Paper 2016/973

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Jian Guo, Jérémy Jean, Ivica Nikolić, Kexin Qiao, Yu Sasaki, and Siang Meng Sim

Abstract

We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^{32} weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^{16} time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of the round constants make Midori64 more resistant to the attacks, but others lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.

Metadata
Available format(s): PDF
Category: Secret-key cryptography
Publication info: A minor revision of an IACR publication in FSE 2017
Keywords: Midori, Block Cipher, Invariant Subspace Attack, Weak Key
Contact author(s): ssim011@e.ntu.edu.sg
History: 2016-10-12: received
Short URL: https://ia.cr/2016/973
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2016/973,
      author = {Jian Guo and Jérémy Jean and Ivica Nikolić and Kexin Qiao and Yu Sasaki and Siang Meng Sim},
      title = {Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/973},
      year = {2016},
      url = {https://eprint.iacr.org/2016/973}
}