A new approach to invariant subspaces and nonlinear invariants is developed. This results in both theoretical insights and practical attacks on block ciphers. It is shown that, with minor modifications to some of the round constants, Midori-64 has a nonlinear invariant with $$2^{96} + 2^{64}$$ 2 96 + 2 64 corresponding weak keys. Furthermore, this invariant corresponds to a linear hull with maximal correlation. By combining the new invariant with integral cryptanalysis, a practical key-recovery attack on ten rounds of unmodified Midori-64 is obtained. The attack works for $$2^{96}$$ 2 96 weak keys and irrespective of the choice of round constants. The data complexity is $$1.25 \cdot 2^{21}$$ 1.25 · 2 21 chosen plaintexts, and the computational cost is dominated by $$2^{56}$$ 2 56 block cipher calls. The validity of the attack is verified by means of experiments.

中文翻译：

---

块密码不变量作为相关矩阵的特征向量

开发了一种处理不变子空间和非线性不变量的新方法。这导致了对分组密码的理论见解和实际攻击。结果表明，通过对一些轮常数稍加修改，Midori-64 具有非线性不变量，其中 $$2^{96} + 2^{64}$$ 2 96 + 2 64 个对应的弱密钥。此外，该不变量对应于具有最大相关性的线性外壳。通过将新的不变量与积分密码分析相结合，获得了对十轮未修改 Midori-64 的实用密钥恢复攻击。该攻击适用于 $$2^{96}$$ 2 96 个弱密钥并且与轮常数的选择无关。数据复杂度为 $$1.25 \cdot 2^{21}$$ 1.25 · 2 21 个选择的明文，计算成本由 $$2^{56}$$ 2 56 个分组密码调用支配。