• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.1
• /
• pp.43-51
• /
• 2009

In 1998, Kocher et al. introduced Differential Power Attack on block ciphers. This attack allows to extract secret key used in cryptographic primitives even if these are executed inside tamper-resistant devices such as smart card. At FSE 2003 and 2004, Akkar and Goubin presented several masking methods, randomizing the first few and last few($3{\sim}4$) rounds of the cipher with independent random masks at each round and thereby disabling power attacks on subsequent inner rounds, to protect iterated block ciphers such as DES against Differential Power Attack. Since then, Handschuh and Preneel have shown how to attack Akkar's masking method using Differential Cryptanalysis. This paper presents how to combine Truncated Differential Cryptanalysis and Power Attack to extract the secret key from intermediate unmasked values and shows how much more efficient our attacks are implemented than the Handschuh-Preneel method in term of reducing the number of required plaintexts, even if some errors of Hamming weights occur when they are measured.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.9
• /
• pp.3266-3285
• /
• 2014

With limited computing and storage resources, many network applications of encryption algorithms require low power devices and fast computing components. CHESS-64 is designed by employing simple key scheduling and Data-Dependent operations (DDO) as main cryptographic components. Hardware performance for Field Programmable Gate Arrays (FPGA) and for Application Specific Integrated Circuits (ASIC) proves that CHESS-64 is a very flexible and powerful new cipher. In this paper, the security of CHESS-64 block cipher under related-key differential cryptanalysis is studied. Based on the differential properties of DDOs, we construct two types of related-key differential characteristics with one-bit difference in the master key. To recover 74 bits key, two key recovery algorithms are proposed based on the two types of related-key differential characteristics, and the corresponding data complexity is about $2^{42.9}$ chosen-plaintexts, computing complexity is about $2^{42.9}$ CHESS-64 encryptions, storage complexity is about $2^{26.6}$ bits of storage resources. To break the cipher, an exhaustive attack is implemented to recover the rest 54 bits key. These works demonstrate an effective and general way to attack DDO-based ciphers.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.4
• /
• pp.1944-1956
• /
• 2016

The Digital Video Broadcasting-Common Scrambling Algorithm is an ETSI-designated algorithm designed for protecting MPEG-2 signal streams, and it is universally used. Its structure is a typical hybrid symmetric cipher which contains stream part and block part within a symmetric cipher, although the entropy is 64 bits, there haven't any effective cryptanalytic results up to now. This paper studies the security level of CSA against impossible differential cryptanalysis, a 20-round impossible differential for the block cipher part is proposed and a flaw in the cipher structure is revealed. When we attack the block cipher part alone, to recover 16 bits of the initial key, the data complexity of the attack is O(2^44.5), computational complexity is O(2^22.7) and memory complexity is O(2^10.5) when we attack CSA-BC reduced to 21 rounds. According to the structure flaw, an attack on CSA with block cipher part reduced to 21 rounds is proposed, the computational complexity is O(2^21.7), data complexity is O(2^43.5) and memory complexity is O(2^10.5), we can recover 8 bits of the key accordingly. Taking both the block cipher part and stream cipher part of CSA into consideration, it is currently the best result on CSA which is accessible as far as we know.

• Journal of Internet Computing and Services
• /
• v.4 no.3
• /
• pp.1-8
• /
• 2003

The power analysis attack is a physical attack which can be applied to the cryptosystems such as smartcard. We try to experimental attack to a smart card which implemented Elliptic Curve Cryptosystem adopting NAF algorithm as a secret key recording method. Our differential power analysis attack is a potential threat to that implementation. The attacker measures the power traces during the multiplication with secret key bits in a target smart card and the multiplication with the guessed bits in other experimental one. The comparison of these two traces gives a secret bit, which means that attacker can find all secret key bits successively.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.10
• /
• pp.3815-3833
• /
• 2021

MILP-based automatic search is the most common method in analyzing the security of cryptographic algorithms. However, this method brings many issues such as low efficiency due to the large size of the model, and the difficulty in finding the contradiction of the impossible differential distinguisher. To analyze the security of ESF algorithm, this paper introduces a simplified MILP-based search model of the differential distinguisher by reducing constrains of XOR and S-box operations, and variables by combining cyclic shift with its adjacent operations. Also, a new method to find contradictions of the impossible differential distinguisher is proposed by introducing temporary variables, which can avoid wrong and miss selection of contradictions. Based on a 9-round impossible differential distinguisher, 15-round attack of ESF can be achieved by extending forward and backward 3-round in single-key setting. Compared with existing results, the exact lower bound of differential active S-boxes in single-key setting for 10-round ESF are improved. Also, 2108 9-round impossible differential distinguishers in single-key setting and 14 12-round impossible differential distinguishers in related-key setting are obtained. Especially, the round of the discovered impossible differential distinguisher in related-key setting is the highest, and compared with the previous results, this attack achieves the highest round number in single-key setting.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.4
• /
• pp.17-24
• /
• 2010

A differential fault attack(DFA) is one of the most efficient side channel attacks on block ciphers. Almost all block ciphers, such as DES, AES, ARIA, SEED and so on., have been analysed by this attack. In the case of the known DFAs on SEED, the attacker induces permanent faults on a whole left register of round 16. In this paper, we analyse SEED against DFA with differential characteristics and addition-XOR characteristics of the round function of SEED. The fault assumption of our attack is that the attacker induces 1-bit faults on a particular register. By using our attack, we can recover last round keys and the master key with about $2^{32}$ simple arithmetic operations. It can be simulated on general PC within about a couple of second.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.807-816
• /
• 2022

See-In-The-Middle (SITM) is an analysis technique that uses Side-Channel information for differential cryptanalysis. This attack collects unmasked middle-round power traces when implementing block ciphers to select plaintext pairs that satisfy the attacker's differential pattern and utilize them for differential cryptanalysis to recover the key. Romulus, one of the final candidates for the NIST Lightweight Cryptography standardization competition, is based on Tweakable block cipher Skinny-128-384+. In this paper, the SITM attack is applied to Skinny-128-384 implemented with 14-round partial masking. This attack not only increased depth by one round, but also significantly reduced the time/data complexity to 2^14.93/2^14.93. Depth refers to the round position of the block cipher that collects the power trace, and it is possible to measure the appropriate number of masking rounds required when applying the masking technique to counter this attack. Furthermore, we extend the attack to Romulus's Nonce-based AE mode Romulus-N, and Tweakey's structural features show that it can attack with less complexity than Skinny-128-384.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.2
• /
• pp.727-746
• /
• 2018

The hash function RIPEMD-160 is a worldwide ISO/IEC standard and the hash function HAS-160 is the Korean hash standard and is widely used in Korea. On the basis of differential meet-in-the-middle attack and biclique technique, a preimage attack on 34-step RIPEMD-160 with message padding and a pseudo-preimage attack on 71-step HAS-160 without message padding are proposed. The former is the first preimage attack from the first step, the latter increases the best pseudo-preimage attack from the first step by 5 steps. Furthermore, we locate the linear spaces in another message words and exchange the bicliques construction process and the mask vector search process. A preimage attack on 35-step RIPEMD-160 and a preimage attack on 71-step HAS-160 are presented. Both of the attacks are from the intermediate step and satisfy the message padding. They improve the best preimage attacks from the intermediate step on step-reduced RIPEMD-160 and HAS-160 by 4 and 3 steps respectively. As far as we know, they are the best preimage and pseudo-preimage attacks on step-reduced RIPEMD-160 and HAS-160 respectively in terms of number of steps.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.2
• /
• pp.600-616
• /
• 2021

SIMON and SPECK are two families of lightweight block ciphers that have excellent performance on hardware and software platforms. At CRYPTO 2019, Gohr first introduces the differential cryptanalysis based deep learning on round-reduced SPECK32/64, and finally reduces the remaining security of 11-round SPECK32/64 to roughly 38 bits. In this paper, we are committed to evaluating the safety of SIMON cipher under the neural differential cryptanalysis. We firstly prove theoretically that SIMON is a non-Markov cipher, which means that the results based on conventional differential cryptanalysis may be inaccurate. Then we train a residual neural network to get the 7-, 8-, 9-round neural distinguishers for SIMON32/64. To prove the effectiveness for our distinguishers, we perform the distinguishing attack and key-recovery attack against 15-round SIMON32/64. The results show that the real ciphertexts can be distinguished from random ciphertexts with a probability close to 1 only by 2^8.7 chosen-plaintext pairs. For the key-recovery attack, the correct key was recovered with a success rate of 23%, and the data complexity and computation complexity are as low as 2⁸ and 2^20.1 respectively. All the results are better than the existing literature. Furthermore, we briefly discussed the effect of different residual network structures on the training results of neural distinguishers. It is hoped that our findings will provide some reference for future research.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.4
• /
• pp.569-575
• /
• 2024

The 64-bit block cipher IIoTBC is an encryption algorithm designed for the security of industrial IoT devices and uses an 128-bit secret key. The IIoTBC's encryption algorithm varies depending on whether the MCU size used in IoT is 8-bit or 16-bit. This paper deals with a differential attack on IIoTBC when the MCU size is 8-bit. It attacks 15-round out of the entire 32-round using IIoTBC's 14-round differential characteristic. At this time, the number of required plaintexts and encryption are 2⁵⁷ and 2^122.4, respectively. The differential characteristic presented in this paper has a longer round than the existing 13-round impossible differential characteristic, and the attack using this is the result of the first key recovery attack on IIoTBC.