Truncated and Multiple Differential Cryptanalysis of Reduced Round Midori128

Midori is a family of SPN-based lightweight block ciphers designed to optimize the hardware energy consumption per bit during the encryption and decryption operations. At ASIACRYPT 2015, two variants of the cipher, namely Midori128 and Midori64, which support a 128-bit secret key and a 64/128-bit block, respectively, were proposed. Recently, a meet-in-the-middle attack and an invariant subspace attack were presented against Midori64 but both attacks cannot be applied to Midori128. In this paper, we present truncated and multiple differential cryptanalysis of round reduced Midori128. Our analysis utilizes the special structure of the S-boxes and binary linear transformation layer in order to minimize the number of active S-boxes. In particular, we consider differentials that contain only single bit differences in the input and output of the active S-boxes. To keep this single bit per S-box patterns after the MixColumn operation, we restrict the bit differences of the output of the active S-boxes, which lie in the same column after the shuffle operation, to be in the same position. Using these restrictions, we were able to find 10-round differential which holds with probability 2−118. By adding two rounds above and one round below this differential, we obtain a 13 round truncated differential and use it to perform a key recovery attack on the 13-round reduced Midori128. The time and data complexities of the 13-round attack are 2 encryptions and 2 chosen plaintext, respectively. We also present a multiple differential attack on the 13-round Midori128, with time and data complexities of 2 encryptions and 2 chosen plaintext, respectively.