SHACAL

SHACAL
General
Designers	Helena Handschuh, David Naccache
Derived from	SHA-1, SHA-256
Related to	Crab
Certification	NESSIE (SHACAL-2)
Cipher detail
Key sizes	128 to 512 bits
Block sizes	160 bits (SHACAL-1),; 256 bits (SHACAL-2)
Structure	Cryptographic hash function
Rounds	80

Last updated January 24, 2021

SHACAL-1 (originally simply SHACAL) is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256.

Design

SHACAL-1 is based on the following observation of SHA-1:

The hash function SHA-1 is designed around a compression function. This function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state after 80 rounds. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known, i.e. given the data block on which it acted and the output of the compression function, one can compute that state that went in.

SHACAL-1 turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words, SHACAL-1 views the SHA-1 compression function as an 80-round, 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zeros. SHACAL-1 is not intended to be used with keys shorter than 128 bits.

Security of SHACAL-1

In the paper "Related-key rectangle attack on the full SHACAL-1", 2006, Orr Dunkelman, Nathan Keller and Jongsung Kim presented a related-key rectangle attack on the full 80 rounds of SHACAL-1.

In the paper "Differential and Rectangle Attacks on Reduced-Round SHACAL-1", Jiqiang Lu, Jongsung Kim, Nathan Keller and Orr Dunkelman presented rectangle attacks on the first 51 rounds and a series of 52 inner rounds of SHACAL-1 and presented differential attacks on the first 49 rounds and a series of 55 inner rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in a single key attack scenario.

Security of SHACAL-2

In the paper "Related-Key Rectangle Attack on 42-Round SHACAL-2", Jiqiang Lu, Jongsung Kim, Nathan Keller, Orr Dunkelman presented a related-key rectangle attack on 42-round SHACAL-2.

In 2008 Lu and Kim presented a related-key rectangle attack on 44-round SHACAL-2. This is the best currently known cryptanalytic result on SHACAL-2.

Related Research Articles

Advanced Encryption Standard Standard for the encryption of electronic data

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher Proposed Encryption Standard (PES).

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

A cryptographic hash function (CHF) is a mathematical algorithm that maps data of arbitrary size to a bit array of a fixed size. It is a one-way function, that is, a function which is practically infeasible to invert. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography.

GOST (block cipher) Soviet/Russian national standard block cipher

The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

In cryptography, XTEA is a block cipher designed to correct weaknesses in TEA. The cipher's designers were David Wheeler and Roger Needham of the Cambridge Computer Laboratory, and the algorithm was presented in an unpublished technical report in 1997. It is not subject to any patents.

KASUMI is a block cipher used in UMTS, GSM, and GPRS mobile communications systems. In UMTS, KASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively. In GSM, KASUMI is used in the A5/3 key stream generator and in GPRS in the GEA3 key stream generator.

In cryptography, MISTY1 is a block cipher designed in 1995 by Mitsuru Matsui and others for Mitsubishi Electric.

In cryptography, MacGuffin is a block cipher created in 1994 by Bruce Schneier and Matt Blaze at a Fast Software Encryption workshop. It was intended as a catalyst for analysis of a new cipher structure, known as Generalized Unbalanced Feistel Networks (GUFNs). The cryptanalysis proceeded very quickly, so quickly that the cipher was broken at the same workshop by Vincent Rijmen and Bart Preneel.

In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher.

Introduced by Martin Hellman and Susan K. Langford in 1994, the differential-linear attack is a mix of both linear cryptanalysis and differential cryptanalysis.

In cryptography, impossible differential cryptanalysis is a form of differential cryptanalysis for block ciphers. While ordinary differential cryptanalysis tracks differences that propagate through the cipher with greater than expected probability, impossible differential cryptanalysis exploits differences that are impossible at some intermediate state of the cipher algorithm.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In cryptography, Cobra is the general name of a family of data-dependent permutation based block ciphers: Cobra-S128, Cobra-F64a, Cobra-F64b, Cobra-H64, and Cobra-H128. In each of these names, the number indicates the cipher's block size, and the capital letter indicates whether it is optimized for implementation in software, firmware, or hardware.

In cryptography, SC2000 is a block cipher invented by a research group at Fujitsu Labs. It was submitted to the NESSIE project, but was not selected. It was among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, has been dropped to "candidate" by CRYPTREC revision in 2013.

PMAC, which stands for parallelizable MAC, is a message authentication code algorithm. It was created by Phillip Rogaway. PMAC is a method of taking a block cipher and creating an efficient message authentication code that is reducible in security to the underlying block cipher.

In cryptography, Spectr-H64 is a block cipher designed in 2001 by N. D. Goots, A. A. Moldovyan and N. A. Moldovyan. It relies heavily on the permutation of individual bits, so is much better suited to implementation in hardware than in software.

In cryptography, COCONUT98 is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

Dmitry Khovratovich is a cryptographer, currently a Principal Cryptographer at Evernym, Inc., Senior Cryptographer for the Dusk Network and member of the International Association for Cryptologic Research. He developed, together with Alex Biryukov, the Equihash Proof-of-work algorithm which is currently being used as consensus mechanism for the ZCash cryptocurrency, and the Argon2 key derivation function, which won the Password Hashing Competition in July 2015.

References

Eli Biham, Orr Dunkelman, Nathan Keller (February 2003). Rectangle Attacks on 49-Round SHACAL-1 (PDF). 10th International Workshop on Fast Software Encryption (FSE '03). Lund: Springer-Verlag. pp. 22–35. Archived from the original (PDF) on 2007-09-26. Retrieved 2007-07-02.CS1 maint: multiple names: authors list (link)
Helena Handschuh, Lars R. Knudsen, Matthew J. B. Robshaw (April 2001). Analysis of SHA-1 in Encryption Mode (PDF/PostScript). CT-RSA 2001, The Cryptographer's Track at RSA Conference 2001. San Francisco, California: Springer-Verlag. pp. 70–83. Retrieved 2007-07-02.CS1 maint: multiple names: authors list (link)
Seokhie Hong; Jongsung Kim; Guil Kim; Jaechul Sung; Changhoon Lee; Sangjin Lee (December 2003). Impossible Differential Attack on 30-Round SHACAL-2. 4th International Conference on Cryptology in India (INDOCRYPT 2003). New Delhi: Springer-Verlag. pp. 97–106.
Jongsung Kim; Guil Kim; Sangjin Lee; Jongin Lim; Junghwan Song (December 2004). Related-Key Attacks on Reduced Rounds of SHACAL-2. INDOCRYPT 2004. Chennai: Springer-Verlag. pp. 175–190.
Jongsung Kim; Guil Kim; Seokhie Hong; Sangjin Lee; Dowon Hong (July 2004). The Related-Key Rectangle Attack — Application to SHACAL-1. 9th Australasian Conference on Information Security and Privacy (ACISP 2004). Sydney: Springer-Verlag. pp. 123–136.
Jongsung Kim; Dukjae Moon; Wonil Lee; Seokhie Hong; Sangjin Lee; Seokwon Jung (December 2002). Amplified Boomerang Attack against Reduced-Round SHACAL. ASIACRYPT 2002. Queenstown, New Zealand: Springer-Verlag. pp. 243–253.
Markku-Juhani Olavi Saarinen (February 2003). Cryptanalysis of Block Ciphers Based on SHA-1 and MD5 (PDF). FSE '03. Lund: Springer-Verlag. pp. 36–44. Archived from the original (PDF) on 2006-12-24. Retrieved 2007-07-02.
YongSup Shin; Jongsung Kim; Guil Kim; Seokhie Hong; Sangjin Lee (July 2004). Differential-Linear Type Attacks on Reduced Rounds of SHACAL-2. ACISP 2004. Sydney: Springer-Verlag. pp. 110–122.
Jiqiang Lu; Jongsung Kim; Nathan Keller; Orr Dunkelman (2006). Related-Key Rectangle Attack on 42-Round SHACAL-2 (PDF). Information Security, 9th International Conference (ISC 2006). Samos: Springer-Verlag. pp. 85–100. Archived from the original (PDF) on 2006-09-25. Retrieved 2007-07-02.
Jiqiang Lu; Jongsung Kim; Nathan Keller; Orr Dunkelman (December 2006). Differential and Rectangle Attacks on Reduced-Round SHACAL-1 (PDF). INDOCRYPT 2006. Kolkata: Springer-Verlag. pp. 17–31. Retrieved 2007-07-02.
O. Dunkelman; N. Keller; J. Kim (August 2006). Related-key rectangle attack on the full SHACAL-1 (PostScript). Selected Areas in Cryptography (SAC 2006), to appear. Montreal: Springer-Verlag. pp. 16 pages. Retrieved 2007-07-02.
Jiqiang Lu; Jongsung Kim (September 2008). "Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis" (PDF). IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. IEICE: 2599–2596. Retrieved 2012-01-30.

External links

Nathan Keller's homepage

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.