• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.5
• /
• pp.2660-2679
• /
• 2017

Crypton is a SP-network block cipher that attracts much attention because of its excellent performance on hardware. Based on Crypton, mCrypton is designed as a lightweight block cipher suitable for Internet of Things (IoT) and Radio Frequency Identification (RFID). The security of Crypton and mCrypton under meet-in-the-middle attack is analyzed in this paper. By analyzing the differential properties of cell permutation, several differential characteristics are introduced to construct generalized ${\delta}-sets$. With the usage of a generalized ${\delta}-set$ and differential enumeration technique, a 6-round meet-in-the-middle distinguisher is proposed to give the first meet-in-the-middle attack on 9-round Crypton-192 and some improvements on the cryptanalysis of 10-round Crypton-256 are given. Combined with the properties of nibble permutation and substitution, an improved meet-in-the-middle attack on 8-round mCrypton is proposed and the first complete attack on 9-round mCrypton-96 is proposed.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.2
• /
• pp.727-746
• /
• 2018

The hash function RIPEMD-160 is a worldwide ISO/IEC standard and the hash function HAS-160 is the Korean hash standard and is widely used in Korea. On the basis of differential meet-in-the-middle attack and biclique technique, a preimage attack on 34-step RIPEMD-160 with message padding and a pseudo-preimage attack on 71-step HAS-160 without message padding are proposed. The former is the first preimage attack from the first step, the latter increases the best pseudo-preimage attack from the first step by 5 steps. Furthermore, we locate the linear spaces in another message words and exchange the bicliques construction process and the mask vector search process. A preimage attack on 35-step RIPEMD-160 and a preimage attack on 71-step HAS-160 are presented. Both of the attacks are from the intermediate step and satisfy the message padding. They improve the best preimage attacks from the intermediate step on step-reduced RIPEMD-160 and HAS-160 by 4 and 3 steps respectively. As far as we know, they are the best preimage and pseudo-preimage attacks on step-reduced RIPEMD-160 and HAS-160 respectively in terms of number of steps.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.3
• /
• pp.118-124
• /
• 2004

KASUMI is a 64-bit iterated block cipher with a 128-bit key size and 8 rounds Feistel structure. In this paper, we describe saturation attacks on the five round KASUMI, which requires 10 $\times$$2^{32}$ chosen plaintexts and $2^{115}$ computational complexity We also improve this attack using meet-in-the-middle technique. This attack requires 7$\times$$2^{32}$ chosen plaintexts and $2^{90}$ computational complexity. Futhermore, we attack KASUMI by controlling the value of the fixed part of the key. This attack needs 3$\times$$2^{32}$ chosen plaintexts and $2^{57}$ computational complexity.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.2
• /
• pp.3-9
• /
• 2009

In this paper we introduce a new side-channel attack using block cipher cryptanalysis named meet-in-the middle attack. Using our new side-channel technique we introduce side-channel attacks on AES with reduced masked rounds. That is, we show that AES with reduced 10 masked rounds is vulnerable to side channel attacks based on an existing 4-round function. This shows that one has to mask the entire rounds of the 12-round 192-bit key AES to prevent our attacks. Our results are the first ones to analyze AES with reduced 10 masked rounds.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.5 no.1
• /
• pp.51-61
• /
• 2009

Conventional DES has been not only shown to have a vulnerable drawback to attack method called 'Meet in the Middle', but also to be hard to use that it is because software implementation has a number of problem in real time processing. This paper describes the design and implementation of the expanded DES algorithm using VHDL for resolving the above problems. The main reason for hardware design of an encryption algorithm is to ensure a security against cryptographic attack because there is no physical protection for the algorithm written in software. Total key length of 352 bits is used for the proposed DES. The result of simulation shows that the inputted plaintext in cryptosystem are equal to the outputted that in decryptosystem.

• Journal of Communications and Networks
• /
• v.14 no.1
• /
• pp.10-14
• /
• 2012

When tag privacy is required in radio frequency identification (ID) system, a reader needs to identify, and optionally authenticate, a multitude of tags without revealing their IDs. One approach for identification with lightweight tags is that each tag performs pseudo-random function with his unique embedded key. In this case, a reader (or a back-end server) needs to perform a brute-force search for each tag-reader interaction, whose cost gets larger when the number of tags increases. In this paper, we suggest a simple and efficient identification technique that reduces readers computation to $O$(${\sqrt{N}}$ log$N$) without increasing communication cost. Our technique is based on the well-known "meet-in-the-middle" strategy used in the past to attack symmetric ciphers.

• Journal of information and communication convergence engineering
• /
• v.3 no.1
• /
• pp.5-8
• /
• 2005

Dynamic cipher has the property that the key-size, the number of round, and the plaintext-size are scalable simultaneously. We present the method for designing secure Dynamic cipher against meet-in-the-middle attack and linear cryptanalysis. Also, we show that the differential cryptanalysis to Dynamic cipher is hard. In this paper we propose a new network called Dynamic network for symmetric block ciphers.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.9
• /
• pp.4727-4741
• /
• 2019

The lightweight block cipher Piccolo adopts Generalized Feistel Network structure with 64 bits of block size. Its key supports 80 bits or 128 bits, expressed by Piccolo-80 or Piccolo-128, respectively. In this paper, we exploit the security of reduced version of Piccolo from the first round with the pre-whitening layer, which shows the vulnerability of original Piccolo. As a matter of fact, we first study some linear relations among the round subkeys and the properties of linear layer. Based on them, we evaluate the security of Piccolo-80/128 against the meet-in-the-middle attack. Finally, we attack 13 rounds of Piccolo-80 by applying a 5-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{67.39}$ encryptions and $2^{64.91}$ blocks, respectively. Moreover, we also attack 17 rounds of Piccolo-128 by using a 7-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{126}$ encryptions and $2^{125.49}$ blocks, respectively. Compared with the previous cryptanalytic results, our results are the currently best ones if considering Piccolo from the first round with the pre-whitening layer.

• Proceedings of the IEEK Conference
• /
• 1999.11a
• /
• pp.220-223
• /
• 1999

Conventional double DES has been not only shown to have a vulnerable drawback to attack method called 'Meet-in-the-Middle', but also to be hard to use that it is because software implementation has a number of problem in real time processing. This paper describes the design and implementation of modified Isolated double DES algorithm using VHDL for resolving the above problems. In this approach, we also discuss an efficient method for increasing cipher strength through expansion of key length.

• Proceedings of the IEEK Conference
• /
• 2000.07b
• /
• pp.743-746
• /
• 2000

In this paper we propose a new network called Dynamic network for symmetric block ciphers. Dynamic cipher has the property that the key-size, the number of round, and the plaintext-size are scalable simultaneously We present the method for designing secure Dynamic cipher against meet-in-the-middle attack and linear cryptanalysis. Also, we show that the differential cryptanalysis to Dynamic cipher is hard.