Cryptanalysis of Zorro

At CHES 2013 was presented a new block cipher called Zorro. Although it uses only 4 S-boxes per round, the designers showed the resistance of the cipher against various attacks, and concluded the cipher has a large security margin. In this paper, we give a key recovery attack on the full cipher in the single-key model that works for 2 out of 2 keys. Our analysis is based precisely on the fact that the non-linear layer has only 4 S-boxes. We exploit this twice in a two-stage attack: first, we show that Zorro has an equivalent description that does not have constants in the rounds, and then, we launch an internal differential attack on the newly described cipher. With computer verifications we confirm the correctness of the analysis. Our attack is the first to use internal differentials for block ciphers, thus we adapt Daemen’s attack on Even-Mansour construction to the case of internal differentials (instead of differentials), which allows us to recovery to full key. This work provides as well insights on alternative descriptions of general Zorro-type ciphers (incomplete non-linear layers), the importance of well chosen constants, and the advantages of Daemen’s attack.