• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.9
• /
• pp.3266-3285
• /
• 2014

With limited computing and storage resources, many network applications of encryption algorithms require low power devices and fast computing components. CHESS-64 is designed by employing simple key scheduling and Data-Dependent operations (DDO) as main cryptographic components. Hardware performance for Field Programmable Gate Arrays (FPGA) and for Application Specific Integrated Circuits (ASIC) proves that CHESS-64 is a very flexible and powerful new cipher. In this paper, the security of CHESS-64 block cipher under related-key differential cryptanalysis is studied. Based on the differential properties of DDOs, we construct two types of related-key differential characteristics with one-bit difference in the master key. To recover 74 bits key, two key recovery algorithms are proposed based on the two types of related-key differential characteristics, and the corresponding data complexity is about $2^{42.9}$ chosen-plaintexts, computing complexity is about $2^{42.9}$ CHESS-64 encryptions, storage complexity is about $2^{26.6}$ bits of storage resources. To break the cipher, an exhaustive attack is implemented to recover the rest 54 bits key. These works demonstrate an effective and general way to attack DDO-based ciphers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.3
• /
• pp.75-84
• /
• 2004

In this paper, we present a related key differential attack on Full-round GOST Firstly, we present a distinguishing attack on full rounds of GOST, which can distinguish it from random oracle with probability 1- 64$2^{64}$ using a related key differential characteristic. We will also show that H. Seki et al.'s idea can be applied to attack on 31 rounds of GOST combining our related key differential characteristic. Lastly, we propose a related key differential attack on full rounds of GOST. In this attack we can recover 12 bits of the master key with $2^{35}$ chosen plaintexts and $2^{36}$ encryption times for the 91.7% expectation of success rate.

• Journal of Platform Technology
• /
• v.11 no.1
• /
• pp.72-84
• /
• 2023

With the rise of the Internet of Things, the security of such lightweight computing environments has become a hot topic. Lightweight block ciphers that can provide efficient performance and security by having a relatively simpler structure and smaller key and block sizes are drawing attention. Due to these characteristics, they can become a target for new attack techniques. One of the new cryptanalytic attacks that have been attracting interest is Neural cryptanalysis, which is a cryptanalytic technique based on neural networks. It showed interesting results with better results than the conventional cryptanalysis method without a great amount of time and cryptographic knowledge. The first work that showed good results was carried out by Aron Gohr in CRYPTO'19, the attack was conducted on the lightweight block cipher SPECK-/32/64 and showed better results than conventional differential cryptanalysis. In this paper, we first apply the Differential Neural Distinguisher proposed by Aron Gohr to the block ciphers HIGHT and GOST to test the applicability of the attack to ciphers with different structures. The performance of the Differential Neural Distinguisher is then analyzed by replacing the neural network attack model with five different models (Multi-Layer Perceptron, AlexNet, ResNext, SE-ResNet, SE-ResNext). We then propose a Related-key Neural Distinguisher and apply it to the SPECK-/32/64, HIGHT, and GOST block ciphers. The proposed Related-key Neural Distinguisher was constructed using the relationship between keys, and this made it possible to distinguish more rounds than the differential distinguisher.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.8
• /
• pp.1946-1963
• /
• 2012

Hummingbird is a lightweight encryption and message authentication primitive published in RISC'09 and WLC'10. In FSE'11, Markku-Juhani O.Saarinen presented a differential divide-and-conquer method which has complexity upper bounded by $2^{64}$ operations and requires processing of few megabytes of chosen messages under two related nonces (IVs). The improved version, Hummingbird-2, was presented in RFIDSec 2011. Based on the idea of differential collision, this paper discovers some weaknesses of the round function WD16. Combining with the simple key loading algorithm, a related-key chosen-IV attack which can recover the full secret key is proposed. Under 15 pairs of related keys, the 128 bit initial key can be recovered, requiring $2^{27}$ chosen IV and the computational complexity is $O(2^{27})$. In average, the attack needs several minutes to recover the full 128-bit secret key on a PC. The experimental result corroborates our attack. The result shows that the Hummingbird-2 cipher can't resist related key attack.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.10
• /
• pp.3815-3833
• /
• 2021

MILP-based automatic search is the most common method in analyzing the security of cryptographic algorithms. However, this method brings many issues such as low efficiency due to the large size of the model, and the difficulty in finding the contradiction of the impossible differential distinguisher. To analyze the security of ESF algorithm, this paper introduces a simplified MILP-based search model of the differential distinguisher by reducing constrains of XOR and S-box operations, and variables by combining cyclic shift with its adjacent operations. Also, a new method to find contradictions of the impossible differential distinguisher is proposed by introducing temporary variables, which can avoid wrong and miss selection of contradictions. Based on a 9-round impossible differential distinguisher, 15-round attack of ESF can be achieved by extending forward and backward 3-round in single-key setting. Compared with existing results, the exact lower bound of differential active S-boxes in single-key setting for 10-round ESF are improved. Also, 2108 9-round impossible differential distinguishers in single-key setting and 14 12-round impossible differential distinguishers in related-key setting are obtained. Especially, the round of the discovered impossible differential distinguisher in related-key setting is the highest, and compared with the previous results, this attack achieves the highest round number in single-key setting.

• Journal of Advanced Navigation Technology
• /
• v.13 no.6
• /
• pp.977-983
• /
• 2009

Recently, several DDP, DDO and COS-based block ciphers have been proposed for hardware implementations with low cost. However, most of them are vulnerable to related-keyt attacks. A 12-round block cipher SCOS-3 is desinged to eliminate the weakness of DDP, DDO and COS-based block ciphers. In this paper, we propose a related-key differential attack on an 11-round reduced SCOS-3. The attack on an 11-round reduced SCOS-3 requires $2^{58}$ related-key chosen plaintexts and $2^{117.54}$ 11-round reduced SCOS-3 encryptions. This work is the first known attack on SCOS-3. Therefore, SCOS-3 is still vulnerable to related-key attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.3
• /
• pp.115-126
• /
• 2005

SHACAL-2 is a 256-bit block cipher with up to 512 bits of key length based on the hash function SHA-2. It was submitted to the the NESSIE project and was recommended as one of the NESSIE selections. In this paper, we present two types of related-key attacks called the related-key differential-(non)linear and the related-key rectangle attacks, and we discuss the security of SHACAL-2 against these two types of attacks. Using the related-key differential-nonlinear attack, we can break SHACAL-2 with 512-bit keys up to 35 out of its 64 rounds, and using the related-key rectangle attack, we can break SHACAL-2 with 512-bit keys up to 37 rounds.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.4
• /
• pp.27-35
• /
• 2008

In this paper we show that the full-round SCO-1[12] is vulnerable to the related-key differential attack. The attack on the full-round SCO-1 requires $2^{61}$ related-key chosen ciphertexts and $2^{120.59}$ full-round SCO-1 decryptions. This work is the first known attack on SCO-1.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.16 no.3
• /
• pp.1047-1062
• /
• 2022

Differential power analysis (DPA) is disturbed by ghost peaks. There is a phenomenon that the mean absolute difference (MAD) value of the wrong key is higher than the correct key. We propose a compressed key guessing space (CKGS) scheme to solve this problem and analyze the AES algorithm. The DPA based on this scheme is named CKGS-DPA. Unlike traditional DPA, the CKGS-DPA uses two power leakage points for a combined attack. The first power leakage point is used to determine the key candidate interval, and the second is used for the final attack. First, we study the law of MAD values distribution when the attack point is AddRoundKey and explain why this point is not suitable for DPA. According to this law, we modify the selection function to change the distribution of MAD values. Then a key-related value screening algorithm is proposed to obtain key information. Finally, we construct two key candidate intervals of size 16 and reduce the key guessing space of the SubBytes attack from 256 to 32. Simulation experimental results show that CKGS-DPA reduces the power traces demand by 25% compared with DPA. Experiments performed on the ASCAD dataset show that CKGS-DPA reduces the power traces demand by at least 41% compared with DPA.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.11
• /
• pp.5717-5730
• /
• 2019

LBlock-s is the core block cipher of authentication encryption algorithm LAC, which uses the same structure of LBlock and an improved key schedule algorithm with better diffusion property. Using the differential properties of the key schedule algorithm and the cryptanalytic technique which combines impossible boomerang attacks with related-key attacks, a 15-round related-key impossible boomerang distinguisher is constructed for the first time. Based on the distinguisher, an attack on 22-round LBlock-s is proposed by adding 4 rounds on the top and 3 rounds at the bottom. The time complexity is about only 2^68.76 22-round encryptions and the data complexity is about 2⁵⁸ chosen plaintexts. Compared with published cryptanalysis results on LBlock-s, there has been a sharp decrease in time complexity and an ideal data complexity.