Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64

  • Yosuke Todo
  • Gregor Leander
  • Yu Sasaki


In this paper, we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext–ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.


Nonlinear invariant attack Boolean function Ciphertext-only message-recovery attack SCREAM iSCREAM Midori64 CAESAR competition 



We would like to thank Christof Beierle for development of sage code to detect bases of nonlinear invariants.

Supplementary material


  1. 1.
    S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, F. Regazzoni, Midori: a block cipher for low energy. in T. Iwata, J.H. Cheon, (eds), ASIACRYPT Part II. LNCS, vol. 9453 (Springer, 2015), pp. 411–436Google Scholar
  2. 2.
    E. Biham, A. Biryukov, A. Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, in J. Stern, editor, EUROCRYPT, LNCS, vol. 1592 (Springer, 1999), pp. 12–23Google Scholar
  3. 3.
    C. Beierle, A. Canteaut, G. Leander, Y. Rotella, Proving resistance against invariant attacks: how to choose the round constants, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part II. LNCS, vol. 10402 (Springer, 2017), pp. 647–678Google Scholar
  4. 4.
    C. Bouillaguet, O. Dunkelman, G. Leurent, P.-A. Fouque, Another look at complementation properties, in S. Hong , T. Iwata, editors, FSE. LNCS, vol. 6147 (Springer, 2010), pp. 347–364Google Scholar
  5. 5.
    A. Bogdanov, V. Rijmen, Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr., 70(3), 369–383, (2014)Google Scholar
  6. 6.
    E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, in A. Menezes, S.A. Vanstone, editors, CRYPTO. LNCS. vol. 537 (Springer, 1990), pp. 2–21Google Scholar
  7. 7.
    A. Biryukov, D. Wagner, Slide attacks, in L.R. Knudsen, editor, FSE. LNCS, vol. 1636 (Springer, 1999), pp. 245–259Google Scholar
  8. 8.
    J. Guo, J. Jean, I. Nikolic, K. Qiao, Y. Sasaki, S. Sim, Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symm. Cryptol., 2016(1), 33–56, (2016)Google Scholar
  9. 9.
    V. Grosso, G. Leurent, F.-X. Standaert, K. Varici, A. Journault, F. Durvaux, L. Gaspar, S. Kerckhof, SCREAM v1. 2014. Submission to CAESAR competitionGoogle Scholar
  10. 10.
    V. Grosso, G. Leurent, F.-X. Standaert, K. Varici, A. Journault, F. Durvaux, L. Gaspar, S. Kerckhof, SCREAM v3. 2015. Submission to CAESAR competitionGoogle Scholar
  11. 11.
    V. Grosso, G. Leurent, F.-X. Standaert, K. Varici, LS-Designs: Bitslice encryption for efficient masked software implementations, in C. Cid, C. Rechberger, editors, FSE. LNCS, vol. 8540 (Springer, 2014), pp. 18–37Google Scholar
  12. 12.
    M. Hermelin, J.Y. Cho, K. Nyberg, Multidimensional linear cryptanalysis of reduced round Serpent, in Y. Mu, W. Susilo, J. Seberry, editors, ACISP.LNCS, vol. 5107 (Springer, 2008), pp. 203–215Google Scholar
  13. 13.
    C. Harpes, G.G. Kramer, J.L. Massey, A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma, in L.C. Guillou, J.-J. Quisquater, editors, EUROCRYPT. LNCS, vol. 921 (Springer, 1995), pp. 24–38Google Scholar
  14. 14.
    L.R. Knudsen, Truncated and higher order differentials, in B. Preneel, editor, FSE. LNCS, vol. 1008 (Springer, 1994), pp. 196–211Google Scholar
  15. 15.
    L.R. Knudsen, M.J.B. Robshaw, Non-linear approximations in linear cryptanalysis, in U.M. Maurer, editor, EUROCRYPT. LNCS, vol. 1070 (Springer, 1996), pp. 224–236Google Scholar
  16. 16.
    G. Leander, M.A. Abdelraheem, H. AlKhzaimi, E. Zenner, A cryptanalysis of PRINTCIPHER: the invariant subspace attack, in P. Rogaway, editor, CRYPTO. LNCS, vol. 6841 (Springer, 2011), pp. 206–221Google Scholar
  17. 17.
    G. Leander, B. Minaud, S. Rønjom, A generic approach to invariant subspace attacks: cryptanalysis of robin, iscream and zorro, in E. Oswald, M. Fischlin, editors, EUROCRYPT. LNCS, vol. 9056 (Springer, 2015), pp. 254–283Google Scholar
  18. 18.
    M. Liskov, R.L. Rivest, D. Wagner, Tweakable block ciphers. J. Cryptol., 24(3), 588–613, (2011)Google Scholar
  19. 19.
    M. Matsui, Linear cryptanalysis method for DES cipher, in T. Helleseth, editor, EUROCRYPT. LNCS, vol. 765 (Springer, 1993), pp. 386–397Google Scholar
  20. 20.
    S. Moriai, T. Shimoyama, T. Kaneko, Higher order differential attak of CAST cipher, in S. Vaudenay, editor, FSE. LNCS, vol. 1372 (Springer, 1998), pp. 17–31Google Scholar
  21. 21.
    National Bureau of Standards, Data Encryption Standard (DES), (1977). Federal Information Processing Standards Publication 46Google Scholar
  22. 22.
    M. Özen, M. Çoban, F. Karakoç, A guess-and-determine attack on reduced-round Khudra and weak keys of full cipher. IACR Cryptol. ePrint Arch., 2015, 1163, (2015).Google Scholar
  23. 23.
    U.S. Department of Commerce/National Institute of Standards and Technology, Specification for the Advanced Encryption Standard (AES), (2001). Federal Information Processing Standards Publication 197Google Scholar
  24. 24.
    T. Van Le, R. Sparr, R. Wernsdorf, Y. Desmedt, Complementation-like and cyclic properties of AES round functions, in H. Dobbertin, V. Rijmen, A. Sowa, editors, AES Conference. LNCS, vol. 3373 (Springer, 2004), pp. 128–141Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.NTT Secure Platform LaboratoriesTokyoJapan
  2. 2.Horst Görtz Institute for IT SecurityRuhr-Universität BochumBochumGermany

Personalised recommendations