Paper 2013/775

Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro

Yanfeng Wang, Wenling Wu, Zhiyuan Guo, and Xiaoli Yu

Abstract

Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for $$ out of $$ keys. In this paper, the secret key selected randomly from the whole key space can be recovered with a time complexity of $$ full-round Zorro encryptions and a data complexity of $$ chosen plaintexts. We first observe that the fourth power of the MDS matrix used in Zorro equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give a key recovery attack on Zorro and a linear trail with the largest correlation to show a a linear distinguishing attack with $$ known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the block cipher Zorro is far from a random permutation.