Publication


Featured research published by Donghoon Chang.


cryptographic hardware and embedded systems | 2006

HIGHT: a new block cipher suitable for low-resource device

Deukjo Hong; Jaechul Sung; Seokhie Hong; Jongin Lim; Sangjin Lee; Bonseok Koo; Changhoon Lee; Donghoon Chang; Jesang Lee; Kitae Jeong; Hyun Kim; Jongsung Kim; Seongtaek Chee

In this paper, we propose a new block cipher HIGHT with 64-bit block length and 128-bit key length. It provides low-resource hardware implementation, which is proper to ubiquitous computing device such as a sensor in USN or a RFID tag. HIGHT does not only consist of simple operations to be ultra-light but also has enough security as a good encryption algorithm. Our hardware implementation of HIGHT requires 3048 gates on 0.25 μm technology.


international conference on information security and cryptology | 2003

Differential Cryptanalysis of TEA and XTEA

Seokhie Hong; Deukjo Hong; Youngdai Ko; Donghoon Chang; Wonil Lee; Sangjin Lee

TEA and XTEA are simple block ciphers consisting of exclusive-or, addition, and shift. Although their round functions are very simple and guarantee a little security, large number of 64 rounds have made them secure enough. It seems that the best result for TEA is the related-key attack in [3], but it is less reasonable than such attacks for one key as differential and linear attacks. Impossible differential attacks on 12-round TEA and 14-round XTEA are best results except for related-key attack [5]. We suggest differential and truncated differential attacks on TEA and XTEA better than them. Our best results on TEA and XTEA are attacks on 17-round TEA and 23-round XTEA.


fast software encryption | 2006

A new dedicated 256-bit hash function: FORK-256

Deukjo Hong; Donghoon Chang; Jaechul Sung; Sangjin Lee; Seokhie Hong; Jaesang Lee; Dukjae Moon; Sungtaek Chee

This paper describes a new software-efficient 256-bit hash function, FORK-256. Recently proposed attacks on MD5 and SHA-1 motivate a new hash function design. It is designed not only to have higher security but also to be faster than SHA-256. The performance of the new hash function is at least 30% better than that of SHA-256 in software. And it is secure against any known cryptographic attacks on hash functions.


international conference on cryptology in india | 2006

RC4-hash: a new hash function based on RC4

Donghoon Chang; Kishan Chand Gupta; Mridul Nandi

In this paper, we propose a new hash function based on RC4 and we call it RC4-Hash. This proposed hash function produces variable length hash output from 16 bytes to 64 bytes. Our RC4-Hash has several advantages over many popularly known hash functions. Its efficiency is comparable with widely used known hash function (e.g., SHA-1). Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1 and on RIPEMD, there is a serious need to consider other hash function design strategies. We present a concrete hash function design with completely new internal structure. The security analysis of RC4-Hash can be made in the view of the security analysis of RC4 (which is well studied) as well as the attacks on different hash functions. Our hash function is very simple and rules out all possible generic attacks. To the best of our knowledge, the design criteria of our hash function is different from all previously known hash functions. We believe our hash function to be secure and will appreciate security analysis and any other comments.


international conference on the theory and application of cryptology and information security | 2003

New Parallel Domain Extenders for UOWHF

Wonil Lee; Donghoon Chang; Sangjin Lee; Soo Hak Sung; Mridul Nandi

We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is complete binary tree based construction and has less key length expansion than Sarkar’s construction which is the previously best known complete binary tree based construction. But only disadvantage is that here we need more key length expansion than that of Shoup’s sequential algorithm. But it is not too large as in all practical situations we need just two more masks than Shoup’s. Our second algorithm is based on non-complete l-ary tree and has the same optimal key length expansion as Shoup’s which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and Shoup’s sequential algorithm are the minimum possible for any algorithms in a large class of “natural” domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However if l is getting larger, then the parallelizability of the construction is also getting near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.


fast software encryption | 2008

Second Preimage Attack on 3-Pass HAVAL and Partial Key-Recovery Attacks on HMAC/NMAC-3-Pass HAVAL

Eunjin Lee; Donghoon Chang; Jongsung Kim; Jaechul Sung; Seokhie Hong

In 1992, Zheng, Pieprzyk and Seberry proposed a one-way hashing algorithm called HAVAL, which compresses a message of arbitrary length into a digest of 128, 160, 192, 224 or 256 bits. It operates in so-called passes where each pass contains 32 steps. The number of passes can be chosen equal to 3, 4 or 5. In this paper, we devise a new differential path of 3-pass HAVAL with probability 2^{-114}, which allows us to design a second preimage attack on 3-pass HAVAL and partial key recovery attacks on HMAC/NMAC-3-pass HAVAL. Our partial key-recovery attack works with 2^{122} oracle queries, 5·2^{32} memory bytes and 2^{96} 3-pass HAVAL computations.


international conference on information security and cryptology | 2005

Finding collision on 45-step HAS-160

Aaram Yun; Soo Hak Sung; Sangwoo Park; Donghoon Chang; Seokhie Hong; Hong Su Cho

HAS-160 is a cryptographic hash function designed and used widely in Korea. While similar in structure to SHA-1, up to now there was no published attack or security analysis of the algorithm. Applying techniques introduced by Wang et al. [1], we have found collision in the first 45 steps of HAS-160, with complexity 2^{12}.


Lecture Notes in Computer Science | 2006

A weak key class of XTEA for a related-key rectangle attack

Eunjin Lee; Deukjo Hong; Donghoon Chang; Seokhie Hong; Jongin Lim

XTEA is a block cipher with a very simple structure but there has not been found attack even for half of full round version, i.e. 32-round version. In this paper we introduce a class of weak keys which makes a 34-round reduced version of XTEA vulnerable to the related-key rectangle attack. The number of such weak keys is about 2^{108.21}. Our attack on a 34-round reduced version of XTEA under weak key assumption requires 2^{62} chosen plaintexts and 2^{31.94} 34-round XTEA encryptions.


international conference on information security and cryptology | 2014

Rig: A Simple, Secure and Flexible Design for Password Hashing

Donghoon Chang; Arpan Jati; Sweta Mishra; Somitra Kumar Sanadhya

Password Hashing, a technique commonly implemented by a server to protect passwords of clients, by performing a one-way transformation on the password, turning it into another string called the hashed password. In this paper, we introduce a secure password hashing framework Rig which is based on secure cryptographic hash functions. It provides the flexibility to choose different functions for different phases of the construction. The design of the scheme is very simple to implement in software and is flexible as the memory parameter is independent of time parameter (no actual time and memory trade-off) and is strictly sequential (difficult to parallelize) with comparatively huge memory consumption that provides strong resistance against attackers using multiple processing units. It supports client-independent updates, i.e., the server can increase the security parameters by updating the existing password hashes without knowing the password. Rig can also support the server relief protocol where the client bears the maximum effort to compute the password hash, while there is minimal effort at the server side. We analyze Rig and show that our proposal provides an exponential time complexity against the low-memory attack.


international conference on progress in cryptology | 2015

Improved Meet-in-the-Middle Attacks on 7 and 8-Round ARIA-192 and ARIA-256

Akshima; Donghoon Chang; Mohona Ghosh; Aarushi Goel; Somitra Kumar Sanadhya

The ARIA block cipher has been established as a Korean encryption standard by Korean government since 2004. In this work, we re-evaluate the security bound of reduced round ARIA-192 and ARIA-256 against meet-in-the-middle MITM key recovery attacks in the single key model. We present a new 4-round distinguisher to demonstrate the best 7 & 8 round MITM attacks on ARIA-192/256. Our 7-round attack on ARIA-192 has data, time and memory complexity of

Collaboration


Top Co-Authors

Somitra Kumar Sanadhya, Indraprastha Institute of Information Technology

Mridul Nandi, Indian Statistical Institute

Jaechul Sung, Seoul National University

Arpan Jati, Indraprastha Institute of Information Technology

Mohona Ghosh, Indraprastha Institute of Information Technology

Sweta Mishra, Indraprastha Institute of Information Technology

Amit Kumar Chauhan, Indraprastha Institute of Information Technology