• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.533-543
• /
• 2018

In this paper, we propose an MILP-based method for Optimal Probability of Bit-based Differential Characteristic in SP(Substitution-permutation) ciphers based on Automatic Differential Characteristic Searching Method of Sasaki, et al. In [13], they used input/output variables and probability variables seperatably, but we simplify searching procedure by putting them(variables) together into linear inequalities. Also, In order to decrease the more linear inequalities, we choose Espresso algorithm among that used by Sasaki, et al(Quine-McCluskey algorithm & Espresso algorithm). Moreover, we apply our method to GIFT-64, GIFT-128, SKINNY-64, and we obtained results in the GIFT(Active S-boxs : 6, Probabilities : $2^{-11.415}$) compared with the existing one.(Active S-boxs : 5, Probabilities : unknown). In case of SKINNY-64, we can't find better result, but can find same result compared with the existing one.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.4
• /
• pp.795-803
• /
• 2017

This paper describes a dual-standard cryptographic processor that efficiently integrates two block ciphers ARIA and AES into a unified hardware. The ARIA-AES crypto-processor was designed to support 128-b and 256-b key sizes, as well as four modes of operation including ECB, CBC, OFB, and CTR. Based on the common characteristics of ARIA and AES algorithms, our design was optimized by sharing hardware resources in substitution layer and in diffusion layer. It has on-the-fly key scheduler to process consecutive blocks of plaintext/ciphertext without reloading key. The ARIA-AES crypto-processor that was implemented with a $0.18{\mu}m$ CMOS cell library occupies 54,658 gate equivalents (GEs), and it can operate up to 95 MHz clock frequency. The estimated throughputs at 80 MHz clock frequency are 787 Mbps, 602 Mbps for ARIA with key size of 128-b, 256-b, respectively. In AES mode, it has throughputs of 930 Mbps, 682 Mbps for key size of 128-b, 256-b, respectively. The dual-standard crypto-processor was verified by FPGA implementation using Virtex5 device.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.28 no.11C
• /
• pp.1077-1087
• /
• 2003

In this paper, we proposed an architecture of a cryptosystem with various operating modes for the network security and implemented in hardware using the ASIC library. For configuring a cryptosystem, the standard block ciphers such as AES, SEED and 3DES were included. And the implemented cryptosystem can encrypt and decrypt the data in real time through the wired/wireless network with the minimum latency time (minimum 64 clocks, maximum 256 clocks). It can support CTR mode which is widely used recently as well as the conventional block cipher modes such as ECB, CBC and OFB, and operates in the multi-bit mode (64, 128, 192, and 256 bits). The implemented hardware has the expansion possibility for the other algorithms according to the network security protocol such as IPsec and the included ciphering blocks can be operated simultaneously. The self-ciphering mode and various ciphering mode can be supported by the hardware sharing and the programmable data-path. The global operation is programmed by the serial communication port and the operation is decided by the control signals decoded from the instruction by the host. The designed hardware using VHDL was synthesized with Hynix 0.25$\mu\textrm{m}$ CMOS technology and it used the about 100,000 gates. Also we could assure the stable operation in the timing simulation over 100㎒ using NC-verilog.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1259-1270
• /
• 2019

The upper bound of differential characteristic probability is mainly used to determine the number of rounds when constructing a block cipher. As the number of rounds affects the performance of block cipher, it is critical to evaluate the tight upper bound in the constructing process. In order to calculate the upper bound of differential characteristic probability, the previous searching methods for minimum number of active S-boxes constructed constraint equations for non-linear operations and linear operations, independently. However, in the case of BOGI design strategy, where linear operation is dependent on non-linear operation, the previous methods may present the less tight upper bound. In this paper, we exploit the properties of BOGI strategy to propose a new method to evaluate a tighter upper bound of differential characteristic probability than previous ones. Additionally, we mathematically proved the validity of our method. Our proposed method was applied to GIFT-64 and GIFT-128, which are based on BOGI strategy, and the upper bounds of differential characteristic probability were derived until 9 round. Previously, the upper bounds of differential characteristic probability for 7-round GIFT-64 and 9-round GIFT-128 were 2^-18.395 and 2^-26.885, respectively, while we show that the upper bounds of differential characteristic probability are more tight as 2^-19.81 and 2^-28.3, respectively.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.11
• /
• pp.2093-2099
• /
• 2016

This paper describes a design of crypto-processor that supports multiple block cipher algorithms of PRESENT, ARIA, and AES. The crypto-processor integrates three cores that are PRmo (PRESENT with mode of operation), AR_AS (ARIA_AES), and AES-16b. The PRmo core implementing 64-bit block cipher PRESENT supports key length 80-bit and 128-bit, and four modes of operation including ECB, CBC, OFB, and CTR. The AR_AS core supporting key length 128-bit and 256-bit integrates two 128-bit block ciphers ARIA and AES into a single data-path by utilizing resource sharing technique. The AES-16b core supporting key length 128-bit implements AES with a reduced data-path of 16-bit for minimizing hardware. Each crypto-core contains its own on-the-fly key scheduler, and consecutive blocks of plaintext/ciphertext can be processed without reloading key. The crypto-processor was verified by FPGA implementation. The crypto-processor implemented with a $0.18{\mu}m$ CMOS cell library occupies 54,500 gate equivalents (GEs), and it can operate with 55 MHz clock frequency.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.12 no.6
• /
• pp.59-69
• /
• 2002

Many Linear attacks have introduced after M. Matsui suggested Linear Cryptanalysis in 1993. The one of them is the method suggested by B. Kaliski and M. Robshaw. It was a new method using multiple linear approximations to attack for block ciphers. It requires less known plaintexts than that of Linear Cryptanalysis(LC) by Matsui, but it has a problem. In this paper, we will introduce the new method using multiple linear approximation that can solve the problem. Using the new method, the requirements of the known plaintexts is 5(1.25) times as small as the requirements in LC on 8(16) round DES with a success rate of 95%(86%) respectively. We can also adopt A Chosen Plaintext Linear Attack suggested by L. R. Knudsen and J. E. Mathiassen and then our attack requires about $2^{40.6}$ chosen plaintexts to recover 15 key bits with 86% success rate. We believe that the results in this paper contain the fastest attack on the DES full round reported so far in the open literature.

• KIPS Transactions on Computer and Communication Systems
• /
• v.12 no.6
• /
• pp.181-188
• /
• 2023

Block cipher is not expected to be safe for quantum computer, as Grover's algorithm reduces the security strength by accelerating brute-force attacks on symmetric key ciphers. So it is necessary to check the post-quantum security strength by implementing quantum circuit for the target cipher. In this paper, we propose the optimal quantum circuit implementation result designed as a technique to minimize the use of quantum resources (qubits, quantum gates) for SIMECK lightweight cryptography, and explain the operation of each quantum circuit. The implemented SIMECK quantum circuit is used to check the estimation result of quantum resources and calculate the Grover attack cost. Finally, the post-quantum strength of SIMECK lightweight cryptography is evaluated. As a result of post-quantum security strength evaluation, all SIMECK family cipher failed to reach NIST security strength. Therefore, it is expected that the safety of SIMECK cipher is unclear when large-scale quantum computers appear. About this, it is judged that it would be appropriate to increase the block size, the number of rounds, and the key length to increase the security strength.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.6
• /
• pp.167-174
• /
• 2022

PIPO lightweight block ciphers were announced in ICISC'20. In this paper, a single-block optimization implementation and parallel optimization implementation of PIPO lightweight block cipher ECB, CBC, and CTR operation modes are performed on a 32-bit RISC-V processor. A single block implementation proposes an efficient 8-bit unit of Rlayer function implementation on a 32-bit register. In a parallel implementation, internal alignment of registers for parallel implementation is performed, and a method for four different blocks to perform Rlayer function operations on one register is described. In addition, since it is difficult to apply the parallel implementation technique to the encryption process in the parallel implementation of the CBC operation mode, it is proposed to apply the parallel implementation technique in the decryption process. In parallel implementation of the CTR operation mode, an extended initialization vector is used to propose a register internal alignment omission technique. This paper shows that the parallel implementation technique is applicable to several block cipher operation modes. As a result, it is confirmed that the performance improvement is 1.7 times in a single-block implementation and 1.89 times in a parallel implementation compared to the performance of the existing research implementation that includes the key schedule process in the ECB operation mode.