Differential attack on nine rounds of the SEED block cipher

• The SEED block cipher is an ISO international standard.
• We describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED.
• We present a differential cryptanalysis attack on 9-round SEED.
• Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds.
• Our result suggests that the safety margin of SEED decreases below half of the number of rounds.

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 269.71 bytes, and has a time complexity of 2126.36 encryptions with a success probability of 99.9% when using 2125 chosen plaintexts, or a time complexity of 2125.36 encryptions with a success probability of 97.8% when using 2124 chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.