A Simple Related-Key Attack on the Full SHACAL-1

SHACAL-1 is a 160-bit block cipher with a variable key length of up to 512 bits, based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the second phase of evaluation. Since its introduction, SHACAL-1 has withstood extensive cryptanalytic efforts. The best known key recovery attack on the full cipher prior to this paper has a time complexity of about 2^420 encryptions. In this paper we use an observation due to Saarinen to present an elegant related-key attack on SHACAL-1. The attack can be mounted using two to eight unknown related keys, where each additional key reduces the time complexity of retrieving the actual values of the keys by a factor of 2^62. When all eight related keys are used, the attack requires 2^101.3 related-key chosen plaintexts and has a running time of 2^101.3 encryptions. This is the first successful related-key key recovery attack on a cipher with varying round constants.
