Cryptanalysis of Reduced-Round Midori64 Block Cipher

Midori is a hardware-oriented lightweight block cipher designed by Banik \emph{et al.} in ASIACRYPT 2015. It has two versions according to the state sizes, i.e. Midori64 and Midori128. In this paper, we explore the security of Midori64 against truncated differential and related-key differential attacks. By studying the compact representation of Midori64, we get the branching distribution properties of almost MDS matrix used by Midori64. By applying an automatic truncated differential search algorithm developed by Moriai \emph{et al.} in SAC 1999, we get 3137 4-round truncated differentials of Midori64. In addition, we find some 2-round iterative differential patterns for Midori64. By searching the differential characteristics matching the differential pattern, we find some iterative 2-round differentials with probability of $2^{-24}$, based on these differentials, a 11-round related-key differential characteristic is constructed. Then we mount a 14-round(out of 16 full rounds) related-key differential attack on Midori64. As far as we know, this is the first related-key differential attack on Midori64

Efficient Error detection Architectures for Low-Energy Block Ciphers with the Case Study of Midori Benchmarked on FPGA

Achieving secure, high performance implementations for constrained applications such as implantable and wearable medical devices is a priority in efficient block ciphers. However, security of these algorithms is not guaranteed in presence of malicious and natural faults. Recently, a new lightweight block cipher, Midori, has been proposed which optimizes the energy consumption besides having low latency and hardware complexity. This algorithm is proposed in two energy-efficient varients, i.e., Midori64 and Midori128, with block sizes equal to 64 and 128 bits. In this thesis, fault diagnosis schemes for variants of Midori are proposed. To the best of the our knowledge, there has been no fault diagnosis scheme presented in the literature for Midori to date. The fault diagnosis schemes are provided for the nonlinear S-box layer and for the round structures with both 64-bit and 128-bit Midori symmetric key ciphers. The proposed schemes are benchmarked on field-programmable gate array (FPGA) and their error coverage is assessed with fault-injection simulations. These proposed error detection architectures make the implementations of this new low-energy lightweight block cipher more reliable

Invariant Subspace Attack Against Full Midori64

In this paper, we present an invariant subspace attack against block cipher Midori64 which has recently been proposed by Banik et al. at Asiacrypt 2015 to achieve low energy consumption. We show that when each nibble of the key has the value 0 or 1 and each nibble of the plaintext has the value 8 or 9, each nibble of the ciphertext also has the value 8 or 9 with probability one regardless of the number of rounds applied. This fact indicates that Midori64 has a class of $2^{32}$ weak keys that can be distinguished with a single query. It also indicates that the number of keys generated uniformly at random for Midori64 must not exceed $2^{96}$, i.e., the pseudorandom-permutation security of Midori64 is only up to 96 bits instead of 128 bits. Interestingly, given the information that the key is from the $2^{32}$ weak key subspace, key recovery can be performed within time complexity $2^{16}$ and data complexity $2^1$. We have confirmed the correctness of the analysis by implementing the attack. At the current stage, our attacks do not apply to Midori128

More Accurate Differential Properties of LED64 and Midori64

In differential cryptanalysis, a differential is more valuable than the single trail belonging to it in general. The traditional way to compute the probability of the differential is to sum the probabilities of all trails within it. The automatic tool for the search of differentials based on Mixed Integer Linear Programming (MILP) has been proposed and realises the task of finding multiple trails of a given differential. The problem is whether it is reliable to evaluate the probability of the differential traditionally. In this paper, we focus on two lightweight block ciphers – LED64 and Midori64 and show the more accurate estimation of differential probability considering the key schedule. Firstly, an automated tool based on Boolean Satisfiability Problem (SAT) is put forward to accomplish the automatic search of differentials for ciphers with S-boxes and is applied to LED64 and Midori64. Secondly, we provide an automatic approach to detect the right pairs following a given differential, which can be exploited to calculate the differential property. Applying this technique to the STEP function of LED64, we discover some differentials with enhanced probability. As a result, the previous attacks relying upon high probability differentials can be improved definitely. Thirdly, we present a method to compute an upper-bound of the weak-key ratio for a given differential, which is utilised to analyse 4-round differentials of Midori64. We detect two differentials whose weak-key ratios are much lower than the expected 50%. More than 78% of the keys will make these two differentials being impossible differentials. The idea of the estimation for an upper-bound of the weak-key ratio can be employed for other ciphers and allows us to launch differential attacks more reliably. Finally, we introduce how to compute the enhanced differential probability and evaluate the size of keys achieving the improved probability. Such a property may incur an efficient weak-key attack. For a 4-round differential of Midori64, we obtain an improved differential property for a portion of keys

New Automatic search method for Truncated-differential characteristics: Application to Midori, SKINNY and CRAFT

In this paper, using Mixed Integer Linear Programming, a new automatic search tool for truncated differential characteristic is presented. Our method models the problem of finding a maximal probability truncated differential characteristic, which is able to distinguish the cipher from a pseudo random permutation. Using this method, we analyse Midori64, SKINNY64/X and CRAFT block ciphers, for all of which the existing results are improved. In all cases, the truncated differential characteristic is much more efficient than the (upper bound of) bit-wise differential characteristic proven by the designers, for any number of rounds. More specifically, the highest possible rounds, for which an efficient differential characteristic can exist for Midori64, SKINNY64/X and CRAFT are 6, 7 and 10 rounds respectively, for which differential characteristics with maximum probabilities of $2^{-60}$, $2^{-52}$ and $2^{-62.61}$ (may) exist. Using our new method, we introduce new truncated differential characteristics for these ciphers with respective probabilities $2^{-54}$, $2^{-4}$ and $2^{-24}$ at the same number of rounds. Moreover, the longest truncated differential characteristics found for SKINNY64/X and CRAFT have 10 and 12 rounds, respectively. This method can be used as a new tool for differential analysis of SPN block ciphers

Midori: A Block Cipher for Low Energy (Extended Version)

In the past few years, lightweight cryptography has become a popular research discipline with a number of ciphers and hash functions proposed. The designers\u27 focus has been predominantly to minimize the hardware area, while other goals such as low latency have been addressed rather recently only. However, the optimization goal of low energy for block cipher design has not been explicitly addressed so far. At the same time, it is a crucial measure of goodness for an algorithm. Indeed, a cipher optimized with respect to energy has wide applications, especially in constrained environments running on a tight power/energy budget such as medical implants. This paper presents the block cipher Midori that is optimized with respect to the energy consumed by the circuit per bit in encryption or decryption operation. We deliberate on the design choices that lead to low energy consumption in an electrical circuit, and try to optimize each component of the circuit as well as its entire architecture for energy. An added motivation is to make both encryption and decryption functionalities available by small tweak in the circuit that would not incur significant area or energy overheads. We propose two energy-efficient block ciphers Midori128 and Midori64 with block sizes equal to 128 and 64 bits respectively. These ciphers have the added property that a circuit that provides both the functionalities of encryption and decryption can be designed with very little overhead in terms of area and energy. We compare our results with other ciphers with similar characteristics: it was found that the energy consumptions of Midori64 and Midori128 are by far better when compared ciphers like PRINCE and NOEKEON

A Deep Study of The Impossible Boomerang Distinguishers: New Construction Theory and Automatic Search Methods

The impossible boomerang attack (IBA) is a combination of the impossible differential attack and boomerang attack, which has demonstrated remarkable power in the security evaluation of AES and other block ciphers. However, this method has not received sufficient attention in the field of symmetric cipher analysis. The only existing search method for impossible boomerang distinguishers (IBD), the core of IBAs, is the $\mathcal{UB}\text{-method}$, but it is considered rather rudimentary given current technological advancements and may result in missed opportunities for effective attacks. Therefore, this paper delves into a comprehensive study on the construction theory and automatic search method of IBDs. Theoretically, we propose 5 IBD constructions aligned with the techniques of arbitrary S-box, boomerang distinguisher, Boomerang Connectivity Table, U/L/EBCT and mixed tables for differential propagation for SPN-network block ciphers, and 2 IBD constructions accompanied by state propagation for block ciphers with any structure. Furthermore, we investigate the relationship among these IBD constructions and demonstrate that the most superior IBD aligns precisely with the original definition. Technically, we develop a general SAT-based automatic search tool for IBDs by introducing optimized search strategies of the composite model method and the mixed model method. This tool not only considers the details of each operation but also takes into account the impact of key schedule in a single-key setting. As applications, we first acquire 59584 4-round 1 active word truncated IBDs for AES-128, and 192 of those IBDs cannot be detected by the $\mathcal{UB} \text{-method}$. For Midori64, we first demonstrate the non-existence of $7$-round $1$ active word truncated IBDs, and obtain $7296$ $6$-round $1$ active word truncated IBDs, which is complementary to the finding that there are no existing $6$-round $1$ active word truncated IDs. For PRESENT-80, we get the first 6-round IBDs which cannot be detected by the $\mathcal{UB}\text{-method}$. Those results indicate that our method outperforms the $\mathcal{UB}\text{-method}$ and offer an advantage over IDs. We believe that our work can bring new insights to symmetric cipher analysis

Evaluating the Security of Block Ciphers Against Zero-correlation Linear Attack in the Distinguishers Aspect

Zero-correlation linear attack is a powerful attack of block ciphers, the lower number of rounds (LNR) which no its distinguisher (named zero-correlation linear approximation, ZCLA) exists reflects the ability of a block cipher against the zero-correlation linear attack. However, due to the large search space, showing there are no ZCLAs exist for a given block cipher under a certain number of rounds is a very hard task. Thus, present works can only prove there no ZCLAs exist in a small search space, such as 1-bit/nibble/word input and output active ZCLAs, which still exist very large gaps to show no ZCLAs exist in the whole search space. In this paper, we propose the meet-in-the-middle method and double-collision method to show there no ZCLAs exist in the whole search space. The basic ideas of those two methods are very simple, but they work very effectively. As a result, we apply those two methods to AES, Midori64, and ARIA, and show that there no ZCLAs exist for $5$-round AES without the last Mix-Column layer, $7$-round Midori64 without the last Mix-Column layer, and $5$-round ARIA without the last linear layer. As far as we know, our method is the first automatic method that can be used to show there no ZCLAs exist in the whole search space, which can provide sufficient evidence to show the security of a block cipher against the zero-correlation linear attack in the distinguishers aspect, this feature is very useful for designing block ciphers

Commutative Cryptanalysis Made Practical

About 20 years ago, Wagner showed that most of the (then) known techniques used in the cryptanalysis of block ciphers were particular cases of what he called commutative diagram cryptanalysis. However, to the best of our knowledge, this general framework has not yet been leveraged to find concrete attacks. In this paper, we focus on a particular case of this framework and develop commutative cryptanalysis, whereby an attacker targeting a primitive E constructs affine permutations A and B such that E ○ A = B ○ E with a high probability, possibly for some weak keys. We develop the tools needed for the practical use of this technique: first, we generalize differential uniformity into “A-uniformity” and differential trails into “commutative trails”, and second we investigate the commutative behaviour of S-box layers, matrix multiplications, and key additions. Equipped with these new techniques, we find probability-one distinguishers using only two chosen plaintexts for large classes of weak keys in both a modified Midori and in Scream. For the same weak keys, we deduce high probability truncated differentials that can cover an arbitrary number of rounds, but which do not correspond to any high probability differential trails. Similarly, we show the existence of a trade-off in our variant of Midori whereby the probability of the commutative trail can be decreased in order to increase the weak key density. We also show some statistical patterns in the AES super S-box that have a much higher probability than the best differentials, and which hold for a class of weak keys of density about 2−4.5