Bonwook Koo

Biclique attack on the full HIGHT

HIGHT is a lightweight block cipher proposed at CHES 2006 and included in ISO/IEC 18033-3. In this paper, we apply recently proposed biclique cryptanalysis to attack HIGHT. We show that bicliques can be constructed for 8 rounds in HIGHT, and those are used to recover the 128-bit key for the full rounds of HIGHT with the computational complexity of 2126.4, faster than exhaustive search. This is the first single-key attack result for the full HIGHT.

Improved preimage attack for 68-step HAS-160

In this paper, we improve previous preimage attacks on hash function HAS-160, which is standardized in Korea. We show that the last 68 steps out of 80 steps of HAS-160 can be attacked, while a previous attack works for only intermediate 52 steps. We also show that the first 67 steps of HAS-160 can be attacked. These attacks are based on the meet-in-the-middle attack, which is also used in the previous attack. Recently, various techniques of preimage attacks have been proposed on other hash functions. We show that these techniques can also be applied to HAS-160 and the number of attacked steps can be improved. For the attack on 68 steps, we first generate pseudo-preimages with a complexity of 2150.7, and then convert them to a preimage with a complexity of 2156.3. This attack uses a memory of 212 × 7 words. To the best of our knowledge, attacking 68 steps is the best of all attacks on HAS-160 hash function.

Format-Preserving Encryption Algorithms Using Families of Tweakable Blockciphers

We present two new algorithms, FEA-1 and FEA-2, for secure and efficient format-preserving encryption. Each algorithm is built from a family of dedicated tweakable blockciphers supporting various block bit-lengths. The tweakable blockciphers in the same family have similar structures and are based on common building blocks, enabling security analyses in the same frameworks. Their security follows largely from the structures, the round functions, and the tweak schedules. Their structures are new tweakable Feistel schemes, which are shown to be indistinguishable from tweakable random permutations against adaptive chosen tweak, plaintext, and ciphertext attacks. Their building blocks are shown to have cryptographically strong properties. The proposed algorithms outperform existing ones. They are several times faster than FF1-AES on test platforms.

Preimage attacks on reduced steps of ARIRANG and PKC98-hash

In this paper, we present the preimage attacks on step-reduced ARIRANG and PKC98-Hash. Our attacks find the preimages of 35 steps out of 40 steps of ARIRANG and 80 steps out of 96 steps of PKC98-Hash, faster than the brute force attack. We applied recently developed techniques of preimage attack. Our attack for ARIRANG is the improvement of the previous attack, and our attack for PKC98-hash is the first analysis result of its preimage resistance.

Converting random bits into random numbers

Converting random bits into random numbers is necessary for cryptographic protocols such as key agreements, public key encryptions, digital signatures and so on. In this paper, we propose the simple partial discard method and the complex partial discard method that convert random bits into random numbers. They are up to two times more efficient than standardized techniques.

Security evaluation of double-block-length hash modes with preimage attacks on PGV schemes

In FSE 2011, Sasaki presented the preimage attacks on Davies-Meyer (DM) scheme of 7-round AES and explained conversion of it to the attack on the hash function for 12 secure PGV schemes. In this paper, we apply Sasakis work to Double-Block-Length (DBL) hash modes based on arbitrary blockcipher. We generalize compression functions in several DBL hash modes. Assuming a Sasakis preimage attack on DM scheme of the underlying blockcipher is faster than brute-force attack, we evaluate securities of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks except some case of the generalized MDC-4.

CHAM : A Family of Lightweight Block Ciphers for Resource-Constrained Devices

In this paper, we propose a family of lightweight block ciphers CHAM that has remarkable efficiency on resource-constrained devices. The family consists of three ciphers, CHAM-64/128, CHAM-128/128, and CHAM-128/256 which are of the generalized 4-branch Feistel structure based on ARX (Addition, Rotation, XOR) operations.

IMPERSONATION ATTACK ON THE STRONG IDENTIFICATION BASED ON A HARD-ON-AVERAGE PROBLEM

Abstract. In this paper, we analyze a zero-knowledge identificationscheme presented in [1], which is based on an average-case hard prob-lem, called distributional matrix representability problem . On the con-trary to the soundness property claimed in [1], we show that a simpleimpersonation attack is feasible. 1. IntroductionZero-knowledge proof is an interactive method for one party to convinceanother of knowledge of a secret without revealing any information on thesecret. It has been used in authentication systems where a prover wants toprove her identity to a verifier via some secret information, but does not wantthe verifier or a wiretapper to learn anything about the secret. The zero-knowledge proof must satisfy completeness, soundness, and zero-knowledgeproperty. Completeness is satisfied if an honest verifier always verifies an hon-est prover. Soundness is satisfied if no cheating prover can convince an honestverifier of knowledge of the secret. Zero-knowledge property stipulates that nocheating verifier learns any information on the secret except the fact that theprover knows the secret. Zero-knowledge proofs was introduced in the semi-nal paper of Goldwasser, Micali, and Rackoff [3] and realized as Fiat-Shamirscheme and Schnorr’s scheme [2, 6]. They are based on well known problemsin number theory such like integer factoring problem and discrete logarithmproblem. Since there are no proofs on the hardness of these problems, cryptog-raphers have published alternative schemes based on NP-complete problems incombinatorics, coding theory, graph theory, and so on.NP-complete problems are widely used as basis of cryptographic protocols.However, most of NP-complete problems allow for efficient solvers on randominstances, making useless their worst-case difficulty. For this reason, Levin et al.introduced a notion of