• 한국정보통신설비학회:학술대회논문집
• /
• 2008.08a
• /
• pp.155-158
• /
• 2008

In 1989, Kocher et al. introduced Differential Power Attack on block ciphers. This attack allows to extract secret key used in cryptographic computations even if these are executed inside tamper-resistant devices such as smart card. Since 1989, many papers were published to improve resistance of DPA. At FSE 2003 and 2004, Akkar and Goubin presented several masking methods to protect iterated block ciphers such as DES against Differential Power Attack. The idea is to randomize the first few and last few rounds(3 $\sim$ 4 round) of the cipher with independent random masks at each round and thereby disabling power attacks on subsequent inner rounds. This paper show how to combine truncated differential cryptanalysis applied to the first few rounds of the cipher with power attacks to extract the secret key from intermediate unmasked values.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.1
• /
• pp.29-40
• /
• 2005

In this paper we consider the security of recently proposed software-orienred stram cipher HELIX, SCREAM, MUGI, and PANAMA against algebraic attacks. Algebraic attack is a key recovery attack by solving an over-defined system of multi-variate equations with input-output pairs of an algorithm. The attack was firstly applied to block ciphers with some algebraic properties and then it has been mon usefully applied to stream ciphers. However it is difficult to obtain over-defined algebraic equations for a given cryptosystem in general. Here we analyze recently proposed software-oriented stream ciphers by constructing a system of equations for each cipher. furthermore we propose three design considerations of software-oriented stream ciphers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.347-355
• /
• 2018

Ransomware uses symmetric-key algorithm such as a block cipher to encrypt users' files illegally. If we find the traces of a block cipher algorithm in a certain program in advance, the ransomware will be detected in increased rate. The inclusion of a block cipher can consider the encryption function will be enabled potentially. This paper proposes a way to determine whether a particular program contains a block cipher. We have studied the implementation characteristics of various block ciphers, as well as the AES used by ransomware. Based on those characteristics, we are able to find what kind of block ciphers have been contained in a particular program. The methods proposed in this paper will be able to detect ransomware with high probability by complementing the previous detection methods.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.11-18
• /
• 2007

Multiple linear cryptanalysis has been researched as a method building up the linear attack strength. We indicate that the lastest linear attack algorithm using multiple approximations, which was proposed by Biryukov et al. is hardly applicable to block ciphers with highly nonlinear key schedule, and propose a new multiple linear attack algorithm. Simulation of the new attack algorithm with a small block cipher shows that theory for the new multiple linear cryptanalysis works well in practice.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.325-336
• /
• 2020

Nonlinear Invariant Attack is an attack that should be considered when constructing lightweight block ciphers with relatively simple key schedule. A shortcut to prove a block cipher's resistance against nonlinear invariant attack is checking the smallest dimension of linear layer-invariant linear subspace which contains all known differences between round keys is equal to the block size. In this paper, we presents the following results. We identify the structure and number of optimal bit-permutations which require only one known difference between round keys for a designer to show that the corresponding block cipher is resistant against nonlinear invariant attack. Moreover, we show that PRESENT-like block ciphers need at least two known differences between round keys by checking all PRESENT-like bit-permutations. Additionally, we verify that the variants of PRESENT-like bit-permutations requiring the only two known differences between round keys do not conflict with the resistance against differential attack by comparing the best differential trails. Finally, through the distribution of the invariant factors of all bit-permutations that maintain BOGI logic with GIFT S-box, GIFT-variant block ciphers require at least 8 known differences between round keys for the resistance.

• Journal of the Korea Society of Computer and Information
• /
• v.13 no.4
• /
• pp.169-175
• /
• 2008

The existing block encryption algorithms have been designed for the encryption key value to be unchanged and applied to the round functions of each block. and enciphered. Therefore, it has such a weak point that the plaintext or encryption key could be easily exposed by differential cryptanalysis or linear cryptanalysis, both are the most powerful methods for decoding block encryption of a round repeating structure. Dynamic cipher has the property that the key-size, the number of round, and the plaintext-size are scalable simultaneously. Dynamic network is the unique network satisfying these characteristics among the networks for symmetric block ciphers. We analyze the strength of Dynamic network for meet-in-the-middle attack, linear cryptanalysis, and differential cryptanalysis. Also, In this paper we propose a new network called Dynamic network for symmetric block ciphers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.1
• /
• pp.33-41
• /
• 2012

A differential fault analysis(DFA) is one of the most important side channel attacks on block ciphers. Most block ciphers, such as DES, AES, ARIA, SEED and so on., have been analysed by this attack. PRESENT is a 64-bit block cipher with 80/128-bit secret keys and has a 31-round SP-network. So far, several DFAs on PRESENT have been proposed. These attacks recovered 80, 128-bit secret keys of PRESENT with 8~64 fault injections. respectively. In this paper, we propose an improved DFA on PRESENT-80/128. Our attack can reduce the complexity of exhaustive search of PRESENT-80(resp. 128) to on average 1.7(resp. $2^{22.3}$) with 2(resp. 3) fault injections, From these results, our attack results are superior to known DFAs on PRESENT.

• Proceedings of the IEEK Conference
• /
• 2000.07b
• /
• pp.743-746
• /
• 2000

In this paper we propose a new network called Dynamic network for symmetric block ciphers. Dynamic cipher has the property that the key-size, the number of round, and the plaintext-size are scalable simultaneously We present the method for designing secure Dynamic cipher against meet-in-the-middle attack and linear cryptanalysis. Also, we show that the differential cryptanalysis to Dynamic cipher is hard.

• 한국정보통신설비학회:학술대회논문집
• /
• 2008.08a
• /
• pp.340-344
• /
• 2008

In the block cipher, DPA-resistant masking methods make an appropriation of extremely high cost for the non-linear part. Block ciphers like AES and ARIA use the inversion operation as this non-linear part. This make various countermeasures be proposed for reducing the cost of masking inversion. In this paper, we propose the efficient masking inverter by rearranging the masking inversion operation over the composite field and finding duplicated multiplications.

• ETRI Journal
• /
• v.32 no.3
• /
• pp.370-379
• /
• 2010

In this paper, we propose efficient masking methods for ARIA and AES. In general, a masked S-box (MS) block can be constructed in different ways depending on the implementation platform, such as hardware and software. However, the other components of ARIA and AES have less impact on the implementation cost. We first propose an efficient masking structure by minimizing the number of mask corrections under the assumption that we have an MS block. Second, to make a secure and efficient MS block for ARIA and AES, we propose novel methods to solve the table size problem for the MS block in a software implementation and to reduce the cost of a masked inversion which is the main part of the MS block in the hardware implementation.