Cryptology ePrint Archive: Report 2016/973

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Jian Guo and Jérémy Jean and Ivica Nikolić and Kexin Qiao and Yu Sasaki and Siang Meng Sim

Abstract: We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^{32} weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^{16} time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.

Category / Keywords: secret-key cryptography / Midori, Block Cipher, Invariant Subspace Attack, Weak Key

Original Publication (with minor differences): IACR-FSE-2017

Date: received 7 Oct 2016

Contact author: ssim011 at e ntu edu sg

Available format(s): PDF | BibTeX Citation

Version: 20161012:200537 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]