Paper 2015/1189
Invariant Subspace Attack Against Full Midori64
Jian Guo, Jérémy Jean, Ivica Nikolić, Kexin Qiao, Yu Sasaki, and Siang Meng Sim
Abstract
In this paper, we present an invariant subspace attack against block cipher Midori64 which has recently been proposed by Banik et al. at Asiacrypt 2015 to achieve low energy consumption. We show that when each nibble of the key has the value 0 or 1 and each nibble of the plaintext has the value 8 or 9, each nibble of the ciphertext also has the value 8 or 9 with probability one regardless of the number of rounds applied. This fact indicates that Midori64 has a class of $2^{32}$ weak keys that can be distinguished with a single query. It also indicates that the number of keys generated uniformly at random for Midori64 must not exceed $2^{96}$, i.e., the pseudorandom-permutation security of Midori64 is only up to 96 bits instead of 128 bits. Interestingly, given the information that the key is from the $2^{32}$ weak key subspace, key recovery can be performed within time complexity $2^{16}$ and data complexity $2^1$. We have confirmed the correctness of the analysis by implementing the attack. At the current stage, our attacks do not apply to Midori128.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Midoriblock cipherinvariant subspace attackS-boxround constantweak keypseudorandom-permutation
- Contact author(s)
- sasaki yu @ lab ntt co jp
- History
- 2015-12-16: received
- Short URL
- https://ia.cr/2015/1189
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2015/1189,
author = {Jian Guo and Jérémy Jean and Ivica Nikolić and Kexin Qiao and Yu Sasaki and Siang Meng Sim},
title = {Invariant Subspace Attack Against Full Midori64},
howpublished = {Cryptology {ePrint} Archive, Paper 2015/1189},
year = {2015},
url = {https://eprint.iacr.org/2015/1189}
}
