Issue Info:
  • Year: 2018
  • Volume: 10
  • Issue: 2
  • Pages: 93-105
Measures:
  • Citations: 0
  • Views: 533
  • Downloads: 166
Abstract: 

Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher, Deoxys-BC, which, in addition to the plaintext and key, takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256, which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round impossible differential (ID) characteristic using a miss-in-the-middle approach. We then present several attacks based upon the 4.5-round distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model; it has a slightly higher data complexity than the best previous result, obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity.

Issue Info:
  • Year: 2020
  • Volume: 16
  • Issue: 4 (42)
  • Pages: 17-26
Measures:
  • Citations: 0
  • Views: 537
  • Downloads: 0
Abstract: 

The impossible differential attack is a powerful tool for evaluating the security of block ciphers; it is based on finding a differential characteristic with probability exactly zero. The diffusion rate of a cipher's linear layer plays a fundamental role in the security of the algorithm against the impossible differential attack. In this paper, we show an efficient method, independent of the quality of the linear layer, that can find impossible differential characteristics of the Zorro block cipher. In other words, using the proposed method, we show that, independent of the linear layer and the other internal elements of the algorithm, it is possible to obtain an effective impossible differential characteristic for the 9-round Zorro algorithm. Also, based on the presented 9-round impossible differential characteristic, we provide a key recovery attack on the reduced 10-round Zorro algorithm. We propose a robust and different method to find impossible differential characteristics for the Zorro cipher, which is independent of the linear layer of the algorithm. The main observation behind this method is that the number of possible differences that may occur in the middle of the Zorro algorithm might be very limited. This is due to the different structure of Zorro. We show how this property can be used to construct impossible differential characteristics. Then, using the described method, we show that, independent of the features of the algorithm's elements, it is possible to obtain efficient 9-round impossible differential characteristics of the Zorro cipher. It is important to note that the best impossible differential characteristics of the AES encryption algorithm are only practicable for four rounds. So the best impossible differential characteristic of the Zorro cipher is far longer than the best characteristic of AES, even though both algorithms use the same linear layer.
Also, the analysis presented in this article, in contrast to previous analyses, can be applied to all ciphers with the same structure as Zorro, because our analysis is independent of the internal components of the algorithm. In particular, the method presented in this paper shows that similar impossible differential characteristics exist for all modified versions of Zorro. Zorro is a block cipher with a 128-bit block size and a 128-bit key size. Zorro consists of 6 different sections, each with 4 rounds (24 rounds in all). Zorro does not have any subkey generation algorithm; the main key is simply XORed into the state at the beginning of each section. The internal rounds of a section do not use the key. Similar to AES, the Zorro state can be represented by a 4 × 4 matrix, each of whose 16 entries is one byte. One round of Zorro consists of four functions, SB*, AC, SR, and MC, applied in that order. The SB* function is a nonlinear function applied only to the four bytes in the first row of the state matrix. Therefore, unlike AES, where the substitution box is applied to all bytes, the Zorro substitution box applies to only four bytes. The AC operator adds a round constant. Finally, the SR and MC transforms are applied to the state matrix; these are, respectively, the ShiftRows and MixColumns operations used in the AES standard. Since the analyses presented in this article are independent of the substitution properties, we do not use the S-box definition used by Zorro. Our proposed model uses the Zorro property that the number of possible differences after a limited number of rounds can be much less than the total number of possible differences. In this paper, we introduce features of Zorro that give an upper bound on the number of possible values of an intermediate difference.
We then present a model for finding Zorro impossible differential characteristics based on the limitations of the intermediate differences, using the miss-in-the-middle approach. Finally, we show that, based on the proposed method, it is possible to find an impossible differential characteristic for 9 rounds of algorithms with a Zorro-like structure, regardless of the linear layer's properties. Also, it is possible to apply the key recovery attack to 10 rounds of the algorithm. So, regardless of the features of the elements used, it can be shown that this number of rounds of such algorithms is not secure even when the linear layer is changed.

Issue Info:
  • Year: 2018
  • Volume: 10
  • Issue: 1
  • Pages: 3-13
Measures:
  • Citations: 0
  • Views: 284
  • Downloads: 207
Abstract: 

The impossible differential attack is a well-known means of examining the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed for low energy consumption. The Midori state size can be either 64 bits (Midori64) or 128 bits (Midori128); however, both versions have a key size of 128 bits. In this paper, we mainly study the security of Midori64. To this end, we use various techniques such as early abort, memory reallocation, miss-in-the-middle, and exploiting the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks on 10, 11, and 12 rounds of Midori64 with time complexities of 2^87.7, 2^90.63, and 2^90.51, respectively, to retrieve the master key.

Issue Info:
  • Year: 2016
  • Volume: 8
  • Issue: 1
  • Pages: 73-84
Measures:
  • Citations: 0
  • Views: 516
  • Downloads: 199
Abstract: 

Impossible differential cryptanalysis, an extension of differential cryptanalysis, is one of the most efficient attacks against block ciphers. This cryptanalysis method has been applied to most block ciphers and has shown significant results. Using structures, key schedule considerations, early abort, and pre-computation are some common methods to reduce the complexities of this attack. In this paper, we present a new method for decreasing the time complexity of impossible differential cryptanalysis by breaking down the target key space into subspaces, and extending the results on the subspaces to the main target key space. The main advantage of this method is that there is no need to consider the effects of changes in the values of independent key bits on each other. Using the 14-round impossible differential characteristic observed by Boura et al. at ASIACRYPT 2014, we apply this method to 23-round LBlock and demonstrate that it can reduce the time complexity of the previous attacks to 2^71.8 23-round encryptions using 2^59 chosen plaintexts and 2^73 blocks of memory.

Issue Info:
  • Year: 2017
  • Volume: 8
  • Issue: 3
  • Pages: 181-189
Measures:
  • Citations: 0
  • Views: 795
  • Downloads: 0
Abstract: 

One of the most important methods for checking the resistance of a block cipher against linear and differential analysis is counting the minimum number of active S-boxes. From this number, the proportion of minimum active S-boxes to all S-boxes used can be obtained. In the Feistel structure, XORing the left and right halves causes difference cancellation, which reduces this proportion. One method for reducing difference cancellation and improving this proportion was presented previously using multiple MDS matrices. However, that method is suitable for the design of 128-bit block ciphers and does not have good efficiency in 256-bit block ciphers. In this paper, the problem of finding proper multiple diffusion layers for the Switching Structure on large dimensions and large fields is first surveyed. Then, a search algorithm is presented and used to construct several categories of Recursive Diffusion Layers. Next, using these Recursive Diffusion Layers, a 256-bit block cipher is designed based on the Switching Structure. The security and efficiency of this scheme are verified, and it is concluded that the scheme is resistant to linear and differential attacks, including the impossible differential attack, and also has good efficiency compared to other 256-bit block cipher algorithms.

Author(s): DASTJANI FARAHANI MOHAMMAD REZA | MOHAJERI JAVAD | PAYANDEH ALI

Issue Info:
  • Year: 2014
  • Volume: 2
  • Issue: 1 (5)
  • Pages: 1-11
Measures:
  • Citations: 0
  • Views: 874
  • Downloads: 0
Abstract: 

The impossible differential attack is considered one of the most efficient attacks on block ciphers. The main idea of this attack is to find differences with zero probability in order to eliminate wrong keys and, as a result, find the right one. Because of its good diffusion in comparison with other Feistel algorithms, Piccolo has remained secure against differential attacks. In this paper, using some structural weaknesses of the algorithm, a differential attack is executed on 9 rounds of it. The time, data, and memory complexities of the attack are 2^66.4 9-round Piccolo-80 encryptions, 2^61 chosen plaintexts, and 2^57 bytes of memory, respectively.

Author(s): SOLEIMANY H. | MEHRDAD A.

Issue Info:
  • Year: 2019
  • Volume: 7
  • Issue: 2 (26)
  • Pages: 69-79
Measures:
  • Citations: 0
  • Views: 611
  • Downloads: 0
Abstract: 

The impossible differential attack is one of the strongest methods of cryptanalysis of block ciphers. In block ciphers based on an SPN (substitution permutation network), the only layer that resists the propagation of differences is the nonlinear layer. Obviously, paying attention to the features of the nonlinear layer is important for preventing statistical attacks such as the differential attack. Therefore, this layer's features regarding attack tolerance should be carefully investigated. The existence of such a nonlinear layer with the required features, applied across the entire length of the block, can lead to more resistance against differential attacks. Over the past few years, a new set of SPN-based block ciphers has been introduced in which the nonlinear layer is applied only to a particular part of the state. In this paper, a general framework for finding impossible differential characteristics in this new type of block cipher is presented. Contrary to the previous miss-in-the-middle methods used to find impossible differentials, the method presented in this article is independent of the linear layer of the algorithm and allows the attacker to systematically find effective impossible differentials even in cryptographic algorithms with highly complex linear layers. To demonstrate the efficiency of the proposed method, the family of LowMC ciphers, which use a bitwise linear layer, is examined, and based on this framework some impossible differential characteristics are proposed for some reduced versions of LowMC. These impossible differential characteristics can be easily applied in key-recovery attacks based on the framework presented in this paper. As an example, we show that based on the impossible differential characteristic obtained for 63 rounds of LowMC(128, 128, 2, 128), a key-recovery attack can be applied to 64 rounds of this algorithm.
In the proposed attack, the memory complexity is 2^89, the time complexity is 2^123.7, and the data complexity is 2^123.1 chosen plaintexts.

Issue Info:
  • Year: 2017
  • Volume: 5
  • Issue: 1 (17)
  • Pages: 1-8
Measures:
  • Citations: 0
  • Views: 775
  • Downloads: 0
Abstract: 

In June 2013, Beaulieu et al. from the U.S. National Security Agency proposed a family of block ciphers, SIMON. This family is classified as lightweight block ciphers and comes in a variety of block widths and key sizes. SIMON offers excellent performance on hardware and software platforms, with hardware performance being optimal. The main purpose of this paper is to improve the differential attacks proposed on this family of block ciphers. Drawing on new ideas and viewpoints about methods and key-guessing policies, we improve the differential attack on 22-round SIMON32, 23-round SIMON48, and 29-round SIMON64. This attack adds one round to the latest differential cryptanalysis presented before this paper's submission.

Issue Info:
  • Year: 2023
  • Volume: 12
  • Issue: 1
  • Pages: 66-91
Measures:
  • Citations: 0
  • Views: 50
  • Downloads: 1
Abstract: 

With the increasing and widespread application of deep learning and neural networks across various scientific domains and the notable successes achieved, deep neural networks were employed for differential cryptanalysis in 2019. This marked the start of growing interest in this research domain. While most existing works primarily focus on enhancing and deploying neural distinguishers, few studies have delved into the intrinsic principles and learned characteristics of these neural distinguishers. In this study, our focus is on analyzing block ciphers such as Speck, Simon, and Simeck using deep learning. We explore and compare the factors and components that contribute to better performance. Additionally, by detailing attacks and comparing results, we aim to address the question of whether neural networks and deep learning can effectively serve as tools for block cipher cryptanalysis.

Author(s): TAHERI M.A. | MOMENI H.

Issue Info:
  • Year: 2017
  • Volume: 5
  • Issue: 1 (17)
  • Pages: 37-45
Measures:
  • Citations: 0
  • Views: 838
  • Downloads: 0
Abstract: 

One of the most important areas of symmetric cryptography is block cipher algorithms, which have many applications in security mechanisms. Linear and differential cryptanalysis are the most important statistical attacks against block ciphers. Since most attacks against block cipher algorithms are based on these two types of cryptanalysis, encryption algorithm design methods are guided to resist them. This paper presents a new block cipher design method based on data-dependent keys that prevents linear and differential attacks. Based on the proposed method, an instance structure for block cipher algorithms is presented and evaluated. It is shown that the proposed structure resists linear and differential attacks even with a reduced number of rounds.
