Differential cryptanalysis of PP-1 cipher

In this paper we present a differential attack on the block cipher PP-1 which was designed at Poznan University of Technology. Complexity of the attack is smaller than that of brute force attack for every version of the cipher (for every block length). The attack is possible is spite of the fact that the S-box exhibits optimal security against the differential cryptanalysis. The attack is based on the fact that the design of the cipher S-box and permutation were constructed independently. The permutation operates on individual bits, and in the XOR profile table of S-box 1 bit to 1 bit transitions are possible. It allows constructing a simple one-round differential characteristic which is "almost" iterative with the probability 1.5 · 2-6. By 9 times concatenation of the characteristic and its relaxation in the last round we obtained a 10-round characteristic with the probability 2-48.7. Using this characteristic with 1R attack makes differential cryptanalysis of full 11-round cipher with complexity smaller than exhaustive search possible. By carefully exploiting similar characteristics it is possible to find analogous attacks on different versions of cipher PP-1, with higher a larger of rounds.