Revisited Security Evaluation on Midori-64 against Differential Cryptanalysis

Abstract

In this paper, the Mixed Integer Linear Programming (MILP) model is improved for searching differential characteristics of block cipher Midori-64, and 4 search strategies of differential path are given. By using strategy IV, set 1 S-box on the top of the distinguisher to be active, and set 3 S-boxes at the bottom to be active and the difference to be the same, then we obtain a 5-round differential characteristics. Based on the distinguisher, we attack 12-round Midori-64 with data and time complexities of 2⁶³ and 2^103.83, respectively. To our best knowledge, these results are superior to current ones.

1. Introduction

With the development of Information Technology and the improvement of wireless communication technologies, a lot of lightweight cipher algorithms have sprung up, such as LED, Piccolo, Midori [1], SKINNY, PRESENT, GIFT and KLEIN.

At present, some MILP models are used in the cryptanalysis of encryption algorithms, such as differential cryptanalysis, conditional differential cryptanalysis [2] and ID (impossible differential) cryptanalysis. MILP is the most important method in optimization. In 2011, the MILP model was applied to count the total of active S-boxes by Mouha et al. [3]. Then, Sun et al. improved this technique to look for differential paths [4], whose core thought is to depict all differential patterns of nonlinear layer by some linear inequalities, optimize and reduce the number of inequalities in 2014. Xiang et al. put the MILP method to several lightweight block ciphers [5]. Sasaki et al. looked for ID trail at EUROCRYPT 2017 [6]. In 2013, Sun et al. gave a 12-round differential path of PRESENT-80 [7]. Further, Sun et al. gave a method to look for the the high probability differential trail in 2014 [8]. Zhu et al. gave a 19-round differential cryptanalysis about GIFT-64 by a 12-round differential distinguisher [9]. In 2019, Cao et al. presented a 13-round differential trail of related-key based on MILP and attacked on 20-round of GIFT-64 [10].

Midori [1] is a lightweight ciphers presented at Asiacrypt 2015. It has been favored by many cryptographers since its release.

The research work of the distinguisher is as follows. In 2018, Zhang et al. gave a 7-round integral distinguisher [11]. In 2020, Moghaddam et al. showed the truncated differential characteristics for 4/5/6-round Midori-64 with the probability of 2^-12/2^-24/2^-52 [12]. In 2021, Sun et al. gave a novel model based on SAT to search for the differential distinguisher [13]. Derbez et al. presented 6/7/9-round integral distinguishers with 2¹⁵/2⁴⁵/2⁶³ chosen plaintexts relying on MILP or SAT solvers [14]. In 2022, Li et al. gave the best valid 5/6-round differential distinguishers based on SAT with the probability of 2^-46/2^-60 [15]. Kim et al. demonstrated the optimization of the search algorithm by obtaining the best differential and linear trails of some block ciphers [16]. In 2023, Baksi et al. provided a solution to search for differential distinguishers utilizing neural networks and support vector machines [17].

The above researches only give the solution of search distinguishers, but does not give the specific cryptanalysises of cipher algorithm. Among them, [16] only greatly improves the search speed, and does not give the specific distinguishers. The probabilities of these distinguishers in [12] and [15] are higher than those in this paper, but the characteristics of these distinguishers are not easy to spread and cannot attack more rounds.

In terms of related key attacks： Dong et al. gave a related-key differential cryptanalysis [18]. Gerault et al. attacked a 16-round Midori-64 utilizing a 15-round differential trail of related-key [19]. The related-key attack is weak because it assumes that part of the key could be modified, which might not be suitable for the practical scenario. Contrarily, our attack method is single key attack.

In terms of weak key attacks：Guo et al. presented an invariant subspace attack against full Midori-64 with 2³² weak key setting in 2016 [20]. Todo et al. provided an non-linear invariant attack against full Midori-64 with 2⁶⁴ weak key setting [21]. In 2020, Beyne gave a 10-round integral cryptanalysis with 2⁹⁶ weak keys and the data and time complexities of 2^21.3 and 2⁵⁶ [22]. These methods only verify if the key is one of the weak keys that satisfy certain conditions. They are not universal because the true keys may not be one of these weak keys.

The research work on single-key attack is as follows. In 2015, Lin et al. attacked on Midori-64 utilizing MITM distinguisher [23]. In 2016, Chen et al. presented a cryptanalysis using ID distinguisher [24]. In 2019, Li et al. showed an 11-round impossible differential cryptanalysis with data and time complexities of 2^60.8 and 2^121.4 [25]. In 2020, Zhao et al. gave an 11-round differential cryptanalysis with data and time complexities of 2^55.6/2^61.2 and 2^109.35/2^100.26 [26]. In 2023, Liu et al. gave an 11-round impossible differential cryptanalysis with data and time complexities of 2⁶⁰ and 2^116.59 [27].

In this paper, we listed a 12-round differential cryptanalysis on Midori-64 with data and time complexities of 2⁶³ and 2^103.83. We use single key attack which is an efficient attack, and give the details of the attack process and complexity calculation. Compared to [23], their computational complexity of 12-round attack is 2^125.5, and our complexity is 2^103.82, almost 2²² times that of ours. So, we have an absolute advantage. Compared to [24,25,27], the maximum number of rounds they attack are 10/11/11-round respectively, and ours is 12-round. At the same time, the computational complexity of our attack is much less than those of [25] and [27]. Compared to [26], we attack more one round than it.

Compared with [18] and [19], especially [19], they have great advantages in terms of the number of rounds, data complexity and computation complexity over us. However, their attack is the related-key attack which is weak. The principle of related key attack is to set the difference on the key, which is not easy to operate in practice. Contrarily, our attack method is single key attack which is a more effective attack method than related-key attack.

All the results of cryptanalysis of Midori-64 are summarized in Table 1.

Table 1. Summary of attacks on Midori-64

1.1 Our Contributions

In this paper, we mostly optimize the MILP model to look for the optimal differential paths in order to attack the longer rounds of cipher algorithms.

(1) We describe accurately the linear layer and the nonlinear layer to look for differential characteristics by some inequalities. Then the objective function is the maximal differential probability.

(2) Four search strategies of differential path are given. We present several 5-round differential distinguishers of Midori-64 with the probability of 2^-46, 2^-52, 2^-58, respectively. We find that different differences can be changed into the same difference through the S-box with a high probability. Then, set 1 S-box on the top of the distinguisher to be active, and set 3 S-boxes at the bottom to be active and the difference to be the same. We find a 5-round differential distinguishers which can be extended back for four rounds, and its probability is no less than 2^-62. Through analyzing these four differential search strategies in deep, we find that the fourth differential distinguisher has the highest efficiency, and can attack a 12-round Midori-64.

(3) Taking advantage of the fact that the three differences at the end of the distinguisher are the same, we give a 12-round differential cryptanalysis of Midori-64 with computational complexity of 2^103.83 and data complexity of 2⁶³. We can take the differential cryptanalysis on Midori-64 one round further. Our results have the longest number of rounds, low data complexity and time complexity in single-key attacks.

1.2 Organization

The structure of the paper is as follows. The related works about MILP method are listed in Section 2. The brief description of Midori-64 and its MILP Model are described in Section 3. Section 4 presents some 5-round distinguishers of Midori-64. Differential cryptanalysis on 12-round Midori-64 is discussed in Section 5. Finally, we draw our conclusions.

2. Preliminaries

2.1 Notations

P, C, M : plaintexts, ciphertexts, the internal states.

∆P, ∆C, ∆M : the difference in plaintexts, ciphertexts, the internal states.

S_i : the i-th S-box.

X_r, Y_r, Z_r, W_r : the internal state of the r-th round.

? : uncertain difference.

* : any non-zero difference.

2.2 Word-Oriented Related Work

Mouha et al.[3] used the MILP model earlier to count the total of active S-boxes. If there is a difference at any position in the word, the word is active.

Definition 1. Let ∆ = (∆₀, ∆₁, ∆₂ ⋯, ∆_n-1), ∆_i is a byte. Then, the difference vector x = (x₀, x₁, x₂ ⋯, x_n-1), x_i is a bit, corresponding to ∆ is as follows:

\(\begin{align}x_{i}=\left\{\begin{array}{ll}1, & \text { there is a difference in any bit of } \Delta_{i}, \\ 0, & \text { otherwise. }\end{array}\right.\end{align}\)       (1)

\(\begin{align}S_{i}=\left\{\begin{array}{l}1, \quad \text { the } S \text { - Box marked by } S_{i} \text { is an active, } \\ 0, \quad \text { otherwise. }\end{array}\right.\end{align}\)       (2)

According to Definition 1, they formed the XOR and the linear transformation models.

Modeling the Linear Transformation. Let the input and outpue difference of linear transformation L be (x₀, x₁, x₂⋯, x_m-1) and (y₀, y₁, ⋯, y_m-1) respectively. In addition, let the differential branch number be B_D. These symbols should comply with the following regulations:

\(\begin{align}\left\{\begin{array}{l}\sum_{i=0}^{m-1} x_{i}+\sum_{i=0}^{m-1} y_{i} \geq B_{D} d_{L} \\ x_{i} \leq d_{L}, \quad y_{i} \leq d_{L}, i \in\{0,1,2, \ldots, m-1\}\end{array}\right.\end{align}\)       (3)

where d_L ∈{0,1} , a dummy variable.

2.3 Bit-Oriented Related Work

Sun et al. [4] presented a scheme to describe all differential patterns for the S-box, which improved Mouha’s work [3] to bit-oriented ciphers. They constructed the S-box operation model.

Describing the S-Box Operation. Let (x₀, x₁, x₂⋯, x_m-1) and (y₀, y₁, ⋯, y_m-1) be the input and output bit-level differences respectively. S = 1 holds if and only if (x₀, x₁, x₂⋯, x_m-1) are not all zero (i.e. S is active), where S ∈{0,1} , a dummy variable.

\(\begin{align}\left\{\begin{array}{l}S-x_{i} \geq 0, i \in\{0,1, \cdots, m-1\} \\ \sum x_{i}-S \geq 0\end{array}\right.\end{align}\)       (4)

3. Brief Description of Midori-64 and Its MILP Model

3.1 Description of the Midori-64 Cipher

Midori is a SPN block cipher and its overall structure is shown in Fig. 1. The state M (64 bits) of Midori-64 consists of 16 nibbles as follows:

\(\begin{align}M=\left[\begin{array}{llll}m_{0} & m_{4} & m_{8} & m_{12} \\ m_{1} & m_{5} & m_{9} & m_{13} \\ m_{2} & m_{6} & m_{10} & m_{14} \\ m_{3} & m_{7} & m_{11} & m_{15}\end{array}\right].\end{align}\)

Fig. 1. The Round Function of Midori

Round Function. the round function is composed of the following 4 steps.

(1) SubCell: all 16 nibbles use the same S-box (Sb₀).

(2) ShuffleCell: the shufflecell operation is 16 nibbles out of order, and the rule is as follows: (z₀, z₁, z₂, ⋯, z₁₅) ← (y₀, y₁₀, y₅, y₁₅, y₁₄, y₄, y₁₁, y₁, y₉, y₃, y₁₂, y₆, y₇, y₁₃, y₂, y₈).

(3) MixColumn: a 4 × 4 involution matrix M (almost MDS matrix) is multiplied by 4 columns of the internal state as follows:

\(\begin{align}\left[\begin{array}{c}w_{i} \\ w_{i+1} \\ w_{i+2} \\ w_{i+3}\end{array}\right]=\left[\begin{array}{llll}0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0\end{array}\right] \cdot\left[\begin{array}{c}z_{i} \\ z_{i+1} \\ z_{i+2} \\ z_{i+3}\end{array}\right].\end{align}\)

(4) KeyAdd: calculates the bitwise XOR of the internal state M and RK_i. The master Key K contains k₀ and k₁, where WK = k₀ ⊕ k₁ ⊕ and RK_r = k_{r mod2} ⊕ α_r, 0 ≤ r ≤ 14. α_r is the round constant.

3.2 A precise description of S-Box

The numbers in Table2 are 16, 4, 2 and 0, i.e., the possible propagation probabilities 1 (16/16), 2^-2 (4/16 = 1/4), 2^-3(2/16 = 1/8) and 0. Let's introduce two variables: (p₀, p₁). The difference pattern can be represented as follows.

 \(\begin{align}\left\{\begin{array}{l}\left(p_{0}, p_{1}\right)=(0,0) \text {, if } \operatorname{Pr}_{s}\left[\left(x_{0}, x_{1}, x_{2}, x_{3}\right) \rightarrow\left(y_{0}, y_{1}, y_{2}, y_{3}\right)\right]=16 / 16=1 \\ \left(p_{0}, p_{1}\right)=(0,1) \text {, if } \operatorname{Pr}_{s}\left[\left(x_{0}, x_{1}, x_{2}, x_{3}\right) \rightarrow\left(y_{0}, y_{1}, y_{2}, y_{3}\right)\right]=2 / 16=2^{-3} \\ \left(p_{0}, p_{1}\right)=(1,0) \text {, if } \operatorname{Pr}_{s}\left[\left(x_{0}, x_{1}, x_{2}, x_{3}\right) \rightarrow\left(y_{0}, y_{1}, y_{2}, y_{3}\right)\right]=4 / 16=2^{-2}\end{array}\right.\end{align}\)      (5)

Table 2. DDT of Midori-64 S-Box

 For example, the ninth row and the ninth column of DDT (Table 2) is 2. It means that the probability for ∆_in(= 1001) with the corresponding ∆_out(= 1001) is 2/16=2^-3. We represent it with (1, 0, 0, 1, 1, 0, 0, 1, 0, 1). Similarly, the probability of (0, 0, 0, 1, 0, 0, 1, 0, 1, 0) is 4/16=2^-2. Various differential modes of this S-box can be represented with the following 97 points. [0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [0, 0, 0, 1, 0, 0, 1, 0, 1, 0], [0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [0, 0, 0, 1, 0, 1, 0, 1, 0, 1],……, [1, 1, 1, 1, 0, 1, 1, 0, 0, 1], [1, 1, 1, 1, 1, 0, 1, 0, 1, 0], [1, 1, 1, 1, 1, 0, 1, 1, 0, 1], [1, 1, 1, 1, 1, 1, 1, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 0].

We can represent the 97 points above with 1304 linear inequalities whose forms are as follows. Then, 26 inequalities are left by optimizing.

\(\begin{align}\left\{\begin{array}{l}\alpha_{0,0} x_{0}+\alpha_{0,1} x_{1}+\alpha_{0,2} x_{2}+\alpha_{0,3} x_{3}+\alpha_{0,4} y_{0}+\alpha_{0,5} y_{1}+\alpha_{0,6} y_{2}+\alpha_{0,7} y_{3}+\alpha_{0,8} p_{0}+\alpha_{0,9} p_{1}+\gamma_{0} \geq 0, \\ \alpha_{1,0} x_{0}+\alpha_{1,1} x_{1}+\alpha_{1,2} x_{2}+\alpha_{1,3} x_{3}+\alpha_{1,4} y_{0}+\alpha_{1,5} y_{1}+\alpha_{1,6} y_{2}+\alpha_{1,7} y_{3}+\alpha_{1,8} p_{0}+\alpha_{1,9} p_{1}+\gamma_{1} \geq 0, \\ \cdots \\ \alpha_{n-1,0} x_{0}+\alpha_{n-1,1} x_{1}+\alpha_{n-1,2} x_{2}+\alpha_{n-1,3} x_{3}+\alpha_{n-1,4} y_{0}+\alpha_{n-1,5} y_{1}+\alpha_{n-1,6} y_{2}+\alpha_{n-1,7} y_{3}+\alpha_{n-1,8} p_{0}+\alpha_{n-1,9} p_{1}+\gamma_{n-1} \geq 0 .\end{array}\right.\end{align}\)       (6)

Finally the target function is the maximum probability, i.e., ∑_min(2⋅p₀ + 3⋅p₁).

3.3 Modeling the ShuffleCell Operation (SFC)

Assume the ∆_in and ∆_out of ShuffleCell operation be (y₀, y₁, y₂, y₃, ⋯, y₆₁, y₆₂, y₆₃) and (z₀, z₁, z₂, z₃, ......, z₆₁, z₆₂, z₆₃). 64 equalities can describe the Shuffle operation as follows:.

\(\begin{align}\left\{\begin{array}{c}y_{0}-z_{0}=0 \\ y_{1}-z_{1}=0 \\ \vdots \\ y_{62}-z_{14}=0 \\ y_{63}-z_{15}=0\end{array}\right.\end{align}\)       (7)

3.4 Modeling the Multiple Bit XOR Operation

We transform the MC matrix into a bit matrix as follows:

\(\begin{align}\left[\begin{array}{llllllllllllllll}0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0\end{array}\right]\end{align}\)

Assume the the ∆_in and ∆_out of MixColumn operation be (x₀, x₁, x₂, x₃, ⋯, x₆₁, x₆₂, x₆₃) and (y₀, y₁, y₂, y₃, ⋯, y₆₁, y₆₂, y₆₃). Since y₀ = x₄ + x₈ + x₁₂, we add intermediate variable u₁, s.t. u₁ = x₄ + x₈, y₀ = u₁ + x₁₂. So y₀ can be described by these inequalities as follows:

\(\begin{align}\left\{\begin{array}{l}x_{4}+x_{8}-u_{1} \geq 0 \\ x_{4}-x_{8}+u_{1} \geq 0 \\ -x_{4}+x_{8}+u_{1} \geq 0 \\ x_{4}+x_{8}+u_{1} \leq 2 \\ x_{12}+u_{1}-y_{0} \geq 0 \\ x_{12}-u_{1}+y_{0} \geq 0 \\ -x_{12}+u_{0}+y_{0} \geq 0 \\ x_{12}+u_{1}+y_{0} \leq 2\end{array}\right.\end{align}\)       (8)

4. Experimental Results of 5-Round for Midori-64

We can obtain the solution of the model through the Cplex optimizer. We can get the results of 5-round distinguishers for Midori-64 in 5 minutes, and these results are summarized in Table 3 to Table 5. There are 4 differential distinguishers with the probability of 2^-46, 2^-52, 2^-58 and 2^-62 by different strategies.

Table 3. Summary of Differential Path for Midori-64

Table 4. Two 5-round Differential Paths with the Probability of 2^-46 and 2^-52

Table 5. Two 5-round Differential Paths with the Probability of 2^-58 and 2^-62

δ ∈{5, A, D, F}

4.1 Strategy I (3 Active S-boxes)

Let three S-boxes be active at the top of these distinguishers, and one S-box is active after one round, where the positions of these three S-boxes are in any set of {0,5,10,15} , {1,4,11,14} , {3,6,9,12} and {2,7,8,13} . So there are 16 modes. The feature of the distinguishers is that the three active S-boxes must be on the same column after SFC operation. So, the total of active S-boxes in the first 5 rounds is 3,1,3,9,7, respectively. According to the rule of DDT, the maximum probability of differential transmission can be obtained as follows: 0xa ⇌ 0xa , 0xb ⇌ 0xb , 0xe ⇌ 0xe , 0xf ⇌ 0xf , 0x1 ⇌ 0x2 , 0x2 ⇌ 0x4 , 0x2 ⇌ 0x9 , 0x2 ⇌ 0xc , 0x3 ⇌ 0x6 , 0x5 ⇌ 0x7 , 0x5 ⇌ 0xa , 0x7 ⇌ 0xd , 0xa ⇌ 0xd , and 0xa ⇌ 0xf (14 cases). So, the probability of the distinguishers is 2^-2*23 = 2^-46.

The characteristics of these distinguishers are as follows. Full diffusion is achieved by extending forward 2 rounds and backward 2 rounds. So, we can attack a 9-round Midori-64 based on these distinguishers which have a high probability and a low number of extended rounds. An example of this type of distinguishers are shown in the left of Table 4.

4.2 Strategy II (2 Active S-boxes)

Let two S-boxes be active at the top of these distinguishers, and they are still active after one round, where the positions of these two S-boxes are in any set of {0,5,10,15} , {1,4,11,14} , {3,6,9,12} and {2,7,8,13} . So there are 24 modes. The feature of the distinguishers is that the total of active S-boxes in the first 5 rounds is 2,2,6,10,6, respectively.

The characteristics of these distinguishers are as follows. Two active S-boxes can be transformed into the same column after SFC operation of the first round. After 5 rounds, there is no difference in one column, and there are 2 differences in other columns. Full diffusion is achieved by extending forward 3 rounds and backward 3 rounds. So, we can attack a 11-round Midori-64. An example of the type is shown in the right of Table 4.

4.3 Strategy III (1 Active S-boxes)

Let one S-box be active at the top of these distinguishers, and they is no other requirements. The distinguishers can extend forward 3 rounds. So, we can attack an 11-round Midori-64. An example of the type is shown in the left of Table 5.

4.4 Strategy IV (1 Active S-boxes)

Let one S-box is active at the top of these distinguishers, and there are three active S-boxes after 5-round. These three S-boxes must be transformed into the same column after SFC operation. The distinguisher can extend forward 3 rounds and backward 4 rounds. So, we can attack a 12-round Midori-64. An example of the type is shown in the right of Table 5 and Fig. 2.

Fig. 2. A 5-round Differential Path of Midori-64 with Probability of 2^-62

Obviously, the positions of the differential cells on the bottom of the distinguisher are special. Then we can choose it to attack Midori-64.

5. Differential Attack on 12-Round Midori-64

5.1 The Property of Round Function

Property 1. Let P((?,?,?,?) → (?,?,?,0)) represent P(SC(?,?,?,?) → (MC(?,?,?,?) = (?,?,?,0))), where * ∈ {1,2,3,4,......,15} (i.e. * is any nonzero difference) and ? ∈ {*∪{0}}, we can obtain the following probabilities easily.

\(\begin{align}\left\{\begin{array}{l}P((?, ?, ?, ?) \rightarrow(?, 0, ?, ?))=\frac{1}{16}=2^{-4} \\ P\left((?, ?, ?, ?) \rightarrow\left\{\begin{array}{l}(*, 0, *, *) \\ (0, *, *, *)\end{array}\right)=\left(\frac{15}{16}\right)^{3} \times \frac{1}{16} \approx 2^{-4.28}\right.\end{array}\right.\end{align}\)       (9)

\(\begin{align}P\left(\left\{\begin{array}{l}(?, ?, *, *) \\ (?, *, ?, *) \\ (?, *, *, ?)\end{array} \rightarrow\left\{\begin{array}{l}(0,0, *, *) \\ (0, *, 0, *) \\ (0, *, *, 0)\end{array}\right)=\left(\frac{1}{16}\right)^{2}=2^{-8}\right.\right.\end{align}\)       (10)

\(\begin{align}P\left(\left\{\begin{array}{l}(?, ?, ?, 0) \\ (?, ?, 0, ?) \\ (?, 0, ?, ?) \\ (0, ?, ?, ?)\end{array} \rightarrow\left\{\begin{array}{l}(0,0,0, ?) \\ (0,0, ?, 0) \\ (0, ?, 0,0) \\ (?, 0,0,0)\end{array}\right)=\left(\frac{1}{16}\right)^{2}=2^{-8}\right.\right.\end{align}\)       (11)

Property 2. If there is input differences(not necessarily equal) of S-box in 3 nibbles, and the output difference is identical, we can also get the following formulas, where ∆_i ∈ {1,2,3,4,......,15}.

\(\begin{align}P\left(\left\{\begin{array}{l}(*, *, *, 0) \\ (*, *, 0, *) \\ (*, 0, *, *) \\ (0, *, *, *)\end{array} \rightarrow\left\{\begin{array}{l}\left(\Delta_{i}, \Delta_{i}, \Delta_{i}, 0\right) \\ \left(\Delta_{i}, \Delta_{i}, 0, \Delta_{i}\right) \\ \left(\Delta_{i}, 0, \Delta_{i}, \Delta_{i}\right) \\ \left(0, \Delta_{i}, \Delta_{i}, \Delta_{i}\right)\end{array}\right)=\left(\frac{1}{15}\right)^{2} \approx 2^{-7.81}\right.\right.\end{align}\)       (12)

5.2 Attack on 12-Round Midori-64

We can attack 12-round Midori-64 taking the advantage of the 5-round differential characteristic (δ , 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)→ (0, 0, A, 0, 0, 0, 0, A, A, 0, 0, 0, 0, 0, 0, 0) in Table 5 and Fig. 2, where δ ∈{5, A, D, F}.

The biggest advantage of this distinguisher is the positions of ’A’ because the three ’A’ can be in the same column after the operation of SFC. Then we can extend 4 rounds at the end of the distinguisher. Since only one cell is active at the beginning of the distinguisher, we can extend forward for 3 rounds (Fig. 3). The attack steps are as following.

Fig. 3. 12-Round Differential Attack on Midori-64

1. Data Collection. Choose any 2ⁿ plaintexts to compose 2^2n-1 plaintext pairs. We can calculate these plaintext combinations to the intermediate state W₁. Since P((?,?,?,?) → (0,*,*,*)) = 2^−4.28 (Property 1), we can discard some ineligible pairs through ∆W₁[0,1,2,3] = {0,*,*,*} (Fig. 3). Similarly, we can discard some pairs through ∆W₁[4,5,6,7] = {0,0,*,* }, ∆W₁[8,9,10,11] ={0,*,0,*} and ∆W₁[12,13,14,15] = {0,*,*,0}.

Therefore, in the phase, we can obtain 2^{2n-1-4.28-8*3} = 2^2n-29.28 plaintext/cipertext combinations without infer any of keys.

2. The Master Key Recovery.

(1) First of all, we guess 12 bits K₀[2,7,13]. Since P((*,*,0,*)→(∆₃,∆₃,0,∆₃)) = 2^-7.81(Property 2), we can throw away some ineligible pairs through ∆X₂[2,7,8,13] = {*,*,0,*} and ∆Y₂[2,7,8,13] = {∆₃,∆₃,0,∆₃} (Fig. 3).

Similarly, infer K₀[1,11,14] and K₀[3,6,9]. We can discard some pairs through (∆X₂[1,4,11,14] = {*,0,*,*}) → (∆Y₂[1,4,11,14] = {∆₁,0,∆₁,∆₁}) and (∆X₂[3,6,9,12] = {*,*,*,0} → (∆Y₂[3,6,9,12] = {∆₂,∆₂,∆₂,0}), respectively. So, the total of the left combinations is 2^{2n-29.28-7.81*3} = 2^2n-52.17.

(2) Subsequently, infer K₁[5], K₁[10] and K₁[15] one by one in the 3rd round,. We can filter pairs by ∆Y₃[5] = ∆Y₃[10] = ∆Y₃[15] = δ, where δ ∈ {5, A, D, F} and the probability is \(\begin{align}\frac{4}{15} \times \frac{1}{15} \times \frac{1}{15} \approx 2^{-9.72}\end{align}\). There are 2^2n-62.43 combinations left.

(3) In the 12th round, infer MC^-1(K₁)[0,1,2,3,4,6,7,8,9,11,12,13,14]. Then decrypt the eligible combinations to the intermediate state W₁₁. We can use the probability 2^-4 of ∆W₁₁[0,1,2,3] = ∆W₁₁[4,5,6,7] = ∆W₁₁[8,9,10,11] = ∆W₁₁[12,13,14,15] = {?,0,?,?}, to filter combinations. After this round, we can obtain 2^2n-78.43 eligible pairs.

(4) Similarly, infer MC^-1(K₀)[0,4,8,10,12,15]. We can filter pairs by ∆W₁₀[0,1,2,3] = {0,0,0,?}, ∆W₁₀[4,5,6,7] = {?,0,0,0}, ∆W₁₀[8,9,10,11] = {0,0,?,0} and ∆W₁₀[12,13,14,15] = {0,?,0,0}, and the probability of (2^-8)⁴ = 2^-32 (Property 1). Then we can obtain 2^2n-110.43 eligible pairs.

(5) Decrypt these eligible combinations to the intermediate state W₉ and use the probability 2^-4.28 of ∆W₉[12,13,14,15] = {*,0,*,*} to filter pairs. So, the total of the left combinations is 2^2n-114.71.

(6) Finally, decrypt the remaining combinations to the intermediate state X₉ and we can filter combinations through ∆X₉[2,7,8] = {A,A,A} one by one. The probability of this round is \(\begin{align}\frac{1}{15} \times \frac{1}{15} \times \frac{1}{15} =2^{-11.73}\end{align}\). There are 2^2n-126.44 eligible combinations left.

5.3 Complexity Analysis

1. Data Complexity. Let n = 63, and we can select the correct key from the candidate keys well. For the correct one, there are 2^{2*63-62.43-62} ≈ 3 combinations left. However, 2^2*63-126.44 ≈ 2^-0.44 combinations remain for a random key. This will be able to pick out the correct key. Note: the probability of the 5-round distinguisher and the first three rounds are is 2^-62 and 2^-61.43, Correspondingly. So, the data complexity is 2⁶³ chosen plaintexts..

2. Calculation Complexity.

There are 2^2n-29.28 = 2^96.72 eligible combinations remained after the step of data collection.

(1) In the first round, guess 12 bits K₀[1,11,14], the computation complexity is \(\begin{align}2^{96.72} \times 2 \times 2^{12} \times \frac{3}{16} \times \frac{1}{12} \approx 2^{103.82}\end{align}\) 12-round encryptions. There are 2^88.91 suitable pairs left.

Similarly, guess K₀[2,7,13], and the computation complexity is \(\begin{align}2^{88.91} \times 2 \times 2^{12} \times \frac{3}{16} \times \frac{1}{12} \approx 2^{95.91}\end{align}\) 12-round encryptions. There are 2^81.10 suitable pairs left.

Then, guess K₀[3,6,9], and the computation complexity is 2^88.10 12-round encryptions. There are 2^73.29 suitable pairs left.

(2) Infer 12 bits K₁[5,10,15] in the second round, and the computation complexity is \(\begin{align}2^{73.29} \times 2 \times 2^{12} \times \frac{3}{16} \times \frac{1}{12} \approx 2^{82.29}\end{align}\) 12-round encryptions.

Because the complexity of the last four rounds is trivial compared to the first three rounds, we can ignore it. Thus, the total time complexity is 2^103.83 12-round encryptions.

6. Conclusion

In the paper, we mostly optimize the MILP model to look for the optimal differential paths in order to attack the longer rounds of Midori-64.

(1) We describe accurately the linear layer and the nonlinear layer to look for differential characteristics by some inequalities. Then the objective function is the maximal differential probability.

(2) Four search strategies of differential path are given. We present several 5-round differential distinguishers of Midori-64 with the probability of 2^-46, 2^-52, 2^-58, respectively. We find that different differences can be changed into the same difference through the S-box with a high probability. Then, set 1 S-box on the top of the distinguisher to be active, and set 3 S-boxes at the bottom to be active and the difference to be the same. We obtain a 5-round differential distinguishers which can be extended back for four rounds, and its probability is no less than 2^-62.

(3) Taking advantage of the fact that the three differences at the end of the distinguisher are the same, we give a 12-round differential cryptanalysis of Midori-64 with computation complexity of 2^103.83 and data complexity of 2⁶³. We can take the differential cryptanalysis on Midori-64 one round further.

(4) Since the schedule of the round key is particularly simple, and we can easily to get the related-key differential distinguisher through extra 128 bit key variables.