Dukjae Moon

Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA

We present the impossible differential cryptanalysis of the block cipher XTEA[7] and TEA[6]. The core of the design principle of these block ciphers is an easy implementation and a simplicity. But this simplicity dose not offer a large diffusion property. Our impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is based on this fact. We will show how to construct a 12-round impossible characteristic of XTEA. We can then derive 128-bit user key of the 14- round XTEA with 262.5 chosen plaintexts and 285 encryption times using the 12-round impossible characteristic. In addition, we will show how to construct a 10-round impossible characteristic of TEA. Then we can derive 128-bit user key of the 11-round TEA with 252.5 chosen plaintexts and 284 encryption times using the 10-round impossible characteristic.

Amplified Boomerang Attack against Reduced-Round SHACAL

SHACAL is a 160-bit block cipher based on the hash standard SHA-1, as a submission to NESSIE. SHACAL uses the XOR, modular addition operation and the functions of bit-by-bit manner. These operations and functions make the differential cryptanalysis difficult, i.e, it is hard to find a long differential characteristic with high probability. But, we can find short differential characteristics with high probabilities. Using this fact, we discuss the security of SHACAL against an amplified boomerang attack. We find a 36-step boomerang-distinguisher and present attacks on reduced-round SHACAL with various key sizes. We can attack 39-step SHACAL with 256-bit key, and 47-step SHACAL with 512-bit key. In addition, we present differential attacks of reduced-round SHACAL with various key sizes.

Related-Key differential attacks on cobra-h64 and cobra-h128

Cobra-H64 and Cobra-H128, which use data-dependent permutations as a main cryptographic primitive, are 64-bit and 128-bit iterated block ciphers with 128-bit and 256-bit keys, respectively. Since these ciphers use very simple key scheduling and controlled permutation (CP) for fast hardware encryption, they are suitable for wireless communications networks which require high-speed networks. Actually, these ciphers have better hardware performances than other ciphers used in security layers of wireless protocols (Wap, OMA, UMTS, IEEE 802.11 and so on). In this paper, however, we show that Cobra-H64 and Cobra-H128 are vulnerable to related-key differential attacks. We first describe how to construct full-round related-key differential characteristics of Cobra-H64 and Cobra-H128 with high probabilities and then we exploit them to attack full-round Cobra-H64 with a complexity of 215.5 and Cobra-H128 with a complexity of 244.

The Switching Generator: New Clock-Controlled Generator with Resistance against the Algebraic and Side Channel Attacks

Since Advanced Encryption Standard (AES) in stream modes, such as counter (CTR), output feedback (OFB) and cipher feedback (CFB), can meet most industrial requirements, the range of applications for dedicated stream ciphers is decreasing. There are many attack results using algebraic properties and side channel information against stream ciphers for hardware applications. Al-Hinai et al. presented an algebraic attack approach to a family of irregularly clock-controlled linear feedback shift register systems: the stop and go generator, self-decimated generator and alternating step generator. Other clock-controlled systems, such as shrinking and cascade generators, are indeed vulnerable against side channel attacks. To overcome these threats, new clock-controlled systems were presented, e.g., the generalized alternating step generator, cascade jump-controlled generator and mutual clock-controlled generator. However, the algebraic attack could be applied directly on these new systems. In this paper, we propose a new clock-controlled generator: the switching generator, which has resistance to algebraic and side channel attacks. This generator also preserves both security properties and the efficiency of existing clock-controlled generators.

Security evaluation of double-block-length hash modes with preimage attacks on PGV schemes

In FSE 2011, Sasaki presented the preimage attacks on Davies-Meyer (DM) scheme of 7-round AES and explained conversion of it to the attack on the hash function for 12 secure PGV schemes. In this paper, we apply Sasakis work to Double-Block-Length (DBL) hash modes based on arbitrary blockcipher. We generalize compression functions in several DBL hash modes. Assuming a Sasakis preimage attack on DM scheme of the underlying blockcipher is faster than brute-force attack, we evaluate securities of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks except some case of the generalized MDC-4.

New Efficient Padding Methods Secure Against Padding Oracle Attacks

This paper proposes three new padding methods designed to withstand padding oracle attacks, which aim at recovering a plaintext without knowing the secret key by exploiting oracle’s characteristic of checking the padding during decryption. Of the ten existing padding methods, only two (ABYT-PAD and ABIT-PAD) can withstand padding oracle attacks. However, these methods are not efficient since they either use a random number generator or require MAC verification in applications. The three new padding methods proposed in this paper are secure against padding oracle attacks and more efficient compared to the two aforementioned padding methods.

Safety Analysis of Various Padding Techniques on Padding Oracle Attack

We use various types of cryptographic algorithms for the protection of personal and sensitive informations in the application environments, such as an internet banking and an electronic commerce. However, recent researches were introduced that if we implement modes of operation, padding method and other cryptographic implementations in a wrong way, then the critical information can be leaked even though the underlying cryptographic algorithms are secure. Among these attacking techniques, the padding oracle attack is representative. In this paper, we analyze the possibility of padding oracle attacks of 12 kinds of padding techniques that can be applied to the CBC operation mode of a block cipher. As a result, we discovered that 3 kinds were safe padding techniques and 9 kinds were unsafe padding techniques. We propose 5 considerations when designing a safe padding techniques to have a resistance to the padding oracle attack through the analysis of three kinds of safe padding techniques.

A new primitive for stream ciphers applicable to pervasive environments

Abstract omputing devices in pervasive environments have limitations on the following attributes: calculation capacity, power consumption, and chip size. The huge amount of operation required for applications of cryptographic primitives restricts the implementation of these primitives in pervasive environments. In order to overcome such limitations, we propose a new primitive for stream ciphers called PC-AddRotR (Pervasive Computing -Adder Right Rotation). PC-AddRotR is easily implemented by light-weight hardware and fast word-based software. PC-AddRotR efficiently generates sequences of long period and multi-bit sequences. In addition, using aword-based adder with a nonlinear property, it has more resistance against algebraic attacks, which are known to be the strong analysis methods for stream ciphers.