Fluxless (flux-free) soldering technology deals with investigating and developing techniques and methods that can eliminate the use of fluxes in the soldering process. The fluxless feature in soldering processes has become increasingly important and received more attention from industries because there are more and more devices and products that cannot take fluxes in the soldering process. Examples are MEMS devices, sensor devices, biomedical devices, and photonic devices. In addition, in flip-chip soldering processes with a very small gap between chips and substrates, flux residues are hard to clean out or are embedded in the underfills. The residues may reduce the reliability of the resulting flip-chip devices. There are two basic fluxless approaches that have been reported. The first is to use chemicals or RF plasma to convert or to remove the oxide layer that already exists. The existence of the oxide layer is the reason why the flux is needed in nearly all soldering operations. The second approach is to remove the root cause, which is solder oxidation. This is accomplished by producing the solder materials in a non-oxidizing environment, followed immediately by capping the solder with a barrier layer that would prevent oxygen from penetrating into the solder layer. In this paper, we first present the root cause of needing fluxes in the soldering process. The fluxless processes dealing with oxides are summarized. The four fundamental steps of the oxidation prevention approach are reported. A fluxless process based on Sn-rich Sn-Au alloys is described as an example to illustrate the fluxless fundamentals. Results show that strong and nearly void-free joints can indeed be produced using this new technology.
In this paper we propose a notion of related-key rectangle attack using 4 related keys. It is based on two consecutive related-key differentials which are independent of each other. Using this attack we can break SHACAL-1 with 512-bit keys up to 70 rounds out of 80 rounds and AES with 192-bit keys up to 8 rounds out of 12 rounds, which are faster than exhaustive search.
SHACAL-2 is a 256-bit block cipher with various key sizes based on the hash function SHA-2. Recently, it was recommended as one of the NESSIE selections. This paper presents differential-linear type attacks on SHACAL-2 with 512-bit keys up to 32 out of its 64 rounds. Our 32-round attack on the 512-bit key variants is the best published attack on this cipher.
Summary: In 1997, M. Matsui proposed secret-key cryptosystems called MISTY 1 and MISTY 2, which are 8- and 12-round block ciphers with a 64-bit block, and a 128-bit key. They are designed based on the principle of provable security against differential and linear cryptanalysis. In ...
The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block
HMAC is a widely used message authentication code and a pseudorandom function generator based on cryptographic hash functions such as MD5 and SHA-1. It has been standardized by ANSI, IETF, ISO and NIST. HMAC is proved to be secure as long as the compression function of the underlying hash function is a pseudorandom function. In this paper we devise two new distinguishers of the structure of HMAC, called differential and rectangle distinguishers, and use them to discuss the security of HMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. We show how to distinguish HMAC with reduced or full versions of these cryptographic hash functions from a random function or from HMAC with a random function. We also show how to use our differential distinguisher to devise a forgery attack on HMAC. Our distinguishing and forgery attacks can also be mounted on NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1.
SHACAL-1 is a 160-bit block cipher with variable key length of up to 512-bit key based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of the evaluation. In this paper we devise the first known attack on the full 80-round SHACAL-1 faster than exhaustive key search. The related-key differentials used in the attack are based on transformation of the collision-producing differentials of SHA-1 presented by Wang et al.
We observe that when conducting an impossible differential cryptanalysis on Camellia and MISTY1, their round structures allow us to partially determine whether a candidate pair is useful by guessing only a small fraction of the unknown required subkey bits of a relevant round at a time, instead of guessing all of them at once. Taking advantage of the early abort technique, we improve a previous impossible differential attack on 6-round MISTY1 without the FL functions, and present impossible differential cryptanalysis of 11-round Camellia-128 without the FL functions, 13-round Camellia-192 without the FL functions and 14-round Camellia-256 without the FL functions. The presented results are better than any previously published cryptanalytic results on Camellia and MISTY1 without the FL functions.
The rectangle attack and the related-key attack on block ciphers are well-known to be very powerful. In this paper we combine the rectangle attack with the related-key attack. Using this combined attack we can attack the SHACAL-1 cipher with 512-bit keys up to 59 out of its 80 rounds. Our 59-round attack requires a data complexity of $2^{149.72}$ chosen plaintexts and a time complexity of $2^{498.30}$ encryptions, which is faster than exhaustive search.
Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg’s generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and Rijndael structure.
SHACAL is a 160-bit block cipher based on the hash standard SHA-1, as a submission to NESSIE. SHACAL uses the XOR, modular addition operation and the functions of bit-by-bit manner. These operations and functions make the differential cryptanalysis difficult, i.e., it is hard to find a long differential characteristic with high probability. But we can find short differential characteristics with high probabilities. Using this fact, we discuss the security of SHACAL against an amplified boomerang attack. We find a 36-step boomerang-distinguisher and present attacks on reduced-round SHACAL with various key sizes. We can attack 39-step SHACAL with 256-bit key, and 47-step SHACAL with 512-bit key. In addition, we present differential attacks of reduced-round SHACAL with various key sizes.
In this paper, we propose a new block cipher HIGHT with 64-bit block length and 128-bit key length. It provides low-resource hardware implementation, which is proper to ubiquitous computing devices such as a sensor in USN or an RFID tag. HIGHT does not only consist of simple operations to be ultra-light but also has enough security as a good encryption algorithm. Our hardware implementation of HIGHT requires 3048 gates on 0.25 μm technology.
In this paper, we cryptanalyze the compression functions of MD4, MD5 and 4-, 5-pass HAVAL in encryption mode. We exploit the recently proposed related-key rectangle and boomerang techniques to show non-randomness of MD4, MD5 and 4-, 5-pass HAVAL and to distinguish them from a randomly chosen cipher. The attacks are highly practical and have been confirmed by our experiments.
In 1992, Zheng, Pieprzyk and Seberry proposed a one-way hashing algorithm called HAVAL, which compresses a message of arbitrary length into a digest of 128, 160, 192, 224 or 256 bits. It operates in so-called passes where each pass contains 32 steps. The number of passes can be chosen equal to 3, 4 or 5. In this paper, we devise a new differential path of 3-pass HAVAL with probability $2^{-114}$, which allows us to design a second preimage attack on 3-pass HAVAL and partial key recovery attacks on HMAC/NMAC-3-pass HAVAL. Our partial key-recovery attack works with $2^{122}$ oracle queries, $5 \cdot 2^{32}$ memory bytes and $2^{96}$ 3-pass HAVAL computations.
SHACAL-1 is an 80-round block cipher with a 160-bit block size and a key of up to 512 bits. In this paper, we mount rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and also mount differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in a one-key attack scenario.
Cobra-F64a and Cobra-F64b, designed for firmware-oriented applications, are 64-bit Data-dependent Permutation based block ciphers with 128 key bits, which consist of 16 and 20 rounds, respectively. In this paper, we investigate their security against related-key attacks. Our investigation shows that the full 16-round Cobra-F64a can be broken by our related-key rectangle attack and that the full 20-round Cobra-F64b can be broken by our related-key differential attack.
Papers by JongSung Kim