Related-Key Cryptanalysis of Midori

  • David GéraultEmail author
  • Pascal Lafourcade
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10095)


Midori64 and Midori128 [2] are lightweight block ciphers, which respectively cipher 64-bit and 128-bit blocks. While several attack models are discussed by the authors of Midori, the authors made no claims concerning the security of Midori against related-key differential attacks. In this attack model, the attacker uses related-key differential characteristics, i.e., tuples \((\delta _P, \delta _K, \delta _C)\) such that a difference (generally computed as a XOR) of \(\delta _P\) in the plaintext coupled with a difference \(\delta _K\) in the key yields a difference \(\delta _C\) after r rounds with a good probability. In this paper, we propose a constraint programming model to automate the search for optimal (in terms of probability) related-key differential characteristics on Midori. Using it, we build related-key distinguishers on the full-round Midori64 and Midori128, and mount key recovery attacks on both versions of the cipher with practical time complexity, respectively \(2^{35.8}\) and \(2^{43.7}\).


Midori Related-key attack Constraint programming 



We would like to thank Marine Minier for her valuable advice.

Supplementary material


  1. 1.
    Baignères, T., Sepehrdad, P., Vaudenay, S.: Distinguishing distributions using chernoff information. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 144–165. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-16280-0_10 CrossRefGoogle Scholar
  2. 2.
    Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_17 CrossRefGoogle Scholar
  3. 3.
    Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_34 Google Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, London (1993)CrossRefzbMATHGoogle Scholar
  5. 5.
    Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_17 CrossRefGoogle Scholar
  6. 6.
    Chen, Z., Wang, X.: Impossible differential cryptanalysis of midori. IACR Cryptology ePrint Archive 2016, 535 (2016)Google Scholar
  7. 7.
    Dong, X.: Cryptanalysis of reduced-round midori64 block cipher. Cryptology ePrint Archive, Report 2016, 676 (2016).
  8. 8.
    Fouque, P.-A., Jean, J., Peyrin, T.: Structural evaluation of AES, and chosen-key distinguisher of 9-round AES-128. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 183–203. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_11 CrossRefGoogle Scholar
  9. 9.
    Gerault, D., Minier, M., Solnon, C.: Constraint programming models for chosen key differential cryptanalysis. In: The 22nd International Conference on Principles and Practice of Constraint Programming, Toulouse, France (2016)Google Scholar
  10. 10.
    Gilbert, H., Peyrin, T.: Super-sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13858-4_21 CrossRefGoogle Scholar
  11. 11.
    Guo, J., Jean, J., Nikolić, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace attack against full midori64. Cryptology ePrint Archive, Report 2015, 1189 (2015).
  12. 12.
    Knudsen, L.R.: Cryptanalysis of LOKI 91. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993). doi: 10.1007/3-540-57220-1_62 CrossRefGoogle Scholar
  13. 13.
    Lin, L., Wu, W.: Meet-in-the-middle attacks on reduced-round midori-64. Cryptology ePrint Archive, Report 2015, 1165 (2015).
  14. 14.
    Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34704-7_5 CrossRefGoogle Scholar
  15. 15.
    Prud’homme, C., Fages, J.-G., Lorca, X.: Choco Documentation. TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S. (2016)Google Scholar
  16. 16.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Crypt. 21(1), 131–147 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Sun, S., Hu, L., Wang, M., Yang, Q., Qiao, K., Ma, X., Song, L., Shan, J.: Extending the applicability of the mixed-integer programming technique in automatic differential cryptanalysis. In: Lopez, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 141–157. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-23318-5_8 CrossRefGoogle Scholar
  18. 18.
    Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (Related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_9 Google Scholar
  19. 19.
    Wheeler, D.J., Needham, R.M.: TEA, a tiny encryption algorithm. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 363–366. Springer, Heidelberg (1995). doi: 10.1007/3-540-60590-8_29 CrossRefGoogle Scholar
  20. 20.
    ZDNet: New xbox security cracked by linux fans.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.University Clermont AuvergneClermont-FerrandFrance

Personalised recommendations