International Association for Cryptologic Research


IACR News item: 29 March 2014

Achiya Bar-Or, Itai Dinur, Orr Dunkelman, Virginie Lallemand, María Naya-Plasencia, Boaz Tsaban
ePrint Report
Zorro is a 128-bit lightweight block cipher supporting 128-bit keys, presented at CHES 2013 by Gérard et al. One of the main design goals of the cipher was to allow efficient masking according to the Rivain and Prouff scheme, which led to a very unconventional design using partial non-linear layers. Despite the security claims of the designers, the cipher was recently broken by differential and linear attacks due to Wang et al., recovering its 128-bit key with complexity of about $2^{108}$. These attacks are based on high-probability iterative characteristics that are made possible by a special property of the linear layer of Zorro, which is shown to be devastating in combination with its partial non-linear layer.

In this paper, we analyze the security of Zorro-like ciphers with partial non-linear layers by devising differential and linear characteristic search algorithms and key recovery algorithms. These algorithms exploit in a generic way the small number of Sboxes in a Zorro-like round, and are independent of any specific property of its linear layer (such as the one exploited by Wang et al.), or its Sbox implementation. When applied to the Zorro block cipher itself, we were able to find the highest probability characteristics for the full cipher and devise significantly improved attacks. Our differential attack has a time complexity of about $2^{45}$, requiring about $2^{44}$ chosen plaintexts, and our linear attack has a time complexity of about $2^{45}$, requiring about $2^{45}$ known plaintexts.
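As an added illustration of the generic observation above (this is example code written for this page, not the authors' search algorithm and not Zorro's reference implementation): take a hypothetical Zorro-like round on a 4x4-byte state with S-boxes on the first row only and an AES-style ShiftRows/MixColumns linear layer, both of which are assumptions here. A zero input difference crosses any bijective S-box with probability 1, so the differences whose first row stays zero through r consecutive S-box layers form a GF(2)-linear subspace, cut out by 32 linear equations per layer. With 96 free bits that generically buys about three S-box layers for free, whatever the S-box is; if the stacked equations are not of full rank, the linear layer hands the attacker more. The script computes the actual dimensions by Gaussian elimination over GF(2), extracts one such difference and checks it by simulating the linear layer.

```python
"""Added example (not the paper's code, not Zorro's reference implementation):
how many consecutive S-box layers of a Zorro-like SP network a difference can
cross with probability 1, using only the linear layer and the S-box positions.

Assumptions (hypothetical Zorro-like round on a 4x4 byte state, AES layout,
byte i sits at row i % 4, column i // 4):
  * partial non-linear layer: S-boxes on row 0 only (bytes 0, 4, 8, 12),
  * linear layer: AES-style ShiftRows followed by MixColumns over GF(2^8).
"""

STATE_BITS = 128
ROW0_BITS = [8 * b + k for b in (0, 4, 8, 12) for k in range(8)]


def xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


def shift_rows(s):
    """Rotate row r left by r positions (AES ShiftRows)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """AES MixColumns applied to each of the four columns."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def linear_layer(s):
    """Differences propagate through this part deterministically (GF(2)-linear)."""
    return mix_columns(shift_rows(s))


def pack(s):
    return sum(b << (8 * i) for i, b in enumerate(s))


def unpack(x):
    return [(x >> (8 * i)) & 0xFF for i in range(16)]


def row0_is_zero(s):
    return all(s[i] == 0 for i in (0, 4, 8, 12))


def constraint_rows(layers):
    """GF(2) equations 'row 0 of L^i(delta) = 0' for i = 0 .. layers-1.

    Each row is a 128-bit int whose bit j is the coefficient of delta bit j;
    since L is GF(2)-linear, L^i(delta) is the XOR of L^i(e_j) over set bits j.
    """
    rows = []
    images = [1 << j for j in range(STATE_BITS)]          # L^0(e_j)
    for _ in range(layers):
        for k in ROW0_BITS:
            rows.append(sum(1 << j for j in range(STATE_BITS)
                            if (images[j] >> k) & 1))
        images = [pack(linear_layer(unpack(v))) for v in images]
    return rows


def gf2_rref(rows, ncols):
    """Reduced row echelon form over GF(2); returns (pivot columns, rows)."""
    rows = list(rows)
    pivots = []
    for col in range(ncols):
        r = len(pivots)
        sel = next((i for i in range(r, len(rows)) if (rows[i] >> col) & 1), None)
        if sel is None:
            continue
        rows[r], rows[sel] = rows[sel], rows[r]
        for i in range(len(rows)):
            if i != r and (rows[i] >> col) & 1:
                rows[i] ^= rows[r]
        pivots.append(col)
    return pivots, rows[:len(pivots)]


def gf2_kernel(rows, ncols):
    """Basis of {x : row . x = 0 for every row}, one vector per free column."""
    pivots, red = gf2_rref(rows, ncols)
    pivot_set = set(pivots)
    basis = []
    for free in range(ncols):
        if free in pivot_set:
            continue
        v = 1 << free
        for prow, pcol in zip(red, pivots):
            if (prow >> free) & 1:
                v |= 1 << pcol
        basis.append(v)
    return basis


def free_dim(layers):
    """log2 of the number of differences that pass `layers` S-box layers for free."""
    pivots, _ = gf2_rref(constraint_rows(layers), STATE_BITS)
    return STATE_BITS - len(pivots)


def free_difference(layers):
    """A nonzero difference passing `layers` S-box layers with probability 1, or None."""
    basis = gf2_kernel(constraint_rows(layers), STATE_BITS)
    return unpack(basis[0]) if basis else None


def passes_free(delta, layers):
    """Independent check by simulation: row 0 must be zero before every S-box layer."""
    s = list(delta)
    for _ in range(layers):
        if not row0_is_zero(s):
            return False
        s = linear_layer(s)
    return True


if __name__ == "__main__":
    for layers in range(1, 6):
        print(f"{layers} S-box layer(s) for free: 2^{free_dim(layers)} differences")
    delta = free_difference(3)
    print("example 3-layer difference:", bytes(delta).hex(), passes_free(delta, 3))
```

The dimensions printed for one and two layers (96 and 64) follow from the generic count alone; anything above 128 - 32r for the later layers is a property of the assumed linear layer rather than of the S-box, which is why a search of this kind does not depend on the S-box implementation.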

Independently of our results, the recently published paper by Rasoolzadeh et al. found similar iterative characteristics for Zorro by exploiting in a different way the devastating property of its linear layer, described by Wang et al. However, our improved key recovery techniques result in differential and linear attacks which are at least $2^{11}$ times faster. More significantly, the surprisingly large number of Zorro-like rounds analyzed by some of our generic techniques raises questions over the general design strategy of Zorro, namely, the use of partial non-linear layers.


Additional news items may be found on the IACR news page.