International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Seokhie Hong

Publications

Year
Venue
Title
2024
TOSC
Improved Quantum Rebound Attacks on Double Block Length Hashing with Round-Reduced AES-256 and ARIA-256
Dongjae Lee Seokhie Hong
At EUROCRYPT 2020, Hosoyamada and Sasaki proposed the first dedicated quantum collision attacks on hash functions. Their proposal presented a quantum adaptation of the rebound attack and revealed that differential trails, which have too low probability for use in classical settings, might be exploitable in quantum settings. After their work, subsequent research has actively delved into analyzing the security of hash functions in the quantum setting.In this paper, we revisit the quantum rebound attacks on the double block hash function Hirose instantiated with 10-round AES-256 (HCF-AES-256) and 7-round ARIA-256 (HCF-ARIA-256) proposed by Chauhan et al. and Baek et al., respectively. Initially, we identify the flaws in their work and reevaluate the complexity of the attacks. We reveal that the flaws stem from not considering the issue that the S-box differential equation has one solution on average. Earlier research addressed this problem by adding auxiliary bits to the search space. If this method is used to correct the flaws, the resulting time complexities are 217.36 and 220.94 times higher than their proposals. Consequently, in some settings, their attacks become less efficient than generic attacks.Subsequently, we propose improved quantum rebound attacks using nested quantum amplitude amplification and quantum state preparation. Our improved attack efficiently pre-filters the search space, leading to a reduction in overall time complexity. We first classically reduce the search space and employ quantum state preparation to generate a superposition state over the pre-filtered search space. We then use nested quantum amplitude amplification to further reduce the search space quantumly. As a result, we achieve a reduction in the time complexity of the quantum rebound attacks on HCF-AES-256 and HCF-ARIA-256 by factors of 211.2 and 219.5, respectively, making the attacks more efficient than generic attacks again.
2022
TOSC
Accelerating the Best Trail Search on AES-Like Ciphers
In this study, we accelerate Matsui’s search algorithm to search for the best differential and linear trails of AES-like ciphers. Our acceleration points are twofold. The first exploits the structure and branch number of an AES-like round function to apply strict pruning conditions to Matsui’s search algorithm. The second employs permutation characteristics in trail search to reduce the inputs that need to be analyzed. We demonstrate the optimization of the search algorithm by obtaining the best differential and linear trails of existing block ciphers: AES, LED, MIDORI-64, CRAFT, SKINNY, PRESENT, and GIFT. In particular, our search program finds the fullround best differential and linear trails of GIFT-64 (in approx. 1 s and 10 s) and GIFT-128 (in approx. 89 h and 452 h), respectively.For a more in-depth application, we leverage the acceleration to investigate the optimal DC/LC resistance that GIFT-variants, called BOGI-based ciphers, can achieve. To this end, we identify all the BOGI-based ciphers and reduce them into 41,472 representatives. Deriving 16-, 32-, 64-, and 128-bit BOGI-based ciphers from the representatives, we obtain their best trails until 15, 15, 13, and 11 rounds, respectively. The investigation shows that 12 rounds are the minimum threshold for a 64-bit BOGIbased cipher to prevent efficient trails for DC/LC, whereas GIFT-64 requires 14 rounds. Moreover, it is shown that GIFT can provide better resistance by only replacing the existing bit permutation. Specifically, the bit permutation variants of GIFT-64 and GIFT-128 require fewer rounds, one and two, respectively, to prevent efficient differential and linear trails.
2021
TCHES
Novel Key Recovery Attack on Secure ECDSA Implementation by Exploiting Collisions between Unknown Entries 📺
In this paper, we propose a novel key recovery attack against secure ECDSA signature generation employing regular table-based scalar multiplication. Our attack exploits novel leakage, denoted by collision information, which can be constructed by iteratively determining whether two entries loaded from the table are the same or not through side-channel collision analysis. Without knowing the actual value of the table entries, an adversary can recover the private key of ECDSA by finding the condition for which several nonces are linearly dependent by exploiting only the collision information. We show that this condition can be satisfied practically with a reasonable number of digital signatures and corresponding traces. Furthermore, we also show that all entries in the pre-computation table can be recovered using the recovered private key and a sufficient number of digital signatures based on the collision information. As case studies, we find that fixed-base comb and T_SM scalar multiplication are vulnerable to our attack. Finally, we verify that our attack is a real threat by conducting an experiment with power consumption traces acquired during T_SM scalar multiplication operations on an ARM Cortex-M based microcontroller. We also provide the details for validation process.
2019
ASIACRYPT
Optimized Method for Computing Odd-Degree Isogenies on Edwards Curves
In this paper, we present an efficient method to compute arbitrary odd-degree isogenies on Edwards curves. By using the w-coordinate, we optimized the isogeny formula on Edwards curves by Moody and Shumow. We demonstrate that Edwards curves have an additional benefit when recovering the coefficient of the image curve during isogeny computation. For $$\ell $$-degree isogeny where $$\ell =2s+1$$, our isogeny formula on Edwards curves outperforms Montgomery curves when $$s \ge 2$$. To better represent the performance improvements when w-coordinate is used, we implement CSIDH using our isogeny formula. Our implementation is about 20% faster than the previous implementation. The result of our work opens the door for the usage of Edwards curves in isogeny-based cryptography, especially for CSIDH which requires higher degree isogenies.
2011
CHES
2010
FSE
2008
FSE
2007
FSE
2006
CHES
2006
FSE
2006
JOFC
2005
FSE
2004
FSE
2002
ASIACRYPT
2001
ASIACRYPT
2000
ASIACRYPT
2000
FSE

Program Committees

Asiacrypt 2019
FSE 2010 (Program chair)
FSE 2007