Paper 2014/220

Total Break of Zorro using Linear and Differential Attacks

Shahram Rasoolzadeh, Zahra Ahmadian, Mahmoud Salmasizadeh, and Mohammad Reza Aref

Abstract

An AES-like lightweight block cipher, namely Zorro, was proposed in CHES 2013. While it has a 16-byte state, it uses only 4 S-Boxes per round. This weak nonlinearity was widely criticized, insofar as it has been directly exploited in all the attacks on Zorro reported by now, including the weak key, reduced round, and even full round attacks. In this paper, using some properties discovered by Wang et al., we present new differential and linear attacks on Zorro, both of which recover the full secret key with practical complexities. These attacks are based on very efficient distinguishers that have only two active S-Boxes per four rounds. The time complexity of our differential and linear attacks are $2^{56.76}$ and $2^{45.50}$ and the data complexity are $2^{56.73}$ chosen plaintexts and $2^{45.44}$ known plaintexts, respectively. The results clearly show that the block cipher Zorro does not have enough security against differential and linear attacks.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. The ISC International Journal of Information Security
Keywords
ZorroDifferential AttackLinear AttackLightweight Block Cipher
Contact author(s)
rasoolzadeh shahram @ gmail com
History
2016-08-11: last of 5 revisions
2014-03-27: received
See all versions
Short URL
https://ia.cr/2014/220
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/220,
      author = {Shahram Rasoolzadeh and Zahra Ahmadian and Mahmoud Salmasizadeh and Mohammad Reza Aref},
      title = {Total Break of Zorro using Linear and Differential Attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/220},
      year = {2014},
      url = {https://eprint.iacr.org/2014/220}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.