Impossible Differential Cryptanalysis of Zodiac

Deukjo Hong¹, Jaechul Sung¹, Shiho Moriai², Sangjin Lee¹, and Jongin Lim¹⋆

¹ Center for Information Security Technologies (CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea
{hongdj, sjames, sangjin, jilim}@cist.korea.ac.kr
² NTT Laboratories, 1-1 Hikarinooka, Yokosuka, 239-0847 Japan
shiho@isl.ntt.co.jp

Abstract. We discuss the impossible differential cryptanalysis of the block cipher Zodiac [7]. The main design principles of Zodiac are simplicity and efficiency. However the diffusion layer in its round function is too simple to offer enough security. An impossible differential cryptanalysis is a proper method to attack the weakness of Zodiac. Our attack using two 14-round impossible characteristics derives 128-bit master key of the full 16-round Zodiac with its complexity $2^{119}$ encryption times faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.

1 Introduction

Differential cryptanalysis which was proposed by E. Biham and A. Shamir [3] is the most powerful attack for block ciphers. Later, it was regarded as a very useful method in attacking the known block ciphers – FEAL [10], LOKI [4], and so on. For these reasons, block ciphers have been designed to consider the differential cryptanalysis since the middle of 1990's. Differential cryptanalysis has also been advanced variously – Conditional Differential Cryptanalysis [1, 9], Truncated Differential Cryptanalysis [5], Impossible Differential Cryptanalysis [2], Higher Order Differential Cryptanalysis [5, 6, 8], Boomerang attack [11], and so on.

The conventional differential cryptanalysis finds a key using the differential characteristic with a high probability. The attacker chooses ciphertext pairs with a specific difference of plaintexts, discards wrong pairs by filtering, and then finds a key by applying the counting methods to the remaining pairs.
If a filtering method is efficient, the signal to noise ratio is greater than 1. However, the case that the signal to noise ratio is far less than 1 is also useful. Especially, the differential characteristic whose probability is zero is efficiently applied to attack block ciphers. This attack is called the impossible differential cryptanalysis.

⋆ This work is supported in part by the Ministry of Information & Communication of Korea ("Support Project of University Information Technology Research Center" supervised by IITA)

M. Matsui (Ed.): FSE 2001, LNCS 2355, pp. 300–311, 2002. © Springer-Verlag Berlin Heidelberg 2002
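
The zero-probability sieve described in the introduction, as an added example that is not from the paper: a constructed 6-round toy Feistel cipher (not Zodiac) whose first five rounds have the impossible differential (α, 0) → (0, α), used to discard wrong guesses of the last round key. The S-box, round keys and function names are assumptions made for illustration.

```python
import random

# Constructed toy cipher (NOT Zodiac): 16-bit Feistel, 8-bit halves, bijective F.
SBOX = list(range(256))
random.Random(2001).shuffle(SBOX)  # any 8-bit permutation works here

def encrypt(block, keys):
    """One Feistel round per key: (L, R) -> (R, L ^ SBOX[R ^ k])."""
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ SBOX[right ^ k]
    return (left << 8) | right

def count_hits(keys5, alpha):
    """Count plaintexts whose pair with input difference (alpha, 0) reaches
    output difference (0, alpha) after 5 rounds. Because F is a bijection the
    forward and backward trails contradict each other at round 3, so this is 0."""
    return sum(
        (encrypt(p, keys5) ^ encrypt(p ^ (alpha << 8), keys5)) == alpha
        for p in range(1 << 16)
    )

def sieve_last_key(keys6, alphas):
    """Chosen-plaintext sieve on 6 rounds: every guess of the round-6 key that
    makes a filtered pair follow the impossible differential is discarded."""
    table = [encrypt(p, keys6) for p in range(1 << 16)]  # encryption oracle
    alive = set(range(256))
    for alpha in alphas:
        for p in range(1 << 16):
            q = p ^ (alpha << 8)
            if p > q:
                continue  # visit each unordered pair once
            diff = table[p] ^ table[q]
            if (diff >> 8) != alpha:
                continue  # filter: delta L6 equals delta R5, which must be alpha
            la, lb, dr6 = table[p] >> 8, table[q] >> 8, diff & 0xFF
            # Under guess k, delta L5 = dr6 ^ F(la ^ k) ^ F(lb ^ k); 0 is impossible.
            alive -= {k for k in alive if (SBOX[la ^ k] ^ SBOX[lb ^ k]) == dr6}
    return sorted(alive)

ROUND_KEYS = [0x3A, 0xC5, 0x11, 0x9E, 0x64, 0xB7]  # constructed sample keys

if __name__ == "__main__":
    print("5-round hits:", count_hits(ROUND_KEYS[:5], 0x01))
    print("surviving round-6 keys:", sieve_last_key(ROUND_KEYS, range(1, 41)))
```

The correct key can never be discarded, since no right pair follows a probability-zero differential; wrong guesses are removed only as enough filtered pairs accumulate, which is why the sieve uses many input differences.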