Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Block Cipher Invariants as Eigenvectors of Correlation Matrices


A new approach to invariant subspaces and nonlinear invariants is developed. This results in both theoretical insights and practical attacks on block ciphers. It is shown that, with minor modifications to some of the round constants, Midori-64 has a nonlinear invariant with \(2^{96} + 2^{64}\) corresponding weak keys. Furthermore, this invariant corresponds to a linear hull with maximal correlation. By combining the new invariant with integral cryptanalysis, a practical key-recovery attack on ten rounds of unmodified Midori-64 is obtained. The attack works for \(2^{96}\) weak keys and irrespective of the choice of round constants. The data complexity is \(1.25 \cdot 2^{21}\) chosen plaintexts, and the computational cost is dominated by \(2^{56}\) block cipher calls. The validity of the attack is verified by means of experiments.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8


  1. 1.

    Such functions may be called defective probability mass functions [17].

  2. 2.

    It is not hard to see that it will be linearly independent from any previously computed eigenvectors.

  3. 3.

    A transformation such as \(C^P\) may be called a braiding map.

  4. 4.

    A Sage implementation is available online at

  5. 5.

    If the zero-sum property can be used, this actually yields a five-round property.


  1. 1.

    M.A. Abdelraheem, M. Ågren, P. Beelen, G. Leander, On the distribution of linear biases: three instructive examples, in R. Safavi-Naini, R. Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, August 19–23, 2012), pp. 50–67

  2. 2.

    R. Ankele, C. Dobraunig, J. Guo, E. Lambooij, G. Leander, Y. Todo,Zero-correlation attacks on tweakable block ciphers with linear tweakey expansion. IACR Trans. Symmetric Cryptol.2019(1), 192–235 (2019).

  3. 3.

    S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, F. Regazzoni, Midori: A block cipher for low energy, in T. Iwata, J.H. Cheon, editors, ASIACRYPT 2015, Part II. LNCS, vol. 9453 (Springer, Heidelberg, Germany, Auckland, New Zealand, Nov 30–Dec 3, 2015), pp. 411–436.

  4. 4.

    C. Beierle, A. Canteaut, G. Leander, Y. Rotella, Proving resistance against invariant attacks: How to choose the round constants, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part II. LNCS, vol. 10402 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, Aug 20–24, 2017), pp. 647–678

  5. 5.

    C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw, J. Katz, editor, CRYPTO 2016, Part II. LNCS, vol. 9815 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, Aug 14–18, 2016), pp. 123–153.

  6. 6.

    T. Beyne, Block cipher invariants as eigenvectors of correlation matrices, in ASIACRYPT 2018, Part I. LNCS (Springer, Heidelberg, Germany, Dec 2018), pp. 3–31.

  7. 7.

    T. Beyne, Block cipher invariants as eigenvectors of correlation matrices (full version). Cryptology ePrint Archive, Report 2018/763 (2018).

  8. 8.

    A. Biryukov, L. Perrin, State of the art in lightweight symmetric cryptography. Cryptology ePrint Archive, Report 2017/511 (2017).

  9. 9.

    J. Borghoff, A. Canteaut, T. Güneysu, E.B. Kavun, M. Knežević, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, T. Yalçin, PRINCE: a low-latency block cipher for pervasive computing applications-extended abstract, in X. Wang, K. Sako, editor, ASIACRYPT 2012. LNCS, vol. 7658 (Springer, Heidelberg, Germany, Beijing, China, Dec 2–6, 2012), pp. 208–225.

  10. 10.

    T. Ceccherini-Silberstein, F. Scarabotti, F. Tolli, in Harmonic Analysis on Finite Groups (Cambridge University Press, Cambridge, 2008)

  11. 11.

    J. Daemen, R. Govaerts, J. Vandewalle, Correlation matrices, in B. Preneel, editor, FSE’94. LNCS, vol. 1008 (Springer, Heidelberg, Germany, Leuven, Belgium, Dec 14–16, 1995), pp. 275–285

  12. 12.

    J. Daemen, V. Rijmen, The wide trail design strategy, in B. Honary, editor, 8th IMA International Conference on Cryptography and Coding, Dec 17–19, 2001. LNCS, vol. 2260 (Springer, Heidelberg, Germany, Cirencester, UK), pp. 222–238

  13. 13.

    P. Diaconis, in Group Representations in Probability and Statistics, Lecture Notes–Monograph Series. vol. 11 (Institute of Mathematical Statistics, Hayward, CA, 1988).

  14. 14.

    C. Dobraunig, M. Eichlseder, D. Kales, F. Mendel, Practical key-recovery attack on MANTIS5. IACR Trans. Symm. Cryptol. 2016(2), 248–260 (2016).,

  15. 15.

    B. Dravie, J. Parriaux, P. Guillot, G. Millérioux, Matrix representations of vectorial Boolean functions and eigenanalysis. Cryptogr. Commun. Discrete Struct. Boolean Funct. Seq. 8(4), 555–577 (2016).,

  16. 16.

    M. Eichlseder, D. Kales, Clustering related-tweak characteristics: application to MANTIS-6. IACR Trans. Symm. Cryptol.2018(2), 111–132 (2018).

  17. 17.

    W. Feller, in An Introduction to Probability Theory and Its Applicatons. vol. 2 (Wiley, New York, 1971)

  18. 18.

    J. Guo, J. Jean, I. Nikolic, K. Qiao, Y. Sasaki, S.M. Sim, Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symm. Cryptol.2016(1), 33–56 (2016).,

  19. 19.

    L.R. Knudsen, D. Wagner, Integral cryptanalysis, in J. Daemen, V. Rijmen, editors, FSE 2002, Feb 4–6, 2002. LNCS, vol. 2365 (Springer, Heidelberg, Germany, Leuven, Belgium), pp. 112–127

  20. 20.

    G. Leander, M.A. Abdelraheem, H. AlKhzaimi, E. Zenner, A cryptanalysis of PRINTcipher: the invariant subspace attack, in P. Rogaway, editor, CRYPTO 2011, Aug 14–18, 2011. LNCS, vol. 6841 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA), pp. 206–221

  21. 21.

    L. Lin, W. Wu, Meet-in-the-middle attacks on reduced-round Midori64. IACR Trans. Symm. Cryptol.2017(1), 215–239 (2017).

  22. 22.

    A. Luykx, B. Mennink, K.G. Paterson, Analyzing multi-key security degradation, in T. Takagi, T. Peyrin, editors, ASIACRYPT 2017, Part II, Dec 3–7, 2017. LNCS, vol. 10625 (Springer, Heidelberg, Germany, Hong Kong, China), pp. 575–605

  23. 23.

    M. Matsui, Linear cryptanalysis method for DES cipher, in T. Helleseth, editor, EUROCRYPT’93, May 23–27, 1994. LNCS, vol. 765 (Springer, Heidelberg, Germany, Lofthus, Norway), pp. 386–397

  24. 24.

    K. Nyberg, Linear approximation of block ciphers (rump session), in A.D. Santis, editor, EUROCRYPT’94, May 9–12, 1995. LNCS, vol. 950 (Springer, Heidelberg, Germany, Perugia, Italy), pp. 439–444

  25. 25.

    Y. Todo, G. Leander, Y. Sasaki, Nonlinear invariant attack-practical attack on full SCREAM, iSCREAM, and Midori64, in J.H. Cheon, T. Takagi, editors, ASIACRYPT 2016, Part II, Dec 4–8, 2016. LNCS, vol. 10032 (Springer, Heidelberg, Germany, Hanoi, Vietnam), pp. 3–33.

  26. 26.

    C. Zhan, W. Xiaoyun, Impossible differential cryptanalysis of Midori. Cryptology ePrint Archive, Report 2016/535 (2016).

Download references


I acknowledge the anonymous referees for their comments and corrections. In addition, I thank Tomer Ashur and Yunwen Liu for discussions related to this work. Finally, I am especially grateful to Vincent Rijmen for his comments on a draft version of this paper and for his support.

Author information

Correspondence to Tim Beyne.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This work was supported by the Research Council KU Leuven: C16/18/004. The author is supported by a PhD Fellowship from the Research Foundation Flanders (FWO). A preliminary version of this paper was published at ASIACRYPT 2018 [6]. The full version of this work is available on ePrint [7].

Communicated by Kaisa Nyberg.


List of Invariants Produced by Algorithm 1

See Table 5.

Table 5 Invariants for two rounds of (modified) Midori-64, as obtained using Algorithm 1

Test Code for Nonlinear Invariant from Sect. 5.3

The following code was tested using Sage 8.1.


Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Beyne, T. Block Cipher Invariants as Eigenvectors of Correlation Matrices. J Cryptol (2020).

Download citation


  • Invariant subspace attack
  • Nonlinear invariant attack
  • Linear cryptanalysis
  • Integral cryptanalysis
  • Correlation matrices
  • Midori-64