Quantum Automated Tools for Finding Impossible Differentials

Abstract

Due to the superiority of quantum computing, traditional cryptography is facing a severe threat. This makes the security evaluation of cryptographic systems in quantum attack models both significant and urgent. For symmetric ciphers, the security analysis heavily relies on cryptanalysis tools. Thus, exploring the use of quantum algorithms in traditional cryptanalysis tools has garnered considerable attention. In this study, we utilize quantum algorithms to improve impossible differential attacks and design two quantum automated tools to search for impossible differentials. The proposed quantum algorithms exploit the idea of miss-in-the-middle and the properties of truncated differentials. We rigorously prove their validity and calculate the quantum resources required for their implementation. Compared to the existing classical automated cryptanalysis, the proposed quantum tools have the advantage of accurately characterizing S-boxes while only requiring polynomial complexity, and can take into consideration the impact of the key schedules in a single-key model.

1. Introduction

The development of quantum computers has progressed steadily. As soon as quantum computers are successfully built, traditional cryptography will be severely threatened. By utilizing Shor’s algorithm [1], adversaries possessing quantum computers can break public key cryptosystems built on the integer factorization problem, such as the RSA scheme widely used in secure communication. Apart from public key cryptography, studies on the cryptanalysis of symmetric cryptography against quantum adversaries have also achieved many outstanding results. By utilizing Grover’s algorithm, one can achieve a quadratic speed-up when searching unordered databases [2]. Therefore, to restore the same ideal security as that in a classical setting, the key lengths of symmetric ciphers must be doubled in the quantum setting.

The exhaustive attack can only evaluate the ideal security margin of cryptographic schemes. To accurately grasp the quantum security of currently used symmetric schemes, we also need to investigate other possible quantum attacks. In this direction, Simon’s algorithm [3] is frequently used. Kuwakado and Morri first applied Simon’s algorithm to attack the Feistel structure and proposed a three-round quantum distinguisher [4]. Then they also attacked the Even–Mansour cipher using a similar idea and successfully recovered the key [5]. The authors of [6] forged messages of the CBC-MAC scheme using the method presented in [4]. Kaplan et al. also further developed the results in [4] and attacked several symmetric systems, including GCM, PMAC, and CLOC [7]. Both [6,7] proved the correctness of the quantum distinguisher even if the Feistel structure has round functions that are not permutations.

Leander and Alexander embedded Simon’s algorithm into Grover’s algorithm in order to identify the correct key of the FX structure [8]. Following this attack strategy, Dong and Wang broke Feistel schemes and obtained the key using the quantum distinguisher shown in [4]. Afterward, they applied the same strategy to extract the key of the generalized Feistel cipher [9,10]. The above attacks were all implemented under the quantum version of the chosen plaintext model, also known as the $Q_2$ model [11,12,13]. In this attack model, the cryptographic oracle can be queried with superposition states. The authors of [14] studied quantum-related-key notions in which quantum adversaries can use superposition states of related keys to query oracles. Hosoyamada et al. then further investigated quantum-related-key notion and recovered the key of the two-round Even–Mansour algorithm [15]. Jaques et al. analyzed the complexity of Grover’s algorithm when attacking AES [16].

Apart from specific quantum attacks, studying quantum versions of cryptanalysis tools (such as integral, differential, and linear analyses) is also essential. Zhou et al. utilized Grover’s algorithm for differential attacks [17]. Kaplan et al. subsequently used Grover’s algorithm to enhance some variants of differential attacks and linear attacks [18]. Xie et al. made use of the Bernstein–Vazirani algorithm to search for high-probability differentials [17]. The authors of [19] implemented quantum collision attacks on Whirlpool and AES-MMO schemes via differential characteristics. Dong et al. enhanced truncated differential analysis through quantum algorithms and broke the Gr$\cancel{o}$stl-512 scheme and the AES-MMO cipher [20].

Our contributions. In this paper, we study the applications of Simon’s algorithm to cryptanalysis tools for symmetric ciphers. We bring the superiority of quantum computing into traditional impossible differential analysis, and design quantum automated tools to search for impossible differentials. First, we propose a basic quantum algorithm that can find impossible differentials by imitating the classical impossible differential technique. Subsequently, by allowing the differentials to be truncated, we present another improved quantum algorithm. We provide the correctness proofs for the proposed algorithms and evaluate their quantum complexities. The proposed quantum tools offer several advantages, as follows:

• The quantum algorithms can be implemented in the Q1 attack model, without any query to the quantum encryption or decryption oracle. In contrast, many other quantum attacks [4,5,6,7,9,10] require adversaries to perform quantum queries with superposition states. Our quantum tools are much easier to realize and, thus, more practical.
• Classical automated impossible differential cryptanalysis tools include the UID tool [21], U-tool [22], WW-tool [23], MILP tool [24], and SAT tool [25]. When faced with large-scale S-boxes, these classical automated tools either do not describe the construction of S-boxes and simply treat them as bijections or only describe the reduced differential distribution table of S-boxes. So far, there is no classical automated tool that can fully characterize large-scale S-boxes. Even in the case where S-boxes are only partially described, the searching space usually expands rapidly as the number of rounds increases, making it impossible to search many rounds. Our quantum automated tools fully leverage the parallel advantages of quantum computing, allowing for the complete characterization of S-boxes while maintaining complexity within polynomial time. They can fully characterize any nonlinear functions, and the complexity increases linearly with respect to the number of rounds.
• Most classical automated impossible differential cryptanalysis tools cannot take the key schedule into account in a single-key model. However, our tools include the key schedule when implementing the quantum circuit of encryption, allowing the impact of the key schedule on differential propagation types to be fully considered. Specifically, in a related-key model [26], the attacker can introduce a key differential so that the propagation of this differential in both the key schedule and encryption process is accounted for when searching for impossible differentials. This approach provides a more accurate characterization of differential propagation and helps identify more or longer impossible differentials. However, the single-key model is more practical and more commonly used since the related key model requires too much power from the attacker. In a single-key model, the master key is not allowed to introduce a differential to the key. Therefore, most classical automated tools for searching distinguishers ignore the impact of the key schedule and simply treat the subkeys of different rounds as independent constants. The process of searching for distinguishers lacks the analysis of key schedules. In contrast, although our quantum tools are also in a single-key model, they treat the entire encryption algorithm, including the key schedule, as a black box, and the state of the master key is a part of the input. The encryption of the input superposition state includes the calculation of the key schedule. All subkeys are obtained by running the key schedule on the master key. Thus, the connection between different subkeys is fully considered, which helps to accurately characterize the differential propagation.

Comparison with related works. A periodic function constructed based on a block cipher will yield a quantum distinguisher when combined with Simon’s algorithm [4,5,6,7]. Owing to this, Xiang et al. proposed a classical algorithm for constructing periodic functions using existing probability-1 truncated differentials and applied this method to two block ciphers [27]. The algorithm they designed to identify periodic functions is a classical algorithm. Their method does not involve searching for truncated differentials, but only uses truncated differentials that already exist to construct periodic functions. In contrast, we study how to utilize quantum algorithms to identify impossible differentials. To achieve this goal, we construct a quantum algorithm for probability-1 truncated differentials based on Simon’s algorithm. Our work has different goals from those of [27]. One is to identify impossible differentials, whereas the other is to construct periodic functions. The methods used are also different. One uses classical algorithms, whereas the other uses quantum algorithms.

2. Preliminaries

We present a simple overview of the necessary concepts and their related results.

2.1. Quantum Attack Models

$n,m$ are two arbitrary positive integers. $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ is a Boolean function. If the unitary operation

$$U_F:\sum _{x,y}|x\rangle |y\rangle \to \sum _{x,y}|x\rangle |y\oplus F\left(x\right)\rangle ,$$

(1)

is realized by a quantum circuit, we say that this circuit evaluates F quantumly. Any vectorial Boolean function can be evaluated by a quantum circuit constructed with gates in a finite but universal set of unitary gates. Such a set is referred to as a universal gate set [28]. For example, the phase gate S, Hadamard gate H, non-Clifford gate T, and controlled-NOT quantum gate $CNOT$ form a universal gate set. Each gate in this set is calculated as a single operation. For any vectorial Boolean function F, let the notation $|U_F|$ denote the number of quantum universal gates required to implement $U_F$.

Two common attack models for adversaries are considered when analyzing the quantum security of cryptographic primitives [12]. One is the Q1 attack model, where adversaries can utilize quantum computers to perform offline computations but can only make classical online queries. The other is the Q2 attack model, where adversaries can also execute quantum queries. Specifically, a Q2 adversary can also make queries to cryptographic primitives with inputs in superposition states and obtain the quantum states of their outputs. The Q2 attack model is stricter in terms of the adversaries’ ability because querying the quantum oracles of cryptographic systems is usually not easy to realize in practice.

2.2. Simon’s Algorithm

Given $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ and a private vector $s\in {\mathbb{F}}_2^n$ satisfying

$$[F\left(x_1\right)=F\left(x_2\right)]\iff [x_1\oplus x_2\in \{0^n,s\}],\forall x_1,x_2\in {\mathbb{F}}_2^n,$$

Simon’s algorithm [3] was originally used to solve the period s. If a function has such a period, we say that it meets Simon’s promise. Finding s requires at least $O\left(2^{n/2}\right)$ classical queries when using classical algorithms, whereas Simon’s algorithm only requires $O\left(n\right)$ quantum queries. With the quantum circuit of F, Simon’s algorithm requires repeating the steps below:

1.

Prepare an $(n+m)$-qubit quantum state $|0^n\rangle |0^m\rangle$. We apply the Hadamard transform $H^{\otimes n}$ to the left register, obtaining the following:

$${\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\mathbb{F}}_2^n}|x\rangle |0^m\rangle .$$

2.

We implement the unitary operator $U_F$ of F and obtain the following state:

$${\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\mathbb{F}}_2^n}|x\rangle |F\left(x\right)\rangle .$$

3.

We measure the last register to obtain a vector $F\left(z\right)$; subsequently, the remaining registers will be as follows:

$${\displaystyle \frac{1}{\sqrt{2}}}\left(\right|z\rangle +|z\oplus s\rangle ).$$

4.

We perform Hadamard operators $H^{\otimes n}$ on the above state, obtaining the following:

$${\displaystyle \frac{1}{\sqrt{2^{n+1}}}}\sum _{\gamma \in {\mathbb{F}}_2^n}{(-1)}^{\gamma ·z}[1+{(-1)}^{\gamma ·s}]|\gamma \rangle .$$

5.

We measure this state. If a vector $\gamma$ satisfies $\gamma ·s=1$, its amplitude must be 0. The measurement result $\gamma$ always satisfies $\gamma ·s=0$.

The process of Simon’s algorithm involves repeating the above subroutine $O\left(n\right)$ times, yielding $n-1$ vectors that are perpendicular to s and are linearly independent. Using linear algebraic knowledge, we can easily compute s.

A quantum circuit illustration of Simon’s subroutine (steps 1–5) is shown in Figure 1. Running steps 1–5 requires $2n$ Hadamard operators and 1 execution of the unitary operator $U_F$. Therefore, there are $m+n$ qubits and $O(2n^2+n|U_F\left|\right)$ gates in total in Simon’s algorithm when run on F.

In the cryptanalysis scenario, it is not always easy to construct a Boolean function that satisfies Simon’s promise. Even if a periodic function is constructed, unwanted collisions not caused by this period may occur. Kaplan et al. relaxed Simon’s promise and proved the following theorem [7].

Theorem 1

([7]). If $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ satisfies $ϵ(F,s)\le e_0<1$ for a period $s\in {\mathbb{F}}_2^n$ and some constant $e_0$, where we have the following:

$$ϵ(F,s)=\underset{t\in {\mathbb{F}}_2^n\backslash \{0^n,s\}}{max}\underset{x}{Pr}[F(x\oplus t)=F\left(x\right)],$$

then by repeating the subroutine $cn$ times, the probability that Simon’s algorithm returns s is not less than $1-{(2{({\displaystyle \frac{1+e_0}{2}})}^c)}^n$.

2.3. Linear Structure

We will transform the problem of seeking impossible differentials into a problem of seeking linear structures.

Definition 1

([29]). Given a function $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$, $a\in {\mathbb{F}}_2^n$ is named a linear structure if we have the following:

$$\begin{array}{c}\hfill F(x\oplus a)\oplus F\left(x\right)=b,\forall x\in {\mathbb{F}}_2^n\end{array}$$

(2)

for some vector $b\in {\mathbb{F}}_2^m$. In other words, $F(x\oplus a)\oplus F\left(x\right)$ is constant.

For any $a\in {\mathbb{F}}_2^n$, $b\in {\mathbb{F}}_2^m$ satisfying Equation (2), we refer to the pair $(a,b)$ as F’s linear structure duad. If b is a zero vector $0^m$, then a is called F’s period. If $(a_1,b_1)$, $(a_2,b_2)$ are two linear structure duads of F, then we have the following:

$$F(x\oplus a_1\oplus a_2)\oplus F\left(x\right)=F(x\oplus a_1)\oplus b_2\oplus F\left(x\right)=b_1\oplus b_2.$$

Thus, $(a_1,b_1)\oplus (a_2,b_2)$ remains as one of F’s linear structure duad. All of F’s linear structure duads form a subspace within the vector space ${\mathbb{F}}_2^{n+m}$. This subspace is referred to as the linear structure space and is denoted by $L_F$.

For any vectors $v\in {\mathbb{F}}_2^m,u\in {\mathbb{F}}_2^n$, if there is $x\in {\mathbb{F}}_2^n$ satisfying $F\left(x\right)\oplus F(u\oplus x)=v$, then $(u,v)$ is said to make a “match” of F at x. Being a linear structure duad is equivalent to causing matches of F at all points $x\in {\mathbb{F}}_2^n$.

3. A Basic Quantum Tool for Finding Impossible Differentials

We present a universal quantum algorithm that finds impossible differentials of an arbitrary block cipher. The main idea is to use probability-1 differentials to construct impossible differentials. Since probability-1 differentials of an encryption function are also its linear structure duads, we can find them by constructing a quantum algorithm that finds linear structure duads. We first show a quantum algorithm that finds linear structure duads; based on this algorithm, we propose a basic quantum tool for impossible differentials.

3.1. Finding Linear Structure Duads via Simon’s Algorithm

$L_F$ is the linear structure space of function $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ as defined in Section 2.3. Namely,

$$L_F=\{(a,b)\in {\mathbb{F}}_2^n\times {\mathbb{F}}_2^m|F\left(x\right)\oplus F(x\oplus a)=b,\forall x\in {\mathbb{F}}_2^n\}.$$

We aim to obtain $L_F$. The value of m does not need to be equal to n. We define a new function as follows:

$$\begin{array}{cc}\hfill G:{\mathbb{F}}_2^n\times {\mathbb{F}}_2^m& \to {\mathbb{F}}_2^m\hfill \\ \hfill (x,y)& \to F\left(x\right)\oplus y.\hfill \end{array}$$

(3)

For any duad $(a,b)\in {\mathbb{F}}_2^n\times {\mathbb{F}}_2^m$, if $(a,b)$ is G’s period, it will also be F’s linear structure duad. Therefore, F’s linear structure duads can be found using Simon’s algorithm. Based on this analysis, we propose Algorithm 1, referred to as FindStruct, which is used to identify linear structure duads, as follows:

Algorithm 1 Algorithm FindStruct

Input: a parameter c and the access to the quantum unitary operator $U_F$ of a function $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$. Output: the linear structure space $L_F$.   1: for $i=1$ to $c(n+m)$ do   2:     Prepare an $(n+2m)$-qubit state $|0^n\rangle |0^m\rangle |0^m\rangle$ and implement the Hadamard gate $H^{\otimes (n+m)}$, obtaining $$|{\mathrm{\Psi }}_1\rangle ={\displaystyle \frac{1}{\sqrt{2^{n+m}}}}\sum _{x\in {\mathbb{F}}_2^n,y\in {\mathbb{F}}_2^m}|x\rangle |y\rangle |0^m\rangle .$$   3:     Use the unitary operator $U_F$ to obtain the state $$|{\mathrm{\Psi }}_2\rangle ={\displaystyle \frac{1}{\sqrt{2^{n+m}}}}\sum _{x\in {\mathbb{F}}_2^n,y\in {\mathbb{F}}_2^m}|x\rangle |y\rangle |F\left(x\right)\rangle .$$   4:     Apply CNOT operators to the last two registers to obtain the state $$|{\mathrm{\Psi }}_3\rangle ={\displaystyle \frac{1}{\sqrt{2^{n+m}}}}\sum _{x\in {\mathbb{F}}_2^n,y\in {\mathbb{F}}_2^m}|x\rangle |y\rangle |F\left(x\right)\oplus y\rangle .$$   5:     Measure the rightmost register to obtain a value $z\in {\mathbb{F}}_2^m$, then there exist vectors $x_0\in {\mathbb{F}}_2^n$, $y_0\in {\mathbb{F}}_2^m$ such that $F\left(x_0\right)\oplus y_0=z$. Thus, the two leftmost registers are collapsed into the following: $${\displaystyle \frac{1}{\sqrt{|S_z|}}}\sum _{(x,y)\in S_z}|x\rangle |y\rangle ,$$ (4)  where $S_z=\{(x,y)\in {\mathbb{F}}_2^{n+m}|F\left(x\right)\oplus y=z\}$.   6:     Implement the Hadamard gate $H^{\otimes (n+m)}$ on the above state to obtain $${\displaystyle \frac{1}{\sqrt{|S_z|2^{n+m}}}}\sum _{{\displaystyle \genfrac{}{}{0pt}{}{{\gamma }_1\in {\mathbb{F}}_2^n}{{\gamma }_2\in {\mathbb{F}}_2^m}}}\sum _{(x,y)\in S_z}{(-1)}^{x·{\gamma }_1\oplus y·{\gamma }_2}|{\gamma }_1\rangle |{\gamma }_2\rangle ,$$     then measure this state to obtain a vector ${\gamma }^{\left(i\right)}\in {\mathbb{F}}_2^{n+m}$.   7: end for   8: After obtaining the vectors ${\gamma }^{\left(1\right)},{\gamma }^{\left(2\right)},\cdots ,{\gamma }^{\left(c\right(m+n\left)\right)}\in {\mathbb{F}}_2^{n+m}$ by steps 1–7, solve the following linear equation $$\left\{\begin{array}{c}{\gamma }^{\left(1\right)}·(x,y)=0\hfill \\ {\gamma }^{\left(2\right)}·(x,y)=0\hfill \\ ⋮\hfill \\ {\gamma }^{\left(c\right(m+n\left)\right)}·(x,y)=0,\hfill \end{array}\right.$$ (5) where $(x,y)\in {\mathbb{F}}_2^n\times {\mathbb{F}}_2^m$ are unknowns, and output its solution space.

The quantum computing part of the FindStruct algorithm involves repeating steps 2–6 independently for $c(m+n)$ times. We refer to steps 2–6 as the FindStruct subroutine. Its quantum circuit is shown in Figure 2. Steps 1–7 involve executing Simon’s subroutine $c(m+n)$ times on $G(x,y)=F\left(x\right)\oplus y$ to independently obtain $c(m+n)$ vectors ${\gamma }^{\left(1\right)},\cdots ,{\gamma }^{\left(c\right(m+n\left)\right)}$. We expect that, as with the original Simon’s algorithm, the periods of G are orthogonal to ${\gamma }^{\left(1\right)},\cdots ,{\gamma }^{\left(c\right(m+n\left)\right)}$; thus, we can obtain the periods of G by solving Equation (5), which are also linear structure duads of F. Theorem 1 provides the conditions for Simon’s algorithm to output the periods. Therefore, for the FindStruct algorithm to successfully output $L_F$, the G function must satisfy this condition. However, G may have more than one period since function F may have more than one linear structure duad, or the length of G’s output may not be equal to that of the input. Therefore, simply applying Theorem 1 is insufficient to justify the soundness of the FindStruct algorithm. To address this, we define a new parameter, $\theta (·)$. Function $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ is defined as follows:

$$\begin{array}{cc}\hfill \theta \left(F\right)=& {\displaystyle \underset{{\displaystyle \genfrac{}{}{0pt}{}{a\in {\mathbb{F}}_2^{n}b\in {\mathbb{F}}_2^m}{(a,b)\notin L_F}}}{max}}{\mathrm{Pr}}_x\left[F\left(x\right)\oplus F(x\oplus a)=b\right]\hfill \\ \hfill =& {\displaystyle \underset{{\displaystyle \genfrac{}{}{0pt}{}{a\in {\mathbb{F}}_2^{n}b\in {\mathbb{F}}_2^m}{(a,b)\notin L_F}}}{max}}{\displaystyle \frac{1}{2^n}}|\{x\in {\mathbb{F}}_2^n|F\left(x\right)\oplus F(x\oplus a)=b\}|.\hfill \end{array}$$

(6)

It is obvious that $0\le \theta \left(F\right)<1$. If $(a,b)$ is in $L_F$; that is, if it is F’s linear structure duad, then it will cause a match of F at each point $x\in {\mathbb{F}}_2^n$. If $(a,b)\notin L_F$, then the number of matches caused by $(a,b)$ will be less than $2^n$. The closer the value of $\theta \left(F\right)$ is to zero, the fewer matches that the vector $(a,b)$ not in $L_F$ can cause. Theorem 2 shows the validity of Algorithm 1 (FindStruct).

Theorem 2.

Let L be the solution set output by the FindStruct algorithm run on $F:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ with a parameter, c, then $L_F\subseteq L$. Moreover, if there is a constant, $e_0$, such that $\theta \left(F\right)\le e_0<1$, then the probability of $L_F$ being equal to L is no less than $1-{\left(2{({\displaystyle \frac{1+e_0}{2}})}^c\right)}^{n+m}$.

The idea of proving Theorem 2 is almost the same as that of Theorem 1 in [7], with the exception of cases where the function has multiple periods or linear structures, as well as cases where the lengths of the output and input are unequal, need to be considered. The proof is presented in Appendix A.

According to Theorem 2, setting c greater than $3/(1-e_0)$ ensures that the probability of the FindStruct algorithm outputting vectors not in $L_F$ decreases exponentially with n. The condition $\theta \left(F\right)\le e_0<1$ implies that the vectors that are not linear structure duads of F should not cause too many matches, or in other words, vectors that are not periods of G defined in Equation (3) should not cause too many collisions.

3.2. Quantum Tool for Impossible Differentials

The method of finding impossible differentials involves finding probability-1 differential characteristics that propagate, respectively, from the input end and the output end of the cipher but cannot match when they meet [30].

$E^{\left(r\right)}$ is an arbitrary block cipher that has r rounds. E denotes the round function. The block size is n and the key space is $\mathcal{K}={\mathbb{F}}_2^m$. For each $k\in \mathcal{K}$, the output of $E^{\left(r\right)}$ on plaintext x is $E_k^{\left(r\right)}\left(x\right)$. Our goal is to obtain impossible differentials of $E^{\left(r\right)}$. Namely, we find $(\alpha ,\beta )\in {\mathbb{F}}_2^n\times {\mathbb{F}}_2^n$, such that we have the following:

$$E_k^{\left(r\right)}\left(x\right)\oplus E_k^{\left(r\right)}(\alpha \oplus x)\ne \beta ,\forall x\in {\mathbb{F}}_2^n,\forall k\in {\mathbb{F}}_2^m.$$

We divide $E^{\left(r\right)}$ into two functions, $E^{\left(r\right)}=E^{\left(r_2\right)}\circ E^{\left(r_1\right)}$. Here, $1\le r_1,r_2\le r-1$ and $r_1+r_2=r$. Let ${E^{\left(r_2\right)}}^{-1}$ be the inverse function of $E^{\left(r_2\right)}$. As shown in Figure 3, if $(\Delta x_1,\Delta y_1)$ is a differential of $E^{\left(r_1\right)}$, $(\Delta x_2,\Delta y_2)$ is a differential of ${E^{\left(r_2\right)}}^{-1}$, satisfying the following:

$$\begin{array}{cc}\hfill & E_k^{\left(r_1\right)}(x\oplus \Delta x_1)\oplus E_k^{\left(r_1\right)}\left(x\right)=\Delta y_1,\forall x\in {\mathbb{F}}_2^n,\forall k\in {\mathbb{F}}_2^m\hfill \\ \hfill & {E_k^{\left(r_2\right)}}^{-1}(x\oplus \Delta x_2)\oplus {E_k^{\left(r_2\right)}}^{-1}\left(x\right)=\Delta y_2,\forall x\in {\mathbb{F}}_2^n,\forall k\in {\mathbb{F}}_2^m,\hfill \end{array}$$

and $\Delta y_1\ne \Delta y_2$, then $(\Delta x_1,\Delta x_2)$ will be an impossible differential of $E^{\left(r\right)}$. Therefore, to identify impossible differentials of $E^{\left(r\right)}$, we only need to obtain differentials of $E^{\left(r_1\right)}$ and ${E^{\left(r_2\right)}}^{-1}$ with a probability of 1.

For any t-round block cipher $E^{\left(t\right)}$ that has a key length of m and block size n, we treat both the plaintext and key as inputs of $E^{\left(t\right)}$, then the function, i.e.,

$$\begin{array}{cc}\hfill E^{\left(t\right)}:{\mathbb{F}}_2^m\times {\mathbb{F}}_2^n& \to {\mathbb{F}}_2^n\hfill \\ \hfill (k,x)& \to E_k^{\left(t\right)}\left(x\right)\hfill \end{array}$$

is public and completely determined. The Q1 adversaries can construct the unitary operator

$$U_{E^{\left(t\right)}}:\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(k,x)\in {\mathbb{F}}^{m+n}}{y\in {\mathbb{F}}_2^n}}}|k,x\rangle |y\rangle ⟶\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(k,x)\in {\mathbb{F}}^{m+n}}{y\in {\mathbb{F}}_2^n}}}|k,x\rangle |y\oplus E_k^{\left(t\right)}\left(x\right)\rangle$$

themselves. As

$$\begin{array}{c}\hfill E^{\left(t\right)}(k\oplus 0^m,x\oplus \Delta x)\oplus E^{\left(t\right)}(k,x)=\Delta y,\forall (k,x)\in {\mathbb{F}}_2^{m+n}\\ \hfill \iff E_k^{\left(t\right)}(x\oplus \Delta x)\oplus E_k^{\left(t\right)}\left(x\right)=\Delta y,\forall k\in {\mathbb{F}}_2^m,\forall x\in {\mathbb{F}}_2^n,\end{array}$$

if $((0^m,\Delta x),\Delta y)$ is $E^{\left(t\right)}$’s linear structure duad, then $(\Delta x,\Delta y)$ will be identified as $E^{\left(t\right)}$’s differential of probability-1. Thus, we can use the FindStruct algorithm to obtain $E^{\left(t\right)}$’s differentials of probability-1, with the additional requirement that the first m bits of the linear structures be 0. This can be achieved by adding additional equations to Equation (5) when Algorithm 1 (FindStruct) is run on $E^{\left(t\right)}$.

The following Algorithm 2 is designed to search impossible differentials.

Algorithm 2 FindImpoDiff algorithm

Input: a parameter c and a cipher $E^{\left(r\right)}:\mathcal{K}\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$. ($\mathcal{K}={\mathbb{F}}_2^m$ is the key space.) Output: Impossible differentials of $E^{\left(r\right)}$.   1: for $r_1=1$ to $r-1$ do   2:     Let $r_2=r-r_1$, divide $E^{\left(r\right)}$ into two functions $E^{\left(r\right)}=E^{\left(r_2\right)}\circ E^{\left(r_1\right)}$.   3:     Run steps 1–7 of Algorithm 1 (FindStruct) on $E^{\left(r_1\right)}:{\mathbb{F}}_2^m\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ with parameter c obtaining $c(m+2n)$ vectors ${\gamma }^{\left(1\right)},{\gamma }^{\left(2\right)},\cdots ,{\gamma }^{c(m+2n)}\in {\mathbb{F}}_2^{m+2n}$.   4:     Solve the following equation: $$\left\{\begin{array}{c}{\gamma }^{\left(1\right)}·(k,x,y)=0\hfill \\ {\gamma }^{\left(2\right)}·(k,x,y)=0\hfill \\ ⋮\hfill \\ {\gamma }^{\left(c\right(m+2n\left)\right)}·(k,x,y)=0\hfill \\ k=0^m,\hfill \end{array}\right.$$   (7)     where $(k,x,y)\in {\mathbb{F}}_2^{m+n+n}$ are unknowns, to obtain the solution set $A_{r_1}$.   5:     Run steps 1–7 of Algorithm 1 (FindStruct) on ${E^{\left(r_2\right)}}^{-1}:{\mathbb{F}}_2^m\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ with parameter c obtaining $c(m+2n)$ vectors ${\tilde{\gamma }}^{\left(1\right)},{\tilde{\gamma }}^{\left(2\right)},\cdots ,{\tilde{\gamma }}^{c(m+2n)}\in {\mathbb{F}}_2^{m+2n}$.   6:     Solve the following equation: $$\left\{\begin{array}{c}{\tilde{\gamma }}^{\left(1\right)}·(k,x,y)=0\hfill \\ {\tilde{\gamma }}^{\left(2\right)}·(k,x,y)=0\hfill \\ ⋮\hfill \\ {\tilde{\gamma }}^{\left(c\right(m+2n\left)\right)}·(k,x,y)=0\hfill \\ k=0^m,\hfill \end{array}\right.$$   (8)     where $(k,x,y)\in {\mathbb{F}}_2^{m+n+n}$ are unknowns, to obtain the solution set $B_{r_2}$.   7:     for $(0^m,\Delta x_1,\Delta y_1)\in A_{r_1}$ do   8:          for $(0^m,\Delta x_2,\Delta y_2)\in B_{r_2}$ do   9:             if $\Delta x_1\ne 0^n$∧$\Delta x_2\ne 0^n$∧$\Delta y_1\ne \Delta y_2$ then   10:                Output $(\Delta x_1,\Delta x_2)$.   11:            end if   12:         end for   13:     end for   14: end for

Figure 4 shows the flowchart of Algorithm 2 (FindImpoDiff). Steps 3–4 are used to identify the differentials of $E^{\left(r_1\right)}$. Steps 5–6 are used to identify the differentials of ${E^{\left(r_2\right)}}^{-1}$. Since $E^{\left(r_1\right)}$ and ${E^{\left(r_2\right)}}^{-1}$ are public and determinate functions, the adversary can execute the unitary operators $U_{E^{\left(r_1\right)}}$ and $U_{{E^{\left(r_2\right)}}^{-1}}$ when invoking the FindStruct subroutine.

Given a block cipher $E^{\left(r\right)}$, we define

$$\mathrm{\Theta }\left(E^{\left(r\right)}\right)=max\left\{\theta \left(E^{\left(t\right)}\right)\right|1\le t\le r-1\},$$

where $E^{\left(t\right)}$ is a t-round reduced version of $E^{\left(r\right)}$ and $\theta \left(E^{\left(t\right)}\right)$ is defined by Equation (6); as follows:

$$\begin{array}{c}\hfill \theta \left(E^{\left(t\right)}\right)=\underset{{\displaystyle \genfrac{}{}{0pt}{}{\genfrac{}{}{0pt}{}{(a_1,a_2)\in {\mathbb{F}}_2^m\times {\mathbb{F}}_2^n}{b\in {\mathbb{F}}_2^n}}{((a_1,a_2),b)\notin L_{E^{\left(t\right)}}}}}{max}{\displaystyle \frac{1}{2^{m+n}}}|\left\{(k,x)\in {\mathbb{F}}_2^m\times {\mathbb{F}}_2^n|E^{\left(t\right)}(k,x)\oplus E^{\left(t\right)}(k\oplus a_1,x\oplus a_2)=b\right\}|,\end{array}$$

where $L_{E^{\left(t\right)}}$ denotes the linear structure space of $E^{\left(t\right)}$. $\theta \left(E^{\left(t\right)}\right)$ denotes the maximum number of matches that vectors not in the linear structure duads of $E^{\left(t\right)}$ can cause. Therefore, the smaller the parameter $\mathrm{\Theta }\left(E^{\left(r\right)}\right)$ is, the fewer matches the vectors not in the linear structure duads of the reduced version of $E^{\left(r\right)}$ can cause. According to Theorem 2, the following theorem holds:

Theorem 3.

Block cipher $E^{\left(r\right)}$ satisfies $\mathrm{\Theta }\left(E^{\left(r\right)}\right)\le e_0<1$ for a constant $e_0$. If executing the FindImpoDiff algorithm on $E^{\left(r\right)}$ with parameter c outputs $(\Delta x_1,\Delta x_2)$, the probability of $(\Delta x_1,\Delta x_2)$ being $E^{\left(r\right)}$’s impossible differential is no less than $1-2{\left(2{({\displaystyle \frac{1+e_0}{2}})}^c\right)}^{2n+m}$, where m is the key length and n is the block size.

According to Theorem 3, setting c greater than $3/(1-e_0)$ guarantees that the probability of the FindImpoDiff algorithm outputting vectors that are not impossible differentials decreases exponentially with n.

Notably, according to Theorem 2, any linear structure duad of $E^{\left(r_1\right)}$ whose first m bits are zero must belong to the solution set $A_{r_1}$. On the other hand, $((0^m,\Delta x_1),\Delta y_1)$ being a linear structure duad of $E^{\left(r_1\right)}$ is equivalent to $(\Delta x_1,\Delta y_1)$ being a probability-1 differential of $E^{\left(r_1\right)}$. Thus, all probability-1 differentials of $E^{\left(r_1\right)}$ must be in the set $A_{r_1}$. Similarly, all probability-1 differentials of ${E^{\left(r_2\right)}}^{-1}$ must be in the set $B_{r_2}$. Therefore, all impossible differentials linked by two differentials of probability-1 as in Figure 3 must be output by the FindImpoDiff algorithm. This holds even if the condition $\mathrm{\Theta }\left(E^{\left(r\right)}\right)\le e_0<1$ is not satisfied. The condition $\mathrm{\Theta }\left(E^{\left(r\right)}\right)\le e_0<1$ is used only to ensure that the probability of incorrectly outputting a vector that is not an impossible differential is exponentially small.

3.3. Complexity of Algorithm 2 (FindImpoDiff)

Since quantum computers have not yet been built, we cannot obtain actual execution results of the proposed quantum tools on specific block ciphers. The corresponding simulation would require, at a minimum, a polynomial quantum execution of a block cipher, which is currently too large for simulation. For quantum attacks, as actual running or simulation of the attacks is not yet possible, validation is often demonstrated by rigorously deriving the success probability and complexity [2,3,7,8]. Theorem 2 establishes the lower bound of the success probability for the FindImpoDiff algorithm. The process of Algorithm 2 (FindImpoDiff) does not involve quantum queries and, thus, can be executed by Q1 adversaries. We evaluate the complexity by calculating the number of qubits and quantum gates needed.

In Algorithm 2 (FindImpoDiff), finding probability-1 differentials of $E^{\left(r_1\right)}$ requires executing the FindStruct subroutine on $E^{\left(r_1\right)}$ for $c(m+2n)$ times. Each execution includes $2m+4n$ Hadamard gates, n CNOT gates, and one unitary operator $U_{E^{\left(r_1\right)}}$. Finding probability-1 differentials of ${E^{\left(r_2\right)}}^{-1}$ requires executing the FindStruct subroutine on ${E^{\left(r_2\right)}}^{-1}$ for $c(m+2n)$ times. Each execution includes $2m+4n$ Hadamard gates, n CNOT gates, and one unitary operator $U_{{E^{\left(r_2\right)}}^{-1}}$. Thus, the number of Hadamard gates in Algorithm 2 (FindImpoDiff) is as follows:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}[c(m+2n)(2m+4n)+c(2n+m)(4n+2m)]\hfill \\ \hfill & =\sum _{r_1=1}^{r-1}(4m+8n)c(2n+m)\hfill \\ \hfill & =4c(r-1)(m^2+4n^2+4nm)\in O\left(n^2\right).\hfill \end{array}$$

The number of CNOT gates in Algorithm 2 (FindImpoDiff) is as follows:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}[(2n+m)cn+(2n+m)cn]\hfill \\ \hfill & =\sum _{r_1=1}^{r-1}(4c{n}^2+2cmn)\hfill \\ \hfill & =2(r-1)c(2n^2+mn)\in O\left(n^2\right).\hfill \end{array}$$

Algorithm 2 (FindImpoDiff) also requires executing the unitary operators $U_{E^{\left(r_1\right)}}$ and $U_{{E^{\left(r_2\right)}}^{-1}}$$c(m+2n)$ times for each $1\le r_1\le r-1,r_2=r-r_1$. As explained in Section 2.1, $|U_{E^{\left(r_1\right)}}|$ and $|U_{{E^{\left(r_2\right)}}^{-1}}|$ denote the numbers of universal gates required to implement $U_{E^{\left(r_1\right)}}$ and $U_{{E^{\left(r_2\right)}}^{-1}}$, respectively. We have the following:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}c(m+2n)|U_{E^{\left(r_1\right)}}|+c(m+2n)|U_{{E^{\left(r_2\right)}}^{-1}}|\hfill \\ \hfill & =c(m+2n)\sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\left(\right|U_{E^{\left(r_1\right)}}|+|U_{E^{\left(r_2\right)}}\left|\right)\hfill \\ \hfill & =c(m+2n)\sum _{r_1=1}^{r-1}\left|U_{E^{\left(r\right)}}\right|\hfill \\ \hfill & =(r-1)c(m+2n)|U_{E^{\left(r\right)}}|\in O\left(poly\left(n\right)\right),\hfill \end{array}$$

Algorithm 2 (FindImpoDiff) additionally requires executing the quantum circuit of $E^{\left(r\right)}$ for $(r-1)c(m+2n)$ times. The quantum resources used to implement Algorithm 2 (FindImpoDiff) are listed in

Table 1. The quantum resources of Algorithm 2 (FindImpoDiff) and Algorithm 3 (FindImpoDiff2) ¹.

Algorithm	#CNOT	#Hadamard	${\mathit{U}}_{{\mathit{E}}^{(\mathit{r})}}$
Algorithm 2 FindImpoDiff	$2\tau (2n^2+nm)$	$4\tau (m^2+4n^2+4mn)$	$\tau (m+2n)$
Algorithm 3 FindImpoDiff2	$2\tau (n^2+nm+n)$	$4\tau n{(n+m+1)}^2$	$\tau (1+n+m)$

¹ Here, n, m, and r are the block size, length of the key, and the number of rounds, respectively. c is the parameter chosen by the attacker, $\tau =c·(r-1)$.

.

We then calculate the number of qubits needed for Algorithm 2 (FindImpoDiff). Running the FindStruct subroutine on $E^{\left(r_1\right)}$ requires $(m+n)+n+n=m+3n$ qubits. Running the FindStruct subroutine on ${E^{\left(r_2\right)}}^{-1}$ also requires $m+3n$ qubits. Due to the reusability of qubits, $m+3n$ qubits are sufficient to execute the FindImpoDiff algorithm.

In addition to the quantum computing part, Algorithm 2 (FindImpoDiff) also involves solving linear equations. Solving Equation (7) is equivalent to solving the following equation:

$$\left\{\begin{array}{c}({\gamma }_{m+1}^{\left(1\right)},{\gamma }_{m+2}^{\left(1\right)},\cdots ,{\gamma }_{m+2n}^{\left(1\right)})·(x,y)=0\hfill \\ ({\gamma }_{m+1}^{\left(2\right)},{\gamma }_{m+2}^{\left(2\right)},\cdots ,{\gamma }_{m+2n}^{\left(2\right)})·(x,y)=0\hfill \\ ⋮\hfill \\ ({\gamma }_{m+1}^{\left(c\right(m+2n\left)\right)},{\gamma }_{m+2}^{\left(c\right(m+2n\left)\right)},\cdots ,{\gamma }_{m+2n}^{\left(c\right(m+2n\left)\right)})·(x,y)=0.\hfill \end{array}\right.$$

Here, ${\gamma }_i^{\left(j\right)}$ denotes the i-th bit of ${\gamma }^{\left(j\right)}$ ($1\le j\le c(m+2n)$). This linear system contains $2n$ unknowns and $c(m+2n)$ equations. The complexity of solving this linear system using Gaussian elimination is $O\left(c{n}^2(m+2n)\right)$. Similarly, the complexity of solving Equation (8) is also $O\left(c{n}^2(m+2n)\right)$. Thus, by omitting a constant coefficient, the complexity of the classical computing part of Algorithm 2 (FindImpoDiff) is as follows:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}[c{n}^2(m+2n)+c{n}^2(m+2n)]\hfill \\ \hfill =& 2c(r-1)n^2(m+2n)\in O\left(n^3\right).\hfill \end{array}$$

Therefore, the classical computing part has a complexity of $O\left(n^3\right)$.

Algorithm 3 Algorithm 2 (FindImpoDiff)

Input:  a parameter c and a block cipher $E^{\left(r\right)}:\mathcal{K}\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ where $\mathcal{K}={\mathbb{F}}_2^m$. Output: Impossible differentials of $E^{\left(r\right)}$.   1: for $r_1=1$ to $r-1$ do   2:     Let $r_2=r-r_1$, divide $E^{\left(r\right)}$ into two parts $E^{\left(r\right)}=E^{\left(r_2\right)}\circ E^{\left(r_1\right)}$.   3:     for $i=1$ to n do   4:         Run steps 1–7 of the FindStruct algorithm on $E^{\left(r_1\right)}\left[i\right]:{\mathbb{F}}_2^m\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2$ with parameter c, obtaining $c(1+n+m)$ vectors ${\gamma }^{\left(1\right)},{\gamma }^{\left(2\right)},\cdots ,{\gamma }^{\left(c\right(1+n+m\left)\right)}\in {\mathbb{F}}_2^m\times F_2^n\times F_2^1$.   5:         Solve the following equation: $$\left\{\begin{array}{c}{\gamma }^{\left(1\right)}·(k,x,y)=0\hfill \\ {\gamma }^{\left(2\right)}·(k,x,y)=0\hfill \\ ⋮\hfill \\ {\gamma }^{\left(c\right(1+n+m\left)\right)}·(k,x,y)=0\hfill \\ k=0^m,\hfill \end{array}\right.$$   (9)         where $(k,x,y)\in {\mathbb{F}}_2^{m+n+1}$ are unknowns, to obtain the solution set $A_{r_1}^i$.   6:         Run steps 1–7 of the FindStruct algorithm on ${E^{\left(r_2\right)}}^{-1}\left[i\right]:{\mathbb{F}}_2^m\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2$ with parameter c, obtaining $c(1+n+m)$ vectors ${\tilde{\gamma }}^{\left(1\right)},{\tilde{\gamma }}^{\left(2\right)},\cdots ,{\tilde{\gamma }}^{\left(c\right(1+n+m\left)\right)}\in {\mathbb{F}}_2^{m+n+1}$.   7:         Solve the following equation: $$\left\{\begin{array}{c}{\tilde{\gamma }}^{\left(1\right)}·(k,x,y)=0\hfill \\ {\tilde{\gamma }}^{\left(2\right)}·(k,x,y)=0\hfill \\ ⋮\hfill \\ {\tilde{\gamma }}^{\left(c\right(1+n+m\left)\right)}·(k,x,y)=0\hfill \\ k=0^m,\hfill \end{array}\right.$$   (10)         where $(k,x,y)\in {\mathbb{F}}_2^{m+n+1}$ are unknowns, to obtain the solution set $B_{r_2}^i$.   8:         for $(0^m,\Delta x_1,\Delta y_1)\in A_{r_1}^i$ do   9:            for $(0^m,\Delta x_2,\Delta y_2)\in B_{r_2}^i$ do   10:                if $\Delta x_1\ne 0^n$∧ $\Delta x_2\ne 0^n$∧ $\Delta y_1\ne \Delta y_2$ then   11:                    Output $(\Delta x_1,\Delta x_2)$.   12:                end if   13:            end for   14:         end for   15:     end for   16: end for

4. Quantum Attacks Based on Truncated Differentials

For some block ciphers, it is almost impossible to identify a differential of which the probability is strictly 1. Thus, many attacks that have been proposed consider the truncated probability-1 differentials. For truncated differentials [31], only partial bits instead of the full differentials are certain. For many block ciphers, such as SAFERK64 [32] and Camellia [33], truncated differential analysis can attack more rounds than traditional differential analysis, or the attack complexity is greatly reduced when attacking the same number of rounds. In this section, we improve the FindImpoDiff algorithm by allowing the differentials with a probability of 1 to be truncated differentials.

4.1. Improved Algorithm for Impossible Differentials

To improve Algorithm 2 (FindImpoDiff), we allow the unmatched probability-1 differentials to be truncated differentials when applying the miss-in-the-middle method. That is, only partial bits of the probability-1 differentials are predicted.

Let $(\alpha ,\beta )$ denote a truncated differential of $E^{\left(r\right)}:\mathcal{K}\times {\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$, where $\alpha ,\beta \in {\{0,1,\ast \}}^n$. Suppose $\beta =({\beta }_1,{\beta }_2,\cdots ,{\beta }_n)$, $\alpha =({\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_n)$, then ${\beta }_i,{\alpha }_i,\in \{0,1,\ast \}$ for $i=1,\cdots ,n$. The notation “∗” indicates that the corresponding bits of the input or output differences are undetermined. If ${\alpha }_i$/${\beta }_i$$\in \{0,1\}$, then we refer to the i-th bit (the determined bit of $\alpha$/$\beta$), otherwise, we refer to it as the undetermined bit of $\alpha$/$\beta$. A truncated difference can actually be regarded as a set of full differences. Let

$${\mathrm{\Omega }}_{\alpha }=\left\{\Delta x=(\Delta x_1,\Delta x_2,\cdots ,\Delta x_n)\in {\mathbb{F}}_2^n|\Delta x_i={\alpha }_i\mathrm{if}{\alpha }_i\ne \ast ,i=1,2,\cdots ,n\right\},$$

$${\mathrm{\Omega }}_{\beta }=\left\{\Delta y=(\Delta y_1,\Delta y_2,\cdots ,\Delta y_n)\in {\mathbb{F}}_2^n|\Delta y_i={\beta }_i\mathrm{if}{\beta }_i\ne \ast ,i=1,2,\cdots ,n\right\}.$$

The truncated input difference $\alpha$ is equivalent to the set ${\mathrm{\Omega }}_{\alpha }$, and the truncated output difference $\beta$ is equivalent to the set ${\mathrm{\Omega }}_{\beta }$. If a full input difference $\Delta x=(\Delta x_1,\cdots ,\Delta x_n)\in {\mathbb{F}}_2^n$ is included in the set ${\mathrm{\Omega }}_{\alpha }$; that is, $\Delta x_i={\alpha }_i$ for all $i\in \{1,\cdots ,n\}$ where ${\alpha }_i\ne \ast$, then $\Delta x$ is said to coincide with the truncated input difference $\alpha$, and denoted as $\Delta x\sim \alpha$. Similarly, if a full output difference $\Delta y$ is in the set ${\mathrm{\Omega }}_{\beta }$, then $\Delta y$ coincides with the truncated output difference $\beta$, and is denoted as $\Delta y\sim \beta$. Two truncated differentials, $\alpha ,{\alpha }^{\prime }\in {\{0,1,\ast \}}^n$, are said to contradict each other if there exists an $i\in \{1,\dots ,n\}$ satisfying ${\alpha }_i\ne \ast$, ${\alpha }_i^{\prime }\ne \ast$ and ${\alpha }_i\ne {\alpha }_i^{\prime }$.

The probability of the truncated differential $(\alpha ,\beta )$ is the conditional probability, expressed as follows:

$$\begin{gathered} \begin{array}{cc}\hfill {\displaystyle \underset{k\leftarrow \mathcal{K} \\ x\leftarrow {\mathbb{F}}_2^n}{Pr}}\left[\alpha \stackrel{E^{\left(r\right)}}{\to }\beta \right]& ={\displaystyle \underset{k\leftarrow \mathcal{K} \\ x\leftarrow {\mathbb{F}}_2^n}{Pr}}[E_k^{\left(r\right)}(x\oplus \Delta x)\oplus E_k^{\left(r\right)}\left(x\right)\sim \beta |\Delta x\sim \alpha ]\hfill \\ \hfill & ={\displaystyle \underset{k\leftarrow \mathcal{K} \\ x\leftarrow {\mathbb{F}}_2^n}{Pr}}[E_k^{\left(r\right)}(x\oplus \Delta x)\oplus E_k^{\left(r\right)}\left(x\right)\in {\mathrm{\Omega }}_{\beta }|\Delta x\in {\mathrm{\Omega }}_{\alpha }].\hfill \end{array} \end{gathered}$$

If this differential probability is equal to one, we refer to $(\alpha ,\beta )$ as a probability-1 truncated differential of $E^{\left(r\right)}$.

We still divide $E^{\left(r\right)}=E^{\left(r_2\right)}\circ E^{\left(r_1\right)}$, where $r_1+r_2=r$. Let $E^{\left(r_1\right)}\left[i\right]$ be the i-th component function of $E^{\left(r_1\right)}$, as follows:

$$\begin{array}{c}\hfill E_k^{\left(r_1\right)}\left(x\right)=(E_k^{\left(r_1\right)}\left[1\right]\left(x\right),E_k^{\left(r_1\right)}\left[2\right]\left(x\right),\cdots ,E_k^{\left(r_1\right)}\left[n\right]\left(x\right)).\end{array}$$

Similarly, ${E^{\left(r_2\right)}}^{-1}\left[i\right]$ denotes the i-th component function of ${E^{\left(r_2\right)}}^{-1}$. If the truncated differential $(\alpha ,\beta )$ of $E^{\left(r_1\right)}$ has probability-1, the truncated differential $({\alpha }^{\prime },{\beta }^{\prime })$ of ${E^{\left(r_2\right)}}^{-1}$ also has probability-1, and $\beta$ contradicts with ${\beta }^{\prime }$, then $(\alpha ,{\alpha }^{\prime })$ will be $E^{\left(r\right)}$’s impossible differential. These conditions imply that there exists $i\in \{1,\cdots ,n\}$ such that $(\alpha ,{\beta }_i)$ and $({\alpha }^{\prime },{\beta }_i^{\prime })$ are probability-1 differentials of $E^{\left(r_1\right)}\left[i\right]$ and ${E^{\left(r_2\right)}}^{-1}\left[i\right]$, respectively, and ${\beta }_i\ne {\beta }_i^{\prime }$ (${\beta }_i,{\beta }_i^{\prime }\ne \ast$). In this case, $(\alpha ,{\alpha }^{\prime })$ will be $E^{\left(r\right)}$’s impossible differential, as shown in Figure 5. Thus, we only need to traverse i to identify the differentials of $E^{\left(r_1\right)}\left[i\right]$ and ${E^{\left(r_2\right)}}^{-1}\left[i\right]$ with probability-1. This can be performed using the FindStruct algorithm to identify their linear structures. According to these analyses, we designed an improved algorithm that finds impossible differentials, which is named Algorithm 3 (FindImpoDiff2).

Figure 6 shows the flowchart of Algorithm 3 (FindImpoDiff2). Algorithm 3 (FindImpoDiff2) traverses $r_1$ from 1 to $r-1$, dividing $E^{\left(r\right)}$ into $E^{\left(r\right)}=E^{\left(r_2\right)}\circ E^{\left(r_1\right)}$, and then traverses i from 1 to n to obtain differentials of $E^{\left(r_1\right)}\left[i\right]$ and ${E^{\left(r_2\right)}}^{-1}\left[i\right]$, which have probability-1 but lead to a contradiction in the middle. We define the following:

$$\begin{array}{c}\hfill \overline{\mathrm{\Theta }}\left(E^{\left(r\right)}\right)=max\left\{\theta \left(E^{\left(t\right)}\left[i\right]\right)\right|1\le t\le r-1,1\le i\le n\},\end{array}$$

where $E^{\left(t\right)}$ is the t-round reduced cipher of $E^{\left(r\right)}$, $E^{\left(t\right)}\left[i\right]$ is the i-th component function of $E^{\left(t\right)}$, and $\theta \left(E^{\left(t\right)}\left[i\right]\right)$ is defined as Equation (6). That is, we have the following:

$$\begin{array}{c}\hfill \theta \left(E^{\left(t\right)}\left[i\right]\right)=\underset{{\displaystyle \genfrac{}{}{0pt}{}{\genfrac{}{}{0pt}{}{(a_1,a_2)\in {\mathbb{F}}_2^m\times {\mathbb{F}}_2^n}{b=0,1}}{((a_1,a_2),b)\notin L_{E^{\left(t\right)}\left[i\right]}}}}{max}{\displaystyle \frac{1}{2^{m+n}}}|\{(k,x)\in {\mathbb{F}}_2^m\times {\mathbb{F}}_2^n|E^{\left(t\right)}\left[i\right](k,x)\oplus \\ \hfill E^{\left(t\right)}\left[i\right](k\oplus a_1,x\oplus a_2)=b\left\}\right|,\end{array}$$

where $L_{E^{\left(t\right)}\left[i\right]}$ is the linear structure space of $E^{\left(t\right)}\left[i\right]$. According to Theorem 2, the following theorem holds.

Theorem 4.

$E^{\left(r\right)}$ is the block cipher whose round number is r, the block size is n, and the key length is m. $\overline{\mathrm{\Theta }}\left(E^{\left(r\right)}\right)\le e_0<1$ denotes the constant $e_0$. If $(\Delta x_1,\Delta x_2)$ is output by Algorithm 3 (FindImpoDiff2) when running on $E^{\left(r\right)}$, then the probability of $(\Delta x_1,\Delta x_2)$ being an impossible differential of $E^{\left(r\right)}$ is no less than $1-2{\left(2{({\displaystyle \frac{1+e_0}{2}})}^c\right)}^{m+n+1}$.

According to Theorem 4, setting c greater than $3/(1-e_0)$ guarantees that Algorithm 3 (FindImpoDiff2) outputs impossible differentials of $E^{\left(r\right)}$.

4.2. Complexity of Algorithm 3 (FindImpoDiff2)

The process of the FindImpoDiff algorithm does not involve quantum queries and, thus, can be executed by Q1 adversaries. We still evaluate the complexity by calculating the amounts of qubits and quantum gates.

In Algorithm 3 (FindImpoDiff2), finding probability-1 differentials of $E^{\left(r_1\right)}\left[i\right]$ requires executing steps 1–7 of Algorithm 1 (FindStruct) on $E^{\left(r_1\right)}\left[i\right]$ with parameter c. This requires $2c{(1+n+m)}^2$ Hadamard gates, $c(1+n+m)$ CNOT gates, and $c(1+n+m)$ executions of the unitary operator $U_{E^{\left(r_1\right)}\left[i\right]}$. Similarly, finding probability-1 differentials of ${E^{\left(r_2\right)}}^{-1}$ requires $2c{(1+n+m)}^2$ Hadamard gates, $c(1+n+m)$ CNOT gates, and $c(1+n+m)$ executions of the unitary operator $U_{{E^{\left(r_2\right)}}^{-1}\left[i\right]}$. Thus, the number of Hadamard gates in Algorithm 3 (FindImpoDiff2) is as follows:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\sum _{i=1}^n[2c{(1+n+m)}^2+2c{(1+n+m)}^2]\hfill \\ \hfill & =\sum _{r_1=1}^{r-1}\sum _{i=1}^n\left[4c{(1+n+m)}^2\right]\hfill \\ \hfill & =4(r-1)cn{(1+n+m)}^2\in O\left(n^3\right).\hfill \end{array}$$

The number of CNOT gates in Algorithm 3 (FindImpoDiff2) is as follows:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\sum _{i=1}^n[c(1+n+m)+c(1+n+m)]\hfill \\ \hfill & =2(r-1)cn(1+n+m)\in O\left(n^2\right).\hfill \end{array}$$

Algorithm 3 (FindImpoDiff2) also requires the execution of the unitary operators $U_{E^{\left(r_1\right)\left[i\right]}}$ and $U_{{E^{\left(r_2\right)}}^{-1}\left[i\right]}$$c(m+n+1)$ times for each $1\le r_1\le r-1$, $r_2=r-r_1$ and $1\le i\le n$. We have the following:

$$\begin{array}{cc}\hfill & \sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\sum _{i=1}^n\left[c(m+n+1)|U_{E^{\left(r_1\right)}\left[i\right]}|+c(1+n+m)|U_{{E^{\left(r_2\right)}}^{-1}\left[i\right]}|\right]\hfill \\ \hfill & =c(1+n+m)\sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\sum _{i=1}^n\left(|U_{E^{\left(r_1\right)}\left[i\right]}|+\sum _{i=1}^n|U_{{E^{\left(r_2\right)}}^{-1}\left[i\right]}|\right)\hfill \\ \hfill & =c(1+n+m)\sum _{{\displaystyle \genfrac{}{}{0pt}{}{r_1=1,\cdots ,r-1}{r_2=r-r_1}}}\left(|U_{E^{\left(r_1\right)}}|+|U_{E^{\left(r_2\right)}}|\right)\hfill \\ \hfill & =(r-1)c(1+n+m)|U_{E^{\left(r\right)}}|\in O\left(poly\left(n\right)\right),\hfill \end{array}$$

Algorithm 3 (FindImpoDiff2) additionally requires executing the quantum circuit of $E^{\left(r\right)}$ for $(r-1)c(1+n+m)$ times. The quantum resources used to implement Algorithm 2 (FindImpoDiff) are listed in Table 1.

Running the FindStruct subroutine on $E^{\left(r_1\right)}\left[i\right]$ requires $(m+n)+1+1=m+n+2$ qubits. Running the FindStruct subroutine on ${E^{\left(r_2\right)}}^{-1}\left[i\right]$ also requires $m+n+2$ qubits. Because of the reusability of qubits, $m+n+2$ qubits are enough for Algorithm 3 (FindImpoDiff2).

We compare classical automated tools to search for impossible differentials with the proposed quantum tools in Table 2, where the SAT problem is the Boolean satisfiability problem and MILP is the abbreviation for mixed-integer linear programming. As shown in Table 2, the UID tool, U-tool, and WW-tool cannot characterize the impact of S-boxes. The MILP tool can only describe small S-boxes. The SAT tool can describe big S-boxes but the impact of S-boxes can only be partially characterized. In contrast, the quantum algorithms we propose can fully characterize nonlinear functions, including S-boxes of any size. The MILP tool and SAT tool need to solve the MILP problem and SAT problem, respectively, both of which are NP-complete. In contrast, the proposed quantum algorithms only need to solve linear equations, which cost polynomial complexity using Gaussian elimination.

It is difficult to directly compare the complexity of classical tools for searching impossible differentials with quantum tools on specific block ciphers. The search for impossible differentials does not constitute a complete attack in itself. The identified impossible differentials are used to eliminate incorrect keys during the subsequent key recovery phase. The complexity of a classical attack is generally measured by the number of calculations and the number of chosen plaintexts required in the online key recovery phase, rather than by the calculations or time needed to identify the distinguishers in the early phase. In fact, the practicality of classical tools for searching impossible differentials on specific ciphers is determined by whether the search can be completed within a reasonable timeframe, rather than by adhering to a strict complexity formula. For example, the authors of [34] show that searching for impossible differentials of 14-round PRESENT-80 can be accomplished, but the search for 15 rounds could not be completed even after 20 days, leading the authors to finally terminate the search for 15 rounds. Classical automated tools for searching various distinguishers are usually compared using the number of rounds of specific ciphers that can be searched. However, in quantum attacks, since quantum computers have not been built yet, we cannot obtain the actual execution results of the quantum tools. Thus in quantum attacks, the success probability and complexity (the number of qubits and gates) are rigorously computed to measure the efficiency. Although the cost of a quantum operation is different from that of a classical operation, it is generally believed that polynomial-level quantum complexity is far superior to exponential classical complexity. This is why Shor’s algorithm has attracted widespread attention and even led to research on post-quantum cryptography.

Block cipher Camellia has 24 rounds [35]. The longest impossible differential of Camellia found so far has eight rounds [36]. It is found through theoretical derivation and does not involve any construction of S-boxes. Since the scale of the S-boxes in Camellia is 8-bit, no classical automated tool has yet been able to find longer impossible differentials by characterizing the S-boxes. AES-128 cipher has 10 rounds [37]. By the partial description of S-boxes, the SAT tool can accomplish a five-round search for impossible differentials of AES-128 [38]. However, the full description of S-boxes or the search for more rounds cannot be realized in an affordable time. Block cipher Midori-128 has 20 rounds [39]. The S-boxes applied by Midori-128 have eight bits. But each eight-bit S-box is actually constructed by two four-bit S-boxes. By the full description of four-bit S-boxes, the MILP tool can accomplish an eight-round search for impossible differentials of Midori-128 [40]. The search for more rounds cannot be realized in an affordable time. From the above examples, it can be seen that classical automated tools have difficulty increasing the number of rounds since they need to solve problems like MILP or SAT. However, our quantum tools only require polynomial complexity when applied to all the block ciphers mentioned above, even if the S-boxes are fully characterized. Moreover, as shown in Table 1, the number of qubits and gates required increases linearly with the number of rounds. This shows the superiority of quantum tools.

Some prior works have also investigated the use of quantum algorithms to enhance classical analytic tools. We list some representative examples in Table 3 for comparison. The goals of the second and third quantum tools in Table 3 are not to identify differentials or linear approximations, but to use Grover’s algorithm to accelerate the search for subkeys in the key recovery stage of traditional differential analysis and linear analysis.

Table 2. Comparisons with classical automated tools.

Tools	Description of Nonlinear Components	Problems Need to Solve	Ref.
UID tool	No	/	[21]
U-tool	No	/	[22]
WW-tool	No	Linear equations system	[23]
MILP-tool	Full description of small S-boxes (≤ 6-bit)	MILP problem	[40,41]
SAT-tool	Partial description of big S-boxes (8-bit)	SAT problem	[38]
Quantum tools	Any nonlinear functions	Linear equations system	This paper

Table 2. Comparisons with classical automated tools.

Tools	Description of Nonlinear Components	Problems Need to Solve	Ref.
UID tool	No	/	[21]
U-tool	No	/	[22]
WW-tool	No	Linear equations system	[23]
MILP-tool	Full description of small S-boxes (≤ 6-bit)	MILP problem	[40,41]
SAT-tool	Partial description of big S-boxes (8-bit)	SAT problem	[38]
Quantum tools	Any nonlinear functions	Linear equations system	This paper

Table 3. Quantum cryptanalysis tools.

Cryptanalysis Tool to Be Enhanced	Goal of Quantum Algorithms	Underlying Quantum Algorithm Used	Ref.
Differential cryptanalysis	Find high-probability differentials	Bernstein–Vazirani algorithm	[42,43]
Differential cryptanalysis	Accelerate the key search	Grover’s algorithm	[18]
Linear cryptanalysis	Accelerate the key search	Grover’s algorithm	[18]
Zero correlation linear cryptanalysis	Find zero correlation linear approximations	Bernstein–Vazirani algorithm	[44]
Impossible differential cryptanalysis	Find impossible differentials	Simon’s algorithm	This paper

Table 3. Quantum cryptanalysis tools.

Cryptanalysis Tool to Be Enhanced	Goal of Quantum Algorithms	Underlying Quantum Algorithm Used	Ref.
Differential cryptanalysis	Find high-probability differentials	Bernstein–Vazirani algorithm	[42,43]
Differential cryptanalysis	Accelerate the key search	Grover’s algorithm	[18]
Linear cryptanalysis	Accelerate the key search	Grover’s algorithm	[18]
Zero correlation linear cryptanalysis	Find zero correlation linear approximations	Bernstein–Vazirani algorithm	[44]
Impossible differential cryptanalysis	Find impossible differentials	Simon’s algorithm	This paper

4.3. Simulation

We use a simple Boolean function as an example to simulate the process of using the FindStruct algorithm to identify linear structure duads (i.e., probability-1 differentials). This demonstrates the validity of the FindStruct algorithm. The main process of Algorithm 2 (FindImpoDiff) involves repeating the FindStruct algorithm multiple times. According to the principle of miss-in-the-middle, as long as the outputs of the FindStruct algorithm are indeed probability-1 differentials, then the outputs of Algorithm 2 (FindImpoDiff) must be impossible differentials. Therefore, the validity of Algorithm 2 (FindImpoDiff) is also justified.

Specifically, we choose function $F:{\mathbb{F}}_2^4\to {\mathbb{F}}_2$ as an example, whose truth table is shown in

Table 4. Truth table of F.

${\mathit{x}}_1$	${\mathit{x}}_2$	${\mathit{x}}_3$	${\mathit{x}}_4$	F	${\mathit{x}}_1$	${\mathit{x}}_2$	${\mathit{x}}_3$	${\mathit{x}}_4$	F
0	0	0	0	0	1	0	0	0	1
0	0	0	1	1	1	0	0	1	0
0	0	1	0	1	1	0	1	0	0
0	0	1	1	0	1	0	1	1	1
0	1	0	0	1	1	1	0	0	0
0	1	0	1	0	1	1	0	0	0
0	1	1	0	0	1	1	0	0	0
0	1	1	1	1	1	1	0	0	0

. We use Qiskit to simulate the FindStruct algorithm on F. This requires repeating the FindStruct subroutine to obtain measurement results ${\gamma }_i^{\prime }s$. The corresponding quantum circuit diagram generated by Qiskit is shown in Figure 7. The middle part of the circuit realizes the unitary operator of F.

Because the number of simulations for quantum algorithms is often set at 1024 or 2048, we chose to simulate 1024 times. As shown in Figure 8, the measurement results only yield two values: 00000 or 11111. Computing the following equation, i.e.,

$$\left\{\begin{array}{c}\left(00000\right)·(x,y)=0\hfill \\ \left(11111\right)·(x,y)=0\hfill \end{array}\right.$$

yields a fundamental solution system, as follows:

$$\left(\begin{array}{c}1\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \\ 1\hfill \end{array}\right),\left(\begin{array}{c}1\hfill \\ 0\hfill \\ 0\hfill \\ 1\hfill \\ 0\hfill \end{array}\right),\left(\begin{array}{c}1\hfill \\ 0\hfill \\ 1\hfill \\ 0\hfill \\ 0\hfill \end{array}\right),\left(\begin{array}{c}1\hfill \\ 1\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \end{array}\right),$$

where $(x,y)\in {\mathbb{F}}_2^4\times {\mathbb{F}}_2$ are the unknowns. Therefore, {(0000,0), (1100,0), (1010,0), (1001,0) (0110,0), (0011,0), (0101,0), (1111,0), (1000,1), (0100,1), (0010,1), (0001,1) (1110,1), (1011,1), (1101,1), (0111,1)} should all be probability-1 differentials (linear structure duals) of F. It is easy to verify that these pairs are indeed probability-1 differentials of F.

5. Results and Discussion

In this work, we developed quantum automated cryptanalysis tools to search for impossible differentials. Our tools combine the impossible differential attack with Simon’s algorithm. We rigorously prove that, if an impossible differential of the block cipher is linked by two truncated differentials with probability-1, the proposed quantum algorithms must be able to output these impossible differentials in polynomial time. To analyze the complexity, we calculate the number of various quantum operators required in the quantum algorithms and summarized them in Table 1. Since the round number, r, as shown in each dataset in Table 1, has a degree of 1, the complexity of the proposed algorithms increases linearly with the number of rounds.

Our quantum cryptanalysis tools do not require any query to the encryption or decryption oracle and can be implemented in the Q1 model. Thus, they can be easily realized using quantum computers. Compared with the classical automated impossible differential cryptanalysis, our quantum automated tools fully utilize the superiority of quantum computing, allowing for complete characterization of any nonlinear functions while maintaining complexity within polynomial time. Moreover, the proposed quantum cryptanalysis tools take the key schedule into account in a single-key model, thereby compensating for the shortcomings of traditional tools.

A natural direction for further research is to enhance the cryptanalysis tools proposed in this study to reduce quantum resource consumption, or to enhance other cryptanalysis methods with quantum algorithms, such as integral and linear attacks. Combining cryptanalysis tools with Grover’s algorithm may also be a direction worth exploring.