Seokhie Hong

Korea University, Sŏul, Seoul, South Korea


Publications (94) · 10.42 Total impact

  • ABSTRACT: This article proposes a new message blinding method requiring no multiplicative inversion for RSA. Most existing message blinding methods for RSA additionally require a multiplicative inversion, even though the computational complexity of this operation is O(n^3), which is equal to that of the exponentiation. Thus, this additional operation is known to be the main drawback of the existing message blinding methods for RSA. In addition to requiring no additional multiplicative inversion, our new countermeasure provides security against various power analysis attacks as well as general differential power analysis.
    ACM Transactions on Embedded Computing Systems (TECS). 02/2014; 13(4).
  • Young In Cho, Nam Su Chang, Seokhie Hong
    ABSTRACT: Evaluation of cube roots in characteristic three finite fields is required for Tate (or modified Tate) pairing computation. The Hamming weight of x^{1/3} means the number of nonzero coefficients in the polynomial representation of x^{1/3} in F_{3^m} = F_3[x]/(f), where f ∈ F_3[x] is an irreducible polynomial. The Hamming weight of x^{1/3} determines the efficiency of cube root computation for characteristic three finite fields. Ahmadi et al. determined the Hamming weight of x^{1/3} [4]. In this paper, we observe that the shifted polynomial basis (SPB), a variation of the polynomial basis, can reduce the Hamming weights of x^{1/3} and x^{2/3}. Moreover, we provide a suitable SPB that eliminates the modular reduction process in cube root computation.
    Information Processing Letters 01/2014; · 0.49 Impact Factor
  • ABSTRACT: PRESENT is a hardware-optimized 64-bit lightweight block cipher which supports 80- and 128-bit secret keys. In this paper, we propose a differential fault analysis (DFA) on PRESENT-80/128. The proposed attack is based on a 2-byte random fault model. In detail, by inducing several 2-byte random faults in the input registers after 28 rounds, our attack recovers the secret key of the target algorithm. From simulation results, our attacks on PRESENT-80/128 can recover the secret key by inducing only two and three 2-byte random faults, respectively. These are superior to the known DFA results on them.
    International Journal of Computer Mathematics. 12/2013; 90(12):2553-2563.
  • ABSTRACT: PP-1 is a scalable block cipher which can be implemented on a platform with limited resources. In this paper, we analyze the security of PP-1 by using truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1: PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Our attack is applicable to the full-round version of each of them. The proposed attacks can recover a secret key of PP-1 with computational complexity lower than that of exhaustive search. These are the first known cryptanalytic results on PP-1.
    International Journal of Distributed Sensor Networks 10/2013; 2013. · 0.73 Impact Factor
  • ABSTRACT: In Choukri and Tunstall (2005), the authors showed that if the number of rounds in AES is decreased by injecting faults, it is possible to recover the secret key. In this paper, we propose fault injection attacks on HMAC/NMAC by applying the main idea of their attack. These attacks are applicable to HMAC/NMAC based on the MD-family hash functions and can recover the secret key with negligible computational complexity. In particular, these results on HMAC/NMAC-SHA-2 are the first known key recovery attacks so far.
    Journal of Applied Mathematics 09/2013; 2013. · 0.83 Impact Factor
  • Sung-Kyoung Kim, Tae Hyun Kim, Seokhie Hong
    ABSTRACT: The Fiat-Shamir identification scheme is popular for "light" consumer devices, such as smart cards, in a wide range of consumer services. However, it can be vulnerable to fault attacks, even though the cryptographic algorithm is theoretically secure. Thus, a study on cryptanalysis and countermeasures to fault attacks is crucial. This article proposes a secure and practical modification of the Fiat-Shamir identification scheme resistant against fault attacks. A straightforward protection is to check the integrity of the intermediate values and outputs at each step. However, this approach may be a bottleneck of the entire scheme, and is attained at the expense of an increased computational overhead similar to the overhead of the identification scheme itself. The proposed scheme is designed to propagate faults induced in a target variable to other parts without conditional branches. Therefore, a relatively small overhead enables implementation of the proposed scheme in small cryptographic devices such as smart cards.
    ACM Transactions on Embedded Computing Systems (TECS). 03/2013; 12(1s).
  • HeeSeok Kim, Hark-Soo Park, Seokhie Hong
    ABSTRACT: This paper introduces a new collision attack on first-order masked AES. This attack is a known plaintext attack, while the existing collision attacks are chosen plaintext attacks. In addition, our method is more efficient than second-order power analysis and requires about 1/2^7.5 as many power measurements as the latest collision attack. Some experimental results in this paper support this fact. In this paper, we also introduce a simple countermeasure, which can protect against our attack.
    KIPS Transactions on Computer and Communication Systems. 01/2013; 2(9).
  • ABSTRACT: Koç and Sunar proposed an architecture of the Mastrovito multiplier for the irreducible trinomial f(x) = x^n + x^k + 1, where k ≠ n/2, to reduce the time complexity. Also, many multipliers based on the Karatsuba-Ofman algorithm (KOA) were proposed that sacrificed time efficiency for low space complexity. In this paper, a new multiplication formula which is a variant of KOA is presented. We also provide a straightforward architecture of a non-pipelined bit-parallel multiplier using the new formula. The proposed multiplier has lower space complexity than, and comparable time complexity to, previous Mastrovito multipliers for all irreducible trinomials.
    IEEE Transactions on Very Large Scale Integration (VLSI) Systems. 10/2012; 20(10):1903-1908.
  • ABSTRACT: SEED is a Korean standard block cipher, and it was chosen as a 128-bit ISO/IEC standard block cipher together with AES and Camellia. In this paper, we propose a differential fault analysis on SEED on the basis of a bit-oriented fault model. Our fault model on SEED-128 is more flexible than the previous fault model on SEED-128, and our attack results on SEED-192/256 are the first known cryptanalytic results. From the simulation results, our attack on SEED-128 can recover a 128-bit secret key within a few seconds by inducing four faults. However, the computational complexities of our attack on SEED-192/256 are impractical.
    Mathematical and Computer Modelling. 01/2012; 55:26-34.
  • ABSTRACT: We assume that the domain extender is the Merkle-Damgård (MD) scheme and the message is padded by a '1' and the minimum number of '0's, followed by fixed-size length information, so that the length of the padded message is a multiple of the block length. Under this assumption, we analyze the security of the hash mode when the compression function follows the Davies-Meyer (DM) scheme and the underlying block cipher is one of the plain Feistel or Misty schemes or the generalized Feistel or Misty schemes with a Substitution-Permutation (SP) round function. We do this work based on Meet-in-the-Middle (MitM) preimage attack techniques, and develop several useful initial structures.
    IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences 01/2012; E95.A(8):1379-1389. · 0.24 Impact Factor
  • ABSTRACT: In 2004, we introduced the related-key boomerang/rectangle attacks, which allow us to enjoy the benefits of the boomerang attack and the related-key technique simultaneously. The new attacks have been used since then to attack numerous block ciphers. While the claimed applications are significant, most of them have a major drawback: their validity cannot be verified experimentally due to their high complexity. Together with the lack of rigorous justification of the probabilistic assumptions underlying the technique, this led Murphy to claim that attacks using the related-key boomerang/rectangle technique are not legitimate. This paper contains two contributions. The first is a rigorous analysis of the related-key boomerang/rectangle attacks, including devising provably optimal distinguishers and computing their success rate, and discussing the underlying independence assumptions. The second contribution is an extensive experimental verification of the related-key boomerang attack against the GSM block cipher, KASUMI. Our experiments reveal that the success probability of the distinguisher, when averaged over different choices of the keys, is close to the theoretical prediction. However, the exact probability depends on the key, such that for some portion of the keys the distinguisher holds with a higher probability than expected, while for the rest of the keys the distinguisher fails completely.
    IEEE Transactions on Information Theory 01/2012; 58(7):4948-4966. · 2.62 Impact Factor
  • Yuseop Lee, Jongsung Kim, Seokhie Hong
    ABSTRACT: At CHES 2007, Biryukov and Khovratovich introduced the concept of side-channel attacks based on impossible collisions, and applied it to AES with reduced masked rounds. In this paper, we propose side-channel attacks on HIGHT (HIGh security and light weigHT) with the first 11, 12 and 13 rounds masked, using impossible collisions. Our best attacks on HIGHT with the first 11, 12 and 13 reduced masked rounds need 2^17, 2^32 and 2^40 chosen plaintexts and 2^23.6, 2^56.6 and 2^80.6 curve comparisons, respectively. They are the first known side-channel attacks on HIGHT with reduced masked rounds.
    Multimedia Tools and Applications 01/2012; 56:267-280. · 1.01 Impact Factor
  • HeeSeok Kim, Seokhie Hong, Jongin Lim
    ABSTRACT: This paper proposes an efficient and secure higher-order masking algorithm for the AES S-box, which consumes most of the computation time of higher-order masked AES. During the past few years, much of the research has focused on finding higher-order masking schemes for this AES S-box, but these are still slow for embedded processor use. Our proposed higher-order masking of the AES S-box is constructed based on the inversion operation over the composite field. We replace the subfield operations over the composite field with table lookup operations, but these precomputation tables do not require much ROM space because they are operations over GF(2^4). In the implementation results, we show that the higher-order masking scheme using our masked S-box is about 2.54 (second-order masking) and 3.03 (third-order masking) times faster than the fastest method among the existing higher-order masking schemes of AES.
    Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings; 01/2011
  • ABSTRACT: RSA digital signatures based on the Chinese Remainder Theorem (CRT) are subject to power and fault attacks. In particular, modular exponentiation and CRT recombination are prone to both attacks. However, earlier countermeasures are susceptible to advanced and sophisticated attacks. In this paper, we investigate state-of-the-art countermeasures against power and fault attacks from the viewpoint of security and efficiency. Then, we show possible vulnerabilities to fault attacks. Finally, we propose new modular exponentiation and CRT recombination algorithms secure against all known power and fault attacks. Our proposal improves efficiency by replacing arithmetic operations with logical ones to check errors in the CRT recombination step. In addition, since our CRT-RSA algorithm does not require knowledge of the public exponent, it guarantees a more versatile implementation.
    Journal of Systems and Software. 01/2011; 84:1660-1669.
  • ABSTRACT: As Graphics Processing Units (GPUs) are increasingly being used for general-purpose computing, research on applying GPUs to processing large numbers of crypto operations has been conducted. In this paper, we present an efficient implementation of the Korean Certificate-based Digital Signature Algorithm (KCDSA) on a GPU using the CUDA platform. Using a modern GTX285, a throughput of up to 10,600 signings per second can be reached. The proposed software achieves a 25-fold improvement on the GTX285 compared with KCDSA software on the CPU side. Our software can be used as a crypto accelerator for cloud computing and distributed server computing environments which have to process a large number of crypto operations in a short time period.
    5th FTRA International Conference on Multimedia and Ubiquitous Engineering, MUE 2011, Crete, Greece, 28-30 June, 2011; 01/2011
  • HeeSeok Kim, Dong-Guk Han, Seokhie Hong
    ABSTRACT: Zhang's three countermeasures are known to be secure against certain first-order side channel attacks such as differential power analysis and correlation power analysis. This security comes from the countermeasures' use of random points to blind the message and random integers to blind the secret scalar. In this paper, we propose first-order side channel attack methods that can perfectly break these three countermeasures. Even though Zhang's countermeasures use random points and random integers, our attacks are made possible by the fact that intermediate values computed by these countermeasures depend on specific values that we can guess. The experimental results verify that the proposed attack methods can successfully break the existing countermeasures.
    Inf. Sci. 01/2011; 181:4051-4060.
  • ABSTRACT: In this paper, we propose a fault injection attack on A5/3 used in GSM. This attack is based on the fault assumption in. That is, it is assumed that we can decrease the number of rounds in the block cipher KASUMI of A5/3 by injecting some faults. With a small number of fault injections, we can recover the session key of A5/3 supporting a 64-bit session key. This is the first known cryptanalytic result on A5/3 so far.
    IEEE International Symposium on Parallel and Distributed Processing with Applications, ISPA 2011, Busan, Korea, 26-28 May, 2011; 01/2011
  • ABSTRACT: Recently, power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary-with-random-initial-point algorithm on elliptic curve cryptosystems. It is known to be secure against first-order differential power analysis (DPA); however, it is susceptible to second-order DPA. Although second-order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second-order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.
    Etri Journal 01/2010; 32(3). · 0.74 Impact Factor
  • ABSTRACT: In SAC'08, an improved fast correlation attack on stream ciphers was proposed. This attack is based on the fast correlation attack proposed at Crypto'00 and combined with the fast Walsh transform. However, we found that the attack results are wrong. In this paper, we correct the results of the attack algorithm by analyzing it theoretically. Also we propose a threshold of the valid bias.
    IACR Cryptology ePrint Archive. 01/2010; 2010:21.
  • Jongsung Kim, Seokhie Hong
    ABSTRACT: In this paper, we introduce a new side-channel attack using the block cipher cryptanalysis technique named the meet-in-the-middle attack. Using our new side-channel technique we show that the Advanced Encryption Standard (AES) with 10 reduced masked rounds is broken faster than exhaustive key search. This implies that one has to mask all rounds of the 12-round 192-bit key AES to prevent our attacks. Our result is the first to analyse AES with 10 reduced masked rounds, while the previous best known side-channel attack is on AES with eight reduced masked rounds.
    Comput. J. 01/2010; 53:934-938.
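Two of the RSA abstracts above (the message blinding method in ACM TECS 02/2014 and the CRT-RSA power/fault countermeasures in Journal of Systems and Software 2011) rest on facts that are easier to see in code: textbook message blinding needs a multiplicative inverse r^-1 mod N to unblind the signature, and a CRT signature computed with one faulty half leaks a prime factor unless the device checks the result before releasing it. The Python below is an added example written for this page, not code from any of the papers, and it does not reproduce the papers' own countermeasures. It assumes constructed toy primes (about 2^30, far too small for real use), Python 3.8+ for pow(x, -1, n), and uses the well-known Boneh-DeMillo-Lipton/Lenstra gcd recovery; the verify-with-e check at the end is the classical countermeasure that the JSS abstract says its recombination does without.

```python
"""Added example, not code from any of the papers listed above.

  1. classic message blinding, whose unblinding step needs r^-1 mod N
     (the multiplicative inversion the TECS 2014 abstract avoids);
  2. CRT-RSA signing with one faulty half, gcd recovery of a prime factor
     from that single faulty signature (Boneh-DeMillo-Lipton / Lenstra),
     and the verify-with-e check that stops it (the public-exponent
     dependence the JSS 2011 abstract says its scheme does without).
Assumptions: toy ~30-bit primes constructed for speed only; Python 3.8+.
"""
import math
import secrets

# Constructed toy key material (assumption: two well-known small primes).
P = 1_000_000_007
Q = 998_244_353
E = 65537


def make_toy_key():
    """Build an RSA key dict, including the CRT parameters, from the toy primes."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)
    return {
        "N": n, "e": E, "d": d, "p": P, "q": Q,
        "dp": d % (P - 1), "dq": d % (Q - 1),
        "qinv": pow(Q, -1, P),   # q^-1 mod p, used by Garner recombination
    }


def sign_blinded(key, m):
    """Textbook message blinding: sign m * r^e instead of m, then strip r.
    The final pow(r, -1, N) is the O(n^3) inversion the TECS abstract objects to."""
    n, e, d = key["N"], key["e"], key["d"]
    while True:
        r = secrets.randbelow(n - 2) + 2      # r in [2, N-1]
        if math.gcd(r, n) == 1:
            break
    m_blind = (m * pow(r, e, n)) % n          # blind the input
    s_blind = pow(m_blind, d, n)              # = m^d * r^(ed) = m^d * r (mod N)
    return (s_blind * pow(r, -1, n)) % n      # unblind: multiply by r^-1


def crt_sign(key, m, fault_sp=False):
    """CRT-RSA signature via Garner recombination. With fault_sp=True the low
    bit of the mod-p half is flipped after it is computed, modelling one
    induced fault in one of the two exponentiations (constructed fault)."""
    p, q = key["p"], key["q"]
    sp = pow(m % p, key["dp"], p)
    sq = pow(m % q, key["dq"], q)
    if fault_sp:
        sp ^= 1
    h = ((sp - sq) * key["qinv"]) % p
    return sq + q * h


def recover_factor_from_fault(n, e, m, s_faulty):
    """Lenstra's variant of the Bellcore attack, needing only the public key,
    the message and one faulty signature: s' is still correct mod q, so
    s'^e - m is a multiple of q but not of p, and the gcd with N yields q."""
    return math.gcd((pow(s_faulty, e, n) - m) % n, n)


class FaultDetected(Exception):
    pass


def checked_crt_sign(key, m, fault_sp=False):
    """Classical countermeasure: verify with the public exponent before the
    signature leaves the device, so the attacker never sees a faulty s."""
    s = crt_sign(key, m, fault_sp)
    if pow(s, key["e"], key["N"]) != m % key["N"]:
        raise FaultDetected("signature failed public-key check; not released")
    return s


if __name__ == "__main__":
    key = make_toy_key()
    msg = 0x1234_5678_9ABC                    # constructed sample message (< N)
    ref = pow(msg, key["d"], key["N"])
    assert sign_blinded(key, msg) == ref
    assert crt_sign(key, msg) == ref
    bad = crt_sign(key, msg, fault_sp=True)
    print("factor from one faulty signature:",
          recover_factor_from_fault(key["N"], key["e"], msg, bad))
    try:
        checked_crt_sign(key, msg, fault_sp=True)
    except FaultDetected as exc:
        print("blocked:", exc)
```

Run it directly to see the recovered factor printed. The gcd step works from a single faulty output, which is why the checked signer matters: the faulty value is what the attack needs, and the public-exponent verification keeps it inside the device. The cost of that check (one extra exponentiation with e, and the need to have e available at all) is exactly what motivates recombination-side error detection of the kind the JSS abstract describes.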

Publication Stats

752 Citations
10.42 Total Impact Points


  • 2000–2014
    • Korea University
      Sŏul, Seoul, South Korea
  • 2011
    • Princeton Information Technology Center
      Security-Widefield, Colorado, United States
  • 2007
    • University of Seoul
      • Department of Mathematics
      Seoul, Seoul, South Korea