Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.
| Main Authors: | Jian Guo, Jérémy Jean, Ivica Nikolic, Kexin Qiao, Yu Sasaki, Siang Meng Sim |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Ruhr-Universität Bochum, 2016-12-01 |
| Series: | IACR Transactions on Symmetric Cryptology |
| Subjects: | Midori; Block Cipher; Invariant Subspace Attack; Weak Key |
| Online Access: | https://tosc.iacr.org/index.php/ToSC/article/view/534 |
Record details (DOAJ record doaj-db4aa9cbddee4f08aa0aa9e6f8937644):

| Field | Value |
|---|---|
| Authors and affiliations | Jian Guo (Nanyang Technological University); Jérémy Jean (ANSSI Crypto Lab, Paris); Ivica Nikolic (Nanyang Technological University); Kexin Qiao (SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, China; Nanyang Technological University); Yu Sasaki (Nanyang Technological University, Singapore; NTT Secure Platform Laboratories, Tokyo); Siang Meng Sim (Nanyang Technological University) |
| Journal | IACR Transactions on Symmetric Cryptology (ISSN 2519-173X), Vol. 2016, Issue 1, pp. 33-56 |
| DOI | 10.13154/tosc.v2016.i1.33-56 |
| Publisher | Ruhr-Universität Bochum, 2016-12-01 |
| Collection | DOAJ |
| Keywords | Midori; Block Cipher; Invariant Subspace Attack; Weak Key |
| URL | https://tosc.iacr.org/index.php/ToSC/article/view/534 |