Differential and Linear Analyses of DIZY Through MILP Modeling

Abstract

In this work, we present the first independent security analysis of DIZY, a recently proposed ultra-lightweight stream cipher with two variants: DIZY-80 and DIZY-128. Our analysis focuses on DIZY’s resistance to linear and differential cryptanalysis. We employ a formal technique known as Mixed Integer Linear Programming (MILP), which enables us to model the internal structure of DIZY and search for characteristics that describe how XOR differences or linear masks propagate through the cipher. Specifically, we construct such characteristics to evaluate how many S-boxes become “active” during keystream generation, as this number directly affects the cipher’s resistance to these attacks. Contrary to the designers’ claim that any linear or differential characteristic over 8 rounds must involve at least 20 active S-boxes in DIZY-80 and 22 in DIZY-128, we identify characteristics with only 18 differentially or linearly active S-boxes and 20 linearly active S-boxes, respectively. We mount two distinguishing attacks on each cipher. Our 3-round linear distinguishing attack requires 223 bits of keystream, while the 4-round version requires 235 bits for DIZY-128 and DIZY-80, respectively. Our 2-round differential resynchronization attacks succeed using only the first four bytes of keystream data from approximately 230 and 226 different initializations with chosen initialization vectors (IVs) for DIZY-128 and DIZY-80, respectively. While these attacks do not compromise the full 15-round version of the cipher, they provide valuable insights into the design of DIZY and contribute to a deeper understanding of the security requirements of its diffusion layer. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.