• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.4
• /
• pp.45-52
• /
• 2008

The slide resynchronization attack on Grain-v1 was proposed in [5]. Given the keystream sequence, this attack can generate the 1-bit shifted keystream sequence generated by Grain-v1. In this paper, extending the attack proposed in [5], we propose the key recovery attack on Grain-v1 using the related-key. Using the weakness of the initialization procedure of Grain-v1, this attack recover the master key with $2^{25.02}$ Ⅳs and $2^{56}$ time complexity. This attack is the first known key recovery attack on Grain-v1.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.1
• /
• pp.53-62
• /
• 2009

H. Gilbert et al. proposed a collision attack on 7-round reduced Rijndael[5]. Applying this attack, we propose collision attacks on 8-round reduced Crypton, 8-round reduced mCrypton in this paper. Attacks on Crypton requires $2^{161.6}$ time complexity with $2^{96}$ chosen plaintexts, respectively. The attack on mCrypton requires $2^{81.6}$ time complexity with $2^{48}$ chosen plaintexts. These results are the best attacks on Crypton and mCrypton in published literatures.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.3
• /
• pp.3-10
• /
• 2009

In this paper, we introduce improved differential and linear attacks on the SMS4 block cipher which is used in the Chinese national standard WAPI (WLAN Authentication and Privacy Infrastructure, WLAN - Wireless Local Area Network): First, we introduce how to extend previously known differential attacks on SMS4 from 20 or 21 to 22 out of the full 32 rounds. Second, we improve a previously known linear attack on 22-round reduced SMS4 from $2^{119}$ known plaintexts, $2^{109}$ memory bytes, $2^{117}$ encryptions to $2^{117}$ known plaintexts, $2^{l09}$ memory bytes, $2^{112.24}$ encryptions, by using a new linear approximation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.12 no.2
• /
• pp.65-76
• /
• 2002

Shin et al. proposed the new hash function with 160-bit output length at PKC'98. This hash function is based on the advantages of the existing hash functions, such as SHA-1, RIPEMD-160, HAVAL, and etc.$^{[1]}$ Recently, Han et al. cryptanalyzed the hash function proposed at PKC'98 and proposed the method finding a collision pair with $2^{-30}$ probability at FSE 2002, supposing that boolean functions satisfy SAC(Strict Avalanche Criterian).$^{[2]}$ This paper improves the method and shows that we can find a collision pair from the original version of the hash function with $2^{-37.13}$ probability through the improved method. And we point out that the problem of the function comes from shift values dependent on message.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.12 no.4
• /
• pp.55-66
• /
• 2002

HAVAL is a dedicated hash function of the MD family which was proposed by Zheng et al.. HAVAL compresses a message of arbitrary length into a hash value of 128, 160, 192, 224, or 256 bits. HAVAL has a parameter that controls the number of passes a message block of 1024 bits is processed. A message block can be processed in 3,4, or 5 passes. When a message block is processed in three passes, we call such a case 3-pass HAVAL. So, there are three kinds of HAVAL: 3-pass HAVAL, 4-pass HAVAL, and 5-pass HAVAL. In this paper, we study the security of reduced versions of 3-pass HAVAL. We propose a method for finding the collisions for the first two passes of 3-pass HAVAL and for the last two passes of 3-pass HAVAL. This approach of reducing the number of passes is similar to the initial attacks on MD4. We represent the first two passes of 3-pass HAVAL as HAVAL-12 and the last two passes of 3-pass HAVAL as HAVAL-23.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.1
• /
• pp.79-85
• /
• 2006

This attack requires an oracle which on receipt of a ciphertext, decrypts it and replies to the sender whether the padding is VALID or INVALID. In this paper we extend these attacks to other kinds of modes of operation for block ciphers. Specifically, we apply the padding oracle attacks to multiple modes of operation with various padding schemes. As a results of this paper, 12 out of total 36 double modes and 22 out of total 216 triple modes are vulnerable to the padding oracle attacks. It means that the 12 double modes and the 22 triple modes exposed to these types of attacks do not offer the better security than single modes.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.1
• /
• pp.33-41
• /
• 2012

A differential fault analysis(DFA) is one of the most important side channel attacks on block ciphers. Most block ciphers, such as DES, AES, ARIA, SEED and so on., have been analysed by this attack. PRESENT is a 64-bit block cipher with 80/128-bit secret keys and has a 31-round SP-network. So far, several DFAs on PRESENT have been proposed. These attacks recovered 80, 128-bit secret keys of PRESENT with 8~64 fault injections. respectively. In this paper, we propose an improved DFA on PRESENT-80/128. Our attack can reduce the complexity of exhaustive search of PRESENT-80(resp. 128) to on average 1.7(resp. $2^{22.3}$) with 2(resp. 3) fault injections, From these results, our attack results are superior to known DFAs on PRESENT.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.6
• /
• pp.35-44
• /
• 2011

The PP-1/64-128 block cipher support variety data block and secret key size. Also, it is suitable for hardware implementation and can much easier to apply Concurrent Error Detection(CED) for cryptographic chips compared to other block ciphers, because it has same encryption and decryption process. In this paper, we proposed truncated differential cryptanalysis of PP-1/64-128. the attack on PP-1/64-128 block cipher requires $2^{50.16}$ chosen plaintexts, $2^{46.16}$ bytes memory spaces and $2^{50.45}$ PP-1/64-128 encryption to retrieve secret key. This is the best result of currently known PP-1/64-128 differential cryptanalysis.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.6
• /
• pp.3-13
• /
• 2010

Differential Fault Analysis (DFA) is widely known for one of the most efficient method analyzing block cipher. In this paper, we propose a new type of DFA on DES (Data Encryption Standard). DFA on DES was first introduced by Biham and Shamir, then Rivain recently introduced DFA on DES middle rounds (9-12 round). However previous attacks on DES can only be applied to the encryption process. Meanwhile, we first propose the DFA on DES key-schedule. In this paper, we proposed a more efficient DFA on DES key schedule with random fault. The proposed DFA method retrieves the key using a more practical fault model and requires fewer faults than the previous DFA on DES.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.4
• /
• pp.17-24
• /
• 2010

A differential fault attack(DFA) is one of the most efficient side channel attacks on block ciphers. Almost all block ciphers, such as DES, AES, ARIA, SEED and so on., have been analysed by this attack. In the case of the known DFAs on SEED, the attacker induces permanent faults on a whole left register of round 16. In this paper, we analyse SEED against DFA with differential characteristics and addition-XOR characteristics of the round function of SEED. The fault assumption of our attack is that the attacker induces 1-bit faults on a particular register. By using our attack, we can recover last round keys and the master key with about $2^{32}$ simple arithmetic operations. It can be simulated on general PC within about a couple of second.