Differential attack on nine rounds of the SEED block cipher
Introduction
The SEED [9] block cipher was designed by a group of Korean cryptographers in 1998. It has a 128-bit block length, a 128-bit user key and a total of 16 rounds. SEED became a Korean national industrial association standard [16] in 1999, and was adopted as an ISO international standard [8] in 2005. SEED is used in practice, mostly by banks and companies in Korea, to protect the privacy of users and transaction data in security applications such as e-commerce and financial services [18]. It was also included in the PKCS #11 Cryptographic Token Interface Standard [13], and was proposed by the IETF [3] for Cryptographic Message Syntax (CMS) [4], Transport Layer Security (TLS) [5], Secure Real-time Transport Protocol (SRTP) [7] and IPsec [6]. The Mozilla Firefox web browser now supports the SEED algorithm as well [11].
The SEED designers first analysed the security of SEED against differential cryptanalysis [1] as well as certain other cryptanalytic techniques, and they indicated that a 6-round differential characteristic of SEED would have a probability of at least , meaning that there would not exist any effective 6-round differential characteristic for SEED. However, in 2002 Yanami and Shimoyama [17] presented three 6-round differential characteristics with probability , and used them to mount a differential attack on 7-round SEED (faster than exhaustive key search). In 2011, Sung [15] described a 7-round differential with probability for SEED, by summing the probabilities of many 7-round differential characteristics with the same input and output differences, and gave a differential attack on 8-round SEED; Sung also described a 7-round differential with probability of SEED. Sung's attack on 8-round SEED is the best previously published cryptanalytic result on the SEED cipher algorithm in terms of the number of attacked rounds.
In this letter, we further investigate the security of SEED against differential cryptanalysis. We find there exist two 7-round differentials with a probability of trivially larger than the probability of Sung's best 7-round differential, plus seventeen 7-round differentials with a probability of trivially larger than the probability of Sung's second best 7-round differential. More importantly, we devise a differential attack on 9-round SEED, which requires a memory of $2^{69.71}$ bytes and has a time complexity of $2^{126.36}$ encryptions with a success probability of 99.9% when using $2^{125}$ chosen plaintexts, or a time complexity of $2^{125.36}$ encryptions with a success probability of 97.8% when using $2^{124}$ chosen plaintexts. This is the first published cryptanalytic attack on 9-round SEED, and it suggests that the safety margin of SEED decreases below half of the number of rounds. Table 1 summarises both previous and our main cryptanalytic results on SEED.
The remainder of this letter is organised as follows. In the next section, we give the notation and describe the SEED block cipher. In Section 3, we describe the 7-round differentials of SEED. In Section 4, we present our differential attack on 9-round SEED. Section 5 concludes the letter.
Preliminaries
In this section we give the notation used throughout this letter, and then briefly describe the SEED block cipher.
Seven-round differentials of SEED
In this section, we first describe the 7-round differentials owing to Sung [15], and then present two 7-round differentials with a probability of trivially larger than Sung's best 7-round differential, and seventeen 7-round differentials with a probability of trivially larger than Sung's second best 7-round differential.
Differential attack on 9-round SEED
In this section we devise a differential attack on 9-round SEED, building it on the best 7-round differential with , , (that has a probability of ) we have described in Section 3.2. Thus, . The attack consists of an offline precomputation phase and an online attack phase, and without loss of generality we assume the attacked rounds are the first 9 rounds of SEED, that is to say, from Rounds 1 to 9. It is noteworthy that
Conclusions
SEED is a 128-bit block cipher with a 128-bit user key and a total of 16 rounds, which is an ISO international standard. In this letter, we have described some 7-round differentials that have a trivially larger probability than the previously known ones on SEED, and have presented a differential attack on 9-round SEED. The presented attack is theoretical, and it does not threaten the security of the full SEED cipher; but nevertheless, from a cryptanalytic view it suggests that the safety margin
References (18)
- Differential cryptanalysis of eight-round SEED, Inf. Process. Lett. (2011)
- et al., Differential cryptanalysis of DES-like cryptosystems, J. Cryptol. (1991)
- et al., Differential cryptanalysis of the full 16-round DES
- Internet Engineering Task Force (IETF), Use of the SEED encryption algorithm in cryptographic message syntax (CMS), RFC...
- Internet Engineering Task Force (IETF), Addition of SEED cipher suites to transport layer security (TLS), RFC 4162,...
- Internet Engineering Task Force (IETF), The SEED cipher algorithm and its use with IPSec, RFC 4196,...
- Internet Engineering Task Force (IETF), The SEED cipher algorithm and its use with the secure real-time transport...
- International Organization for Standardization (ISO), International Standard – ISO/IEC 18033-3, Information technology...
1 The author was with Institute for Infocomm Research (Singapore) when the work was completed.