Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
DOI:
https://doi.org/10.13154/tosc.v2016.i1.33-56Keywords:
Midori, Block Cipher, Invariant Subspace Attack, Weak KeyAbstract
We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 232 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 216 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.
Published
How to Cite
Issue
Section
License
Copyright (c) 2016 Jian Guo, Jérémy Jean, Ivica Nikolic, Kexin Qiao, Yu Sasaki, Siang Meng Sim
This work is licensed under a Creative Commons Attribution 4.0 International License.
