Paper 2015/1189

Invariant Subspace Attack Against Full Midori64

Jian Guo, Jérémy Jean, Ivica Nikolić, Kexin Qiao, Yu Sasaki, and Siang Meng Sim


In this paper, we present an invariant subspace attack against block cipher Midori64 which has recently been proposed by Banik et al. at Asiacrypt 2015 to achieve low energy consumption. We show that when each nibble of the key has the value 0 or 1 and each nibble of the plaintext has the value 8 or 9, each nibble of the ciphertext also has the value 8 or 9 with probability one regardless of the number of rounds applied. This fact indicates that Midori64 has a class of $2^{32}$ weak keys that can be distinguished with a single query. It also indicates that the number of keys generated uniformly at random for Midori64 must not exceed $2^{96}$, i.e., the pseudorandom-permutation security of Midori64 is only up to 96 bits instead of 128 bits. Interestingly, given the information that the key is from the $2^{32}$ weak key subspace, key recovery can be performed within time complexity $2^{16}$ and data complexity $2^1$. We have confirmed the correctness of the analysis by implementing the attack. At the current stage, our attacks do not apply to Midori128.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Midoriblock cipherinvariant subspace attackS-boxround constantweak keypseudorandom-permutation
Contact author(s)
sasaki yu @ lab ntt co jp
2015-12-16: received
Short URL
Creative Commons Attribution


      author = {Jian Guo and Jérémy Jean and Ivica Nikolić and Kexin Qiao and Yu Sasaki and Siang Meng Sim},
      title = {Invariant Subspace Attack Against Full Midori64},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1189},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.