{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T10:40:06Z","timestamp":1727606406419},"reference-count":28,"publisher":"Oxford University Press (OUP)","issue":"6","license":[{"start":{"date-parts":[[2022,7,18]],"date-time":"2022-07-18T00:00:00Z","timestamp":1658102400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,6,19]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The Pilsung cipher is part of the North Korean Red Star operating system, which was leaked to the West in 2014. Initial analysis by Kryptos Logic reported a possibility of a class of weak keys due to the use of pseudo-random diffusion. Following this lead, we analyzed the cipher and identified a small class of such weak keys. We developed techniques for searching for a key that belongs to the class. After spending thousands of CPU hours, we found a supposedly weak key for a slightly weaker version of Pilsung, but the key did not behave as we expected. On further investigation we found out a crucial misunderstanding in a critical part of the cipher and that no such class of weak keys exists in Pilsung. Thus, this paper makes two main contributions to the art of cryptanalysis. First, it identifies and shows how to investigate a potential weakness in randomizing diffusion, which although does not exist in Pilsung, may affect future designs. 
Second, it highlights the need for early verification of results in order to identify errors before expending significant resources.<\/jats:p>","DOI":"10.1093\/comjnl\/bxac092","type":"journal-article","created":{"date-parts":[[2022,7,18]],"date-time":"2022-07-18T20:38:59Z","timestamp":1658176739000},"page":"1335-1341","source":"Crossref","is-referenced-by-count":1,"title":["Row, Row, Row Your Boat: How to Not Find Weak Keys in Pilsung"],"prefix":"10.1093","volume":"66","author":[{"given":"Chitchanok","family":"Chuengsatiansup","sequence":"first","affiliation":[{"name":"The University of Adelaide , Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eyal","family":"Ronen","sequence":"additional","affiliation":[{"name":"Tel Aviv University , Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gregory G","family":"Rose","sequence":"additional","affiliation":[{"name":"Deckard Technologies Inc. , USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuval","family":"Yarom","sequence":"additional","affiliation":[{"name":"The University of Adelaide , Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2022,7,19]]},"reference":[{"volume-title":"Chaos Computer Club","year":"2015","author":"Grunow","key":"2023062312054456800_ref1"},{"volume-title":"A brief look at North Korean cryptography","year":"2018","author":"Logic","key":"2023062312054456800_ref2"},{"key":"2023062312054456800_ref3","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-662-04722-4","volume-title":"The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography","author":"Daemen","year":"2002"},{"key":"2023062312054456800_ref4","first-page":"305","article-title":"Generation of random permutations of given number of elements using random sampling numbers","volume":"23","author":"Rao","year":"1961","journal-title":"Sankhya: Indian J. Stat., Ser. 
A"},{"key":"2023062312054456800_ref5","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1111\/j.2517-6161.1962.tb00474.x","article-title":"A simple randomization procedure","volume":"24","author":"Sandelius","year":"1962","journal-title":"J. R. Stat. Soc. Ser. B"},{"key":"2023062312054456800_ref6","first-page":"1","volume-title":"Proc. Asiacrypt 2009","author":"Biryukov","year":"2009"},{"key":"2023062312054456800_ref7","first-page":"344","volume-title":"Proc. Asiacrypt 2011","author":"Bogdanov","year":"2011"},{"volume-title":"Ecole Normale Sup\u00e9rieure de Paris \u2014 ENS Paris","year":"2013","author":"Derbez","key":"2023062312054456800_ref8"},{"key":"2023062312054456800_ref9","first-page":"214","volume-title":"Proc. Eurocrypt 2016","author":"Tiessen","year":"2016"},{"key":"2023062312054456800_ref10","first-page":"213","volume-title":"Proc. FSE 2000","author":"Ferguson","year":"2000"},{"key":"2023062312054456800_ref11","first-page":"217","volume-title":"Proc. Asiacrypt 2017","author":"R\u00f8njom","year":"2017"},{"volume-title":"Cryptanalysis of Reduced Variants of Rijndael","year":"1999","author":"Biham","key":"2023062312054456800_ref12"},{"key":"2023062312054456800_ref13","doi-asserted-by":"crossref","first-page":"133","DOI":"10.46586\/tosc.v2018.i2.133-160","article-title":"Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES","volume":"2018","author":"Grassi","year":"2018","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2023062312054456800_ref14","doi-asserted-by":"crossref","first-page":"185","DOI":"10.1007\/978-3-319-96881-0_7","volume-title":"Proc. Crypto 2018","author":"Bar-On","year":"2018"},{"key":"2023062312054456800_ref15","first-page":"280","volume-title":"Proc. Eurocrypt 2020","author":"Dunkelman","year":"2020"},{"key":"2023062312054456800_ref16","first-page":"343","volume-title":"Proc. 
AES3","author":"Daemen","year":"2000"},{"key":"2023062312054456800_ref17","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1007\/s00145-016-9251-7","article-title":"Making the impossible possible","volume":"31","author":"Boura","year":"2018","journal-title":"J. Cryptology"},{"key":"2023062312054456800_ref18","first-page":"371","volume-title":"Proc. Eurocrypt 2013","author":"Derbez","year":"2013"},{"key":"2023062312054456800_ref19","first-page":"230","volume-title":"Proc. AES3","author":"Gilbert","year":"2000"},{"key":"2023062312054456800_ref20","first-page":"231","article-title":"Cache vs. key-dependency: side channeling an implementation of Pilsung","volume":"2020","author":"Genkin","year":"2020","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"2023062312054456800_ref21","first-page":"1","volume-title":"CT-RSA","author":"Osvik","year":"2006"},{"key":"2023062312054456800_ref22","first-page":"9","volume-title":"Proc. Crypto 1986","author":"Moore","year":"1986"},{"key":"2023062312054456800_ref23","first-page":"224","volume-title":"Proc. Crypto 1993","author":"Daemen","year":"1993"},{"key":"2023062312054456800_ref24","first-page":"112","volume-title":"Proc. Eurocrypt 1998","author":"Hawkes","year":"1998"},{"key":"2023062312054456800_ref25","first-page":"315","volume-title":"Proc. ICICS 2002","author":"Biryukov","year":"2002"},{"key":"2023062312054456800_ref26","first-page":"175","volume-title":"Proc. AES2","author":"Wagner","year":"1999"},{"key":"2023062312054456800_ref27","first-page":"153","volume-title":"Proc. FSE 2007","author":"Biham","year":"2007"},{"key":"2023062312054456800_ref28","doi-asserted-by":"crossref","first-page":"294","DOI":"10.1007\/978-3-540-89754-5_23","volume-title":"Proc. 
Indocrypt 2008","author":"Kara","year":"2008"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/6\/1335\/50684680\/bxac092.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/6\/1335\/50684680\/bxac092.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T10:13:18Z","timestamp":1727604798000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/66\/6\/1335\/6645991"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,19]]},"references-count":28,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2022,7,19]]},"published-print":{"date-parts":[[2023,6,19]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxac092","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"type":"print","value":"0010-4620"},{"type":"electronic","value":"1460-2067"}],"subject":[],"published-other":{"date-parts":[[2023,6]]},"published":{"date-parts":[[2022,7,19]]}}}