SHACAL-1 is a 160-bit block cipher with variable key length of up to 512-bit key based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of evaluation. Since its introduction, SHACAL-1 withstood extensive cryptanalytic efforts. The best known key recovery attack on the full cipher up to this paper has a time complexity of about 2420 encryptions. In this paper we use an observation due to Saarinen to present an elegant related-key attack on SHACAL-1. The attack can be mounted using two to eight unknown related keys, where each additional key reduces the time complexity of retrieving the actual values of the keys by a factor of 262. When all eight related-keys are used, the attack requires 2101.3 related-key chosen plaintexts and has a running time of 2101.3 encryptions. This is the first successful related-key key recovery attack on a cipher with varying round constants.
|Title of host publication||Topics in Cryptology|
|Subtitle of host publication||CT-RSA 2007 - The Cryptographers Track at the RSA Conference 2007, Proceedings|
|Number of pages||11|
|State||Published - 2007|
|Event||Cryptographers Track at the RSA Conference, CT-RSA 2007 - San Francisco, United States|
Duration: 5 Feb 2007 → 9 Feb 2007
|Name||Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)|
|Conference||Cryptographers Track at the RSA Conference, CT-RSA 2007|
|Period||5/02/07 → 9/02/07|
Bibliographical noteFunding Information:
★ This work was supported in part by the Israel MOD Research and Technology Unit. ★★ The author was supported by the Adams fellowship.
© Springer-Verlag Berlin Heidelberg 2007.