
    Jaechul Sung

    In the security analysis of hash functions, attention has so far been focused only on finding good collision-inducing differential paths. However, it is not clear how the differential paths of a hash function influence the security of schemes built on that hash function. In this paper, we show that any differential path of a hash function can influence the security of schemes based on it. We illustrate this with the MD4 hash function. We first show that APOP-MD4 with a nonce of fixed length can be analyzed efficiently with a new differential path. Then we improve the key-recovery attack on NMAC-MD4 described by Fouque et al. [4] by combining new differential paths. Our results mean that a good hash function should have the following property: it is computationally infeasible to find a differential path of the hash function that holds with high probability.
    We provide simple and unified indifferentiability security analyses of the hash domain extensions choppfMD, chopMD, chopMDP (where the permutation P is XORed with any non-zero constant), chopWPH (the chopped version of the Wide-Pipe Hash proposed in [16]), chopEMD, chopNI, chopCS and chopESh. Even though security analyses of these constructions exist for the case of no bit chopping (i.e., s = 0), there has been no unified way to give their security proofs. All our proofs in this paper follow the technique introduced in [3]. These proofs are simple and easy to follow.
    SMS4 is a 128-bit block cipher with a 128-bit user key and 32 rounds, which is used in WAPI, the Chinese WLAN national standard. In this paper, we present a linear attack and a differential attack on a 22-round reduced SMS4. Our 22-round linear attack has a data complexity of 2^117 known plaintexts, a memory complexity of 2^109 bytes and a time complexity of 2^109.86 22-round SMS4 encryptions and 2^120.39 arithmetic operations, while our 22-round differential attack requires 2^118 chosen plaintexts, 2^123 memory bytes and 2^125.71 22-round SMS4 encryptions. Both of our attacks are better than any previously known cryptanalytic results on SMS4 in terms of the number of attacked rounds. Furthermore, we present boomerang and rectangle attacks on an 18-round reduced SMS4. These results are better than previously known rectangle attacks on reduced SMS4. The methods presented to attack SMS4 can be applied to other unbalanced Feistel ciphers with incomplete diffusion.
    PP-1 is a scalable block cipher that can be implemented on platforms with limited resources. In this paper, we analyze the security of PP-1 using truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1: PP-1/64, PP-1/128, PP-1/192 and PP-1/256. Our attacks apply to the full-round version of each of them. The proposed attacks recover the secret key of PP-1 with a computational complexity lower than exhaustive search. These are the first known cryptanalytic results on PP-1.
    PRINTcipher-48/96 are 48/96-bit block ciphers proposed at CHES 2010 which support 80/160-bit secret keys, respectively. In this paper, we propose related-key cryptanalysis of PRINTcipher. To recover the 80-bit secret key of PRINTcipher-48, our attack requires 2^47 related-key chosen plaintexts with a computational complexity of . In the case of PRINTcipher-96, we require 2^95 related-key chosen plaintexts with a computational complexity of 2^107. These are the first known related-key cryptanalytic results on these ciphers.
    In this paper we show that the full-round Eagle-64 and Eagle-128 are vulnerable to the related-key amplified boomerang attack. The attack on the full-round Eagle-64 requires 2^65 full-round Eagle-64 decryptions with 2^37 related-key chosen ciphertexts, while the attack on the full-round Eagle-128 requires about 2^154.51 full-round Eagle-128 encryptions with 2^94.83 related-key chosen plaintexts. These works are the first known attacks
    SEED is a 128-bit block cipher with a 128-bit secret key. Since it supports only a 128-bit secret key, it is difficult to apply this algorithm in various environments. In this paper, we propose SEED-192/256, which support 192/256-bit secret keys, respectively. We also evaluate the security of these algorithms against well-known attacks and their software performance on PC platforms.
    SHACAL-2 is a 256-bit block cipher with various key sizes based on the hash function SHA-2. Recently, it was recommended as one of the NESSIE selections. Up to now, no security flaws have been found in SHACAL-2. In this paper, we discuss the security of SHACAL-2 against impossible differential attacks. We propose two types of 14-round impossible characteristics and, using them, we attack 30-round SHACAL-2 with a 512-bit key. This attack requires 744 chosen plaintexts and has a time complexity of 2^495.1 30-round SHACAL-2 encryptions.
    CIKS-128 and CIKS-128H are 128-bit block ciphers with 256-bit keys based on data-dependent operations. They are fast hardware-oriented ciphers and improvements of the block cipher CIKS-1 introduced in [14]. This paper presents related-key differential attacks on full-round CIKS-128 and CIKS-128H. Using full-round related-key differential characteristics with probabilities 2^-36 and 2^-35.4, these attacks recover partial subkey bits of CIKS-128 and CIKS-128H with about 2^40 plaintexts each. These results suggest that the greatest possible care has to be taken when proposing improvements of existing block ciphers.
    At ASIACRYPT 2004, Hong et al. introduced the notion of UOWHFs of order r > 0. A UOWHF has order r if it is infeasible for any adversary to win the UOWHF game when the adversary is allowed r adaptive queries to the hash function oracle before outputting its target message. They showed that if a UOWHF has order r, then its MD (Merkle-Damgård) extension of some number of rounds, or its TR (tree) extension of some number of levels, is again a UOWHF. Since the MD and TR extensions require no key material beyond the key of the compression function, their result means that the order of a UOWHF can be used to minimize the total key length. In this paper we study how to construct such UOWHFs of order r. As a first step, we examine the Bellare-Rogaway UOWHF and the Naor-Yung UOWHF. We show that the Bellare-Rogaway UOWHF has order 0 and that the Naor-Yung UOWHF has order 1. We then generalize the construction of the Naor-Yung UOWHF from a one-way permutation to a UOWHF of order r.
    In this paper, we propose a fault injection attack on A5/3 as used in GSM. The attack is based on a fault assumption from earlier work: namely, that we can reduce the number of rounds of the block cipher KASUMI inside A5/3 by injecting faults. With a small number of fault injections, we can recover the session key of A5/3 when it uses a 64-bit session key. This is the first known cryptanalytic result on A5/3.
    In 1993, Preneel, Govaerts and Vandewalle [11] considered 64 block-cipher-based hash functions (the 64 PGV hash functions). In 2002, Black, Rogaway and Shrimpton [3] proved that 20 of the 64 PGV hash functions are collision resistant, assuming that the block cipher is a random block cipher. Also in 2002, Hirose [4] defined the ACPA (Adaptive Chosen Plaintext Attack) model and the ACPCA (Adaptive Chosen Plaintext/Ciphertext Attack) model, and showed that for every PGV hash function there exist block ciphers secure against ACPA such that the PGV hash function built on them is not a OWHF, i.e., does not have preimage resistance and second-preimage resistance. Recently, Lee et al. [6] generalized the definition of a PGV hash function to a hash family and showed that 42 of the 64 PGV hash families are collision resistant. In this paper, we show that for every PGV hash function there exist block ciphers secure against ACPCA such that the PGV hash family built on them is not a OWHF. We also show that for every PGV hash family there exist block ciphers secure against ACPCA such that the PGV hash family built on them is not a UOWHF.
    We propose new double-block-length hash functions. Our approach to constructing collision-resistant double-block-length hash functions is to convert a block cipher E with n-bit block length and 2n-bit key length into a 3-round Feistel cipher E* with 2n-bit block length, and then to embed E* in the PGV compression functions. We prove that the 12 hash functions built from the group-1 PGV compression functions with E* embedded are collision resistant in the ideal cipher model. Furthermore, since our hash functions have hash rate 2/3, they are more efficient than any other existing double-block-length hash functions in terms of the number of block cipher calls required to process a message.
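    The two abstracts above (the PGV OWHF/UOWHF result and the double-block-length construction) both reason about compression functions built from a block cipher E. The following is an added, self-contained illustration written for this page, not code from either paper: it builds three of the group-1 PGV compression functions (Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel) on top of an assumed toy Feistel block cipher with a 64-bit block whose round function is derived from SHA-256, iterates them in Merkle-Damgård style, and shows the textbook Davies-Meyer fixed point h* = D_m(0), a structural property of the cipher that the ideal-cipher collision-resistance proofs say nothing about. The toy cipher, the 64-bit block size and the zero IV are assumptions for illustration only; nothing here is secure.

```python
"""Added example: PGV compression functions over a toy block cipher.
Not code from the papers on this page.  The cipher below is an assumed
8-round Feistel network with a 64-bit block and a 64-bit key; it stands in
for the generic E_k(x) the abstracts reason about and is NOT secure."""
import hashlib

N = 8          # block size in bytes (n = 64 bits; toy size, assumption)
ROUNDS = 8     # Feistel rounds (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to a half block (4 bytes).
    return hashlib.sha256(b"F" + key + bytes([rnd]) + half).digest()[: N // 2]


def encrypt(key: bytes, block: bytes) -> bytes:
    """E_k(x): toy Feistel block cipher with n-bit block and n-bit key."""
    assert len(key) == N and len(block) == N
    left, right = block[: N // 2], block[N // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    """D_k(y): inverse of encrypt (undo the Feistel rounds in reverse)."""
    assert len(key) == N and len(block) == N
    left, right = block[: N // 2], block[N // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


# Three of the twelve group-1 PGV compression functions f(h, m) -> h'.
def davies_meyer(h: bytes, m: bytes) -> bytes:
    return _xor(encrypt(m, h), h)              # E_m(h) xor h


def matyas_meyer_oseas(h: bytes, m: bytes) -> bytes:
    return _xor(encrypt(h, m), m)              # E_h(m) xor m


def miyaguchi_preneel(h: bytes, m: bytes) -> bytes:
    return _xor(_xor(encrypt(h, m), m), h)     # E_h(m) xor m xor h


PGV = {"dm": davies_meyer, "mmo": matyas_meyer_oseas, "mp": miyaguchi_preneel}


def _pad(msg: bytes) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zero fill, then the bit length.
    bit_len = (8 * len(msg)).to_bytes(N, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded)) % N)
    return padded + bit_len


def pgv_hash(scheme: str, msg: bytes, iv: bytes = b"\x00" * N) -> bytes:
    """Iterate the chosen compression function over the padded message."""
    f = PGV[scheme]
    h = iv
    data = _pad(msg)
    for i in range(0, len(data), N):
        h = f(h, data[i:i + N])
    return h


def davies_meyer_fixed_point(m: bytes) -> bytes:
    """Return h* with davies_meyer(h*, m) == h*.

    E_m(h*) xor h* == h* holds iff E_m(h*) == 0, so h* = D_m(0).  This is
    cheap for any message block m: collision resistance in the ideal-cipher
    model does not rule out such structural properties of the cipher."""
    return decrypt(m, b"\x00" * N)


if __name__ == "__main__":
    msg = b"constructed sample message"       # constructed input
    for name in PGV:
        print(name, pgv_hash(name, msg).hex())
    m = b"\x42" * N
    h_star = davies_meyer_fixed_point(m)
    print("DM fixed point holds:", davies_meyer(h_star, m) == h_star)
```

    The fixed point is the reason Merkle-Damgård iteration with Davies-Meyer (as in SHA-2) needs MD strengthening and a length encoding: without them, a block whose chaining value is its own fixed point can be repeated freely without changing the digest.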
    RMAC [6] is a variant of CBC-MAC that resists birthday attacks and gives provably full security. RMAC uses 2k-bit keys and its tag size is 2n, where n is the block size of the underlying block cipher. TMAC [10] is an improved MAC scheme derived from XCBC [4]: it requires (k + n)-bit keys while XCBC requires (k + 2n)-bit keys. In this paper, we introduce a trivial key-recovery attack on RMAC with about 2^n computations, which is more realistic than the attacks in [9]. We also give a new attack on TMAC using about 2^(n/2+1) texts, which recovers the (k + n)-bit key. This attack cannot be applied to XCBC. Furthermore, we analyze the IACBC mode [8], which provides both confidentiality and message integrity.
    DHA-256 (Double Hash Algorithm) is a dedicated hash function with a message block length of 512 bits and an output length of 256 bits. "Double" means that each message word generated by the message expansion algorithm is used twice in a step. Our design goal is to enhance the security of SHA-256. The step function and the message expansion of DHA-256
    In [1], the authors gave notions of security for symmetric encryption and provided a concrete security analysis of the XOR, CTR and CBC schemes. Among the three schemes, the CTR scheme achieves the best concrete security in their analysis. In this paper, we propose two new schemes, CTR-OFB and CTR-CFB, which have the same security as that of
    CBC-MAC, which is well suited to wireless sensor networks, is one of the most popular MAC algorithms among the many existing methods for building MACs, and many variants have been introduced to improve its security. In this paper, we propose fault attacks on CBC-MAC and its variants when instantiated with AES-128. Our attacks recover the secret keys of CBC-MAC and each of its variants with only a small number of fault injections. These are the first known side-channel attack results on them.
    The hash function FORK-256 was published at the first NIST hash workshop and at FSE 2006. It consists of simple operations, so its performance is better than that of SHA-256. However, recent papers have shown some weaknesses of FORK-256. In this paper, we propose a newly modified FORK-256 which has no micro-collisions and is therefore resistant to the existing attacks. Furthermore, it is faster than the original.
    DDO-64 is a 64-bit Feistel-like block cipher based on data-dependent operations (DDOs). It has 8 rounds and uses a 128-bit key. There are two versions of DDO-64, named DDO-64V1 and DDO-64V2, differing in their key schedules. They were designed in an attempt to improve the security and performance of DDP-based ciphers. In this paper, however, we show that, like most existing DDP-based ciphers, DDO-64V1 and DDO-64V2 are vulnerable to related-key attacks. The attack on DDO-64V1 requires 2^35.5 related-key chosen plaintexts and 2^63.5 encryptions, while the attack on DDO-64V2 needs only 8 related-key chosen plaintexts and 2^31 encryptions. Both attacks stem mainly from the ciphers' simple key schedules and structural weaknesses. These are the first known cryptanalytic results on DDO-64V1 and DDO-64V2.
    It has normally been believed that, unlike secret keys, the initial values (IVs) of cryptographic schemes need not be kept secret. However, we show that multiple modes of operation of block ciphers can lose security depending on how their initial values are handled. We consider several attacks according to the attacker's access to the initial values: the known-IV attack, the known-in-advance-IV attack and the replayed-and-known-IV attack. Our attacks on cascaded three-key triple modes of operation require 3 to 7 blocks of plaintext (or ciphertext) and 3·2^56 to 9·2^56 encryptions. We also give attacks on the multiple modes proposed by Biham.
