IEICE TRANS. FUNDAMENTALS, VOL.Exx{??, NO.xx XXXX 200x 1 PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis¤ Jiqiang LUya) and Jongsung KIMyyb), Table 1 Summary of previous and our new cryptanalytic re- SUMMARY SHACAL-2 is a 64-round block cipher with a sults on SHACAL-2 256-bit block size and a variable length key of up to 512 bits. It is a NESSIE selected block cipher algorithm. In this paper, we ob- T ype of Attack Rounds Data T ime Memory Source serve that, when checking whether a candidate quartet is useful in Impossible di®. 30 744 CP 2495:1 214:5 [7] a (related-key) rectangle attack, we can check the two pairs from Square 28 240:9 CP 2494:1 245:9 [18] the quartet one after the other, instead of checking them simul- 43:4 504:2 48:4 taneously; if the ¯rst pair does not meet the expected conditions, Di®erential 32 2 CP 2 2 [18] we can discard the quartet immediately. We next exploit a 35- Related-key di®. 35 242:4 RK-CP 2452:1 247:4 [12] round related-key rectangle distinguisher with probability 2¡460 Related-key 37 2235:2 RK-CP 2487 2240:2 [12] for the ¯rst 35 rounds of SHACAL-2, which is built on an existing rectangle 42 2243:4 RK-CP 2488:4 2247:4 [15] 24-round related-key di®erential and a new 10-round di®erential. 43y 2240:4 RK-CP 2480:4 2245:4 [20] Finally, taking advantage of the above observation, we use the 233 497:2 238 distinguisher to mount a related-key rectangle attack on the ¯rst 44 2 RK-CP 2 2 This 44 rounds of SHACAL-2. The attack requires 2233 related-key di®.: di®erential, CP: Chosen Plaintexts, RK: Related-Key, chosen plaintexts, and has a time complexity of 2497:2 computa- Time unit: Encryptions, Memory unit: Bytes, tions. This is better than any previously published cryptanalytic y: The attack has a flaw; see Section 4.2 of this paper. results on SHACAL-2 in terms of the numbers of attacked rounds. key words: Block cipher, SHACAL-2, Di®erential cryptanaly- sis, Related-key rectangle attack gorithm, after a thorough analysis of its security and 1. Introduction performance. The published cryptanalytic results on SHACAL-2 SHACAL-2 is a 64-round block cipher with a 256-bit are as follows. In 2003, Hong et al. [7] presented block size and a variable length key of up to 512 bits, an impossible di®erential attack[2], [14] on 30-round which was proposed in 2001 by Handschuh and Nac- SHACAL-2. In 2004, Shin et al. [18] presented a cache [6] as a submission to the NESSIE (New Euro- square-nonlinear attack on 28-round SHACAL-2 and pean Schemes for Signatures, Integrity and Encryption) a di®erential-nonlinear attack on 32-round SHACAL-2. project [16]; it is based on the compression function Also in 2004, Kim et al. [12] presented a related-key of SHA-256 [17], an ISO hash function international di®erential-nonlinear attack on 35-round SHACAL-2 standard, where the plaintext enters the compression and a related-key rectangle attack [11] on 37-round function as the chaining value, and the key enters the SHACAL-2, where the latter is based on a 33-round compression function as the message block. In 2003, related-key rectangle distinguisher. In 2006, Lu et SHACAL-2 became a NESSIE selected block cipher al- al. [15] presented a related-key rectangle attack on 42- y round SHACAL-2, after exploiting a 34-round related- The author is with the Information Security Group, key rectangle distinguisher with probability 2¡456:76 Royal Holloway, University of London, Egham, Surrey TW20 OEX, UK. He as well as his work was supported and then adopting the proposed early abort technique. by a British Chevening / Royal Holloway Scholarship and In 2007, Wang [20] presented a related-key rectangle the European Commission under contract IST-2002-507932 attack on 43-round SHACAL-2, by extending Lu et (ECRYPT). al.'s 34-round related-key rectangle distinguisher to a yyThe author is with the Center for Information Security 35-round distinguisher with probability 2¡474:76. Technologies (CIST), Korea University, Anam Dong, Sung- In this paper, we ¯nd that there is a flaw in Wang's buk Gu, Seoul, Korea. He was supported by the MKE (Min- istry of Knowledge Economy), Korea, under the ITRC (In- attack algorithm on 43-round SHACAL-2, which makes formation Technology Research Center) support program the attack infeasible. We exploit a more powerful 35- supervised by the IITA (Institute of Information Technol- round related-key rectangle distinguisher which has a ogy Advancement) (IITA-2008-(C1090-0801-0025)). probability of 2¡460, following the previous work de- a) E-mail: lvjiqiang AT hotmail.com scribed in [15], [20]. More importantly, we observe that, b) E-mail: joshep AT cist.korea.ac.kr when checking whether a candidate quartet is useful ¤This paper was published in IEICE Transactions on Fundamentals of Electronics, Communications and Com- in a (related-key) rectangle attack, we can check the puter Sciences, Vol. 91-A(9), pp. 2588-2596, IEICE Press, two pairs from the quartet one after the other, instead 2008. of checking them simultaneously; if the ¯rst pair does IEICE TRANS. FUNDAMENTALS, VOL.Exx{??, NO.xx XXXX 200x 2 not meet the expected conditions, we can discard the Di+1 = Ci, quartet immediately. This can reduce the computa- Ci+1 = Bi, tion complexity of an attack, and, even more signif- Bi+1 = Ai, i+1 i+1 i+1 icantly, may allow us to break more rounds of a ci- A = T1 ¢ T2 . pher. Taking advantage of this observation, we ¯nally 3. The ciphertext C is (A64;B64;C64;D64;E64;F 64; use the 35-round related-key rectangle distinguisher to G64;H64). conduct a related-key rectangle attack on the ¯rst 44 rounds of SHACAL-2. This is better than any pre- In the above description, Ki is the i-th round key, viously published cryptanalytic results on SHACAL-2 W i is the i-th round constant, and the four functions in terms of the numbers of attacked rounds. Table 1 §0(X), §1(X), Ch(X; Y; Z) and Maj(X; Y; Z) are de- summarises both previous and our new cryptanalytic ¯ned as follows. results on SHACAL-2 that uses 512 key bits. The rest of this paper is organised as follows. In §0(X) = S2(X) © S13(X) © S22(X); the next section, we describe some notation and the §1(X) = S6(X) © S11(X) © S25(X); SHACAL-2 block cipher. In Section 3, we introduce Ch(X; Y; Z) = (X&Y ) © (:X&Z); our observation on related-key rectangle attacks. In Maj(X; Y; Z) = (X&Y ) © (X&Z) © (Y &Z); Section 4, we give the 35-round related-key rectangle ¡460 distinguisher with probability 2 , as well as the flaw where Sj(X) represents right rotation of X by j bits. in Wang's attack. In Section 5, we present our related- The key schedule of SHACAL-2 accepts a variable key rectangle attack on 44-round SHACAL-2. Section length key of up to 512 bits. Shorter keys can be used 6 concludes this paper. by padding them with zeros to produce a 512-bit key string. The 512-bit user key K is divided into sixteen 2. Preliminaries 32-bit words (K0;K1; ¢ ¢ ¢ ;K15), which are the round keys for the ¯rst 16 rounds. Finally, the i-th round key 2.1 Notation (16 · i · 63) is generated as follows, i i¡2 i¡7 i¡15 i¡16 ² © : bitwise logical exclusive OR (XOR) K = σ1(K ) ¢ K ¢ σ0(K ) ¢ K ; ² & : bitwise logical AND with σ0(X) = S7(X) © S18(X) © R3(X); 32 ² ¢ : addition modulo 2 σ1(X) = S17(X) © S19(X) © R10(X); ² : : bitwise logical complement ² ± : functional composition where Rj(X) represents right shift of X by j bits. ² ej : a 32-bit word with zeros in all positions but bit j, (0 · j · 31) 3. An Observation on Related-Key Rectangle Attacks ² ei1;¢¢¢;ij : ei1 © ¢ ¢ ¢ © eij , (0 · i1; ¢ ¢ ¢ ; ij · 31) ² ej;» : a 32-bit word that has 0's in bits 0 to j ¡1, a one in bit j and indeterminate values in bits (j +1) In this section, we introduce our observation on related- to 31 key rectangle attacks. The notion of di®erence used throughout this pa- 3.1 Description of Related-Key Rectangle Attacks per is with respect to the © operation, unless otherwise stated explicitly. A related-key rectangle attack [4], [8], [11] is a combi- nation of a related-key attack [1], [13] and a rectangle 2.2 The SHACAL-2 Block Cipher attack [3]. A related-key attack requires an assump- tion that the attacker knows the speci¯c di®erences be- SHACAL-2 [6] takes as input a 256-bit plaintext, and tween one or more pairs of unknown keys; this assump- has a total of 64 rounds. Its encryption procedure can tion makes it di±cult or even infeasible to conduct in be described as follows. many cryptographic applications, but some of the cur- rent real-world applications allow for practical related- 1. The 256-bit plaintext P is represented as eight 32- key attacks [10], for example, key-exchange protocols bit words A0, B0, C0, D0, E0, F 0, G0 and H0.