Novel Impossible Differential Cryptanalysis of Zorro Block Cipher

Abstract:

Impossible differential attacks are a powerful tool for evaluating the security of block ciphers; they rely on finding a differential characteristic that holds with probability exactly zero. The diffusion rate of a cipher's linear layer plays a fundamental role in its security against impossible differential attacks. In this paper, we show an efficient method, independent of the quality of the linear layer, that finds impossible differential characteristics of the Zorro block cipher. In other words, using the proposed method we show that, independent of the linear layer and of the other internal elements of the algorithm, an effective impossible differential characteristic can be obtained for 9-round Zorro. Based on this 9-round impossible differential characteristic, we also give a key recovery attack on reduced 10-round Zorro. The method we propose for finding impossible differential characteristics of Zorro is robust and differs from earlier ones in that it is independent of the linear layer of the algorithm. The main observation behind it is that the number of possible differences that can occur in the middle of the Zorro algorithm may be very limited. This is due to the different structure of Zorro. We show how this property can be used to construct impossible differential characteristics. Then, using the described method, we show that, independent of the features of the algorithm's components, efficient 9-round impossible differential characteristics of Zorro can be obtained. It is important to note that the best impossible differential characteristics of the AES encryption algorithm are only practicable for four rounds. So the best impossible differential characteristic of Zorro covers far more rounds than the best characteristic of AES, although both algorithms use the same linear layer.
Also, the analysis presented in this article, in contrast to previous analyses, can be applied to all ciphers with the same structure as Zorro, because our analysis is independent of the internal components of the algorithm. In particular, the method presented in this paper shows that similar impossible differential characteristics exist for all modified versions of Zorro. Zorro is a block cipher with a 128-bit block size and a 128-bit key size. It consists of 6 sections, each of 4 rounds (24 rounds in all). Zorro has no key schedule: the master key is simply XORed into the state at the beginning of each section, and the inner rounds of a section do not use the key. As in AES, the Zorro state can be represented as a 4 × 4 matrix in which each of the 16 entries is one byte. One round of Zorro consists of four functions, SB*, AC, SR and MC, applied in that order. SB* is a nonlinear function applied only to the four bytes in the first row of the state matrix; thus, unlike AES, where the substitution box is applied to all bytes, the Zorro substitution box is applied to only four bytes. The AC operation adds a round constant. Finally, the SR and MC transforms applied to the state matrix are, respectively, the ShiftRows and MixColumns of the AES standard. Since the analyses presented in this article are independent of the properties of the substitution box, we do not use the S-box definition of Zorro. Our proposed model uses the Zorro property that the number of possible differences after a limited number of rounds can be much smaller than the total number of possible differences. In this paper, we introduce features of Zorro that provide an upper bound on the number of possible values of an intermediate difference.
We then present a model for finding impossible differential characteristics of Zorro, based on the limitations on the intermediate differences and using the miss-in-the-middle technique. Finally, we show that, based on the proposed method, an impossible differential characteristic can be found for 9 rounds of any algorithm with a Zorro-like structure, regardless of the properties of the linear layer, and that a key recovery attack can be applied to 10 rounds of the algorithm. So, regardless of the features of the components used, this number of rounds of such algorithms is not secure even if the linear layer is changed.
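The structural property the abstract builds on can be checked with a small model, added here as an illustration and not taken from the paper: since only the four first-row bytes pass through SB*, the difference after r rounds lies in an affine space spanned by the linear images of at most 4r unknown bytes, so it can take at most 2^(32r) of the 2^128 values whatever S-box is used. The AES ShiftRows/MixColumns are assumed as the linear layer below (the bound itself holds for any invertible linear layer); the S-box is never needed, and the random trail stands in for an arbitrary bijective S-box.

```python
# Added model of difference propagation through a Zorro-like round (not the
# paper's code).  Only the 4 first-row bytes pass SB*, so a round injects at
# most 4 unknown difference bytes; AC cancels in a difference; SR and MC are
# the AES linear maps.  After r rounds every reachable difference thus lies in
# an affine space of dimension <= 32r, whatever the S-box is.  State layout:
# s[4*c + r] is the byte in row r, column c (AES column-major).

import random
def xtime(b):                     # multiply by x in GF(2^8), AES polynomial
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1
def shift_rows(s):
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def mix_column(a):
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
def linear_layer(s):              # L = MC o SR on a 16-byte difference
    s = shift_rows(s)
    return sum((mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
def first_row_units():            # 32 unit vectors supported on row 0 only
    return [[1 << b if i == 4 * c else 0 for i in range(16)]
            for c in range(4) for b in range(8)]
def to_int(s):
    return int.from_bytes(bytes(s), "big")
def gf2_reduce(basis, v):         # reduce v against echelon basis {msb: vec}
    while v and (v.bit_length() - 1) in basis:
        v ^= basis[v.bit_length() - 1]
    return v
def reachable_space(d0, rounds):  # (offset, basis) of the affine space that
    offset, gens = list(d0), []   # holds every difference reachable from d0
    for _ in range(rounds):
        gens.extend(first_row_units())      # unknown SB* output bits
        offset = linear_layer(offset)
        gens = [linear_layer(g) for g in gens]
    basis = {}
    for g in gens:
        v = gf2_reduce(basis, to_int(g))
        if v:
            basis[v.bit_length() - 1] = v
    return to_int(offset), basis
def dimension(d0, rounds):        # log2 of the bound on reachable differences
    return len(reachable_space(d0, rounds)[1])
def contains(space, d):           # is the 16-byte difference d in the space?
    return gf2_reduce(space[1], to_int(d) ^ space[0]) == 0
def random_trail(d0, rounds, seed):  # one trail under an arbitrary bijective S-box
    rng, d = random.Random(seed), list(d0)
    for _ in range(rounds):       # active row-0 byte -> any nonzero output diff
        d = [rng.randrange(1, 256) if i % 4 == 0 and d[i] else d[i] for i in range(16)]
        d = linear_layer(d)
    return d
```

For a single active byte, `dimension` returns 32 after one round and 64 after two, against 128 bits of state; the paper's miss-in-the-middle argument then looks for a forward and a backward space that cannot meet.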


Similar resources

Impossible Differential Cryptanalysis for Block Cipher Structures

Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve a subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round fun...


Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher (Extended Version)

Impossible differential attack is a well-known mean to examine robustness of block ciphers. Using impossible differential cryptanalysis, we analyze security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both vers...


Unified Impossible Differential Cryptanalysis on Block Cipher Structures

In this paper, we propose a systematic search method for finding the impossible differential characteristic for block cipher structures, better than the U-method introduced by Kim et al. [6]. This method is referred to as unified impossible differential (UID) cryptanalysis. We give practical UID cryptanalysis on some popular block ciphers and give the detailed impossible differential characteristic...


Impossible Differential Cryptanalysis on Deoxys-BC-256

Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round...


Differential Cryptanalysis of SMS4 Block Cipher

SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Next, by these relationships, we clarify the minimum number of differentially active S-boxes in 6-, 7- and 12-rou...


Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis

This paper describes truncated and impossible differential cryptanalysis of the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differential cryptanalysis. As a result, we show a nontrivial 9-round byte characteristic, which may lead to a possible attack of reduced-round version of Camelli...


Journal title

Volume 16, issue 4, pages 17-26

Publication date: 2020-03


Keywords

No Keywords
