Meet-in-the-Middle Attacks on Reduced-Round Midori-64

Midori is a lightweight block cipher designed by Banik et al. at ASIACRYPT 2015. One version of Midori uses a 64-bit state, another uses a 128-bit state and we denote these versions Midori-64 and Midori128. Each of these versions uses a 128-bit key. In this paper, we focus on the key-recovery attacks on reduced-round Midori-64 with meet-in-themiddle method. We use the differential enumeration technique and keydependent sieve technique which are popular to analyze AES to attack Midori-64. We propose a 6-round distinguisher, and achieve a 10-round attack with time complexity of 2 10-round Midori-64 encryptions, data complexity of 2 chosen-plaintexts and memory complexity of 2 64-bit blocks. After that, by adding one round at the end, we get an 11-round attack with time complexity of 2 11-round Midori-64 encryptions, data complexity of 2 chosen-plaintexts and memory complexity of 2 64-bit blocks. Finally, with a 7-round distinguisher, we get an attack on 12-round Midori-64 with time complexity of 2 12round Midori-64 encryptions, data complexity of 2 chosen-plaintexts and memory complexity of 2 64-bit blocks. To the best of our knowledge, this is recently the best attack on Midori-64.