Keywords

1 Introduction

The increasing usage of embedded devices led to a lot of research on how to adapt existing cryptographic primitives for the low power and energy constraints associated with the internet of things. Lightweight block ciphers follow this trend, and aim at providing energy efficient ways to ensure confidentiality for fixed size block messages. In 2015, the authors of [2] consider the challenging task of minimizing the energy cost for a lightweight block cipher. They proposed a lightweight symmetric block cipher scheme called Midori, composed of two versions Midori64 and Midori128, which respectively cipher 64- and 128-bit message blocks.

In this paper, we challenge the related-key security of both versions of Midori. In the related-key model, introduced independently by Biham [3] and Knudsen [12], the attacker is allowed to require the encryption of messages of his choice under the secret key, but also under other keys which have a relation to the original one. For instance, if K is the secret key, the attacker can require the encryption of a message m under K, but also under another key \(K^*\), computed as \(K \oplus \delta _K\), where \(\oplus \) is the XOR operation and \(\delta _K\) is a bit string chosen by the attacker. In an ideal block cipher, the distribution of the resulting ciphertext difference should be uniform and independent from the input difference. However, in real ciphers, there exist related-key differential characteristics, i.e., difference propagation patterns, which happen with higher probabilities. In a related-key differential attack, the attacker requires the encryption of message pairs satisfying a difference \(\delta _P\), under keys satisfying a difference \(\delta _K\), expecting an output difference \(\delta _C\).

One of the main applications of related-key cryptanalysis is finding collisions on hash functions built from block ciphers (e.g., with the Davies-Meyer construction). For instance, the hash function used in Microsoft’s Xbox was broken due to the related-key vulnerability of the underlying block cipher TEA [19], leading to a hack of the system [20]. Related-key attacks were not taken into account in the design of Midori, and the authors made no claim on its security in this model. As Midori is designed for embedded devices, it could however be used to build a hash function, which motivates scrutinizing its security in the related key setting.

The search for related-key differential characteristics is however difficult. Following the idea of [9], we use constraint programming (CP) to tackle this problem. In this programming paradigm, instead of providing an imperative algorithm, the programmer describes the problem to be solved as a set of variables linked together by constraints (for instance, \(x+y = 10\)), and the exploration of the search space is left to the solver. While an overwhelming part of the cryptanalysis literature relies on custom algorithms, we believe that a more generic approach is very promising. In particular, as shown in [9], constraint programming seems less error prone than custom code.

Contributions

  • We provide constraint programming models to find optimal related key differential characteristics on both versions of Midori.

  • Using our models, we give the optimal \(R-1\) rounds related-key differential characteristics of both versions of Midori, with probability \(2^{-14}\) for Midori64, and \(2^{-38}\) for Midori128.

  • We then mount practical time key recovery attacks requiring \(2^{35.8}\) operations with 20 related keys for Midori64, and \(2^{43.7}\) encryptions with 16 related keys for Midori128.

  • We also provide a related-key distinguisher of probability \(2^{-16}\) for Midori64 and \(2^{-40}\) for Midori128.

Related Work: Most results in the literature using constraint programming for the cryptanalysis of block ciphers use Mixed Integer Linear Programming (MILP). In [14], the authors use MILP to mount a linear cryptanalysis on a stream cipher and on the block cipher AES, both in the single key setting. In [17, 18], the authors use MILP to find the best related-key differential characteristics on several bit oriented block ciphers, but they do not treat Midori. As opposed to MILP, CP supports table constraints defining tuples of authorized values, which provides a rather efficient way to model the non linear SBs. To the best of our knowledge, only [9] uses classical CP instead of MILP. The authors present a model for finding optimal related-key differential characteristics against AES, using a method similar to the one presented in this paper.

The existing attacks against Midori are summed up in Table 1.

Table 1. Summary of the attacks against Midori.
Full size table

In [6], the authors propose an impossible differential attack on 10 rounds of Midori64. In [13], Li Lin and Wenling Wu describe a meet-in-the-middle attack on 12-round Midori64. In [11], the authors exhibit a class of \(2^{32}\) weak keys which can be distinguished with a single query. Assuming a key from this class is used, then it can be recovered with as little as \(2^{16}\) operations, and a data complexity of \(2^1\). Finally, a related-key cryptanalysis of Midori64 is performed in [7]. It covers 14 rounds and has a complexity of \(2^{116}\), as opposed to \(2^{35.8}\) for ours. This difference is due to their differential characteristics being far from optimal.

As for Midori128, to the best of our knowledge, no cryptanalysis on it has been published yet. We fill this gap by mounting a key recovery attack on the whole cipher, requiring \(2^{43.7}\) encryptions.

Outline: In Sect. 2, we give a brief description of Midori. We then remind the basics of related-key cryptanalysis and introduce our notations in Sect. 3. We present our CP models in Sect. 4. Finally, we detail our results in Sect. 5, before concluding in the last section.

2 Description of Midori Encryption Scheme

Both versions of Midori, Midori64 and Midori128, use 128-bit keys. In both versions, the blocks are treated as \(4\times 4\) matrices of words of m bits, with \(m=4\) for Midori64 and \(m=8\) for Midori128. The encryption process consists in applying a round function that updates an internal state S, represented as shown on Fig. 1 (where the \(s_i\) are 4-bit words for Midori64 and 8-bit words (bytes) for Midori128), for a given number of rounds R. For Midori64, R is equal to 16, whereas for Midori128 R is 20Footnote 1.

Fig. 1.
figure 1

Representation of the state in Midori.

Full size image

The round function is composed of the following consecutive operations:

  • SubCell (SB) substitutes every cell of the state, using a non linear Substitution Box, denoted Sbox. The Sbox of Midori64 is given as example in Fig. 2(a). For Midori128, 4 different \(\text {Sboxes}\) are used (one for each line of the state)Footnote 2.

  • ShuffleCell (SC) operates a permutation of the cells of the state. On input \((s_0,\ldots ,s_{15})\), it applies the following permutation:

    $$\begin{aligned} \left( s_0, s_{10}, s_5, s_{15}, s_{14}, s_4, s_{11}, s_1, s_9, s_3, s_{12}, s_6, s_7, s_{13}, s_2, s_8\right) . \end{aligned}$$

  • MixColumns (MC) multiplies the state by the symmetric matrix given in Fig. 2(b), thus applying a linear transformation on each column independently. It has the quasi-MDS property if \(MC(0,0,0,0)=(0,0,0,0)\) or \(|X| + |MC(X)| = 0\) or \(|X| + |MC(X)| \ge 4\), where |X| denotes the number of non-zero words in a column X of the state.

  • KeyAdd (KA) is a XOR between S and a round key derived from the initial key.

Fig. 2.
figure 2

Midori description.

Full size image

The Midori encryption process works as follows: an initial KeyAdd, using the whitening key WK, is applied. Then, the round function is executed \(R-1\) times. Finally, a final SubCell is applied to the resulting state, and a new KeyAdd is performed, again using WK. The round key derivation is very straightforward: the key for each round i is obtained by XORing the initial key with a predefined \(4\times 4\) constant matrix \(\alpha _i\). For Midori64, the 128-bit key is considered as two \(4\times 4\) matrices of 4-bit words \(K_0\) and \(K_1\), and WK is computed as \(K_0 \oplus K_1\). The round key for round i is computed as \(K_{i \mod 2} \oplus \alpha _i\). For Midori128, K is a single \(4\times 4\) bytes matrix, and \(WK=K\). The round key for round i is then simply computed as for Midori64: \(K \oplus \alpha _i\).

3 Related-Key Cryptanalysis

Differential cryptanalysis studies the propagation of the differences, generally computed as a XOR, between two plaintexts ciphered with the same key. Related-key cryptanalysis, which was independently introduced by Biham [3] and Knudsen [12], additionally considers the case where the two plaintexts are ciphered with different keys. A tuple (\(\delta _{in}, \delta _K, \delta _{out}\)) is an n-rounds related-key differential for a keyed round function \(f_K\), for which \(f_K^i\) denotes the output after round i (starting from 0), if for some plaintext P and key K it holds that \(f_K^{n-1}(P) \oplus f_{K \oplus \delta _K}^{n-1}(P \oplus \delta _{in}) = \delta _{out}\). Similarly, if \(X_i^{P,K}\) denotes the internal state of the round function with inputs P and K at round i, a tuple (\(\delta _{in}, \delta _K, \delta _{X_{0}} \ldots \delta _{X_{n-1}}, \delta _{out}\)) is an n-rounds related-key differential characteristics if (\(\delta _{in}, \delta _{out}, \delta _K\)) is an n-rounds related-key differential and, for all i from 0 to \(n-1\), it holds that \(X_i^{P,K} \oplus X_i^{P \oplus \delta _{in},K \oplus \delta _K} = \delta _{X_{i}}\).

The differences \(\delta _{X}\) are composed of differential words, defined as \(\delta _{X}[i][j]=X[i][j] \oplus X'[i][j]\), where X[i][j] (resp. \(X'[i][j]\)) denotes a word at position ij (where \((i,j) \in [0;3]^2\)) of a matrix X (resp. \(X'\)).

The probability \(p=Pr[(\delta _{in},\delta _K)\) \( \rightarrow \delta _{out}]\) denotes the probability that a related-key differential \((\delta _{in}, \delta _{k}, \delta _{out})\) holds, i.e., for P and K drawn uniformly at random, \(f_{K}(P) \oplus f_{K \oplus \delta _K}(P \oplus \delta _{in}) = \delta _{out}\).

Note that, by definition, for the linear parts L of the cipher, we have \(L(P) \oplus L(P \oplus \delta ) = L( \delta )\), for any P and \(\delta \). On the other hand, for the non linear parts NL, \(NL(P) \oplus NL(P \oplus \delta )\) is generally different from \(NL(\delta )\). Hence, to handle the non linear parts of block ciphers (namely the \(\text {Sboxes}\)), related-key differential cryptanalysis usually uses a Differential Distribution Table (DDT) to derive the probability \(Pr[\delta _{in}\rightarrow \delta _{out}]\) that for a random word w, \(SB(w) \oplus SB(w \oplus \delta _{in}) = \delta _{out}\). For any differential words \(\delta _{in}\) and \(\delta _{out}\), \(DDT[\delta _{in}][\delta _{out}]\) gives the number of words w satisfying this relation, and the probability is computed as \(\frac{DDT[i][j]}{2^{|W|}}\), where |W| denotes the bit length of the words. When the \(\text {Sboxes}\) are bijectiveFootnote 3, they do not introduce nor remove differences. More formally, it holds that for any word w, \(SB(w) \oplus SB(w \oplus \delta ) \ne 0\) if \(\delta \ne 0\), and \(SB(w) \oplus SB(w \oplus \delta ) = 0\) if \(\delta =0\). Said otherwise, for a given \(\text {Sbox}\), \(Pr[0 \rightarrow 0]=1\). Hence, the probability of a related-key differential characteristic is only affected by active Sboxes, i.e., \(\text {Sboxes}\) which have a non-zero difference at their input. Thus, the probability p for a related-key differential characteristic to hold for random P and K is computed as the product of the probabilities associated with each the active \(\text {Sboxes}\) it contains. We have \(p=\prod _{i=1}^{x} p_{i}\), where \(p_i\) denotes the probability that the transition \({\delta _{in}}_i \rightarrow {\delta _{out}}_i\), defined by the related-key differential characteristic, holds for the \(i^{th}\) active \(\text {Sbox}\) (among x). Since the complexity of a related-key differential key recovery attack is directly related to the probability of the related-key differential that is used, characteristics with the least possible active \(\text {Sboxes}\) are generally the most interesting. The crucial point of this type of cryptanalysis is then to determine high probability related-key differential characteristics.

However, exhaustive search on all possible input differences is not practical for Midori because the size of the input is 128 bits for the key and 64 or 128 bits for the plaintext. Hence, a common method is to solve the problem in two steps (e.g., [5, 8, 9]). The first step does not consider the value of the differential bytes, but only the positions of non-zero differences. During the first step, the differential words are abstracted to a compact representation. In the compact representation, the differential words are abstracted to differential bits. The differential bit \(\varDelta \) representing a differential word \(\delta \) in the compact representation is defined by \(\delta =0 \Rightarrow \varDelta =0\) and \(\delta \ne 0 \Rightarrow \varDelta =1\). We denote a differential word by \(\delta \), and a differential bit by \(\varDelta \).

An n-round compact related-key differential characteristic \(\varDelta \) abstracting a related-key differential characteristic \(\delta = (\delta _{in}, \delta _{k}, \delta _{X_{0}}, \ldots , \delta _{X_{n-1}}, \delta _{out})\) is the tuple (\(\varDelta _{in}, \varDelta _{k}, \varDelta _{X_{0}}, \ldots , \varDelta _{X_{n-1}}, \varDelta _{out}\)), where \(\varDelta _{in}=0\) if \(\delta _{in}=0\) and \(\varDelta _{in}=1\) if \(\delta _{in}\ne 0\) (and similarly for \(\varDelta _{X_{0}}, \ldots , \varDelta _{X_{n-1}}\) and \(\varDelta _{out}\)).

The idea of working with two steps is that related-key differential characteristics with the best probabilities are generally the ones with the least active \(\text {Sboxes}\). Hence, a lot of filtering can be done by simply starting by working on differential bits and minimizing the number of active \(\text {Sboxes}\).

Once compact related-key differential characteristics minimizing the number of active \(\text {Sboxes}\) are obtained, a second step is run to build full related-key differential characteristics built with differential words. Note that not all compact related-key differential characteristics can be instantiated with differential words. The main reason is that a given input difference to an \(\text {Sbox}\) can only yield a limited number of output differences. For instance, in Midori64, if \(\delta _X=0x1\) (where 0x denotes hexadecimal representation), there exists no word X such that \(SB(X) \oplus SB(X \oplus 0x1)= 0x9\), according to the Sboxes of Midori64 given in Fig. 2(a). Moreover, the coefficients of the MixColumns matrix cannot be directly taken into account with differential bits, nor can the equalities of the corresponding differential words. This yields transitions that are correct when working on a bit related-key differential characteristic, but not with differential words. Such solutions are said to be inconsistent, otherwise, they are consistent.

4 Constraint Programming Model

We describe our constraint programming models to find related-key differential characteristics with optimal probability on Midori. This process is decomposed in two steps: the first one aims at lower bounding the number of active \(\text {Sboxes}\). It only considers compact related-key differential characteristics. The second step transforms the solutions to Step 1 into word related-key differential characteristics when it is possible. In other words, during Step 1, we simply find the positions of the differences in the related-key differential characteristic, and in Step 2, we assign actual values to these differences.

4.1 Step 1

Variables and Objective Function: In Step 1, we consider the propagation of differences through the cipher by working on compact related-key differential characteristics. Let n denote the number of times the full round function is applied, i.e., we neglect the initial KeyAdd and the final KeyAdd and SB. For Midori64, \(n=15\), and for Midori128, \(n=19\). When no information about the format is provided, the variables are \(n \times 4 \times 4\) binary arrays, i.e., one \(4 \times 4\) matrix per round. Each of the following variables represent differential bits:

  • \(\varDelta _K\) represents the differential bits of the key. For Midori64, it is modeled as a \(2 \times 4 \times 4\) binary array (as the initial key is composed of two \(4\times 4\) matrices). For Midori128, it is represented as a \(4 \times 4\) binary matrix.

  • \(\varDelta _{SB}\) represents the state after the SB operation. Note that since this operation does not introduce differences, this variable is somehow redundant. We however use it for readability.

  • \(\varDelta _{KA}\) represents the state after the KeyAdd operation.

  • \(\varDelta _{MC}\) represents the state after the MixColumns operation.

  • \(\varDelta _{SC}\) represents the state after the ShuffleCell operation.

The relations between these variables for a given round r is:

$$\begin{aligned} \varDelta _{SB}[r] \xrightarrow {SC} \varDelta _{SC}[r] \xrightarrow {MC} \varDelta _{MC}[r] \xrightarrow {KA} \varDelta _{KA}[r] \xrightarrow {SB} \varDelta _{SB}[r+1] \end{aligned}$$

Our aim is to minimize the number of active \(\text {Sboxes}\), i.e., \(\text {Sboxes}\) with non zero differences. Hence, we ask the solver to minimize the sum of all \(\varDelta _{SB}[r]\), which constitutes our objective function:

$$\begin{aligned} Minimize\left( \sum \nolimits _{r=0}^{n-1} \sum \nolimits _{i=0}^3 \sum \nolimits _{j=0}^3 \varDelta _{SB}[r][i][j]\right) \end{aligned}$$

Constraints: Since we work with differential bits representing the presence or absence of difference, we cannot use the regular XOR operation between such values for KeyAdd nor MixColumns. Let \(\varDelta _0\) and \(\varDelta _1\) denote two differential bits. We remind that \(\varDelta _0\) (resp. \(\varDelta _1\)) is 1 if \(\delta _{0}\ne 0\) (resp. \(\delta _1 \ne 0\)). The compact representation contains no information about the actual values of \(\delta _0\) and \(\delta _1\) when they are non-zero. This abstraction leads us to define the following constraint that describes the xor between several differential bits \(x_1,\dots ,x_{q-1}\) where \(x_q\) is the result:

$$\begin{aligned} \mathsf {XOR}(x_1, \ldots , x_ q) \Leftrightarrow \{x_1 + \ldots + x_q \ne 1 \} \end{aligned}$$

where \(+\) denotes the integer addition and \(x_1,\dots ,x_k \in \{0,1\}\). Intuitively, it states that the xor of the \(q-1\) corresponding words is known to be 0 when all the differential bits are zero, or only one is non zero, but can be either 0 or 1 otherwise.

For ShuffleCell, we simply apply the permutation given in Sect. 2 to build \(\varDelta _{SC}[r]\) from \(\varDelta _{SB}[r]\).

\(\varDelta _{SC}[r][0][0]=\varDelta _{SB}[r][0][0], \varDelta _{SC}[r][1][0]=\varDelta _{SB}[r][2][2], \varDelta _{SC}[r][2][0]=\varDelta _{SB}[r][1][1]\), \( \varDelta _{SC}[r][3][0]=\varDelta _{SB}[r][3][3], \varDelta _{SC}[r][0][1]=\varDelta _{SB}[r][2][3], \varDelta _{SC}[r][1][1]=\varDelta _{SB}[r][0][1]\), \(\varDelta _{SC}[r][2][1]=\varDelta _{SB}[r][3][2], \varDelta _{SC}[r][3][1]=\varDelta _{SB}[r][1][0],\varDelta _{SC}[r][0][2]=\varDelta _{SB}[r][1][2]\), \(\varDelta _{SC}[r][1][2]=\varDelta _{SB}[r][3][0], \varDelta _{SC}[r][2][2]=\varDelta _{SB}[r][0][3], \varDelta _{SC}[r][3][2]=\varDelta _{SB}[r][2][1]\), \(\varDelta _{SC}[r][0][3]=\varDelta _{SB}[r][3][1], \varDelta _{SC}[r][1][3]=\varDelta _{SB}[r][1][3], \varDelta _{SC}[r][2][3]=\varDelta _{SB}[r][2][0]\), \(\varDelta _{SC}[r][3][3]=\varDelta _{SB}[r][0][2]\).

The constraint for MC contains two parts, where r varies from 0 to \(n-1\) and j varies from 0 to 3.

Firstly the quasi-MDS property directly gives the following constraint:

$$\begin{aligned} \left( \sum \nolimits _{i=0}^{3} \varDelta _{SC}[r][i][j] + \varDelta _{MC}[r][i][j]\right) \in \{0,4,5,6,7,8\} \end{aligned}$$

Then, we model the fact that \(MC(0,0,0,0) = (0,0,0,0)\) as follows:

$$\begin{aligned} \left( \sum \nolimits _{i=0}^{3} \varDelta _{SC}[r][i][j] =0\right) \Leftrightarrow \left( \sum \nolimits _{i=0}^{3} \varDelta _{MC}[r][i][j] =0\right) . \end{aligned}$$

The second part directly implements the product of the vector \(\varDelta _{SC}\) with the matrix given in Midori to get \(\varDelta _{MC}\). It is modeled as follows:

$$\begin{aligned} \mathsf {XOR}(\varDelta _{SC}[r][1][j], \varDelta _{SC}[r][2][j], \varDelta _{SC}[r][3][j], \varDelta _{MC}[r][0][j])\\ \mathsf {XOR}(\varDelta _{SC}[r][0][j], \varDelta _{SC}[r][2][j], \varDelta _{SC}[r][3][j], \varDelta _{MC}[r][1][j])\\ \mathsf {XOR}(\varDelta _{SC}[r][0][j], \varDelta _{SC}[r][1][j], \varDelta _{SC}[r][3][j], \varDelta _{MC}[r][2][j])\\ \mathsf {XOR}(\varDelta _{SC}[r][0][j], \varDelta _{SC}[r][1][j], \varDelta _{SC}[r][2][j], \varDelta _{MC}[r][3][j]) \end{aligned}$$

For KA, following the rules of Midori and the \(\mathsf {XOR}\) constraint described earlierFootnote 4, we have, for r from 0 to \(n-1\), and i and j from 0 to 3: For Midori64:

$$\begin{aligned} \mathsf {XOR}(\varDelta _{MC}[r][i][j], \varDelta _K[r \mod 2][i][j], \varDelta _{KA}[r][i][j]) \end{aligned}$$

and for Midori128:

$$\begin{aligned} \mathsf {XOR}(\varDelta _{MC}[r][i][j], \varDelta _K[i][j], \varDelta _{KA}[r][i][j]) \end{aligned}$$

4.2 Step 2

Variables: In addition to the variables from Step 1, new ones are introduced to represent the differential words in the whitening key, the plaintext, the result of the initial KeyAdd, and the probabilities for each Sbox. When no information about the format is provided, the following variables are \(n \times 4 \times 4\) word arrays, i.e., one \(4 \times 4\) matrix per round.

  • \(\delta _K\) represents the differential words in the key. It is modeled as a \(2 \times 4 \times 4\) array of 4-bit words for Midori64, as a \(4 \times 4\) byte matrix for Midori128.

  • \(\delta _{SB}\) represents the state after the SB operation.

  • \(\delta _{KA}\) represents the state after the KeyAdd operation.

  • \(\delta _{MC}\) represents the state after the MixColumns operation.

  • \(\delta _{SC}\) represents the state after the ShuffleCell operation.

  • \(\delta _{WK}\) represents the whitening key, which is \(\delta _K[0] \oplus \delta _K[1]\) for Midori64, and \(\delta _K\) for Midori128.

  • \(\delta _{P}\) represents the plaintext and \(\delta _{P'}\) the state after the initial KeyAdd.

  • P is a \(n\times 4\times 4\) matrix used to compute the final probability, where \(P[r][i][j]=0\) if \(\delta _{SB}[r][i][j]=0\), and \(log_2(DDT[\delta _{KA}[r][i][j]][\delta _{SB}[r+1][i][j])\) otherwise. For Midori64, the domain of this variable is \(\{0,1,2\}\), whereas for Midori128 it is \(\{0,1,2,3,4,5,6\}\).

To find the optimal related-key differential characteristics, we need to maximize the sum of the P variables, hence our objective function is

$$\begin{aligned} Maximize\left( \sum \nolimits _{r=0}^{n-1} \sum \nolimits _{i=0}^3 \sum \nolimits _{j=0}^3 P[r][i][j]\right) \end{aligned}$$

Constraints: The first constraints aim at linking each variable of the input (from Step 1) to the variables of Step 2: for instance, for \(\delta _{KA}\), we have \(\forall r \in [0..n-1], \forall i \in [0..3], \forall j \in [0..3]:\)

$$\begin{aligned} \text {if } \varDelta _{KA}[r][i][j]==0 \text { then } \delta _{KA}[r][i][j]=0, \text { else } \delta _{KA}[r][i][j]>0 \end{aligned}$$

Similar constraints are defined for the other input variables.

The constraint for SC is exactly the same as in Step 1, except that it is on the \(\delta \) variables (differential words) instead of the \(\varDelta \) variables (differential bits).

For the other operations, we make use of table constraints to model the \(\text {Sboxes}\) and the XOR operationsFootnote 5. Intuitively, table constraints tell the solver which tuples of values are allowed.

We denote \(\mathsf {tupleXOR}\) the set of all tuples (XYZ) that satisfying \(Z= X \oplus Y\). Similarly we denote \(\mathsf {tupleSB}_S\) the tuples modeling the DDT for the \(\text {Sbox}\) S, i.e., for every couple of words \(\delta _{in}, \delta _{out}\) there is a tuple \((\delta _{in}, \delta _{out}, log_2(DDT_S[\delta _{in}][\delta _{out}]))\), where \(DDT_S\) is the DDT of the \(\text {Sbox}\) S.

We also denote by \(\mathsf {TABLE}((x,y,z), SET)\), the constraint that tells the solver that the values xy and z must for a valid tuple with regards to a given SET.

We define \(\mathsf {XORbyte}(x,y,z) := \mathsf {TABLE}((x,y,z), \mathsf {tupleXOR})\) and extend it to \(\mathsf {XORbyte_3}(x,y,z,w):= \mathsf {XORbyte}(t,z,w)\), where t is defined by \(\mathsf {XORbyte}(x,y,t)\).

The MixColumns operation can then be expressed, according the specification of the cipher, by: \(\forall r \in [0..n-1], \forall j \in [0..3]:\)

$$\begin{aligned} \mathsf {XORbyte_3}(\delta _{SC}[r][1][j],\delta _{SC}[r][2][j],\delta _{SC}[r][3][j], \delta _{MC}[r][0][j])\\ \mathsf {XORbyte_3}(\delta _{SC}[r][0][j],\delta _{SC}[r][2][j],\delta _{SC}[r][3][j], \delta _{MC}[r][1][j])\\ \mathsf {XORbyte_3}(\delta _{SC}[r][0][j],\delta _{SC}[r][1][j],\delta _{SC}[r][3][j], \delta _{MC}[r][2][j])\\ \mathsf {XORbyte_3}(\delta _{SC}[r][0][j],\delta _{SC}[r][1][j],\delta _{SC}[r][2][j], \delta _{MC}[r][3][j])\\ \end{aligned}$$

We now define \(\delta _{WK}\). For Midori64, \(\delta _{WK}\) is defined by: \( \forall i \in [0..3], \forall j \in [0..3]:\)

$$\begin{aligned} \mathsf {XORbyte}(\delta _{K}[0][i][j], \delta _K[1][i][j],\delta _{WK}[i][j]) \end{aligned}$$

For Midori128, we simply have \(\delta _{WK}=\delta _K\).

The initial KeyAdd operation then is modeled as: \(\forall i \in [0..3], \forall j \in [0..3] :\)

$$\begin{aligned} \mathsf {XORbyte}(\delta _{P}[r][i][j],\delta _{WK}[i][j], \delta _{P'}[i][j]) \end{aligned}$$

For the other KeyAdd operations, we have \(\forall r \in [0..n-1], \forall i \in [0..3], \forall j \in [0..3] : \)

$$\begin{aligned} \mathsf {XORbyte}(\delta _{MC}[r][i][j],\delta _{K}[r \mod 2][i][j],\delta _{KA}[r][i][j]) \end{aligned}$$

for Midori64, and

$$\begin{aligned} \mathsf {XORbyte}(\delta _{MC}[r][i][j],\delta _{K}[i][j],\delta _{KA}[r][i][j]) \end{aligned}$$

for Midori128. We finally model the SB operations. In the model for Midori128, where 4 different \(\text {Sboxes}\) are used, we use \(\text {Sbox}_i\), where i is the number of the line. For readability, the number of the \(\text {Sbox}\) is omitted in what follows.

The initial SB is modeled as follows: \( \forall i \in [0..3], \forall j \in [0..3]:\)

$$\begin{aligned} \mathsf {TABLE}((\delta _{P'}[i][j], \delta _{SB}[0][i][j], P[0][i][j]), \mathsf {tupleSB}) \end{aligned}$$

Then, for the other rounds, we have \( \forall r \in [1..n-1], \forall i \in [0..3], \forall j \in [0..3]:\)

$$\begin{aligned} \mathsf {TABLE}((\delta _{KA}[r-1][i][j], \delta _{SB}[r][i][j], P[r][i][j]), \mathsf {tupleSB}) \end{aligned}$$

5 Results

Step 1 was implemented in the MinizincFootnote 6 language, and solved using the solver ChuffedFootnote 7, which minimizes the objective function in around 3 h for Midori64 and in around 10 h for Midori128Footnote 8. Step 2 was solved using Choco3 [15], which finds the best related-key differential characteristic (when it exists) for each input from Step 1 within 10 s.

The results are given in Table 2.

Note that since all \(\text {Sboxes}\) in our related-key differential characteristics have the best possible probability (\(2^{-2}\)), any related-key differential characteristic with more \(\text {Sboxes}\) has a lower probability.

Table 2. The results obtained by the solvers, both for full-round and \(n-1\) rounds of both versions of Midori. The number of \(\text {Sboxes}\) is the result of Step 1, and the probability is the result of Step 2.
Full size table

5.1 Key Recovery Attacks

Our goal is to recover the secret key K. We use an encryption oracle \(\mathsf {Enc}_K(x,m)\) that encrypts a message m with the key \(K \oplus x\). Our attacks are different for Midori64 and Midori128.

Midori64: For this attack, we first recover WK, one word at a time, using 16 15-rounds related-key differential characteristics with \(16 \cdot 2^{19.32}= 2^{23.32}\) operations. Then we use 4 14-rounds related-key differential characteristics to recover K[0] in \(2^{35.8}\) operations. By combining them, we obtain \(K[1]=K[0]\oplus WK\) and deduce K (composed of K[0] and K[1]), for a total complexity of \(2^{23.32} + 2^{35.8} \approx 2^{35.8}\).

Recovery of WK : The solvers give 16 different 15-rounds related-key differential characteristics, the corresponding related-key differentials are given in Appendix A. Each of them contains only one non-zero difference at the end of the 15th round (corresponding to \(\delta _{KA}[14]\) in Fig. 3), all at different positions.

Fig. 3.
figure 3

An example of a related-key differential characteristic provided by the solver.

Full size image

To be complete we need to give all the details our related-key differential characteristics. Minizinc finds optimal 2-rounds patterns with 1 active \(\text {Sbox}\) in all the odd rounds and none in the even rounds, as described in Fig. 4. Then the missing steps in Fig. 3 are 7.5 times the characteristic given in Fig. 4.

Fig. 4.
figure 4

An optimal 2-rounds related-key differential characteristic from Set 1 for Midori64, where r is an even round. Non-zero differences are represented as black and gray squares. It has 1 active \(\text {Sbox}\), for instance with and \(\blacksquare = 0x2\).

Full size image

In order to recover one word of WK, we use the corresponding values of \(\delta _K\), \(\delta _P\) and \(\delta _{KA}[14]\) given by the related-key differential characteristicsFootnote 9. First we randomly choose some plaintext P, and query the oracle for \(C=\mathsf {Enc}_K(0,P)\), and \(C^*=\mathsf {Enc}_K(\delta _K,P \delta _P)\). We compute \(\delta _C=C \oplus C^*\). We say that \(\delta _C\) is valid iff \(\forall i,j \in [0,3], \delta _{KA}[14][i][j]=0 \Rightarrow \delta _C[i][j] = \delta _{WK}[i][j]\). If \(\delta _C\) is valid then we compute \(\delta _{SB}[i][j]= \delta _C[i][j] \oplus \delta _{WK}[i][j]\) (where (ij) is the positions of the non-null difference). We now use the fact that for Midori64 the maximum value in the DDT is 4, i.e. every valid \(\delta _C\) yields at most 4 possible values for SB[i][j] (x in Algorithm 1), to obtain four candidates for \(WK[i][j] = SB[i][j] \oplus C[i][j]\). By repeating this process several times we can find the right candidate: it is the word that has the most occurrencesFootnote 10. This is formally described in Algorithm 1. This is done 16 times, one for each word of WK.

figure a

Complexity Analysis of Algorithm 1: Our aim is to determine how many times we need to repeat our attack in order to have the true key. To determine precisely this value denoted T, we follow the approach given in [16]. It uses the signal to noise ratio S / N introduced by Biham in [4]. It is defined as \(S/N= \frac{2^k \cdot p}{\alpha \cdot \beta }\), where k is the number of key bits that we want to recover (in our case, \(k=4\) since we aim to recover a word of 4 bits of the key), p is the probability of the related-key differential characteristic (for us \(p= 2^{-14}\)), \(\alpha \) is the number of key candidates suggested for each good pair (using the DDT, we have \(\alpha =4\)), and \(\beta \) is the ratio of the pairs that are not discarded. For \(\beta \) we have \(2^{-14}+2^{-60}\) since \(2^{-14}\) is the probability given by the solvers and \(2^{-60}\) corresponds to the false positives, i.e., pairs having the same difference pattern, with 4 bits of undetermined difference. Then we obtain \(S/N= \frac{2^k \cdot p}{\alpha \cdot \beta } =\frac{2^4 \cdot 2^{-14}}{ 4 \cdot (2^{-14}+2^{-60})}= \frac{2^{-10}}{2^{-12}+2^{-58}}\approx 4\). We denote by \(\mathsf {P_S}\) the probability to obtain the true key. We use the Eq. (19) of [16], where \(\varPhi \) denote the density probability function of the standard normal distribution, and \(\varPhi ^{-1}\) its inverse: \(\mathsf {P_S}=\varPhi \left( \frac{\sqrt{T \cdot S/N} - \varPhi ^{-1}(1-2^{-k})}{\sqrt{S/N+1}}\right) (19)\). Then we can obtain \(\mathsf {P_S}\) for given values of T, S / N and \(\alpha \). Note that since we repeat the analysis 16 times (one for each word of WK), we need to have \(\mathsf {P_S}^{16}\) sufficiently large as well. By numerical approximation we obtain \(T=20\approx 2^{4.32}\), which gives \(\mathsf {P_S}> 0.99\), and \(\mathsf {P_S}^{16} > 0.99\). Hence, using \(T \cdot p^{-1}\) plaintext pairs, we recover a key word with a probability greater than 0.99. The corresponding data complexity is then \(16 \cdot 2 \cdot 20 \cdot 2^{14} \approx 2^{23.32}\) chosen plaintexts, as well as 1 related key, for each related-key differential characteristic used.

figure b

Recovery of K [0]: Using WK previously computed thanks to the 15-rounds related-key differential characteristics, we decrypt the last round of Midori and obtain the state of the 14th round \(\delta _{KA}[14]\). Now we use other four 14-rounds related-key differential characteristics outputted by the solvers, one for each column of K[0], the corresponding related-key differentials are given in Appendix B. They have only one active Sbox in the last round and there is a characteristic for each position of the active word. Hence we obtain the value of \(\delta _{KA}[13]\). Similarly as in the case of Midori64, we can use the DDT to obtain 4 possibilities for a word of SB[13]. In the encryption function of Midori64, we have to apply the ShuffleCell (which does not influence our attack), then MixColumns which propagates the position of the 4 possibles values into different position. Then we need to guess all the remaining values for these 3 words of 4 bits in the column where the value has been shifted after the ShuffleCell. This leads us to a total of \(2^4\cdot 2^4 \cdot 2^4 \cdot 4 = 2^{14}\) possibilities. Each of these possibilities gives a candidate for 4 words of the key K[0] by xoring the obtained column of MC[13] and the corresponding column of KA[14], as described in Algorithm 2.

Complexity Analysis of Algorithm 2: This time \(k=4 \times 4=16\), \(p=2^{-14}\), \(\alpha =2^{14}\), \(\beta = 2^{-14}+2^{-60}\), then \(S/N= \frac{2^k \cdot p}{\alpha \cdot \beta } = \frac{2^{16} \cdot 2^{-14}}{2^{14} \cdot (2^{-14}+2^{-60})}= \frac{2^{-12}}{2^{-14}+2^{-58}}\approx 4\). Then by numerical approximation we find \(T=28\approx 2^{4.8}\), which gives \(\mathsf {P_S}> 0.99\), and \(\mathsf {P_S}^{4} > 0.99\). It gives us the time complexity of \(2 \cdot 4 \cdot 28\cdot 2^{14} \cdot 2^{14} =2^{35.8}\) and a data complexity of \(2 \cdot 4 \cdot 28\cdot 2^{14}=2^{21.8}\).

Midory128: The constraints programming solvers find 16 patterns similar to the one of Fig. 5, each of them having a different position for the active \(\text {Sbox}\). The corresponding related-key differentials are given in Appendix C. Hence, we can build 16 different 19-rounds related-key differential characteristics with 19 active \(\text {Sboxes}\) each, and each happening with probability \(2^{-38}\), to recover one word of WK per characteristic. We use a similar technique as for Midori64 for WK, since in Midori128 the key is K exactly WK.

Fig. 5.
figure 5

The optimal 1-round related-key differential characteristic for Midori128. There is 1 active \(\text {Sbox}\) that can be repeated to cover 19 rounds of Midori128, for instance with and \(\blacksquare = 0x1\).

Full size image

Complexity Evaluation: Here, we only need to use 16 related-key differential characteristics, so we want \(\mathsf {P_S}^{16} \ge 0.99\). To compute S / N, we use \(k=8\) as we recover a 8-bit word of the key for each related-key differential characteristic, \(p=2^{-38}\), \(\alpha = 64\) (according to the DDT), and \(\beta =2^{-38}+2^{-120}\). With these values, we have \(S/N=4\), and need \(T=25\approx 2^{4.7}\) to have \(\mathsf {P_S}^{16} > 0.99\). Thus, the data complexity of the attack is \(2 \cdot 25 \cdot 2^{38} \approx 2^{43.7}\) plaintexts and 16 related keys, and we need \(2^{43.7}\) encryptions.

5.2 Related-Key Distinguishers

A related-key distinguisher aims at distinguishing a cipher scheme from a Pseudo-Random Function (PRF) that represents an ideal cipher. We construct two distinguishers for Midori64 and for Midori128.

Midori64: Midori64 has related-key differential characteristics with 8 active \(\text {Sboxes}\), all of which can be crossed with the maximal probability \(2^{-2}\). Following the bound given in [1], we have that only \(\frac{\sqrt{2} }{p} = \frac{ \sqrt{2} }{2^{-18}} = 2^{18.5}\) are needed to distinguish Midori64 from a PRF, using the distinguisher given in Fig. 3. The equivalent complexity to find for a PRF is \(2^{26}\) operations (following the formula given in [10]). Thus, we are able to distinguish Midori64 from a PRFFootnote 11.

figure c

Midori128: As for Midori64, there exist patterns that can be repeated to cover the whole cipher. The optimal ones only contain one active \(\text {Sbox}\) per round, e.g., Fig. 5, hence leading to 20-rounds distinguishers with 20 active \(\text {Sboxes}\). Since these \(\text {Sboxes}\) can be crossed with maximal probability (\(2^{-2}\)), the probability of the distinguisher is \(2^{-40}\). Hence, distinguishing Midori128 from a PRF, using Algorithm 3, can be done with \(\frac{\sqrt{2}}{p}=2^{39.5}\) encryptions of plaintext pairs whereas the equivalent complexity to find such a structure for a PRF is \(2^{52}\), again with the formula given in [10].

6 Conclusion

In this paper, we give a practical related-key attack on Midori64, improving the existing key recovery attack from \(2^{116}\) for 14 rounds to \(2^{35.8}\) for the full 16 rounds cipher. We also are able to provide the first related-key attack on Midori128 with a complexity of \(2^{43.7}\). In order to construct such impressive practical attacks, we model Midori with constraint programming. The constraint programming solvers help us determine the minimal number of active Sboxes in a few hours, and then to derive optimal related-key differential characteristics in a few seconds.

Finally we propose two efficient distinguishers for Midori64 and Midori128. In the future, we aim at exploring how CP can be used to perform some related-key cryptanalysis on other symmetric encryption schemes.