New Impossible Differential Search Tool from Design and Cryptanalysis Aspects
Abstract
In this paper, a new tool searching for impossible differentials is presented. Our tool can detect any contradiction between input and output differences. It can also take into account the property inside the Sbox when its size is small, e.g. 4 bits. This is natural for ciphers with bitwise diffusion like PRESENT, while finding such impossible differentials for ciphers with wordwise diffusion is novel. In addition, several techniques are proposed to evaluate 8-bit Sboxes. The tool improves the number of rounds of impossible differentials from the previous best results for Midori128, Lilliput, and Minalpher. The tool also finds new impossible differentials for ARIA and MIBS. We manually verify the impossibility of the searched results, which reveals new structural properties of those designs. The tool can be implemented by slightly modifying the previous differential search tool using Mixed Integer Linear Programming (MILP). This motivates us to discuss the usage of our tool, particularly for the design process. With this tool, the maximum number of rounds of impossible differentials can be proven under reasonable assumptions and the tool is applied to various concrete designs.
Keywords
Symmetric-key, Impossible differential, Mixed integer linear programming, Midori, Lilliput, Minalpher, ARIA, MIBS
1 Introduction
Designing symmetric-key primitives becomes more and more complicated to simultaneously satisfy various goals such as security against many notions, efficiency in high-end software, low implementation cost in hardware, and so on.
A popular design approach is the substitution-permutation network (SPN), in which a state is composed of small words, and is updated by iteratively applying a round function consisting of a nonlinear layer and a linear layer. In the nonlinear layer, the state is updated by looking up a wordwise precomputed table called Sbox. In the linear layer, the state is mixed with some linear operations.
A lot of designs were proposed in the last decade. It is now necessary for the community to carefully but quickly evaluate their security. Automated evaluation tools are useful to evaluate various designs in a short time. Regarding differential cryptanalysis and linear cryptanalysis, automated tools have been well developed. In particular, evaluating the lower bound of the number of active Sboxes with mixed-integer linear programming (MILP) is becoming popular in the design of SPN primitives [1]. Meanwhile, automated tools for other cryptanalytic approaches are not as sophisticated as those for differential and linear cryptanalysis.
Impossible differential cryptanalysis [2, 3] is one of the most major and effective cryptanalytic approaches. In short, for a target keyed cipher \(E_K\), it exploits a pair of input and output differences \((\varDelta _i,\varDelta _o)\) that cannot be connected for any K. Namely, two input values \(x,x'\) satisfying \(x \oplus x' = \varDelta _i\) never satisfy \(E_K(x)\oplus E_K(x') = \varDelta _o\).
Such \((\varDelta _i,\varDelta _o)\) are detected by the miss-in-the-middle approach [4]. The first automated search attempt was done in [3] with a technique called shrink. It shrinks the word size to 3 bits and finds impossible differentials of the global structure of the cipher by exhaustively testing all possible differences and values. The shrink technique is useful when the cipher consists of a small number of words with big word size, e.g. 4 words of 32 bits in Skipjack, while the recent design trend is using many words with small word size, e.g. 16 words of 8 bits in AES.
Kim et al. [5] presented the automated tool called \(\mathcal {U}\)-method. Suppose that one wants to examine if \((\varDelta _i,\varDelta _o)\) is impossible. First it propagates \(\varDelta _i\) forwards (with F) by \(r_f\) rounds, and checks if the difference of each word is known active, active, inactive, or unknown. Then, it propagates \(\varDelta _o\) backwards (with \(F^{-1}\)) by \(r_b\) rounds and checks the same information. Finally, it finds a contradiction in the middle, detecting that \((\varDelta _i,\varDelta _o)\) is impossible for \(r_f + r_b\) rounds.
Several works extended the \(\mathcal {U}\)-method, e.g. the UID-method by Luo et al. [6, 7] or some extension by Wu and Wang [8]. Those detect more complicated contradictions than the \(\mathcal {U}\)-method. Although some advancement was made, usability of the previous tools is limited as explained below.

To be as generic as possible, the recent tools consider complicated differential impact through the linear layer, which requires more sensitive implementation. Even with this effort, only particular contradictions can be analyzed.

Most of the previous tools cannot take into account the differential property inside the Sbox. Several analyses of a particular Sbox in a particular primitive may analyze its differential property [9, 10]; however, such an analysis cannot be extended to a generic tool.

Most of the previous tools for impossible differential cryptanalysis cannot be used to evaluate other cryptanalytic approaches, e.g. differential and linear cryptanalysis. Derbez and Fouque proposed a tool for the meet-in-the-middle attack that can also be used for impossible differential cryptanalysis [11]. However, it cannot find better impossible pairs compared to [5, 6, 8].
In the differential search with MILP, the attacker describes possible differential propagation patterns in a round function by using linear inequalities. Then, the attacker runs a solver for MILP, which returns the minimum number of active Sboxes under the given propagation patterns. In this research, to examine the impossibility of \((\varDelta _i,\varDelta _o)\), we simply add constraints to fix the input and output differences to \((\varDelta _i,\varDelta _o)\). Due to the added constraints, the lower bound of the number of active Sboxes usually increases. In some cases, \((\varDelta _i,\varDelta _o)\) cannot be satisfied, thus the MILP solver returns an error code implying that no solution exists. In other words, \(\varDelta _i\) and \(\varDelta _o\) are impossible pairs.
We then iterate this test to examine multiple pairs of \((\varDelta _i,\varDelta _o)\), e.g. all pairs with 1 active word both in input and output. We note that, for all existing ciphers, the longest impossible differentials have only 1 active word in both input and output. Thus, it is reasonable to conjecture that if such impossible differentials do not exist, no impossible differentials exist.
Our tool leads to stronger cryptanalytic results than the previous tools owing to the following advantages.

Analyzing inside Sboxes: The previous differential-bound search using MILP [12] can model the possible differential propagation patterns in the differential distribution table (DDT) of the Sbox. Our tool inherits this advantage. Thus impossible differentials taking into account DDT can be found.

Arbitrary Contradiction: The MILP solver automatically judges whether or not the solution exists. Thus, the attacker does not have to predict the mechanism of contradiction in advance, which significantly increases the versatility of the tool.

Multipurpose Tool: We convert the previous MILP-based differential search into impossible differential search by just adding constraints to fix input and output differences. Thus only with a single tool, security against differential cryptanalysis and impossible differential cryptanalysis can be evaluated. This feature is especially useful for future primitive designers who need to evaluate both cryptanalyses.

Arbitrary Sbox Mode: MILP requires too many inequalities to represent differential propagations in DDT of 8-bit Sboxes. Thus, the tool is infeasible for 8-bit Sboxes in a straightforward manner. Here, we introduce an arbitrary Sbox where impossible differentials for the arbitrary Sbox are always valid for arbitrary Sbox choice. The arbitrary Sbox can be described efficiently, which enables us to evaluate 8-bit Sboxes. We note that previous work on MILP-based tools aimed to model DDT precisely. One can see the catchphrase “MILP whose feasible region is exactly the set of all valid differential” in [13, 15], while modeling an 8-bit Sbox precisely is infeasible. Our approach is the opposite of previous work: it describes DDT only roughly but can be executed in practice.

Quick Search for Truncated Impossible Differential: A single pair of input and output differences can be impossible for more rounds than truncated differentials. Meanwhile, evaluating all the pairs is infeasible and the search range is often limited to a single active word. Here we present a technique to make the tool more efficient only by aiming at truncated impossible differentials, which can be implemented only by changing the constraints of input and output differences.
Table 1. Application results. ‘KR’ denotes ‘key recovery.’
| Target | Ref | #Rounds (Prev.) | #Rounds (Ours) | Search mode | Goal | Remarks |
| --- | --- | --- | --- | --- | --- | --- |
| Midori128 | [16] | 6 | 7 | Specific Sbox | Characteristic | |
| Lilliput | [17] | 8 | 9 | Specific Sbox | Characteristic | |
| Minalpher | [18] | 6.5 | 7.5 | Arbitrary Sbox | Truncated | Large state |
| ARIA | [19] | 4 | 4 | Arbitrary Sbox | Truncated | 8-bit Sbox, improve KR |
| MIBS | [20] | 8 | 8 | Specific Sbox | Characteristic | New impossible differentials |
We apply the proposed tool to various designs. The results improving the existing impossible differentials are summarized in Table 1. Although one of the advantages of the tool is that the attacker can detect impossible differentials without analyzing contradicting reasons, we manually analyze why the detected \((\varDelta _i,\varDelta _o)\) is impossible. The manual verification not only demonstrates the correctness of the tool, but also reveals the structural properties of the target designs that have not been known before. We believe that the contradicting reasons analyzed in this paper for Midori128, Lilliput, and Minalpher lead to new understanding about their designs.
Our automated tool is useful to test many design choices during the design process of new primitives. Thus, we also discuss the usage of the tool for the design. For example, when the tool finds several impossible pairs of \((\varDelta _i,\varDelta _o)\), the designers may want to patch the design to avoid such \((\varDelta _i,\varDelta _o)\). By using the arbitrary Sbox mode, we can easily check whether \((\varDelta _i,\varDelta _o)\) is dependent on the Sbox. If it is dependent on the Sbox, it may be prevented by replacing the Sbox. If it is independent, the linear layer needs to be modified to prevent it.
Moreover, because it catches any contradiction, the tool provides a certain level of provable security about the existence of impossible differentials with reasonable assumptions and reasonable search range. In detail, provable security can be discussed when a single word is active in the input and output differences, and we can set two levels of assumption: (1) the Sbox is public and each subkey is chosen independently and uniformly at random, and (2) a keyed Sbox is used and for each key the Sbox is chosen uniformly at random. We apply the tool to various designs to prove the maximum number of rounds of impossible differentials. Finally, we propose an optimal pick technique which dramatically reduces the execution time only when the tool is used for obtaining the proof.
Paper Outline. Notations and related work are introduced in Sect. 2. Framework of our tool is introduced in Sect. 3. Application on various designs improving previous impossible differentials are shown in Sect. 4. A technique to reduce the search complexity is explained in Sect. 5. Advantages of our tool in the design process are explained in Sect. 6. Our research is partially overlapped with [21]. The relationship between [21] and this paper is explained in Appendix A.
2 Related Work
2.1 Terminologies in Impossible Differential Cryptanalysis

We call a pair of input and output differences \((\varDelta _i,\varDelta _o)\) that cannot be connected an impossible differential characteristic or impossible characteristic.

We call a pair of a closed set of input differences and a closed set of output differences in which any pair cannot be connected as a truncated impossible differential.

When we do not distinguish the above two, we call it impossible differential.
2.2 Differential Search with Mixed Integer Linear Programming
Here we explain an automated tool for differential cryptanalysis, not impossible differential cryptanalysis, which will be a base of our tool.
Mouha et al. [1] showed that the problem to search for the minimum number of active Sboxes can be modeled with mixed integer linear programming (MILP). The approach is now very popular for designing a new primitive. For example, resistance against differential and linear cryptanalysis of Skinny [22] recently proposed at CRYPTO 2016 was evaluated by MILP.
The approach by Mouha et al. [1] is effective for evaluating word-oriented ciphers, while several ciphers are not word-oriented. For example, PRESENT [23] applies a 4-bit Sbox, then the bit permutation moves four bits from a single Sbox to four different Sboxes. In order to apply MILP to such a structure, Sun et al. [12] developed a method to model all possible differential propagations bit by bit even for the Sbox.
Modeling Differential Propagations with MILP. We explain how to model valid differential propagations of PRESENT bitwise. Note that one round of PRESENT consists of subkey addition, Sbox applications, and bit permutation.
Fact 1
Linear inequalities to constrain input and output variables of the Sbox only to valid patterns can be generated by using either the computation tool called SageMath or several logical operations.
How to use SageMath is well explained in [12] and more details of logical computations can be seen in [14]. We rely on Fact 1 about the description of Sbox, and the choice between SageMath and logical operations does not affect our tool. Meanwhile, the following limitation of those approaches should be noted.
Fact 2
Both of SageMath and the logical operations can be used only when the Sbox size is small.
In our computational environment, both methods are feasible for Sboxes of size five bits or less. No method is known to model bigger Sboxes, e.g. an 8-bit Sbox.
MILP returns a solution of the system optimizing a given objective function. In differential cryptanalysis, the attacker’s goal is minimizing the number of active Sboxes, which can be defined as “Minimize \(\sum _{i}(x_{4i} \vee x_{4i+1} \vee x_{4i+2} \vee x_{4i+3})\).”
The system can be solved by the MILP solver to find the optimal solution. We use Gurobi Optimizer [24] as the MILP solver.
3 Composite Framework for Differential and Impossible Differential Searches
We begin with explaining the basic concept of our impossible differential search tool, which has been independently discovered by Cui et al. and their paper was posted on Cryptology ePrint Archive prior to our paper [21]. Comparison between [21] and this work will be explained in Appendix A.
The tool adds several constraints to the previous differential bound search for fixing an input and output difference to a specific pair \((\varDelta _i, \varDelta _o)\). Due to those additional constraints, the MILP solver may not be able to find the solution, thus returns some error code indicating that the system is infeasible, which tells that \((\varDelta _i, \varDelta _o)\) is an impossible differential characteristic.
Example 1
We then iterate this test to examine multiple pairs of \((\varDelta _i,\varDelta _o)\) e.g. all pairs with 1 active word both in input and output.
3.1 Composite Framework
A remarkable advantage of our tool is that users can switch between differential-bound search and impossible-differential search very easily. This helps primitive designers, who are generally required to evaluate the resistance against both differential and impossible differential cryptanalyses. Here we introduce our framework to generate a system of inequalities depending on the target to evaluate.
Most of the symmetric-key primitives can be described as an iteration of the round function consisting of the nonlinear and linear layers. We explain our tool by following this structure. Our tool focuses on the primitive whose nonlinear layer is the parallel application of Sboxes. The tool relies on the previous MILP-based differential search that models differential propagations through the Sbox bitwise [12, 13, 14]. Here, we recall how a system of inequalities is generated.
We slightly modify Algorithm 1 so that impossible differentials can be evaluated with several techniques. The goal of the tool can be either the differential bound (DB) or the impossibility of the given input and output differences (ID), which can be specified in the parameter “GOAL”. For converting DB to ID, the users need to modify only two parts; make the objective function empty and specify input and output differences.
For impossible differentials, the users can further choose several search modes specified in the parameter “MODE”. To be more precise, the Sboxes can be fixed to particular ones (SPECIFIC) or can be treated as general ones (ARBITRARY).
The users can also choose which of truncated differential (TRUNCATED) or a single impossible differential characteristic (CHARACTERISTIC) is searched as a parameter “OBJECT”.
Hereafter, we explain details of impossible differential search (“GOAL = ID”). We first explain how to search impossible differential characteristics (“OBJECT = CHARACTERISTIC”) with the specific Sbox mode and the arbitrary Sbox mode in Sects. 3.2 and 3.3, respectively. We then explain the case of truncated impossible differential (“OBJECT = TRUNCATED”) in Sect. 3.4.
3.2 Specific Sbox Mode for Impossible Characteristic
In the specific Sbox mode, the users derive the differential distribution table (DDT) from the actual Sboxes, and construct the MILP model to describe all valid differential propagations by using the existing method [12, 13, 14]. Then differences in all input and output bits are constrained to the target pair. The analysis is iterated for various input and output differences chosen from a reasonable subset, i.e. only one word is active.
The specific Sbox mode can maximize the number of rounds of impossible differentials. Thus the attackers may prefer to choose this mode.
Impact of Key Schedule. The tool does not take into account the key schedule, thus we need a careful discussion about the impact of its omission.
The search by MILP describes a system of inequalities for the entire rounds by iterating a system of one-round differential propagation. Thus all valid propagations for one round are also valid in the evaluation of multiple rounds independently of the propagation in neighboring rounds and subkey values. This is true only if all subkeys are independent and chosen uniformly at random, which is not true in practical designs with a particular key schedule.
In summary, what the MILP simulates is the worst-case scenario (for the attackers). Namely, even if some differential propagations cannot occur for multiple rounds, the tool regards them as possible, which leads to the following observation.
Observation 1
Impossible differential characteristics found in the specific Sbox mode are always impossible independently of the choice of key schedule.
3.3 Arbitrary Sbox Mode for Impossible Characteristic
In the arbitrary Sbox mode, we assume an imaginary Sbox in which any nonzero input difference can be propagated to any nonzero output difference. Then, a set of valid differential propagations of any bijective Sbox can be a subset of the one in the arbitrary Sbox.

8-bit Sboxes: There is no known method to describe differential propagations of 8-bit Sboxes in MILP. Here by using the arbitrary Sbox, the tool can be applied to 8-bit Sboxes.

Large Block Size: Even if the Sbox size is small, say 4 bits, it is computationally hard to evaluate a large block size, say 256 bits. Again the arbitrary Sbox enables analysis.
Note that, differently from the specific Sbox mode, the analysis can no longer exploit properties inside the Sbox. However, the analysis can still exploit another advantage that the tool catches any contradiction, and this advantage is often big enough to find new impossible differential characteristics. Actually, we found new characteristics of ARIA (8-bit Sboxes) [19] and of Minalpher (4-bit Sbox, 256-bit block) [18], which will be explained in Sect. 4.
Similarly to Sect. 3.2, MILP simulates the worst-case scenario. Namely, even if some differential propagations cannot occur for some specific Sbox, the tool regards them as possible.
Observation 2
Impossible differential characteristics found in the arbitrary Sbox mode are always impossible independently of the choice of Sbox and key schedule.
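The two search modes of Sects. 3.2 and 3.3 on a constructed 16-bit toy cipher, as an added example that is not the authors' tool: the Sbox is Lilliput's from the page's Sbox table, the bit-transposition linear layer and all function names are assumptions, and exhaustive set propagation stands in for the MILP solver's "infeasible" answer. As in the MILP model, every round's transitions are treated as independent of the subkeys.

```python
# Added example: exhaustive stand-in for the MILP feasibility test (GOAL = ID).
# Lilliput 4-bit Sbox, copied from the page's Sbox table.
SBOX = [0x4, 0x8, 0x7, 0x1, 0x9, 0x3, 0x2, 0xE,
        0x0, 0xB, 0x6, 0xF, 0xA, 0x5, 0xD, 0xC]
NIBBLES = 4  # assumption: constructed toy cipher with a 16-bit state


def specific_support(sbox):
    """SPECIFIC mode: support[a] = output differences with a nonzero DDT entry."""
    support = [set() for _ in range(16)]
    for x in range(16):
        for a in range(16):
            support[a].add(sbox[x] ^ sbox[x ^ a])
    return support


def arbitrary_support():
    """ARBITRARY mode: a nonzero input difference reaches any nonzero output."""
    return [{0}] + [set(range(1, 16)) for _ in range(15)]


def _transpose(x):
    """Constructed linear layer: bit p of nibble n moves to bit n of nibble p."""
    y = 0
    for n in range(NIBBLES):
        for p in range(4):
            if (x >> (4 * n + p)) & 1:
                y |= 1 << (4 * p + n)
    return y


PERM = [_transpose(x) for x in range(1 << 16)]  # lookup table for the linear layer


def sbox_layer(diffs, support):
    """Differences reachable through the parallel Sboxes, one nibble at a time."""
    for n in range(NIBBLES):
        shift, nxt = 4 * n, set()
        for d in diffs:
            rest = d & ~(0xF << shift)
            for out in support[(d >> shift) & 0xF]:
                nxt.add(rest | (out << shift))
        diffs = nxt
    return diffs


def reachable(delta_in, rounds, support):
    """Every output difference that some valid trail connects to delta_in."""
    diffs = {delta_in}
    for _ in range(rounds):
        diffs = {PERM[d] for d in sbox_layer(diffs, support)}
    return diffs


def single_word_diffs():
    """All differences with exactly one active nibble (4 positions x 15 values)."""
    return [v << (4 * n) for n in range(NIBBLES) for v in range(1, 16)]


def search(rounds, support):
    """Fix (delta_in, delta_out) for every single-active-word pair; collect the
    pairs for which no trail exists, i.e. the impossible differentials."""
    outs = single_word_diffs()
    impossible = set()
    for d_in in single_word_diffs():
        reach = reachable(d_in, rounds, support)
        impossible.update((d_in, d_out) for d_out in outs if d_out not in reach)
    return impossible


def compare_modes(rounds, sbox=SBOX):
    """Run both modes; 'sbox_dependent' holds the pairs that are impossible for
    this Sbox but possible for an arbitrary one (the design check of Sect. 1)."""
    spec = search(rounds, specific_support(sbox))
    arb = search(rounds, arbitrary_support())
    return {"specific": spec, "arbitrary": arb, "sbox_dependent": spec - arb}


if __name__ == "__main__":
    for r in (1, 2):
        res = compare_modes(r)
        print(f"{r} round(s): SPECIFIC {len(res['specific'])}, "
              f"ARBITRARY {len(res['arbitrary'])}, "
              f"Sbox-dependent {len(res['sbox_dependent'])}, "
              f"subset={res['arbitrary'] <= res['specific']}")
```

For two rounds of this toy cipher every single-word pair is possible in ARBITRARY mode, while 3075 of the 3600 pairs are impossible in SPECIFIC mode, so those differentials depend on the Sbox and not on the linear layer.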
3.4 Searching for Truncated Impossible Differential
4 Applications from Cryptanalysis Aspect
4.1 Midori128
Midori is a low-energy block cipher designed by Banik et al. in 2015 [16]. Midori provides two different block lengths; Midori64 and Midori128 have 64-bit and 128-bit block lengths, respectively. Both ciphers accept a 128-bit secret key.
Previous Cryptanalysis. Several third-party cryptanalyses have been proposed, and the full-round Midori64 was broken by the invariant subspace attack [25] and nonlinear invariant attack [26] under the weak-key setting. On the other hand, there is no cryptanalysis against full-round Midori128. Regarding the impossible differential attack on Midori128, the designers found 6-round impossible differentials such that only one cell is active in the input and output [16]. Then, Zhen et al. found 6-round impossible differentials that are advantageous for the key recovery but the number of rounds is not increased [27].
Configurations for the Tool. The block size of Midori128 is 128 bits and the Sbox size is 8 bits. However, since the 8-bit Sboxes are represented as a concatenation of two 4-bit Sboxes, we can regard that there are thirty-two 4-bit Sboxes in each round. The search space for impossible differential characteristics is large, hence we run our tool in the arbitrary Sbox mode.
When the arbitrary Sbox mode is chosen for Midori, it is sufficient to evaluate truncated impossible differentials rather than impossible differential characteristics. This is because, for any choice of the differential value of the active nibble in the plaintext, the set of possible output differences of the active Sbox in the first round is identical. In other words, when \((\varDelta _i,\varDelta _o)\) is an impossible differential characteristic, for any other 1-nibble difference \(\varDelta _i^{\prime }\) in the same active nibble position, \((\varDelta _i^{\prime },\varDelta _o)\) becomes impossible.
We limit the input and output differences to 1 active nibble. The number of such input differences is 32, and we have the same number of output differences. In the end, we run MILP for \(32 * 32 = 1024\) pairs of input and output differences.
List of 7-Round Truncated Impossible Differentials. We ran our tool with the above configuration. The tool required about 0.03 seconds per pair and it took about 0.5 min to test 1024 pairs.
7-round truncated impossible differentials against Midori128
| ID | \(\varDelta P\) | \(\varDelta C\) | Remarks |
| --- | --- | --- | --- |
| 001T | \((0\alpha_1 00,0000,0000,0000)\) | \((0\beta_1 00,0000,0000,0000)\) | Manually verified |
| 002T | \((0\beta_1 00,0000,0000,0000)\) | \((0\alpha_1 00,0000,0000,0000)\) | Manually verified |
| 003T | \((0000,\alpha_0 000,0000,0000)\) | \((0000,\beta_0 000,0000,0000)\) | |
| 004T | \((0000,\beta_0 000,0000,0000)\) | \((0000,\alpha_0 000,0000,0000)\) | |
| 005T | \((0000,0\alpha_1 00,0000,0000)\) | \((0000,0\beta_1 00,0000,0000)\) | |
| 006T | \((0000,0\beta_1 00,0000,0000)\) | \((0000,0\alpha_1 00,0000,0000)\) | |
| 007T | \((0000,0000,\alpha_0 000,0000)\) | \((0000,0000,\beta_0 000,0000)\) | |
| 008T | \((0000,0000,\beta_0 000,0000)\) | \((0000,0000,\alpha_0 000,0000)\) | |
| 009T | \((0000,0000,0\alpha_1 00,0000)\) | \((0000,0000,0\beta_1 00,0000)\) | |
| 010T | \((0000,0000,0\beta_1 00,0000)\) | \((0000,0000,0\alpha_1 00,0000)\) | |
| 011T | \((0000,0000,0000,\alpha_0 000)\) | \((0000,0000,0000,\beta_0 000)\) | |
| 012T | \((0000,0000,0000,\beta_0 000)\) | \((0000,0000,0000,\alpha_0 000)\) | |
Manual Verification of ID001T and ID002T. Although one of the major advantages of the tool is that the attacker does not have to analyze the reason of contradiction, we would like to verify the reason. The analysis reveals a new structural property of Midori128 exploiting the involution of \(\mathtt{SSb}_i\), which seems to be useful for future analysis. We first prove ID001T.
Theorem 1
The input difference \((0\alpha _100,0000,0000,0000)\) cannot propagate to the output difference \((0\beta _100,0000,0000,0000)\) after 7 rounds of Midori128, where only top four bits of \(p_1(\alpha _1)\) and bottom four bits of \(p_1(\beta _1)\) are active.
Proof
In Fig. 2, the input difference is propagated in forwards by 3.5 rounds, and the output difference is propagated in backwards by 3 rounds.
Let us focus on the forward propagation. From the definition, the differential form of \(\alpha _1\) is \((*,*,0,0,0,0,*,*)\) thus \(p_1(\alpha _1)=(*,*,*,*,0,0,0,0)\), where \(*\) and 0 are active and inactive, respectively. In SubCell in the first round, \(\mathtt{SSb}_1(\alpha _1) = p_1^{-1} \circ (\mathtt{Sb}_1 \Vert \mathtt{Sb}_1) \circ p_1(\alpha _1)\) is computed. \((\mathtt{Sb}_1 \Vert \mathtt{Sb}_1)\) preserves that only top 4 bits are active, and active bit positions go back to \(\alpha _i\) after the application of \(p_1^{-1}\). The position of the active byte moves from \(s_1\) to \(s_7\) by \(\mathtt {ShuffleCell}\), then is diffused to \(s_4\), \(s_5\), and \(s_6\) by \(\mathtt {MixColumns}\). Sboxes are applied in the second round again, but \(\mathtt {SSb}_0\) and \(\mathtt {SSb}_2\) do not preserve the form of \(\alpha _1\) due to the different bit permutations \(p_0\) and \(p_2\). Therefore, only \(s_5\) preserves the differential form of \(\alpha _1\). Similar analysis is continued during the 3.5-round forward propagation.
The differential form of \(\beta _1\) is \((0,0,*,*,*,*,0,0)\). With the same reason as \(\alpha _1\), the differential form of \(\beta _1\) is preserved after the computation of \(\mathtt{SSb}_1^{-1}(\beta _1)\), and 1 byte preserves the difference \(\beta _1\) after 3-round decryption.
On one hand, from the forward 3.5-round propagation, only the top half of \(p_1(s_5)\) is active and the bottom half is inactive. On the other hand, from the 3-round backward propagation, only the bottom half of \(p_1(s_5)\) is active and the top half is inactive. This is a contradiction, therefore ID001T is manually verified. \(\square \)
ID002T can be proved by exchanging the position of \(\alpha _1\) and \(\beta _1\) of ID001T. Note that all impossible differentials found by our tool have the similar structure. Therefore, we expect that ID003T–ID012T can be verified similarly.
4.2 LILLIPUT
Lilliput is a lightweight block cipher designed by Berger et al. in 2015 [17] in which the block size and the key size are 64 bits and 80 bits, respectively. Lilliput adopts an extended generalized Feistel network (EGFN) [28].
Specification. A 64-bit plaintext is loaded to a 64-bit state \(X^{0}\), which is divided into sixteen 4-bit nibbles, \(X_{15}^0\Vert X_{14}^0\Vert \cdots \Vert X_0^0\). The round function, RF, takes as input a previous state \(X^j\) and a 32-bit subkey \(SK^j \triangleq SK^j_7\Vert SK^j_6\Vert \cdots \Vert SK^j_0\) and updates the state to \(X^{j+1}\) with three operations \(\mathcal {F}\), \(\mathcal {L}\), and \(\mathcal {P}\).

Nonlinear layer \(\mathcal {F}\): Copy the right half of the state, XOR the subkey, apply an Sbox to each nibble, and finally XOR the results to the left half of the state. Namely, \(X_{8+i}^j \leftarrow X_{8+i}^j \oplus S(X_{7-i}^j \oplus SK^j_i),\ i=0,1,\ldots ,7\), where \(S(\cdot )\) is a 4-bit Sbox defined in Table 3.

Linear layer \(\mathcal {L}\): Update the left half of the state with several XORs.
$$\begin{aligned} X_{15}^j&\leftarrow X_{15}^j \oplus X_7^j \oplus X_6^j \oplus X_5^j \oplus X_4^j \oplus X_3^j \oplus X_2^j \oplus X_1^j,\\ X_{15-i}^j&\leftarrow X_{15-i}^j \oplus X_7^j \text { for } i=1,2,\ldots ,6. \end{aligned}$$

Permutation layer \(\mathcal {P}\) : Permute nibble positions with \(\pi \) defined in Table 4.
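Table 3. Sbox in Lilliput (hex)
| x | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| S(x) | 4 | 8 | 7 | 1 | 9 | 3 | 2 | E | 0 | B | 6 | F | A | 5 | D | C |

Table 4. Nibble permutation (decimal)
| x | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| \(\pi (x)\) | 13 | 9 | 14 | 8 | 10 | 11 | 12 | 15 | 4 | 5 | 3 | 1 | 2 | 6 | 0 | 7 |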
The round function is iterated 30 times in which the permutation \(\pi \) is omitted in the last round. Because we are discussing distinguishers in which several rounds will be added for the key recovery, we do not omit the last permutation. The illustration of the round function can be seen in Fig. 3.
Previous Impossible Differential. The designers searched for truncated impossible differentials with the \(\mathcal {U}\)-method [5] and found two 8-round truncated impossible differentials, e.g. the input difference \((0,0,0,0,0,0,0,\alpha ,0,0,0,0,0,0,0,0)\) is incompatible with the output difference \((0,0,0,\beta ,0,0,0,0,0,0,0,0,0,0,0,0)\). We stress that the designers searched for them independently of the Sbox choice.
Configurations for the Tool. Because both of the block size and the Sbox size are small in Lilliput, we run our tool in the specific Sbox mode to maximize the number of rounds of the distinguisher. In our experiment, we limited the input and output differences to only 1 active nibble.
Considering the Feistel network, having an active nibble in the left half of the input and in the right half of the output can maximize the number of rounds. The number of such input differences is \(8 * 15 = 120\), where 8 is for the active nibble position and 15 is for nonzero difference in the active nibble. The number of output differences is the same. In the end, we run MILP for \(120 * 120 = 14400\) pairs of input and output differences.
List of 9-Round Impossible Differential Characteristics. We ran our tool with the above configuration. The tool required about 0.2 seconds per pair and it took about 1 h to test 14400 pairs.
9-round impossible differential characteristics against Lilliput
| ID | \((\varDelta L^0, \varDelta R^0)\) | \((\varDelta L^9, \varDelta R^9)\) | Remarks |
| --- | --- | --- | --- |
| 001–015 | \((0000000\alpha ,00000000)\) | \((00000000,00000\alpha 00)\) | Manually verified |
| 016–030 | \((000000\alpha 0,00000000)\) | \((00000000,00\alpha 00000)\) | |
| 031–045 | \((000000\alpha 0,00000000)\) | \((00000000,0000000\alpha )\) | |
| \(\cdots \) | \(\cdots \) | \(\cdots \) | \(\cdots \) |
| 181–195 | \((000\alpha 0000,00000000)\) | \((00000000,0000000\alpha )\) | |
| 196 | (00000020, 00000000) | (00000000, 00000200) | Manually verified |
| 197 | (00000030, 00000000) | (00000000, 00000300) | Manually verified |
| 198 | (00000080, 00000000) | (00000000, 00000800) | Manually verified |
| 199 | (00000090, 00000000) | (00000000, 00000900) | Manually verified |
| 200 | (000000e0, 00000000) | (00000000, 00000e00) | Manually verified |
| 201 | (000000f0, 00000000) | (00000000, 00000f00) | Manually verified |
| 202 | (00007000, 00000000) | (00000000, 00000700) | |
| 203 | (0000e000, 00000000) | (00000000, 00000e00) | |
| 204–216 | \((000\beta 0000,00000000)\) | \((00000000,000000\beta 0)\) | Manually verified |
| 217 | (00010000, 00000000) | (00000000, 00000050) | |
Manual Verification of ID196 to ID201. Because some of the detected impossible characteristics exploit the property of DDT, the analysis is completely different from the previous truncated impossible differentials. Verifying ID001–ID015 is relatively simple (but cannot be detected by the previous tools), which actually does not use the property inside the Sbox. Due to the page limitation, we omit the proof of ID001–ID015. We expect ID016–ID195 can be proven similarly.
ID196–ID201 essentially exploit the differential property of the Sbox. Here, we explain the details of the contradicting reasons of ID196–ID201.
Theorem 2
The input difference \((000000\alpha 0,00000000)\) cannot propagate to the output difference \((00000000,00000\alpha 00)\) after 9 rounds of Lilliput, where \(\alpha \in \{2,3,8,9,e,f\}\).
Proof
In Fig. 3, the input (resp. output) difference is propagated forwards (resp. backwards) by 4 rounds. We first focus on the forward propagation.

In the second round, we denote by \(\beta \) the output difference of the active S-box. Note that \(\beta \) may or may not be equal to \(\alpha \).

In the third round, we further introduce \(\gamma \) and \(\delta \) for the output differences from the S-boxes. In Fig. 3, we denote by \(\alpha \beta \) and \(\alpha \delta \) abbreviations of \(\alpha \oplus \beta \) and \(\alpha \oplus \delta \) respectively. Note that \(\alpha \oplus \beta \) and \(\alpha \oplus \delta \) may or may not be nonzero.

In the fourth round, the difference is unknown in many nibbles, denoted by ‘?’.
We do the same for the last 4 rounds and detect the contradiction in the middle.
1. We focus on \(X_8^4 \oplus S(X_7^4) = X_4^5\) in the fifth round, in which \(\varDelta X_8^4 = \varDelta X_4^5 =\alpha \), which eventually leads to \(\varDelta X_7^4 =0\) (red lines in Fig. 3).

2. We then focus on \(X_{11}^4 \oplus S(X_4^4) \oplus X_7^4 = X_1^5\), in which \(\varDelta X_{11}^4 = \varDelta X_1^5 = \alpha \) and \(\varDelta X_7^4 =0\). Hence, \(\varDelta X_4^4 = 0\). Similarly, \(\varDelta X_2^4 = 0\) (blue in Fig. 3).

3. We focus on \(X_8^3 \oplus S(X_7^3) = X_4^4\) in the fourth round, in which \(\varDelta X_8^3 =\beta \) and \(\varDelta X_4^4 = 0\). Hence \(\varDelta S(X_7^3)\) must be \(\beta \) while \(\varDelta X_7^3 = \alpha \oplus \beta \) (green in Fig. 3). Considering that \(\beta \) is originally defined as an output difference of the S-box whose input difference is \(\alpha \), we have the following necessary condition for this 9-round characteristic to be possible.

$$\begin{aligned} \exists \beta , x, y : \left\{ \begin{array}{l} S(x) \oplus S(x \oplus \alpha ) = \beta \\ S(y) \oplus S(y \oplus \alpha \oplus \beta ) = \beta \end{array}\right. \end{aligned} \tag{4}$$

Whether this condition is satisfied or not depends on the S-box, especially on its DDT. When \(\alpha =9\), \(\beta \) can be 3, 7, 8, 9, c, e, f for the first equation in (4). Then, \((\alpha \oplus \beta , \beta )\) can be computed as (a, 3), (e, 7), (1, 8), (0, 9), (5, c), (7, e), (6, f). The second equation in (4) requires that one of them be a valid propagation. According to the DDT in Table 5, none of them can occur, which proves that the 9-round characteristic in Fig. 3 is impossible when \(\alpha =9\). Note that the condition (4) can be satisfied when \(\alpha \ne 0,9\).

4. We then further focus on \(X_{12}^3 \oplus S(X_3^3) \oplus X_7^3 = X_2^4\) in the fourth round. \(\varDelta X_{12}^3 = \varDelta X_2^4 = 0\) and \(\varDelta X_7^3 = \alpha \oplus \beta \), which derives \(\varDelta S(X_3^3) = \alpha \oplus \beta \). Meanwhile, \(\varDelta X_3^3 = \alpha \) (yellow in Fig. 3). Thus besides (4), we obtain the following necessary condition.

$$\begin{aligned} \exists z : S(z) \oplus S(z \oplus \alpha ) = \alpha \oplus \beta \end{aligned} \tag{5}$$

To avoid redundancy, we omit listing all candidates, but according to the DDT, conditions (4) and (5) cannot be satisfied simultaneously when \(\alpha \in \{2,3,e,f\}\).

5. To prove the case \(\alpha = 8\), we proceed further with the analysis. Because it requires too many details, we omit the proof in this paper.
With the above argument, Theorem 2 is proven. \(\square \)
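The DDT argument behind conditions (4) and (5) can be reproduced mechanically. The following added example (not code from the paper or its tool) lists, for each \(\alpha \), the \(\beta \) values that satisfy (4) and, optionally, (5). The S-box table is an assumption: it is written out from the Lilliput specification [17] because Table 5 is not reproduced here, and the function names are hypothetical.

```python
# Added example: brute-force check of the necessary conditions (4) and (5)
# from the proof of Theorem 2.
# Assumption: SBOX is the 4-bit Lilliput S-box as given in its specification
# [17]. This page does not reproduce it (Table 5), so treat it as an input.
SBOX = [0x4, 0x8, 0x7, 0x1, 0x9, 0x3, 0x2, 0xE,
        0x0, 0xB, 0x6, 0xF, 0xA, 0x5, 0xD, 0xC]


def out_diffs(sbox, a):
    """Output differences reachable from input difference a,
    i.e. the columns with a non-zero entry in DDT row a."""
    return {sbox[x] ^ sbox[x ^ a] for x in range(len(sbox))}


def witnesses(sbox, alpha, with_cond5=True):
    """All beta that make the 9-round characteristic pass the checks.

    Condition (4): alpha -> beta and (alpha ^ beta) -> beta are both
    valid S-box transitions.
    Condition (5): alpha -> (alpha ^ beta) is also a valid transition,
    for the same beta.
    """
    found = []
    for beta in sorted(out_diffs(sbox, alpha)):           # (4), first line
        mid = alpha ^ beta
        if beta not in out_diffs(sbox, mid):               # (4), second line
            continue
        if with_cond5 and mid not in out_diffs(sbox, alpha):   # (5)
            continue
        found.append(beta)
    return found


def ruled_out(sbox, with_cond5=True):
    """Non-zero alpha for which no beta survives, so the characteristic
    (000000a0, 00000000) -> (00000000, 00000a00) is impossible."""
    return [a for a in range(1, len(sbox))
            if not witnesses(sbox, a, with_cond5)]


if __name__ == "__main__":
    print("beta candidates for alpha=9:",
          [format(b, "x") for b in sorted(out_diffs(SBOX, 0x9))])
    print("ruled out by (4) alone:     ",
          [format(a, "x") for a in ruled_out(SBOX, with_cond5=False)])
    print("ruled out by (4) and (5):   ",
          [format(a, "x") for a in ruled_out(SBOX)])
    print("surviving beta for alpha=8: ",
          [format(b, "x") for b in witnesses(SBOX, 0x8)])
```

For \(\alpha = 8\) one \(\beta \) survives both conditions, which matches the proof needing a further step for that case.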
Remarks
We would like to emphasize once again that the advantage of our tool is that we can obtain a list of all impossible differential characteristics without considering the contradicting reason. We also manually verified ID204 to ID216, while we could not catch the contradicting reason for ID202, ID203, and ID217 by hand. In particular, ID217 is the only pair in which the differences of the active nibbles in the input and output are different. We leave their verification open.
4.3 ARIA
ARIA is a 128-bit block cipher and provides three secret-key lengths: 128, 192, and 256 bits [19]. ARIA is standardized by the Korean Agency for Technology and Standards (KATS) and is described in RFC 5794 and RFC 6209. ARIA uses a Substitution-Permutation Network (SPN) structure, and the state is represented by 16 bytes. The round function consists of the Substitution layer SL and the Diffusion layer DL. We refer to [19] for its detailed specification.
Configurations for the Tool. Since the S-box size of ARIA is 8 bits, we run our tool in the arbitrary S-box mode. Similar to Midori128, we only execute the truncated impossible differential search. Our goal is to improve Li’s truncated impossible differentials. Namely, we search for 4.5-round truncated impossible differentials, where input and output differences take 3 independent differences and the number of involved subkey is reduced from 14. To search for such truncated impossible differentials efficiently, our tool searches for truncated impossible differentials for 3.5 rounds \((SL \circ (DL \circ SL)^3)\), where every active byte can take any difference. Then, the truncated differentials found are trivially extended to 4.5 rounds by applying DL to the beginning and end. Finally, we evaluate the number of input and output differences.
4.4 Minalpher
Minalpher is an authenticated encryption scheme designed by Sasaki et al. in 2015 [18]. Minalpher uses a 256-bit core permutation called Minalpher-P, which is based on a Substitution-Permutation Network (SPN) structure using 4-bit S-boxes. We refer to [18] for its detailed specification.
Previous Cryptanalysis. The designers found 6.5-round truncated impossible differentials by using the \(\mathcal {U}\)-method by Kim et al. These are the longest impossible differentials discovered by the \(\mathcal {U}\)-method.
Configurations for the Tool. While the S-box size is 4 bits, the block size, i.e., 256 bits, is very large. Therefore, we run our tool in the arbitrary S-box mode, aiming at truncated impossible differentials with 1 active nibble in the input and output differences. The number of such differences is 64 for both input and output. In the end, we run MILP for \(64 * 64 = 4096\) pairs.
7.5-round truncated impossible differentials of Minalpher-P

| ID | \(\varDelta P\) | \(\varDelta C\) | Remarks |
|---|---|---|---|
| 0001T | A[0][0] | A[0][2] | Manually verified |
| 0002T | A[0][0] | A[0][3] | |
| 0003T | A[0][0] | A[0][4] | |
| 0004T | A[0][0] | A[0][5] | |
| \(\vdots \) | \(\vdots \) | \(\vdots \) | |
| 1152T | B[3][7] | B[3][7] | |
4.5 MIBS
MIBS is a lightweight block cipher designed by Izadi et al. in 2009 [20]. The block length is 64 bits, and it supports two secret-key lengths: 64 and 80 bits. We refer to [20] for its detailed specification.
Previous Cryptanalysis. Bay et al. found two 8-round truncated impossible differentials [31]. Then, Wu and Wang found four additional 8-round truncated impossible differentials [8].
Configurations for the Tool. The block size of MIBS is 64 bits and the S-box size is 4 bits. Therefore, we run our tool in the specific S-box mode to maximize the number of rounds of the distinguisher. In our experiment, we limited the input and output differences to only 1 active nibble.
Considering the Feistel network, the number of differences we need to test is exactly the same as the case of Lilliput in Sect. 4.2. Thus we run MILP for \(120 \times 120 = 14400\) pairs of input and output differences.
List of 8-Round Impossible Differential Characteristics. The tool required about 7.7 seconds per pair using a single core and it took about 30 h to test 14400 pairs.
8-round impossible differential characteristics against MIBS

| ID | \(\varDelta P\) | \(\varDelta C\) | Remarks |
|---|---|---|---|
| 001T | \((00000000,000000\alpha 0)\) | \((0000\beta 000,00000000)\) | Bay |
| 002T | \((00000000,0000\alpha 000)\) | \((000000\beta 0,00000000)\) | Wu |
| 003T | \((00000000,00\alpha 00000)\) | \((0000000\beta ,00000000)\) | Bay |
| 004T | \((00000000,0000000\alpha )\) | \((00\beta 00000,00000000)\) | Wu |
| 005T | \((00000000,00\alpha 00000)\) | \((0000\beta 000,00000000)\) | Wu |
| 006T | \((00000000,0000\alpha 000)\) | \((00\beta 00000,00000000)\) | Wu |
| 001–120 | \((00000000,000\gamma 0000)\) | \((00000\epsilon 00,00000000)\) | |
| 121–240 | \((00000000,00000\epsilon 00)\) | \((000\gamma 0000,00000000)\) | |
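Pairs of impossible differences found by our tool for MIBS

| \(\gamma \) (rows), \(\epsilon \) (columns) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | x | x | x | 0 | x | x | 0 | 0 | 0 | x | 0 | 0 | x | 0 | x |
| 2 | 0 | x | 0 | x | x | x | 0 | x | x | 0 | 0 | 0 | x | x | 0 |
| 3 | x | 0 | x | x | 0 | 0 | 0 | x | x | x | 0 | 0 | 0 | x | x |
| 4 | x | x | 0 | x | 0 | 0 | 0 | 0 | 0 | x | x | x | x | x | 0 |
| 5 | x | 0 | 0 | 0 | x | x | 0 | x | x | x | x | x | 0 | 0 | 0 |
| 6 | x | 0 | x | x | 0 | x | x | 0 | x | 0 | x | 0 | x | 0 | 0 |
| 7 | 0 | 0 | 0 | 0 | 0 | x | x | x | 0 | x | x | 0 | x | x | x |
| 8 | x | x | x | 0 | x | 0 | x | x | 0 | 0 | x | 0 | 0 | x | 0 |
| 9 | 0 | x | x | 0 | 0 | x | x | 0 | x | x | 0 | x | 0 | x | 0 |
| a | 0 | x | 0 | x | x | 0 | x | 0 | x | x | x | 0 | 0 | 0 | x |
| b | x | 0 | 0 | 0 | x | 0 | x | 0 | x | 0 | 0 | x | x | x | x |
| c | 0 | 0 | x | x | x | 0 | x | x | 0 | x | 0 | x | x | 0 | 0 |
| d | 0 | 0 | x | x | x | x | 0 | 0 | 0 | 0 | x | x | 0 | x | x |
| e | 0 | x | x | 0 | 0 | 0 | 0 | x | x | 0 | x | x | x | 0 | x |
| f | x | x | 0 | x | 0 | x | x | x | 0 | 0 | 0 | x | 0 | 0 | x |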
5 Differential Possibility Equivalence Technique
In Sect. 4.1, we searched for all truncated impossible differentials with one active nibble. However, since \(\mathtt {ShuffleCell}\) and \(\mathtt {MixColumn}\) in Midori128 are bytewise operations, we should search for all impossible characteristics with one active byte if possible. Moreover, the search in Sect. 4.1 never exploited the property of \(\mathtt {Sb}_1\) because the tool was run in the arbitrary S-box mode. This section explains how to run the tool in the specific S-box mode in a feasible time.
5.1 Procedure of Differential Possibility Equivalence Technique
The differential possibility equivalence technique reduces the number of MILP instances that our tool has to solve.^{2} Figure 4 shows the outline of the technique. Assuming that we search for impossible differential characteristics in which the first words of plaintexts and ciphertexts are active, we want to evaluate \((2^{c}-1)^2\) pairs of input and output differences. First, we solve one MILP instance and obtain that \((\varDelta _i \rightarrow \varDelta _i' \rightarrow \varDelta _o' \rightarrow \varDelta _o)\) is a possible differential characteristic for one tuple \((\varDelta _i,\varDelta _i',\varDelta _o',\varDelta _o)\). Next, we evaluate a set \(\mathcal {I}\) whose elements are all \(\varDelta \) such that \(\varDelta \rightarrow \varDelta _i'\) is possible. Similarly, we evaluate a set \(\mathcal {O}\) whose elements are all \(\varDelta \) such that \(\varDelta _o' \rightarrow \varDelta \) is possible. Then, all pairs in \(\mathcal {I} \times \mathcal {O}\) are possible characteristics via \((\varDelta _i',\varDelta _o')\), so we do not need to evaluate them using MILP. We note that some MILP solvers have an API for programming languages, e.g. Gurobi Optimizer supports an API for the C language. Thus, adding such auxiliary code is easily done. Since the numbers of elements in \(\mathcal {I}\) and \(\mathcal {O}\) are \(2^{c/2}\) on average, we can efficiently reduce the number of MILP instances that our tool has to solve.
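The bookkeeping of this technique can be seen on a one-word toy model. This is an added example, not the authors' tool: a brute-force `CountingSolver` stands in for one MILP instance per call, `CORE` is a constructed set of middle transitions \((\varDelta _i', \varDelta _o')\) standing in for the inner rounds, and the S-box table (the Lilliput S-box from [17]) and all names are assumptions.

```python
# Added example: differential possibility equivalence on a toy model with
# one active 4-bit word at the input and at the output (c = 4).
from itertools import product

# Assumption: 4-bit Lilliput S-box from its specification [17]; any
# bijective 4-bit S-box works for the bookkeeping shown here.
SBOX = [0x4, 0x8, 0x7, 0x1, 0x9, 0x3, 0x2, 0xE,
        0x0, 0xB, 0x6, 0xF, 0xA, 0x5, 0xD, 0xC]
N = len(SBOX)

# Constructed stand-in for the inner rounds: the only transitions
# (delta_i', delta_o') that the middle of the cipher allows.
CORE = [(0x1, 0x2), (0x2, 0x4), (0x4, 0x8), (0x8, 0x1)]


def possible(a, b):
    """True if the S-box can map input difference a to output difference b."""
    return any(SBOX[x] ^ SBOX[x ^ a] == b for x in range(N))


class CountingSolver:
    """Stands in for the MILP solver: one call = one MILP instance."""

    def __init__(self):
        self.calls = 0

    def solve(self, d_in, d_out):
        """Return a feasible (delta_i', delta_o') or None if impossible."""
        self.calls += 1
        for mid_in, mid_out in CORE:
            if possible(d_in, mid_in) and possible(mid_out, d_out):
                return mid_in, mid_out
        return None


def naive_search(solver):
    """One solver call for each of the (2^c - 1)^2 pairs."""
    pairs = product(range(1, N), repeat=2)
    return {p for p in pairs if solver.solve(*p) is None}


def pruned_search(solver):
    """Skip every pair already covered by some earlier set I x O."""
    known_possible, impossible = set(), set()
    for d_in, d_out in product(range(1, N), repeat=2):
        if (d_in, d_out) in known_possible:
            continue                      # no MILP instance needed
        found = solver.solve(d_in, d_out)
        if found is None:
            impossible.add((d_in, d_out))
            continue
        mid_in, mid_out = found
        # I: all differences that can reach delta_i' through the S-box.
        set_i = [d for d in range(1, N) if possible(d, mid_in)]
        # O: all differences reachable from delta_o' through the S-box.
        set_o = [d for d in range(1, N) if possible(mid_out, d)]
        known_possible.update(product(set_i, set_o))
    return impossible


def compare():
    """Run both searches; return both results and both call counts."""
    naive, pruned = CountingSolver(), CountingSolver()
    res_naive = naive_search(naive)
    res_pruned = pruned_search(pruned)
    return res_naive, res_pruned, naive.calls, pruned.calls


if __name__ == "__main__":
    res_naive, res_pruned, n_calls, p_calls = compare()
    print("same impossible pairs:", res_naive == res_pruned)
    print("solver calls: naive", n_calls, "pruned", p_calls)
```

Both searches return the same set of impossible pairs; only the number of solver calls differs.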
We estimate the effectiveness of differential possibility equivalence technique.
Theorem 3
Let n and c be the number of S-boxes per round and the size of each S-box, respectively. Our tool aims to find impossible differentials with d input active words and \(d'\) output active words. Then, the number of trials that we have to solve MILP instances is \(2^{d+d'}((d+d') \log _e(2^c-1) + O(1))\) on average.
Due to the page limitation, we omit the proof of Theorem 3. Accurately, we can more efficiently collect N input and output differences than the estimation by Theorem 3 because every trial can always choose a pair without duplication. On the other hand, this error is not serious because \(N'\) differences are evaluated at the same time in one trial.
7-round impossible differential characteristics against Midori128

| ID | \(\varDelta P\) position | \(\varDelta P\) value | \(\varDelta C\) position | \(\varDelta C\) value |
|---|---|---|---|---|
| 001 | \(s_1\) | \(\mathtt{0x04}\) | \(s_8\) | \(\mathtt{0x43}\) |
| 002 | \(s_1\) | \(\mathtt{0x0C}\) | \(s_8\) | \(\mathtt{0x43}\) |
6 Applications from Design Aspect
6.1 Design Tool Using Specific S-Box Mode
Let us discuss using the tool for the design process of new primitives. Attack tools can always be used to evaluate how many rounds are attacked after the design is completed. Here we want to discuss a more interactive process. In many SPN-based designs, the designers evaluate many candidates with MILP and pick the best choice. For example, the designers of Midori chose an almost-MDS matrix for MixColumn, and tested all parameters for ShuffleCell. Similarly, the designers of Skinny tested all light non-MDS matrices for MixColumns and the designers of Minalpher tested all parameters of a ShiftRows-like operation.
To run our tool in the specific S-box mode, S-boxes must be fixed in advance. This situation occurs when the choice of S-boxes has a high priority in the design. For example, Midori [16] chose the S-box with the lowest depth, and FIDES [32] and PICARO [33] chose the S-box that can be masked easily.
In our tool, all the components except for the key schedule are simulated. Therefore, when we assume that subkeys are XORed to all words of the state before S-boxes, the tool can provide a certain level of proof, which is detailed below.
Observation 3
Suppose that the tool does not find any impossible differential characteristic for r rounds after testing all paired input and output differences in a certain subset in the specific S-box mode. Then, the number of rounds of the longest impossible differential satisfying those input and output differences is at most \(r-1\) by assuming that all subkeys are independent and chosen uniformly at random.
Proof
If we can verify that all input and output differences with one active word are possible in the specific S-box mode, we say that the cipher is secure against impossible differentials with one active word under the subkey uniform assumption.
Remarks About Proof in [21]. Cui et al. claimed that the tool can be used to prove the longest impossible differentials under the condition that input and output differences belong to the tested subset. After evaluating several ciphers, they claimed that “we proof that the longest impossible differentials for LBlock, TWINE and Piccolo ciphers are really 14, 14 and 7 rounds respectively.” Unfortunately, Cui et al. are misinterpreting what the tool does.
In the evaluation with MILP, all valid propagations for one round are also valid in the evaluation of multiple rounds irrespectively of the propagation in neighboring rounds and subkey values. This is true only if all subkeys are independent and chosen uniformly at random. Therefore, even if no impossible differential is found for r rounds by MILP, it cannot ensure the nonexistence for r rounds for real ciphers with particular key schedule.
6.2 Design Tool Using Arbitrary S-Box Mode
The arbitrary S-box mode is also useful as a design tool. When we run our tool in the specific S-box mode as a design tool, S-boxes must be fixed in advance. Meanwhile, if the choice of the linear layer has a higher priority, we would like to recommend the arbitrary S-box mode. The arbitrary S-box mode has two advantages: it can be executed before the S-boxes are specified, and it is generally more efficient than the specific S-box mode. In addition, the arbitrary S-box mode brings several benefits to the designers.

Evaluating Linear Layer: The designers often test many choices of the S-boxes and of the linear layer. Because exhaustively testing all combinations is infeasible, the designers need to evaluate them independently. The arbitrary S-box mode finds impossible differential characteristics that are independent of the choice of the S-box, which makes it possible to evaluate the security of the linear layer. In addition, the arbitrary S-box mode enables the designers to proceed with the design of the S-boxes and the design of the linear layer in parallel, which can shorten the design period.

Distinguishing Contradicting Reasoning: When impossible differentials are found for some rounds, the designers may prefer to patch the design or choose other design candidates. Then it is convenient for the designer to know whether the detected differentials can be prevented by changing S-boxes or not. In the arbitrary S-box mode, the contradiction is clearly caused by the linear layer.
Actually, impossible differential characteristics ID001–ID195 of Lilliput can be found by both the specific and arbitrary S-box modes, but the others, ID196–ID217, can be found only by the specific S-box mode. Thus, we can immediately know that ID001–ID195 are impossible differential characteristics independent of the choice of the S-box and cannot be prevented by replacing the S-box.
Similarly to Sect. 6.1, the fact that no impossible differential is found gives a certain level of security proof as follows.
Observation 4
Suppose that the tool does not find any impossible differential characteristic for r rounds after testing all paired input and output differences in a certain subset in the arbitrary S-box mode. Then, the number of rounds of the longest impossible differential satisfying those input and output differences is at most \(r - 1\) by assuming that all S-boxes are keyed bijective S-boxes that are independent and chosen uniformly at random.
If we can verify that all pairs of input and output differences with one active word are possible in the arbitrary S-box mode, we say that the cipher is secure against impossible differentials with one active word under the keyed (uniform) bijective S-boxes assumption.
6.3 Optimal Pick Technique; Application to MIBS
When ciphers have a heavy diffusion layer, the MILP solver requires too much time to verify whether or not a given pair of input and output differences is possible. For example, suppose that we evaluate the resistance of MIBS against 9-round impossible differentials. As discussed in Sect. 4.5, we need to test 14400 pairs of input and output differences. However, the tool could not finish the evaluation of 1 pair even after a couple of hours. Proving the security of 9-round MIBS with the direct application of our tool is infeasible.
Optimal Pick Technique. We propose an optimal pick technique, which dramatically reduces the computation time to prove the resistance against impossible differentials, i.e. to prove the existence of a differential characteristic. Suppose that we are given a pair of input and output differences. The optimal pick technique works well when there are many differential characteristics satisfying a pair of given input and output differences. The intuition of this technique is as follows. We partially constrain the difference of the state in a middle round as well as the input and output differences. Suppose that our aim is to prove the resistance against \(r\)-round impossible differentials, and we expect that the proof is possible. Let \(X_{i-1}\) be a difference of the input of the \(i\)-th round. Our tool constrains a pair of input and output differences \((X_0,X_r)\), and additional b bits of \(X_{\lceil r/2 \rceil }\), where b is heuristically chosen. In our experiments, these additional constraints often reduce the execution time of the MILP solver. To prove the resistance against impossible differentials, it is sufficient to find only one characteristic satisfying the constraint. Therefore, if the solver takes too long for a choice of constrained b bits, we give up searching for the b bits, and test another b bits, expecting that the new b bits are easy to compute.
In the application to 9-round MIBS, for pairs of input and output differences \((X_0,X_9)\) we used the optimal pick technique with the following strategy.

1. Four nibbles in \(X_{4}\) are additionally constrained \((b=16)\).

2. For all \(2^{16}\) choices of additional constraints, we evaluate whether or not it is possible to satisfy \((X_0,X_4,X_9)\). If the execution time reaches 10 s, we stop the evaluation and proceed to the next additional constraints.

3. Once we find an additional constraint \(X_{4}\) satisfying the input and output differences \((X_0,X_9)\), we return that the pair \((X_0,X_9)\) is possible.

The second strategy is the essence of the optimal pick technique. The execution time of the MILP solver becomes too long for some choices of \(X_4\), and the second strategy allows us to escape from the unlucky choice. As a result, we successfully proved that there are no 9-round impossible differential characteristics with one active nibble under the subkey uniform assumption. Note that the optimal pick technique can only be used for the proving approach, i.e. it cannot be used to find impossible differential characteristics because we terminate the MILP search when the execution time reaches 10 s.
6.4 List of Evaluated Designs
Provable security against impossible differentials

| Target | #Rounds | Assumption | Remarks |
|---|---|---|---|
| Midori128 | 8 | Subkey uniform | 1 active byte |
| Midori128 | 8 | Keyed bijective 4-bit S-boxes | 1 active byte |
| Midori128 | 7 | Keyed bijective 8-bit S-boxes | 1 active byte |
| Lilliput | 10 | Subkey uniform | 1 active nibble |
| Minalpher | 9.5 | Keyed bijective S-boxes | 1 active nibble |
| ARIA | 5 | Keyed bijective S-boxes | 1 active byte |
| MIBS | 9 | Subkey uniform | 1 active nibble |
| SIMON | 12 | Subkey uniform | 1 active bit |
| TWINE | 15 | Subkey uniform | 1 active nibble |
| LBlock | 15 | Subkey uniform | 1 active nibble |
| Piccolo | 8 | Subkey uniform | 1 active nibble |
| RECTANGLE | 9 | Subkey uniform | 1 active nibble |
| Skinny64 | 12 | Subkey uniform | 1 active nibble |
| Midori64 | 7 | Subkey uniform | 1 active nibble |
| CLEFIA | 10 | Keyed bijective 8-bit S-boxes | 1 active byte |
Footnotes
1. We realized this fact only after we finished manual verification. The tool outputs a list of 217 pairs, and at that time we had no clue about the contradicting reason.
2. The motivation of the differential possibility equivalence technique is quite different from that of the truncated impossible differential. The truncated impossible differential search overlooks impossible characteristics as soon as the truncated set contains a single possible characteristic. When the number of impossible characteristics is small, truncated impossible differential search is not useful.
References
1. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34704-7_5
2. Knudsen, L.: DEAL - a 128-bit block cipher. Technical report no. 151, Department of Informatics, University of Bergen, Norway (1998)
3. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_2
4. Biryukov, A.: Miss-in-the-middle attack. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security. Springer, Heidelberg (2005)
5. Kim, J., Hong, S., Sung, J., Lee, S., Lim, J., Sung, S.: Impossible differential cryptanalysis for block cipher structures. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 82–96. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-24582-7_6
6. Luo, Y., Wu, Z., Lai, X., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Cryptology ePrint Archive, report 2009/627 (2009)
7. Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014)
8. Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34931-7_17
9. Tezcan, C.: Improbable differential attacks on present using undisturbed bits. J. Comput. Appl. Math. 259, 503–511 (2014)
10. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Cryptology ePrint Archive, report 2014/084 (2014). http://eprint.iacr.org/2014/084
11. Derbez, P., Fouque, P.-A.: Automatic search of meet-in-the-middle and impossible differential attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 157–184. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_6
12. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_9
13. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. IACR Cryptology ePrint Archive 2014/747 (2014)
14. Sasaki, Y., Todo, Y.: New differential bounds and division property of Lilliput: block cipher with extended generalized Feistel network. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS. Springer, Cham (2016)
15. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Constructing mixed-integer programming models whose feasible region is exactly the set of all valid differential characteristics of SIMON. Cryptology ePrint Archive, report 2015/122 (2015). http://eprint.iacr.org/2015/122
16. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_17
17. Berger, T.P., Francq, J., Minier, M., Thomas, G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65, 2074–2089 (2015)
18. Sasaki, Y., Todo, Y., Aoki, K., Naito, Y., Sugawara, T., Murakami, Y., Matsui, M.: Minalpher v1.1. Submitted to CAESAR (2015)
19. Kwon, D., et al.: New block cipher: ARIA. In: Lim, J.I., Lee, D.H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 432–445. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24691-6_32
20. Izadi, M., Sadeghiyan, B., Sadeghian, S.S., Khanooki, H.A.: MIBS: a new lightweight block cipher. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 334–348. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10433-6_22
21. Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. Cryptology ePrint Archive, report 2016/689 (2016). http://eprint.iacr.org/2016/689
22. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_5
23. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74735-2_31
24. Gurobi Optimization, Inc.: Gurobi optimizer 6.5 (2015). http://www.gurobi.com/
25. Guo, J., Jean, J., Nikolić, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace attack against full Midori64. Cryptology ePrint Archive, report 2015/1189 (2015). http://eprint.iacr.org/2015/1189
26. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack - practical attack on full SCREAM, iSCREAM, and Midori64. Cryptology ePrint Archive, report 2016/732 (2016). http://eprint.iacr.org/2016/732
27. Zhan, C., Xiaoyun, W.: Impossible differential cryptanalysis of Midori. Cryptology ePrint Archive, report 2016/535 (2016). http://eprint.iacr.org/2016/535
28. Berger, T.P., Minier, M., Thomas, G.: Extended generalized feistel networks using matrix representation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 289–305. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_15
29. Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of reduced-round ARIA and Camellia. J. Comput. Sci. Technol. 22(3), 449–456 (2007)
30. Li, R., Sun, B., Zhang, P., Li, C.: New impossible differential cryptanalysis of ARIA. Cryptology ePrint Archive, report 2008/227 (2008). http://eprint.iacr.org/2008/227
31. Bay, A., Nakahara Jr., J., Vaudenay, S.: Cryptanalysis of reduced-round MIBS block cipher. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 1–19. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17619-7_1
32. Bilgin, B., Bogdanov, A., Knežević, M., Mendel, F., Wang, Q.: Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 142–158. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40349-1_9
33. Piret, G., Roche, T., Carlet, C.: PICARO – a block cipher allowing efficient higher-order side-channel resistance. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 311–328. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31284-7_19
34. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, report 2013/404 (2013). http://eprint.iacr.org/2013/404
35. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-35999-6_22
36. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21554-4_19
37. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23951-9_23
38. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74619-5_12
39. Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-52993-5_14