• Title/Summary/Keyword: block cipher

SITM Attacks on Skinny-128-384 and Romulus-N (Skinny-128-384와 Romulus-N의 SITM 공격)

  • Park, Jonghyun;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.5 / pp.807-816 / 2022
  • See-In-The-Middle (SITM) is an analysis technique that uses side-channel information for differential cryptanalysis. The attack collects power traces from the unmasked middle rounds of a block cipher implementation in order to select plaintext pairs that satisfy the attacker's differential pattern, and then uses those pairs in differential cryptanalysis to recover the key. Romulus, one of the finalists of the NIST Lightweight Cryptography standardization competition, is based on the tweakable block cipher Skinny-128-384+. In this paper, the SITM attack is applied to Skinny-128-384 implemented with 14-round partial masking. The attack not only increases the depth by one round but also significantly reduces the time/data complexity to $2^{14.93}/2^{14.93}$. Depth refers to the round position of the block cipher at which the power trace is collected, and it makes it possible to determine the number of masked rounds required when applying masking as a countermeasure to this attack. Furthermore, we extend the attack to Romulus-N, the nonce-based AE mode of Romulus, and show that the structural features of the tweakey allow it to be attacked with lower complexity than Skinny-128-384.

Optimized Implementation of Lightweight Block Cipher PIPO Using T-Table (T-table을 사용한 경량 블록 암호 PIPO의 최적화 구현)

  • Minsig Choi;Sunyeop Kim;Insung Kim;Hanbeom Shin;Seonggyeom Kim;Seokhie Hong
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.3 / pp.391-399 / 2023
  • In this paper, we present for the first time a T-table implementation of the lightweight block ciphers PIPO-64/128 and PIPO-64/256. While our proposed implementation requires 16 T-tables, we show that two types of T-tables are circulant and obtain variant implementations that require a smaller number of T-tables. We then discuss the trade-off between the number of required T-tables (code size) and throughput by evaluating the throughput of the variant implementations on an Intel Core i7-9700K processor. The throughput-optimized versions for PIPO-64/128 and PIPO-64/256 provide better throughput than the TLU (Table-Look-Up) reference implementation by factors of 3.11 and 2.76, respectively, and than the bit-slice reference implementation by factors of 3.11 and 2.76, respectively.

Design of YK2 Cipher Algorithm for Electronic Commerce Security (전자상거래 보안을 위한 YK2 암호 알고리즘 설계)

  • Kang, Young-Ku;Rhew, Sung-Yul
    • The Transactions of the Korea Information Processing Society / v.7 no.10 / pp.3138-3147 / 2000
  • EC (Electronic Commerce), which is conducted in the virtual space of the Internet, has the advantage of being independent of time and space. On the other hand, it also has a weak point, namely security problems, because anybody can easily access the system due to the open network nature of the Internet. Therefore, we need solutions that address the EC security problem for safe and useful EC activity. One of these solutions is the implementation of a strong cipher algorithm. The YK2 (YoungKu Kang) cipher algorithm proposed in this paper is advantageous for EC security: it overcomes the limit of the current 64-bit block cipher algorithms by using a 128-bit length for the input, the output and the encryption key, and 32 rounds. Moreover, it is designed to increase the time complexity and probability calculation by adopting a more complex design for key scheduling, which is regarded as one of the important elements affecting encryption.

Experimental Design of S box and G function strong with attacks in SEED-type cipher (SEED 형식 암호에서 공격에 강한 S 박스와 G 함수의 실험적 설계)

  • 박창수;송홍복;조경연
    • Journal of the Korea Institute of Information and Communication Engineering / v.8 no.1 / pp.123-136 / 2004
  • In this paper, the complexity and regularity of polynomial multiplication over $GF(2^n)$ are defined using the Hamming weights of the rows and columns of the matrix over GF(2) that represents the polynomial multiplication. It is shown experimentally that, in order to construct a block cipher robust against differential cryptanalysis, the polynomial multiplications of the substitution layer and the permutation layer should have high complexity and high regularity. Based on the experimental results, a way of constructing the S-box and G function is suggested for a block cipher whose structure is similar to SEED, the Korean standard 128-bit block cipher. The S-box can be formed from a nonlinear function and an affine transform. The nonlinear function must be resistant to differential and linear attacks; it consists of inversion over $GF(2^8)$, which has neither a fixed point (an input whose output equals itself, other than 0 and 1) nor an opposite fixed point (an input whose output is its one's complement). The affine transform can be constructed so that the input/output correlation is lowest and there is no fixed point or opposite fixed point. The G function applies a linear transform to four S-box outputs using a $4 \times 4$ matrix over $GF(2^8)$, whose entries have high complexity and high regularity. Furthermore, the G function can be constructed so that it forms an MDS (Maximum Distance Separable) code, satisfies the SAC (Strict Avalanche Criterion), and has no weak inputs, i.e. no fixed point, no opposite fixed point, and no output that is the two's complement of the input. The primitive polynomials of the nonlinear function, the affine transform and the linear transformation are different from each other. The S-box and G function suggested in this paper can be used as components of a block cipher with high security, in that they are resistant to differential and linear attacks, have no weak inputs, and provide excellent diffusion.

Post-Quantum Security Strength Evaluation through Implementation of Quantum Circuit for SIMECK (SIMEC 경량암호에 대한 양자회로 구현 및 Post-Quantum 보안 강도 평가)

  • Song Gyeong Ju;Jang Kyung Bae;Sim Min Joo;Seo Hwa Jeong
    • KIPS Transactions on Computer and Communication Systems / v.12 no.6 / pp.181-188 / 2023
  • Block ciphers are not expected to remain secure against quantum computers, since Grover's algorithm reduces their security strength by accelerating brute-force attacks on symmetric-key ciphers. It is therefore necessary to check the post-quantum security strength by implementing a quantum circuit for the target cipher. In this paper, we propose an optimized quantum circuit implementation of the SIMECK lightweight cipher, designed to minimize the use of quantum resources (qubits and quantum gates), and explain the operation of each quantum circuit. The implemented SIMECK quantum circuit is used to estimate the required quantum resources and to calculate the cost of a Grover attack. Finally, the post-quantum strength of SIMECK is evaluated. As a result of this evaluation, all ciphers of the SIMECK family failed to reach the NIST security strength levels. Therefore, the safety of SIMECK is expected to be unclear once large-scale quantum computers appear. In this regard, it is judged appropriate to increase the block size, the number of rounds and the key length in order to increase the security strength.

A Hardware Design Space Exploration toward Low-Area and High-Performance Architecture for the 128-bit Block Cipher Algorithm SEED (128-비트 블록 암호화 알고리즘 SEED의 저면적 고성능 하드웨어 구조를 위한 하드웨어 설계 공간 탐색)

  • Yi, Kang
    • Journal of KIISE:Computing Practices and Letters / v.13 no.4 / pp.231-239 / 2007
  • This paper presents the trade-off between area and performance in the hardware design space exploration for the Korean national standard 128-bit block cipher algorithm SEED. We compare the following four hardware design types for the SEED algorithm: (1) Design 1, a fully pipelined 16-round approach; (2) Design 2, a one-round looping approach; (3) Design 3, a G-function sharing and looping approach; and (4) Design 4, a one-round approach with an internal 3-stage pipeline. Design 1, Design 2 and Design 3 are existing approaches, while Design 4 is newly proposed in this paper. Our new design places the pipeline between the three G functions and the adders that make up an F function, which results in a smaller area requirement than Design 2 and achieves higher performance than Design 2 and Design 3 thanks to the pipelining and module sharing techniques. We design and implement all four approaches in real hardware targeting an FPGA for the purpose of exact performance and area analysis. The experimental results show that Design 4 has the highest performance except for Design 1, which pursues very aggressive parallelism at the expense of area. Our proposed design (Design 4) shows the best throughput/area ratio among all the alternatives, by a factor of 2.8. Therefore, our new design for SEED is the most efficient compared with the existing designs.

MILP-Aided Division Property and Integral Attack on Lightweight Block Cipher PIPO (경량 블록 암호 PIPO의 MILP-Aided 디비전 프로퍼티 분석 및 인테그랄 공격)

  • Kim, Jeseong;Kim, Seonggyeom;Kim, Sunyeop;Hong, Deukjo;Sung, Jaechul;Hong, Seokhie
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.5 / pp.875-888 / 2021
  • In this paper, we search for integral distinguishers of the lightweight block cipher PIPO and propose a key recovery attack on 8-round PIPO-64/128 using the 6-round distinguishers obtained. The lightweight block cipher PIPO, proposed at ICISC 2020, is designed to allow efficient implementation of higher-order masking for side-channel attack resistance. In the proposal, various attacks such as differential and linear cryptanalysis were applied to show sufficient security strength. However, the designers left integral attacks for future work and only showed that PIPO is unlikely to have integral distinguishers longer than 5 rounds, without further analysis based on division property. In this paper, we search for integral distinguishers of PIPO using a MILP-aided division property search. Our search shows that 6-round integral distinguishers exist, contrary to the designers' claim. We also consider linear operations on the input and output of the distinguisher, respectively, and obtain a total of 136 6-round integral distinguishers. Finally, we present an 8-round PIPO-64/128 key recovery attack with time complexity $2^{124.5849}$ and memory complexity $2^{93}$, using four of the obtained 6-round integral distinguishers.

High-Speed FPGA Implementation of SATA HDD Encryption Device based on Pipelined Architecture (고속 연산이 가능한 파이프라인 구조의 SATA HDD 암호화용 FPGA 설계 및 구현)

  • Koo, Bon-Seok;Lim, Jeong-Seok;Kim, Choon-Soo;Yoon, E-Joong;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.2 / pp.201-211 / 2012
  • This paper addresses a Full Disk Encryption (FDE) hardware processor for SATA HDDs in a single FPGA design, and shows experimental results obtained with an FPGA board. The proposed processor mainly consists of two blocks: the first block processes the XTS-AES block cipher mode, the IEEE P1619 standard for storage media encryption, and the second block implements the interface between the SATA host (PC) and device (HDD). To minimize performance degradation, we designed the XTS-AES block with a 4-stage pipelined structure that processes one 128-bit block every 4 clock cycles and achieves a maximum performance of 4.8 Gbps. We also implemented the proposed design on a Xilinx ML507 FPGA board, and our experiment showed 140 MB/sec read/write speed under Windows XP 32-bit with a SATA II HDD. This performance is almost equivalent to the speed of a direct SATA connection without an FDE device; hence the proposed processor is well suited to SATA HDD Full Disk Encryption environments.

A New Block Cipher for 8-bit Microprocessor (8 비트 마이크로프로세서에 적합한 블록암호 알고리즘)

  • 김용덕;박난경;이필중
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference / 1997.11a / pp.303-314 / 1997
  • We present a Feistel-structured block cipher algorithm with a 64-bit block size and a 128-bit key size, in which all basic operations are performed in 8-bit units so as to suit 8-bit microprocessors with limited computing power. The security of this algorithm is comparable to that of the well-known two-key triple-DES [ANSI86] and IDEA [Lai92], and its processing speed is 10 to 20 times faster than single-DES [NBS77]. This paper explains the design principles and security analysis of the algorithm, and compares its statistical properties and performance with those of other algorithms.

Pkc128 block cipher algorithm (Pkc128 블록 암호 알고리즘)

  • Kim, Gil-Ho;Cho, Gyeong-Yeon
    • Proceedings of the Korea Information Processing Society Conference / 2001.10b / pp.823-830 / 2001
  • In this paper, we propose a block cipher algorithm tentatively named Pkc128 (PuKyong Code 128), which uses data-dependent rotation and programmable cellular automata techniques. The proposed cipher has a block size of 128 bits, a variable key size of 128 bits or more, and a Feistel network structure. To verify the security of the proposed algorithm, statistical tests were performed on its output stream. As a result, all tests were passed at 16 rounds, confirming that the proposed algorithm is statistically secure.