• 한국정보통신설비학회:학술대회논문집
• /
• 2006.08a
• /
• pp.219-222
• /
• 2006

In this paper we present a cryptanalysis of the generalized patchwork algorithm under the assumption that the attacker possesses only a single copy of the watermarked audio. In the scheme, watermark is inserted by modifying randomly chosen DCT values in each block of the original audio. Towards the attack we first fit low degree polynomials (which minimize the mean square error) on the data available from each block of the watermarked content. Then we replace the corresponding DCT data of the at-tacked audio by the available data from the polynomials to construct an attacked audio. The technique nullifies the modification achieved during watermark embedding. Experimental results show that recovery of the watermark becomes difficult after the attack.

• Journal of Advanced Navigation Technology
• /
• v.16 no.5
• /
• pp.787-793
• /
• 2012

Piccolo-128 is a 64-bit ultra-light block cipher suitable for the constrained environments such as wireless sensor network environments. In this paper, we propose biclique cryptanalysis on the full Piccolo-128. To recover the secret key of Piccolo-128, the proposed attack requires $2^{24}$ chosen plaintexts and the computational complexity of about $2^{127.35}$. This result is the first known theoretical attack result on the full Piccolo-128.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.179-183
• /
• 2008

Recently, an efficient password-authenticated key exchange protocol based on RSA has been proposed by Park et al. with formal security proof. In this letter, we analyze their protocol, and show that it is not secure against an active adversary who performs a dictionary attack. Moreover, we analyze the performance of the proposed attack and show that the attack is a threatening attack against the protocol.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.18 no.2
• /
• pp.478-493
• /
• 2024

In this paper, the Mixed Integer Linear Programming (MILP) model is improved for searching differential characteristics of block cipher Midori-64, and 4 search strategies of differential path are given. By using strategy IV, set 1 S-box on the top of the distinguisher to be active, and set 3 S-boxes at the bottom to be active and the difference to be the same, then we obtain a 5-round differential characteristics. Based on the distinguisher, we attack 12-round Midori-64 with data and time complexities of 2⁶³ and 2^103.83, respectively. To our best knowledge, these results are superior to current ones.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.3
• /
• pp.467-476
• /
• 2017

In this paper, we analyze Generalized Feistel Network(GFN) Type I, Type II, Type III that round function use SP update function, secret S-box and $k{\times}k$ MDS matirx. In this case an attacker has no advantage about S-box. For each type of GFN, we analyze and restore secret S-box in 9, 6, 6 round using the basis of integral cryptanalysis with chosen plaintext attack. Also we restore secret S-box in 16 round of GFN Type I with chosen ciphertext attack. In conclusion, we need $2^{2m}$ data complexity and ${\frac{2^{3m}}{32k}},{\frac{2^{3m}}{24k}},{\frac{2^{3m}}{36k}}$ time complexity to restore m bit secret S-box in GFN Type I, Type II, Type III.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.337-347
• /
• 2020

In CRYPTO 2019, Gohr presents that Deep-learning can be used for cryptanalysis. In this paper, we verify whether Deep-learning can identify the structures of S-box. To this end, we conducted two experiments. First, we use DDT and LAT of S-boxes as the learning data, whose structure is one of mainly used S-box structures including Feistel, MISTY, SPN, and multiplicative inverse. Surprisingly, our Deep-learning algorithms can identify not only the structures but also the number of used rounds. The second application verifies the pseudo-randomness of and structures by increasing the nuber of rounds in each structure. Our Deep-learning algorithms outperform the theoretical distinguisher in terms of the number of rounds. In general, the design rationale of ciphers used for high level of confidentiality, such as for military purposes, tends to be concealed in order to interfere cryptanalysis. The methods presented in this paper show that Deep-learning can be utilized as a tool for analyzing such undisclosed design rationale.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.807-816
• /
• 2022

See-In-The-Middle (SITM) is an analysis technique that uses Side-Channel information for differential cryptanalysis. This attack collects unmasked middle-round power traces when implementing block ciphers to select plaintext pairs that satisfy the attacker's differential pattern and utilize them for differential cryptanalysis to recover the key. Romulus, one of the final candidates for the NIST Lightweight Cryptography standardization competition, is based on Tweakable block cipher Skinny-128-384+. In this paper, the SITM attack is applied to Skinny-128-384 implemented with 14-round partial masking. This attack not only increased depth by one round, but also significantly reduced the time/data complexity to 2^14.93/2^14.93. Depth refers to the round position of the block cipher that collects the power trace, and it is possible to measure the appropriate number of masking rounds required when applying the masking technique to counter this attack. Furthermore, we extend the attack to Romulus's Nonce-based AE mode Romulus-N, and Tweakey's structural features show that it can attack with less complexity than Skinny-128-384.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.2
• /
• pp.175-182
• /
• 2023

Differential cryptanalysis is one of the analysis techniques for block ciphers, and uses the property that the output difference with respect to the input difference exists with a high probability. If random data and differential data can be distinguished, data complexity for differential cryptanalysis can be reduced. For this, many studies on deep learning-based neural distinguisher have been conducted. In this paper, a deep learning-based neural distinguisher for PIPO 64/128 is proposed. As a result of experiments with various input differences, the 3-round neural distinguisher for the differential characteristics for 0, 1, 3, and 5-rounds achieved accuracies of 0.71, 0.64, 0.62, and 0.64, respectively. This work allows distinguishing attacks for up to 8 rounds when used with the classical distinguisher. Therefore, scalability was achieved by finding a distinguisher that could handle the differential of each round. To improve performance, we plan to apply various neural network structures to construct an optimal neural network, and implement a neural distinguisher that can use related key differential or process multiple input differences simultaneously.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.1
• /
• pp.43-51
• /
• 2009

In 1998, Kocher et al. introduced Differential Power Attack on block ciphers. This attack allows to extract secret key used in cryptographic primitives even if these are executed inside tamper-resistant devices such as smart card. At FSE 2003 and 2004, Akkar and Goubin presented several masking methods, randomizing the first few and last few($3{\sim}4$) rounds of the cipher with independent random masks at each round and thereby disabling power attacks on subsequent inner rounds, to protect iterated block ciphers such as DES against Differential Power Attack. Since then, Handschuh and Preneel have shown how to attack Akkar's masking method using Differential Cryptanalysis. This paper presents how to combine Truncated Differential Cryptanalysis and Power Attack to extract the secret key from intermediate unmasked values and shows how much more efficient our attacks are implemented than the Handschuh-Preneel method in term of reducing the number of required plaintexts, even if some errors of Hamming weights occur when they are measured.

• ETRI Journal
• /
• v.35 no.1
• /
• pp.131-141
• /
• 2013

Integral cryptanalysis, which is based on the existence of (higher-order) integral distinguishers, is a powerful cryptographic method that can be used to evaluate the security of modern block ciphers. In this paper, we focus on substitution-permutation network (SPN) ciphers and propose a criterion to characterize how an r-round integral distinguisher can be extended to an (r+1)-round higher-order integral distinguisher. This criterion, which builds a link between integrals and higher-order integrals of SPN ciphers, is in fact based on the theory of direct decomposition of a linear space defined by the linear mapping of the cipher. It can be directly utilized to unify the procedure for finding 4-round higher-order integral distinguishers of AES and ARIA and can be further extended to analyze higher-order integral distinguishers of various block cipher structures. We hope that the criterion presented in this paper will benefit the cryptanalysts and may thus lead to better cryptanalytic results.