Links between Quantum Distinguishers Based on Simon’s Algorithm and Truncated Differentials

In this paper, we study the quantum security of block ciphers based on Simon’s period-finding quantum algorithm. We explore the relations between periodic functions and truncated differentials. The basic observation is that truncated differentials with a probability of 1 can be used to construct periodic functions


Introduction
With the development of physics and computation techniques, quantum computation has subverted the cognition of traditional theories of computation, and thus attracted extensive attention, especially in the field of cryptography, since the emergence of large-scale quantum computers affects the security of existing cryptographic schemes significantly.
The proposal of Shor's algorithm [Sho97] is a milestone in developing quantum computation. Shor's algorithm can solve problems such as the factorization of large integers and the computation of discrete logarithms in polynomial time, which breaks the public-key cryptography designed on those problems in the quantum scenario.
In addition, Grover's algorithm [Gro96] and Simon's algorithm [Sim97] also challenge the security of existing symmetric cryptographic schemes. Grover's algorithm quadratically accelerates the exhaustive key search for any cryptographic primitive. Simon's algorithm can be used to derive the period of periodic functions in polynomial time, by which attacks on symmetric cryptographic structures can be conducted.
Various methods have been proposed as cryptanalysis tools in the classical scenario; such tools should also be established for evaluating the post-quantum security of current cryptographic primitives and providing the necessary preparation for designing new quantum-resistant cryptographic primitives, as the authors suggested in [KLLN16a]. At present, quantum attacks on cryptographic primitives can be roughly divided into two categories. One is the use of existing quantum algorithms to quantize classical cryptanalysis techniques, such as quantum differential and linear attacks [KLLN16b], quantum Demirci and Selçuk meet-in-the-middle attacks [HS18, BNS19b], quantum slide attacks [DDW20, BNS19a], and quantum rebound attacks [HS20, DSS+20, CKS21]. The other, as classical cryptanalysis does, is to combine the problems that quantum algorithms can solve with the flaws that exist in cryptographic primitives to complete the attack. Along this line of research, Simon's algorithm has attracted much attention since it was used by Kuwakado and Morii to distinguish the 3-round Feistel structure in 2010 [KM10]. Later, Simon's algorithm was also applied in [KM12] to conduct a key recovery attack on the Even-Mansour structure, and the authors proved that the Even-Mansour structure was no longer secure under quantum scenarios.
Roughly, Simon's algorithm based quantum attacks can be divided into two categories. The first one is to distinguish a round-reduced block cipher, such as the 3-round distinguisher of the Feistel structure presented in [KM10]. Soon after, quantum distinguishers for generalized Feistel structures [DLW19, HKK20, ZWSW23], improved quantum distinguishers for Type-1 generalized Feistel structures [NIDI19], and a chosen-ciphertext distinguisher for Feistel and Feistel-FK structures [IHM+19] were proposed. Furthermore, Leander et al. presented a clever idea combining Grover's algorithm and Simon's algorithm at ASIACRYPT 2017 [LM17], and a key recovery attack for the FX structure. Inspired by this idea, Dong and Wang [DW18] proposed a key recovery attack on the 5-round Feistel structure based on the 3-round distinguisher. The other line of research converts the weakness of modes of operation into recovering the period of well-designed periodic functions, such as the key recovery attack on the Even-Mansour cipher [KM12]. Following this idea, Kaplan et al. broke several modes of operation at CRYPTO 2016 [KLLN16a], such as CBC-MAC, GCM, and OCB. Usually, the period in such attacks contains the key information; thus, recovering the period can directly retrieve the key.
Although Simon's quantum algorithm has many applications in the cryptanalysis of symmetric ciphers, it requires access to a quantum encryption oracle that can be queried with superposition states. Recently, this requirement has been removed by offline Simon's algorithms [BHN+19], where an attacker can only access a classical encryption oracle and run Simon's algorithm in an offline style with an increase in the time complexity. However, both Simon's algorithm and the offline Simon's algorithm need to devise a periodic function.
Our Contributions. In this paper, we focus on the quantum security of basic symmetric primitives and investigate the construction of periodic functions for round-reduced block ciphers. We establish the links between periodic functions and truncated differentials and present a classical view of quantum distinguishing attacks for the first time. Our contributions are threefold.
(1) We observe that a periodic function always exhibits a differential with probability 1, and prove that as long as there is an r-round truncated differential whose output differences can be annihilated, a periodic function can be constructed. Moreover, two types of periodic functions that cover most existing studies and general constructions for such periodic functions from truncated differentials with probability 1 are presented, which spares us from manually verifying the periodic property of constructed functions. This also indicates that the study of classical truncated differentials can be a guide for the study of quantum distinguishing attacks for a round-reduced block cipher.
(2) As an illustration, our general techniques are applied to the LBlock and SIMON block ciphers. Regarding LBlock, an 8-round distinguisher which is 4 rounds longer than the previous generic result can be constructed. For the SIMON family of block ciphers, we construct 9/10/11/13/15-round distinguishers for SIMON-32/48/64/96/128, while the best previous generic results cover 6 rounds for all SIMON variants. We provide a comparison table in Table 1. All our distinguishers can be easily verified from the view of truncated differentials.
(3) Finally, we study the quantum resistance of block cipher structures, where the details of non-linear components are not considered. The round number of quantum distinguishers for the unified structure is estimated. It is proved that for a d-branch unified structure with a few restrictions, one can always construct a (2d − 1)-round quantum distinguisher. Specifically, this result applies to classical Feistel, MARS-like, and SM4-like structures.
Organization. This paper is organized as follows. Section 2 introduces some notations and briefly revisits Simon's quantum algorithm. We introduce a new technique on how to construct periodic functions from truncated differentials in Section 3. Section 4 presents an extended periodic function. Section 5 applies our technique to the LBlock and SIMON block ciphers. We study the round number of such quantum distinguishers for unified structures in Section 6. Section 7 concludes the paper.

Notation
This subsection introduces the notations that will be used throughout this paper. Let $\mathbb{F}_2$ denote the finite field with two elements, and $\mathbb{F}_2^n$ denote the $n$-dimensional vector space over $\mathbb{F}_2$. All vectors that appear in this paper are treated as column vectors. With a slight abuse of notation, we let $a = (a_1, \ldots, a_n) \in \mathbb{F}_2^n$ denote a column vector, where we omit the transpose notation for clarity. $0^n$ represents an $n$-dimensional zero vector. Denote the bit-wise XOR and AND operations by $\oplus$ and $\&$, respectively. Let

Truncated Differential
The idea of truncated differentials was first introduced by Knudsen et al. in [Knu94] and later formalized in [BLN14, LTW18, ZSLS15]. Different from a classical differential, a truncated differential focuses on difference propagations from a set of input differences to a set of output differences. In this paper, we adopt the more general definition in [ZSLS15] shown below.

Simon's Algorithm
In this subsection, we briefly introduce Simon's quantum algorithm [Sim97]. Throughout this paper, we assume that readers have basic knowledge about quantum computation. Simon's algorithm was originally proposed to solve the following problem.
Simon's problem. Given a vectorial Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ with the promise that there exists an $s \in \mathbb{F}_2^n \setminus \{0^n\}$ such that for any $x, y \in \mathbb{F}_2^n$, $f(x) = f(y) \Leftrightarrow x \oplus y \in \{0^n, s\}$, the goal is to find $s$.
The condition that $f(x) = f(y) \Leftrightarrow y = x \oplus s$ for any distinct $x$ and $y$ is called Simon's promise. According to the birthday bound, $O(2^{n/2})$ queries are needed to find $s$ in the classical setting, while only $O(n)$ quantum queries are required by Simon's algorithm in the quantum setting. We assume that the attacker has access to a quantum oracle $U_f$, which is defined as
6. Measure the first register in the computational basis and get a random output value denoted by $z$. If $z \cdot s = 1$, the amplitude of $|z\rangle$ is 0, which means the probability of measuring such a $z$ is 0. Therefore, one obtains $z \cdot s = 0$ from the above fact.
Repeating the above subroutine $O(n)$ times, $n - 1$ linearly independent vectors orthogonal to $s$ can be obtained with a high probability. Furthermore, $s$ can be recovered by solving linear equations.

The Extension of Simon's Algorithm
In practical settings, Simon's promise is not always completely satisfied. For example, when round functions are not permutations, there is no guarantee that the periodic function designed in [KM10] strictly satisfies Simon's promise. That is, one has a function $f$ satisfying only the condition that $y = x \oplus s$ implies $f(x) = f(y)$ for any $x$. In this case, Simon's algorithm no longer seems to work. In the following, we call such an $f$ a periodic function and $s$ a period of $f$. To handle the case where Simon's promise is not strictly satisfied, Kaplan et al. [KLLN16a] studied Simon's algorithm and introduced the parameter $\varepsilon(f, s)$, where and concluded that as long as a periodic function $f$ is constructed, which satisfies that there exists $p_0$ such that $\varepsilon(f, s) \le p_0 < 1$, one can also use Simon's algorithm with $f$ to recover the period $s$ with probability at least 1 − (2( has a period $s$, the obtained vectors must be orthogonal to $s$. Hence the dimension of the vector space spanned is less than $l$. On the other hand, if $f^O$ has no periods, the dimension can reach $l$. Thus, the evaluation of $\varepsilon(f, s)$ is no longer required. This means that as long as a periodic function is constructed, it is not required to prove that the period is unique, and a distinguishing attack can be achieved.
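The measurement step and the dimension test described above can be reproduced classically for a small function. The following is an added example, not code from the paper: it computes the exact outcome distribution of one subroutine run by exhaustive evaluation instead of a quantum oracle, and the function names, the width `N`, the period `S` and the three test functions are constructed for illustration.

```python
import random

N = 6                 # input width in bits (constructed toy size)
S = 0b101101          # constructed hidden period

def dot(a, b):
    """Inner product over F_2 of two bit vectors packed into ints."""
    return bin(a & b).count("1") & 1

def simon_weights(f, n):
    """Exact outcome weights of one Simon subroutine run: Pr[z] = w[z] / 4**n.

    After the oracle call and the Hadamard layer, the amplitude of |z>|v> is
    2**-n times the sum of (-1)**(x.z) over all x with f(x) = v.
    """
    preimages = {}
    for x in range(1 << n):
        preimages.setdefault(f(x), []).append(x)
    w = [0] * (1 << n)
    for z in range(1 << n):
        for xs in preimages.values():
            amp = sum(-1 if dot(z, x) else 1 for x in xs)
            w[z] += amp * amp
    return w

def row_reduce(vectors):
    """Reduced echelon basis of span(vectors) over F_2 as {pivot bit: row}."""
    basis = {}
    for v in vectors:
        for p, r in basis.items():
            if v >> p & 1:
                v ^= r
        if v:
            p = v.bit_length() - 1
            for q in basis:
                if basis[q] >> p & 1:
                    basis[q] ^= v
            basis[p] = v
    return basis

def orthogonal_complement(basis, n):
    """Basis of all y with z.y = 0 for every row z of a reduced basis."""
    out = []
    for free in (b for b in range(n) if b not in basis):
        y = 1 << free
        for p, r in basis.items():
            if r >> free & 1:
                y |= 1 << p
        out.append(y)
    return out

def simon(f, n, runs, seed):
    """Sample `runs` measurement outcomes and solve the linear system.

    Returns (dimension spanned by the outcomes, basis of candidate periods).
    """
    rng = random.Random(seed)
    zs = rng.choices(range(1 << n), weights=simon_weights(f, n), k=runs)
    basis = row_reduce(zs)
    return len(basis), orthogonal_complement(basis, n)

# Constructed test functions.
_rng = random.Random(1)
_perm = list(range(1 << N))
_rng.shuffle(_perm)
_table = [_rng.randrange(8) for _ in range(1 << N)]

def f_promise(x):      # Simon's promise holds exactly (two-to-one)
    return _perm[min(x, x ^ S)]

def f_periodic(x):     # only x ^ y = S implies f(x) = f(y); extra collisions exist
    return _table[min(x, x ^ S)]

def f_random(x):       # a permutation, hence no period
    return _perm[x]

if __name__ == "__main__":
    for name, f in [("promise", f_promise), ("periodic", f_periodic),
                    ("random", f_random)]:
        dim, periods = simon(f, N, 8 * N, seed=7)
        print(f"{name:9s} dim={dim} candidate periods={[bin(p) for p in periods]}")
```

For `f_periodic` the outcomes never leave the hyperplane orthogonal to `S`, so the spanned dimension stays below `N` without any estimate of ε(f, s), which is the distinguishing criterion stated above.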

Automatic Search of Periodic Functions
Recently, Canale et al. proposed a generic algorithm for the automatic search of periodic functions and presented the first efficient key-recovery attacks against constructions like 5-round MISTY L-FK and 5-round Feistel-FK using Simon's algorithm at CRYPTO 2022 [CLS22]. They represent those functions dependent on a round-reduced cipher E by a class of circuits, and these circuits can make use of oracle gates of E. Moreover, the oracle gates for several internal parts of E, such as the key-less round functions, are provided. Then, they automatically examine all circuits for periodicity.
Although their approach discovered many improved quantum distinguishers, this technique has several limitations. On the one hand, their approach is still quite complex in practice. On the other hand, their results do not cover periodic functions that have been constructed for some cryptographic primitives. In order to make the search algorithm practical, their approach just instantiates a reduced cipher with a small input size. Thus, the search algorithm may return an invalid periodic function, which further needs a verification process. Besides, the search algorithm requires exhaustively evaluating all possible combinations, whose complexity may be practically infeasible for more sophisticated ciphers. Compared with our approach, which will be illustrated later, their approach fails to leverage the specific properties of the round function, while our approach exploits such properties in a difference-based technique, thus potentially leading to longer distinguishers.

Links between Periodic Functions and Truncated Differentials
Revisiting the previous work [KM10, KM12, NIDI19, DLW19, HK20], the key to constructing a quantum distinguisher based on Simon's algorithm is to design a periodic function.
Previous studies construct periodic functions by analyzing the properties of underlying primitives case by case. In this section, we present a more general way to design periodic functions, which makes it easier to verify their periods.

Observations on Periodic Functions
Before we formally introduce our general technique, we would like to first make an in-depth study of periodic functions. The general idea is to try to connect periodic functions with differentials. Suppose f : ) is a natural input pair with an input difference $s$ when considering differential cryptanalysis. Thus, we can restate periodic functions from the perspective of differential cryptanalysis.
2 is a periodic function if and only if there exists an $s$ ($s \neq 0^n$), such that the difference transition from $s$ to 0 is of probability 1, i.e., Pr[s
However, such an input-output difference pair is unlikely to exist for a symmetric cipher. For instance, if $f$ is a block cipher, this difference pair indicates that there are two plaintexts that are encrypted to the same ciphertext, which will never happen for a block cipher as decryption is necessary. Thus, we consider a more general case for symmetric ciphers.

Constructing Periodic Functions from Truncated Differentials
In this section, we show how to construct periodic functions from the perspective of truncated differentials, before which we first present a new notion which we call the difference-annihilation matrix.
2 be a non-empty set of differences. Assume that there exists a non-zero matrix $L$ and such that $Lx = \gamma$ for any $x \in \Delta_O$, where $\gamma \in \mathbb{F}_2^n$ is a fixed value. Then, we call $L$ a difference-annihilation matrix of $\Delta_O$.
Then, $g$ is a periodic function with $(1, s)$ being its period for any s This proves that $g$ is a periodic function, and $(1, s)$ is a period of $g$ for any $s \in \Delta_I$.
Remark 1. When $\gamma = 0$ in Theorem 1, one can check that all of $(0, s)$, $(1, s)$ and $(1, 0)$ are periods of $g$. In this case, we can simplify the construction of g as g 2 } with probability 1, where $\gamma \in \mathbb{F}_2^n$ and $\gamma \neq 0^n$. Taking $(0^n, \gamma)$ as the first vector $\tau_0$ of $\Delta_O$, Algorithm 1 returns the following matrix $M_1 = (O\ I)$ and $\gamma = M_1 \tau_0$, where $I$ and $O$ denote the $n \times n$ identity and zero matrices over

New Insights on the 3-Round Distinguisher by Kuwakado and Morii
If we try to use a Type-I periodic function to construct a distinguisher for the Feistel structure, we can only get a 2-round distinguisher as in Example 1. However, there exists a 3-round quantum distinguisher given by Kuwakado and Morii as shown in Figure 1. The periodic function $g'_1$ used by such a distinguisher is defined as follows. According to Figure 1, in order to construct such a 3-round quantum distinguisher, the left branch of the input needs to be fixed to two distinct constants ($\gamma_0$ and $\gamma_1$) with a difference $\gamma = \gamma_0 \oplus \gamma_1$, such that the output difference of the first round function is a fixed unknown value $s = F_1(\gamma_0) \oplus F_1(\gamma_1)$, which is key-related. In this case, if the difference of the right branch equals the output difference of the first round function, the left branch of the input to the second round has a zero input difference. As 2 } is a truncated differential of 2-round Feistel structure with probability 1. Thus, $g'_1$ is a periodic function, and the 3-round quantum distinguisher can be constructed.
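The differential reading of the 3-round distinguisher can be checked exhaustively on a toy Feistel network. This is an added example, not code from the paper; the 4-bit branch width, the constants, the random lookup-table round functions and the round convention (L, R) -> (R xor F(L), L) are assumptions made here, and the function it builds follows the description above rather than the paper's exact definition of $g'_1$.

```python
import random

N = 4                        # branch width in bits (constructed toy size)
GAMMA0, GAMMA1 = 0x3, 0xA    # constructed public constants for the left branch
GAMMA = GAMMA0 ^ GAMMA1

def make_round_functions(rounds, seed):
    """Random lookup tables standing in for keyed round functions F_1..F_r.
    They are deliberately not forced to be permutations."""
    rng = random.Random(seed)
    return [[rng.randrange(1 << N) for _ in range(1 << N)] for _ in range(rounds)]

def feistel(left, right, fs):
    """Assumed round convention: (L, R) -> (R xor F(L), L)."""
    for f in fs:
        left, right = right ^ f[left], left
    return left, right

def output_differences(fs, d_left, d_right):
    """Every output difference reached from one input difference, over all inputs."""
    seen = set()
    for l in range(1 << N):
        for r in range(1 << N):
            a = feistel(l, r, fs)
            b = feistel(l ^ d_left, r ^ d_right, fs)
            seen.add((a[0] ^ b[0], a[1] ^ b[1]))
    return seen

def annihilate(state):
    """Apply M_1 = (O I): drop the left branch, keep the right one."""
    return state[1]

def g(b, x, fs):
    """Fix the left input to gamma_b, encrypt, annihilate, and cancel gamma_b."""
    gamma_b = GAMMA1 if b else GAMMA0
    return annihilate(feistel(gamma_b, x, fs)) ^ gamma_b

def is_period(fs, s):
    """True when the differential (1, s) -> 0 of g holds for every input."""
    return all(g(b, x, fs) == g(b ^ 1, x ^ s, fs)
               for b in (0, 1) for x in range(1 << N))

FS = make_round_functions(4, seed=2024)
# s = F_1(gamma_0) xor F_1(gamma_1): depends on the secret round function only.
S = FS[0][GAMMA0] ^ FS[0][GAMMA1]

if __name__ == "__main__":
    # Rounds 2 and 3 alone: input difference (0, gamma) gives (*, gamma).
    diffs = output_differences(FS[1:3], 0, GAMMA)
    print("2-round output differences:", sorted(diffs))
    print("M_1 maps them all to gamma:", {annihilate(d) for d in diffs} == {GAMMA})
    print("(1, s) is a period over 3 rounds:", is_period(FS[:3], S))
    print("(1, s) is a period over 4 rounds:", is_period(FS, S))
```

The first round turns the pair (γ_0, x), (γ_1, x ⊕ s) into a pair with difference (0, γ), which is the input difference of the 2-round probability 1 truncated differential; with a fourth round the right branch no longer carries a fixed difference and the period disappears.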

Type-II Periodic Function
Inspired by the 3-round distinguisher of the Feistel structure, we further extend the Type-I periodic functions to construct new periodic functions.
Theorem 2. Let $E : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a block cipher, which has an $r_2$-round truncated differential $\Delta_I \to \Delta_O$ with probability 1. Assume that there exists a difference-annihilation matrix $M \in \mathbb{F}_2^{k \times n}$ of full row rank with $Mx = \gamma$ for any $x \in \Delta_O$. Moreover, assume that the $r_1$-round difference transition from $\delta \to \Delta_I$ has a probability of 1 when one of the inputs belongs to a $t$-dimensional² ($t < n$) affine space $w \oplus W$, where and δ the projection of δ to $W$. Let $\varphi$ be a bijective linear transformation, and $\varphi$ is defined as Let $w_0 = w$, $w_1 = w \oplus \delta^{\perp}$, and $\gamma_0$, $\gamma_1$ be two constants such that $\gamma = \gamma_0 \oplus \gamma_1$. Let $g$ be defined as Then, $g$ is a periodic function with a period $(1, s)$, where $s = \varphi^{-1}(\delta)$.
² If $t = n$, the affine space is the full space $\mathbb{F}_2^n$ and one can construct $(r_1 + r_2)$-round probability 1 truncated differentials with no input restrictions.

Proof. Since φ(x) ∈ W for any
Thus, $w_0 \oplus \varphi(x)$, as one of the inputs to $E_{r_1+r_2}$, falls into $w \oplus W$. Moreover, According to the fact that the difference transition $\delta \to \Delta_I$ has a probability of 1 when one of the inputs belongs to $w \oplus W$, it can be deduced that This proves that $g$ is a periodic function, and $(1, s)$ is a period.
Remark 3. Figure 2 illustrates the construction of periodic functions in Theorem 2 from a differential point of view. Given an input $x$, the left and right branches of Figure 2 represent the encryption procedure of a differential pair with input difference $\varphi^{-1}(\delta)$. Besides, in order to obtain identical outputs, $w_i$ and $\gamma_i$ are XORed to the left and right branches for $i = 0$ and 1, respectively. What is marked in red in the middle of Figure 2 presents the intermediate differences during the encryption procedure.
Remark 4. It should be noted that $w_i$ and $\gamma_i$ ($i = 0, 1$) are explicitly XORed to the two branches in Figure 2; thus, they should be known to the attacker. In this case, one can get identical outputs if the inputs have a difference of $\varphi^{-1}(\delta)$, and this results in a periodic function whose period $\varphi^{-1}(\delta)$ can be recovered by Simon's algorithm. This observation confirms the fact that only $\delta^{\perp}$ is used to construct the periodic function in Theorem 2.
Definition 4. Let $E : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a block cipher, which has an $r_2$-round truncated differential $\Delta_I \to \Delta_O$ of probability 1, and an $r_1$-round truncated differential $\delta \to \Delta_I$ of probability 1 with the restriction that one of the inputs belongs to an affine space $w \oplus W$. If there exists a difference-annihilation matrix $M \in \mathbb{F}_2^{k \times n}$ of $\Delta_O$ and the projection of $\delta$ to $W^{\perp}$ is known, we call the periodic function as constructed in Theorem 2 a Type-II periodic function of $E_{r_1+r_2}$, where $E_{r_1+r_2}$ is the $(r_1 + r_2)$-round reduced version of $E$.

8-Round Distinguisher of LBlock
LBlock is designed from a variant of Feistel structures with the only difference that a left circular shift is performed on the right branch. Therefore, the 4-round quantum distinguisher of the Feistel structure designed in [IHM+19] is also applicable to LBlock. However, when considering the details of the round function from truncated differentials with probability 1, longer quantum distinguishers can be devised.

7/9-Round Distinguisher of SIMON-32
In [IHM+19], Ito et al. presented a 6-round distinguisher for Feistel-FK structures. Thus, a 6-round distinguisher for the SIMON family can be obtained directly. In the following, we take SIMON-32 as an example to illustrate how to construct longer distinguishers.

9-round Distinguisher of SIMON-32
[IHM+19] presented a technique to construct longer distinguishers for Feistel-FK structures, which is also applicable to the SIMON family. The 9-round distinguisher for SIMON-32 can be obtained by placing the 7-round one from the second round to the eighth round, and adding one round before and after the 7-round distinguisher, respectively. Since $(1, s)$ is a period of $g_3$, and , where $F$ is the round function of SIMON without the round key, which implies that the period does not contain any key information. Let where $k_1$ is the first round key of the 9-round reduced SIMON-32. Thus, $\lambda_0, \lambda_1 \in \mathbb{F}_2^n$ are two distinct and unknown constants with $\lambda_0 \oplus \lambda_1 = \alpha_0 \oplus \alpha_1 = \alpha$. We replace the $\alpha_b$ involved in the above 7-round distinguisher by $\lambda_b$. Furthermore, we define 3 are composed of a set of basis of V ⊥ 1,15 . As illustrated in Figure 5, $g'_3$ is a periodic function for the 9-round reduced SIMON-32, and

Distinguishers for other SIMON variants
Similarly, one can also construct longer distinguishers for other SIMON variants. The results are listed in Table 2, where $\Delta_I$ and $\Delta_O$ denote the input and output differences of the corresponding truncated differentials, respectively, and $R_1$ represents the round number of truncated differentials with probability 1.

Quantum Distinguishers of Cipher Structures
From previous sections, we can deduce that both Type-I and Type-II periodic functions contain a truncated differential with probability 1. This motivates us to study the round number that such truncated differentials can reach. Note that the periodic function for the 3-round Feistel structure holds for any bijective round functions, which is a structural property of the Feistel structure. Although one can find longer distinguishers when focusing on a particular Feistel block cipher, such as LBlock and SIMON, it is necessary to study the weakness of such cipher structures against quantum distinguishing attacks. Thus, in order to study the round number of truncated differentials with probability 1, we may ignore the details of non-linear components as in [SLR+15], where the authors presented the idea of structures to characterize ciphers' properties which are independent of the specific details of non-linear components.

The Unified Structure
In this section, we briefly revisit the structure theory [SLR+15] and the unified structure [LSL+22].
Definition 5 ([SLR+15]). Let $E : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a block cipher with bijective S-boxes as the basic non-linear components. A structure E E on $\mathbb{F}_2^n$ is defined as a set of block ciphers that are exactly the same as $E$ except that the S-boxes can take all possible bijective transformations on the corresponding domains.
Basically, a structure is a set of block ciphers that differ only in their non-linear components. When studying cryptographic properties, one only needs to focus on those holding for all instances within the structure, i.e., irrelevant to the particular details of non-linear components. In the following, when we state a specific property of a structure, it holds for all instances of this structure. In [LSL+22], the authors revisited the Feistel and Lai-Massey structures and presented a conversion between these two classical cipher structures. As a result, they presented a unified structure covering these two structures as well as most generalized Feistel structures. The unified structure is illustrated in Figure 6.
In a unified structure, the input is divided into $d$ branches and the width of each branch is $n$ bits. Each round is composed of four steps: the first step applies linear transformations to each input branch, which is denoted by $A_i$ for the $i$-th branch, where $A_i$ is an $m \times n$ matrix for $i = 1, 2, \ldots, d$; the second step first sums the output of the first step and then applies a permutation $f : \mathbb{F}_2^m \to \mathbb{F}_2^m$ to the sum; the third step applies a linear transformation $B_i$ to the output of $f$ and sums the output to the $i$-th branch, where $B_i$ is an $n \times m$ matrix for $i = 1, 2, \ldots, d$; the last step applies a branch permutation denoted by $\pi$ to all branches. In the following, we will denote an $r$-round unified structure by $F_{A,B,\pi}(f_1, \ldots, f_r)$, where $f_i$ is the $i$-th round function. Moreover, it has been proved in T which is a $dn \times m$ matrix. Since $\pi$ is a permutation on $d$ branches and each branch is of $n$ bits, we will interchangeably use $\pi$ as either a $d \times d$ matrix over $\mathbb{F}_2^n$ or a $dn \times dn$ matrix over $\mathbb{F}_2$ without causing ambiguity. Denote

Probability 1 Truncated Differentials
[LSL+22] has shown that $\mathrm{rank}(A_{d-1}) < nd$ always leads to the existence of a truncated differential with probability 1 for any rounds. In this section, we will illustrate that $\mathrm{rank}(B_{d-1}) < nd$ also leads to a truncated differential with probability 1.
Theorem 3. Given a unified structure $F_{A,B,\pi}(f_1, \ldots, f_r)$. If $\mathrm{rank}(B_{d-1}) < nd$, there always exists a truncated differential with probability 1 for any $r$.
Proof. Since $\mathrm{rank}(B_{d-1}) < nd$, there exists an $(nd - \mathrm{rank}(B_{d-1})) \times nd$ non-zero matrix $L$ of full row rank such that $L B_{d-1} = O$. Taking $\mathrm{ord}(\pi) = d$ into consideration, for any integer $i$, we have Let the input and output differences to $f_i$ be $\alpha_i$ and $\beta_i \in \mathbb{F}_2^n$, and $\Delta_i$ be the output difference of the $i$-th round, where $i = 1, 2, \ldots, r$. Then we have Therefore, Thus, for any input difference $\Delta_0$, $L$ annihilates the difference π r Bβ Consequently, $A_{d-1}$ and $B_{d-1}$ should have a rank of $nd$ to prevent an attacker from constructing probability 1 truncated differentials for arbitrary rounds. In Proposition 1, we present the exact round number for such differentials.
Proposition 1. Denote $F_{A,B,\pi}(f_1, \ldots, f_r)$ a unified structure with $d$ branches and each of size $n$ bits. Let $A_i$ and $B_i$ as denoted above with and $f_i$'s are bijective. Then, there always exists an $(r_1 + r_2)$-round probability 1 truncated differential, where $r_1$ is the minimal number such that $\mathrm{rank}(A_{r_1}) = nd$, and $r_2$ is the minimal number such that $\mathrm{rank}(B_{r_2}) = nd$.
Proof. According to the definition of $r_1$, the matrix $A_{r_1-1}$ is not of full column rank. Thus, there exists a non-zero vector $\Delta_0 \in \mathbb{F}_2^{nd}$ such that $A_{r_1-1}\Delta_0 = 0$. Let $\Delta_0$ be the input difference to $F_{A,B,\pi}(f_1, \ldots, f_r)$; it can be verified that the input difference to $f_1$ is $A\Delta_0 = 0$. Therefore, the output difference of the first round is $\Delta_1 = \pi\Delta_0$ and the input difference to $f_2$ is $A\pi\Delta_0$, which is also equal to zero. Similarly, it can be deduced that the input difference to the first $r_1$ round functions is zero, and the output difference of the first $r_1$ rounds is thus deterministically being Denote the output difference of $f_{r_1+i}$ by $\beta_{r_1+i}$ where $i = 1, \ldots, r_2$. Thus, the output difference of the $(r_1 + 1)$-th round is $\Delta_{r_1+1} = \pi(\pi^{r_1}\Delta_0 \oplus B\beta_{r_1+1})$. Moreover, the output difference of the (r (1) Thus, $M\pi^{-1}$ is a difference-annihilation matrix and it annihilates denote the unified structure derived from SM4, which means E SM4 is a set of block ciphers identical to SM4 except the round functions. The corresponding parameters are as follows.
where $O$ and $I$ denote the $32 \times 32$ zero and identity matrices over $\mathbb{F}_2$, respectively. Moreover, the branch permutation is Accordingly, we can get {η ∈ F 128 2 2 } with probability 1 and covering 6 rounds can be constructed for E SM4 , which can be obtained directly from Figure 7.

Bounding Probability 1 Truncated Differentials
Proposition 1 presents a lower bound for probability 1 truncated differentials that one can construct. Conversely, if the round number $r > r_1 + r_2$, it can be proved that, for any fixed input difference $\Delta_0$, one cannot find a truncated differential with probability 1 such that all instances of $F_{A,B,\pi}(f_1, \ldots, f_r)$ conform to it.
Proposition 2. Denote $F_{A,B,\pi}(f_1, \ldots, f_r)$ a unified structure with $d$ branches and each of size $n$ bits. Let $A_i$ and $B_i$ as denoted above with 2, . . ., d − 1) are invertible matrices, and $f_i$'s are bijective. Then, there does not exist an $r$-round probability 1 truncated differential when $r > r_1 + r_2$, where $r_1$ is the minimal number such that $\mathrm{rank}(A_{r_1}) = nd$, and $r_2$ is the minimal number such that $\mathrm{rank}(B_{r_2}) = nd$.
Proof. For any given non-zero input difference $\Delta_0$ to the structure, assume that the first $r'$ rounds have a zero difference to the round function. According to the proof of Proposition 1, it can be deduced that $r' \le r_1$. Denote the output difference of $f_{r'+i}$ by $\beta_{r'+i}$, then the input difference to the (r for $i = 1, 2, \ldots, r - r'$, and the input difference to $f_{r'+i}$ is When $i = 1$, $\alpha_{r'+1} = A\pi^{r'}\Delta_0 \neq 0$. Thus, $\beta_{r'+1}$ can take any non-zero difference. Since $\alpha_{r'+2} = A\pi^{r'+1}\Delta_0 \oplus A\pi B\beta_{r'+1}$, $\beta_{r'+2}$ can take any non-zero difference when $A\pi^{r'+1}\Delta_0 = 0$. Moreover, $\beta_{r'+2}$ can be zero if $A\pi^{r'+1}\Delta_0 \neq 0$ and $A\pi^{r'+1}\Delta_0 \oplus A\pi B\beta_{r'+1} = 0$. Similarly, Assume that there exists a matrix $M$ such that is a fixed constant. For any fixed $\beta_{r'+1}, \beta_{r'+2}, \ldots, \beta_{r-1}$, there are two possibilities for the input difference $\alpha_r$ to $f_r$. The first case is that $\alpha_r \neq 0$ and $\beta_r$ can take any non-zero difference. Since is fixed and equal to $M \cdot \pi B\beta_r$. It requires that $M \cdot \pi B = 0$. The other case is that $\alpha_r = 0$, and we can choose other values for $\beta_{r'+1}, \beta_{r'+2}, \ldots, \beta_{r-1}$ such that $\alpha_r \neq 0$. Therefore, it can be deduced that $M \cdot \pi B = O$. Thus, $M \cdot \pi B$ must be a zero matrix in either case. ) is of full row rank, and $M$ must be a zero matrix.
This subsection presents the upper bound on the round number of probability 1 truncated differentials for a unified structure. Thus, we have the following results.
Proposition 3. Denote $F_{A,B,\pi}(f_1, \ldots, f_r)$ a unified structure with $d$ branches and each of size $n$ bits. Let Assume that $A\pi^i B$'s ($i = 1, 2, \ldots, d - 1$) are invertible matrices, and $f_i$'s are bijective. Then, a Type-I periodic function covers at most $(r_1 + r_2)$ rounds for $F_{A,B,\pi}(f_1, \ldots, f_r)$, where $r_1$ is the minimal number such that $\mathrm{rank}(A_{r_1}) = nd$, and $r_2$ is the minimal number such that $\mathrm{rank}(B_{r_2}) = nd$.
It should be noted that Proposition 3 presents an upper bound for Type-I periodic functions for a unified structure.If one considers a specific instance within the structure, longer Type-I periodic functions may exist.

On the Extension of Probability 1 Truncated Differentials
A Type-I periodic function is constructed directly from a truncated differential with probability 1.However, a Type-II periodic function is constructed from a truncated differential by extending it backward for several rounds.To make the difference transition hold deterministically when extending backward, one has to restrict the input to a subset.This subsection further discusses the extension of probability 1 truncated differentials for unified structures.
Given a unified structure F A,B,π (f 1 , ..., f r ) with a truncated differential ∆ I → ∆ O of probability 1, we only consider the case that |∆ I | = 1, i.e., there is only a single input difference as this is the common case.Denote the difference in ∆ I by ∆, which is a fixed and known constant.Assume that we propagate ∆ backward for r rounds.And we denote the round index from −1 to −r when extending backward.Let x be the input to the structure.Let u −i and v −i denote the input and output of f −i for i = 1, 2, . . ., r.Then, To make differences propagate deterministically, the input u −i 's to the first r round functions should be constants.Note that v −i 's are the output of the round function, which are also constants.Thus, Aπ i x should be fixed constant for i = 0, 1, . . ., r − 1.Without loss of generality, we assume that A r−1 x = 0. and denote W the solution space of A r−1 x = 0. Thus, W ⊥ , which is the orthogonal complement of W , is the linear space spanned by the row vectors of A r−1 .
In this case, when we consider a pair of inputs with a given input difference, the output difference of the r-round encryption is an unknown constant, as the input to each round function is fixed which results in an unknown fixed round function output difference.Denote the input and output difference of f −i by α −i and β −i , the input difference of the (−i)-th round by ∆ −i .Then, It should be noted that ∆ is a fixed and known constant.β −i 's are fixed and unknown constants.According to Theorem 2, the projection of ∆ −r to W ⊥ should be a known constant.That is, should be a constant known to the attacker.This indicates that the extended round number is related to specific forms of Aπ i B. In the following, we discuss two commonly used generalized Feistel structures to illustrate the backward extension.
should be known constants. When $r = 1$, Equation (3) is equivalent to $AB\beta_1 = 0$, which is a fixed and known constant. Thus, one can always extend a probability 1 truncated differential for one round. However, when $r \ge 2$, Equation (3) involves some unknown constants $\beta_i$, and this prevents us from extending the distinguisher for more than one round.
Proposition 4. Denote by $F_{A,B,\pi}(f_1, \ldots, f_r)$ a unified structure with $d$ branches, each of size $n$ bits. Let Assume that $A\pi^i B = I$ for $i = 1, 2, \ldots, d-1$, and the $f_i$ are bijective. Then, there exists an $(r_1 + r_2 + 1)$-round quantum distinguisher for $F_{A,B,\pi}(f_1, \ldots, f_r)$, where $r_1$ is the minimal number such that $\mathrm{rank}(A_{r_1}) = nd$, and $r_2$ is the minimal number such that $\mathrm{rank}(B_{r_2}) = nd$.
For the second case, we can still make a similar analysis. However, this situation is a bit tricky here, and we focus on extending the input difference which is constructed as presented in Section 6. and the $f_i$ are bijective. Assume that $r_1 = d-1$ is the minimal number such that $\mathrm{rank}(A_{r_1}) = nd$ and $r_2$ is the minimal number such that $\mathrm{rank}(B_{r_2}) = nd$. Then, there exists a $(2r_1 + r_2)$-round quantum distinguisher for $F_{A,B,\pi}(f_1, \ldots, f_r)$.
Since Thus, the projection of $\Delta_{-r_1}$ to $W$ is indeed a known constant, and one can extend such a probability 1 truncated differential for $r_1 = d-1$ rounds.
It should be noted that Propositions 4 and 5 present a structural property of cipher structures, which holds for all instances within such a structure. In particular, the 7-round quantum distinguisher holds for all SM4 variants with a different permutation round function. However, one should realize that longer quantum distinguishers may exist if the round function details are considered.

Conclusion
In this paper, we established the links between quantum distinguishers and truncated differentials with probability 1 for the first time. This enables us to use classic truncated differential cryptanalysis techniques to analyze the quantum security of block ciphers. Moreover, a general approach to constructing quantum distinguishers from truncated differentials is proposed in this paper, which can serve as a generic quantum cryptanalysis vector applicable to any block cipher. Moreover, this technique releases us from the tedious manual work of verifying the periodic property of functions. As an illustration of our technique, we found better distinguishers for SIMON and LBlock.
On the other hand, we studied quantum resistance against unified structures. We established an upper bound on the length of probability 1 truncated differentials, which bounds the round number of quantum distinguishers constructed from Type-I periodic functions. Although longer quantum distinguishers may exist for a specific cipher, this upper bound reflects the structural property of the underlying cipher structure. It can help cipher designers evaluate their linear building blocks.
and $s$ is a period of $g$ for any $s \in \Delta_I$.

Remark 2. Denote by $l = |\Delta_O|$ the number of vectors in $\Delta_O$, and denote by $\tau_i$ ($i = 0, 1, \ldots, l-1$) the $i$-th vector of $\Delta_O$. Let $\widetilde{\Delta}_O = \{\tau_i \oplus \tau_0 \mid i = 1, 2, \ldots, l-1\}$. Algorithm 1 can return such an $M$ and the corresponding $\gamma$.

Algorithm 1: Evaluating the non-zero matrix $M$ for any set $\Delta_O \subseteq \mathbb{F}_2^n$
Input: the output set $\Delta_O$ of truncated differential;
Output: difference-annihilation matrix $M$, fixed constant $\gamma$;
    $\tau_0 \leftarrow$ the first vector of $\Delta_O$;
    Evaluate $\widetilde{\Delta}_O$ from $\Delta_O$ as in Remark 2;
    $v_0, \ldots, v_{r-1} \leftarrow$ maximal linearly independent system of $\widetilde{\Delta}_O$;
    if $r = n$ then
        return Nonexistence;
    end
    else
        Solve the linear equations $v_0 \cdot x = 0, \ldots, v_{r-1} \cdot x = 0$, and denote by $u_0, \ldots, u_{k-1}$ a basis of the solution space; // $r \oplus k = n$
        $M \leftarrow (u_0, \ldots, u_{k-1})^T$;
        $\gamma \leftarrow M\tau_0$;
        return $M, \gamma$;
    end

Definition 3. Let $E : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a block cipher, which has an $r$-round truncated differential $\Delta_I \to \Delta_O$ with probability 1. If there exists a difference-annihilation matrix $M$ of $\Delta_O$, we call the periodic function as constructed in Theorem 1 a Type-I periodic function of $E_r$, where $E_r$ is the $r$-round reduced version of $E$.

Example 1. The Feistel structure $E_{\mathrm{Feistel}}$:
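
Algorithm 1 reduces to linear algebra over $\mathbb{F}_2$: take the differences of $\Delta_O$ against its first vector, find their rank, and use a basis of the orthogonal solution space as the rows of $M$. The following Python is an added example, not code from the paper; it stores $n$-bit vectors as integers, and the function names and the sample set `DELTA_O` are constructed for illustration.

```python
# GF(2) linear algebra on n-bit vectors stored as Python ints (bit i = coordinate i).

def dot(a, b):
    """Inner product over GF(2)."""
    return bin(a & b).count("1") & 1

def rref(vectors):
    """Reduced echelon basis of span(vectors), as {pivot_bit: row}."""
    pivots = {}
    for v in vectors:
        for p, row in pivots.items():      # clear existing pivot positions in v
            if v >> p & 1:
                v ^= row
        if v:                              # v is independent of the rows so far
            p = v.bit_length() - 1
            for q in pivots:               # keep column p zero in all other rows
                if pivots[q] >> p & 1:
                    pivots[q] ^= v
            pivots[p] = v
    return pivots

def null_space(pivots, n):
    """Basis of {x : v.x = 0 for every row v}, one vector per free column."""
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        x = 1 << f
        for p, row in pivots.items():
            if row >> f & 1:
                x |= 1 << p
        basis.append(x)
    return basis

def annihilation_matrix(delta_O, n):
    """Algorithm 1: return (M, gamma), or None when no non-zero M exists."""
    tau0 = delta_O[0]
    diffs = [t ^ tau0 for t in delta_O[1:]]     # the difference set from Remark 2
    pivots = rref(diffs)                        # r = len(pivots)
    if len(pivots) == n:
        return None                             # "Nonexistence"
    M = null_space(pivots, n)                   # rows u_0, ..., u_{k-1} of M
    gamma = [dot(u, tau0) for u in M]           # gamma = M * tau_0
    return M, gamma

def apply(M, x):
    """Matrix-vector product M x over GF(2)."""
    return [dot(u, x) for u in M]

# Constructed sample: n = 8, high nibble of the output difference fixed to 0x5,
# low nibble unknown (all 16 values possible).
DELTA_O = [0x50 | a for a in range(16)]
```

For the sample set, `apply(M, t)` equals `gamma` for every `t` in `DELTA_O`, so $M$ maps the whole output set to one constant.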

Figure 2: An illustration of Type-II periodic functions.

Table 1: The Distinguishers of SIMON and LBlock.
$\mathrm{Perm}(n)$ or a random permutation $\Pi \in \mathrm{Perm}(n)$, where $\mathrm{Perm}(n)$ denotes the set of all permutations over $n$-bit strings, the goal is to distinguish these two cases. Suppose that the quantum oracles $U_O$ and $U_{O^{-1}}$ are given. Assume that a function $f_O : \mathbb{F}_2^l \to \mathbb{F}_2^m$ can be constructed by querying the oracles $U_O$ and $U_{O^{-1}}$, which satisfies that it is a periodic function when $O = E$, and it is not periodic with a high probability when $O$ is a random permutation. Instead of recovering a period for constructing distinguishers, Ito et al. [IHM+19] focused on the dimension of the vector space spanned by those vectors returned by applying Simon's algorithm to $f_O$. If $f_O$

Table 2: Quantum Distinguishers of the SIMON Family.
Note. It is not difficult to observe that the periodic functions used to construct quantum distinguishers for LBlock and SIMON have a few output bits. Specifically, the periodic functions for LBlock and SIMON-32/48/64/96/128 have output sizes of 4 and 2/1/2/2/2 bits, respectively. However, this feature does not affect the distinguishing properties. It has been proved in [MS22] that Simon's algorithm still works with a small (approximately doubled) overhead even if the output size of periodic functions is a single bit.
Case 1: $A\pi^i B = I$ for $i = 1, 2, \ldots, d-1$, where $d$ is the branch number. Note that the classical two-branch Feistel network, SM4-like, and MARS-like structures fall into this case.
Case 2: $A\pi B = I$ and $A\pi^i B = O$ for $i = 2, 3, \ldots, d-1$, where $d$ is the branch number. This case applies to the Type-1 generalized Feistel structure.
For the first case, Equation (2) indicates that