Wonil Lee
Korea University
Publication
Featured research published by Wonil Lee.
fast software encryption | 2004
Youngdai Ko; Seokhie Hong; Wonil Lee; Sangjin Lee; Ju-Sung Kang
In this paper, we present a related key truncated differential attack on 27 rounds of XTEA which is the best known attack so far. With an expected success rate of 96.9%, we can attack 27 rounds of XTEA using $2^{20.5}$ chosen plaintexts and with a complexity of $2^{115.15}$ 27-round XTEA encryptions. We also propose several attacks on GOST. First, we present a distinguishing attack on full-round GOST, which can distinguish it from a random permutation with probability $1 - 2^{-64}$ using a related key differential characteristic. We also show that H. Seki et al.'s idea combined with our related key differential characteristic can be applied to attack 31 rounds of GOST. Lastly, we propose a related key differential attack on full-round GOST. In this attack, we can recover 12 bits of the master key with $2^{35}$ chosen plaintexts, $2^{36}$ encryption operations and an expected success rate of 91.7%.
fast software encryption | 2005
Mridul Nandi; Wonil Lee; Kouichi Sakurai; Sangjin Lee
In this paper, we propose a 2/3-rate double length compression function and study its security in the black-box model. We prove that to get a collision attack for the compression function requires $\Omega(2^{2n/3})$ queries, where $n$ is the single length output size. Thus, it has better security than a most secure single length compression function. This construction is more efficient than the construction given in [8]. Also the three computations of underlying compression functions can be done in parallel. The proof idea uses a concept of computable message which can be helpful to study security of other constructions like [8], [14], [16] etc.
fast software encryption | 2002
Dukjae Moon; Kyungdeok Hwang; Wonil Lee; Sangjin Lee; Jongin Lim
We present the impossible differential cryptanalysis of the block cipher XTEA [7] and TEA [6]. The core of the design principle of these block ciphers is an easy implementation and a simplicity. But this simplicity does not offer a large diffusion property. Our impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is based on this fact. We will show how to construct a 12-round impossible characteristic of XTEA. We can then derive 128-bit user key of the 14-round XTEA with $2^{62.5}$ chosen plaintexts and $2^{85}$ encryption times using the 12-round impossible characteristic. In addition, we will show how to construct a 10-round impossible characteristic of TEA. Then we can derive 128-bit user key of the 11-round TEA with $2^{52.5}$ chosen plaintexts and $2^{84}$ encryption times using the 10-round impossible characteristic.
international conference on the theory and application of cryptology and information security | 2002
Jongsung Kim; Dukjae Moon; Wonil Lee; Seokhie Hong; Sangjin Lee; Seok Won Jung
SHACAL is a 160-bit block cipher based on the hash standard SHA-1, as a submission to NESSIE. SHACAL uses the XOR, modular addition operation and the functions of bit-by-bit manner. These operations and functions make the differential cryptanalysis difficult, i.e., it is hard to find a long differential characteristic with high probability. But, we can find short differential characteristics with high probabilities. Using this fact, we discuss the security of SHACAL against an amplified boomerang attack. We find a 36-step boomerang-distinguisher and present attacks on reduced-round SHACAL with various key sizes. We can attack 39-step SHACAL with 256-bit key, and 47-step SHACAL with 512-bit key. In addition, we present differential attacks of reduced-round SHACAL with various key sizes.
international conference on the theory and application of cryptology and information security | 2003
Wonil Lee; Donghoon Chang; Sangjin Lee; Soo Hak Sung; Mridul Nandi
We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is a complete binary tree based construction and has less key length expansion than Sarkar’s construction, which is the previously best known complete binary tree based construction. The only disadvantage is that here we need more key length expansion than that of Shoup’s sequential algorithm. But it is not too large, as in all practical situations we need just two more masks than Shoup’s. Our second algorithm is based on a non-complete l-ary tree and has the same optimal key length expansion as Shoup’s, which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and Shoup’s sequential algorithm are the minimum possible for any algorithms in a large class of “natural” domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However, if l is getting larger, then the parallelizability of the construction is also getting near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.
fast software encryption | 2002
Kyungdeok Hwang; Wonil Lee; Sungjae Lee; Sangjin Lee; Jongin Lim
This paper describes saturation attacks on reduced-round versions of Skipjack. To begin with, we will show how to construct a 16-round distinguisher which distinguishes 16 rounds of Skipjack from a random permutation. The distinguisher is used to attack on 18(5~22) and 23(5~27) rounds of Skipjack. We can also construct a 20-round distinguisher based on the 16-round distinguisher. This distinguisher is used to attack on 22(1~22) and 27(1~27) rounds of Skipjack. The 80-bit user key of 27 rounds of Skipjack can be recovered with $2^{50}$ chosen plaintexts and $3 \cdot 2^{75}$ encryption times.
international conference on information security and cryptology | 2001
Jaechul Sung; Sangjin Lee; Jongin Lim; Wonil Lee; Okyeon Yi
In [1], they gave the notions of security for the symmetric encryption and provided a concrete security analysis of the XOR, CTR, and CBC schemes. Among the three schemes, the CTR scheme achieves the best concrete security in their analysis. In this paper, we propose the new schemes, CTR-OFB and CTR-CFB, which have the same security as the CTR scheme on the point of the concrete security analysis and achieve higher resistance against some practical attacks than the CTR scheme.
australasian conference on information security and privacy | 2004
Wonil Lee; Mridul Nandi; Palash Sarkar; Donghoon Chang; Sangjin Lee; Kouichi Sakurai
In [1] it was proved that 20 out of 64 PGV-hash functions [2] based on block cipher are collision resistant and one-way-secure in black-box model of the underlying block cipher. Here, we generalize the definition of PGV-hash function into a hash family and prove that besides the previous 20 hash functions we have 22 more collision resistant and one-way secure hash families. As all these 42 families are keyed hash families, these become target collision resistant also. All these 42 hash families have tight upper and lower bounds on (target) collision resistant and one-way-ness.
Journal of Cryptology | 2006
Deukjo Hong; Seokhie Hong; Wonil Lee; Sangjin Lee; Jongin Lim; Jaechul Sung; Okyeon Yi
Normally, it has been believed that the initial values of cryptographic schemes do not need to be managed secretly unlike the secret keys. However, we show that multiple modes of operation of block ciphers can suffer a loss of security by the state of the initial values. We consider several attacks according to the environment of the initial values: known-IV attack, known-in-advance-IV attack, and replayed-and-known-IV attack. Our attacks on cascaded three-key triple modes of operation require 3-7 blocks of plaintexts (or ciphertexts) and $3 \cdot 2^{56}$ to $9 \cdot 2^{56}$ encryptions. We also give the attacks on multiple modes proposed by Biham.
international conference on information security and cryptology | 2004
Wonil Lee; Kouichi Sakurai; Seokhie Hong; Sangjin Lee
We present a modification of KASUMI type permutations and analyze the security of it using the notion of pseudorandomness. Our modified KASUMI type permutation can be computed more efficiently than the original KASUMI type permutation. Furthermore, our results have a slightly better (same) upper bound of success probability against arbitrary attackers in the sense of (super) pseudorandomness.