• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.16 no.3
• /
• pp.972-985
• /
• 2022

In the year 2020, a new lightweight block cipher µ² is proposed. It has both good software and hardware performance, and it is especially suitable for constrained resource environment. However, the security evaluation on µ² against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on µ² is proposed. In this paper, firstly, some cryptographic properties on µ² are proposed. Then several longest 7-round impossible differential distinguishers are constructed. Finally, an impossible differential cryptanalysis on µ² reduced to 10 rounds is proposed based on the constructed distinguishers. The time complexity for the attack is about 2^69.63 10-round µ² encryptions, the data complexity is O(2⁴⁸), and the memory complexity is 2^63.57 Bytes. The reported result indicates that µ² reduced to 10 rounds can't resist against impossible differential cryptanalysis.

• ETRI Journal
• /
• v.39 no.1
• /
• pp.108-115
• /
• 2017

ARIA is a 128-bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential-linear cryptanalysis. We present five rounds of differential-linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 284.8 chosen plaintexts. Moreover, we develop differential-linear attacks based on six rounds of ARIA-128 and seven rounds of ARIA-256. This is the first multidimensional differential-linear cryptanalysis of ARIA and it has lower data complexity than all previous results. This is a preliminary study and further research may obtain better results in the future.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.9 no.3
• /
• pp.63-74
• /
• 1999

In this paper we present a Hangul Encryption Algorithm (HEA) which encrypts composition Hangul syllables into composition Hangul syllables using the non-linear structure of Hangul. Since ciphertexts generated by HEA are displayable characters HEA can be used in applications such as Privacy Enhanced mail (PEM) where ciphertexts should be displayable characters. HEA is based on DES and it can be shown that HEA is as safe as DES against the exhaustive key search differential cryptanalysis and linear cryptanalysis. HEA also has randomness of phonemes of ciphertexts and satisfies plaintext-ciphetext avalanche effect and key-ciphertext avalanche effect.

• ETRI Journal
• /
• v.37 no.1
• /
• pp.165-174
• /
• 2015

In this paper, we focus on a novel technique called the cube-linear attack, which is formed by combining cube attacks with linear attacks. It is designed to recover the secret information in a probabilistic polynomial and can reduce the data complexity required for a successful attack in specific circumstances. In addition to the different combination strategies of the two attacks, two cube-linear schemes are discussed. Applying our method of a cube-linear attack to a reduced-round Trivium, as an example, we get better linear cryptanalysis results. More importantly, we believe that the improved linear cryptanalysis technique introduced in this paper can be extended to other ciphers.

• ETRI Journal
• /
• v.37 no.5
• /
• pp.1012-1022
• /
• 2015

Conventional cryptographic algorithms are not sufficient to protect secret keys and data in white-box environments, where an attacker has full visibility and control over an executing software code. For this reason, cryptographic algorithms have been redesigned to be resistant to white-box attacks. The first white-box AES (WB-AES) implementation was thought to provide reliable security in that all brute force attacks are infeasible even in white-box environments; however, this proved not to be the case. In particular, Billet and others presented a cryptanalysis of WB-AES with 230 time complexity, and Michiels and others generalized it for all substitution-linear transformation ciphers. Recently, a collision-based cryptanalysis was also reported. In this paper, we revisit Chow and others's first WB-AES implementation and present a conditional re-encoding method for cryptanalysis protection. The experimental results show that there is approximately a 57% increase in the memory requirement and a 20% increase in execution speed.

• Journal of the Korea Computer Industry Society
• /
• v.5 no.3
• /
• pp.405-414
• /
• 2004

In this paper, we designed a 128-bits block cipher, Circle-g, which has 18-rounds modified Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Circle-g. Because of the strong diffusion effect of the F-function of the algorithm, we could get a 9-rounds DC characteristic with probability 2^{-144} and a 12-rounds LC characteristic with probability 2^{-144}. For the Circle-g with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 12 rounds of the algorithm.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.121-125
• /
• 2007

Differential cryptanalysis and linear cryptanalysis are the most powerful approaches known for attacking many block ciphers and used to evaluating the security of many block ciphers. So designers have designed secure block ciphers against these cryptanalyses. In this paper, we present new three block cipher structures. And for given r, we prove that differential(linear) probabilities for r-round blockcipher structures are upper bounded by $p^2(q^2),\;2p^2(2q^2)$ if the maximum differential(linear) probability is p(q) and the round function is a bijective function.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.10 no.4
• /
• pp.107-112
• /
• 2000

In this paper, we study a security of HEA(Hangul Encryption Algorithm) against differential cryptanalysis. HEA, which is 1,024bits input/output and 56bits key size, has the same structure as DES(Data Encyption Standard) only for Korean characters to be produced in ciphertexts. An encryption algorithm should be developed to meet certain critria such as input/ouput dependencies, correlation, avalanche effects, etc. However HEA uses the same S-Boxes as DES does and just expands the plaintext/ciphertext sizes . We analysize HEA with a differential cryptanalysis and present two results. The number of rounds of HEA has not been determined in a concrete basis of cryptanalysis and we show a chosen plintext attack of 10 round reduced HEA with a diffe- rential cryptanalysis characteristic.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.2
• /
• pp.600-616
• /
• 2021

SIMON and SPECK are two families of lightweight block ciphers that have excellent performance on hardware and software platforms. At CRYPTO 2019, Gohr first introduces the differential cryptanalysis based deep learning on round-reduced SPECK32/64, and finally reduces the remaining security of 11-round SPECK32/64 to roughly 38 bits. In this paper, we are committed to evaluating the safety of SIMON cipher under the neural differential cryptanalysis. We firstly prove theoretically that SIMON is a non-Markov cipher, which means that the results based on conventional differential cryptanalysis may be inaccurate. Then we train a residual neural network to get the 7-, 8-, 9-round neural distinguishers for SIMON32/64. To prove the effectiveness for our distinguishers, we perform the distinguishing attack and key-recovery attack against 15-round SIMON32/64. The results show that the real ciphertexts can be distinguished from random ciphertexts with a probability close to 1 only by 2^8.7 chosen-plaintext pairs. For the key-recovery attack, the correct key was recovered with a success rate of 23%, and the data complexity and computation complexity are as low as 2⁸ and 2^20.1 respectively. All the results are better than the existing literature. Furthermore, we briefly discussed the effect of different residual network structures on the training results of neural distinguishers. It is hoped that our findings will provide some reference for future research.

• Journal of the Korea Computer Industry Society
• /
• v.4 no.4
• /
• pp.523-532
• /
• 2003

In this paper, we designed a 128-bit block cipher, Lambda, which has 16-round extended Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Lambda. Because of the strong diffusion effect of the algorithm, we could get a 8-round differential characteristic with probability $2^{-192}$ and a linear characteristic with probability $2^{-128}$. For the Lambda with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 8 rounds of the algorithm.