• ETRI Journal
• /
• v.39 no.1
• /
• pp.108-115
• /
• 2017

ARIA is a 128-bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential-linear cryptanalysis. We present five rounds of differential-linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 284.8 chosen plaintexts. Moreover, we develop differential-linear attacks based on six rounds of ARIA-128 and seven rounds of ARIA-256. This is the first multidimensional differential-linear cryptanalysis of ARIA and it has lower data complexity than all previous results. This is a preliminary study and further research may obtain better results in the future.

• ETRI Journal
• /
• v.37 no.1
• /
• pp.165-174
• /
• 2015

In this paper, we focus on a novel technique called the cube-linear attack, which is formed by combining cube attacks with linear attacks. It is designed to recover the secret information in a probabilistic polynomial and can reduce the data complexity required for a successful attack in specific circumstances. In addition to the different combination strategies of the two attacks, two cube-linear schemes are discussed. Applying our method of a cube-linear attack to a reduced-round Trivium, as an example, we get better linear cryptanalysis results. More importantly, we believe that the improved linear cryptanalysis technique introduced in this paper can be extended to other ciphers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.9 no.3
• /
• pp.63-74
• /
• 1999

In this paper we present a Hangul Encryption Algorithm (HEA) which encrypts composition Hangul syllables into composition Hangul syllables using the non-linear structure of Hangul. Since ciphertexts generated by HEA are displayable characters HEA can be used in applications such as Privacy Enhanced mail (PEM) where ciphertexts should be displayable characters. HEA is based on DES and it can be shown that HEA is as safe as DES against the exhaustive key search differential cryptanalysis and linear cryptanalysis. HEA also has randomness of phonemes of ciphertexts and satisfies plaintext-ciphetext avalanche effect and key-ciphertext avalanche effect.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.121-125
• /
• 2007

Differential cryptanalysis and linear cryptanalysis are the most powerful approaches known for attacking many block ciphers and used to evaluating the security of many block ciphers. So designers have designed secure block ciphers against these cryptanalyses. In this paper, we present new three block cipher structures. And for given r, we prove that differential(linear) probabilities for r-round blockcipher structures are upper bounded by $p^2(q^2),\;2p^2(2q^2)$ if the maximum differential(linear) probability is p(q) and the round function is a bijective function.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.11-18
• /
• 2007

Multiple linear cryptanalysis has been researched as a method building up the linear attack strength. We indicate that the lastest linear attack algorithm using multiple approximations, which was proposed by Biryukov et al. is hardly applicable to block ciphers with highly nonlinear key schedule, and propose a new multiple linear attack algorithm. Simulation of the new attack algorithm with a small block cipher shows that theory for the new multiple linear cryptanalysis works well in practice.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.11 no.3
• /
• pp.45-52
• /
• 2001

In this paper, we examine the method for evaluating the security of SPN structures against differential cryptanalysis and linear cryptanalysis. We present an example of SPN structures in which there is a considerable difference between the differential probabilities and the characteristic probabilities. Then we 7pose an algorithm for estimating the maximum differential probabilities and the maximum linear hull probabilities of SPN structures and an useful method for accelerating the proposed algorithm. By using this method, we obain the maximum differential probabilities and the maximum linear probabilities of round function F of block cipher E2.

• Journal of the Korea Computer Industry Society
• /
• v.5 no.3
• /
• pp.405-414
• /
• 2004

In this paper, we designed a 128-bits block cipher, Circle-g, which has 18-rounds modified Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Circle-g. Because of the strong diffusion effect of the F-function of the algorithm, we could get a 9-rounds DC characteristic with probability 2^{-144} and a 12-rounds LC characteristic with probability 2^{-144}. For the Circle-g with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 12 rounds of the algorithm.

• Journal of the Korea Computer Industry Society
• /
• v.4 no.4
• /
• pp.523-532
• /
• 2003

In this paper, we designed a 128-bit block cipher, Lambda, which has 16-round extended Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Lambda. Because of the strong diffusion effect of the algorithm, we could get a 8-round differential characteristic with probability $2^{-192}$ and a linear characteristic with probability $2^{-128}$. For the Lambda with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 8 rounds of the algorithm.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1379-1392
• /
• 2018

The complexity of the differential-linear cryptanalysis is strongly influenced by the probability of the differential-linear characteristic computed under the assumption of round independence, linear approximation independence, and uniformity for the trail that does not satisfy differential trail. Therefore, computing the exact probability of the differential-linear characteristic is a very important issue related to the validity of the attack. In this paper, we propose a new concept called DLCT(Differential-Linear Connectivity Table) for the differential-linear cryptanalysis. Additionally, we propose an improved probability computation technique of differential-linear characteristic by applying DLCT. By doing so, we were able to weaken linear approximation independence assumption. We reanalyzed the previous results by applying DLCT to DES and SERPENT. The probability of 7-round differential-linear characteristic of DES is $1/2+2^{-5.81}$, the probability of 9-round differential-linear characteristic of SERPENT is computed again to $1/2+2^{-57.9}$, and data complexity required for the attack is reduced by $2^{0.2}$ and $2^{2.2}$ times, respectively.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.1
• /
• pp.280-295
• /
• 2015

Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with the Partial-sum technique and FFT technique. The key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs $2^{123.6}$ known plaintexts (KPs), $2^{121}$ encryptions and $2^{90.3}$ bytes memory, and the attack with FFT technique requires $2^{124.1}$ KPs, $2^{121.5}$ encryptions and $2^{90.3}$ bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with $2^{124.6}$ KPs, $2^{203.5}$ encryptions and $2^{152}$ bytes memory and 7-round ARIA-256 employing FFT technique, requires $2^{124.7}$ KPs, $2^{209.5}$ encryptions and $2^{152}$ bytes memory. Our results are the first zero-correlation linear cryptanalysis results on ARIA.