Large-state cryptographic S-boxes can provide better obfuscation for symmetric encryption algorithms， but the costs for evaluating their properties are very expensive. To efficiently evaluate the differential properties of large-state cryptographic S-boxes， a GPU-based method for evaluating the differential properties of large-state cryptographic S-boxes was proposed. According to the existing differential uniformity calculation method， the GPU parallel schemes were designed for evaluating differential uniformity of 16-bit S-boxes and differential properties of 32-bit S-boxes respectively. The execution efficiencies of kernel functions and GPU were improved by the schemes， and the time costs were reduced by optimizing GPU parallel granularity and load balancing. The test results show that， compared with CPU methods and GPU parallel methods， the time costs of the proposed schemes for evaluating the differential properties of large-state cryptographic S-boxes are greatly reduced. The time for computing the differential uniformity of 16-bit S-box is 0.3 min； for a single input differential of 32-bit S-box， the time for computing the maximum output differential probability is about 5 min， and the time for evaluating the differential properties is about 2.6 h.

The Boolean SATisfiability problem （SAT）-based automated search methods can directly describe logical operations such as AND， OR， NOT， XOR， and establish more efficient search models. In order to efficiently evaluate the ability of GRANULE cipher to resist impossible differential attacks， firstly， the SAT model described by the S-box differential property was optimized based on the S-box differential distribution table property. Then， the SAT model of bit-oriented impossible differential distinguisher was established for GRANULE cipher， and multiple 10-round impossible differential distinguishers of GRANULE cipher were obtained by solving the SAT model. Furthermore， an improved SAT automated verification method was given， by which the impossible differential distinguishers were verified. Finally， 16-round impossible differential attack was performed on GRANULE-64/80 cipher， where the impossible differential distinguisher was further extended forward 3-round and backward 3-round respectively. As a result， 80-bit master key was recovered with the time complexity of 2^51.8 16-round encryptions and the data complexity of 2^41.8 chosen-plaintexts. Compared with the suboptimal results for impossible differential cryptanalysis of the GRANULE cipher， the number of distinguisher rounds and key recovery attack rounds obtained are improved by 3 rounds， and the time complexity and data complexity are further reduced.