Open Access
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Author(s) -
Jingjie Guo,
Jérémy Jean,
Ivica Nikolić,
Kexin Qiao,
Yasutsuna Sasaki,
Siang Meng Sim
Publication year - 2016
Publication title -
IACR Transactions on Symmetric Cryptology
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.715
H-Index - 10
ISSN - 2519-173X
DOI - 10.46586/tosc.v2016.i1.33-56
Subject(s) - block cipher, subspace topology, computer science, invariant (physics), s box, cipher, key (lock), theoretical computer science, invariant subspace, algorithm, arithmetic, mathematics, computer security, cryptography, encryption, pure mathematics, artificial intelligence, linear subspace, mathematical physics
We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of the round constants make Midori64 more resistant to the attacks, but others lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.