Paper 2013/713

Cryptanalysis of Zorro

Jian Guo, Ivica Nikolic, Thomas Peyrin, and Lei Wang


A new block cipher called Zorro was presented at CHES 2013. Although it uses only 4 S-boxes per round, the designers showed the resistance of the cipher against various attacks, and concluded the cipher has a large security margin. In this paper, we give a key recovery attack on the full cipher in the single-key model that works for $2^{64}$ out of $2^{128}$ keys. Our analysis is based precisely on the fact that the non-linear layer has only 4 S-boxes. We exploit this twice in a two-stage attack: first, we show that Zorro has an equivalent description that does not have constants in the rounds, and then, we launch an internal differential attack on the newly described cipher. With computer verifications we confirm the correctness of the analysis. Our attack is the first to use internal differentials for block ciphers, thus we adapt Daemen's attack on the Even-Mansour construction to the case of internal differentials (instead of differentials), which allows us to recover the full key. This work also provides insights on alternative descriptions of general Zorro-type ciphers (incomplete non-linear layers), the importance of well-chosen constants, and the advantages of Daemen's attack.

Secret-key cryptography
Publication info
Preprint. MINOR revision.
Zorro, cryptanalysis, block cipher, internal differentials
Contact author(s)
inikolic @ ntu edu sg
2013-11-03: received
Creative Commons Attribution


      author = {Jian Guo and Ivica Nikolic and Thomas Peyrin and Lei Wang},
      title = {Cryptanalysis of Zorro},
      howpublished = {Cryptology ePrint Archive, Paper 2013/713},
      year = {2013},
      note = {\url{}},
      url = {}