Jaechul Sung

HIGHT: a new block cipher suitable for low-resource device

In this paper, we propose a new block cipher HIGHT with 64-bit block length and 128-bit key length. It provides low-resource hardware implementation, which is proper to ubiquitous computing device such as a sensor in USN or a RFID tag. HIGHT does not only consist of simple operations to be ultra-light but also has enough security as a good encryption algorithm. Our hardware implementation of HIGHT requires 3048 gates on 0.25 μm technology.

Related-Key Chosen IV Attacks on Grain-v1 and Grain-128

The slide resynchronization attack on Grain was proposed in [6]. This attack finds related keys and initialization vectors of Grain that generate the 1-bit shifted keystream sequence. In this paper, we extend the attack proposed in [6] and propose related-key chosen IV attacks on Grain-v1 and Grain-128. The attack on Grain-v1 recovers the secret key with 222.59chosen IVs, 226.29-bit keystream sequences and 222.90computational complexity. To recover the secret key of Grain-128, our attack requires 226.59chosen IVs, 231.39-bit keystream sequences and 227.01computational complexity. These works are the first known key recovery attacks on Grain-v1 and Grain-128.

Differential fault analysis on block cipher SEED

LED-64 is a 64-bit block cipher proposed in CHES 2011 and suitable for the efficient implementation in constrained hardware environments such as WSN. In this paper, we propose a differential fault analysis on LED-64. In order to recover the secret key of LED-64, this attack requires only one random nibble fault and an exhaustive search of 28. This work is the first known cryptanalytic result on LED-64.

A new dedicated 256-bit hash function: FORK-256

This paper describes a new software-efficient 256-bit hash function, FORK-256. Recently proposed attacks on MD5 and SHA-1 motivate a new hash function design. It is designed not only to have higher security but also to be faster than SHA-256. The performance of the new hash function is at least 30% better than that of SHA-256 in software. And it is secure against any known cryptographic attacks on hash functions.

Second Preimage Attack on 3-Pass HAVAL and Partial Key-Recovery Attacks on HMAC/NMAC-3-Pass HAVAL

In 1992, Zheng, Pieprzyk and Seberry proposed a one-way hashing algorithm called HAVAL, which compresses a message of arbitrary length into a digest of 128, 160, 192, 224 or 256 bits. It operates in so called passes where each pass contains 32 steps. The number of passes can be chosen equal to 3, 4 or 5. In this paper, we devise a new differential path of 3-pass HAVAL with probability 2i¾? 114, which allows us to design a second preimage attack on 3-pass HAVAL and partial key recovery attacks on HMAC/NMAC-3-pass HAVAL. Our partial key-recovery attack works with 2122oracle queries, 5·232memory bytes and 2963-pass HAVAL computations.

Related-Key attacks on DDP based ciphers: CIKS-128 and CIKS-128H

CIKS-128 and CIKS-128H are 128-bit block ciphers with a 256-bit key sizes based on data-dependent operations, respectively. They are also fast hardware-oriented ciphers and improvements of block cipher CIKS-1 introduced in [14]. This paper presents related-key differential attacks on full-round CIKS-128 and CIKS-128H. In result, using full-round related-key differential characteristics with probability 2−−36 and 2−−35.4, these attacks can recover the partial subkey bits for CIKS-128 and CIKS-128H with about 240 plaintexts, respectively. These works suggests that the greatest possible care has to be taken when proposing improvements of the existing block ciphers.

Weak-Key Classes of 7-Round MISTY 1 and 2 for Related-Key Amplified Boomerang Attacks

In 1997, M. Matsui proposed secret-key cryptosystems called MISTY 1 and MISTY 2, which are 8-and 12-round block ciphers with a 64-bit block, and a 128-bit key. They are designed based on the principle of provable security against differential and linear cryptanalysis. In this paper we present large collections of weak-key classes encompassing 273 and 270 weak keys for 7-round MISTY 1 and 2 for which they are vulnerable to a related-key amplified boomerang attack. Under our weak-key assumptions, the related-key amplified boomerang attack can be applied to 7-round MISTY 1 and 2 with 254, 256 chosen plaintexts and 255.3 7-round MISTY 1 encryptions, 265 7-round MISTY 2 encryptions, respectively.

Related-Key differential attacks on cobra-s128, cobra-f64a, and cobra-f64b

Data-dependent permutations (DDPs) which are very suitable for cheap hardware implementations have been introduced as a cryptographic primitive. Cobra-S128 and Cobra-F64 (which is a generic name for Cobra-F64a and Cobra-F64b) are 128-bit and 64-bit iterated block ciphers with a 128-bit key size based on such DDPs, respectively. Unlike the predecessor DDP-based ciphers [16,5], Cobra-S128 is a software-oriented cipher and Cobra-F64 is a firmware-suitable cipher. In this paper, we derive several structural properties of Cobra-S128 and Cobra-F64 and then use them to devise key recovery attacks on Cobra-S128 and Cobra-F64. These works are the first known attacks on Cobra-S128 and Cobra-F64.

Related-Key differential attacks on cobra-h64 and cobra-h128

Cobra-H64 and Cobra-H128, which use data-dependent permutations as a main cryptographic primitive, are 64-bit and 128-bit iterated block ciphers with 128-bit and 256-bit keys, respectively. Since these ciphers use very simple key scheduling and controlled permutation (CP) for fast hardware encryption, they are suitable for wireless communications networks which require high-speed networks. Actually, these ciphers have better hardware performances than other ciphers used in security layers of wireless protocols (Wap, OMA, UMTS, IEEE 802.11 and so on). In this paper, however, we show that Cobra-H64 and Cobra-H128 are vulnerable to related-key differential attacks. We first describe how to construct full-round related-key differential characteristics of Cobra-H64 and Cobra-H128 with high probabilities and then we exploit them to attack full-round Cobra-H64 with a complexity of 215.5 and Cobra-H128 with a complexity of 244.

Weakness of lightweight block ciphers mCrypton and LED against biclique cryptanalysis

In this paper, we evaluate the security of lightweight block ciphers mCrypton and LED against biclique cryptanalysis. In cases of mCryton-64/96/128, our attacks require computational complexities of