Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis∗

Home , DEAL, Serpent (cipher), SHACAL, Square (cipher)

IEICE TRANS. FUNDAMENTALS, VOL.Exx–??, NO.xx XXXX 200x 1

PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis∗

Jiqiang LU†a) and Jongsung KIM††b),

Table 1 Summary of previous and our new cryptanalytic re- SUMMARY SHACAL-2 is a 64-round block cipher with a sults on SHACAL-2 256-bit block size and a variable length key of up to 512 bits. It is a NESSIE selected block cipher algorithm. In this paper, we ob- T ype of Attack Rounds Data T ime Memory Source serve that, when checking whether a candidate quartet is useful in Impossible diff. 30 744 CP 2495.1 214.5 [7] a (related-key) rectangle attack, we can check the two pairs from Square 28 240.9 CP 2494.1 245.9 [18] the quartet one after the other, instead of checking them simul- 43.4 504.2 48.4 taneously; if the first pair does not meet the expected conditions, Differential 32 2 CP 2 2 [18] we can discard the quartet immediately. We next exploit a 35- Related-key diff. 35 242.4 RK-CP 2452.1 247.4 [12] round related-key rectangle distinguisher with probability 2−460 Related-key 37 2235.2 RK-CP 2487 2240.2 [12] for the first 35 rounds of SHACAL-2, which is built on an existing rectangle 42 2243.4 RK-CP 2488.4 2247.4 [15] 24-round related-key differential and a new 10-round differential. 43† 2240.4 RK-CP 2480.4 2245.4 [20] Finally, taking advantage of the above observation, we use the 233 497.2 238 distinguisher to mount a related-key rectangle attack on the first 44 2 RK-CP 2 2 This 44 rounds of SHACAL-2. The attack requires 2233 related-key diff.: differential, CP: Chosen Plaintexts, RK: Related-Key, chosen plaintexts, and has a time complexity of 2497.2 computa- Time unit: Encryptions, Memory unit: Bytes, tions. This is better than any previously published cryptanalytic †: The attack has a flaw; see Section 4.2 of this paper. results on SHACAL-2 in terms of the numbers of attacked rounds. key words: Block cipher, SHACAL-2, Differential cryptanalysis, Related-key rectangle attack gorithm, after a thorough analysis of its security and 1. Introduction performance. The published cryptanalytic results on SHACAL-2 SHACAL-2 is a 64-round block cipher with a 256-bit are as follows. In 2003, Hong et al. [7] presented block size and a variable length key of up to 512 bits, an impossible differential attack[2], [14] on 30-round which was proposed in 2001 by Handschuh and Nac- SHACAL-2. In 2004, Shin et al. [18] presented a cache [6] as a submission to the NESSIE (New Euro- square-nonlinear attack on 28-round SHACAL-2 and pean Schemes for Signatures, Integrity and Encryption) a differential-nonlinear attack on 32-round SHACAL-2. project [16]; it is based on the compression function Also in 2004, Kim et al. [12] presented a related-key of SHA-256 [17], an ISO hash function international differential-nonlinear attack on 35-round SHACAL-2 standard, where the plaintext enters the compression and a related-key rectangle attack [11] on 37-round function as the chaining value, and the key enters the SHACAL-2, where the latter is based on a 33-round compression function as the message block. In 2003, related-key rectangle distinguisher. In 2006, Lu et SHACAL-2 became a NESSIE selected block cipher al- al. [15] presented a related-key rectangle attack on 42-

† round SHACAL-2, after exploiting a 34-round related- The author is with the Information Security Group, key rectangle distinguisher with probability 2−456.76 Royal Holloway, University of London, Egham, Surrey TW20 OEX, UK. He as well as his work was supported and then adopting the proposed early abort technique. by a British Chevening / Royal Holloway Scholarship and In 2007, Wang [20] presented a related-key rectangle the European Commission under contract IST-2002-507932 attack on 43-round SHACAL-2, by extending Lu et (ECRYPT). al.’s 34-round related-key rectangle distinguisher to a ††The author is with the Center for Information Security 35-round distinguisher with probability 2−474.76. Technologies (CIST), Korea University, Anam Dong, Sung- In this paper, we find that there is a flaw in Wang’s buk Gu, Seoul, Korea. He was supported by the MKE (Min- istry of Knowledge Economy), Korea, under the ITRC (In- attack algorithm on 43-round SHACAL-2, which makes formation Technology Research Center) support program the attack infeasible. We exploit a more powerful 35- supervised by the IITA (Institute of Information Technol- round related-key rectangle distinguisher which has a ogy Advancement) (IITA-2008-(C1090-0801-0025)). probability of 2−460, following the previous work de- a) E-mail: lvjiqiang AT hotmail.com scribed in [15], [20]. More importantly, we observe that, b) E-mail: joshep AT cist.korea.ac.kr when checking whether a candidate quartet is useful ∗This paper was published in IEICE Transactions on Fundamentals of Electronics, Communications and Com- in a (related-key) rectangle attack, we can check the puter Sciences, Vol. 91-A(9), pp. 2588-2596, IEICE Press, two pairs from the quartet one after the other, instead 2008. of checking them simultaneously; if the first pair does IEICE TRANS. FUNDAMENTALS, VOL.Exx–??, NO.xx XXXX 200x 2

not meet the expected conditions, we can discard the Di+1 = Ci, quartet immediately. This can reduce the computa- Ci+1 = Bi, tion complexity of an attack, and, even more signif- Bi+1 = Ai, i+1 i+1 i+1 icantly, may allow us to break more rounds of a ci- A = T1 ¢ T2 . pher. Taking advantage of this observation, we finally 3. The ciphertext C is (A64,B64,C64,D64,E64,F 64, use the 35-round related-key rectangle distinguisher to G64,H64). conduct a related-key rectangle attack on the first 44 rounds of SHACAL-2. This is better than any pre- In the above description, Ki is the i-th round key, viously published cryptanalytic results on SHACAL-2 W i is the i-th round constant, and the four functions in terms of the numbers of attacked rounds. Table 1 Σ0(X), Σ1(X), Ch(X,Y,Z) and Maj(X,Y,Z) are de- summarises both previous and our new cryptanalytic fined as follows. results on SHACAL-2 that uses 512 key bits. The rest of this paper is organised as follows. In Σ0(X) = S2(X) ⊕ S13(X) ⊕ S22(X), the next section, we describe some notation and the Σ1(X) = S6(X) ⊕ S11(X) ⊕ S25(X), SHACAL-2 block cipher. In Section 3, we introduce Ch(X,Y,Z) = (X&Y ) ⊕ (¬X&Z), our observation on related-key rectangle attacks. In Maj(X,Y,Z) = (X&Y ) ⊕ (X&Z) ⊕ (Y &Z), Section 4, we give the 35-round related-key rectangle −460 distinguisher with probability 2 , as well as the flaw where Sj(X) represents right rotation of X by j bits. in Wang’s attack. In Section 5, we present our related- The key schedule of SHACAL-2 accepts a variable key rectangle attack on 44-round SHACAL-2. Section length key of up to 512 bits. Shorter keys can be used 6 concludes this paper. by padding them with zeros to produce a 512-bit key string. The 512-bit user key K is divided into sixteen 2. Preliminaries 32-bit words (K0,K1, ··· ,K15), which are the round keys for the first 16 rounds. Finally, the i-th round key 2.1 Notation (16 ≤ i ≤ 63) is generated as follows,

i i−2 i−7 i−15 i−16 • ⊕ : bitwise logical exclusive OR (XOR) K = σ1(K ) ¢ K ¢ σ0(K ) ¢ K , • & : bitwise logical AND with σ0(X) = S7(X) ⊕ S18(X) ⊕ R3(X), 32 • ¢ : addition modulo 2 σ1(X) = S17(X) ⊕ S19(X) ⊕ R10(X), • ¬ : bitwise logical complement • ◦ : functional composition where Rj(X) represents right shift of X by j bits. • ej : a 32-bit word with zeros in all positions but bit j, (0 ≤ j ≤ 31) 3. An Observation on Related-Key Rectangle Attacks • ei1,···,ij : ei1 ⊕ · · · ⊕ eij , (0 ≤ i1, ··· , ij ≤ 31) • ej,∼ : a 32-bit word that has 0’s in bits 0 to j −1, a one in bit j and indeterminate values in bits (j +1) In this section, we introduce our observation on related- to 31 key rectangle attacks.

The notion of difference used throughout this pa- 3.1 Description of Related-Key Rectangle Attacks per is with respect to the ⊕ operation, unless otherwise stated explicitly. A related-key rectangle attack [4], [8], [11] is a combi- nation of a related-key attack [1], [13] and a rectangle 2.2 The SHACAL-2 Block Cipher attack [3]. A related-key attack requires an assump- tion that the attacker knows the specific differences be- SHACAL-2 [6] takes as input a 256-bit plaintext, and tween one or more pairs of unknown keys; this assump- has a total of 64 rounds. Its encryption procedure can tion makes it difficult or even infeasible to conduct in be described as follows. many cryptographic applications, but some of the cur- rent real-world applications allow for practical related- 1. The 256-bit plaintext P is represented as eight 32- key attacks [10], for example, key-exchange protocols bit words A0, B0, C0, D0, E0, F 0, G0 and H0. and hash functions. A rectangle attack is a variant 2. For i = 0 to 63: of the boomerang attack [19] and an improvement of i+1 i i i i i i i T1 = K ¢ Σ1(E ) ¢ Ch(E ,F ,G ) ¢ H ¢ W , the amplified boomerang attack [9]. As a result, they i+1 i i i i T2 = Σ0(A ) ¢ Maj(A ,B ,C ), share the same basic idea of using two (or more) short Hi+1 = Gi, differentials with larger probabilities instead of a long Gi+1 = F i, differential with a smaller probability. F i+1 = Ei, A related-key rectangle attack is based on a i+1 i i+1 E = D ¢ T1 , related-key rectangle distinguisher, which treats a block LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 3

∗ 0∗ P P Therefore, if pb·qb > 2−n/2, the related-key rectangle P α P 0 α distinguisher can distinguish between E and a random function, given sufficient chosen plaintext pairs. E0 E0 KB K 0 0 D Note that there exist three kinds of related-key EK E A KC rectangle attacks, which correspond to the following three cases. β β γ • Type 1: ∆K 6= 0, ∆K 6= 0, (four keys); γ 0 1 • Type 2: ∆K0 = 0, ∆K1 6= 0, (two keys); E1 E1 KB KD • Type 3: ∆K0 6= 0, ∆K1 = 0, (two keys). E1 E1 KA KC 3.2 The Observation C∗ δ C0∗ C δ C0 A typical related-key rectangle attack treats a block cipher E : {0, 1}n × {0, 1}k → {0, 1}n as a cascade of Fig. 1 A Related-Key Rectangle Distinguisher four sub-ciphers E = Eb ◦ E1 ◦ E0 ◦ Ea, where E1 ◦ E0 denotes the rounds for the rectangle distinguisher, cipher E : {0, 1}n × {0, 1}k → {0, 1}n as a cascade of Ea denotes the rounds before E0, and Eb denotes the 1 0 1 a a a a two sub-ciphers E = E ◦ E and requires that there rounds after E . Suppose KA, KB, KC and KD are a exists a related-key differential ∆α → ∆β with proba- the subkeys used in E , which correspond to KA, KB, 0 0 0 b b b b bility p for E : Pr n [E (X) ⊕ E (X ⊕ α) = KC and KD, respectively; and K , K , K and K X∈{0,1} KA KB A B C D 0 0 b β] = Pr n [E (X) ⊕ E (X ⊕ α) = β] = p, are the subkeys used in E , which correspond to KA, X∈{0,1} KC KD and a related-key differential ∆γ → ∆δ with proba- KB, KC and KD, respectively. 1 1 1 a b bility q for E : Pr n [E (X) ⊕ E (X ⊕ γ) = Given a guess for the subkeys used in E and E , X∈{0,1} KA KC 1 1 the attacker tries to check whether a candidate quartet δ] = PrX∈{0,1}n [E (X) ⊕ E (X ⊕ γ) = δ] = q, KB KD ((P,e Pe∗), (Pe0, Pe0∗)) meets the difference conditions re- where the four unknown user keys KA,KB,KC and quired by the related-key rectangle distinguisher, that KD satisfy KB = KA ⊕ ∆K0, KC = KA ⊕ ∆K1 and is, the following two conditions. KD = KC ⊕∆K0, with ∆K0 and ∆K1 being two known differences. a e a e∗ a e0 a e0∗ EKa (P ) ⊕ EKa (P ) = EKa (P ) ⊕ EKa (P ) A quartet consists of two pairs of plaintexts A B C D (P,P ∗ = P ⊕ α) and (P 0,P 0∗ = P 0 ⊕ α). It is use- = α, (4) ful only if the two pairs (P,P ∗) and (P 0,P 0∗) satisfy b,−1 e b,−1 e0 b,−1 e∗ b,−1 e0∗ EKb (C) ⊕ EKb (C ) = EKb (C ) ⊕ EKb (C ) the following three conditions; see Fig. 1. A C B D = δ, (5) 0 0 ∗ 0 0 0 0∗ C1: EKA (P ) ⊕ EKB (P ) = EKC (P ) ⊕ EKD (P ) where Ce = E (Pe), Ce∗ = E (Pe∗), Ce0 = E (Pe0), = β, (1) KA KB KC Ce0∗ = E (Pe0∗), and Eb,−1 denotes the inverse of Eb. C2: E0 (P ) ⊕ E0 (P 0) = E0 (P ∗) ⊕ E0 (P 0∗) KD KA KC KB KD In a chosen-plaintext attack scenario, the general = γ, (2) approach to meet the conditions described in Eq. (4) is 1 0 1 0 0 1 0 e e∗ e0 e0∗ C3: EKA (EKA (P )) ⊕ EKC (EKC (P ))=EKB (EKB to choose the pairs (P, P ) and (P , P ) in the follow- ∗ 1 0 0∗ ing way. (P )) ⊕ EKD (EKD (P )) = δ. (3) a 0 1. Choose a plaintext, Pe say, and encrypt it with E By assuming that the intermediate values after E a distribute uniformly over all possible values, we can under the guess for KA; we denote the encrypted 0 0 0 −n a e get E (P ) ⊕ E (P ) = γ with probability 2 . value by EKa (P ). KA KC A 0 ∗ a a Once this occurs, by C1 we know that E (P ) ⊕ 2. Compute E a (Pe) ⊕ α, and decrypt it with E un- KB KA E0 (P 0∗) = γ holds with probability 1, for E0 (P ∗)⊕ a KD KB der the guess for KB; the decrypted value is what E0 (P 0∗) = (E0 (P ) ⊕ E0 (P ∗)) ⊕ (E0 (P 0) ⊕ e∗ KD KA KB KC we look for P . E0 (P 0∗)) ⊕ (E0 (P ) ⊕ E0 (P 0)) = β ⊕ β ⊕ γ = γ. 3. Choose the pair (Pe0, Pe0∗) in the same way as de- KD KA KC As a result, by summarising all the possible β scribed above. and γ, we get that the probability that the quartet P Obviously, the quartet ((P,e Pe∗), (Pe0, Pe0∗)), se- satisfies C3 is expected to be about β,γ (Pr(∆α → 2 −n 2 −n 2 lected in the above way, meets the conditions described ∆β)) · 2 · (Pr(∆γ → ∆δ)) = 2 · (pb · qb) , where in Eq. (4). The remaining problem is to check whether P 2 1 P 2 2 pb = ( β Pr (∆α → ∆β)) and qb = ( γ Pr (∆γ → it also meets the conditions described in Eq. (5). 1 ∆δ)) 2 . For a random function, this probability is about The key schedules of some block ciphers make it 2−n×2 = 2−2n. possible for us to know the subkey differences involved IEICE TRANS. FUNDAMENTALS, VOL.Exx–??, NO.xx XXXX 200x 4

b b,−1 e∗ b,−1 e0∗ in E from the user key differences ∆K0 and ∆K1, es- pair meets the condition E b (C ) ⊕ E b (C ) = δ. KB KD pecifically those with linearity. Thus, to check whether The candidate quartet is useful if, and only if, every e e∗ e0 e0∗ the candidate quartet ((P, P ), (P , P )) meets the pair meets the respective conditions. conditions in Eq. (5), we do not need to guess all the This can reduce the computational workload of a four unknown subkeys; we just guess one or more of related-key rectangle attack, and, even more signifi- them, and then XOR them with the subkey differences cantly, may allow us to break more rounds of a cipher, to get the remaining unknown subkeys. Whereas the depending on the distinguisher used and the round key schedules of some block ciphers make it impossible structure of the cipher. Note that this observation can for us to determine the subkey differences involved in be also used to improve a rectangle attack, although b E from the user key differences ∆K0 and ∆K1; thus this improvement is usually small (generally, a factor † b 1 it is necessary to guess the four unknown subkeys KA, of on the computational workload). b b b 2 KB, KC and KD to check whether the candidate quartet ((P,e Pe∗), (Pe0, Pe0∗)) meets the conditions in Eq. (5). 4. A 35-Round Related-Key Rectangle Distin- Previously, this is usually done by guessing the four guisher with Probability 2−460 of SHACAL-2 subkeys at once, and then simultaneously decrypting both the pairs (C,e Ce0) and (Ce∗, Ce0∗) to check whether In this section, we exploit a 35-round related-key rect- they meet the conditions in Eq. (5). However, in 2006, angle distinguisher with probability 2−460 for Rounds Lu et al. [15] found that it may be possible to par- 0 to 34, following the previous work described in [15], tially determine whether or not a candidate quartet [20]; the distinguisher belongs to Type 3. Besides, we in a related-key rectangle attack is useful one or more give the flaw in Wang’s attack on 43-round SHACAL-2. rounds earlier than usual. Specifically, from Eq. (5) we know the expected output difference δ after E1. Thus, 4.1 The 34-Round Related-Key Rectangle Distin- if we know the expected output differences of one or guisher Due to Lu et al. more rounds after E1, we can guess part of the subkeys b b b b KA, KB, KC and KD such that we can check whether In 2006, Lu et al. [15] gave a 24-round related-key differ- a candidate quartet meets one of the expected output ential (0, 0, e6,9,18,20,25,29, e31, 0, e9,13,19, e18,29, e31) → 1 −38 differences of the one or more rounds after E . If not, (e13,24,28, 0, 0, 0, e13,24,28, 0, 0, 0) with probability 2 we can discard it immediately; otherwise, we guess part for Rounds 1 to 24† and a 10-round differential b b b (or all) of the remaining of the subkeys KA, KB, KC (e31, e31, e6,9,18,20,25,29,31, 0, 0, e9,13,19, e18,29,31, 0) → b and KD, and check the quartet similarly. Since some (e6,9,18,20,25,29, e31, 0, 0, e6,20,25, e31, 0, 0) with probabil- candidate quartets are discarded before the next subkey ity 2−65 for Rounds 25 to 34. guess, this results in less computations in the following They computed a square sum of at least 2−74(= steps, and may allow us to break more rounds, depend- 2−37×2) for the probabilities of all the 24-round related- ing on how many candidate quartets are remaining and key differentials for Rounds 1 to 24 that have only the how many subkeys are required to guess. This is called output differences different from the above 24-round the early abort technique [15]. differential, and a square sum of at least 2−126.76(= We further observe that the early abort technique 2−63.38×2) for the probabilities of all the 10-round dif- can be conducted in a more efficient way. Our observa- ferentials for Rounds 25 to 34 that have only the input tion focuses on a single application of the early abort differences different from the above 10-round differen- technique. To make things clearer, we assume that the tial. round immediately following E1 is the target round for As a result, they exploited a 34-round related- an application of the early abort technique, and, to key rectangle distinguisher with probability 2−456.76(= simplify our explanation we assume that Eb has only 2−74 · 2−126.76 · 2−256) for Rounds 1 to 34, which was this round (by this we can continue to use the above finally used to break the first 42 rounds of SHACAL-2 notation for the ciphertexts and subkeys without defin- along with the proposed early abort technique. ing more). The observation is as follows. We can first b b guess the two subkeys KA and KC connected with the 4.2 The 35-Round Related-Key Rectangle Distin- pair (C,e Ce0), and then check whether the pair meets guisher Due to Wang b,−1 e b,−1 e0 the condition E b (C) ⊕ E b (C ) = δ. If the pair KA KC does not meet this condition, then we can discard the In 2007, Wang [20] found that Lu et al.’s 34- candidate quartet; if it does meet the condition, then round related-key rectangle distinguisher can be we guess the other two subkeys Kb and Kb connected extended to a 35-round distinguisher by append- B D ing one-round related-key differential with proba- with the other pair (Ce∗, Ce0∗), and check whether this bility 1 at the beginning: given a plaintext pair P = (A0,B0,C0,D0,E0,F 0,G0,H0) and Pe = †We consider the general related-key rectangle attack with four keys here; similar for the case with two keys. †Certain input bits are fixed to meet several conditions. LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 5

Table 2 The 25-round related-key diﬀerential for Rounds 0 to 24 Round (i) ∆Ai ∆Bi ∆Ci ∆Di ∆Ei ∆F i ∆Gi ∆Hi ∆Ki Prob. 0 0 0 e6,9,18,20,25,29 e31 0 e9,13,19 e18,29 e31 ∆ e31 1 −11 1 0 0 e6,9,18,20,25,29 e31 0 e9,13,19 e18,29 e31 0 2 −10 2 e31 0 0 e6,9,18,20,25,29 0 0 e9,13,19 e18,29 0 2 −7 3 0 e31 0 0 e6,20,25 0 0 e9,13,19 0 2 −4 4 0 0 e31 0 0 e6,20,25 0 0 0 2 −3 5 0 0 0 e31 0 0 e6,20,25 0 0 2 −4 6 0 0 0 0 e31 0 0 e6,20,25 0 2 −1 7 0 0 0 0 0 e31 0 0 0 2 −1 8 0 0 0 0 0 0 e31 0 0 2 9 0 0 0 0 0 0 0 e31 e31 1 10 0 0 0 0 0 0 0 0 0 1 ...... 23 0 0 0 0 0 0 0 0 0 1 24 0 0 0 0 0 0 0 0 · 2−6 output e13,24,28 0 0 0 e13,24,28 0 0 0 / /

0 0 0 0 0 0 0 0 (A , B , C , D , E , F , G , H ) with some fixed bits 0 4.3 A 35-Round Related-Key Rectangle Distinguisher as described in Eq. (6), (where xi denotes the i-th bit of X0), the 25-round related-key dif- with Probability 2−460 ferential with probability 2−47 for Rounds 0 to 0 We exploit a more powerful 10-round differential for 24 is (0, e6,9,18,20,25,29, e31, 0, e9,13,19, e18,29, e31, ∆ ) → 0 0 Rounds 25 to 34: (0, 0, e , e , 0, e , (e13,24,28, 0, 0, 0, e13,24,28, 0, 0, 0), where ∆ = Σ1(E ) − 6,9,18,20,25,29 31 9,13,19 0 e e18,19, e31) → (e6,9,18,20,25,29, e31, 0, 0, e6,20,25, e31, 0, 0), Σ1(E ⊕ e9,13,19) and the key difference is K ⊕ K = −56 0 1 15 which has a probability of 2 . See Table 3 for more (∆K , ∆K , ··· , ∆K ) = (e31, 0, 0, 0, 0, 0, 0, 0, 0, e31, 0, 0, 0, 0, 0, 0). See Table 2 for more details. details. Using this 10-round differential with probability −56 a0 = b0 , a0 = c0, for i = 6, 9, 18, 20, 25, 29; 2 and the 25-round related-key differential with 31 31 i i −47 b0 = ¬e0, a0 = ¬f 0, for i = 19, 30; probability 2 of Wang, we get a new 35-round 9 9 i i (6) e0 = 0, for i = 18, 29, 30; related-key rectangle distinguisher, which has a prob- i −460 −46 −56 2 −256 f 0 = g0, for i = 9, 13, 19. ability of at least 2 (= (2 · 2 ) · 2 ) for i i the 35-round SHACAL-2, and has a probability of The second differential for the 35-round distinguisher (2−256)2 = 2−512 for a random cipher. is the same 10-round differential as that used in the 34- round related-key rectangle distinguisher due to Lu et 5. Related-Key Rectangle Attack on 44-Round al. SHACAL-2 As a result, Wang exploited a 35-round related- e key rectangle distinguisher with probability (2−46)2 · Assume that the two related user keys are K and K. 2−126.76 · 2−256 = 2−474.76, which was used to break the First, we review the following differential property of first 43 rounds of SHACAL-2. SHACAL-2, which allows us to break more rounds by However, we find a flaw in Wang’s attack algo- using the early abort technique proposed in [15]. rithm, which makes the attack infeasible. Property 1 (from [15], [20]): If the values of (Ai,Bi, i i i ··· ,Hi) and (A , B , ··· , H ), and the additive dif- 4.2.1 A Flaw in Wang’s Attack ference between Ki−1 and Ke i−1 are known, then we can get the values of (Ai−1,Bi−1, ··· ,Gi−1) and i−1 i−1 i−1 In Wang’s attack [20], the probability that 6 or more (A , B , ··· , G ), the additive difference between i−1 quartets pass the filtering condition in Step 6 is about Hi−1 and H , the values of (Ai−5,Bi−5,Ci−5) and 31.76 ¡ 31.76¢ P2 2 −32×2 i −32×2 231.76−i i−5 i−5 i−5 i=6 [ i · (2 ) · (1 − 2 ) ] ≈ (A , B , C ), and the additive difference between 2−202.93, so it is expected that about 2448 · 2−202.93 = i−5 Di−5 and D . 2245.07 guesses of ((K36, ··· ,K42), (K∗36, ··· ,K∗42)) are suggested in Step 6. Thus, to find the 512-bit user From the key schedule of SHACAL-2, we know key by exhaustively searching for the remaining 288 that it is impossible to determine the subkey differences bits, Step 7 is expected to have a time complexity much of the last few rounds (to be attacked) from the user key larger than 2512. Therefore, unlike what the author difference K ⊕ Ke; thus, to conduct an early abort on a claimed, the attack cannot break 43-round SHACAL-2 candidate quartet it is necessary to guess the two un- (faster than an exhaustive key search). known subkeys in every such a round, corresponding to IEICE TRANS. FUNDAMENTALS, VOL.Exx–??, NO.xx XXXX 200x 6

Table 3 The 10-round diﬀerential for Rounds 25 to 34 Round (i) ∆Ai ∆Bi ∆Ci ∆Di ∆Ei ∆F i ∆Gi ∆Hi Prob. −11 25 0 0 e6,9,18,20,25,29 e31 0 e9,13,19 e13,18,29 e13,31 2 −14 26 e31 0 0 e6,9,18,20,25,29 0 0 e9,13,19 e13,18,29 2 −7 27 0 e31 0 0 e6,20,25 0 0 e9,13,19 2 −4 28 0 0 e31 0 0 e6,20,25 0 0 2 −3 29 0 0 0 e31 0 0 e6,20,25 0 2 −4 30 0 0 0 0 e31 0 0 e6,20,25 2 −1 31 0 0 0 0 0 e31 0 0 2 −1 32 0 0 0 0 0 0 e31 0 2 33 0 0 0 0 0 0 0 e31 1 −11 34 e31 0 0 0 e31 0 0 0 2 output e6,9,18,20,25,29 e31 0 0 e6,20,25 e31 0 0 /

K and Ke. In previous related-key rectangle attacks on decrypt all the ciphertexts Cei through Rounds 43– reduced-round SHACAL-2 presented in [15], [20], this is 40 with (Ke 43, Ke 42, Ke 41, Ke 40) to get their interme- done by first guessing both the round subkeys at a time, diate values just before Round 40; we denote them e40 40 e40 then partially decrypting a candidate quartet to get its by Ci , respectively. Keep (Ci , Ci ) in a hash ta- corresponding quartet just before this round, and fi- ble. This process proposes about 2232×2/2 = 2463 nally checking whether it meets difference conditions. candidate quartets (C40, Ce40,C40, Ce40), where i0 i0 i1 i1 232 However, as described in Section 3, we can check the 1 ≤ i0 ≤ i1 ≤ 2 . By Prop- two pairs from a candidate quartet one after the other; erty 1, we know (A35,B35,C35), (A35,B35,C35), i0 i0 i0 i1 i1 i1 more specifically, when we conduct an early abort on a 35 35 35 35 35 35 (A , B , C ), (A , B , C ), the additive dif- candidate quartet, we first check whether one pair from i0 i0 i0 i1 i1 i1 ference between D35 and D35, and the addi- i0 i1 the quartet is useful, by guessing only the single subkey 35 35 involved. If not, then this quartet is not useful, thus tive difference between Di0 and Di1 . Finally, we can discard it immediately; otherwise, we check the we choose only the quartets (C40, Ce40,C40, Ce40) i0 i0 i1 i1 other pair by guessing the other subkey. The candi- such that (A35,B35,C35) ⊕ (A35,B35,C35) = i0 i0 i0 i1 i1 i1 date quartet is useful if, and only if, both the pairs are 35 35 35 35 35 (e6,9,18,20,25,29, e31, 0), (Ai0 , Bi0 , Ci0 ) ⊕ (Ai1 , Bi1 , useful. 35 C ) = (e , e , 0), and D35 − D35 = We can use the 35-round distinguisher given in Sec- i1 6,9,18,20, 25,29 31 i0 i1 tion 4 to mount the following related-key rectangle at- 35 35 Di0 −Di1 = 0. If 6 or more quartets pass this test, tack on the first 44 rounds of SHACAL-2. The obser- record all the qualified quartets, and go to Step 4; vation described in Section 3.2 plays a crucial role on otherwise, repeat this step with another guess. the efficiency of our attack; otherwise, the distinguisher 4. For every remaining quartet (C40,C40, Ce40, Ce40), i0 i1 i0 i1 would enable us to break just the first 43 rounds of do the following. SHACAL-1 in a similar way as described in [15]. a. Guess a 32-bit subkey K39 in Round 39. Par- 232 40 40 1. Choose a set S of 2 plaintexts Pi = tially decrypt C and C through Round i0 i1 0 0 0 0 0 0 0 0 39 (Ai ,Bi ,Ci ,Di ,Ei ,Fi ,Gi ,Hi ), under the condi- 39 with K to get their intermediate val- tion of Eq. (6), (i = 1, 2, ··· , 2232). In a chosen- ues just before Round 39; we denote them by plaintext attack scenario, obtain all their corre- C39 and C39, respectively. Thus, we can com- i0 i1 sponding ciphertexts under the key K; we denote pute the the additive difference between H38 i0 them by Ci, respectively. and H38 by Property 1; since H38 = E35, we e 232 e i1 i i 2. Compute another set S of 2 plaintexts Pi = 40 40 40 40 0 0 0 0 0 0 0 0 choose only the quartets (C ,C , Ce , Ce ) (A , B , C , D , E , F , G , H ) = (A0,B0 ⊕ i0 i1 i0 i1 i i such that H38 − H38 ∈ {±26 ± 220 ± 225}. If 6 e ,C0 ⊕ e ,D0,E0 ⊕ e ,F 0 ⊕ i0 i1 6,9,18,20,25,29 i 31 i i 9,13,19 i or more quartets pass this test, record all the e ,G0⊕e ,H0+Σ (E0)−Σ (E0⊕e ) mod 18,29 i 31 i 1 i 1 i 9,13,19 qualified (C40,C40, Ce40, Ce40), and go to Step 232). In a chosen-plaintext attack scenario, obtain i0 i1 i0 i1 4-(b); otherwise, repeat this step with another all their corresponding ciphertexts under the re- 39 e guess of K . lated key K = K⊕(e31, 0, 0, 0, 0, 0, 0, 0, 0, e31, 0, 0, 0, e 39 e b. Guess a 32-bit subkey K in Round 39. Par- 0, 0, 0); we denote them by Ci, respectively. tially decrypt Ce40 and Ce40 through Round 3. Guess a 128-bit subkey pair ((K40,K41,K42,K43), i0 i1 39 with Ke 39 to get their intermediate val- (Ke 40, Ke 41, Ke 42, Ke 43)) in Rounds 40, 41, 42 and ues just before Round 39; we denote them 43. Then, partially decrypt all the ciphertexts C i by Ce39 and Ce39, respectively. Similarly, we through Rounds 43–40 with (K43,K42,K41,K40) i0 i1 choose only the quartets (C40,C40, Ce40, Ce40) to get their intermediate values just before Round i0 i1 i0 i1 40 38 38 6 20 25 40; we denote them by Ci , respectively. Partially such that Hi0 − Hi1 ∈ {±2 ± 2 ± 2 }. If LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 7

6 or more quartets pass this test, record all 35 35 F i0 , F i1 , and the additive difference between the qualified (C39,C39, Ce39, Ce39), and go to 36 36 i0 i1 i0 i1 H and H . We choose only the quartets Step 5; otherwise, repeat this step with an- i0 i1 38 38 38 38 35 35 39 (C ,C , Ce , Ce ) such that F ⊕F = e other guess of Ke . i0 i1 i0 i1 i0 i1 31 36 36 39 39 39 39 and H − H = 0. If 6 or more quar- 5. For every remaining quartet (C ,C , Ce , Ce ), i0 i1 i0 i1 i0 i1 do the following. tets pass this test, record all the qualified (C37,C37, Ce37, Ce37), and go to Step 7; oth- 38 i0 i1 i0 i1 a. Guess a 32-bit subkey K in Round 38. Par- erwise, repeat this step with another guess of tially decrypt C39 and C39 through Round e 37 i0 i1 K . 38 with K38 to get their intermediate values 37 37 37 37 38 7. For every remaining quartet (C ,C , Ce , Ce ), just before Round 38; we denote them by C i0 i1 i0 i1 i0 and C38, respectively. Thus, we can compute do the following. i1 E35, E35, and the additive difference between 36 i0 i1 a. Guess a 32-bit subkey K in Round 36. Par- H37 and H37. We choose only the quartets tially decrypt C37 and C37 through Round 36 i0 i1 i0 i1 (C39,C39, Ce39, Ce39) such that E35 ⊕ E35 = with K36 to get their intermediate values just i0 i1 i0 i1 i0 i1 37 37 31 before Round 36; we denote them by C36 and e6,20,25 and Hi − Hi ∈ {±2 }. If 6 or more i0 0 1 C36, respectively. Thus, we can compute the quartets pass this test, record all the quali- i1 fied (C39,C39, Ce39, Ce39), and go to Step 5-(b); additive difference between H35 and H35. We i0 i1 i0 i1 i0 i1 37 37 e37 e37 otherwise, repeat this step with another guess choose only the quartets (Ci ,Ci , Ci , Ci ) 38 0 1 0 1 of K . such that H35 − H35 = 0. If 6 or more e 38 i0 i1 b. Guess a 32-bit subkey K in Round 38. Par- quartets pass this test, record all the quali- e39 e39 37 37 37 37 tially decrypt Ci and Ci through Round fied (C ,C , Ce , Ce ), and go to Step 7-(b); 0 1 i0 i1 i0 i1 38 with Ke 38 to get their intermediate values otherwise, repeat this step with another guess just before Round 38; we denote them by Ce38 of K36. i0 e 36 and Ce38, respectively. Thus, we can compute b. Guess a 32-bit subkey K in Round 36. Par- i1 37 37 35 35 tially decrypt Ce and Ce through Round 36 E , E , and the additive difference between i0 i1 i0 i1 36 37 37 with Ke to get their intermediate values just H and H . We choose only the quartets 36 i0 i1 before Round 36; we denote them by Ce and 35 35 i0 (C40,C40, Ce40, Ce40) such that E ⊕ E = 36 i0 i1 i0 i1 i0 i1 Ce , respectively. Thus, we can compute the i1 37 37 31 35 35 e6,20,25 and H − H ∈ {±2 }. If 6 or more i0 i1 additive difference between Hi and Hi . We quartets pass this test, record all the qualified 0 1 choose only the quartets (C37,C37, Ce37, Ce37) (C38,C38, Ce38, Ce38), and go to Step 6; other- i0 i1 i0 i1 i0 i1 i0 i1 35 35 wise, repeat this step with another guess of such that Hi0 − Hi1 = 0. If 6 or more quar- Ke 38. tets pass this test, record (K36,K37, ··· ,K43), 38 38 38 38 and go to Step 8; otherwise, repeat this step 6. For every remaining quartet (C ,C , Ce , Ce ), 36 i0 i1 i0 i1 with another guess of Ke . do the following. 8. For a recorded (K36,K37, ··· ,K43), exhaustively a. Guess a 32-bit subkey K37 in Round 37. Par- search for the remaining 256 bits with one known tially decrypt C38 and C38 through Round i0 i1 pair of plaintext and ciphertext. If a 512-bit key 37 with K37 to get their intermediate values is suggested, output it as the user key of the 44- just before Round 37; we denote them by C37 i0 round SHACAL-2; otherwise, repeat Step 3 with and C37, respectively. Thus, we can compute i1 another guess. F 35, F 35, and the additive difference between i0 i1 36 36 This attack requires 2233 related-key chosen plain- Hi and Hi . We choose only the quartets 0 1 texts. The required memory for this attack is domi- (C38,C38, Ce38, Ce38) such that F 35⊕F 35 = e i0 i1 i0 i1 i0 i1 31 233 36 36 nated by the ciphertexts, which is approximately 2 · and H − H = 0. If 6 or more quar- 238 i0 i1 32 ≈ 2 memory bytes. tets pass this test, record all the qualified Step 3 has about 2 · 2232 · 232×8 · 8 ≈ 2486.54 (C38,C38, Ce38, Ce38), and go to Step 6-(b); 44 i0 i1 i0 i1 44-round SHACAL-2 encryptions, and it also requires otherwise, repeat this step with another guess about 232×8 ·2232 · 232 = 2490.86 memory accesses if con- of K37. 32 ducted on a 32-bit computer, which is negligible com- b. Guess a 32-bit subkey Ke 37 in Round 37. Par- pared with the 2486.54 encryptions. Due to the 128-bit tially decrypt Ce38 and Ce38 through Round i0 i1 filtering condition in Step 3, it is expected that only e 37 37 with K to get their intermediate values about 2463 · (2−128)2 = 2207 candidate quartets remain just before Round 37; we denote them by Ce37 i0 after Step 3 for every key guess. and Ce37, respectively. Thus, we can compute The time complexity of Step 4-(a) is about 2·2207 · i1 IEICE TRANS. FUNDAMENTALS, VOL.Exx–??, NO.xx XXXX 200x 8

32×9 1 490.54 Table 4 The time complexity of (each step of) the attack 2 · 44 ≈ 2 encryptions. There is a filtering 23 −29 Step (i) Time Complexity condition of 32 = 2 in either of Steps 4-(a) and (b). 2 232 In Step 4-(a), the probability that 6 or more quartets 1 2 Encryptions pass the test for a wrong guess is about 1, thus it follows 2 2232 Encryptions that all the 2288 key guesses pass this step; and about 3 2486.54 Encryptions 2207 · 2−29 = 2178 candidate quartets remain after this 4 2490.54 + 2493.54 ≈ 2493.71 Encryptions step for every key guess. The time complexity of Step 5 2496.54 + 2494.54 ≈ 2496.87 Encryptions 178 32×10 1 493.54 6 2492.54 + 2491.54 ≈ 2493.13 Encryptions 4-(b) is about 2 · 2 · 2 · 44 ≈ 2 encryptions. In Step 4-(b), the probability that 6 or more quartets 7 2490.54 + 2398.63 ≈ 2490.54 Encryptions pass the test for a wrong guess is also about 1, thus 8 2464.51 Encryptions it follows that all the 2320 key guesses pass this step; total 2497.2 Encryptions and about 2178 · 2−29 = 2149 candidate quartets remain after this step for every key guess. The time complexity of Step 5-(a) is about 2·2149 · step of the attack. Therefore, the attack has a to- 497.2 32×11 1 496.54 tal time complexity of approximately 2 44-round 2 · 44 ≈ 2 encryptions. There is a filtering condition of 2 · 1 = 2−34 in either of Steps 5-(a) SHACAL-2 computations, faster than an exhaustive 232 23 search. and (b). In Step 5-(a), the probability that 6 or more 463 quartets pass the test for a wrong guess is about 1, so As about 2 quartets are tested in this attack 352 and the 35-round related-key rectangle distinguisher it follows that all the 2 key guesses pass this step; −460 and about 2149 · 2−34 = 2115 candidate quartets remain has a probability of 2 , we can learn that the expected number of the qualified quartets for the correct after this step for every key guess. The time complexity 463 −460 of Step 5-(b) is about 2 · 2115 · 232×12 · 1 ≈ 2494.54 key guess in Step 7-(b) is about 2 · 2 = 8. The 44 probability that 6 or more quartets pass Step 7-(b) is encryptions. In Step 5-(b), since the probability that 463 ¡ 463¢ P2 2 −460 i −460 2463−i 6 or more quartets pass the test for a wrong guess is i=6 [ i ·(2 ) ·(1−2 ) ] ≈ 0.8, therefore, also about 1, it follows that all the 2384 key guesses the related-key rectangle attack works with a success pass this step; and about 2115 · 2−34 = 281 candidate probability of 80%. quartets remain after this step for every key guess. The time complexity of Step 6-(a) is about 2 · 281 · 6. Conclusions 32×13 1 492.54 2 · 44 ≈ 2 encryptions. There is a filtering 1 1 −33 SHACAL-2 is a NESSIE selected block cipher algo- condition of 232 · 2 = 2 in either of Steps 6-(a) and (b). In Step 6-(a), the probability that 6 or more quar- rithm. In this paper, we observe that, when checking tets pass the test for a wrong guess is about 1 as well, whether a candidate quartet is useful in a (related-key) thus it follows that all the 2416 key guesses pass this rectangle attack, we can check the two pairs from the step; and about 281 · 2−33 = 248 candidate quartets re- quartet one after the other, instead of checking them main after this step for every key guess. The time com- simultaneously; if the first pair does not meet expected 48 32×14 1 491.54 conditions, we can discard the quartet immediately. plexity of Step 6-(b) is about 2·2 ·2 · 44 ≈ 2 encryptions. In Step 6-(b), the probability that 6 or Using this observation, we present a related-key rectan- more quartets pass the test for a wrong guess is about gle attack on the first 44 rounds of SHACAL-2, after ex- 1, thus it follows that all the 2448 key guesses pass this ploiting a 35-round related-key rectangle distinguisher −460 step; and about 248 · 2−33 = 215 candidate quartets with probability 2 . This is the best currently pub- remain after this step for every key guess. lished cryptanalytic result on SHACAL-2. The time complexity of Step 7-(a) is about 2 · 15 32×15 1 490.54 Acknowledgments 2 · 2 · 44 ≈ 2 encryptions. There is a filtering condition of 2−32 in either of Steps 7-(a) and (b). In Step 7-(a), the probability that 6 or more The authors are very grateful to Orr Dunkelman and quartets pass the test for a wrong guess is about Nathan Keller for their valuable discussions, and thank 15 ¡ 15¢ P2 2 −32 i −32 215−i −111.49 Gaoli Wang and the two anonymous reviewers for their i=6[ i · (2 ) · (1 − 2 ) ] ≈ 2 , thus it follows that about the 2480 · 2−111.49 = 2368.51 key comments. guesses pass this step. The time complexity of Step 7- 368.51+32 1 398.63 References (b) is about 2·2 ·6· 44 ≈ 2 encryptions. In Step 7-(b), the probability that 6 or more quartets pass [1] E. Biham, “New types of cryptanalytic attacks using related −32 6 −192 the test for a wrong guess is about (2 ) = 2 , so keys”. In: T. Helleseth (ed.), EUROCRYPT ’93, LNCS 765, it is expected that only about 2368.51+32·2−192 = 2208.51 pp. 398–409, Springer-Verlag, 1993. guesses of (K36,K37, ··· ,K43) pass Step 7-(b), which [2] E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of result in 2464.51 trials in Step 8. Skipjack reduced to 31 rounds using impossible differen- Table 4 summarises the time complexity of each tials”. In: J. Stern (ed.), EUROCRYPT ’99, LNCS 1592, pp. 12–23, Springer-Verlag, 1999. LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 9

[3] E. Biham, O. Dunkelman, and N. Keller, “The rectangle Jiqiang Lu was born in Gaomi city, attack — rectangling the Serpent”. In: B. Pfitzmann (ed.), Shandong province, CHINA, in November EUROCRYPT ’01, LNCS 2045, pp. 340–357, Springer- 1977. He received a B.Sc. degree in Ap- Verlag, 2001. plied Mathematics from Yantai Univer- [4] E. Biham, O. Dunkelman, and N. Keller, “Related-key sity (CHINA) in July 2000 and a M.Eng. boomerang and rectangle attacks”. In: R. Cramer (ed.), degree in Information and Communica- EUROCRYPT ’05. LNCS 3494, pp. 507–525, Springer- tion Engineering from Xidian University Verlag, 2005. (CHINA) in March 2003. He then served [5] E. Biham and A. Shamir, “Differential cryptanalysis of the sequentially as a government officer in Data Encryption Standard”, Springer, 1993. the Intellectual Property Office of Depart- [6] H. Handschuh and D. Naccache, SHACAL, NESSIE, 2001. ment of Science & Technology of Shan- [7] S. Hong, J. Kim, G. Kim, J. Sung, C. Lee, and S. Lee, dong Province (CHINA), a research assistant in Information and “Impossible differential attack on 30-round SHACAL-2”. Communication University (KOREA), and a software engineer in In: T. Johansson and S. Maitra (eds.), INDOCRYPT ’03, ONETS Wireless&Internet Security Co. Ltd. (CHINA) and the LNCS 2904, pp. 97–106, Springer-Verlag, 2003. Beijing R&D Institute, Huawei Technologies, Co. Ltd. (CHINA). [8] S. Hong, J. Kim, S. Lee, and B. Preneel, “Related-key rect- Currently, he is a Ph.D. candidate in the Information Security angle attacks on reduced versions of SHACAL-1 and AES- Group, Royal Holloway, University of London (UK), and his re- 192”. In: H. Gilbert and H. Handschuh (eds.), FSE ’05, search topic is cryptanalysis of block ciphers. LNCS 3557, pp. 368–383, Springer-Verlag, 2005. [9] J. Kelsey, T. Kohno, and B. Schneier, “Amplified boomerang attacks against reduced-round MARS and Ser- pent”. In: B. Schneier (ed.), FSE ’00. LNCS 1978, pp. 75– Jongsung Kim was born in Chung- 93, Springer-Verlag, 2001. buk, SOUTH KOREA, in 1978. He re- [10] J. Kelsey, B. Schneier, and D. Wagner, “Key-schedule ceived a Bachelor degree in 2000 and a cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple- Master degree in 2002, both in Mathe- DES”. In: N. Koblitz (ed.), CRYPTO ’96, LNCS 1109, matics from Korea University (KOREA), pp. 237–251, Springer-Verlag, 1996. a Ph.D. degree in Engineering from [11] J. Kim, G. Kim, S. Hong, S. Lee, and D. Hong, “The Katholieke Universiteit Leuven (BEL- related-key rectangle attack — application to SHACAL-1”. GIUM) in 2006, and a Ph.D. degree in In- In: H. Wang, J. Pieprzyk, and V. Varadharajan (eds.), formation Security from Korea University ACISP ’04, LNCS 3108, pp. 123–136, Springer-Verlag, in 2007. Currently, he is a post doctoral 2004. researcher of the Center for Information [12] J. Kim, G. Kim, S. Lee, J. Lim, and J. Song, “Related-key Security Technologies (CIST) at Korea University, and his re- attacks on reduced rounds of SHACAL-2”. In: A. Canteaut search topic is symmetric-key cryptography. and K. Viswanathan (eds.), INDOCRYPT ’04, LNCS 3348, pp. 175–190, Springer-Verlag, 2004. [13] L.R. Knudsen, “Cryptanalysis of LOKI91”. In: J. Seberry and Y. Zheng (eds.), ASIACRYPT ’92, LNCS 718, pp. 196– 208, Springer-Verlag, 1993. [14] L.R. Knudsen, “DEAL — a 128-bit block cipher”. Technical report, Department of Informatics, University of Bergen, Norway, 1998. [15] J. Lu, J. Kim, N. Keller, and O. Dunkelman, “Related- key rectangle attack on 42-round SHACAL-2”. In: S.K. Katsikas, J. Lopez, M. Backes, S. Gritzalis, and B. Preneel (eds.), ISC ’06, LNCS 4176, pp. 85–100, Springer-Verlag, 2006. [16] NESSIE — New European Schemes for Signatures, In- tegrity and Encryption, https://www.cosic.esat.kuleuven.be /nessie/ [17] National Institute of Standards and Technology, USA, Se- cure Hash Standard FIPS 180-2, 2002. [18] Y. Shin, J. Kim, G. Kim, S. Hong, and S. Lee, “Differential- linear type attacks on reduced rounds of SHACAL-2”. In: H. Wang, J. Pieprzyk, and V. Varadharajan (eds.), ACISP ’04, LNCS 3108, pp. 110–122, Springer-Verlag, 2004. [19] D. Wagner, “The boomerang attack”. In: L.R. Knudsen (ed.), FSE ’99, LNCS 1636, pp. 156–170, Springer-Verlag, 1999. [20] G. Wang, “Related-key rectangle attack on 43-Round SHACAL-2”. In: E. Dawson and D.S. Wong (eds.), ISPEC ’07, LNCS 4464, pp. 33–42, Springer-Verlag, 2007.