Issue Info:
  • Year: 2018
  • Volume: 10
  • Issue: 2
  • Pages: 93-105
Measures:
  • Citations: 0
  • Views: 535
  • Downloads: 172
Abstract: 

Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher, Deoxys-BC, which, in addition to the plaintext and key, takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256, the tweakable block cipher used internally by Deoxys. First, we find a 4.5-round impossible differential (ID) characteristic using a miss-in-the-middle approach. We then present several attacks based upon the 4.5-round distinguisher against round-reduced Deoxys-BC-256 in both the single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model; it has a slightly higher data complexity than the best previous result, obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires lower memory complexity with equal time complexity.

Issue Info:
  • Year: 2020
  • Volume: 16
  • Issue: 4 (42)
  • Pages: 17-26
Measures:
  • Citations: 0
  • Views: 538
  • Downloads: 0
Abstract: 

Impossible differential attack is a powerful tool for evaluating the security of block ciphers; it is based on finding a differential characteristic with probability exactly zero. The diffusion rate of a cipher's linear layer plays a fundamental role in its security against impossible differential attacks. In this paper, we show an efficient method, independent of the quality of the linear layer, that can find impossible differential characteristics of the Zorro block cipher. In other words, using the proposed method we show that, independent of the linear layer and the other internal elements of the algorithm, it is possible to obtain an effective impossible differential characteristic for the 9-round Zorro algorithm. Based on the presented 9-round impossible differential characteristic, we also provide a key recovery attack on reduced 10-round Zorro. The method we propose for finding impossible differential characteristics of Zorro is robust and different from previous ones, since it is independent of the algorithm's linear layer. The main observation behind this method is that the number of possible differences that may occur in the middle of the Zorro algorithm can be very limited. This is due to Zorro's unusual structure. We show how this property can be used to construct impossible differential characteristics. Then, using the described method, we show that, independent of the features of the algorithm's elements, it is possible to obtain efficient 9-round impossible differential characteristics of the Zorro cipher. It is important to note that the best impossible differential characteristics of the AES encryption algorithm cover only four rounds. So the best impossible differential characteristic of Zorro is far longer than the best characteristic of AES, even though both algorithms use the same linear layer.
Also, in contrast to previous analyses, the analysis presented in this article can be applied to all ciphers with the same structure as Zorro, because it is independent of the internal components of the algorithm. In particular, the method presented in this paper shows that similar impossible differential characteristics exist for all modified versions of Zorro. Zorro is a block cipher with a 128-bit block size and a 128-bit key size. It consists of 6 sections, each with 4 rounds (24 rounds in all). Zorro has no key schedule; the master key is simply XORed into the state at the beginning of each section, and the internal rounds of a section do not use the key. Similar to AES, the Zorro state can be represented as a 4 × 4 matrix in which each of the 16 entries is one byte. One round of Zorro consists of four functions, namely SB*, AC, SR, and MC, applied in that order. SB* is a nonlinear function applied only to the four bytes in the first row of the state matrix; thus, unlike AES, where the substitution box is applied to all bytes, Zorro's substitution box is applied to only four bytes. AC adds a round constant. Finally, SR and MC are the ShiftRows and MixColumns transformations of the AES standard, applied to the state matrix. Since the analyses presented in this article are independent of the substitution properties, we do not use the S-box definition of Zorro. Our proposed model relies on the property of Zorro that the number of possible differences after a limited number of rounds can be much smaller than the total number of possible differences. In this paper, we introduce features of Zorro that provide an upper bound on the number of possible values of an intermediate difference.
We then present a model for finding impossible differential characteristics of Zorro, based on the limitations on the intermediate differences and using the miss-in-the-middle technique. Finally, we show that, based on the proposed method, it is possible to find an impossible differential characteristic for 9 rounds of any algorithm with a Zorro-like structure, regardless of the linear layer properties, and to apply a key recovery attack on 10 rounds of the algorithm. So, regardless of the features of the elements used, this number of rounds of such an algorithm is not secure, even if the linear layer is changed.

Issue Info:
  • Year: 2018
  • Volume: 10
  • Issue: 1
  • Pages: 3-13
Measures:
  • Citations: 0
  • Views: 284
  • Downloads: 207
Abstract: 

Impossible differential attack is a well-known means of examining the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed for low energy consumption. The Midori state size can be either 64 bits (Midori64) or 128 bits (Midori128); however, both versions have a 128-bit key. In this paper, we mainly study the security of Midori64. To this end, we use various techniques such as early-abort, memory reallocation, miss-in-the-middle, and exploiting the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks on 10, 11, and 12 rounds of Midori64 with time complexity 2^87.7, 2^90.63, and 2^90.51, respectively, to retrieve the master key.

Issue Info:
  • Year: 2017
  • Volume: 5
  • Issue: 1 (17)
  • Pages: 1-8
Measures:
  • Citations: 0
  • Views: 776
  • Downloads: 0
Abstract: 

In June 2013, Beaulieu et al. from the U.S. National Security Agency proposed SIMON, a family of block ciphers. This family is classified as lightweight block ciphers and comes in a variety of block widths and key sizes. SIMON offers excellent performance on both hardware and software platforms, with hardware performance being optimal. The main purpose of this paper is to improve the differential attacks proposed on this family of block ciphers. Drawing on new ideas and viewpoints about methods and key-guessing policies, we improve the differential attack on 22-round SIMON32, 23-round SIMON48 and 29-round SIMON64. This attack adds one round to the latest differential cryptanalysis presented before this paper's submission.

Issue Info:
  • Year: 2016
  • Volume: 8
  • Issue: 1
  • Pages: 73-84
Measures:
  • Citations: 0
  • Views: 518
  • Downloads: 200
Abstract: 

Impossible differential cryptanalysis, an extension of differential cryptanalysis, is one of the most efficient attacks against block ciphers. This method has been applied to most block ciphers and has produced significant results. Using structures, key schedule considerations, early abort, and pre-computation are common methods of reducing the complexity of this attack. In this paper, we present a new method for decreasing the time complexity of impossible differential cryptanalysis by breaking the target key space down into subspaces and extending the results on the subspaces to the whole target key space. The main advantage of this method is that there is no need to consider the effects of changes in the values of independent key bits on each other. Using the 14-round impossible differential characteristic observed by Boura et al. at ASIACRYPT 2014, we apply this method to 23-round LBlock and demonstrate that it can reduce the time complexity of the previous attacks to 2^71.8 23-round encryptions using 2^59 chosen plaintexts and 2^73 blocks of memory.

Issue Info:
  • Year: 2017
  • Volume: 8
  • Issue: 3
  • Pages: 181-189
Measures:
  • Citations: 0
  • Views: 795
  • Downloads: 0
Abstract: 

One of the most important methods for checking the resistance of a block cipher against linear and differential analysis is counting the minimum number of active S-boxes. From this number, the ratio of minimum active S-boxes to all S-boxes used can be obtained. In the Feistel structure, XORing the left and right halves causes difference cancellation, which reduces this ratio. One previously presented method for reducing difference cancellation and improving this ratio uses multiple MDS matrices. However, this method is suitable for the design of 128-bit block ciphers and is not efficient for 256-bit block ciphers. In this paper, the problem of finding proper multiple diffusion layers for the Switching Structure in large dimensions and over large fields is first surveyed. Then a search algorithm is presented and used to construct several categories of Recursive Diffusion Layers. Next, using these Recursive Diffusion Layers, a 256-bit block cipher is designed based on the Switching Structure. We verify the security and efficiency of this scheme and conclude that it is resistant to linear and differential attacks as well as impossible differential attack, and that it also has good efficiency compared to other 256-bit block cipher algorithms.

Issue Info:
  • Year: 2023
  • Volume: 12
  • Issue: 1
  • Pages: 66-91
Measures:
  • Citations: 0
  • Views: 52
  • Downloads: 1
Abstract: 

With the increasing and widespread application of deep learning and neural networks across various scientific domains, and the notable successes achieved, deep neural networks were employed for differential cryptanalysis in 2019. This marked the start of growing interest in this research domain. While most existing works primarily focus on enhancing and deploying neural distinguishers, few studies have looked into the intrinsic principles and learned characteristics of these neural distinguishers. In this study, we focus on analyzing block ciphers such as Speck, Simon, and Simeck using deep learning. We explore and compare the factors and components that contribute to better performance. Additionally, by detailing attacks and comparing results, we aim to address the question of whether neural networks and deep learning can effectively serve as tools for block cipher cryptanalysis.

Author(s): 

TAHERI M.A. | MOMENI H.

Issue Info:
  • Year: 2017
  • Volume: 5
  • Issue: 1 (17)
  • Pages: 37-45
Measures:
  • Citations: 0
  • Views: 839
  • Downloads: 0
Abstract: 

Block cipher algorithms are one of the most important areas of symmetric cryptography and have many applications in security mechanisms. Linear and differential cryptanalysis are the most important statistical attacks against block ciphers. Since most attacks against block cipher algorithms are based on these two types of cryptanalysis, cipher design methods are guided towards resisting them. This paper presents a new block cipher design method based on data-dependent keys, which prevents linear and differential attacks. Based on the proposed method, an instance structure for block cipher algorithms is presented and evaluated. It is shown that the proposed structure resists linear and differential attacks even with a reduced number of rounds.

Issue Info:
  • Year: 2018
  • Volume: 6
  • Issue: 3 (23)
  • Pages: 59-64
Measures:
  • Citations: 0
  • Views: 605
  • Downloads: 0
Abstract: 

Hash functions play a very important role in network and telecommunication security. They are widely used in cryptographic applications such as digital signatures, random number generation algorithms, authentication protocols, and so on. Rotational cryptanalysis is a relatively new attack, belonging to the generic attacks on hash functions, and is effective on algorithms with an ARX structure. In this paper, for the first time, we apply rotational cryptanalysis, under a Markov chain assumption for the sequence of modular additions, to the Shabal and CubeHash algorithms, two second-round candidates of the SHA-3 competition that use the ARX property in their structure. Applying rotational cryptanalysis, we arrive at a complexity of 2^-3393.58 for the entire 16+3-round Shabal algorithm and a complexity of 2^-57.6 for the entire 16-round CubeHash algorithm. According to these results, due to its large number of modular additions, under the Markov chain assumption the Shabal algorithm exhibits greater resistance to rotational cryptanalysis than the CubeHash algorithm, and the attack is less likely to succeed against it.

Journal: 

ELECTRONIC INDUSTRIES

Issue Info:
  • Year: 2011
  • Volume: 2
  • Issue: 3 (7)
  • Pages: 77-92
Measures:
  • Citations: 0
  • Views: 1659
  • Downloads: 0
Abstract: 

In this paper we analyze the security of the SEAS protocol. The only security goal of this protocol is to authenticate the RFID tag to the RFID reader, and we show that the protocol does not satisfy this property. Hence, we do not recommend this protocol for use in any application. We present a tag impersonation attack against it; a tag impersonation attack is a forgery attack in which the reader authenticates the attacker as a legitimate tag. Our tag impersonation attack, which to the best of our knowledge is the first attack against the SEAS protocol, has success probability 1 and a complexity of only two runs of the protocol.
