Institutional Repository
| Differential cryptanalysis and linear distinguisher of full-round Zorro | |
| Wang, Yanfeng (1); Wu, Wenling (1); Guo, Zhiyuan (1); Yu, Xiaoli (1) | |
| 2014 | |
| Conference Name | 12th International Conference on Applied Cryptography and Network Security, ACNS 2014 |
| Pages | 308-323 |
| Conference Date | June 10, 2014 - June 13, 2014 |
| Conference Place | Lausanne, Switzerland |
| Indexed Type | CPCI ; EI |
| Publish Place | Springer Verlag |
| ISSN | 3029743 |
| ISBN | 9783319075358 |
| Department | (1) Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, 100190, China; (2) State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, 100190, China; (3) Graduate University of Chinese Academy of Sciences, Beijing, 100049, China |
| English Abstract | Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2 105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough. © Springer International Publishing Switzerland 2014.; Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2 105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough. © Springer International Publishing Switzerland 2014. |
| Keyword | Zorro Block Cipher Differential Cryptanalysis Linear Distinguisher |
| Language | 英语 |
| Content Type | 会议论文 |
| URI | http://ir.iscas.ac.cn/handle/311060/16512 |
| Collection | 中国科学院软件研究所 |
| Recommended Citation GB/T 7714 | Wang, Yanfeng ,Wu, Wenling ,Guo, Zhiyuan ,et al. Differential cryptanalysis and linear distinguisher of full-round Zorro[C]. Springer Verlag,2014:308-323. |
| Files in This Item: | There are no files associated with this item. | |||||
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
Edit Comment