Search for differences for Alzette S-Box with maximum or close to maximum differential characteristic probability

In this paper, we describe a “differential meet-in-the-middle” method for obtaining differences for $64$-bit ARX permutation Alzette with maximum or close to maximum differential characteristic probability (DCP). The method is based on testing the high-probability differences in the middle rounds of Alzette and extending them to the previous and following rounds. Using this method, we obtain $7$ differences for $4$-rounds Alzette with DCP $2^{-6}$, $1$ difference for $5$-rounds Alzette with DCP $2^{-10}$, and $1$ difference for $6$-rounds Alzette with DCP $2^{-18}$. Same differences for $4$ and $5$ rounds were obtained by the developers of Alzette as the differences with maximum DCP, but our method has lower complexity: taking the calculation of probability for a round difference as a single operation, it's $36$ operations ($4$ rounds), $135$ operations ($5$ rounds) and $486$ operations ($6$ rounds) for our method and more than $1.29\cdot 10^8$ operations ($4$ rounds), $2\cdot 1.29\cdot 10^8$ operations ($5$ rounds) and $1.03\cdot 10^{14}$ operations ($6$ rounds) for Alzette developers’ method. Also, we obtain $6$ differences for $7$-rounds Alzette with DCP $2^{-27}$ and $11$ differences for $8$-rounds Alzette with DCP $2^{-35}$ with complexity $\le 5\cdot 10^{13}$ operations for both cases. For these number of rounds by the developers of Alzette were obtained only the higher bounds for maximum DCP: $2^{-24}$ ($7$ rounds) and $2^{-32}$ ($8$ rounds). Our estimations of Alzette developers’ method complexity is $\ge2.97\cdot 10^{16}$ operations for $7$-rounds Alzette and $\ge2.97\cdot 10^{16} + 4.75\cdot 10^{12}$ operations for $8$-rounds Alzette.