International Association
for Cryptologic Research

An AES-like lightweight block cipher, namely Zorro, was proposed in CHES 2013. While it has a 16-byte state, it uses only 4 S-Box per round. Its weak nonlinearity was widely criticized and caused serious vulnerabilities, insofar as it has been directly exploited in all the attacks reported by now, including the weak key, reduced round, and even full round attacks.

In this paper, based on some observations discovered by Wang et. al., we present new differential and linear attacks on Zorro, both of which recover the full secret key with practical complexity. These attacks are based on very efficient distinguishers that have only two active sboxes per four rounds. The time complexity of our differential and linear attacks are $2^{52.74}$ and $2^{57.85}$ and the data complexity are $2^{55.15}$ chosen plaintexts and $2^{45.44}$ known plaintexts, respectively. The results clearly show that the block cipher Zorro does not have enough security against differential and linear cryptanalysis.