International Association for Cryptologic Research

IACR News item: 22 April 2012

Shengbao Wu, Mingsheng Wang
ePrint Report
Finding the longest impossible differentials is an essential assignment in proceeding impossible differential cryptanalysis. In this paper, we introduce a novel tool to search the longest truncated impossible differentials for word-oriented block ciphers with bijective S-boxes. It costs polynomial time to return a flag indicating whether a truncated differential is impossible under several filter conditions. To demonstrate the strength of our tool, we show that it allows to automatically find the longest truncated impossible differentials for many word-oriented block ciphers. It independently rediscovers all known truncated impossible differentials on nine round CLEFIA. What's more, it finds new and longest truncated impossible differentials for the AES, ARIA, Camellia without $FL$ and $FL^{-1}$ layers, E2, MIBS, LBlock and Piccolo. Finally, we give an impossible differential of 14-round LBlock to illustrate that our tool is more powerful than the $\mathcal{U}$-method and UID-method. We expect that the tool proposed in this paper will be useful for evaluating the security of block ciphers against impossible differentials, especially when one tries to design a word-oriented block cipher with bijective S-boxes.

Additional news items may be found on the IACR news page.