• ETRI Journal
• /
• v.35 no.1
• /
• pp.131-141
• /
• 2013

Integral cryptanalysis, which is based on the existence of (higher-order) integral distinguishers, is a powerful cryptographic method that can be used to evaluate the security of modern block ciphers. In this paper, we focus on substitution-permutation network (SPN) ciphers and propose a criterion to characterize how an r-round integral distinguisher can be extended to an (r+1)-round higher-order integral distinguisher. This criterion, which builds a link between integrals and higher-order integrals of SPN ciphers, is in fact based on the theory of direct decomposition of a linear space defined by the linear mapping of the cipher. It can be directly utilized to unify the procedure for finding 4-round higher-order integral distinguishers of AES and ARIA and can be further extended to analyze higher-order integral distinguishers of various block cipher structures. We hope that the criterion presented in this paper will benefit the cryptanalysts and may thus lead to better cryptanalytic results.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.11
• /
• pp.4502-4521
• /
• 2020

At EUROCRYPT 2015, Todo proposed a new technique named division property, and it is a powerful technique to find integral distinguishers. The original division property is also named word-based division property. Later, Todo and Morii once again proposed a new technique named the bit-based division property at FSE 2016 and find more rounds integral distinguisher for SIMON-32. There are two basic approaches currently being adopted in researches under the bit-based division property. One is conventional bit-based division property (CBDP), the other is bit-based division property using three-subset (BDPT). Particularly, BDPT is more powerful than CBDP. In this paper, we use Boolean Satisfiability Problem (SAT)-aided cryptanalysis to search integral distinguishers. We conduct experiments on SIMON-32/-48/-64/-96, SIMON (102)-32/-48/-64, SIMECK-32/-48/-64, LBlock, GIFT and Khudra to prove the efficiency of our method. For SIMON (102)-32/-48/-64, we can determine some bits are odd, while these bits can only be determined as constant in the previous result. For GIFT, more balanced (zero-sum) bits can be found. For LBlock, we can find some other new integral distinguishers. For Khudra, we obtain two 9-round integral distinguishers. For other ciphers, we can find the same integral distinguishers as before.

• Annual Conference of KIPS
• /
• 2023.11a
• /
• pp.175-178
• /
• 2023

차분 분석은 암호 분석기법 중 하나이며, 차분 공격을 위해 랜덤 데이터들로부터 차분 특성 (입/출력차분)을 만족하는 데이터를 구별해 내는 것을 구별자 공격이라 한다. Neural distinguisher는 구별자에 딥러닝을 적용한 것이다. 본 논문에서는 NIST 표준 형태보존암호인 FF1, FF3-1을 위한 단일 차분을 사용한 최초의 신경 구별자를 제안하였다. FF1은 차분으로 0F를 사용할 때, 숫자 및 소문자 도메인에서 차분 데이터 구별에 성공하였다 (정확도는 각각 0.85 및 0.52). FF3-1에서는 08을 사용할 때, 숫자 및 소문자 도메인에서 차분 데이터 구별에 성공하였다 (정확도는 각각 0.98 및 0.55).

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.9
• /
• pp.4548-4559
• /
• 2018

Conditional differential attack against NFSR-based cryptosystems proposed by Knellwolf et al. in Asiacrypt 2010 has been widely used for analyzing round-reduced Grain v1. In this paper, we present improved conditional differential attacks on Grain v1 based on a factorization simplification method, which makes it possible to obtain the expressions of internal states in more rounds and analyze the expressions more precisely. Following a condition-imposing strategy that saves more IV bits, Sarkar's distinguishing attack on Grain v1 of 106 rounds is improved to a key recovery attack. Moreover, we show new distinguishing attack and key recovery attack on Grain v1 of 107 rounds with lower complexity O($2^{34}$) and appreciable theoretical success probability 93.7%. Most importantly, our attacks can practically recover key expressions with higher success probability than theoretical results.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.5
• /
• pp.875-888
• /
• 2021

In this paper, we search integral distinguishers of lightweight block cipher PIPO and propose a key recovery attack on 8-round PIPO-64/128 with the obtained 6-round distinguishers. The lightweight block cipher PIPO proposed in ICISC 2020 is designed to provide the efficient implementation of high-order masking for side-channel attack resistance. In the proposal, various attacks such as differential and linear cryptanalyses were applied to show the sufficient security strength. However, the designers leave integral attack to be conducted and only show that it is unlikely for PIPO to have integral distinguishers longer than 5-round PIPO without further analysis on Division Property. In this paper, we search integral distinguishers of PIPO using a MILP-aided Division Property search method. Our search can show that there exist 6-round integral distinguishers, which is different from what the designers insist. We also consider linear operation on input and output of distinguisher, respectively, and manage to obtain totally 136 6-round integral distinguishers. Finally, we present an 8-round PIPO-64/128 key recovery attack with time complexity 2^124.5849 and memory complexity of 2⁹³ with four 6-round integral distinguishers among the entire obtained distinguishers.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.5
• /
• pp.2660-2679
• /
• 2017

Crypton is a SP-network block cipher that attracts much attention because of its excellent performance on hardware. Based on Crypton, mCrypton is designed as a lightweight block cipher suitable for Internet of Things (IoT) and Radio Frequency Identification (RFID). The security of Crypton and mCrypton under meet-in-the-middle attack is analyzed in this paper. By analyzing the differential properties of cell permutation, several differential characteristics are introduced to construct generalized ${\delta}-sets$. With the usage of a generalized ${\delta}-set$ and differential enumeration technique, a 6-round meet-in-the-middle distinguisher is proposed to give the first meet-in-the-middle attack on 9-round Crypton-192 and some improvements on the cryptanalysis of 10-round Crypton-256 are given. Combined with the properties of nibble permutation and substitution, an improved meet-in-the-middle attack on 8-round mCrypton is proposed and the first complete attack on 9-round mCrypton-96 is proposed.

• Annual Conference of KIPS
• /
• 2023.05a
• /
• pp.151-153
• /
• 2023

구별자 공격은 암호 알고리즘이 특정 확률로 특정 차분 특성을 만족한다는 사실을 활용하여 랜덤 데이터들로부터 암호 데이터를 구별해내는 작업이며, 데이터에 대한 확률적인 예측을 수행하는 딥러닝 기술은 이에 대한 좋은 솔루션이 될 수 있다. 최근 딥러닝 기술이 발달함에 따라 실제로 신경망 구별자에 대한 많은 연구들이 진행되고 있지만, 형태 보존 암호인 FF3에 대한 딥러닝 기반의 구별자 공격에 대한 연구는 아직 수행되지 않았다. 본 논문에서는 형태 보존암호인 FF3에 대한 딥러닝 기반의 신경망 구별자를 최초로 제안하였다. 실험 결과, 0x08 (입력 차분)에 대해서는 숫자 도메인에서 8 라운드까지0.98 이상의 정확도를 달성하였으며, 소문자 도메인에서는 2라운드까지 구별이 가능하였다. 향후에는 또 다른 형태 보존 암호에 대한 신경망 구별자와 더 큰 도메인 및 높은 라운드에서도 동작 가능한 FF3 신경망 구별자를 구현할 예정이다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.337-347
• /
• 2020

In CRYPTO 2019, Gohr presents that Deep-learning can be used for cryptanalysis. In this paper, we verify whether Deep-learning can identify the structures of S-box. To this end, we conducted two experiments. First, we use DDT and LAT of S-boxes as the learning data, whose structure is one of mainly used S-box structures including Feistel, MISTY, SPN, and multiplicative inverse. Surprisingly, our Deep-learning algorithms can identify not only the structures but also the number of used rounds. The second application verifies the pseudo-randomness of and structures by increasing the nuber of rounds in each structure. Our Deep-learning algorithms outperform the theoretical distinguisher in terms of the number of rounds. In general, the design rationale of ciphers used for high level of confidentiality, such as for military purposes, tends to be concealed in order to interfere cryptanalysis. The methods presented in this paper show that Deep-learning can be utilized as a tool for analyzing such undisclosed design rationale.

• Journal of Korea Multimedia Society
• /
• v.12 no.5
• /
• pp.644-652
• /
• 2009

New communication environments such as USN, WiBro and RFID have been realized nowadays. Thus, in order to ensure security and privacy protection, various light-weight block ciphers, e.g., mCrypton, HIGHT, SEA and PRESENT, have been proposed. The block cipher mCrypton, which is a light-weight version of Crypton, is a 64-bit block cipher with three key size options (64 bits, 96 bits, 128 bits). In this paper we show that 8-round mCrypton with 128-bit key is vulnerable to related-key rectangle attack. It is the first known cryptanalytic result on mCrypton. We first describe how to construct two related-key truncated differentials on which 7-round related-key rectangle distinguisher is based and then exploit it to attack 8-round mCrypton. This attack requires $2^{45.5}$dada and $2^{45.5}$time complexities which is faster than exhaustive key search.