Source code (requires Sage):

Test code for the almost-Midori-64 invariant.

Implementation of Algorithm 1 in the paper.

Other source code (attack on Midori-64/Mantis-4) is available on request.

Errata:

There is a typo (inconsistent numbering of variables) in the expressions for \(h^{(\cdot)}\) on page 24. The correct expressions for \(h^{(00)}\) and \(h^{(01)}\) are those listed on page 18. For \(h^{(11)}\) and \(h^{(10)}\) the expressions should be:
\[\begin{aligned}
h^{(11)}(x_1, x_2, x_3, x_4) &= x_2 x_4 + x_1 + x_2 + x_3\\
h^{(10)}(x_1, x_2, x_3, x_4) &= x_1 x_2 x_3 + x_1 x_3 x_4 + x_2 x_3 x_4 + x_1 x_4 + x_2 x_4 + x_2 + x_3 + x_4
\end{aligned}\]

In Table 4 (Appendix 1), the following invariants should be added:
\[\begin{aligned}
v_1 &= (0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0)^T\\
v_2 &= (0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0)^T\\
v_3 &= (0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1)^T.
\end{aligned}\]
Each of these holds for \(2^{64}\) weak keys (with appropriate round constants) and is of Type II. In addition, the invariants
\[\begin{aligned}
v_1' &= (1, 0, 0, 0, -1, 0, 0, 0, -1, 0, 0, 0, \hphantom{-}1, 0, 0, 0)^T\\
v_2' &= (1, 0, 0, 0, \hphantom{-}1, 0, 0, 0, \hphantom{-}1, 0, 0, 0, -1, 0, 0, 0)^T,
\end{aligned}\]
may be removed since they are essentially duplicates (equal to \(C^Sv\) for some other \(v\) in the table).

This page was last modified on 11/08/2019.