Related-Key Cryptanalysis of Midori

Midori64 and Midori128 [2] are lightweight block ciphers that encrypt 64-bit and 128-bit blocks, respectively. While the authors of Midori discuss several attack models, they made no claims concerning the security of Midori against related-key differential attacks. In this attack model, the attacker uses related-key differential characteristics, i.e., tuples \((\delta _P, \delta _K, \delta _C)\) such that a difference (generally computed as an XOR) of \(\delta _P\) in the plaintext coupled with a difference \(\delta _K\) in the key yields a difference \(\delta _C\) after \(r\) rounds with a good probability. In this paper, we propose a constraint programming model to automate the search for optimal (in terms of probability) related-key differential characteristics on Midori. Using it, we build related-key distinguishers on the full-round Midori64 and Midori128, and mount key recovery attacks on both versions of the cipher with practical time complexity, respectively \(2^{35.8}\) and \(2^{43.7}\).
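
To make the definition of a related-key differential \((\delta _P, \delta _K, \delta _C)\) concrete, the following added example (not code from the paper) computes exact probabilities on a constructed two-round, one-nibble toy cipher. The S-box table is Midori64's Sb0 as given in the cipher's specification; the toy cipher, its key usage and all function names are assumptions made for illustration and are unrelated to the attack complexities quoted above.

```python
from itertools import product

# Sb0 of Midori64, taken from the cipher's specification (not from this page).
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

def ddt(sbox):
    """table[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    table = [[0] * 16 for _ in range(16)]
    for x, din in product(range(16), repeat=2):
        table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def toy_encrypt(p, k):
    """Constructed toy cipher (NOT Midori): one nibble, two S-box rounds,
    the same key nibble XORed in before each S-box and once at the end."""
    return SBOX[SBOX[p ^ k] ^ k] ^ k

def rk_probability(dp, dk, dc):
    """Exact probability of the related-key differential (dp, dk, dc),
    counted over all 256 (plaintext, key) pairs of the toy cipher."""
    hits = sum((toy_encrypt(p, k) ^ toy_encrypt(p ^ dp, k ^ dk)) == dc
               for p, k in product(range(16), repeat=2))
    return hits / 256

def best_differential(key_diffs):
    """Highest-probability (prob, dp, dk, dc) with dk drawn from key_diffs,
    skipping the trivial case dp == dk == 0."""
    return max((rk_probability(dp, dk, dc), dp, dk, dc)
               for dp, dk, dc in product(range(16), key_diffs, range(16))
               if dp or dk)

if __name__ == "__main__":
    table = ddt(SBOX)
    # With dp == dk the first key addition cancels the difference, so the
    # first S-box is inactive and only the second one costs probability.
    d = 0x1
    for dout in range(16):
        if table[d][dout]:
            print(f"(dP={d:x}, dK={d:x}, dC={dout ^ d:x}) "
                  f"p={rk_probability(d, d, dout ^ d)} DDT/16={table[d][dout] / 16}")
    print("best single-key :", best_differential([0]))
    print("best related-key:", best_differential(range(1, 16)))
```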

[1] Serge Vaudenay, et al. Distinguishing Distributions Using Chernoff Information, 2010, ProvSec.

[2] Alex Biryukov, et al. Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others, 2010, EUROCRYPT.

[3] Dawu Gu, et al. Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming, 2011, Inscrypt.

[4] Lei Hu, et al. Extending the Applicability of the Mixed-Integer Programming Technique in Automatic Differential Cryptanalysis, 2015, ISC.

[5] Kyoji Shibutani, et al. Midori: A Block Cipher for Low Energy, 2015, ASIACRYPT.

[6] Lars R. Knudsen, et al. Cryptanalysis of LOKI91, 1992, AUSCRYPT.

[7] Thomas Peyrin, et al. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations, 2010, FSE.

[8] Eli Biham, et al. Differential Cryptanalysis of the Data Encryption Standard, 1993, Springer New York.

[9] Xiaoyun Wang, et al. Impossible Differential Cryptanalysis of Midori, 2016, IACR Cryptol. ePrint Arch.

[10] Ali Aydin Selçuk, et al. On Probability of Success in Linear and Differential Cryptanalysis, 2008, Journal of Cryptology.

[11] Yanzhao Shen, et al. Cryptanalysis of Reduced-Round Midori64 Block Cipher, 2016, IACR Cryptol. ePrint Arch.

[12] Lei Hu, et al. Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers, 2014, ASIACRYPT.

[13] Li Lin, et al. Meet-in-the-Middle Attacks on Reduced-Round Midori64, 2017, IACR Trans. Symmetric Cryptol.

[14] Marine Minier, et al. Constraint Programming Models for Chosen Key Differential Cryptanalysis, 2016, CP.

[15] Yu Sasaki, et al. Invariant Subspace Attack Against Full Midori64, 2015, IACR Cryptol. ePrint Arch.

[16] Roger M. Needham, et al. TEA, a Tiny Encryption Algorithm, 1994, FSE.

[17] Eli Biham, et al. New Types of Cryptanalytic Attacks Using Related Keys (Extended Abstract), 1994, EUROCRYPT.

[18] Thomas Peyrin, et al. Structural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128, 2013, CRYPTO.