Cryptology ePrint Archive: Report 2016/732

Nonlinear Invariant Attack --Practical Attack on Full SCREAM, iSCREAM, and Midori64

Yosuke Todo and Gregor Leander and Yu Sasaki

Abstract: In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.

Category / Keywords: secret-key cryptography / Nonlinear invariant attack, Boolean function, SCREAM, iSCREAM, Midori64, CAESAR competition

Original Publication (with minor differences): IACR-ASIACRYPT-2016

Date: received 25 Jul 2016, last revised 26 Sep 2016

Contact author: todo yosuke at lab ntt co jp

Available format(s): PDF | BibTeX Citation

Version: 20160926:103136 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]