Mehmet Emin Gönen; Muhammed Said Gündoğan; Kamil Otal
Abstract
Midori64 is a lightweight SPN block cipher introduced by Banik et al. at ASIACRYPT 2015 which operates on 64-bit states through 16 rounds using a 128-bit key. In the last decade, Midori64 has been intensively subjected to several attacks. In this paper, we provide the first boomerang attack on Midori64 in the literature, to the best of our knowledge. For this purpose, we first present a practical single-key 7-round boomerang attack on Midori64, improving the mixture idea of Biryukov by a new technique which we call "mixture pool", and then extend our attack up to 9 rounds with time complexity $2^{122.3}$, and memory and data complexity $2^{36}$. (The authors of Midori stated that they expect much smaller rounds than 8 rounds of Midori64 are secure against boomerang-type attacks.) We also emphasize that the mixture pool idea provides a kind of data-memory tradeoff and hence presents more usefulness for boomerang-type attacks.
A. Rezaei Shahmirzdi; A. Azimi; M. Salmasizadeh; J. Mohajeri; M. R. Aref
Abstract
Impossible differential attack is a well-known means to examine the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both versions have key size equal to 128 bits. In this paper, we mainly study the security of Midori64. To this end, we use various techniques such as early-abort, memory reallocation, miss-in-the-middle and turning to account the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks for 10, 11, and 12 rounds on Midori64 with $2^{87.7}$, $2^{90.63}$, and $2^{90.51}$ time complexity, respectively, to retrieve the master-key.