Bounding the length of impossible differentials for SPN block ciphers
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2021-09-06, DOI: 10.1007/s10623-021-00932-1
Qian Wang, Chenhui Jin

Evaluating the security of a block cipher against impossible differential cryptanalysis is an important part of the design process. The maximum length of impossible differentials is often used to evaluate this security. Many methods have been proposed for giving upper bounds on the length of impossible differentials or for finding longer impossible differentials. Two notable examples are the “Primitive Index” method proposed by Sun et al. at EUROCRYPT 2016 and the MILP method proposed by Sasaki et al. at EUROCRYPT 2017. However, these existing methods can only give upper bounds for some special SPN block ciphers, or cannot give upper bounds at all because of their high time complexity. In this paper, we show that when the differential property of the underlying S-box is ignored, giving upper bounds on the length of impossible differentials is a linear problem. Using linear algebra, we propose the Expansion Index of the linear layer, with which we can give upper bounds on the length of impossible differentials for any SPN block cipher with the details of the S-box omitted. The core of this method is establishing and solving systems of linear equations, so the verification of a single differential has linear time complexity. Moreover, to give upper bounds with this method, we only need to establish and solve systems for differentials whose input and output differences have only one active S-box, which greatly reduces its time complexity from \(O(2^t)\) to \(O(t)\) (here \(t\) denotes the number of S-boxes in the S-layer). The method in this paper is implemented in C and encapsulated into a tool freely available to readers. By applying our method to some SPN block ciphers, we give, for the first time, upper bounds on the length of impossible differentials for Midori, Skinny, CRYPTON, mCrypton, and Minalpher.




Updated: 2021-09-07