Information Security Practice and

Experience 12th International

Conference ISPEC 2016 Zhangjiajie
China November 16 18 2016
Proceedings 1st Edition Feng Bao
Visit to download the full and correct content document:
https://textbookfull.com/product/information-security-practice-and-experience-12th-int
ernational-conference-ispec-2016-zhangjiajie-china-november-16-18-2016-proceedin
gs-1st-edition-feng-bao/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Information Systems Security 12th International

Conference ICISS 2016 Jaipur India December 16 20 2016
Proceedings 1st Edition Indrajit Ray

https://textbookfull.com/product/information-systems-
security-12th-international-conference-iciss-2016-jaipur-india-
december-16-20-2016-proceedings-1st-edition-indrajit-ray/

Information Security and Cryptology: 12th International

Conference, Inscrypt 2016, Beijing, China, November
4-6, 2016, Revised Selected Papers 1st Edition Kefei
Chen
https://textbookfull.com/product/information-security-and-
cryptology-12th-international-conference-inscrypt-2016-beijing-
china-november-4-6-2016-revised-selected-papers-1st-edition-
kefei-chen/

Information Security Practice and Experience 11th

International Conference ISPEC 2015 Beijing China May 5
8 2015 Proceedings 1st Edition Javier Lopez

https://textbookfull.com/product/information-security-practice-
and-experience-11th-international-conference-ispec-2015-beijing-
china-may-5-8-2015-proceedings-1st-edition-javier-lopez/

Cryptology and Network Security 15th International

Conference CANS 2016 Milan Italy November 14 16 2016
Proceedings 1st Edition Sara Foresti

https://textbookfull.com/product/cryptology-and-network-
security-15th-international-conference-cans-2016-milan-italy-
november-14-16-2016-proceedings-1st-edition-sara-foresti/
Security and Privacy in Communication Networks 12th
International Conference SecureComm 2016 Guangzhou
China October 10 12 2016 Proceedings 1st Edition Robert
Deng
https://textbookfull.com/product/security-and-privacy-in-
communication-networks-12th-international-conference-
securecomm-2016-guangzhou-china-
october-10-12-2016-proceedings-1st-edition-robert-deng/

Information and Communications Security 18th

International Conference ICICS 2016 Singapore Singapore
November 29 December 2 2016 Proceedings 1st Edition
Kwok-Yan Lam
https://textbookfull.com/product/information-and-communications-
security-18th-international-conference-icics-2016-singapore-
singapore-november-29-december-2-2016-proceedings-1st-edition-
kwok-yan-lam/

Intelligent Information Processing VIII 9th IFIP TC 12

International Conference IIP 2016 Melbourne VIC
Australia November 18 21 2016 Proceedings 1st Edition
Zhongzhi Shi
https://textbookfull.com/product/intelligent-information-
processing-viii-9th-ifip-tc-12-international-conference-
iip-2016-melbourne-vic-australia-
november-18-21-2016-proceedings-1st-edition-zhongzhi-shi/

Building Sustainable Health Ecosystems 6th

International Conference on Well Being in the
Information Society WIS 2016 Tampere Finland September
16 18 2016 Proceedings 1st Edition Hongxiu Li
https://textbookfull.com/product/building-sustainable-health-
ecosystems-6th-international-conference-on-well-being-in-the-
information-society-wis-2016-tampere-finland-
september-16-18-2016-proceedings-1st-edition-hongxiu-li/

Future Network Systems and Security Second

International Conference FNSS 2016 Paris France
November 23 25 2016 Proceedings 1st Edition Robin Doss

https://textbookfull.com/product/future-network-systems-and-
security-second-international-conference-fnss-2016-paris-france-
november-23-25-2016-proceedings-1st-edition-robin-doss/
 Feng Bao · Liqun Chen
Robert H. Deng · Guojun Wang (Eds.)
LNCS 10060

Information Security
Practice and Experience
12th International Conference, ISPEC 2016
Zhangjiajie, China, November 16–18, 2016
Proceedings

123
Lecture Notes in Computer Science 10060
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Feng Bao Liqun Chen
•

Robert H. Deng Guojun Wang (Eds.)

•

Information Security
Practice and Experience
12th International Conference, ISPEC 2016
Zhangjiajie, China, November 16–18, 2016
Proceedings

123
Editors
Feng Bao Robert H. Deng
Huawei International Singapore Management University
Singapore Singapore
Singapore Singapore
Liqun Chen Guojun Wang
University of Surrey Guangzhou University
Guilford, Surrey Guangzhou, Guangdong
UK China

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-49150-9 ISBN 978-3-319-49151-6 (eBook)
DOI 10.1007/978-3-319-49151-6

Library of Congress Control Number: 2016956490

LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing AG 2016

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature

The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

The 12th International Conference on Information Security Practice and Experience

(ISPEC 2016) was held in Zhangjiajie, China, during November 16–18, 2016, and was
jointly hosted by Central South University, Guangzhou University, and Jishou
University.
The ISPEC conference series is an established forum that brings together researchers
and practitioners to provide a confluence of new information security technologies,
including their applications and their integration with IT systems in various vertical
sectors. Previously, ISPEC took place in Singapore (2005), Hangzhou, China (2006),
Hong Kong, China (2007), Sydney, Australia (2008), Xi’an, China (2009), Seoul,
Korea (2010), Guangzhou, China (2011), Hangzhou, China (2012), Lanzhou, China
(2013), Fuzhou, China (2014), and Beijing, China (2015).
This year we received 75 anonymous submissions. All the submissions were
reviewed on the basis of their significance, novelty, technical quality, and practical
impact. After careful reviews by at least three experts in the relevant areas for each
paper, and intensive discussions by the Program Committee (PC) members, 25 papers
were selected for presentation at the conference and included in this Springer volume,
with an acceptance rate of 33.3 %. The accepted papers cover multiple topics in
information security, from technologies to systems and applications. Besides the reg-
ular paper presentations, the program of the conference included two interesting and
insightful keynotes addressed by Prof. David Basin, ETH Zurich, Switzerland, and
Prof. David Naccache, ENS, France. We would like to express our special thanks to
these two keynote speakers.
The ISPEC 2016 program also included a workshop, the Huawei IoT Security
Forum, which focused on security and privacy challenges in various IoT scenarios,
particularly discussing an expected future scenario of trillions of low-end devices being
deployed in the next decade. This forum consisted of five invited talks, by the two
conference keynote speakers, Prof. Yang Xiang, Deakin University, Australia, Prof. Jin
Li, Guanghzou University, China, and by Dr. Tieyan Li and Dr. Guilin Wang, Huawei
International, Singapore. We appreciate the excellent contributions from these invited
speakers.
ISPEC 2016 was made possible by the joint effort of numerous people and orga-
nizations worldwide. There is a long list of people who volunteered their time and
energy to put together the conference and who deserve special thanks. First and
foremost, we are deeply grateful to all the PC members for their great effort in reading,
commenting on, debating, and finally selecting the papers. We also thank all the
external reviewers for assisting the PC in their particular areas of expertise.
We would like to emphasize our gratitude to the general chairs, Dr. Feng Bao and
Prof. Guojun Wang, for their generous support and leadership that ensured the success
of the conference. Thanks also go to the: publicity chairs, Dr. Mamoun Alazab,
Dr. Chunhua Su, Dr. William Liu, and Prof. Zhe Tang; publication chair,
VI Preface

Dr. Yongdong Wu; organization chairs, Prof. Fang Qi, Dr. Xiaofei Xing, Prof.
Qingping Zhou; registration chair, Ms. Pin Liu; conference secretariat, Ms. Wenxiu
Ding; and Webmaster, Mr. Yang Shu.
We sincerely thank the authors of all submitted papers and all the conference
attendees. Thanks are also due to the staff at Springer for their help with producing the
proceedings and to the developers and maintainers of the EasyChair software, which
greatly helped simplify the submission and review process. Last but certainly not least,
our thanks go to Huawei for sponsoring the conference.

November 2016 Liqun Chen

Robert H. Deng
 Organization

General Chairs
Feng Bao Huawei, Singapore
Guojun Wang Guangzhou University, China

Program Chairs
Liqun Chen University of Surrey, UK
Robert H. Deng Singapore Management University, Singapore

Publicity Chairs
Mamoun Alazab Macquarie University, Australia
Chunhua Su JAIST, Japan
William Liu Auckland University of Technology, New Zealand
Zhe Tang Central South University, China

Program Committee
Joonsang Baek KUSTAR, UAE
Aldar Chun-Fai Chan Applied Science and Technology Research Institute,
Hong Kong, SAR China
Binbin Chen ADSC, Singapore
Raymond Choo ADSC, Singapore
Sherman Chow Chinese University of Hong Kong, Hong Kong,
SAR China
Cheng-Kang Chu Huawei, Singapore
Juan Estevez-Tapiador UC3M, Spain
Sara Foresti Università degli Studi di Milano, Italy
Debin Gao Singapore Management University, Singapore
Dieter Gollmann Hamburg University of Technology, Germany
Stefanos Gritzalis University of the Aegean, Greece
Dawu Gu Shanghai Jiao Tong University, China
Xinyi Huang Fujian Normal University, China
Lucas Hui Hong Kong University, Hong Kong, SAR China
Sokratis Katsikas University of Piraeus, Greece
Ryan Ko University of Waikato, New Zealand
Miroslaw Kutylowski Wroclaw University of Technology, Poland
Junzuo Lai Singapore Management University, Singapore
Heejo Lee Korea University, Korea
VIII Organization

Hao Lei Huawei, China

Jin Li Guangzhou University, China
Jiguo Li Hohai University, China
Tieyan Li Huawei, Singapore
Yingjiu Li Singapore Management University, Singapore
Peter Lipp Graz University of Technology, Austria
Joseph Kai Sui Liu Institute for Infocomm Research, Singapore
Shengli Liu Shanghai Jiao Tong University, China
Javier Lopez University of Malaga, Spain
Di Ma University of Michigan-Dearborn, USA
Masahiro Mambo Kanazawa University, Japan
Sjouke Mauw University of Luxembourg, Luxembourg
Yi Mu University of Wollongong, Australia
David Nacacche ENS, France
Siaw-Lynn Ng Royal Holloway, University of London, UK
Eiji Okamoto University of Tsukuba, Japan
Pedro Peris UC3M, Spain
Raphael C.-W. Phan Multimedia University, Malaysia
Kui Ren University of Buffalo, USA
Kouichi Sakurai Kyushu University, Japan
Pierangela Samarati University of Milan, Italy
Ben Smyth Huawei Technologies, France
Miguel Soriano UPC, Spain
Chunhua Su JAIST, Japan
Willy Susilo University of Wollongong, Australia
Hung-Min Sun National Tsing Hua University, Taiwan
Shaohua Tang South China University of Technology, China
Claire Vishik Intel Corporation, UK
Cong Wang City University of Hong Kong, Hong Kong,
SAR China
Huaxiong Wang Nanyang Technological University, Singapore
Jian Weng Jinan University, China
Hongjun Wu Nanyang Technological University, Singapore
Guilin Wang Huawei, Singapore
Qianhong Wu Beijing University of Aeronautics and Astronautics,
China
Zheng Yan Xidian University, China
Yanjiang Yang Institute for Infocomm Research, Singapore
Kehuan Zhang Chinese University of Hong Kong, Hong Kong,
SAR China
Rui Zhang Chinese Academy of Sciences, China
Futai Zhang Nanjing Normal University, China
Yunlei Zhao Fudan University, China
Wentao Zhu Chinese Academy of Sciences, China
 Organization IX

Workshop Chairs
Peter Mueller IBM Zurich Research Laboratory, Switzerland
Mark Ryan University of Birmingham, UK
Shui Yu Deakin University, Australia

Publication Chair
Yongdong Wu Institute for Infocomm Research, Singapore

Organizing Chairs
Fang Qi Central South University, China
Xiaofei Xing Guangzhou University, China
Qingping Zhou Jishou University, China

Registration chair
Pin Liu Central South University, China

Conference Secretariat
Wenxiu Ding Xidian University, China

Webmaster
Yang Shu Central South University, China

Additional Reviewers

Hiroaki Anada Ziyuan Hu Zhiqiang Liu

Marios Anagnostopoulos Jialin Huang Ya Liu
Zuling Chang Sumeet Jauhar Zhe Liu
Bing Chang Peng Jiang Jianan Liu
Jiageng Chen Jiaojiao Jiang Jiafa Liu
Yuechen Chen Xin Kang Maxime Meyer
Yao Cheng Hyunho Kang Ana Nieto
Hanwen Feng Russell Lai Michiharu Niimi
Boru Gong Mario Larangeira Elizabeth Quaglia
Shuai Han Hyung Tae Lee Evangelos Rekleitis
Lucjan Hanzlik Gabriele Lenzini Sushmita Ruj
Jagadeesh Harshan Huaxin Li Yusuke Sakai
Junhui He Juanru Li Zach Smith
Lin Hou Zhi Liang Le Su
X Organization

Benjamin Tan Wei Wang Xingjie Yu

Zisis Tsiatsikas Zhuo Wei Tsz Hon Yuen
Theodoros Tzouramanis Shuang Wu Rocky Zhang
Yoshifumi Ueshige Hao-Tian Wu Xiaoqian Zhang
Lei Wang Congge Xie Juanyang Zhang
Jingxuan Wang Masaya Yasuda Yongjun Zhao
Xiuhua Wang Leo Yeung Xiuwen Zhou

ISPEC 2016 Sponsor

 Contents

Cryptanalysis of Midori128 Using Impossible Differential Techniques . . . . . . 1

Zhan Chen, Huaifeng Chen, and Xiaoyun Wang

The Distribution of 2n -Periodic Binary Sequences with Fixed k-Error

Linear Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Wenlun Pan, Zhenzhen Bao, Dongdai Lin, and Feng Liu

Cryptanalysis of a Privacy Preserving Auditing for Data Integrity Protocol

from TrustCom 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Jingguo Bi and Jiayang Liu

A Spark-Based DDoS Attack Detection Model in Cloud Services . . . . . . . . . 48

Jian Zhang, Yawei Zhang, Pin Liu, and Jianbiao He

Security of SM4 Against (Related-Key) Differential Cryptanalysis . . . . . . . . 65

Jian Zhang, Wenling Wu, and Yafei Zheng

KopperCoin – A Distributed File Storage with Financial Incentives . . . . . . . . 79

Henning Kopp, Christoph Bösch, and Frank Kargl

Practical Signature Scheme from C-Protocol . . . . . . . . . . . . . . . . . . . . . . . . 94

Zhoujun Ma, Li Yang, and Yunlei Zhao

A Host-Based Detection Method of Remote Access Trojan

in the Early Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Daichi Adachi and Kazumasa Omote

Collision Attacks on CAESAR Second-Round Candidate: ELmD . . . . . . . . . 122

Jian Zhang, Wenling Wu, and Yafei Zheng

Masking Algorithm for Multiple Crosstalk Attack Source Identification

Under Greedy Sparse Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Hong Wei Siew, Saw Chin Tan, and Ching Kwang Lee

Fast Implementation of Simple Matrix Encryption Scheme

on Modern x64 CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Zhiniang Peng, Shaohua Tang, Ju Chen, Chen Wu, and Xinglin Zhang

Homomorphically Encrypted Arithmetic Operations Over the Integer Ring . . . . 167

Chen Xu, Jingwei Chen, Wenyuan Wu, and Yong Feng

A Privacy Preserving Source Verifiable Encryption Scheme . . . . . . . . . . . . . 182

Zhongyuan Yao, Yi Mu, and Guomin Yang
XII Contents

Structural Evaluation for Simon-Like Designs Against Integral Attack . . . . . . 194

Huiling Zhang and Wenling Wu

RFID Tags Batch Authentication Revisited – Communication Overhead

and Server Computational Complexity Limits . . . . . . . . . . . . . . . . . . . . . . . 209
Przemysław Błaśkiewicz, Łukasz Krzywiecki, and Piotr Syga

Privacy-Preserving Cloud Auditing with Multiple Uploaders. . . . . . . . . . . . . 224

Ge Wu, Yi Mu, Willy Susilo, and Fuchun Guo

A Formal Concept of Domain Pseudonymous Signatures . . . . . . . . . . . . . . . 238

Kamil Kluczniak, Lucjan Hanzlik, and Mirosław Kutyłowski

Efficient Tag Path Authentication Protocol with Less Tag Memory . . . . . . . . 255
Hongbing Wang, Yingjiu Li, Zongyang Zhang, and Yunlei Zhao

Anonymizing Bitcoin Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Dimaz Ankaa Wijaya, Joseph K. Liu, Ron Steinfeld, Shi-Feng Sun,
and Xinyi Huang

Physical-Layer Identification of HF RFID Cards Based

on RF Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Guozhu Zhang, Luning Xia, Shijie Jia, and Yafei Ji

Privacy-Preserving Mining of Association Rules for Horizontally

Distributed Databases Based on FP-Tree . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Yaoan Jin, Chunhua Su, Na Ruan, and Weijia Jia

Countering Burst Header Packet Flooding Attack in Optical Burst

Switching Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Adel Rajab, Chin-Tser Huang, Mohammed Al-Shargabi,
and Jorge Cobb

Authenticated CAN Communications Using Standardized

Cryptographic Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Zhuo Wei, Yanjiang Yang, and Tieyan Li

Thrifty Zero-Knowledge: When Linear Programming Meets Cryptography . . . 344

Simon Cogliani, Houda Ferradi, Rémi Géraud, and David Naccache

ARMv8 Shellcodes from ‘A’ to ‘Z’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Hadrien Barral, Houda Ferradi, Rémi Géraud, Georges-Axel Jaloyan,
and David Naccache

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

 Cryptanalysis of Midori128 Using Impossible
Differential Techniques

Zhan Chen1 , Huaifeng Chen3,4 , and Xiaoyun Wang2,3,4(B)

1
Department of Computer Science and Technology, Tsinghua University,
Beijing 100084, China
z-chen14@mails.tsinghua.edu.cn
2
Institute of Advanced Study, Tsinghua University, Beijing 100084, China
xiaoyunwang@mail.tsinghua.edu.cn
3
School of Mathematics, Shandong University, Jinan 250100, China
hfchen@mail.sdu.edu.cn
4
Key Laboratory of Cryptologic Technology and Information Security,
Ministry of Education, Shandong University, Jinan 250100, China

Abstract. The Midori family of light weight block cipher is presented

in ASIACRYPT2015. It is uses a SPN structure and has two versions:
Midori64 and Midori128. In this paper we use a 6-round impossible
differential path and present 10-round impossible differential attack on
Midori128. We exploit the properties of S-boxes to aid our attack. We
construct a hash table in the pre-computation phase to reduce time com-
plexity. Our attack requires 2116.17 chosen plaintexts, 297 blocks of mem-
ory and 2116.71 10-round Midori128 encryptions. We show that this is
the first attack ever applied to Midori128.

Keywords: Light weight block cipher · Impossible differential · Crypt-

analysis · Midori · Secret key

1 Introduction

In recent years, light weight block cipher has attracted lots of attention from
cryptographers. Some features of light weight block cipher such as small hard-
ware area and low latency, made it popular among low resource devices such as
sensor nodes, tags and medical implants. A vast number of light weight block
ciphers emerged these years such as HIGHT [1], CLEFIA [2], KATAN [3], KLEIN
[4], LED [5], PRESENT [6], Piccolo [7], and SIMON/SPECK [8] to name a few.
The Midori [9] block cipher is proposed in ASIACRYPT2015 by Banik et al.
It is designed to optimise energy and area consumed by the circuit per bit in
the encryption or decryption operation. There are two versions, Midori64 and
Midori128 with block sizes equal to 64 and 128 bits respectively. Both ver-
sions use a 128-bit key. It is based on the Substitution-Permutation Network
(SPN). It uses a optimal cell-permutation layer which has faster diffusion speed
than ShiftRow-type operation and drastically improves and the number of active

c Springer International Publishing AG 2016
F. Bao et al. (Eds.): ISPEC 2016, LNCS 10060, pp. 1–12, 2016.
DOI: 10.1007/978-3-319-49151-6 1
2 Z. Chen et al.

S-boxes in each round. The S-box used is 4-bit, signal delay is small and energy
consumption is low. Key schedule takes only XOR operations thus efficient.
Since its release, various attacks have been applied to Midori. The first meet-
in-the-middle attack is proposed by Wu et al.[10] using differential enumera-
tion technique and key-dependent sieve technique. Guo et al.[11]. presented the
invariant subspace attack against Midori64 which is a weak-key attack, the size
of the weak-key class is 232 . It shows that with such a weak key, Midori64 can
be distinguished from a random permutation only with one chosen plaintext
query, computation and memory cost are negligible. The first impossible differ-
ential attack against Midori has been applied to 10 rounds of the Midori64 by
Chen [12].
Impossible differential attack was independently proposed by Knudsen to
analyse AES candidate DEAL [13], and Biham et al. to attack Skipjack [14] and
IDEA [15]. It has successfully attacked some of the most popular block ciphers
such as AES (Rijndeal) [16–20] and CLEFIA [21]. The core idea of impossible
differential is to concatenate two differentials with probability one that contra-
dict in the middle. Using such a path that should never occur, we can discard
wrong keys until there is only one key left, we assume it is the right key.
Due to the prudent design decisions and relatively small key size of 128-bit,
no attack has applied to Midori128 yet. In this paper, we present the first attack
on Midori128 using impossible differential cryptanalysis.
The rest of this paper is organised as follows: in Sect. 2 we give a brief descrip-
tion of Midori block cipher and some notations that we use in the attack. We
describe our 10-round attack on Midori128 in Sect. 3. Section 4 summarise pre-
vious results and our results then concludes the paper.

2 A Brief Description of Midori128

Midori is a family of two block ciphers: Midori64 and Midori128. The block size
n is 64-bit for Midori64 and 128-bit for Midori128. The plaintext is loaded into
a 4 × 4 matrix called a state as shown below
⎛ ⎞
s0 s4 s8 s12
⎜ s1 s5 s9 s13 ⎟
S=⎜ ⎟
⎝ s2 s6 s10 s14 ⎠ . (1)
s3 s7 s11 s15
For Midori64, each cell si is 4 bits, and for Midori128, the cell size m = 8
bits. Some parameters are shown in Table 1.

2.1 Key Schedule

We focus on Midori128, the 128-bit secret key K is loaded as whitening key W K.

Each subkey ki = K ⊕ βi where i = 1, . . . , 19. βi s are constants and derived from
 Cryptanalysis of Midori128 Using Impossible Differential Techniques 3

Table 1. Parameters for Midori64 and Midori128

Block size(n) Key size Cell size(m) Number of rounds

Midori64 64 128 4 16
Midori128 128 128 8 20

the hexadecimal encoding of the fractional part of π. The round constants were
chosen in this manner with a view to have an energy-efficient decryption circuit.
They are added bitwise to the LSB of every round key byte in Midori128.

2.2 Round Function Specifications

Midori uses Substitution-Permutation Network. The substitution layer is a S-box

(SB) layer. Midori128 utilises 4 different 8-bit S-box es SSb0 , SSb1 , SSb2 , SSb3 :
(0, 1)8 → (0, 1)8 . They all have involution property and are given in Appendix A.
Mathematically each SSbi consists of input and output bit permutations and two
Sb1 s where Sb1 is a 4-bit Sbox: {0, 1}4 → {0, 1}4 . SSbi are applied to every 8-
bit cell of state S of Midori128 in parallel. That is, si ← SSb(i mod 4) (si ) where
0 ≤ i ≤ 15.
The permutation layer is a linear layer consists of two parts: Shuf f leCell
(SC) and M ixColumn (MC). SC is to permute the cells as follows:

(s0 , s1 , . . . , s15 ) ← (s0 , s10 , s5 , s15 , s14 , s4 , s11 , s1 , s9 , s3 , s12 , s6 , s7 , s13 , s2 , s8 ) .

(2)
MC is to apply an involutive binary matrix M where
⎛ ⎞
0111
⎜1 0 1 1⎟
M =⎜ ⎝1 1 0 1⎠
⎟ (3)
1110

to each 32-bit column of the state S. The matrix M updates four 8-bit cells
(si , si+1 , si+2 , si+3 ) as follows:
t
(si , si+1 , si+2 , si+3 ) ← M ·t (si , si+1 , si+2 , si+3 ) (4)

where the operations between a matrix and a vector are are performed over
GF (28 ).
Finally there is a KeyAdd (KA) layer which is to XOR 128-bit subkey ki to
the state.
Each round consists of substitution layer, permutation layer and KA layer.
Note that permutation layer is omitted in the last round and there is a XOR of
whitening key prior to round functions.
The encryption is depicted in Fig. 1. More details can be referred to [9].
4 Z. Chen et al.

Fig. 1. Midori128 algorithm

2.3 Some Notations

We use the following notations in this paper.
– Xi : the input of the i-th round, X0 is plaintext, X1 = X0 ⊕ W K
– XiSB : the state after S − box operation of the i-th round
– XiSC : the state after Shuf f leCell operation of the i-th round
– XiM C : the state after M ixColumn operation of the i-th round
– XiKA : the state after KeyAdd operation of the i-th round, obviously we have
XiKA = Xi+1
– Xi [j]: the j-th cell of Xi
– ki : the subkey of the i-th round, i = 1 · · · , 19
– X: the difference of two states X and X ∗

3 Impossible Differential Attack on Midori128

In this section, we first give two properties of Midori128 S-boxes, then we describe
a 6-round impossible differential path. We give our attack afterwards.

3.1 Properties of Midori128 S-boxes

Property 1. Consider three cells of the state, for example, position(0, 5, 15),
with any input differences, but we want the output differences to be the same
and non-zero. There are 2563 × 255 such inputs. The total number of inputs are
(28 )6 = 248 . So the probability that S-box outputs three cells with the same
non-zero difference is 2−16.0056 . If the input differences are non-zero, the total
number of inputs are (28 − 1)3 × (28 )3 , so the probability that S-box outputs
three cells with the same non-zero difference is 2−15.988 .

Property 2. Consider two cells of the state, for example, position (1, 11), with
any non-zero input differences, but we want the output differences to be the same
and non-zero. There are 2562 × 255 such inputs. The total number of inputs are
28×2 × (28 − 1)2 = 232 . So the probability that S-box outputs two cells with the
same non-zero difference is 2−7.994 .
 Cryptanalysis of Midori128 Using Impossible Differential Techniques 5

3.2 Impossible Differential Paths of Midori128

The impossible differential path that we use is the same one used in [12] for
the attack on Midori64. It is a 6-round impossible differential path, with two
non-zero and equal input differences and one non-zero output difference, written
as (0, a, 0, 0, 0, 0, 0, 0, 0, 0, 0, a, 0, 0, 0, 0) → (0, 0, 0, 0, 0, ∗, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0).
There are in total 288 such paths. Details of this path are shown in Fig. 2,
where a blank cell denotes zero difference, alphabets a and ∗ denote non-zero
differences, ? denotes an unknown difference.

Fig. 2. A 6-round impossible differential path of Midori128

3.3 Attack Procedures

The impossible differential path is extended one round on the top and three
rounds at the bottom. We mount 10-round attack on Midori128. The states of
each round are shown in Fig. 3.
6 Z. Chen et al.

Fig. 3. The states of each round

Pre-computation Phase. To reduce computational complexity, we build a

∗
hash table regarding k10 [1, 2, 3, 4, 5, 6, 8, 10, 11]. For all possible pairs (X10 , X10 )
which have zero difference in position (0, 7, 9, 12, 13, 14, 15), and whose cells
(1, 2, 3), (4, 5, 6), (8, 10, 11) have the same differences respectively, compute the
SB SB∗
corresponding values (X10 , X10 ). Store the pairs (X10 [1, 2, 3, 4, 5, 6, 8, 10, 11],
∗ SB
X10 [1, 2, 3, 4, 5, 6, 8, 10, 11]) in a hash table H indexed by ΔX10 [1, 2, 3, 4, 5, 6, 8,
SB
10, 11]. Note that the difference of X10 is equal to the difference of X11 , i.e.,
SB
ΔX10 = ΔX11 .
There are 272 indexes and about (28 × (28 − 1) × (28 )2 )3 ≈ 296 elements
(28 × (28 − 1) possible pairs for the first cell of a column, 28 possible pairs for
the second and third cells each, and there are three columns to be considered)
in hash table H. So for each index, suppose Δx, of H, there are 296−72 = 224
pairs in H(Δx) on average.

Data Collecting Phase. We fix 10 cells, i.e., cells (1,2,4,6,7,8,10,11,13,14),

of the plaintext and let the other 6 cells (0, 3, 5, 9, 12, 15) take over all possible
values. We call this a structure. Each structure consists of 248 plaintexts. If 2n
structures are needed, the data compelxity would be 2n+48 plaintexts.
For each structure, encrypt the plaintexts through 10 rounds. Insert the
corresponding ciphertexts X11 into a hash table indexed by cell positions
 Cryptanalysis of Midori128 Using Impossible Differential Techniques 7

(0,7,9,12,13,14,15). For each row we expect to have 248 × 2−8×7 = 2−8 cipher-
textxs. Select all possible pairs for each row with more than one ciphertexts, we
expect to have 2−8×2−1 × 28×7 = 239 pairs. So for 2n structures we get 2n+39
∗
pairs (X11 , X11 ) with zero difference in cell (0, 7, 9, 12, 13, 14, 15).

Key Recovering Phase. In this phase, we eliminate wrong values of k1 [1, 11]
and k10 [2, 3, 4, 5, 6, 8, 10] by showing that the impossible differential path holds
if these keys are used.
Step 1. For each plaintext pair (X1 , X1∗ ) corresponding to (X11 , X11 ∗
), one of
n+39
the 2 ciphertext pairs obtained in data collection phase, encrypt by S-box
layer, that is, compute (X1SB , X1SB∗ ), and keep only the pairs that have the same
non-zero difference in position (0, 5, 15) and in position (3, 9, 12) respectively. By
property 1, there remains approximately 2n+39−16.0056×2 = 2n+6.9888 ciphertext
pairs.
Step 2. For each of the 2n+6.9888 pairs (X11 , X11
∗
), let
x = X11 [1, 2, 3, 4, 5, 6, 8, 10, 11], x∗ = X11
∗
[1, 2, 3, 4, 5, 6, 8, 10, 11]
SB
and compute ΔX10 [1, 2, 3, 4, 5, 6, 8, 10, 11] = Δx.
We utilise the hash table established in the pre-computation stage.
Access row Δx in hash table H. For each pair (y, y ∗ ) (corresponding to
∗
(X10 [1, 2, 3, 4, 5, 6, 8, 10, 11], X10 [1, 2, 3, 4, 5, 6, 8, 10, 11])) in H(Δx), we assume
x ⊕ y as a reasonable guess for k10 [1, 2, 3, 4, 5, 6, 8, 10, 11], denoted by
g10 [1, 2, 3, 4, 5, 6, 8, 10, 11].
Step 3. We build a list A of all possible keys of k10 [1, 2, 3, 4, 5, 6, 8, 10, 11].
– For those reasonable guesses, we take g10 [1, 11]⊕β1 ⊕β10 as a guess of k1 [1, 11]
(by key schedule, k1 = k10 ⊕ β1 ⊕ β10 ). Encrypt the pairs (X2SB , X2SB∗ )
through first round ShuffleCell, MixColumn, KeyAdd and SubByte, compute
ΔX2SB [1, 11]. By property 2, there is a 2−7.994 probability that ΔX2SB [1] =
ΔX2SB [11].
– We take g10 ⊕β9 ⊕β10 as k9 (by key schedule, k9 = k10 ⊕β9 ⊕β10 ) and decrypt
through the 9-th round, that is, compute X9 = SB −1 ◦ SC −1 ◦ M C −1 ◦ (X10 ⊕
g10 ⊕ β9 ⊕ β10 ). By property 1, the chance that cells (0, 1, 3) of X9 have the
same difference is 2−15.988 .
– When this happens, this guess g10 for k10 [1, 2, 3, 4, 5, 6, 8, 10, 11] will result in
an impossible differential, and is definitely a wrong key and should be removed
from list A.

Step 4. After analysing the 2n+6.9888 pairs, if A is not empty, output the values
in A.
In step 2, there are 224 guesses of g10 each time. The probability that each
g10 should be removed from list A is 2−7.994−15.988 = 2−23.982 . So we remove
approximately 20.018 keys for each pair remained in Step 1. After analysing
the 2n+6.9888 pairs, the number of wrong keys remained is N = 272 × (1 −
20.018 2n+6.9888 n−64.9932

272 ) = 272 × 2−1.44×2 .

8 Z. Chen et al.

3.4 Complexity Analysis

If only the right key remains in A, we should let N < 1, which leads to n =
70.634. The data complexity is 2n+48 = 2118.634 chosen plaintexts.
The time complexity of pre-computation phase is 2×296 × 16 9
× 14 = 294.17 one-
118.634
round encryptions. Data collecting phase requires 2 10-round encryptions.
Step 1 requires 2 × 2n+39 × 166
× 14 = 2104.634 one-round encryptions. Step 3 part
1 and part 2 each requires 2 × 2n+6.988 × 224 = 2102.622 one-round encryptions.
The 2n+6.988 pairs analysed leads to 224 memory access in H and 20.018 memory
access in A. The time complexity is 2n+6.988 × (224 + 20.018 ) = 2101.64 memory
access which is equivalent to about 295 one round encryptions.
As a result, the total time complexity is 294.17 /10 + 2118.634 + 2104.634 /10 +
2 × 2102.622 /10 + 295 ≈ 2119 10-round encryptions. The other 7 × 8 bits of keys
can be found using exhaustive search which has a negligible complexity.
To balance the complexity in key elimination process and exhaustive search
phase, we can use less structures to reduce the total time complexity. By setting
n = 68.168, the data complexity becomes 2116.168 chosen plaintexts and about
N = 259 keys remain in A. So the exhaustive search needs about 259+56 = 2115
10-round encryptions and the key elimination needs about (294.17 + 2102.168 +
2100.156 )/10 + 2116.18 + 295 + 2115 ≈ 2116.707 10-round encryptions.
We need 2 × 296 = 297 blocks of memory in the pre-computation phase and
the list A requires 272 /128 = 264 blocks.

Table 2. Complexity of the attack on Midori128

Cipher Method Rounds Time Data Memory Reference

Midori64 Impossible differential 10 280.81 262.4 265.13 [12]
Midori64 Meet-in-the-middle 10 299.5 261.5 292.7 [10]
Midori64 Meet-in-the-middle 11 2122 253 289.2 [10]
Midori64 Meet-in-the-middle 12 2125.5 255.5 2107 [10]
Midori64 Invariant subspace attack full 216 1 - [11]
Midori128 Impossible differential 10 2119 2118.63 297 Sect. 3.4
Midori128 Impossible differential 10 2116.71 2116.17 297 Sect. 3.4

4 Conclusion
In this paper, we attack Midori128 using impossible differential cryptananlysis.
This is the first attack on Midori128. Table 2 lists the results of all previous
attacks on Midori and compares to our results.

Acknowledgments. We would like to thank anonymous reviewers for their very help-
ful comments on the paper. This work is supported by National Key Basic Research
973 Program of China under Grant No. 2013CB834205 and National Natural Science
Foundation of China (Grant No. 61133013).
 Cryptanalysis of Midori128 Using Impossible Differential Techniques 9

A Appendix
A.1 Sboxes Used in Midori128

See Tables 3, 4, 5 and 6.

Table 3. SSb0

0 1 2 3 4 5 6 7 8 9 a b c d e f
0 11 10 51 50 b4 30 f4 70 59 58 19 18 fc 78 bc 38
1 1 0 13 12 a4 20 b6 32 b a 1b 1a ae 2a be 3a
2 15 31 55 71 b5 35 f5 75 5d 79 1d 39 fd 7d bd 3d
3 5 21 17 33 a5 25 b7 37 f 2b 1f 3b af 2f bf 3f
4 4b 4a 5b 5a ee 6a fe 7a 49 48 41 40 ec 68 e4 60
5 3 2 53 52 a6 22 f6 72 9 8 43 42 ac 28 e6 62
6 4f 6b 5f 7b ef 6f ff 7f 4d 69 45 61 ed 6d e5 65
7 7 23 57 73 a7 27 f7 77 d 29 47 63 ad 2d e7 67
8 95 b0 d5 f0 94 90 d4 d0 dd f8 9d b8 dc d8 9c 98
9 85 a0 97 b2 84 80 96 92 8f aa 9f ba 8e 8a 9e 9a
a 91 b1 d1 f1 14 34 54 74 d9 f9 99 b9 5c 7c 1c 3c
b 81 a1 93 b3 4 24 16 36 8b ab 9b bb e 2e 1e 3e
c cf ea df fa ce ca de da cd e8 c5 e0 cc c8 c4 c0
d 87 a2 d7 f2 86 82 d6 d2 8d a8 c7 e2 8c 88 c6 c2
e cb eb db fb 4e 6e 5e 7e c9 e9 c1 e1 4c 6c 44 64
f 83 a3 d3 f3 6 26 56 76 89 a9 c3 e3 c 2c 46 66

Table 4. SSb1

0 1 2 3 4 5 6 7 8 9 a b c d e f
0 88 8a 4b cb ac ae 6f ef 80 82 43 c3 94 96 57 d7
1 a8 aa 6b eb 8c 8e 4f cf 98 9a 5b db 9c 9e 5f df
2 b4 b6 77 f7 a4 a6 67 e7 90 92 53 d3 84 86 47 c7
3 bc be 7f ff a0 a2 63 e3 b8 ba 7b fb b0 b2 73 f3
4 ca c8 4a a ee ec 6e 2e c2 c0 42 2 d6 d4 56 16
5 ea e8 6a 2a ce cc 4e e da d8 5a 1a de dc 5e 1e
6 f6 f4 76 36 e6 e4 66 26 d2 d0 52 12 c6 c4 46 6
7 fe fc 7e 3e e2 e0 62 22 fa f8 7a 3a f2 f0 72 32
8 8 89 9 8b 2c ad 2d af 0 81 1 83 14 95 15 97
9 28 a9 29 ab c 8d d 8f 18 99 19 9b 1c 9d 1d 9f
a 34 b5 35 b7 24 a5 25 a7 10 91 11 93 4 85 5 87
b 3c bd 3d bf 20 a1 21 a3 38 b9 39 bb 30 b1 31 b3
c 49 c9 48 b 6d ed 6c 2f 41 c1 40 3 55 d5 54 17
d 69 e9 68 2b 4d cd 4c f 59 d9 58 1b 5d dd 5c 1f
e 75 f5 74 37 65 e5 64 27 51 d1 50 13 45 c5 44 7
f 7d fd 7c 3f 61 e1 60 23 79 f9 78 3b 71 f1 70 33
10 Z. Chen et al.

Table 5. SSb2

0 1 2 3 4 5 6 7 8 9 a b c d e f
0 44 c3 47 43 40 c0 c2 42 54 d3 57 53 50 d0 d2 52
1 3c bb 3f 3b 38 b8 ba 3a 7c fb 7f 7b 78 f8 fa 7a
2 74 f3 77 73 70 f0 f2 72 64 e3 67 63 60 e0 e2 62
3 34 b3 37 33 30 b0 b2 32 14 93 17 13 10 90 92 12
4 4 83 7 3 0 80 82 2 4c cb 4f 4b 48 c8 ca 4a
5 c 8b f b 8 88 8a a 5c db 5f 5b 58 d8 da 5a
6 2c ab 2f 2b 28 a8 aa 2a 6c eb 6f 6b 68 e8 ea 6a
7 24 a3 27 23 20 a0 a2 22 1c 9b 1f 1b 18 98 9a 1a
8 45 c7 46 41 c4 c5 c6 c1 55 d7 56 51 d4 d5 d6 d1
9 3d bf 3e 39 bc bd be b9 7d ff 7e 79 fc fd fe f9
10 75 f7 76 71 f4 f5 f6 f1 65 e7 66 61 e4 e5 e6 e1
11 35 b7 36 31 b4 b5 b6 b1 15 97 16 11 94 95 96 91
12 5 87 6 1 84 85 86 81 4d cf 4e 49 cc cd ce c9
13 d 8f e 9 8c 8d 8e 89 5d df 5e 59 dc dd de d9
14 2d af 2e 29 ac ad ae a9 6d ef 6e 69 ec ed ee e9
15 25 a7 26 21 a4 a5 a6 a1 1d 9f 1e 19 9c 9d 9e 99

Table 6. SSb3

0 1 2 3 4 5 6 7 8 9 a b c d e f
0 22 2b 20 29 a2 ab 26 2f 4b b 49 9 cb 8b 4f f
1 b2 bb 34 3d 32 3b 36 3f db 9b 5d 1d 5b 1b 5f 1f
2 2 43 0 41 82 c3 6 47 42 3 40 1 c2 83 46 7
3 92 d3 14 55 12 53 16 57 d2 93 54 15 52 13 56 17
4 2a 23 28 21 aa a3 2e 27 6b a 69 8 eb 8a 6f e
5 ba b3 3c 35 3a 33 3e 37 fb 9a 7d 1c 7b 1a 7f 1e
6 62 63 60 61 e2 e3 66 67 6a 4a 68 48 ea ca 6e 4e
7 f2 f3 74 75 72 73 76 77 fa da 7c 5c 7a 5a 7e 5e
8 b4 bd 24 2d b6 bf a6 af dd 9d 4d d df 9f cf 8f
9 b0 b9 30 39 a0 a9 a4 ad d9 99 59 19 c9 89 cd 8d
10 94 d5 4 45 96 d7 86 c7 d4 95 44 5 d6 97 c6 87
11 90 d1 10 51 80 c1 84 c5 d0 91 50 11 c0 81 c4 85
12 bc b5 2c 25 be b7 ae a7 fd 9c 6d c ff 9e ef 8e
13 b8 b1 38 31 a8 a1 ac a5 f9 98 79 18 e9 88 ed 8c
14 f4 f5 64 65 f6 f7 e6 e7 fc dc 6c 4c fe de ee ce
15 f0 f1 70 71 e0 e1 e4 e5 f8 d8 78 58 e8 c8 ec cc
 Cryptanalysis of Midori128 Using Impossible Differential Techniques 11

References
1. Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B.-S., Lee, C., Chang, D., Lee,
J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: a new block cipher suitable
for low-resource device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol.
4249, pp. 46–59. Springer, Heidelberg (2006). doi:10.1007/11894063 4
2. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockci-
pher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol.
4593, pp. 181–195. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74619-5 12
3. Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — a family
of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K.
(eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009).
doi:10.1007/978-3-642-04138-9 20
4. Gong, Z., Nikova, S., Law, Y.W.: KLEIN: a new family of lightweight block ciphers.
In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer,
Heidelberg (2012). doi:10.1007/978-3-642-25286-0 1
5. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In:
Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer,
Heidelberg (2011). doi:10.1007/978-3-642-23951-9 22
6. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw,
M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher.
In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466.
Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2 31
7. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Pic-
colo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES
2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011). doi:10.1007/
978-3-642-23951-9 23
8. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.:
The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd
Annual Design Automation Conference p. 175. ACM, June 2015
9. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T.,
Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H.
(eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg
(2015). doi:10.1007/978-3-662-48800-3 17
10. Lin, L., Wu, W.: Meet-in-the-middle attacks on reduced-round Midori-64. IACR
Cryptology ePrint Archive, 1165 (2015)
11. Guo, J., Jean, J., Nikolić, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace
attack against full Midori64. IACR Cryptology ePrint Archive, 1189 (2015)
12. Chen, Z., Wang, X.: Impossible differential cryptanalysis of Midori. IACR Cryp-
tology ePrint Archive, 535 (2016)
13. Knudsen, L.: DEAL - a 128-bit block cipher. In: NIST AES Proposal (1998)
14. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31
rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS,
vol. 1592, pp. 12–23. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X 2
15. Biham, E., Biryukov, A., Shamir, A.: Miss in the middle attacks on IDEA and
Khufu. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124–138. Springer,
Heidelberg (1999). doi:10.1007/3-540-48519-8 10
16. Phan, R.C.W.: Impossible differential cryptanalysis of 7-round advanced encryp-
tion standard (AES). Inf. Process. Lett. 91(1), 33–38 (2004)
12 Z. Chen et al.

17. Bahrak, B., Aref, M.R.: Impossible differential attack on seven-round AES-128.
Inf. Secur. IET 2(2), 28–32 (2008)
18. Lu, J., Dunkelman, O., Keller, N., Kim, J.: New impossible differential attacks
on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT
2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008). doi:10.1007/
978-3-540-89754-5 22
19. Mala, H., Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M.: Improved impossi-
ble differential cryptanalysis of 7-round AES-128. In: Gong, G., Gupta, K.C. (eds.)
INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010).
doi:10.1007/978-3-642-17401-8 20
20. Liu, Y., Gu, D., Liu, Z., Li, W., Kong, W.: New improved impossible differ-
ential attack on reduced-round AES-128. In: Park, J.J., Chao, H.-C., Obaidat,
M.S., Kim, J. (eds.) Computer Science and Convergence: CSA 2011 and WCC
2011 Proceedings. LNEE, pp. 453–461. Springer, Heidelbreg (2012). doi:10.1007/
978-94-007-2792-2 43
21. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossi-
ble differential attacks: applications to CLEFIA, camellia, LBlock and Simon. In:
Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199.
Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8 10
 The Distribution of 2n -Periodic Binary
Sequences with Fixed k-Error Linear Complexity

Wenlun Pan1,2(B) , Zhenzhen Bao1,2 , Dongdai Lin1 , and Feng Liu1,2

1
State Key Laboratory of Information Security,
Institute of Information Engineering, Chinese Academy of Sciences,
Beijing 100093, China
wylbpwl@gmail.com, baozhenzhen10@gmail.com, {ddlin,liufeng}@iie.ac.cn
2
University of Chinese Academy of Sciences, Beijing 100049, China

Abstract. The linear complexity and k-error linear complexity of

sequences are important measures of the strength of key-streams gener-
ated by stream ciphers. Fu et al. studied the distribution of 2n -periodic
binary sequences with 1-error linear complexity in their SETA 2006
paper. Recently, people have strenuously promoted the solving of this
problem from k = 2 to k = 4 step by step. Unfortunately, it still remains
difficult to obtain the solutions for larger k. In this paper, we propose a
new sieve method to solve this problem. We first define an equivalence
relationship on error sequences and build a relation between the number
of sequences with given k-error linear complexity and the number of pair-
wise non-equivalent error sequences. We introduce the concept of cube
fragment and build specific equivalence relation based on the concept
of the cube classes to figure out the number of pairwise non-equivalent
error sequences. By establishing counting functions for several base cases
and building recurrence relations for different cases of k and L, it is easy
to manually get the complete counting function when k is not too large.
And an efficient algorithm can be derived from this method to solve the
problem using a computer when k is large.

Keywords: Sequence · Linear complexity · k-Error linear complexity ·

Counting function · Cube theory

1 Introduction
The linear complexity of sequence S = (s0 s1 s2 ...), denoted by LC(S), is defined
as the length of the shortest linear feedback shift register (LFSR) that can gener-
ate S. Using Berlekamp-Massey algorithm [6], the LFSR that generates a given
sequence can be determined by using only the first 2L elements of the sequence,
where L is the linear complexity of the sequence.
For a positive integer N , the sequence S is called N -periodic if si+N = si
for all i ≥ 0. Denote the set of all N -periodic binary sequence by S N . For any
sequence S ∈ S N , define the polynomial corresponding to S as
S(x) = s0 + s1 x + s2 x2 + ... + sN −1 xN −1 .

c Springer International Publishing AG 2016
F. Bao et al. (Eds.): ISPEC 2016, LNCS 10060, pp. 13–36, 2016.
DOI: 10.1007/978-3-319-49151-6 2
14 W. Pan et al.

Lemma 1 [1]. The linear complexity of the N -periodic binary sequence S

denoted by LC(S) is given by

LC(S) = N − deg(gcd(xN + 1, S(x))).

where S(x) = s0 + s1 x + s2 x2 + ... + sN −1 xN −1 is the corresponding polynomial.

Given a sequence S ∈ S N and a number m, where 0 ≤ m < N ,

we denote the Hamming weight of S and that of m as wH (S) and wH (m)
which means the number of nonzero elements in S and the number of 1 in
the binary representation of m. For any two sequences S, S  ∈ SN , where
S = (s0 s1 ...sN −1 ), S  = (s0 s1 ...sN −1 ), we define the summation of the two
sequences as S + S  = (u0 u1 ...uN −1 ), where ui = si + si .
For a cryptographically strong sequence, the linear complexity should not
decrease drastically if a few symbols are changed. That means the linear com-
plexity should be stable when we change some bits of the stream. This observa-
tion gives rise to the concept of k-error linear complexity of sequences which is
introduced in [1,10].

Definition 1 [1,10]. For any sequence S ∈ S N , denote the k-error linear com-
plexity of S by LCk (S) which is given by

LCk (S) = min LC(S + E)

E∈S N , wH (E)≤k

where 0 ≤ k ≤ N and the sequence E is called the error sequence.

The counting function of a sequence complexity measure gives the number

of sequences with a given complexity measure value. It is useful to determine
the expected value and variance of a given complexity measure of a family of
sequences. Besides, the exact number of available good sequences with high
complexity measure value in a family of sequences can be known. Rueppel [9]
determined the counting function of linear complexity for 2n -periodic binary
sequences as follow:
Lemma 2 [9]. Let N (L) and A(L) respectively denote the number of and the
set of 2n -periodic binary sequences with given linear complexity L, where 0 ≤
L ≤ 2n . Then
N (0) = 1, A(0) = {(00 · · · 0)}, and
L−1 2n 2n −L n
N (L) = 2 , A(L) = {S ∈ S : S(x) = (1 + x) a(x), a(1) = 0} f or 1 ≤ L ≤ 2 .

In this paper, we study the counting function for the number of 2n -periodic
binary sequences with given k-error linear complexity. By using algebraic and
combinatorial methods, Fu et al. [2] derived the counting function for the
1-error linear complexity in their SETA 2006 paper. Kavuluru [3,4] character-
ized 2n -periodic binary sequences with given 2-error or 3-error linear complexity
and obtained the counting functions. Unfortunately, those results in [3,4] on
the counting function of 3-error linear complexity are not completely correct
 The k-Error Linear Complexity Distribution 15

[11]. After that, Zhou et al. use sieve method of combinations to sieve sequences
S + E with LCk (S + E) = L in S + E where S = {S ∈ S N : LC(S) = L},
E = {E ∈ S N : wH (E) ≤ k} and S + E = {S + E : S ∈ S and E ∈ E}. And
they obtained the complete counting functions for k = 2, 3 [13]. In the informal
publication paper [12], Zhou et al. also study the counting functions for k = 4, 5.
In the paper [8], Ming Su proposes a novel decomposing approach to study the
complete set of error sequences and get the counting function for k ≤ 4. However,
those methods will become very complex when k becomes larger.
In this paper we propose a new sieve method to study this problem. Firstly,
we define an equivalence relationship on error sequences and build a relation
between the number of sequences with given k-error linear complexity and the
number of pairwise non-equivalent error sequences. We propose a sieve process
to figure out the number of counted pairwise non-equivalent error sequences.
During the sieve process, a concept of cube fragment are used to characterize
error sequences and to determine whether an error sequence should be sieved.
By using the cube fragment and building specific equivalence relation based on
cube classes, and by combinational theory we get the number of pairwise non-
equivalent error sequences. By establishing counting functions for several base
cases and building recurrence relations for different cases of k and L, it is easy
to manually get the complete counting function when k is not too large. And an
efficient algorithm can be derived from this method to solve the problem using
a computer when k is large. Experiment results got by the implementation of
the algorithm are shown in Table 2, which is unfeasible to get by other methods
and by native exhaustive method.
Notice that, we analyze error sequences, instead of analyzing the resulted
modified sequences which is did in [13]. That contributes to the simplicity of
the method. The original cube concepts are introduced to compute the stable
k-error linear complexity of periodic sequences in [14]. In this paper, we extend
the concept of cubes to cube fragment and cube class to get counting functions.

2 Preliminaries
This section sets up notations and summarizes preliminary facts used in subse-
quent sections.
Lemma 3 [7]. Let S be a 2n -periodic binary sequence. Then LC(S) = 2n if and
only if the Hamming weight of the sequence S is odd.
By Lemma 3, modifying only one bit in a binary sequence with periodic 2n will
result in the change of the linear complexity of this sequence. Consequently, we
can resolve the problem of characterization of 2n -periodic binary sequences with
given k-error linear complexity into two sub-problems which will be introduced
in detail at the end of this section.
Lemma 4 [7]. Let S and S  be two 2n -periodic binary sequences. Then we have
LC(S + S  ) = max{LC(S), LC(S  )} if LC(S) = LC(S  ), and LC(S + S  ) <
LC(S) for otherwise.
16 W. Pan et al.

Lemma 4 shows that to decrease the linear complexity of a given 2n -periodic

binary sequence by adding an error sequence, the error sequence must have the
same linear complexity with the given sequence.
For a given sequence S ∈ S N , denote merr(S) = min{k : LCk (S) < LC(S)}
which indicates the minimum value k such that LCk < LC(S), and which is
called the first descend point of linear complexity of S. Kurosawa et al. in [5]
derived a formula for the exact value of merr(S).

Lemma 5 [5]. Let S be a nonzero 2n -periodic binary sequence, then merr(S) =

n
2wH (2 −LC(S)) .

Lemma 5 shows a relation between linear complexity and k-error linear complex-
n
ity of a sequence, that is, we must modify at least 2wH (2 −LC(S)) bits in sequence
S to decrease the linear complexity of S.
For a given sequence S ∈ S N , denote the support set of S by supp(S),
which is the set of positions of the nonzero elements in S, that is, supp(S) =
{i : si = 0, 0 ≤ i < N }. And we also call the elements in supp(S) as points.
Let Zm = {0, 1, 2, · · · , m − 1} and denote P(Zm ) the power set of Zm which
is the set of all subsets of Zm , that is P(Zm ) = {U : U ⊆ Zm }. Notice that
the set P(ZN ) is one to one corresponding to S N . Especially, the empty set in
P(ZN ) corresponds to the all-zero sequence in S N . Hence, we define the linear
complexity of a set U ∈ P(ZN ) as the linear complexity of the sequence which
it is corresponding to.
In [14], the authors use cube theorem to study the stable k-error linear com-
plexity of periodic sequences. In this paper we use support set to define a cube
which will be convenient for us to propose the concept of cube fragment and to
study the counting functions.

Definition 2. Let u, v be two different none-negative integers, we define the

distance between u and v as 2t and denote d(u, v) = 2t if |u − v| = 2t b and 2  |b.

According to the definition of distance, it can easily be verified that for any dif-
ferent none-negative integers u1 , u2 , u3 , if d(u1 , u2 ) = d(u1 , u3 ), then d(u2 , u3 ) >
d(u1 , u2 ), otherwise d(u2 , u3 ) = min{d(u1 , u2 ), d(u1 , u3 )}.

Definition 3. Let U, V be two nonempty subsets of ZN , define the distance

between U and V as:
 
min{d(u, v) : u ∈ U, v ∈ V }, U V = ∅
d(U, V ) = .
0 otherwise

Lemma 6. Let U, V be two  nonempty subsets of ZN . If 0 < d(U, V ) <

min{d(U ), d(V )}, then U V = ∅ and d(u, v) = d(U, V ) for any u ∈ U, v ∈ V.

Proof. Because d(U, V ) > 0, then U V = ∅. Suppose d(U, V ) = d(u0 , v0 )
where u0 ∈ U, v0 ∈ V . Then for any u ∈ U, v ∈ V , according to Definitions 2
and 3, we have d(u, v0 ) = min{d(u, u0 ), d(u0 , v0 )} = d(u0 , v0 ). Then d(u, v) =
min{d(u, v0 ), d(v0 , v)} = d(u0 , v0 ) = d(U, V ). 
Another random document with
no related content on Scribd:
 The ointment-bearing women as they came with myrrh unto thy
grave, O Saviour, wail’d; but an angel spake with them, and said,
Why reckon ye the living with the dead? for he is risen from the
grave as God.
Glory to the Father....
Let us adore the Father, and his Son, also the Holy Ghost, the
Holy Trinity in substance one, exclaiming with the seraphim, Thou
holy, holy, holy art, O Lord.
Both now and ever....
Thou, Virgin, who didst bear the Giver of life, hast Adam ransomed
from sin, and Eve hast given joy instead of grief; for he that was
made flesh of thee, the God and man, hath them that fell from life
restored thereunto.[4]
XIV. Glory to God in the highest, and on earth peace, goodwill to
men. We hymn thee, we bless thee, we worship thee, we glorify
thee, we give thanks to thee for thy great glory, O Lord, the heavenly
King, O God, the Father almighty, O Lord, the only-begotten Son,
Jesus Christ, and O Holy Ghost. O Lord God, O Lamb of God, O
Son of the Father, thou that takest away the sins of the world, have
mercy upon us; thou that takest away the sins of the world, accept
our prayer. Thou that sittest on the right hand of the Father, have
mercy upon us. For thou alone art holy, thou alone art Lord, O Jesus
Christ, to the glory of God the Father. Amen. Every day will I bless
thee, and I will praise thy name to ages, and to ages of ages. Lord,
thou hast been our refuge in generation and generation. I have said,
O Lord, have mercy upon me, heal my soul, for I have sinned
against thee. Lord, I have fled unto thee, teach me to do thy will, for
thou art my God; for with thee is the fountain of life, in thy light shall
we see light: O continue forth thy mercy to them that know thee.
Vouchsafe, O Lord, to keep us this day without sin. Blessed art
thou, O Lord, O God of our fathers, and praised and glorified is thy
name to ages. Amen. O Lord, may thy mercy be upon us, like as we
have put our trust in thee. Blessed art thou, O Lord, O teach me by
thy statutes. Blessed art thou, O Master, give me understanding by
thy statutes. Blessed art thou, O Holy One, enlighten me in thy
statutes. O Lord, thy mercy endureth for ever, despise not the work
of thy hand. To thee is due praise, to thee is due a song, to thee is
due glory, to the Father, and to the Son, and to the Holy Ghost, now
and ever, and to ages of ages. Amen.[5]
XV. It is a good thing to give thanks unto the Lord, and to sing unto
thy name, O Most High, to proclaim thy mercy in the morning, and
thy truth every night.
XVI. The irmi of the great canon.
1. A help and protection hath he become unto me unto salvation,
he is my God, and I will glorify him, my father’s God, and I will exalt
him; for he is glorified in glorious wise.
2. Give ear, O heaven, and I will speak, and I will sing Christ who
hath come in flesh from the Virgin.
See ye, see ye, that I am God, who of old rained manna, and
caused water to spring from the rock in the wilderness for my people,
by my sole right hand and by my strength.
3. On thy commandments’ unmov’d rock, stablish thy church, O
Christ.
Stablish my fainting heart, O Lord, on thy commandments’ rock;
for thou alone art holy and the Lord.
4. The prophet heard of thine approach, O Lord, and fear’d; for
thou didst purpose of the Virgin to be born, and to appear ’mongst
men; and he exclaim’d, I heard the report of thee, and feared: glory
to thy power, O Lord.
5. Rising from the night betimes, O lover of mankind, I pray,
Enlighten me, and lead me in thine ordinances, and teach me,
Saviour, to perform thy will.
6. I cried with my whole heart to the merciful God, and he heard
me from the lowest hades, and brought back my life from corruption.
7. We have sinned, we have transgressed, we have been
unrighteous before thee, we have neither loved nor wrought that
which thou hast commanded us; still, cast us not away at the last, O
God of our fathers.
8. Him that heaven’s hosts glorify, and at whose presence quake
the cherubim and seraphim, let every spirit and creature sing, bless,
and set up for evermore.
9. From conception seedless unspeakable’s the birth, of Mother
husbandless corruptless is the fruit; for God’s nativity hath nature
form’d anew. Then we, all generations, right-believingly thee magnify
as Mother who was divinely wed.
XVII. Thou who man-lovingly in depth of wisdom orderest all, and
unto all dost grant that which of service is, O Maker sole; rest thou
thy servants’ souls, O Lord, for they have plac’d their trust in thee,
Our Maker, and our Author, and our God.
We have thee as a fortress and a haven, and am accepted
mediatress with God, whom thou didst bear, God-bearing one
unwed, salvation thou of them that faithful be.[6]
XVIII. God is the Lord, and hath manifested himself unto us:
blessed is he that cometh in the name of the Lord.[7]
XIX. Hear us, O God our Saviour, thou hope of all the ends of the
earth, and of them that are far away upon the sea; and be merciful,
be merciful, O Master, concerning our sins, and have mercy upon us.
For a merciful and man-loving God thou art, and to thee we ascribe
glory, to the Father, and to the Son, and to the Holy Ghost, now and
ever, and to ages of ages.
XX. Blessed be the name of the Lord, from henceforth, and to all
ages.
XXI. Forgive, remit, concede, O God, our sins, voluntary and
involuntary, those in word and in deed, those in knowledge and in
ignorance, those in the day and in the night, those in thought and in
intention; concede them all to us, as being good and lover of
mankind.
 XXII. And may the mercies of the great God and of our Saviour
Jesus Christ be with all of you.[8]
 NOTE III.
THE EASTER CANON, ETC. TO ELUCIDATE CHAPTER XVII.

Troparion. Tone v.
Christ is risen from the dead, death by death down doth he tread,
and on them that dwell in graves he bestoweth life.
Verse. Let God arise, and let his enemies be scattered, and let
them that hate him flee from before him.
Verse. As smoke is driven away, so drive them away, as wax
melteth at the presence of fire,
Verse. So let the sinners perish at the presence of God, but let the
righteous rejoice.
Verse. This is the day which the Lord hath made, let us rejoice and
be glad therein.
Verse. Glory to the Father, and to the Son, and to the Holy Ghost.
Verse. Both now and ever, and to ages of ages. Amen.
And to every verse the troparion, Christ is risen ... is added.
The Canon in tone i. Ode i.
Irmos. It is the day of resurrection! Ye folk, be we enlightened! It is
the Pascha, the Pascha of the Lord! For out of death to life, and unto
heaven from earth Christ God hath led us forth, us, singing victory’s
song.
Refrain. Christ is risen from the dead! This is said before every
Troparion in all the Odes unless otherwise indicated.
Troparion. Let us the senses cleanse, and we shall see, in light
accessless of the resurrection shining Christ, and we shall clearly
hear him saying, Hail! we, singing victory’s song.
Troparion. Let heaven, for ’tis meet, rejoice; and let the earth be
glad; and let the world, all that unseen is and is seen, keep festival;
for Christ is risen: joy eterne!
The Irmos is repeated, and they sing, Christ is risen ... the whole.
And so after every Ode.
Ode iii.
Irmos. Come, let us drink the beverage new, not that from barren
rock in wondrous wise outpour’d; but incorruption’s fount, shower’d
from the grave of Christ, in whom we stablish’d are.
Troparion. Now fill’d is all with light, the heaven, the earth, yea,
and the underworld. Then let the whole creation festal keep for
Christ’s awake, whereby it stablish’d is.
Troparion. I was entomb’d with thee, Christ, yesterday: to-day, at
thine arising, I awake. With thee I yesterday was crucified: O
Saviour, in thy kingdom me glorify with thee.
Hypacoë. Tone iv.
Preventing the dawn, and finding the stone rolled away from the
grave, they that accompanied Mary from an angel heard, Why seek
ye as a man among the dead him that in light accessless dwells?
Behold the swathes of death! Hasten, and tell the world the Lord is
risen, who slayeth death; for he is Son of God, who saves the race of
men.
Ode iv.
Irmos. With us on watching tower divine may the inspired
Abbacum stand, and show a radiant angel speaking plain,
Salvation’s for the world to-day; for Christ, th’ almighty one, is risen.
Troparion. Christ hath appeared as a male opening the Virgin’s
womb. As mortal, he is call’d a lamb; as undefil’d by stain, our
Pasch; and, as true God, he’s perfect nam’d.
Troparion. As yearling lamb our blessed crown, even Christ, of his
own will, as cleansing Pasch, was slain for all; and from the grave
hath shin’d to us again, he, glorious Sun of righteousness.
Troparion. David, divine forefather, leap’d, dancing the typical ark
before; and, we, beholding types fulfill’d, be we divinely glad, we,
holy folk of God; for Christ, th’ almighty one, is risen.
Ode v.
Irmos. In the deep dawn let us arise, and let us bring, instead of
myrrh, the Lord a song, and we the Sun of righteousness shall see,
Christ shining life to all.
Troparion. They that were held by hades’ bonds when they thy
boundless pity saw, hasten’d, O Christ, unto the light, praising, with
joyful feet, th’ eternal Pasch.
Troparion. Bearing the lamps, precede we Christ, who, as a
bridegroom, from the grave comes forth, and, with the festal-loving
ranks, let us together keep the saving Pasch of God.
Ode vi.
Irmos. Thou didst descend into earth’s lowest parts, O Christ, and
break the eternal bonds that held the captives bound, and the third
day didst rise out of the sepulchre, as Jonas from the whale.
Troparion. Keeping the seals entire, thou didst arise, O Christ, out
of the sepulchre, who, at thy birth, didst not destroy the virgin bars;
and thou hast op’d to us the doors of paradise.
Troparion. My Saviour, who, as God, didst to the Father bring
thyself, of thine own will, an offering living and unsacrific’d also,
arising from the grave, thou hast, along with thee, raised all Adam’s
race.
Condakion. Tone viii.
If into the grave thou didst descend, Immortal One, yet didst thou
overthrow the might of hades, and, as victor, rise, Christ God, unto
the women bearing myrrh exclaiming, Hail! and giving peace to thine
apostles, O thou that grantest resurrection unto them that fallen be.
Icos.
The Sun, that was before the sun, set once within a grave, the
maidens bearing myrrh, preventing dawn, sought as the day, and
unto one another cried, Come ye, O friends, let us with scents anoint
the body that life-bringing is, and buried is, the flesh, that raiseth
fallen Adam, that lieth in a grave. Let us go on, let us make haste,
like as the Magi did; and let us bring the myrrh as gift to him that’s
wrapp’d, not in the swaddling bands, but in a winding-sheet; and let
us weep, and let us cry, Master, arise, who grantest resurrection unto
them that fallen be.
Ode vii.
Irmos. He that delivered the children from the furnace became
man, and suffered as mortal, and, by his suffering, endued the
mortal with the beauty of immortality, even he, our fathers’ God, who
only blessed and most glorious is.
Troparion. The women who were divinely wise sped back to thee
with myrrh; and him whom they sought with tears as mortal, they
worshipp’d with joy as living God; and told, O Christ, to thy disciples
the glad tidings of the mystic Pasch.
Troparion. We celebrate the death of death, the overthrow of
hades, the first-fruits of another life that endless is, and sing
exultingly the Cause, even him, our fathers’ God, who only blessed
and most glorious is.
Troparion. How truly sacred and all-festal is this saving and
brightly beaming night, which heraldeth the rising of the splendour-
bearing day, on which the ageless Light in flesh hath shin’d to all
from out the grave.
Ode viii.
Irmos. This is the chosen and holy day, the one that is of sabbaths
king and lord. It feast of feasts is, and triumph is of triumphs, on
which we bless Christ for aye.
Troparion. Come, let us in the vine’s new fruit participators be of
joy divine on the auspicious day of resurrection to Christ’s kingdom,
singing him, as God, for aye.
Troparion. Lift up thine eyes, O Sion, round about, and see; for, lo!
thy children come to thee, as lights by God illum’d, from the west and
from the north, from the sea and from the east, in thee blessing
Christ for aye.
 Verse. O most holy Trinity, glory to thee, our God.
Troparion. Almighty Father, Word, and Spirit, nature conjoin’d in
persons three, superessential, God most high, in thee baptized we
have been, and thee we bless for evermore.
Ode ix.
Irmos. Shine, shine, O new Jerusalem; for the glory of the Lord is
risen on thee. Exult now, and rejoice, O Sion; and thou, O pure God-
bearing one, be glad at the rising of thy Child.
Verse. My soul him magnifies, who willingly did suffer and was
buried, and rose the third day from the grave, even Christ, the Giver
of life.
Troparion. O voice of thee divine, most sweet, and dear! for thou
hast promis’d undeceivingly to be with us, O Christ, until the ages
end, which holding as hope’s stablishment, let us, the faithful, joyful
be.
Verse. Christ is the Pascha new, the living sacrifice, the Lamb of
God, who the world’s sins doth take away.
Troparion. O Christ, thou great most sacred Pasch, wisdom, and
Word of God, and power! grant us in wise more perfect to partake of
thee thy kingdom’s day in that no evening hath.
Exapostilarion. Tone ii.
Asleep in flesh as mortal, King and Lord, on the third day thou
didst arise, arousing Adam from corruption and destroying death, O
Pasch of immortality, salvation of the world.
Stichera. Tone v.
Verse. Let God arise....
To-day the sacred Pascha is made manifest to us, the new, the
holy Pasch, the Pascha mystical, the Pascha all-rever’d, the Pascha,
even Christ the ransomer, the Pascha undefil’d, the Pascha great,
the faithful’s Pasch, the Pasch that opes the gates of Paradise to us,
the Pasch that halloweth all that faithful be.
 Verse. As smoke is driven away....
Come from that spectacle, ye women-gospellers, and unto Sion
say, Receive from us the joyful tidings of Christ’s resurrection. Be
fervent, dance, and joy, Jerusalem, beholding Christ the King
proceed as bridegroom from the grave.
Verse. So let the sinners perish....
The women bearing myrrh at early dawn stood the Life-giver’s
grave before, and found an angel sitting on the stone, and he,
accosting them, spake thus, Why seek the living mid the dead? why
the corruptless wail as though he in corruption were? Go, tell ye his
disciples this!
Verse. This is the day which....
Pascha the fervent, Pascha, the Pascha of the Lord, the Pascha
all-rever’d hath risen on us. It Pascha is, let us with joy each other
greet. O Pascha, ransoming from grief! For, shining from the grave
to-day, as bridegroom from a bridal-room, Christ hath with joy the
women fill’d, saying, Tell the disciples this!
Glory. Both now.
It is the day of resurrection, and by the triumph be illuminate we,
and we each other greet, and Brethren! to them that hate us say, and
at the resurrection everything forgive; and on this wise let us
exclaim,
Christ is risen from the dead, death by death down doth he tread,
and on them that dwell in graves he bestoweth life. Three times.
 ADDITIONAL NOTES.
A. Note that in Appendix the word translated Archpriest is in the
original Archiereus, and signifies the Bishop. There is however
another word which can only be translated into English by the term
Archpriest, namely Protoiereus, but this is a title borne by many
priests who are not of episcopal rank.
B. And note that in the Psalms the Orthodox Church follows the
Septuagint and not the Hebrew enumeration.
 ERRATA.
Page xi, line 17 of Notes, omit Archpriest. A Bishop, as
being calculated to give a wrong
impression. See Additional Note A,
page xxxix.
” 51, ” 3 of foot-note, for of read in.
” 61, ” 8, and page 62, line 27, for Gallilee read
Galilee.
” 64, ” 3, for help-meet read helpmeet.
” 103, ” 16, for who read whom.
” 142, lines 10 and 11, and page 158, lines 13 and 14, for
we ask of thee, O Christ, read let us
ask of Christ.
” 158, line 4, after for insert the repose of.
” 160, ” 18, descendants’, omit the apostrophe.

There are, in addition, a few obvious errors in the punctuation.

Transcriber’s Note: The errata have been corrected, including any obvious errors in the
punctuation that were found.
 TREBNIK.

MOSCOW.
At the Synodal Press.
MDCCCLXXXII.

To the glory of the holy, consubstantial, life-creating, and undivided

Trinity, the Father, the Son, and the Holy Ghost; by the command of
our Most Pious, Autocratic Great Lord, THE EMPEROR
ALEXANDER ALEXANDROVITCH of all Russia; before his Consort,
the Most Pious Lady, THE EMPRESS MARIA THEODOROVNA;
before His Heir, the Right-believing Lord, the Cesarevitch and Grand
Duke, NICOLAUS ALEXANDROVITCH; before the Right-believing
Lords, the Grand Dukes, GEORGE and MICHAEL
ALEXANDROVITCH; before the Right-believing Lord, the Grand
Duke, VLADIMIR ALEXANDROVITCH, and before His Consort, the
Lady, the Grand Duchess MARIA PAVLOVNA; before the Right-
believing Lords, the Grand Dukes, CYRIL, BORIS, and ANDREW
VLADIMIROVITCH; before the Right-believing Lords, the Grand
Dukes, ALEXIS, SERGIUS, and PAUL ALEXANDROVITCH; before
the Right-believing Lord, the Grand Duke, CONSTANTINE
NICOLAEVITCH, and before His Consort, the Right-believing Lady,
the Grand Duchess, ALEXANDRA JOSEPHOVNA; before the Right-
believing Lords, the Grand Dukes, NICOLAUS, CONSTANTINE, and
DEMETRIUS CONSTANTINOVITCH; before the Right-believing
Lord, the Grand Duke, NICOLAUS NICOLAEVITCH, and before His
Consort, the Right-believing Lady, the Grand Duchess, ALEXANDRA
PETROVNA; before the Right-believing Lords, the Grand Dukes,
NICOLAUS and PETER NICOLAEVITCH; before the Right-believing
Lord, the Grand Duke, MICHAEL NICOLAEVITCH, and before His
Consort, the Right-believing Lady, the Grand Duchess, OLGA
THEODOROVNA; before the Right-believing Lords, the Grand
Dukes, NICOLAUS, MICHAEL, GEORGE, ALEXANDER, SERGIUS,
and ALEXIS MICHAELOVITCH; and before the Right-believing
Ladies, the Grand Duchess, XENIA ALEXANDROVNA, the Grand
Duchess, MARIA ALEXANDROVNA, and before Her Consort, the
Queen of the Hellenes, OLGA CONSTANTINOVNA, and before Her
Consort, the Grand Duchess, VERA CONSTANTINOVNA, the Grand
Duchess, ANASTASIA MICHAELOVNA, and before Her Consort, the
Queen of Würtenburg, OLGA NICOLAEVNA, and before Her
Consort, the Grand Duchess KATHERINE MICHAELOVNA, and the
Grand Duchess HELEN VLADIMIROVNA; and with the Blessing of
the Most Holy Governing SYNOD, this book TREBNIK, hath been
printed in the royal city of Moscow at the Synodal Press in the year
of the creation of the world viicccxc, and of the birth of God the Word
according to the flesh mdccclxxxii, the xth of the indict, the month of
June.
THE DESIGNATION, WITH HOLY GOD,
OF THE CHAPTERS CONTAINED IN
THIS TREBNIK.
Chap. Page.
I. Prayers on the first day after a child is born to a
woman 1
II. Prayer at the signing of a child when it receiveth a
name on the eighth day after its birth 4
III. Prayers for a parturient woman after forty days 6
IV. Prayer for a woman when she hath aborted a child 11
V. Prayers at the making of a catechumen 13
VI. The order of holy baptism 24
And a prayer for holy baptism, that is, how briefly to
baptize a child because of fear of death 41
Concerning how it behoveth a spiritual person to
behave himself 44
VII. The order concerning confession 46
VIII. Prayer on the releasing from prohibition 51
IX. The order that is used at betrothals 53
X. The order of the coronation 58
XI. Prayer at the taking off of the crowns on the eighth
day 72
XII. The order for a second marriage 73
XIII. The order of the sanctification of the holy oil 83
XIV. The office when in extreme urgency occasion ariseth
to give communion to a sick person 123
XV. Prayerful canon to our Lord Jesus Christ and to the
most holy God-bearing Mother of the Lord at the
parting of the soul from the body of every right-
believer 128
 And the prayer at the departure of a soul 136
XVI. The mortuary order over lay bodies 138
XVII. The ordinance that is observed concerning the
carrying forth of them that fall asleep in holy
Pascha, and in all the bright week 164
XVIII. The mortuary order over a departed priest 169
XIX. The office of the burial of a babe 208
XX. The order of the lesser sanctification of water 225
XXI. The order of the sanctification of water on the holy
Theophany 240
XXIV. Prayer at the blessing of flesh-meat 255
XXV. Prayer at the blessing of cheese and eggs 256
XXVI. Prayer at the partaking of grapes on the vith day of
august 256
XXVII. Prayer for them that gather first-fruits 257
XXVIII. Prayer at the laying of the foundation of a house 258
XXIX. Prayer when one entereth into a new house 258
XXXIII. Prayer for one that purposeth to go on a journey 259
 Chapter I.
PRAYERS ON THE FIRST DAY AFTER A CHILD IS
BORN TO A WOMAN.

Let us pray to the Lord.

Master, Lord Almighty, who healest every sickness, and every
weakness; do thou thyself heal this thine handmaid, name, who to-
day hath borne a child, and raise her from the bed upon which she
lieth; for, according to the words of thy prophet David, we were
conceived in transgressions, and are all defiled before thee. Protect
her, and this child which she hath borne: shelter her under the
covering of thy wings from this day even unto her last end, through
the prayers of the most holy God-bearing one, and of all the Saints;
for blessed art thou to ages of ages. Amen.
Let us pray to the Lord.
Master, Lord our God, who wast born of our most holy Lady, the
God-bearing and ever-virgin Mary, and as a babe wast laid in a
manger, and as a child wast carried in arms; do thou thyself have
mercy upon this thine handmaid, who to-day hath borne this child,
and be gracious unto her voluntary and involuntary offences, and
protect her from every diabolical cruelty; and preserve the child
which she hath borne from every bane, from every harm, from every
hostile rage, from evil spirits of the day and night; and preserve her
under thy mighty hand; and grant unto her a speedy recovery, and
cleansing from defilement, and healing of suffering; and vouchsafe to
her health, and strength of soul and body; and surround her with
bright and shining angels; and preserve her from every approach of
invisible spirits; yea, O Lord, from sickness and infirmity, from
jealousy and envy, and from the glance of eyes; and have mercy
upon her, and upon the child, according to the greatness of thy
mercy; and cleanse her from bodily defilement, and from diverse
inward travail befalling her; and, by thy quick mercy, lead her to
recovery in her bodily affliction. And vouchsafe unto the child which
she hath borne to worship the earthly temple which thou hast
prepared for the glorification of thy holy name. For to thee is due all
glory, honour, and worship, to the Father, and to the Son, and to the
Holy Ghost, now and ever, and to ages of ages. Amen.
Let us pray to the Lord.
O Lord our God, who wast pleased to come down from heaven and
to be born of the holy God-bearing and ever-virgin Mary for the
salvation of us sinners, who knowest the feebleness of human
nature; be gracious, according to the greatness of thy compassions,
unto thine handmaid, name, who to-day hath borne a child. For thou
hast said, O Lord, Be fruitful, and multiply, and replenish the earth,
and subdue it. Therefore we, thy servants, beseech thee, and,
trusting in thy forbearing love to man, with fear invoke the holy name
of thy kingdom, Look down from heaven and behold the feebleness
of us condemned ones, and be gracious unto thine handmaid, name,
and to all the house in which the child hath been born, and to all who
are connected with her; and to all that here assemble be thou
gracious, as the good and man-loving God. For thou alone hast
power to forgive sins, through the prayers of the most holy God-
bearing one, and of all thy Saints. Amen.