Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis

Home , DEAL, Serpent (cipher), SHACAL, Square (cipher)

IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.9 SEPTEMBER 2008 2588

PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis

Jiqiang LU†a), Student Member and Jongsung KIM††b), Nonmember

SUMMARY SHACAL-2 is a 64-round block cipher with a 256-bit In 2004, Shin et al. [18] presented a square-nonlinear attack block size and a variable length key of up to 512 bits. It is a NESSIE se- on 28-round SHACAL-2 and a differential-nonlinear attack lected block cipher algorithm. In this paper, we observe that, when check- on 32-round SHACAL-2. Also in 2004, Kim et al. [12] ing whether a candidate quartet is useful in a (related-key) rectangle attack, ff we can check the two pairs from the quartet one after the other, instead of presented a related-key di erential-nonlinear attack on 35- checking them simultaneously; if the first pair does not meet the expected round SHACAL-2 and a related-key rectangle attack [11] conditions, we can discard the quartet immediately. We next exploit a 35- on 37-round SHACAL-2, where the latter is based on a 33- −460 round related-key rectangle distinguisher with probability 2 for the first round related-key rectangle distinguisher. In 2006, Lu et 35 rounds of SHACAL-2, which is built on an existing 24-round related- key differential and a new 10-round differential. Finally, taking advantage al. [15] presented a related-key rectangle attack on 42-round of the above observation, we use the distinguisher to mount a related-key SHACAL-2, after exploiting a 34-round related-key rectan- − rectangle attack on the first 44 rounds of SHACAL-2. The attack requires gle distinguisher with probability 2 456.76 and then adopt- 2233 related-key chosen plaintexts, and has a time complexity of 2497.2 com- ing the proposed early abort technique. In 2007, Wang putations. This is better than any previously published cryptanalytic results [20] presented a related-key rectangle attack on 43-round on SHACAL-2 in terms of the numbers of attacked rounds. key words: block cipher, SHACAL-2, differential cryptanalysis, related-key SHACAL-2, by extending Lu et al.’s 34-round related- rectangle attack key rectangle distinguisher to a 35-round distinguisher with probability 2−474.76. 1. Introduction In this paper, we find that there is a flaw in Wang’s attack algorithm on 43-round SHACAL-2, which makes the SHACAL-2 is a 64-round block cipher with a 256-bit block attack infeasible. We exploit a more powerful 35-round size and a variable length key of up to 512 bits, which was related-key rectangle distinguisher which has a probability − proposed in 2001 by Handschuh and Naccache [6] as a sub- of 2 460, following the previous work described in [15], [20]. mission to the NESSIE (New European Schemes for Sig- More importantly, we observe that, when checking whether natures, Integrity and Encryption) project [16]; it is based a candidate quartet is useful in a (related-key) rectangle at- on the compression function of SHA-256 [17], an ISO hash tack, we can check the two pairs from the quartet one after function international standard, where the plaintext enters the other, instead of checking them simultaneously; if the the compression function as the chaining value, and the key first pair does not meet the expected conditions, we can dis- enters the compression function as the message block. In card the quartet immediately. This can reduce the computa- 2003, SHACAL-2 became a NESSIE selected block cipher tion complexity of an attack, and, even more significantly, algorithm, after a thorough analysis of its security and per- may allow us to break more rounds of a cipher. Taking formance. advantage of this observation, we finally use the 35-round The published cryptanalytic results on SHACAL-2 are related-key rectangle distinguisher to conduct a related-key as follows. In 2003, Hong et al. [7] presented an impos- rectangle attack on the first 44 rounds of SHACAL-2. This sible differential attack [2], [14] on 30-round SHACAL-2. is better than any previously published cryptanalytic results on SHACAL-2 in terms of the numbers of attacked rounds. Manuscript received January 28, 2008. Manuscript revised March 21, 2008. Table 1 summarises both previous and our new cryptanalytic †The author is with the Information Security Group, Royal results on SHACAL-2 that uses 512 key bits. Holloway, University of London, Egham, Surrey TW20 OEX, UK. The rest of this paper is organised as follows. In the He as well as his work was supported by a British Chevening/Royal next section, we describe some notation and the SHACAL-2 Holloway Scholarship and the European Commission under con- block cipher. In Sect. 3, we introduce our observation on tract IST-2002-507932 (ECRYPT). †† related-key rectangle attacks. In Sect. 4, we give the 35- The author is with the Center for Information Security Tech- nologies (CIST), Korea University, Anam Dong, Sungbuk Gu, round related-key rectangle distinguisher with probability −460 Seoul, Korea. He was supported by the MKE (Ministry of Knowl- 2 , as well as the flaw in Wang’s attack. In Sect. 5, edge Economy), Korea, under the ITRC (Information Technol- we present our related-key rectangle attack on 44-round ogy Research Center) support program supervised by the IITA SHACAL-2. Section 6 concludes this paper. (Institute of Information Technology Advancement) (IITA-2008- (C1090-0801-0025)). a) E-mail: [email protected] b) E-mail: [email protected] DOI: 10.1093/ietfec/e91–a.9.2588

Copyright c 2008 The Institute of Electronics, Information and Communication Engineers LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 2589

Table 1 Summary of previous and our new cryptanalytic results on In the above description, Ki is the i-th round key, Wi is SHACAL-2. the i-th round constant, and the four functions Σ (X), Σ (X), Type o f Attack Rounds Data Time Memory S ource 0 1 Ch(X, Y, Z)andMaj(X, Y, Z) are defined as follows. Impossible diff. 30 744 CP 2495.1 214.5 [7] 40.9 494.1 45.9 Square 28 2 CP 2 2 [18] Σ0(X) = S 2(X) ⊕ S 13(X) ⊕ S 22(X), Differential 32 243.4 CP 2504.2 248.4 [18] Σ1(X) = S 6(X) ⊕ S 11(X) ⊕ S 25(X), Related-key diff. 35 242.4 RK-CP 2452.1 247.4 [12] Ch(X, Y, Z) = (X&Y) ⊕ (¬X&Z), Related-key 37 2235.2 RK-CP 2487 2240.2 [12] = ⊕ ⊕ rectangle 42 2243.4 RK-CP 2488.4 2247.4 [15] Maj(X, Y, Z) (X&Y) (X&Z) (Y&Z), 43† 2240.4 RK-CP 2480.4 2245.4 [20] 233 497.2 238 where S j(X) represents right rotation of X by j bits. 44 2 RK-CP 2 2 This The key schedule of SHACAL-2 accepts a variable diff.: differential, CP: Chosen Plaintexts, RK: Related-Key, length key of up to 512 bits. Shorter keys can be used by Time unit: Encryptions, Memory unit: Bytes, †: The attack has a flaw; see Sect. 4.2 of this paper. padding them with zeros to produce a 512-bit key string. The 512-bit user key K is divided into sixteen 32-bit words (K0, K1, ···, K15), which are the round keys for the first 16 rounds. Finally, the i-th round key (16 ≤ i ≤ 63) is gener- ated as follows, 2. Preliminaries i i−2 i−7 i−15 i−16 K = σ1(K ) K σ0(K ) K ,

2.1 Notation with σ0(X) = S 7(X) ⊕ S 18(X) ⊕ R3(X), σ (X) = S (X) ⊕ S (X) ⊕ R (X), •⊕: bitwise logical exclusive OR (XOR) 1 17 19 10 • & : bitwise logical AND where R j(X) represents right shift of X by j bits. • : addition modulo 232 •¬: bitwise logical complement 3. An Observation on Related-Key Rectangle Attacks •◦: functional composition • e j : a 32-bit word with zeros in all positions but bit j, In this section, we introduce our observation on related-key (0 ≤ j ≤ 31) rectangle attacks. • ⊕···⊕ ≤ ··· ≤ ei1,···,i j : ei1 ei j ,(0 i1, , i j 31) • e j,∼ : a 32-bit word that has 0’s in bits 0 to j − 1, a one 3.1 Description of Related-Key Rectangle Attacks in bit j and indeterminate values in bits ( j + 1) to 31 A related-key rectangle attack [4], [8], [11] is a combination ff The notion of di erence used throughout this paper is of a related-key attack [1], [13] and a rectangle attack [3]. A ⊕ with respect to the operation, unless otherwise stated ex- related-key attack requires an assumption that the attacker plicitly. knows the specific differences between one or more pairs of unknown keys; this assumption makes it difficult or even in- 2.2 The SHACAL-2 Block Cipher feasible to conduct in many cryptographic applications, but some of the current real-world applications allow for practi- SHACAL-2 [6] takes as input a 256-bit plaintext, and has a cal related-key attacks [10], for example, key-exchange pro- total of 64 rounds. Its encryption procedure can be described tocols and hash functions. A rectangle attack is a variant as follows. of the boomerang attack [19] and an improvement of the 1. The 256-bit plaintext P is represented as eight 32-bit amplified boomerang attack [9]. As a result, they share the words A0, B0, C0, D0, E0, F0, G0 and H0. same basic idea of using two (or more) short differentials 2. For i = 0to63: with larger probabilities instead of a long differential with a smaller probability. T i+1 = Ki Σ (Ei) Ch(Ei, Fi, Gi) Hi Wi, 1 1 A related-key rectangle attack is based on a related- i+1 =Σ i i i i T2 0(A ) Maj(A , B , C ), key rectangle distinguisher, which treats a block cipher + Hi 1 = Gi, E : {0, 1}n ×{0, 1}k →{0, 1}n as a cascade of two sub- + Gi 1 = Fi, ciphers E = E1 ◦ E0 and requires that there exists a + Fi 1 = Ei, related-key differential Δα → Δβ with probability p for E0: i+1 i i+1 0 0 0 E = D T n ⊕ ⊕ = = n ⊕ 1 , PrX∈{0,1} [EK (X) EK (X α) β] PrX∈{0,1} [EK (X) i+1 = i A B C D C , E0 (X⊕α) = β] = p, and a related-key differential Δγ → Δδ i+1 i KD C = B , 1 1 1 + with probability q for E :PrX∈{0,1}n [E (X) ⊕ E (X ⊕ γ) = i 1 = i KA KC B A , 1 1 + + + δ] = Pr ∈{ }n [E (X) ⊕ E (X ⊕ γ) = δ] = q,where i 1 = i 1 i 1 X 0,1 KB KD A T1 T2 . the four unknown user keys KA, KB, KC and KD satisfy 64 64 64 64 64 64 64 3. The ciphertext C is (A , B , C , D , E , F , G , KB = KA ⊕ ΔK0, KC = KA ⊕ ΔK1 and KD = KC ⊕ ΔK0, 64 H ). with ΔK0 and ΔK1 being two known differences. IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.9 SEPTEMBER 2008 2590

3.2 The Observation

A typical related-key rectangle attack treats a block cipher E : {0, 1}n ×{0, 1}k →{0, 1}n as a cascade of four sub-ciphers E = Eb ◦ E1 ◦ E0 ◦ Ea,whereE1 ◦ E0 denotes the rounds for the rectangle distinguisher, Ea denotes the rounds before 0 b 1 a a E ,andE denotes the rounds after E . Suppose KA, KB, a a a KC and KD are the subkeys used in E , which correspond to b b b b KA, KB, KC and KD, respectively; and KA, KB, KC and KD b are the subkeys used in E , which correspond to KA, KB, KC and KD, respectively. Given a guess for the subkeys used in Ea and Eb, the attacker tries to check whether a candidate quartet ((P, P∗), (P , P ∗)) meets the diﬀerence conditions required by the related-key rectangle distinguisher, that is, the following two conditions.

Fig. 1 A related-key rectangle distinguisher. a a ∗ a a ∗ E a (P) ⊕ E a (P ) = E a (P ) ⊕ E a (P ) = α, (4) KA KB KC KD − − − − Eb, 1(C) ⊕ Eb, 1(C ) = Eb, 1(C∗) ⊕ Eb, 1(C ∗) = δ, (5) ∗ Kb Kb Kb Kb A quartet consists of two pairs of plaintexts (P, P = A C B D ∗ P⊕α)and(P , P = P ⊕α). It is useful only if the two pairs = ∗ = ∗ = ∗ = ∗ ∗ where C EKA (P), C EKB (P ), C EKC (P ), C (P, P )and(P , P ) satisfy the following three conditions; ∗ − E (P ), and Eb, 1 denotes the inverse of Eb. see Fig. 1. KD In a chosen-plaintext attack scenario, the general ap- 0 ⊕ 0 ∗ = 0 ⊕ 0 ∗ proach to meet the conditions described in Eq. (4) is to C1: EK (P) EK (P ) EK (P ) EK (P ) A B C D choose the pairs (P, P∗)and(P , P ∗) in the following way. = β, (1) 0 ⊕ 0 = 0 ∗ ⊕ 0 ∗ 1. Choose a plaintext, P say, and encrypt it with Ea under C2: EK (P) EK (P ) EK (P ) EK (P ) A C B D the guess for Ka; we denote the encrypted value by = γ, (2) A a 1 0 1 0 1 0 EKa (P). C3: E (E (P)) ⊕ E (E (P ))=E (E A KA KA KC KC KB KB a ⊕ a ∗ 1 0 ∗ 2. Compute EKa (P) α, and decrypt it with E under the (P )) ⊕ E (E (P )) = δ. (3) A KD KD a guess for KB; the decrypted value is what we look for ∗ By assuming that the intermediate values after E0 P . ∗ distribute uniformly over all possible values, we can get 3. Choose the pair (P , P ) in the same way as described E0 (P) ⊕ E0 (P ) = γ with probability 2−n. Once this oc- above. KA KC curs, by C1 we know that E0 (P∗)⊕E0 (P ∗) = γ holds with ∗ ∗ KB KD Obviously, the quartet ((P, P ), (P , P )), selected in probability 1, for E0 (P∗)⊕E0 (P ∗) = (E0 (P)⊕E0 (P∗))⊕ KB KD KA KB the above way, meets the conditions described in Eq. (4). (E0 (P ) ⊕ E0 (P ∗)) ⊕ (E0 (P) ⊕ E0 (P )) = β ⊕ β ⊕ γ = γ. The remaining problem is to check whether it also meets KC KD KA KC As a result, by summarising all the possible β and γ, the conditions described in Eq. (5). we get that the probability that the quartet satisfies C3 is The key schedules of some block ciphers make it pos- expected to be about (Pr(Δα → Δβ))2 · 2−n · (Pr(Δγ → sible for us to know the subkey differences involved in Eb β,γ 2 −n 2 2 1 from the user key differences ΔK0 and ΔK1, especifically Δδ)) = 2 · (p · q) ,wherep = ( β Pr (Δα → Δβ)) 2 1 those with linearity. Thus, to check whether the candidate = 2 Δ → Δ 2 and q ( γ Pr ( γ δ)) . For a random function, this ∗ ∗ − × − quartet ((P, P ), (P , P )) meets the conditions in Eq. (5), we probability is about 2 n 2 = 2 2n. − do not need to guess all the four unknown subkeys; we just Therefore, if p · q > 2 n/2, the related-key rectangle guess one or more of them, and then XOR them with the distinguisher can distinguish between E and a random func- subkey differences to get the remaining unknown subkeys. tion, given sufficient chosen plaintext pairs. Whereas the key schedules of some block ciphers make it Note that there exist three kinds of related-key rectan- impossible for us to determine the subkey differences in- gle attacks, which correspond to the following three cases. b volved in E from the user key differences ΔK0 and ΔK1; † • Type 1: ΔK0 0, ΔK1 0, (four keys); thus it is necessary to guess the four unknown subkeys • Δ = Δ b b b b Type 2: K0 0, K1 0, (two keys); KA, KB, KC and KD to check whether the candidate quar- • Δ Δ = ∗ ∗ Type 3: K0 0, K1 0, (two keys). tet ((P, P ), (P , P )) meets the conditions in Eq. (5). †We consider the general related-key rectangle attack with four keys here; similar for the case with two keys. LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 2591

Previously, this is usually done by guessing the four subkeys at once, and then simultaneously decrypting both 4.1 The 34-Round Related-Key Rectangle Distinguisher ∗ ∗ the pairs (C, C )and(C , C ) to check whether they meet DuetoLuetal. the conditions in Eq. (5). However, in 2006, Lu et al. [15] found that it may be possible to partially determine whether In 2006, Lu et al. [15] gave a 24-round related- or not a candidate quartet in a related-key rectangle attack key differential (0, 0, e6,9,18,20, 25,29, e31, 0, e9,13,19, e18,29, e31) −38 is useful one or more rounds earlier than usual. Specifically, → (e13,24,28, 0, 0, 0, e13,24,28, 0, 0, 0) with probability 2 from Eq. (5) we know the expected output difference δ after for Rounds 1 to 24† and a 10-round differential 1 ff E . Thus, if we know the expected output di erences of one (e31, e31, e6,9,18,20,25,29,31, 0, 0, e9,13,19, e18,29,31, 0) → (e6,9,18, 1 −65 or more rounds after E , we can guess part of the subkeys 20,25,29, e31, 0, 0, e6,20,25, e31, 0, 0) with probability 2 for b b b b KA, KB, KC and KD such that we can check whether a can- Rounds 25 to 34. didate quartet meets one of the expected output differences They computed a square sum of at least 2−74(= 2−37×2) of the one or more rounds after E1. If not, we can discard it for the probabilities of all the 24-round related-key differen- immediately; otherwise, we guess part (or all) of the remain- tials for Rounds 1 to 24 that have only the output differences b b b b ing of the subkeys KA, KB, KC and KD, and check the quar- different from the above 24-round differential, and a square tet similarly. Since some candidate quartets are discarded sumofatleast2−126.76(= 2−63.38×2) for the probabilities of before the next subkey guess, this results in less computa- all the 10-round differentials for Rounds 25 to 34 that have tions in the following steps, and may allow us to break more only the input differences different from the above 10-round rounds, depending on how many candidate quartets are re- differential. maining and how many subkeys are required to guess. This As a result, they exploited a 34-round related-key rect- is called the early abort technique [15]. angle distinguisher with probability 2−456.76(= 2−74 ·2−126.76 · We further observe that the early abort technique can 2−256) for Rounds 1 to 34, which was finally used to break be conducted in a more efficient way. Our observation fo- the first 42 rounds of SHACAL-2 along with the proposed cuses on a single application of the early abort technique. early abort technique. To make things clearer, we assume that the round imme- 1 diately following E is the target round for an application 4.2 The 35-Round Related-Key Rectangle Distinguisher of the early abort technique, and, to simplify our explana- Due to Wang tion we assume that Eb has only this round (by this we can continue to use the above notation for the ciphertexts and In 2007, Wang [20] found that Lu et al.’s 34-round subkeys without defining more). The observation is as fol- related-key rectangle distinguisher can be extended to a b b lows. We can first guess the two subkeys KA and KC con- 35-round distinguisher by appending one-round related- nected with the pair (C, C ), and then check whether the pair key differential with probability 1 at the beginning: − − meets the condition Eb, 1(C) ⊕ Eb, 1(C ) = δ. If the pair = 0 0 0 0 0 0 0 0 Kb Kb given a plaintext pair P (A , B , C , D , E , F , G , H ) A C 0 0 0 0 0 0 0 0 does not meet this condition, then we can discard the candi- and P = (A , B , C , D , E , F , G , H ) with some 0 date quartet; if it does meet the condition, then we guess the fixed bits as described in Eq. (6), (where xi denotes b b 0 ff other two subkeys KB and KD connected with the other pair the i-th bit of X ), the 25-round related-key di er- − (C∗, C ∗), and check whether this pair meets the condition ential with probability 2 47 for Rounds 0 to 24 is b,−1 ∗ b,−1 ∗ E (C ) ⊕ E (C ) = δ. The candidate quartet is useful (0, e6,9,18,20,25,29, e31, 0, e9,13,19, e18,29, e31, Δ ) → (e13,24,28, 0, Kb Kb B D Δ =Σ 0 − Σ 0 ⊕ if, and only if, every pair meets the respective conditions. 0, 0, e13,24,28, 0, 0, 0), where 1(E ) 1(E e9,13,19) ff ⊕ = Δ 0 Δ 1 ··· Δ 15 = This can reduce the computational workload of a andthekeydi erence is K K ( K , K , , K ) related-key rectangle attack, and, even more significantly, (e31, 0, 0, 0, 0, 0, 0, 0, 0, e31, 0, 0, 0, 0, 0, 0). See Table 2 for may allow us to break more rounds of a cipher, depending on more details. the distinguisher used and the round structure of the cipher. a0 = b0 , a0 = c0, for i = 6, 9, 18, 20, 25, 29; Note that this observation can be also used to improve a 31 31 i i b0 = ¬e0, a0 = ¬ f 0, for i = 19, 30; rectangle attack, although this improvement is usually small 9 9 i i (6) 1 e0 = 0, for i = 18, 29, 30; (generally, a factor of 2 on the computational workload). i 0 = 0 = fi gi , for i 9, 13, 19. 4. A 35-Round Related-Key Rectangle Distinguisher − ff with Probability 2 460 of SHACAL-2 The second di erential for the 35-round distinguisher is the same 10-round differential as that used in the 34-round In this section, we exploit a 35-round related-key rectan- related-key rectangle distinguisher due to Lu et al. gle distinguisher with probability 2−460 for Rounds 0 to 34, As a result, Wang exploited a 35-round related-key −46 2 · −126.76 · following the previous work described in [15], [20]; the dis- rectangle distinguisher with probability (2 ) 2 −256 = −474.76 tinguisher belongs to Type 3. Besides, we give the flaw in 2 2 , which was used to break the first 43 rounds Wang’s attack on 43-round SHACAL-2. of SHACAL-2. †Certain input bits are fixed to meet several conditions. IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.9 SEPTEMBER 2008 2592

Table 2 The 25-round related-key diﬀerential for Rounds 0 to 24, where M = {6, 9, 18, 20, 25, 29}. Round (i) ΔAi ΔBi ΔCi ΔDi ΔEi ΔFi ΔGi ΔHi ΔKi Prob.

0 0 eM e31 0 e9,13,19 e18,29 e31 Δ e31 1 −11 1 00eM e31 0 e9,13,19 e18,29 e31 0 2 −10 2 e31 00eM 00e9,13,19 e18,29 0 2 −7 3 0 e31 00e6,20,25 00e9,13,19 0 2 −4 4 00e31 00e6,20,25 000 2 −3 5 000e31 00e6,20,25 0 0 2 −4 6 0000e31 00e6,20,25 0 2 −1 7 00000 e31 000 2 −1 8 00000 0e31 0 0 2 9 00000 0 0e31 e31 1 10 00000 0 0 00 1 ...... 23 00000 0 0 00 1 24 00000 0 0 0· 2−6

output e13,24,28 000e13,24,28 000/ /

Table 3 The 10-round diﬀerential for Rounds 25 to 34, where M = {6, 9, 18, 20, 25, 29}. Round (i) ΔAi ΔBi ΔCi ΔDi ΔEi ΔFi ΔGi ΔHi Prob. −11 25 00eM e31 0 e9,13,19 e13,18,29 e13,31 2 −14 26 e31 00eM 00e9,13,19 e13,18,29 2 −7 27 0 e31 00e6,20,25 00e9,13,19 2 −4 28 00e31 00e6,20,25 002 −3 29 000e31 00e6,20,25 0 2 −4 30 0000 e31 00e6,20,25 2 −1 31 0000 0 e31 002 −1 32 0000 0 0 e31 0 2 33 0000 0 0 0 e31 1 −11 34 e31 000 e31 00 02 output eM e31 00e6,20,25 e31 00/

However, we find a flaw in Wang’s attack algorithm, a probability of 2−56. See Table 3 for more details. which makes the attack infeasible. Using this 10-round differential with probability 2−56 and the 25-round related-key differential with probability 4.2.1 A Flaw in Wang’s Attack 2−47 due to Wang, we get a new 35-round related-key rectangle distinguisher, which has a probability of at least 2−460(= In Wang’s attack [20], the probability that 6 or more (2−46 ·2−56)2 ·2−256) for the correct key, and has a probability −256 2 = −512 quartets pass the filtering condition in Step 6 is about of (2 ) 2 for a wrong key. 231.76 231.76 · −32×2 i · − −32×2 231.76−i ≈ −202.93 i=6 [ i (2 ) (1 2 ) ] 2 ,so it is expected that about 2448 · 2−202.93 = 2245.07 guesses 5. Related-Key Rectangle Attack on 44-Round of ((K36, ···, K42), (K∗36, ···, K∗42)) are suggested in Step 6. SHACAL-2 Thus, to find the 512-bit user key by exhaustively search- ing for the remaining 288 bits, Step 7 is expected to have a Assume that the two related user keys are K and K.First,we ff time complexity much larger than 2512. Therefore, unlike review the following di erential property of SHACAL-2, what the author claimed, the attack cannot break 43-round which allows us to break more rounds by using the early SHACAL-2 (faster than an exhaustive key search). abort technique proposed in [15]. Property 1 (from [15], [20]): If the values of (Ai, Bi, 4.3 A 35-Round Related-Key Rectangle Distinguisher ··· i i i ··· i ff −460 , H )and(A , B , , H ), and the additive di erence be- with Probability 2 tween Ki−1 and Ki−1 are known, then we can get the val- − − − i−1 i−1 i−1 i 1 i 1 i 1 ff ues of (A , B , ···, G )and(A , B , ···, G ), the We exploit a more powerful 10-round di erential for i−1 additive difference between Hi−1 and H , the values of Rounds 25 to 34: (0, 0, e6,9,18,20,25,29, e31, 0, e9,13,19, e18, − − − i−5 i−5 i−5 i 5 i 5 i 5 19, e31)→(e6,9,18,20,25,29, e31, 0, 0, e6,20,25, e31, 0, 0), which has (A , B , C )and(A , B , C ), and the additive dif- LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 2593

i−5 35 35 35 35 35 35 Di−5 D A , B , C A , B , C ff ference between and . ( i0 i0 i0 ), ( i1 i1 i1 ), the additive di erence between D35 and D35, and the additive difference be- i0 i1 From the key schedule of SHACAL-2, we know that 35 35 tween D and D . Finally, we choose only the it is impossible to determine the subkey differences of the i0 i1 ff quartets (C40, C40, C40, C40) such that (A35, B35, C35) ⊕ last few rounds (to be attacked) from the user key di er- i0 i0 i1 i1 i0 i0 i0 35 35 35 ence K ⊕ K; thus, to conduct an early abort on a candidate (A35, B35, C35) = (e , e , 0), (A , B , C )⊕ i1 i1 i1 6,9,18,20,25,29 31 i0 i0 i0 quartet it is necessary to guess the two unknown subkeys in 35 35 35 35 35 (A , B , C ) = (e6,9,18,20, 25,29, e31, 0), and D −D = every such a round, corresponding to K and K. In previous i1 i1 i1 i0 i1 35 35 related-key rectangle attacks on reduced-round SHACAL-2 D − D = i0 i1 0. If 6 or more quartets pass this test, presented in [15], [20], this is done by first guessing both the record all the qualified quartets, and go to Step 4; oth- round subkeys at a time, then partially decrypting a candi- erwise, repeat this step with another guess. date quartet to get its corresponding quartet just before this 4. For every remaining quartet (C40, C40, C40, C40), do the i0 i1 i0 i1 round, and finally checking whether it meets difference con- following. ditions. However, as described in Sect. 3, we can check the a. Guess a 32-bit subkey K39 in Round 39. Par- two pairs from a candidate quartet one after the other; more tially decrypt C40 and C40 through Round 39 with specifically, when we conduct an early abort on a candidate i0 i1 39 quartet, we first check whether one pair from the quartet is K to get their intermediate values just before Round 39; we denote them by C39 and C39,re- useful, by guessing only the single subkey involved. If not, i0 i1 then this quartet is not useful, thus we can discard it imme- spectively. Thus, we can compute the the additive difference between H38 and H38 by Prop- diately; otherwise, we check the other pair by guessing the i0 i1 38 = 35 other subkey. The candidate quartet is useful if, and only if, erty 1; since Hi Ei , we choose only the both the pairs are useful. quartets (C40, C40, C40, C40) such that H38 − H38 ∈ i0 i1 i0 i1 i0 i1 We can use the 35-round distinguisher given in Sect. 4 {±26±220±225}. If 6 or more quartets pass this test, to mount the following related-key rectangle attack on the record all the qualified (C40, C40, C40, C40), and go i0 i1 i0 i1 first 44 rounds of SHACAL-2. The observation described to Step 4-(b); otherwise, repeat this step with an- in Sect. 3.2 plays a crucial role on the efficiency of our at- other guess of K39. tack; otherwise, the distinguisher would enable us to break b. Guess a 32-bit subkey K39 in Round 39. Par- just the first 43 rounds of SHACAL-1 in a similar way as 40 40 tially decrypt Ci and Ci through Round 39 with described in [15]. 0 1 K39 to get their intermediate values just before 39 39 232 0 0 0 0 Round 39; we denote them by C and C ,re- 1. Choose a set S of 2 plaintexts P = (A , B , C , D , i0 i1 i i i i i spectively. Similarly, we choose only the quar- E0, F0, G0, H0), under the condition of Eq. (6), (i = i i i i 38 38 ··· 232 tets (C40, C40, C40, C40) such that H − H ∈ 1, 2, , 2 ). In a chosen-plaintext attack scenario, i0 i1 i0 i1 i0 i1 obtain all their corresponding ciphertexts under the key {±26±220±225}. If 6 or more quartets pass this test, K; we denote them by C , respectively. record all the qualified (C39, C39, C39, C39), and go i i0 i1 i0 i1 232 = 0 0 to Step 5; otherwise, repeat this step with another 2. Compute another set S of 2 plaintexts Pi (A , B , 0 0 0 0 0 0 guess of K39. C , D , E , F , G , H ) = (A0, B0 ⊕ e , i i 6,9,18,20,25,29 C0 ⊕e , D0, E0 ⊕ e , F0 ⊕ e , G0 ⊕e , 5. For every remaining quartet (C39, C39, C39, C39), do the i 31 i i 9,13,19 i 18,29 i 31 i0 i1 i0 i1 0 +Σ 0 − Σ 0 ⊕ 32 Hi 1(Ei ) 1(Ei e9,13,19)mod2 ). In a chosen- following. plaintext attack scenario, obtain all their correspond- K38 = ⊕ a. Guess a 32-bit subkey in Round 38. Par- ing ciphertexts under the related key K K tially decrypt C39 and C39 through Round 38 with i0 i1 (e31, 0, 0, 0, 0, 0, 0, 0, 0, e31, 0, 0, 0, 0, 0, 0); we denote K38 to get their intermediate values just before them by Ci, respectively. 38 38 40 41 42 43 Round 38; we denote them by C and C ,re- 3. Guess a 128-bit subkey pair ((K , K , K , K ), i0 i1 40 41 42 43 spectively. Thus, we can compute E35, E35,and (K , K , K , K )) in Rounds 40, 41, 42 and 43. i0 i1 the additive difference between H37 and H37.We Then, partially decrypt all the ciphertexts Ci through i0 i1 Rounds 43–40 with (K43, K42, K41, K40) to get their choose only the quartets (C39, C39, C39, C39)such i0 i1 i0 i1 intermediate values just before Round 40; we de- 35 35 37 37 31 that E ⊕ E = e , , and H − H ∈{±2 }. 40 i0 i1 6 20 25 i0 i1 note them by Ci , respectively. Partially decrypt If 6 or more quartets pass this test, record all the 39 39 39 39 all the ciphertexts Ci through Rounds 43–40 with qualified (C , C , C , C ), and go to Step 5-(b); i0 i1 i0 i1 (K43, K42, K41, K40) to get their intermediate values just otherwise, repeat this step with another guess of 40 38 before Round 40; we denote them by Ci , respec- K . 40 40 38 tively. Keep (Ci , Ci ) in a hash table. This pro- b. Guess a 32-bit subkey K in Round 38. Par- 232×2 = 463 tially decrypt C39 and C40 through Round 38 with cess proposes about 2 /2 2 candidate quar- i0 i1 tets (C40, C40, C40, C40), where 1 ≤ i ≤ i ≤ 2232. 38 i0 i0 i1 i1 0 1 K to get their intermediate values just before By Property 1, we know (A35, B35, C35), (A35, B35, C35), Round 38; we denote them by C38 and C38,re- i0 i0 i0 i1 i1 i1 i0 i1 IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.9 SEPTEMBER 2008 2594

35 35 35 35 spectively. Thus, we can compute E , E ,and tets (C37, C37, C37, C37) such that H − H = i0 i1 i0 i1 i0 i1 i0 i1 37 37 the additive difference between H and H .We 0. If 6 or more quartets pass this test, record i0 i1 36 37 ··· 42 40 40 40 40 (K , K , , K ),andgotoStep8;otherwise, choose only the quartets (C , C , C , C )such 36 i0 i1 i0 i1 repeat this step with another guess of K . 35 35 37 37 31 that E ⊕ E = e6,20,25 and H − H ∈{±2 }. i0 i1 i0 i1 36 37 ··· 43 If 6 or more quartets pass this test, record all the 8. For a recorded (K , K , , K ), exhaustively search for the remaining 256 bits with one known pair of qualified (C38, C38, C38, C38),andgotoStep6; i0 i1 i0 i1 plaintext and ciphertext. If a 512-bit key is suggested, otherwise, repeat this step with another guess of output it as the user key of the 44-round SHACAL-2; K38. otherwise, repeat Step 3 with another guess. 6. For every remaining quartet (C38, C38, C38, C38), do the i0 i1 i0 i1 233 following. This attack requires 2 related-key chosen plaintexts. The required memory for this attack is dominated by the a. Guess a 32-bit subkey K37 in Round 37. Par- ciphertexts, which is approximately 2233 ·32 ≈ 2238 memory tially decrypt C38 and C38 through Round 37 with i0 i1 bytes. 37 · 232 · 32×8 · 8 ≈ 486.54 K to get their intermediate values just before Step 3 has about 2 2 2 44 2 44-round Round 37; we denote them by C37 and C37,re- SHACAL-2 encryptions, and it also requires about 232×8 · i0 i1 35 35 2232 · 232 = 2490.86 memory accesses if conducted on a 32- spectively. Thus, we can compute Fi , Fi ,and 32 0 1 486.54 the additive difference between H36 and H36.We bit computer, which is negligible compared with the 2 i0 i1 38 38 38 38 encryptions. Due to the 128-bit filtering condition in Step 3, choose only the quartets (C , C , C , C )such − i0 i1 i0 i1 463 · 128 2 = 207 35 35 36 36 it is expected that only about 2 (2 ) 2 candidate that F ⊕ F = e31 and H − H = 0. If 6 or i0 i1 i0 i1 quartets remain after Step 3 for every key guess. more quartets pass this test, record all the quali- The time complexity of Step 4-(a) is about 2·2207·232×9· fied (C38, C38, C38, C38), and go to Step 6-(b); oth- 1 ≈ 490.54 i0 i1 i0 i1 44 2 encryptions. There is a filtering condition of 37 3 erwise, repeat this step with another guess of K . 2 = 2−29 in either of Steps 4-(a) and (b). In Step 4-(a), by 37 232 b. Guess a 32-bit subkey K in Round 37. Par- Poisson distribution, we can know that the probability that tially decrypt C38 and C38 through Round 37 with i0 i1 6 or more quartets pass the test for a wrong guess is about K37 to get their intermediate values just before 1, thus it follows that all the 2288 key guesses pass this step; Round 37; we denote them by C37 and C37,re- and about 2207 · 2−29 = 2178 candidate quartets remain after i0 i1 35 35 this step for every key guess. The time complexity of Step spectively. Thus, we can compute F , F ,and × i0 i1 · 178 · 32 10 · 1 ≈ 493.54 36 36 4-(b) is about 2 2 2 44 2 encryptions. In Step ff H H the additive di erence between i0 and i1 .We 4-(b), the probability that 6 or more quartets pass the test for choose only the quartets (C38, C38, C38, C38)such a wrong guess is also about 1, thus it follows that all the i0 i1 i0 i1 − 35 35 36 36 2320 key guesses pass this step; and about 2178 · 2 29 = 2149 that F ⊕ F = e31 and H − H = 0. If 6 or i0 i1 i0 i1 candidate quartets remain after this step for every key guess. more quartets pass this test, record all the qualified 149 37 37 37 37 The time complexity of Step 5-(a) is about 2 · 2 · (C , C , C , C ),andgotoStep7;otherwise, × i0 i1 i0 i1 232 11· 1 ≈ 2496.54 encryptions. There is a filtering condition 37 44 repeat this step with another guess of K . 2 · 1 = −34 of 232 23 2 in either of Steps 5-(a) and (b). In Step 5- 7. For every remaining quartet (C37, C37, C37, C37), do the (a), the probability that 6 or more quartets pass the test for i0 i1 i0 i1 following. a wrong guess is about 1, so it follows that all the 2352 key guesses pass this step; and about 2149 · 2−34 = 2115 candidate a. Guess a 32-bit subkey K36 in Round 36. Partially 37 37 36 quartets remain after this step for every key guess. The time decrypt C and C through Round 36 with K 115 32×12 1 494.54 i0 i1 complexity of Step 5-(b) is about 2·2 ·2 · ≈ 2 to get their intermediate values just before Round 44 encryptions. In Step 5-(b), since the probability that 6 or 36; we denote them by C36 and C36, respectively. i0 i1 more quartets pass the test for a wrong guess is also about Thus, we can compute the additive difference be- 384 35 35 1, it follows that all the 2 key guesses pass this step; and tween H and H . We choose only the quartets 115 −34 81 i0 i1 about 2 · 2 = 2 candidate quartets remain after this (C37, C37, C37, C37) such that H35 − H35 = 0. If 6 i0 i1 i0 i1 i0 i1 step for every key guess. or more quartets pass this test, record all the quali- · 81· 32×13· The time complexity of Step 6-(a) is about 2 2 2 fied (C37, C37, C37, C37), and go to Step 7-(b); oth- 1 ≈ 492.54 i0 i1 i0 i1 44 2 encryptions. There is a filtering condition of erwise, repeat this step with another guess of K36. 1 · 1 = 2−33 in either of Steps 6-(a) and (b). In Step 6- 232 2 b. Guess a 32-bit subkey K36 in Round 36. Partially (a), the probability that 6 or more quartets pass the test for decrypt C37 and C37 through Round 36 with K36 i0 i1 a wrong guess is about 1 as well, thus it follows that all the to get their intermediate values just before Round 2416 key guesses pass this step; and about 281 · 2−33 = 248 36; we denote them by C36 and C36, respectively. i0 i1 candidate quartets remain after this step for every key guess. Thus, we can compute the additive difference be- The time complexity of Step 6-(b) is about 2·248·232×14· 1 ≈ 35 35 44 H H 491.54 tween i0 and i1 . We choose only the quar- 2 encryptions. In Step 6-(b), the probability that 6 or LU and KIM: ATTACKING 44 ROUNDS OF THE SHACAL-2 BLOCK CIPHER USING RELATED-KEY RECTANGLE CRYPTANALYSIS 2595

Table 4 The time complexity of (each step of) the attack. Step (i) Time Complexity Acknowledgments 1 2232 Encryptions 2 2232 Encryptions The authors are very grateful to Orr Dunkelman and Nathan 3 2486.54 Encryptions Keller for their valuable discussions, and thank Gaoli Wang 4 2490.54 + 2493.54 ≈ 2493.71 Encryptions and the two anonymous reviewers for their comments. 5 2496.54 + 2494.54 ≈ 2496.87 Encryptions 6 2492.54 + 2491.54 ≈ 2493.13 Encryptions References 7 2490.54 + 2398.63 ≈ 2490.54 Encryptions [1] E. Biham, “New types of cryptanalytic attacks using related 8 2464.51 Encryptions keys,” EUROCRYPT’93, ed. T. Helleseth, LNCS 765, pp.398–409, 497.2 total 2 Encryptions Springer-Verlag, 1993. [2] E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skip- jack reduced to 31 rounds using impossible differentials,” EURO- more quartets pass the test for a wrong guess is about 1, CRYPT’99, ed. J. Stern, LNCS 1592, pp.12–23, Springer-Verlag, thus it follows that all the 2448 key guesses pass this step; 1999. and about 248 · 2−33 = 215 candidate quartets remain after [3] E. Biham, O. Dunkelman, and N. Keller, “The rectangle attack— this step for every key guess. Rectangling the serpent,” EUROCRYPT’01, ed. B. Pfitzmann, LNCS 2045, pp.340–357, Springer-Verlag, 2001. · 15 · The time complexity of Step 7-(a) is about 2 2 [4] E. Biham, O. Dunkelman, and N. Keller, “Related-key boomerang 32×15 · 1 ≈ 490.54 2 44 2 encryptions. There is a filtering condi- and rectangle attacks,” EUROCRYPT’05, ed. R. Cramer, LNCS tion of 2−32 in either of Steps 7-(a) and (b). In Step 7-(a), the 3494, pp.507–525, Springer-Verlag, 2005. ff probability that 6 or more quartets pass the test for a wrong [5] E. Biham and A. Shamir, Di erential cryptanalysis of the Data En- 15 15 cryption Standard, Springer, 1993. 2 2 · −32 i · − −32 215−i ≈ −111.49 guess is about i=6[ i (2 ) (1 2 ) ] 2 , [6] H. Handschuh and D. Naccache, SHACAL, NESSIE, 2001. thus it follows that about the 2480 · 2−111.49 = 2368.51 key [7] S. Hong, J. Kim, G. Kim, J. Sung, C. Lee, and S. Lee, “Impossi- guesses pass this step. The time complexity of Step 7-(b) ble differential attack on 30-round SHACAL-2,” INDOCRYPT’03, is about 2 · 2368.51+32 · 6 · 1 ≈ 2398.63 encryptions. In Step eds. T. Johansson and S. Maitra, LNCS 2904, pp.97–106, Springer- 44 Verlag, 2003. 7-(b), the probability that 6 or more quartets pass the test [8] S. Hong, J. Kim, S. Lee, and B. Preneel, “Related-key rectan- −32 6 −192 for a wrong guess is about (2 ) = 2 ,soitisex- gle attacks on reduced versions of SHACAL-1 and AES-192,” + − pected that only about 2368.51 32 · 2 192 = 2208.51 guesses of FSE’05, eds. H. Gilbert and H. Handschuh, LNCS 3557, pp.368– (K36, K37, ···, K43) pass Step 7-(b), which result in 2464.51 383, Springer-Verlag, 2005. trials in Step 8. [9] J. Kelsey, T. Kohno, and B. Schneier, “Amplified boomerang at- Table 4 summarises the time complexity of each step of tacks against reduced-round MARS and Serpent,” FSE’00, ed. B. Schneier, LNCS 1978, pp.75–93, Springer-Verlag, 2001. the attack. Therefore, the attack has a total time complexity [10] J. Kelsey, B. Schneier, and D. Wagner, “Key-schedule cryptanalysis 497.2 of approximately 2 44-round SHACAL-2 computations, of IDEA, G-DES, GOST, SAFER, and Triple-DES,” CRYPTO’96, faster than an exhaustive search. ed. N. Koblitz, LNCS 1109, pp.237–251, Springer-Verlag, 1996. As about 2463 quartets are tested in this attack and the [11] J. Kim, G. Kim, S. Hong, S. Lee, and D. Hong, “The related- 35-round related-key rectangle distinguisher has a probabil- key rectangle attack—Application to SHACAL-1,” ACISP’04, eds. −460 H. Wang, J. Pieprzyk, and V. Varadharajan, LNCS 3108, pp.123– ity of 2 , we can learn that the expected number of the 136, Springer-Verlag, 2004. qualified quartets for the correct key guess in Step 7-(b) is [12] J. Kim, G. Kim, S. Lee, J. Lim, and J. Song, “Related-key attacks on 463 · −460 = about 2 2 8. The probability that 6 or more quartets reduced rounds of SHACAL-2,” INDOCRYPT’04, eds. A. Canteaut 2463 2463 · −460 i · − −460 2463−i ≈ and K. Viswanathan, LNCS 3348, pp.175–190, Springer-Verlag, pass Step 7-(b) is i=6 [ i (2 ) (1 2 ) ] 0.8, therefore, the related-key rectangle attack works with a suc- 2004. [13] L.R. Knudsen, “Cryptanalysis of LOKI91,” ASIACRYPT’92, eds. cess probability of 80%. J. Seberry and Y. Zheng, LNCS 718, pp.196–208, Springer-Verlag, 1993. 6. Conclusions [14] L.R. Knudsen, “DEAL—A 128-bit block cipher,” Technical report, Department of Informatics, University of Bergen, Norway, 1998. SHACAL-2 is a NESSIE selected block cipher algorithm. [15] J. Lu, J. Kim, N. Keller, and O. Dunkelman, “Related-key rectangle attack on 42-round SHACAL-2,” ISC’06, eds. S.K. Katsikas, In this paper, we observe that, when checking whether a J. Lopez, M. Backes, S. Gritzalis, and B. Preneel, LNCS 4176, candidate quartet is useful in a (related-key) rectangle at- pp.85–100, Springer-Verlag, 2006. tack, we can check the two pairs from the quartet one after [16] NESSIE—New European Schemes for Signatures, Integrity and En- the other, instead of checking them simultaneously; if the cryption, https://www.cosic.esat.kuleuven.be/nessie/ first pair does not meet expected conditions, we can dis- [17] National Institute of Standards and Technology, USA, Secure Hash card the quartet immediately. Using this observation, we Standard FIPS 180-2, 2002. [18] Y. Shin, J. Kim, G. Kim, S. Hong, and S. Lee, “Differential-linear present a related-key rectangle attack on the first 44 rounds type attacks on reduced rounds of SHACAL-2,” ACISP’04, eds. of SHACAL-2, after exploiting a 35-round related-key rect- H. Wang, J. Pieprzyk, and V. Varadharajan, LNCS 3108, pp.110– − angle distinguisher with probability 2 460. This is the best 122, Springer-Verlag, 2004. currently published cryptanalytic result on SHACAL-2. [19] D. Wagner, “The boomerang attack,” FSE’99, ed. L.R. Knudsen, LNCS 1636, pp.156–170, Springer-Verlag, 1999. IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.9 SEPTEMBER 2008 2596

[20] G. Wang, “Related-key rectangle attack on 43-Round SHACAL-2,” ISPEC’07, eds. E. Dawson and D.S. Wong, LNCS 4464, pp.33–42, Springer-Verlag, 2007.

Jiqiang Lu was born in Gaomi city, Shan- dong province, CHINA, in November 1977. He received a B.Sc. degree in Applied Mathemat- ics from Yantai University (CHINA) in July 2000 and a M.Eng. degree in Information and Communication Engineering from Xidian Uni- versity (CHINA) in March 2003. He then served sequentially as a government oﬃcer in the Intellectual Property Oﬃce of Department of Science & Technology of Shandong Prov- ince (CHINA), a research assistant in Informa- tion and Communication University (KOREA), and a software engineer in ONETS Wireless&Internet Security Co. Ltd. (CHINA) and the Beijing R&D Institute, Huawei Technologies, Co. Ltd. (CHINA). Currently, he is a Ph.D. candidate in the Information Security Group, Royal Holloway, Uni- versity of London (UK), and his research topic is cryptanalysis of block ciphers.

Jongsung Kim was born in Chungbuk, SOUTH KOREA, in 1978. He received a Bach- elor degree in 2000 and a Master degree in 2002, both in Mathematics from Korea Uni- versity (KOREA), a Ph.D. degree in Engineer- ing from Katholieke Universiteit Leuven (BEL- GIUM) in 2006, and a Ph.D. degree in Infor- mation Security from Korea University in 2007. Currently, he is a post doctoral researcher of the Center for Information Security Technologies (CIST) at Korea University, and his research topic is symmetric-key cryptography.