• Journal of IKEEE
• /
• v.23 no.2
• /
• pp.388-394
• /
• 2019

This paper describes a design of security system-on-chip (SoC) that integrates a Cortex-M0 CPU with an AAW (ARIA-AES- Whirlpool) crypto-core which implements two block cipher algorithms of ARIA and AES and a hash function Whirlpool into an unified hardware architecture. The AAW crypto-core was implemented in a small area through hardware sharing based on algorithmic characteristics of ARIA, AES and Whirlpool, and it supports key sizes of 128-bit and 256-bit. The designed security SoC was implemented on FPGA device and verified by hardware-software co-operation. The AAW crypto-core occupied 5,911 slices, and the AHB_Slave including the AAW crypto-core was implemented with 6,366 slices. The maximum clock frequency of the AHB_Slave was estimated at 36 MHz, the estimated throughputs of the ARIA-128 and the AES-128 was 83 Mbps and 78 Mbps respectively, and the throughput of the Whirlpool hash function of 512-bit block was 156 Mbps.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.9
• /
• pp.4727-4741
• /
• 2019

The lightweight block cipher Piccolo adopts Generalized Feistel Network structure with 64 bits of block size. Its key supports 80 bits or 128 bits, expressed by Piccolo-80 or Piccolo-128, respectively. In this paper, we exploit the security of reduced version of Piccolo from the first round with the pre-whitening layer, which shows the vulnerability of original Piccolo. As a matter of fact, we first study some linear relations among the round subkeys and the properties of linear layer. Based on them, we evaluate the security of Piccolo-80/128 against the meet-in-the-middle attack. Finally, we attack 13 rounds of Piccolo-80 by applying a 5-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{67.39}$ encryptions and $2^{64.91}$ blocks, respectively. Moreover, we also attack 17 rounds of Piccolo-128 by using a 7-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{126}$ encryptions and $2^{125.49}$ blocks, respectively. Compared with the previous cryptanalytic results, our results are the currently best ones if considering Piccolo from the first round with the pre-whitening layer.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.807-816
• /
• 2022

See-In-The-Middle (SITM) is an analysis technique that uses Side-Channel information for differential cryptanalysis. This attack collects unmasked middle-round power traces when implementing block ciphers to select plaintext pairs that satisfy the attacker's differential pattern and utilize them for differential cryptanalysis to recover the key. Romulus, one of the final candidates for the NIST Lightweight Cryptography standardization competition, is based on Tweakable block cipher Skinny-128-384+. In this paper, the SITM attack is applied to Skinny-128-384 implemented with 14-round partial masking. This attack not only increased depth by one round, but also significantly reduced the time/data complexity to 2^14.93/2^14.93. Depth refers to the round position of the block cipher that collects the power trace, and it is possible to measure the appropriate number of masking rounds required when applying the masking technique to counter this attack. Furthermore, we extend the attack to Romulus's Nonce-based AE mode Romulus-N, and Tweakey's structural features show that it can attack with less complexity than Skinny-128-384.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.3
• /
• pp.391-399
• /
• 2023

In this paper, we presents for the first time an implementation using T-table for PIPO-64/128, 256 which are lightweight block ciphers. While our proposed implementation requires 16 T-tables, we show that the two types of T-tables are circulant and obtain variants implementations that require a smaller number of T-tables. We then discuss trade-off between the number of required T-tables (code size) and throughput by evaluating the throughput of the variant implementations on an Intel Core i7-9700K processor. The throughput-optimized versions for PIPO-64/128, 256 provide better throughput than TLU(Table-Look-Up) reference implementation by factors of 3.11 and 2.76, respectively, and bit-slice reference implementation by factors of 3.11 and 2.76, respectively.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.11
• /
• pp.2093-2099
• /
• 2016

This paper describes a design of crypto-processor that supports multiple block cipher algorithms of PRESENT, ARIA, and AES. The crypto-processor integrates three cores that are PRmo (PRESENT with mode of operation), AR_AS (ARIA_AES), and AES-16b. The PRmo core implementing 64-bit block cipher PRESENT supports key length 80-bit and 128-bit, and four modes of operation including ECB, CBC, OFB, and CTR. The AR_AS core supporting key length 128-bit and 256-bit integrates two 128-bit block ciphers ARIA and AES into a single data-path by utilizing resource sharing technique. The AES-16b core supporting key length 128-bit implements AES with a reduced data-path of 16-bit for minimizing hardware. Each crypto-core contains its own on-the-fly key scheduler, and consecutive blocks of plaintext/ciphertext can be processed without reloading key. The crypto-processor was verified by FPGA implementation. The crypto-processor implemented with a $0.18{\mu}m$ CMOS cell library occupies 54,500 gate equivalents (GEs), and it can operate with 55 MHz clock frequency.

• ETRI Journal
• /
• v.23 no.4
• /
• pp.158-167
• /
• 2001

We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by $p^n(resp.q^n)$ and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by $p^{n-1}(resp. q^{n-1})$, where p and q are maximum differential and linear probabilities of the substitution layer, respectively.

• The KIPS Transactions:PartC
• /
• v.9C no.3
• /
• pp.307-312
• /
• 2002

Among the various zero suppression (ZS) algorithms used in a for synchronous stream cipher system, a ZS-2 exhibits certain good properties, including the omission of the block synchronization, easy implementation, etc., yet also a weakness in channel error propagation. Accordingly, This paper proposes a new method by minimizing the bit-wide substitution in the substitution blocks of ZS-2 to improve the degenerated error property in a noisy channel. As a result, the proposed ZS-3 algorithm can decrease the mean error propagation by about 18.7% over that of ZS-2 at n=8.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.2
• /
• pp.600-616
• /
• 2021

SIMON and SPECK are two families of lightweight block ciphers that have excellent performance on hardware and software platforms. At CRYPTO 2019, Gohr first introduces the differential cryptanalysis based deep learning on round-reduced SPECK32/64, and finally reduces the remaining security of 11-round SPECK32/64 to roughly 38 bits. In this paper, we are committed to evaluating the safety of SIMON cipher under the neural differential cryptanalysis. We firstly prove theoretically that SIMON is a non-Markov cipher, which means that the results based on conventional differential cryptanalysis may be inaccurate. Then we train a residual neural network to get the 7-, 8-, 9-round neural distinguishers for SIMON32/64. To prove the effectiveness for our distinguishers, we perform the distinguishing attack and key-recovery attack against 15-round SIMON32/64. The results show that the real ciphertexts can be distinguished from random ciphertexts with a probability close to 1 only by 2^8.7 chosen-plaintext pairs. For the key-recovery attack, the correct key was recovered with a success rate of 23%, and the data complexity and computation complexity are as low as 2⁸ and 2^20.1 respectively. All the results are better than the existing literature. Furthermore, we briefly discussed the effect of different residual network structures on the training results of neural distinguishers. It is hoped that our findings will provide some reference for future research.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.5
• /
• pp.57-68
• /
• 2004

The rectangle attack and the related-key attack on block ciphers are well-known to be very powerful. In this paper we combine the rectangle attack with the related-key attack. Using this combined attack we can attack the SHACAL-1 cipher with 512-bit keys up to 59 out of its 80 rounds. Our 59-round attack requires a data complexity of $2^{149.72}$ chosen plaintexts and a time complexity of $2^{498.30}$ encryptions, which is faster than exhaustive search.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.3
• /
• pp.103-107
• /
• 2005

Impossible differential attacks on AES have been proposed up to 6-round which requires $2^{91.5}$ chosen plaintexts and $2^{122}$ 6-round AES encryptions. In this paper, we introduce various 4-round impossible differentials and using them, we propose improved impossible differential attacks on 6-round AES. The current attacks require $2^{83.4}$ chosen plaintexts and $2^{105.4}$ 6-round AES encryptions to retrieve 11 bytes of the first and the last round keys.