Total break of Zorro using linear and differential attacks

Document Type: ORIGINAL RESEARCH PAPER

Abstract

An AES-like lightweight block cipher, namely Zorro, was proposed at CHES 2013. While it has a 16-byte state, it uses only 4 S-Boxes per round. This weak nonlinearity was widely criticized, insofar as it has been directly exploited in all the attacks on Zorro reported so far, including the weak-key, reduced-round, and even full-round attacks. In this paper, using some properties discovered by Wang et al., we present new differential and linear attacks on Zorro, both of which recover the full secret key with practical complexities. These attacks are based on very efficient distinguishers that have only two active S-Boxes per four rounds. The time complexities of our differential and linear attacks are 2^55.40 and 2^45.44, and the data complexities are 2^55.15 chosen plaintexts and 2^45.44 known plaintexts, respectively. The results clearly show that the block cipher Zorro does not have enough security against differential and linear attacks.


[1] Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosystems. In Alfred J. Menezes and Scott A. Vanstone, editors, Advances in Cryptology-CRYPTO 1990, volume 537 of Lecture Notes in Computer Science, pages 2-21. Springer Berlin Heidelberg, 1991.

[2] Mitsuru Matsui. Linear cryptanalysis method for DES cipher. In Tor Helleseth, editor, Advances in Cryptology-EUROCRYPT 1993, volume 765 of Lecture Notes in Computer Science, pages 386-397. Springer Berlin Heidelberg, 1994.

[3] Howard M. Heys. A Tutorial on Linear and Differential Cryptanalysis. Technical Report CORR 2001-17, Centre for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Mar. 2001.

[4] Benoit Gerard, Vincent Grosso, Maria Naya-Plasencia, and Francois-Xavier Standaert. Block ciphers that are easier to mask: How far can we go? In Guido Bertoni and Jean-Sébastien Coron, editors, Cryptographic Hardware and Embedded Systems (CHES) 2013, volume 8086 of Lecture Notes in Computer Science, pages 383-399. Springer Berlin Heidelberg, 2013.

[5] Jian Guo, Thomas Peyrin, Axel Poschmann, and Matt Robshaw. The LED block cipher. In Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems-CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 326-341. Springer Berlin Heidelberg, 2011.

[6] Jian Guo, Ivica Nikolic, Thomas Peyrin, and Lei Wang. Cryptanalysis of Zorro. Cryptology ePrint Archive, Report 2013/713, 2013. http://eprint.iacr.org/

[7] Yanfeng Wang, Wenling Wu, Zhiyuan Guo, and Xiaoli Yu. Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro. Cryptology ePrint Archive, Report 2013/713, 2013. http://eprint.iacr.org/

[8] Hadi Soleimany. Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro. In the proceedings of the 21st International Workshop on Fast Software Encryption.

[9] Achiya Bar-On, Itai Dinur, Orr Dunkelman, Nathan Keller, Virginie Lallemand, Maria Naya-Plasencia, Boaz Tsaban, and Adi Shamir. New Results on Zorro. In the rump session of the 21st International Workshop on Fast Software Encryption. http://fse.2014.rump.cr.yp.to/

[10] Achiya Bar-On, Itai Dinur, Orr Dunkelman, Virginie Lallemand, and Boaz Tsaban. Improved Analysis of Zorro-Like Ciphers. Cryptology ePrint Archive, Report 2014/228, 2014. http://eprint.iacr.org/

[11] Joan Daemen and Vincent Rijmen. The Design of Rijndael. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2002.