Institutional Repository
| Differential cryptanalysis and linear distinguisher of full-round Zorro | |
| Wang, Yanfeng (1); Wu, Wenling (1); Guo, Zhiyuan (1); Yu, Xiaoli (1) | |
| 2014 | |
| 会议名称 | 12th International Conference on Applied Cryptography and Network Security, ACNS 2014 |
| 页码 | 308-323 |
| 会议日期 | June 10, 2014 - June 13, 2014 |
| 会议地点 | Lausanne, Switzerland |
| 收录类别 | CPCI ; EI |
| 出版地 | Springer Verlag |
| ISSN | 3029743 |
| ISBN | 9783319075358 |
| 部门归属 | (1) Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, 100190, China; (2) State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, 100190, China; (3) Graduate University of Chinese Academy of Sciences, Beijing, 100049, China |
| 摘要 | Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2 105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough. © Springer International Publishing Switzerland 2014.; Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2 105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough. © Springer International Publishing Switzerland 2014. |
| 关键词 | Zorro Block Cipher Differential Cryptanalysis Linear Distinguisher |
| 语种 | 英语 |
| 内容类型 | 会议论文 |
| URI标识 | http://ir.iscas.ac.cn/handle/311060/16512 |
| 专题 | 中国科学院软件研究所 |
| 推荐引用方式 GB/T 7714 | Wang, Yanfeng ,Wu, Wenling ,Guo, Zhiyuan ,et al. Differential cryptanalysis and linear distinguisher of full-round Zorro[C]. Springer Verlag,2014:308-323. |
| 条目包含的文件 | 条目无相关文件。 | |||||
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论