Block Cipher Invariants as Eigenvectors of Correlation Matrices

A new approach to invariant subspaces and nonlinear invariants is developed. This results in both theoretical insights and practical attacks on block ciphers. It is shown that, with minor modifications to some of the round constants, Midori-64 has a nonlinear invariant with 296+264 corresponding weak keys. Furthermore, this invariant corresponds to a linear hull with maximal correlation. By combining the new invariant with integral cryptanalysis, a practical key-recovery attack on ten rounds of unmodified Midori-64 is obtained. The attack works for 296 weak keys and irrespective of the choice of round constants. The data complexity is 1.25 center dot 221 chosen plaintexts, and the computational cost is dominated by 256 block cipher calls. The validity of the attack is verified by means of experiments.