In SAC'08, an improved fast correlation attack on stream ciphers was proposed. This attack is based on the fast correlation attack proposed at Crypto'00 and combined with the fast Walsh transform. However, we found that the attack results are wrong. In this paper, we correct the results of the attack algorithm by analyzing it theoretically. We also propose a threshold for the valid bias.
In the security analysis of hash functions, attention has focused only on finding good collision-inducing differential paths. However, it is not clear how the differential paths of a hash function influence the security of schemes based on that hash function. In this paper, we show that any differential path of a hash function can influence the security of schemes based on the hash function. We explain this fact with the MD4 hash function. We first show that APOP-MD4 with a nonce of fixed length can be analyzed efficiently with a new differential path. Then we improve the result of the key-recovery attack on NMAC-MD4 described by Fouque {\em et al.} \cite{FoLeNg07} by combining new differential paths. Our results mean that good hash functions should have the following property: \textit{It is computationally infeasible to find a differential path of the hash function with a high probability}.
SMS4 is a 128-bit block cipher with a 128-bit user key and 32 rounds, which is used in WAPI, the Chinese WLAN national standard. In this paper, we present a linear attack and a differential attack on a 22-round reduced SMS4; our 22-round linear attack has a data complexity of 2^{117} known plaintexts, a memory complexity of 2^{109} bytes and a time complexity of 2^{109.86} 22-round SMS4 encryptions and 2^{120.39} arithmetic operations, while our 22-round differential attack requires 2^{118} chosen plaintexts, 2^{123} memory bytes and 2^{125.71} 22-round SMS4 encryptions. Both of our attacks are better than any previously known cryptanalytic results on SMS4 in terms of the number of attacked rounds. Furthermore, we present boomerang and rectangle attacks on an 18-round reduced SMS4. These results are better than previously known rectangle attacks on reduced SMS4. The methods presented to attack SMS4 can be applied to other unbalanced Feistel ciphers with incomplete diffusion.
We provide simple and unified indifferentiable security analyses of the choppfMD, chopMD, chopMDP (where the permutation $P$ is xored with any non-zero constant), chopWPH (the chopped version of the Wide-Pipe Hash proposed in \cite{Lucks05}), chopEMD, chopNI, chopCS and chopESh hash domain extensions. Even though there are security analyses of them in the case of no-bit chopping (i.e., $s=0$), there is no unified way to give security proofs. All our proofs in this paper follow the technique introduced in \cite{BeDaPeAs08}. These proofs are simple and easy to follow.
We propose a new hash domain extension, \textit{the prefix-free-Counter-Masking-MD (pfCM-MD)}. Among the security notions for hash functions, we focus on the indifferentiability notion, by which we can check whether the structure of a given hash function has any weakness. Next, we consider the security of HMAC, two new PRF constructions, the NIST SP 800-56A key derivation function, and the randomized hashing of NIST SP 800-106, where all of them are based on the pfCM-MD. In particular, due to the counter of the pfCM-MD, the pfCM-MD is secure against all generic second-preimage attacks such as the Kelsey-Schneier attack \cite{KeSc05} and the attack of Elena {\em et al.} \cite{AnBoFoHoKeShZi08}. Our proof technique and most of our notation follow those in \cite{BeDaPeAs08,Bellare06,BeCaKr96a}.
The hash function FORK-256 was published at the first NIST hash workshop and at FSE 2006. It consists of simple operations, so its performance is better than that of SHA-256. However, recent papers show some weaknesses of FORK-256. In this paper, we propose a newly modified FORK-256 which has no microcollisions and so is resistant against the existing attacks. Furthermore, it is faster than the old one.
In this paper, we introduce new hash function design principles with variable output lengths (multiples of $n$). They are based on a function or a block cipher with output size $n$. In the random oracle model, the construction has optimal collision resistance: $\Theta(2^{(t+1)n/2})$ queries are required to find $(t+1)n$-bit hash output collisions, where $t$ is any positive integer. Similarly, in the ideal cipher model, $\Theta(2^{(t+1)n/2})$ queries are required to find $(t+1)n$-bit hash output collisions.
