Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.

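The invariant subspace behind the weak-key class in the abstract, as an added worked example (this is editor-written code, not code from the paper's authors or from the Midori designers). The S-box Sb0, ShuffleCell and MixColumn follow the Midori64 specification; the round constants are placeholders generated in the code and are explicitly an assumption, not the specification's values. Only their shape matters for what is shown: every Midori64 round-constant cell is 0 or 1, and the invariance demonstrated holds for any constants of that shape. Under a key whose 32 cells are all in {0, 1} (2^16 choices for K0 times 2^16 for K1, hence 2^32 weak keys), a plaintext whose 16 cells are all in {8, 9} is mapped to a ciphertext with the same property, because Sb0 fixes 8 and 9, ShuffleCell only permutes cells, the XOR of three cells in {8, 9} stays in {8, 9}, and XORing a round key with cells in {0, 1} preserves the set. That gives the single-chosen-query distinguisher; the 2^16 key recovery from two queries is not reproduced here.

```python
"""Added example: Midori64 and its {8,9}-cell invariant subspace under weak keys.

Sb0, ShuffleCell, MixColumn and the key schedule (WK = K0 ^ K1, RK_i = K_(i mod 2) ^ alpha_i)
follow the Midori64 specification.  The round constants alpha_i below are placeholders
(assumption), NOT the specification's values; the invariance only needs their cells in {0,1}.
"""
import random

# Sb0 from the specification; an involution with fixed points 3, 7, 8, 9.
SB0 = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
# ShuffleCell: new_state[j] = state[SHUFFLE[j]]; cells are numbered column-wise.
SHUFFLE = [0, 10, 5, 15, 14, 4, 11, 1, 9, 3, 12, 6, 7, 13, 2, 8]
ROUNDS = 16
INVARIANT_CELLS = {0x8, 0x9}   # invariant subspace: every cell in {8, 9}
WEAK_KEY_CELLS = {0x0, 0x1}    # weak keys: every cell of K0 and K1 in {0, 1}
MASK64 = 0xFFFFFFFFFFFFFFFF


def placeholder_constants(seed=0x2016):
    """Assumed 0/1-cell round constants (one bit per cell); not Midori's real alpha_i."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(ROUNDS - 1)]


def to_cells(x):
    """64-bit integer -> 16 cells, cell 0 being the most significant nibble."""
    return [(x >> (60 - 4 * i)) & 0xF for i in range(16)]


def from_cells(cells):
    out = 0
    for v in cells:
        out = (out << 4) | v
    return out


def bits_to_cells(word):
    """16-bit word -> 16 cells of value 0 or 1 (bit i lands in cell i)."""
    return [(word >> (15 - i)) & 1 for i in range(16)]


def sub_cell(s):
    return [SB0[v] for v in s]


def shuffle_cell(s):
    return [s[SHUFFLE[j]] for j in range(16)]


def mix_column(s):
    """Each cell becomes the XOR of the other three cells in its column."""
    out = s[:]
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        total = col[0] ^ col[1] ^ col[2] ^ col[3]
        for r in range(4):
            out[4 * c + r] = total ^ col[r]
    return out


def xor_cells(a, b):
    return [x ^ y for x, y in zip(a, b)]


def midori64_encrypt(pt, key, constants):
    """Midori64 encryption of a 64-bit block under a 128-bit key K0 || K1."""
    k0, k1 = to_cells(key >> 64), to_cells(key & MASK64)
    wk = xor_cells(k0, k1)
    s = xor_cells(to_cells(pt), wk)
    for i in range(ROUNDS - 1):
        s = mix_column(shuffle_cell(sub_cell(s)))
        rk = xor_cells(k0 if i % 2 == 0 else k1, bits_to_cells(constants[i]))
        s = xor_cells(s, rk)
    return from_cells(xor_cells(sub_cell(s), wk))


def weak_key(k0_bits, k1_bits):
    """One of the 2^32 weak keys: K0 and K1 with every cell in {0, 1}."""
    return (from_cells(bits_to_cells(k0_bits)) << 64) | from_cells(bits_to_cells(k1_bits))


def is_weak_key(key):
    cells = to_cells(key >> 64) + to_cells(key & MASK64)
    return all(c in WEAK_KEY_CELLS for c in cells)


def in_invariant_subspace(block):
    return all(c in INVARIANT_CELLS for c in to_cells(block))


def distinguish(encrypt_oracle, rng):
    """Single chosen query: a subspace plaintext stays in the subspace under a weak key;
    a random permutation does this with probability 2^-48."""
    pt = from_cells([0x8 | rng.getrandbits(1) for _ in range(16)])
    return in_invariant_subspace(encrypt_oracle(pt))


def weak_key_invariance_holds(trials, seed=1):
    """Run the distinguisher against `trials` random weak keys; True if it never fails."""
    rng = random.Random(seed)
    constants = placeholder_constants()
    for _ in range(trials):
        key = weak_key(rng.getrandbits(16), rng.getrandbits(16))
        if not distinguish(lambda p: midori64_encrypt(p, key, constants), rng):
            return False
    return True


if __name__ == "__main__":
    print("Sb0 fixes 8 and 9:", SB0[8] == 8 and SB0[9] == 9)
    print("invariance over 64 weak keys:", weak_key_invariance_holds(64))
```

Because the placeholder constants are not the real ones, the block does not reproduce Midori64 test vectors; swapping in the specification's alpha_i changes nothing in the invariance check, which is the point the abstract makes about the attack being a property of the S-box fixed points and the 0/1 constant cells.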

Bibliographic Details
Main Authors: Jian Guo, Jérémy Jean, Ivica Nikolic, Kexin Qiao, Yu Sasaki, Siang Meng Sim
Format: Article
Language: English
Published: Ruhr-Universität Bochum 2016-12-01
Series: IACR Transactions on Symmetric Cryptology
Subjects: Midori; Block Cipher; Invariant Subspace Attack; Weak Key
Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/534
id doaj-db4aa9cbddee4f08aa0aa9e6f8937644
record_format Article
spelling doaj-db4aa9cbddee4f08aa0aa9e6f8937644 2021-03-02T09:01:50Z eng
Ruhr-Universität Bochum, IACR Transactions on Symmetric Cryptology, ISSN 2519-173X, 2016-12-01, pp. 33-56, DOI 10.13154/tosc.v2016.i1.33-56, article 534
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Jian Guo (Nanyang Technological University); Jérémy Jean (ANSSI Crypto Lab, Paris); Ivica Nikolic (Nanyang Technological University); Kexin Qiao (SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, China; Nanyang Technological University); Yu Sasaki (Nanyang Technological University, Singapore; NTT Secure Platform Laboratories, Tokyo); Siang Meng Sim (Nanyang Technological University)
We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.
https://tosc.iacr.org/index.php/ToSC/article/view/534
Midori; Block Cipher; Invariant Subspace Attack; Weak Key
collection DOAJ
language English
format Article
sources DOAJ
author Jian Guo
Jérémy Jean
Ivica Nikolic
Kexin Qiao
Yu Sasaki
Siang Meng Sim
title Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
publisher Ruhr-Universität Bochum
series IACR Transactions on Symmetric Cryptology
issn 2519-173X
publishDate 2016-12-01
description We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.
topic Midori
Block Cipher
Invariant Subspace Attack
Weak Key
url https://tosc.iacr.org/index.php/ToSC/article/view/534