Paper 2016/732

Nonlinear Invariant Attack --Practical Attack on Full SCREAM, iSCREAM, and Midori64

Yosuke Todo, Gregor Leander, and Yu Sasaki


In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2016
Nonlinear invariant attackBoolean functionSCREAMiSCREAMMidori64CAESAR competition
Contact author(s)
todo yosuke @ lab ntt co jp
2016-09-26: last of 2 revisions
2016-07-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yosuke Todo and Gregor Leander and Yu Sasaki},
      title = {Nonlinear Invariant Attack --Practical Attack on Full SCREAM, iSCREAM, and Midori64},
      howpublished = {Cryptology ePrint Archive, Paper 2016/732},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.