Differential attack on nine rounds of the SEED block cipher

https://doi.org/10.1016/j.ipl.2013.11.004

Highlights

  • The SEED block cipher is an ISO international standard.

  • We describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED.

  • We present a differential cryptanalysis attack on 9-round SEED.

  • Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds.

  • Our result suggests that the safety margin of SEED decreases below half of the number of rounds.

Abstract

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of $2^{69.71}$ bytes, and has a time complexity of $2^{126.36}$ encryptions with a success probability of 99.9% when using $2^{125}$ chosen plaintexts, or a time complexity of $2^{125.36}$ encryptions with a success probability of 97.8% when using $2^{124}$ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.

Introduction

The SEED [9] block cipher was designed by a group of Korean cryptographers in 1998. It has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. SEED became a Korean national industrial association standard [16] in 1999, and was adopted as an ISO international standard [8] in 2005. SEED is currently used in practice, mostly by banks and companies in Korea, to protect the privacy of the users and the transaction data in security applications like e-commerce and financial services [18]. In addition, it was included in PKCS #11, the Cryptographic Token Interface Standard [13], and was proposed by IETF [3] for Cryptographic Message Syntax (CMS) [4], Transport Layer Security (TLS) [5], Secure Real-time Transport Protocol (SRTP) [7] and IPsec [6]. The Mozilla Firefox web browser also supports the SEED algorithm now [11].

The SEED designers first analysed the security of SEED against differential cryptanalysis [1] as well as certain other cryptanalytic techniques, and they indicated that a 6-round differential characteristic of SEED would have a probability of at least $2^{-130}$, meaning that there would not exist any effective 6-round differential characteristic for SEED. However, in 2002 Yanami and Shimoyama [17] presented three 6-round differential characteristics with probability $2^{-124}$, and finally used them to conduct a differential attack on 7-round SEED (faster than exhaustive key search). In 2011, Sung [15] described a 7-round differential with probability $2^{-122}$ for SEED, by summing the probabilities of many 7-round differential characteristics with the same input and output differences, and finally gave a differential attack on 8-round SEED; Sung also described a 7-round differential with probability $2^{-124}$ of SEED. Sung's attack on 8-round SEED is the best previously published cryptanalytic result on the SEED cipher algorithm in terms of the numbers of attacked rounds.

In this letter, we further investigate the security of SEED against differential cryptanalysis. We find that there exist two 7-round differentials with a probability trivially larger than that of Sung's best 7-round differential, plus seventeen 7-round differentials with a probability trivially larger than that of Sung's second best 7-round differential. More importantly, we devise a differential attack on 9-round SEED, which requires a memory of $2^{69.71}$ bytes and has a time complexity of $2^{126.36}$ encryptions with a success probability of 99.9% when using $2^{125}$ chosen plaintexts, or a time complexity of $2^{125.36}$ encryptions with a success probability of 97.8% when using $2^{124}$ chosen plaintexts. This is the first published cryptanalytic attack on 9-round SEED, and it suggests that the safety margin of SEED decreases below half of the number of rounds. Table 1 summarises both previous and our main cryptanalytic results on SEED.

The remainder of this letter is organised as follows. In the next section, we give the notation and describe the SEED block cipher. In Section 3, we describe the 7-round differentials of SEED. In Section 4, we present our differential attack on 9-round SEED. Section 5 concludes the letter.

Section snippets

Preliminaries

In this section we give the notation used throughout this letter, and then briefly describe the SEED block cipher.

Seven-round differentials of SEED

In this section, we first describe the 7-round differentials owing to Sung [15], and then present two 7-round differentials with a probability trivially larger than that of Sung's best 7-round differential, and seventeen 7-round differentials with a probability trivially larger than that of Sung's second best 7-round differential.

Differential attack on 9-round SEED

In this section we devise a differential attack on 9-round SEED, building it on the best 7-round differential with $\alpha = \texttt{0x80808000}$, $\beta = \texttt{0x83808000}$, $X = \texttt{0x84808000}$ (that has a probability of $2^{-121.07}$) we have described in Section 3.2. Thus, $\hat{X} = X \oplus \texttt{0x80000000} = \texttt{0x04808000}$. The attack consists of an offline precomputation phase and an online attack phase, and without loss of generality we assume the attacked rounds are the first 9 rounds of SEED, that is to say, from Rounds 1 to 9. It is noteworthy that

Conclusions

SEED is a 128-bit block cipher with a 128-bit user key and a total of 16 rounds, which is an ISO international standard. In this letter, we have described some 7-round differentials that have a trivially larger probability than the previously known ones on SEED, and have presented a differential attack on 9-round SEED. The presented attack is theoretical, and it does not threaten the security of the full SEED cipher; but nevertheless, from a cryptanalytic view it suggests that the safety margin

References (18)

  • J. Sung, Differential cryptanalysis of eight-round SEED, Inf. Process. Lett. (2011)
  • E. Biham et al., Differential cryptanalysis of DES-like cryptosystems, J. Cryptol. (1991)
  • E. Biham et al., Differential cryptanalysis of the full 16-round DES
  • Internet Engineering Task Force (IETF)
  • Internet Engineering Task Force (IETF), Use of the SEED encryption algorithm in cryptographic message syntax (CMS), RFC...
  • Internet Engineering Task Force (IETF), Addition of SEED cipher suites to transport layer security (TLS), RFC 4162,...
  • Internet Engineering Task Force (IETF), The SEED cipher algorithm and its use with IPSec, RFC 4196,...
  • Internet Engineering Task Force (IETF), The SEED cipher algorithm and its use with the secure real-time transport...
  • International Organization for Standardization (ISO), International Standard – ISO/IEC 18033-3, Information technology...
There are more references available in the full text version of this article.

1 The author was with Institute for Infocomm Research (Singapore) when the work was completed.
