IACR News item: 29 March 2014
Achiya Bar-Or, Itai Dinur, Orr Dunkelman, Virginie Lallemand, Mar\\\'{\\i}a Naya-Plasencia, Boaz Tsaban
ePrint ReportIn this paper, we analyze the security of Zorro-like ciphers with partial non-linear layers by devising differential and linear characteristic search algorithms and key recovery algorithms. These algorithms exploit in a generic way the small number of Sboxes in a Zorro-like round, and are independent of any specific property of its linear layer (such as the one exploited by Wang et al.), or its Sbox implementation. When applied to the Zorro block cipher itself, we were able to find \\emph{the highest} probability characteristics for the full cipher and devise significantly improved attacks. Our differential attack has a time complexity of about $2^{45}$, requiring about $2^{44}$ chosen plaintexts, and our linear attack has a time complexity of about $2^{45}$, requiring about $2^{45}$ known plaintexts.
Independently of our results, the recently published paper by Rasoolzadeh et al. found similar iterative characteristics for Zorro by exploiting in a different way the devastating property of its linear layer, described by Wang et al. However, our improved key recovery techniques result in differential and linear attacks which are at least $2^{11}$ times faster. More significantly, the surprisingly large number of Zorro-like rounds analyzed by some of our generic techniques raises questions over the general design strategy of Zorro, namely, the use of partial non-linear layers.
Additional news items may be found on the IACR news page.