagation matrix of the round function. The truncated differential propagation index $T_I$ is defined as follows:
$$T_I(A) = \max\{i \mid \eta^{2}_{TES}(A^{i}_{\tilde{\times}}) \neq \emptyset,\ i \in \mathbb{N}\}$$

To make this definition easier to understand, a small example is illustrated as follows. For the targeted block cipher reduced to R rounds, the differential propagation matrix for R rounds is $A^{R}_{\tilde{\times}}$ according to Corollary 1. If some of the elements in $A^{R}_{\tilde{\times}}$ are smaller than 2, then for some input difference the output difference of the block cipher must be 1 or 0. If R is very large, usually all the elements in $A^{R}_{\tilde{\times}}$ become 2 (for some badly designed block ciphers, we have discovered counter-examples in which not all the elements in $A^{R}_{\tilde{\times}}$ are 2 for arbitrary round R; in this case the truncated differential propagation index is +∞ and we can easily construct a full-round ID based on this weakness). The maximum R for which $A^{R}_{\tilde{\times}}$ still has at least one element smaller than 2 is defined as the truncated differential propagation index, and this property is expressed with the extracting set.

Corollary 2 (Truncated Property for $T_I$ + 1 Rounds): For an AND-RX block cipher, if the truncated differential propagation index is $T_I$, then for any input difference the truncated differential properties of all the output bits are uncertain after $T_I$ + 1 rounds.

Based on Definition 3, it can easily be deduced that for $T_I$ + 1 rounds, all the elements in the differential propagation matrix $A^{T_I+1}_{\tilde{\times}}$ are 2. This property means that for any input difference X, the DTPs of all the bits after $T_I$ + 1 rounds, i.e. $A^{T_I+1}_{\tilde{\times}} \tilde{\times} X^T$, are all 2 (uncertain).

C. Provable Security Boundary for Direct Contradiction

With the truncated differential propagation index, the propagation property of the round function can be roughly estimated. However, a tighter provable security boundary is more meaningful, and it is discussed in this section.

Theorem 1 (Provable Security Boundary for Direct Contradiction): For an AND-RX block cipher, if the differential propagation matrix is A and the negative differential propagation matrix is B, the upper boundary for direct contradiction is as follows:
$$B_d(A, B) = \max\{i + j \mid \exists k \in \mathbb{Z},\ a \in \eta^{2}_{TES}(\mathrm{row}_k[A^{i}_{\tilde{\times}}]),\ b \in \eta^{2}_{TES}(\mathrm{row}_k[B^{j}_{\tilde{\times}}]),\ \text{s.t. } 0 < a + b \le 2,\ a < 2,\ b < 2,\ i, j \in \mathbb{N}\}$$
where $\mathrm{row}_k[A]$ represents the kth row of the matrix A.

Proof: To lead to a direct contradiction, there must exist at least one input-output difference pair which makes the truncated differentials from the encryption direction and from the decryption direction contradictory for at least one internal state bit.

Whether such a contradiction exists can be explored by a refined analysis of the differential propagation matrices from the two directions. If i-round encryption and j-round decryption are considered, the differential propagation matrix for the i-round encryption is $A^{i}_{\tilde{\times}}$ and that for the j-round decryption is $B^{j}_{\tilde{\times}}$.

Supposing the input difference is X and the output difference is Y, the truncated differential of the internal state after i-round encryption is $S^T = A^{i}_{\tilde{\times}} \tilde{\times} X^T$ and after j-round decryption is $G^T = B^{j}_{\tilde{\times}} \tilde{\times} Y^T$. If a direct contradiction occurs at the kth bit of the internal state, the following equation must hold:
$$\mathrm{row}_k[A^{i}_{\tilde{\times}}] \tilde{\times} X^T \ \tilde{\oplus}\ \mathrm{row}_k[B^{j}_{\tilde{\times}}] \tilde{\times} Y^T = 1 \tag{2}$$

The larger the value of i + j, the longer the impossible differential distinguishers discovered. Thus, the maximum i + j is the target of this theorem for direct contradiction.

Let $X = [x_{n-1}, x_{n-2}, \cdots, x_0]$, $S = [s_{n-1}, s_{n-2}, \cdots, s_0]$, $A^{i}_{\tilde{\times}} = (a^{i}_{p,q})_{p,q \in [0, n-1]}$, $Y = [y_{n-1}, y_{n-2}, \cdots, y_0]$, $G = [g_{n-1}, g_{n-2}, \cdots, g_0]$ and $B^{j}_{\tilde{\times}} = (b^{j}_{p,q})_{p,q \in [0, n-1]}$. The following equations must hold:
$$s_k = a^{i}_{k,0} \cdot x_0\ \tilde{\oplus}\ a^{i}_{k,1} \cdot x_1\ \tilde{\oplus} \cdots \tilde{\oplus}\ a^{i}_{k,n-1} \cdot x_{n-1} \tag{3}$$
$$g_k = b^{j}_{k,0} \cdot y_0\ \tilde{\oplus}\ b^{j}_{k,1} \cdot y_1\ \tilde{\oplus} \cdots \tilde{\oplus}\ b^{j}_{k,n-1} \cdot y_{n-1} \tag{4}$$

If the direct contradiction occurs, at least one k exists such that $s_k \tilde{\oplus} g_k = 1$. According to the calculation rule of the threshold XOR $\tilde{\oplus}$, if $s_k \tilde{\oplus} g_k = 1$, both $s_k$ and $g_k$ are smaller than 2, i.e. none of the $a^{i}_{k,w} \cdot x_w$ and $b^{j}_{k,w} \cdot y_w$ is 2. This means that if $a^{i}_{k,w}$ or $b^{j}_{k,w}$ equals 2, the corresponding $x_w$ or $y_w$ should be 0. This gives the first condition for the two differential


propagation matrices $A^{i}_{\tilde{\times}}$ and $B^{j}_{\tilde{\times}}$: there exists at least one k for which $\mathrm{row}_k[A^{i}_{\tilde{\times}}]$ and $\mathrm{row}_k[B^{j}_{\tilde{\times}}]$ are not all 2s.

Of the three values in the differential propagation matrix, 0 means the corresponding input bit difference is not related with the output bit difference, 1 means the bit difference is linearly related with the output bit difference, and 2 means a non-linear relationship between the input bit difference and the output bit difference. This property means that a 0 in the propagation matrix can only bring in a 0 difference, while a 1 pattern can bring in a 1 or a 0 difference.

Thus, in $\mathrm{row}_k[A^{i}_{\tilde{\times}}]$ and $\mathrm{row}_k[B^{j}_{\tilde{\times}}]$, if the two patterns are both 0 or at least one of them is 2, no direct contradiction can occur either. Therefore, there should exist two patterns smaller than 2 which are not both 0; they are denoted as a and b, $a \in \eta^{2}_{TES}(\mathrm{row}_k[A^{i}_{\tilde{\times}}])$, $b \in \eta^{2}_{TES}(\mathrm{row}_k[B^{j}_{\tilde{\times}}])$, such that $0 < a + b \le 2$, where a < 2 and b < 2. The maximum value of i + j for which at least one such contradiction occurs is the upper boundary for the direct contradiction, and the proof is complete.

As the upper boundary $B_d(A, B)$ is derived in Theorem 1, the provable security boundary for the target cipher is $B_d(A, B) + 1$. Under the contradiction model, no $(B_d(A, B) + 1)$-round impossible distinguisher exists.

Sometimes, only a rough upper boundary is needed to estimate the security level against impossible differential cryptanalysis. In Corollary 3, an easier but looser upper boundary based on the truncated differential propagation index is given for such a rough estimation.

Corollary 3 (Relationship Between $B_d(A, B)$, $T_I(A)$ and $T_I(B)$): For an AND-RX block cipher, the upper boundary for direct contradiction can be bounded by the truncated differential propagation indexes as follows:
$$B_d(A, B) \le T_I(A) + T_I(B)$$

Proof: Based on Corollary 2, for any input difference, the truncated differences of all the bits after $T_I(A)$ + 1 rounds are uncertain. In the decryption direction, for any output difference, the truncated differences of all the bits after $T_I(B)$ + 1 rounds are uncertain. This means that if an ID can be constructed, the length of the encryption half is at most $T_I(A)$ and the length of the decryption half is at most $T_I(B)$. Hence $T_I(A) + T_I(B)$ is an upper boundary for all the possible distinguishers constructed from direct contradiction.

D. Provable Security Boundary for Indirect Contradiction

For the indirect contradiction, a rough upper boundary is discussed in this section, but this boundary is not as tight as the one for direct contradiction in Theorem 1.

Corollary 4 (A Provable Security Boundary for Indirect Contradiction): For an AND-RX block cipher, if the differential propagation matrix is A and the negative differential propagation matrix is B, an upper boundary for indirect contradiction is as follows:
$$B_i(A, B) = T_I(A) + T_I(B) + 1,$$
where $T_I(A)$ represents the truncated differential propagation index of A.

Fig. 6. An example for the provable security boundary on indirect contradiction.

TABLE I
Summary of IDs Based on Direct Contradictions and Corresponding Upper Boundaries Calculated With Theorem 1

Proof: Based on Corollary 3, $T_I(A) + T_I(B)$ is the boundary for the longest possible direct contradiction. As the cause of an indirect contradiction is the modification from the other direction, if we add one more round in the middle, all the bit differences are uncertain in this middle round according to the definition of the truncated differential propagation index. Therefore, it is impossible to modify the uncertain bit differences, as the total number of rounds exceeds the truncated differential propagation index from the other direction. As the modification does not occur, the indirect contradiction cannot happen either, which gives a provable security boundary for the indirect contradiction.

To make Corollary 4 easier to understand, an example is illustrated in Fig. 6.

E. Some Applications on the Provable Security Boundary

To validate the effectiveness of the provable security boundary, the four cipher families SIMON, Simeck, Friet-PC and SAND are considered. The calculated results for the provable security boundary on direct (indirect) contradictions are given in Table I (Table II). As the indirect contradiction-based IDs are proposed on Simeck48 and Simeck64, only the provable security boundaries for these two variants are calculated in Table II. In practice, our automatic searching method, Algorithm 1, is used to search the other variants of SIMON and Simeck, but no longer distinguishers are discovered. In Section V, some of these boundaries will be validated to be final and not improvable.


TABLE II
Summary of IDs Based on Indirect Contradiction and Corresponding Upper Boundaries Calculated With Corollary 4

TABLE III
Summary of Some Longer Distinguishers on Friet-PC and SAND With Algorithm 1

TABLE IV
An Impossible Differential Distinguisher on 11-Round SAND64

Algorithm 1 Automatic Searching Method for IDs on AND-RX Ciphers
Preliminary:
✧ Set the range for the DTPs of the input and output differences;
✧ Set the range of rounds R for the impossible differential distinguisher;
✧ Calculate the differential propagation matrix PT and the negative differential propagation matrix NT according to the round function;
✧ Three R ∗ NB matrices (a ∗ b means the matrix consists of a rows and b columns) M1, M2 and M3: M1 represents the DTPs of all the internal state bits from plaintext to ciphertext in the encryption direction, M2 represents the DTPs of all the internal state bits from ciphertext to plaintext in the decryption direction, M3 is used to store the DTPs after the modification from the other direction, and NB represents the block size of the targeted block cipher;
✧ M1, M2 and M3 are initialized to 0.
General Steps:
Step 1. Select one target round number R and one DTP of the input and output difference within the ranges of DTPs and Rs.
Step 2. Assign the values of M1[0] and M2[R] according to the DTP and R selected in Step 1.
Step 3. Calculate the remaining parts of M1 (i.e. M1[1] to M1[R]).
    for i from 1 to R do
        Calculate M1[i]^T = PT ×̃ M1[i−1]^T.
Step 4. Calculate the remaining parts of M2 (i.e. M2[R−1] to M2[0]).
    for i from R−1 to 0 do
        Calculate M2[i]^T = NT ×̃ M2[i+1]^T.
Step 5. Test all the variables M1[i][j] and M2[i][j], 0 ≤ i ≤ R, 0 ≤ j ≤ NB.
    if there exists at least one pair (i, j) where M1[i][j] + M2[i][j] = 1:
        go to Step 7;
    else:
        go to Step 6 (or go to Step 1 if the indirect contradiction is not considered).
Step 6. Calculate M3 according to M1 and M2. For all the combinations of (i, j), M3[i][j] = min{M1[i][j], M2[i][j]}.
    if the modification of the values can bring in new contradictions:
        go to Step 7;
    else:
        go to Step 1.
Step 7. Output the values of M1[0] and M2[R], which form an impossible differential distinguisher.
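The following Python is an added example, not the paper's code: it implements the threshold arithmetic of Definition 2 as inferred from the worked values of Example 2 (the definition's table itself is not reproduced above), builds the propagation matrices of any SIMON-type round, and uses them for Corollary 1, $T_I$ (Definition 5), $B_d$ (Theorem 1) and the direct-contradiction path of Algorithm 1 with single-bit differences. The toy cipher's half size 4 and rotation amounts 2, 3, 1 are read off the matrix printed in Example 2 and are this example's assumption; all function names are hypothetical.

```python
"""Added example (not the paper's code): threshold DTP arithmetic, the matrices
of Example 2, T_I (Definition 5), B_d (Theorem 1) and Algorithm 1, Steps 1-5/7."""
from functools import reduce
from itertools import product

# Definition 2's table is not reproduced on this page; the rule below is
# inferred from the worked values: 0 absorbs a product, 2 (uncertain)
# dominates everything else, and plain 0/1 values multiply and XOR normally.
def tmul(a, b):
    return 0 if a == 0 or b == 0 else max(a, b)

def txor(a, b):
    return 2 if a == 2 or b == 2 else a ^ b

def tmatvec(A, v):
    """A x~ v^T; rows and vectors are listed in paper order (bit n-1 first)."""
    return [reduce(txor, (tmul(a, x) for a, x in zip(row, v)), 0) for row in A]

def tmatmul(A, B):
    """A x~ B: entry (k, q) is the threshold XOR over w of a[k][w] * b[w][q]."""
    return [[reduce(txor, (tmul(a, b) for a, b in zip(row, col)), 0)
             for col in zip(*B)] for row in A]

def tmatpow(A, r):
    """A^r under x~ (Corollary 1); r = 0 gives the identity matrix."""
    P = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    for _ in range(r):
        P = tmatmul(A, P)
    return P

def simon_type_matrices(h, a, b, c):
    """Propagation matrix A and negative matrix M of a SIMON-type round
    L' = ((L<<<a) & (L<<<b)) ^ (L<<<c) ^ R, R' = L on a 2h-bit block, with
    l_i = x_{h+i} and r_i = x_i. Entries follow the function sigma of the page:
    2 = non-linearly related, 1 = linearly related, 0 = unrelated."""
    n = 2 * h
    col = lambda bit: n - 1 - bit          # bit index -> column in paper order
    A = [[0] * n for _ in range(n)]
    M = [[0] * n for _ in range(n)]
    # A: y_{h+i} = f(L)_i ^ r_i, y_i = l_i.  M (inverse round): x_i = y_{h+i}
    # ^ f(y_{h-1..0})_i, x_{h+i} = y_i.  fb/xb = base bit of the half that
    # feeds f and of the half that is XOR-ed in.
    for mat, fb, xb in ((A, h, 0), (M, 0, h)):
        for i in range(h):
            row = mat[col(fb + i)]
            row[col(xb + i)] = 1
            row[col(fb + (i - a) % h)] = 2
            row[col(fb + (i - b) % h)] = 2
            lin = col(fb + (i - c) % h)
            row[lin] = max(row[lin], 1)    # a non-linear entry wins on collision
            mat[col(xb + i)][col(fb + i)] = 1   # the half that is copied through
    return A, M

def extracting_set(row, delta=2):
    """eta^delta_TES of Definition 4: distinct entries below the threshold."""
    return {v for v in row if v < delta}

def truncated_index(A, cap=64):
    """T_I(A) of Definition 5: the largest r for which A^r has an entry < 2."""
    P, r = A, 1
    while any(extracting_set(row) for row in P):
        if r >= cap:                       # the page's "badly designed" case
            return float("inf")
        P, r = tmatmul(A, P), r + 1
    return r - 1

def direct_boundary(A, M):
    """B_d(A, M) of Theorem 1: the largest i + j such that some row k of A^i
    and of M^j both contain an entry below 2, not both of them 0."""
    ti_a, ti_m = truncated_index(A), truncated_index(M)
    if float("inf") in (ti_a, ti_m):
        return float("inf")
    best = 0
    for i, j in product(range(1, ti_a + 1), range(1, ti_m + 1)):
        for ra, rm in zip(tmatpow(A, i), tmatpow(M, j)):
            if any(0 < a + b <= 2 for a in extracting_set(ra)
                   for b in extracting_set(rm)):
                best = max(best, i + j)
    return best

def search_direct_ids(A, M, R):
    """Algorithm 1 for single-bit input/output DTPs and direct contradictions
    only (Steps 1-5 and 7); returns (input bit, output bit, round i) triples."""
    n = len(A)
    unit = lambda bit: [int(w == bit) for w in range(n - 1, -1, -1)]
    found = []
    for in_bit, out_bit in product(range(n), repeat=2):
        M1 = [unit(in_bit)]                          # Step 3: forward DTPs
        for _ in range(R):
            M1.append(tmatvec(A, M1[-1]))
        M2 = [unit(out_bit)]                         # Step 4: backward DTPs
        for _ in range(R):
            M2.append(tmatvec(M, M2[-1]))
        M2.reverse()                                 # M2[i] now sits at round i
        for i in range(R + 1):                       # Step 5: M1 + M2 == 1
            if any(s + g == 1 for s, g in zip(M1[i], M2[i])):
                found.append((in_bit, out_bit, i))
                break
    return found
```

For the toy cipher, `simon_type_matrices(4, 2, 3, 1)` reproduces the two matrices and both worked DTP transitions of Example 2; `truncated_index` gives 3 for both directions, `direct_boundary` gives 5, and `search_direct_ids` finds 5-round single-bit IDs but none for 6 rounds, as Theorem 1 predicts.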

After comparing the current longest IDs with the direct contradiction-based provable security boundary, it is found that for SAND there is a one-round gap between the boundary and the current longest IDs. For Friet-PC, the current best differential distinguisher is 9-round, while the provable security boundary for IDs based on direct contradiction is 11-round. If we can derive concrete IDs at this boundary, then on the one hand the boundary is validated, and on the other hand longer IDs are obtained. Section IV focuses on this problem.

IV. AUTOMATIC SEARCH OF IMPOSSIBLE DIFFERENTIAL DISTINGUISHERS

In this section, an automatic searching method is proposed to explore longer impossible differential distinguishers based on the differential propagation matrix. This method can be used to explore all the possible direct contradictions and indirect contradictions. Some applications follow at the end of this section for validation.

A. An Automatic ID Searching Method With Differential Propagation Matrix

There are generally four phases in this algorithm: (1) initialization phase; (2) truncated differential calculating phase; (3) contradiction detection phase; (4) output phase.


TABLE V
An Impossible Differential Distinguisher on 14-Round SAND128

TABLE VI
An Impossible Differential Distinguisher on 11-Round Friet-PC

TABLE VII
Summary of Newly Discovered Impossible Distinguishers With Algorithm 1 Based on Indirect Contradiction

➢ In the initialization phase, Step 1 and Step 2 are used to initialize the number of targeted rounds and the input and output differences.
➢ In the truncated differential calculating phase, Step 3 and Step 4 are used to calculate all the DTPs of the internal states in the encryption and decryption directions based on the differential propagation matrix.
➢ In the contradiction detection phase, Step 5 is used to detect direct contradictions and Step 6 is used to explore indirect contradictions. More precisely, in Step 5, if the DTP of an internal state bit is definite but different from the two directions (i.e. M1[i][j] + M2[i][j] = 1), it must be an ID based on direct contradiction. In Step 6, an entropy reduction process is conducted based on the meet-in-the-middle strategy; furthermore, potential indirect contradictions are detected based on a secondary calculation.
➢ In the output phase, Step 7 is used to output the impossible differential distinguishers.

The details of this method are illustrated in Algorithm 1. It is noted that the section in the red box is optional. For simplicity, and in most cases, Step 6 is not needed. Besides, the range for the DTPs of the input and output differences is usually categorized by the number of active bits. For AND-RX ciphers, in most cases, the IDs with a single active bit are likely to be longer than those with more active bits according to current results.

B. Time Complexity Estimation for the Automatic Searching Method

In this section, the time complexity of Algorithm 1 is analyzed. Set the following parameters: the block size is n, the number of active bits for the input/output of the distinguisher is $n_1$/$n_2$, the length of the distinguisher is $R_1 + R_2$ ($R_1$ is derived by partial encryption, $R_2$ by partial decryption), and R is the number of rounds of the impossible differential distinguisher ($R = R_1 + R_2$).

• The basic operation of our framework is the multiplication of the differential propagation matrix. For this operation, the current best time complexity is about $O(n^{2.37})$ [35]. However, for large values of n, this complexity is not always achievable. So we choose to use the naive $O(n^3)$ for estimation.


TABLE VIII
Lower Boundaries of Differential Probability for 64 Representatives on 12-Round SIMON32

TABLE IX
Comparison of the Practical Boundary and Provable Security Boundary of Direct Contradiction

Algorithm 2 A General Detecting Method for the Practical Boundary of IDs
Step 1. Construct a representative set Ω. Ω is used to store all the (or partial) input and output differences of those potential longest impossible differential distinguishers.
Step 2. Select the range of the targeted round number R and set the least number in the range as the initial value of R.
Step 3. Initialize a counter v = 0;
Step 4. for i from 1 to |Ω| do
    Test whether there is a differential trail for the R-round differential $(\Delta^{i}_{in}, \Delta^{i}_{out})$, which denotes the i-th element of Ω. $\Delta^{i}_{in}$/$\Delta^{i}_{out}$ represents the input/output difference of the distinguisher. If there is a differential trail, v++.
    if v = |Ω|:
        go to Step 5;
    else:
        go to Step 3.
Step 5. Output R.

• If Step 6 is not considered, the number of combinations of the input and output difference is $C_n^{n_1} \cdot C_n^{n_2}$. For each combination, at least $R_1 + R_2$ matrix multiplications are needed. As $R_1 + R_2 = R$, the time complexity is
$$O\left(C_n^{n_1} \cdot C_n^{n_2} \cdot (R_1 + R_2) \cdot n^3\right) = O\left(C_n^{n_1} \cdot C_n^{n_2} \cdot R \cdot n^3\right).$$
• If Step 6 is considered, for each combination an extra $R_1 + R_2$ matrix multiplications are needed after the modification. This doubles the time consumption, and the time complexity is $O\left(2 \cdot C_n^{n_1} \cdot C_n^{n_2} \cdot R \cdot n^3\right)$.

An Ideal Scenario: Supposing only single-bit differences are considered, for the direct contradiction model the time complexity is $O(R \cdot n^5)$.

For most of the cases, the longest impossible differential distinguisher on AND-RX ciphers belongs to this ideal scenario, which can be realized in polynomial time, such as the longest IDs proposed in [28], [34], [40] and [41].

C. Some Applications on the Automatic Searching Method

To validate the effectiveness of Algorithm 1, SIMON, Simeck, Friet-PC and SAND are considered. For SIMON and Simeck, more distinguishers are discovered based on indirect contradiction, but the length of the longest distinguishers has not been improved. For Friet-PC and SAND, many longer impossible differential distinguishers are discovered, and the longest lengths match the provable security boundary for the direct contradiction in Table I, which also validates the correctness of the provable security boundary. The summary of the discovered longest IDs is presented in Table III. For illustration, the structures of a concrete 11-round ID on SAND64, a 14-round ID on SAND128 and an 11-round ID on Friet-PC are presented in Table IV to Table VI respectively. Other distinguishers of the same length are exhibited in Appendix A, B and C respectively (see supplementary material). The newly discovered IDs on Simeck48 and Simeck64 are summarized in Table VII. The details of these IDs are given in Appendix E and F in the supplementary material.

V. CALCULATING THE PRACTICAL BOUNDARY OF IMPOSSIBLE DIFFERENTIAL DISTINGUISHERS

Calculating the practical boundary of impossible differential distinguishers is another important topic. If this boundary can be derived exactly, it is impossible to derive any longer IDs beyond this boundary, for any known or future unknown


construction methods. This section introduces a method to approximate this practical boundary.

A. An Automatic ID Searching Method With Differential Propagation Matrix

This method is based on the following fact: if an input-output difference pair $(\Delta_{in}, \Delta_{out})$ is a differential, it can never be an impossible differential distinguisher for any currently known or future unknown construction method.

There are two facts to be addressed here. (1) If $(\Delta_{in}, \Delta_{out})$ is a differential, at least one differential trail exists from $\Delta_{in}$ to $\Delta_{out}$. (2) If all the potential longest impossible differential distinguishers are validated to be differentials for this round number R, it is infeasible to derive any impossible differential distinguisher, and the practical boundary of impossible differential distinguishers is thus obtained, which is less than R.

The details of this method are illustrated in Algorithm 2. There are generally six steps in this algorithm. Step 1 is used to construct a representative set Ω for all the (or partial) potential longest impossible differential distinguishers. Step 2 and Step 3 are used to initialize the targeted round number R and a counter. Step 4 and Step 5 are used to test whether all the elements in Ω are differential distinguishers; if so, R is the practical boundary for the impossible differential distinguishers and R is output in Step 6.

There are generally three phases in this algorithm: (1) initialization phase; (2) differential detection phase; (3) output phase.
➢ In the initialization phase, Step 1 to Step 3 are used to initialize the number of targeted rounds, a counter, and a representative set Ω. The input and output differences in this set are those likely to form the longest IDs.
➢ In the differential detection phase, Step 4 and Step 5 are used to test whether all the differences in Ω are differentials. If all the differences are validated to be differentials, none of the differences in Ω is an ID for this round, and the practical boundary of IDs can thus be derived.
➢ In the output phase, Step 5 is used to output the least

approach is adopted, if a valid differential trail for a given input-output difference can be discovered efficiently, it is workable. In our later application on SIMON-type ciphers, an MILP-based approach is adopted.

B. Some Applications on the Practical Boundary

In this section, the practical boundary for impossible differential distinguishers on SIMON is explored based on Algorithm 2. These practical boundaries have not been previously investigated.

1) Representatives for the Longest IDs on SIMON32: Proposition 2 (Priority for Single Bit IDs): Under the direct contradiction model, for SIMON32, based on the truncated differential property, the length of multi-bit IDs is no longer than that of single-bit IDs.

An exhaustive-search type strategy is adopted to validate the correctness of Proposition 2. To calculate all the impossible differential distinguishers, we have to test all the $2^{32}$ input differences and $2^{32}$ output differences with Algorithm 1. The overall time complexity is about $O(2^{64})$, which is time consuming and not practical. Two strategies are taken to guarantee the full search space of all the possible input and output differences.

a) Split the partial encryption and decryption in two halves: If we split the distinguisher in two halves (encryption and decryption), each of the differences of the 32-bit internal state in the middle may be the contradiction bit. Taking partial encryption as an example, if the number of rounds for partial encryption is $R_1$, all the 32-bit truncated differences at round $R_1$ should be considered. This strategy can reduce the search space to $2 \times 32 \times 2^{32}$. In this complexity, "$2^{32}$" represents the exhaustive search complexity for all the input differences, "2" represents the two parts of partial encryption and decryption, and "32" represents all the potential contradiction bits for the target round, which is identical to the block size. For each potential contradiction bit, store all the input differences which make the DTP of this bit 0 or 1; the same is done with all the output differences.

b) Utilize rotational invariant property to reduce the
number of rounds to make all the differences in Ω become searching space to 2 × 2 × 232 : Due to the rotation invariant
differentials. property for SIMON, any impossible differential distinguisher
Remark: (α0 , α1 ) ↛ (β0 , β1 ) is rotational invariant with another one
(1) In theory, Algorithm 2 is suitable for all the block (α0 ≪≪ r, α1 r) ↛ (β0 ≪≪ r, β1 ≪≪ r). All these
ciphers, and it is not limited to AND-RX ciphers. distinguishers are equivalent with each other. If we consider
(2) If the representative set can indeed represent all the the contradiction bits for these distinguishers, they are also
potential longest impossible differential distinguishers, the equivalent with each other. This property has been revealed
practical boundary is final and cannot be improved. However, in some previous literatures such as [26] and [38]. Based
if the representative set can only represent partial of the longest on this property, without loss of generality, we just need to
IDs, the derived boundary is only suitable for these partial consider the contradictions on the least significant bit of each
ones, whether it is final should be supplemented through trying branch. This strategy will further reduce the searching space
all the other non-represented ones. In general, for AND-RX to 2 × 2 × 232 . When compared this complexity with previous
cipher, most majority of the current longest IDs are constructed one, “32” in (1) is changed to “2” in (2). This is because any
based on low hamming weight input-output differences. contradiction bit at the left or right branch is equivalent from
(3) The Step 4 needs the help of an extra differential each other due to the rotational invariant property. So, for the
trail searching method. It can be implemented with many left and right branch, one case for each branch is enough as
approaches, such as traditional branch-and-bound method representatives for simplicity and this strategy will reduce the
or recently solver-based method. It does not matter which complexity by a factor of 16 from “32” to “2”.
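The split-and-check search of strategies (a) and (b), as an added example that is not part of the paper or of its released source code: it propagates single-bit truncated differences forward (partial encryption) and backward (partial decryption) through SIMON32 with a three-valued rule (0, 1, undetermined) for AND and XOR, looks for a direct contradiction in the middle state, and restricts the candidates to the 64 single-bit representatives that Proposition 3 below justifies (input bit at the LSB of either branch, output bit anywhere), so that the 2^32 enumeration of strategy (a) is not needed. The function names, the three-valued rules and the `forward`/`backward` split are this example's own; the MILP trail search of Algorithm 2 is not reproduced. Run as a script, it reports 11-round IDs but no 12-round one, in line with the 11-round length stated for SIMON32 in the text.

```python
"""Added example (not the paper's code): bit-level truncated-difference search
for direct-contradiction IDs on SIMON32 over the single-bit representatives."""

N = 16  # SIMON32 has two 16-bit branches


def rotl(x, r):
    """Rotate a 16-bit word left by r bits."""
    r %= N
    return ((x << r) | (x >> (N - r))) & 0xFFFF


def simon_f(x):
    """SIMON round function f(x) = (S^1(x) & S^8(x)) ^ S^2(x)."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)


def rotation_commutes(x, r):
    """Strategy (b) rests on f(S^r(x)) = S^r(f(x)); check it on a concrete word."""
    return simon_f(rotl(x, r)) == rotl(simon_f(x), r)


# A truncated difference is a tuple of N symbols: '0' (difference bit known
# to be 0), '1' (known to be 1) or '?' (undetermined).
ZERO = ('0',) * N


def single_bit(i):
    return tuple('1' if k == i else '0' for k in range(N))


def txor(a, b):
    """XOR of two truncated bits; any undetermined input gives '?'."""
    if a == '?' or b == '?':
        return '?'
    return '1' if a != b else '0'


def tand(a, b):
    """The AND output difference is fixed (to 0) only when both inputs are 0."""
    return '0' if a == '0' and b == '0' else '?'


def f_trunc(L):
    """Truncated propagation through f; bit i of S^j(x) is x[i - j]."""
    return tuple(txor(tand(L[(i - 1) % N], L[(i - 8) % N]), L[(i - 2) % N])
                 for i in range(N))


def forward(L, R, rounds):
    """Partial encryption: (L, R) -> (R ^ f(L), L); the round key cancels in the difference."""
    for _ in range(rounds):
        L, R = tuple(map(txor, R, f_trunc(L))), L
    return L, R


def backward(L, R, rounds):
    """Partial decryption: (L', R') -> (R', L' ^ f(R'))."""
    for _ in range(rounds):
        L, R = R, tuple(map(txor, L, f_trunc(R)))
    return L, R


def contradicts(enc_state, dec_state):
    """Direct contradiction: some bit is fixed to different values by the two halves."""
    return any(a != '?' and b != '?' and a != b
               for x, y in zip(enc_state, dec_state) for a, b in zip(x, y))


def to_state(branch, i):
    return (single_bit(i), ZERO) if branch == 'L' else (ZERO, single_bit(i))


def representatives():
    """Proposition 3: input bit at the LSB of either branch, output bit anywhere (2 x 32 = 64)."""
    return [(d_in, (br, i)) for d_in in (('L', 0), ('R', 0))
            for br in 'LR' for i in range(N)]


def find_ids(rounds):
    """Representative (input, output) pairs that are R-round IDs by direct contradiction,
    trying every split of R into encryption rounds and decryption rounds."""
    found = set()
    for d_in, d_out in representatives():
        for enc_rounds in range(rounds + 1):
            enc = forward(*to_state(*d_in), enc_rounds)
            dec = backward(*to_state(*d_out), rounds - enc_rounds)
            if contradicts(enc, dec):
                found.add((d_in, d_out))
    return sorted(found)


def longest_id_length(max_rounds):
    """Largest R <= max_rounds for which a representative ID exists (0 if none)."""
    return max((r for r in range(1, max_rounds + 1) if find_ids(r)), default=0)


if __name__ == "__main__":
    print("f commutes with rotation:", all(rotation_commutes(0xBEEF, r) for r in range(N)))
    print("11-round IDs:", find_ids(11))
    print("12-round IDs:", find_ids(12))
    print("longest single-bit ID on SIMON32:", longest_id_length(14), "rounds")
```

Because the input bit is already fixed to the LSB by rotation, checking all 32 middle bits here is equivalent, up to rotation, to strategy (b)'s check of only the least significant bit of each branch. The three-valued rule treats every AND output as undetermined unless both input differences are 0, which ignores correlations between bits and is therefore a sound over-approximation: a contradiction it reports is a real impossibility, but it may miss IDs that need the indirect contradiction model.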

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 70, NO. 8, AUGUST 2024
c) Simulation result: For SIMON32, all possible input and output differences are exhaustively searched with the above two strategies. The experimental environment is Microsoft Visual C++ (SP6) on an Intel(R) Core(TM) i7 CPU at 3.4 GHz with 4.0 GB RAM. The total time is about 5.6 hours. According to the truncated property of the middle round, the longest length is still 11 rounds, which validates the correctness of Proposition 2.

Proposition 3 (Representatives for IDs on SIMON32): Under the direct contradiction model, for SIMON32, 64 combinations of single-bit input and output differences contain the longest impossible differential distinguishers.

To search all possible combinations of single-bit differences for SIMON32, there are 32 × 32 combinations. However, according to the rotational invariant property, w.l.o.g., the single-bit input difference can be fixed to the least significant bit of the left or right branch, and these two cases represent all possible input differences. The single-bit output difference should be searched exhaustively, giving 32 cases. Altogether, 2 × 32 = 64 combinations are needed as representatives for the potential longest distinguishers.

To sum up, Proposition 2 shows that single-bit differences suffice to represent the longest impossible differential distinguishers, and Proposition 3 further decreases the number of combinations to be considered. If all these potential longest distinguishers are validated to be concrete differentials, a practical boundary for SIMON can be derived.

2) Approaching the Combinations With Concrete Differential Trails for SIMON32: In this section, all the potential combinations are verified with concrete differential trails. For each combination, if at least one differential trail exists, it is not an impossible differential distinguisher. If all 64 combinations are validated to be concrete differentials and the round number is minimal, the practical boundary of the impossible differential distinguishers is derived.

As the provable security boundary of SIMON32 under direct contradiction is 12 and 11-round IDs have been discovered, the experimental verification for SIMON32 starts from 12 rounds. All 64 potential representatives are proven to be valid differentials (the lower boundaries are illustrated in Table VIII, and the concrete details of each differential trail are presented in Appendix C of the supplementary material), which means the provable security boundary of 12 rounds for SIMON32 against IDs is practical and cannot be improved.

3) Verifications for Other SIMON Variants: Due to the structural similarity of the different variants, supposing single-bit differences are always the representatives of the potential longest IDs, this approach can also be applied to the other SIMON variants. The results are summarized in Table IX.

C. Discussion

For all the 10 variants of SIMON and for Simeck32, the provable security boundary for direct contradiction has already reached the practical boundary, and this boundary is unlikely to be improved. It is hoped that the provable security boundary of direct contradiction is tight for most AND-RX ciphers when compared with the practical boundary.

For Simeck48 and Simeck64, there is a gap between the provable security boundary of direct contradiction and the practical boundary. However, this gap has been filled by the method of indirect contradiction, and the longest impossible differential distinguishers derived with indirect contradiction have reached the practical upper bound. We have experimentally verified that for Simeck48/64 the practical boundary for the longest impossible differential distinguishers is 15/17, which has been reached by the indirect contradiction model.

To validate the effectiveness of our automatic ID searching method, we output those input-output differences for which no valid differential trail can be found at the number of rounds of the practical boundary; they perfectly match the IDs derived with Algorithm 1. This also serves as evidence for the accuracy of our automatic searching method.

However, there are still some issues and open problems to be addressed, as follows.
(1) The transfer of the priority of single-bit IDs from SIMON32 (Proposition 2) to larger variants rests on the larger variants inheriting the same round function. This deduction is reasonable but maybe not so smooth. With a supercomputer, some larger variants such as SIMON48 or SIMON64 could be experimentally verified with our method for SIMON32. However, for SIMON96 or SIMON128, this seems not achievable at present.
(2) The single-bit priority is based on the direct contradiction model. In most cases an indirect contradiction will not occur; however, a method is needed to judge whether an indirect contradiction occurs, which is left as an open problem.
(3) The provable security boundary for indirect contradiction is not as tight as the boundary for direct contradiction, which is another potential research direction.

In the future, for some block ciphers, it seems hard to derive longer IDs beyond the provable security boundary. But it is still possible to propose more contradiction construction methods beyond the (in)direct contradiction model and discover more distinguishers. In addition, for those block ciphers that do not reach the provable security boundary, the automatic searching method of Algorithm 1 can be used to derive longer IDs and better attacks accordingly.

VI. CONCLUSION

In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. First, a method to calculate the provable security boundaries of AND-RX ciphers under direct contradiction and indirect contradiction is proposed. These boundaries can be efficiently computed without actual input and output differences. To derive longer impossible differential distinguishers, an automatic searching method is proposed, which can discover all the possible (in)direct contradictions based on the truncated differential property. For validation, four cipher families, SIMON, Simeck, Friet-PC and SAND, are analyzed


with this security evaluation framework. The results indicate that some ciphers have reached the provable security boundary while others have not. For Friet-PC and SAND, which do not reach the boundary, the automatic searching method is utilized to discover longer impossible differential distinguishers. Finally, a method to calculate the practical boundary is presented. As an application, the practical boundary of SIMON is investigated, and the result implies that our provable security boundary already matches the practical boundary well.

∗ The core source code is uploaded to: https://pan.baidu.com/s/1_OGBsiKaGT5FYqMVCRcvHA?pwd=yjjb

REFERENCES

[1] L. Knudsen, “DEAL—A 128-bit block cipher,” Complexity, vol. 258, no. 2, p. 216, 1998.
[2] E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 1999, pp. 12–23.
[3] R. Beaulieu, S. Treatman-Clark, D. Shors, B. Weeks, J. Smith, and L. Wingers, “The Simon and SPECK lightweight block ciphers,” in Proc. 52nd ACM/EDAC/IEEE Design Autom. Conf. (DAC), Jun. 2015, pp. 1–6.
[4] G. Yang, B. Zhu, V. Suder, M. D. Aagaard, and G. Gong, “The Simeck family of lightweight block ciphers,” in Proc. Int. Workshop Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer, 2015, pp. 307–329.
[5] C. D. Canniere, “TRIVIUM: A stream cipher construction inspired by block cipher design principles,” in Proc. Int. Conf. Inf. Secur. Berlin, Germany: Springer, 2006, pp. 171–186.
[6] M. Hell, T. Johansson, and W. Meier, “Grain: A stream cipher for constrained environments,” Int. J. Wireless Mobile Comput., vol. 2, no. 1, pp. 86–93, 2007.
[7] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, “Keccak,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 2013, pp. 313–314.
[8] T. Simon et al., “FRIET: An authenticated encryption scheme with built-in fault detection,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn., 2020, pp. 581–611.
[9] H. Wu. (2016). Acorn V3. Submission to CAESAR Competition. [Online]. Available: https://personal.ntu.edu.sg/wuhj/research/caesar/acorn/DIAC_2016_ACORN.pdf
[10] H. Wu and T. Huang. (2019). TinyJAMBU: A Family of Lightweight Authenticated Encryption Algorithms. Submission to the NIST Lightweight Cryptography Competition. [Online]. Available: https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/TinyJAMBU-spec.pdf
[11] J. Kim, S. Hong, J. Sung, S. Lee, J. Lim, and S. Sung, “Impossible differential cryptanalysis for block cipher structures,” in Proc. Int. Conf. Cryptol. India. Berlin, Germany: Springer, 2003, pp. 82–96.
[12] J. Kim, S. Hong, and J. Lim, “Impossible differential cryptanalysis using matrix method,” Discrete Math., vol. 310, no. 5, pp. 988–1002, 2010.
[13] Y. Luo, X. Lai, Z. Wu, and G. Gong, “A unified method for finding impossible differentials of block cipher structures,” Inf. Sci., vol. 263, pp. 211–220, Apr. 2014.
[14] S. Wu and M. Wang, “Automatic search of truncated impossible differentials for word-oriented block ciphers,” in Proc. Int. Conf. Cryptol. India. Berlin, Germany: Springer, 2012, pp. 283–302.
[15] B. Sun et al., “Links among impossible differential, integral and zero correlation linear cryptanalysis,” in Proc. Annu. Cryptol. Conf. Berlin, Germany: Springer, 2015, pp. 95–115.
[16] P. Derbez and P.-A. Fouque, “Automatic search of meet-in-the-middle and impossible differential attacks,” in Proc. Annu. Int. Cryptol. Conf. Berlin, Germany: Springer, 2016, pp. 157–184.
[17] X. Shen, R. Li, B. Sun, L. Cheng, C. Li, and M. Liao, “Dual relationship between impossible differentials and zero correlation linear hulls of SIMON-like ciphers,” in Proc. Int. Conf. Inf. Secur. Pract. Exp. Cham, Switzerland: Springer, 2017, pp. 237–255.
[18] K. Zhang, J. Guan, and B. Hu, “Automatic search of impossible differentials and zero-correlation linear hulls for ARX ciphers,” China Commun., vol. 15, no. 2, pp. 54–66, Feb. 2018.
[19] T. Cui, S. Chen, K. Fu, M. Wang, and K. Jia, “New automatic tool for finding impossible differentials and zero-correlation linear approximations,” Sci. China Inf. Sci., vol. 64, no. 2, pp. 1–3, Feb. 2021.
[20] B. Sun, M. Liu, J. Guo, V. Rijmen, and R. Li, “Provable security evaluation of structures against impossible differential and zero correlation linear cryptanalysis,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 2016, pp. 196–213.
[21] G. Han, W. Zhang, and H. Zhao, “An upper bound of the longest impossible differentials of several block ciphers,” KSII Trans. Internet Inf. Syst., vol. 13, no. 1, pp. 435–451, 2019.
[22] Y. Sasaki and Y. Todo, “New impossible differential search tool from design and cryptanalysis aspects,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Cham, Switzerland: Springer, 2017, pp. 185–215.
[23] Y. Todo and M. Morii, “Bit-based division property and application to SIMON family,” in Proc. Int. Conf. Fast Softw. Encryption. Berlin, Germany: Springer, 2016, pp. 357–377.
[24] S. Wang, B. Hu, J. Guan, K. Zhang, and T. Shi, “MILP-aided method of searching division property using three subsets and applications,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Cham, Switzerland: Springer, 2019, pp. 398–427.
[25] Z. Xiang, W. Zhang, Z. Bao, and D. Lin, “Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2016, pp. 648–678.
[26] Q. Wang, Z. Liu, K. Varıcı, Y. Sasaki, V. Rijmen, and Y. Todo, “Cryptanalysis of reduced-round SIMON32 and SIMON48,” in Proc. Int. Conf. Cryptol. India. Cham, Switzerland: Springer, 2014, pp. 143–160.
[27] K. Zhang, J. Guan, B. Hu, and D. Lin, “Integral cryptanalysis on Simeck,” in Proc. 6th Int. Conf. Inf. Sci. Technol. (ICIST), May 2016, pp. 216–222.
[28] S. Sadeghi and N. Bagheri, “Improved zero-correlation and impossible differential cryptanalysis of reduced-round SIMECK block cipher,” IET Inf. Secur., vol. 12, no. 4, pp. 314–325, Jul. 2018.
[29] B.-Z. Su, W.-L. Wu, and W.-T. Zhang, “Security of the SMS4 block cipher against differential cryptanalysis,” J. Comput. Sci. Technol., vol. 26, no. 1, pp. 130–138, Jan. 2011.
[30] S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, and L. Song, “Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2014, pp. 158–178.
[31] M. Aagaard, R. AlTawy, G. Gong, K. Mandal, and R. Rohit, “ACE: An authenticated encryption and hash algorithm,” Submission NIST-LWC, Gaithersburg, MD, USA, Tech. Rep., 2019.
[32] R. AlTawy, G. Gong, M. He, K. Mandal, and R. Rohit, “Spix: An authenticated cipher submission to the NIST LWC competition,” Submitted to NIST Lightweight Standardization Process, Gaithersburg, MD, USA, Tech. Rep., 2019.
[33] R. AlTawy. (2019). SpoC: An Authenticated Cipher Submission to the NIST LWC Competition. [Online]. Available: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/spoc-spec-round2.pdf
[34] S. Chen et al., “SAND: An AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations,” Des., Codes Cryptogr., vol. 90, no. 1, pp. 155–198, Jan. 2022.
[35] F. Le Gall, “Powers of tensors and fast matrix multiplication,” in Proc. 39th Int. Symp. Symbolic Algebr. Comput., Jul. 2014, pp. 296–303.
[36] R. Ito, R. Shiba, K. Sakamoto, F. Liu, and T. Isobe, “Bit-wise cryptanalysis on AND-RX permutation Friet-PC,” J. Inf. Secur. Appl., vol. 59, Jun. 2021, Art. no. 102860.
[37] Y. Liu, S. Sun, and C. Li, “Rotational cryptanalysis from a differential-linear perspective,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Cham, Switzerland: Springer, 2021, pp. 741–770.
[38] K. Zhang, “Research on the security evaluation against mixed operation based cipher model,” Ph.D. dissertation, Dept. Appl. Math., Inf. Eng. Univ., Henan, China, 2016.
[39] R. AlTawy, R. Rohit, M. He, K. Mandal, G. Yang, and G. Gong, “sLiSCP: Simeck-based permutations for lightweight sponge cryptographic primitives,” in Proc. Int. Conf. Sel. Areas Cryptogr. Cham, Switzerland: Springer, 2017, pp. 129–150.


[40] K. Zhang, X. Lai, L. Wang, J. Guan, and B. Hu, “A revisited security evaluation of Simeck family ciphers against impossible differential cryptanalysis,” Sci. China Inf. Sci., vol. 66, no. 3, Mar. 2023, Art. no. 139106.
[41] C. Boura, M. Naya-Plasencia, and V. Suder, “Scrutinizing and improving impossible differential attacks: Applications to CLEFIA, Camellia, LBlock and Simon,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2014, pp. 179–199.
[42] X. Wang, B. Wu, L. Hou, and D. Lin, “Searching for impossible subspace trails and improved impossible differential characteristics for SIMON-like block ciphers,” Cybersecurity, vol. 4, no. 1, pp. 1–14, Dec. 2021.
[43] S. Wang, D. Feng, B. Hu, J. Guan, and T. Shi, “Practical attacks on full-round FRIET,” IACR Trans. Symmetric Cryptol., vol. 2022, no. 4, pp. 105–119, Dec. 2022.
[44] K. Zhang et al., “Rotational-XOR differential cryptanalysis and an automatic framework for AND-RX ciphers,” IEEE Trans. Inf. Theory, vol. 69, no. 2, pp. 1282–1294, Feb. 2023.

Kai Zhang received the M.S. and Ph.D. degrees in cryptology from PLA SSF Information Engineering University, China, in 2013 and 2016, respectively. He was a Post-Doctoral Fellow with Shanghai Jiao Tong University. He is currently an Instructor with PLA SSF Information Engineering University. His works have been published in several refereed journals. He has been serving as a referee for several international journals in the areas of information security and cryptology. His research interests include cryptography and cryptanalysis.

Senpeng Wang was born in Henan, China. He received the B.E., M.S., and Ph.D. degrees from PLA SSF Information and Engineering University in 2014, 2017, and 2020, respectively. His research interests include information security and cryptology.

Xuejia Lai received the Ph.D. degree from the Swiss Federal Institute of Technology, Zurich, in 1992. He is currently a Professor with Shanghai Jiao Tong University and an IACR Fellow. He is also a co-designer of the IDEA block cipher, proposed the concepts of Markov cipher, higher-order differentials, and free-start attacks on hash functions, developed a DNA algorithm for computing discrete logarithms, and proposed a public-key system using DNA-chip. He has served as the General Chair for Asiacrypt 2012, the PC Chair for Asiacrypt 2006, ISC 2011, and AsiaCCS 2012, a PC member for about 100 conferences, and an editor for three ISO standards. He is an Editor of JCST and JISE.

Lei Wang received the Ph.D. degree from The University of Electro-Communications in 2011. He is currently an Associate Professor with Shanghai Jiao Tong University, China. His research interests are symmetric-key cryptography, including block cipher, hash function, and message authentication code.

Jie Guan received the Ph.D. degree in cryptography from PLA SSF Information Engineering University in 2004. She is currently a Professor with PLA SSF Information Engineering University, China. Her main research interests are cryptography, information systems, the theory of cryptography, and quantum computation.

Bin Hu received the Ph.D. degree in cryptography from PLA SSF Information Engineering University, China, in 2008. He is currently a Professor with PLA SSF Information Engineering University. His main research interests are Boolean functions, information security, and cryptology.

Tairong Shi received the Ph.D. degree from PLA SSF Information and Engineering University, Zhengzhou, China, in 2021. Her research interests include symmetric cryptography and quantum cryptanalysis.
