Deukjo Hong

LEA: A 128-Bit Block Cipher for Fast Encryption on Common Processors

We propose a new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size. It provides a high-speed software encryption on general-purpose processors. Our experiments show that LEA is faster than AES on Intel, AMD, ARM, and ColdFire platforms. LEA can be also implemented to have tiny code size. Its hardware implementation has a competitive throughput per area. It is secure against all the existing attacks on block ciphers.

Biclique attack on the full HIGHT

HIGHT is a lightweight block cipher proposed at CHES 2006 and included in ISO/IEC 18033-3. In this paper, we apply recently proposed biclique cryptanalysis to attack HIGHT. We show that bicliques can be constructed for 8 rounds in HIGHT, and those are used to recover the 128-bit key for the full rounds of HIGHT with the computational complexity of 2126.4, faster than exhaustive search. This is the first single-key attack result for the full HIGHT.

Improved preimage attack for 68-step HAS-160

In this paper, we improve previous preimage attacks on hash function HAS-160, which is standardized in Korea. We show that the last 68 steps out of 80 steps of HAS-160 can be attacked, while a previous attack works for only intermediate 52 steps. We also show that the first 67 steps of HAS-160 can be attacked. These attacks are based on the meet-in-the-middle attack, which is also used in the previous attack. Recently, various techniques of preimage attacks have been proposed on other hash functions. We show that these techniques can also be applied to HAS-160 and the number of attacked steps can be improved. For the attack on 68 steps, we first generate pseudo-preimages with a complexity of 2150.7, and then convert them to a preimage with a complexity of 2156.3. This attack uses a memory of 212 × 7 words. To the best of our knowledge, attacking 68 steps is the best of all attacks on HAS-160 hash function.

Improved known-key distinguishers on Feistel-SP ciphers and application to camellia

This paper revisits previous known-key distinguishers on generic Feistel-SP ciphers based on rebound attacks. In this paper first we propose a new 5-round inbound phase that requires 2c computations, while the previous work requires 22c computations (c is a size of the S-box). The new method also improves the number of rounds which can be attacked. Then, we apply the new procedure to Camellia. After several optimizations for Camellia, it is shown that collisions are efficiently generated against 9 rounds out of 18 rounds of Camellia-128 including FL and whitening layers in the compression function modes such as MMO and Miyaguchi-Preneel modes. The attack on Camellia is verified by a machine experiment and the generated results are presented in the paper.

LSH: A New Fast Secure Hash Function Family

Since Wang’s attacks on the standard hash functions MD5 and SHA-1, design and analysis of hash functions have been studied a lot. NIST selected Keccak as a new hash function standard SHA-3 in 2012 and announced that Keccak was chosen because its design is different from MD5 and SHA-1/2 so that it could be secure against the attacks to them and Keccak ’s hardware efficiency is quite better than other SHA-3 competition candidates. However, software efficiency of Keccak is somewhat worse than present standards and other candidates. Since software efficiency becomes more important due to increase of kinds and volume of communication/storage data as cloud and big data service spread widely, its software efficiency degradation is not desirable.

Preimage attacks on reduced steps of ARIRANG and PKC98-hash

In this paper, we present the preimage attacks on step-reduced ARIRANG and PKC98-Hash. Our attacks find the preimages of 35 steps out of 40 steps of ARIRANG and 80 steps out of 96 steps of PKC98-Hash, faster than the brute force attack. We applied recently developed techniques of preimage attack. Our attack for ARIRANG is the improvement of the previous attack, and our attack for PKC98-hash is the first analysis result of its preimage resistance.

Security evaluation of double-block-length hash modes with preimage attacks on PGV schemes

In FSE 2011, Sasaki presented the preimage attacks on Davies-Meyer (DM) scheme of 7-round AES and explained conversion of it to the attack on the hash function for 12 secure PGV schemes. In this paper, we apply Sasakis work to Double-Block-Length (DBL) hash modes based on arbitrary blockcipher. We generalize compression functions in several DBL hash modes. Assuming a Sasakis preimage attack on DM scheme of the underlying blockcipher is faster than brute-force attack, we evaluate securities of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks except some case of the generalized MDC-4.

Improved preimage attacks on hash modes of 8-round AES-256

We observe the slow diffusion of the AES key schedule for 256-bit keys and find weakness which can be used in the preimage attack on its Davies-Meyer mode. Our preimage attack works for 8 rounds of AES-256 with the computational complexity of 2124.9. It is comparable with Bogdanov et al.’s biclique-based preimage attack on AES-256, which is applicable up to full rounds but has the computational complexity more than 2126.5. We also extend our result to the preimage attack on some well-known double-block-length hash modes assuming the underlying block cipher is 8-round AES-256, whose computational complexity is 2252.9.

Higher order eTCR hash functions

Abstract We study higher order eTCR (enhanced target collision resistance) hash functions, where r th-order eTCR is denoted by eTCR ( r ) . We prove that a few rounds of the MD (Merkle–Damgard) scheme and a few levels of the TR (tree) scheme can be eTCR under the compression function is eTCR ( r ) for some positive integer r . Additionally, we prove that the TH (tree hash) scheme also preserves eTCR.