Related-Key Rectangle Attack on the Full SHACAL-1

Dunkelman, Orr; Keller, Nathan; Kim, Jongsung

doi:10.1007/978-3-540-74462-7_3

Cited by 18 publications

(26 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A successful RKA is universally viewed by cryptanalysts as a break of the cipher. The recent attention-grabbing attacks on AES-192 and AES-256 [17,16,15] were RKAs, and far from unique in this regard: a look at the literature shows that RKAs abound [38,42,19,9,10,12,11,49,54,29,36,13,39,34]. Several higher-level cryptographic constructs, including HMAC [3,2], the 3GPP confidentiality and integrity algorithms f8,f9 [35], and RMAC [37,41], use related keys and thus rely for their (standard, not RKA) security on RKA-security of the underlying compression function or blockcipher.…”

Section: Contextmentioning

confidence: 99%

“…Alarmed by the number of successful related-key attacks (RKAs) against real blockciphers [15,17,16,38,42,19,9,10,12,11,49,54,29,36,13,39,34], theoreticians have stepped back to ask to what extent the underlying goal of RKA-secure PRFs and PRPs is achievable at all. The question is made challenging by the unusual nature of the attack model which allows the adversary to manipulate the key.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks

Bellare

Cash

2010

Advances in Cryptology – CRYPTO 2010

157

View full text Add to dashboard Cite

Abstract. This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of PRFs and PRPs resisting rich and relevant forms of relatedkey attack (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Our framework yields other RKA-PRFs including a DLIN-based one derived from the LewkoWaters PRF. We show how to turn these PRFs into PRPs (blockciphers) while retaining security against RKAs. Over the last 17 years cryptanalysts and blockcipher designers have routinely and consistenly targeted RKA-security; it is important for abuse-resistant cryptography; and it helps protect against fault-injection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.

show abstract

Section: Contextmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks

Bellare

Cash

2010

Advances in Cryptology – CRYPTO 2010

157

View full text Add to dashboard Cite

show abstract

“…In this section, we detect contradictions in the trails used in attacks on XTEA [31], SHACAL-1 [49,12] block ciphers and the SM3 [3] hash function. The first two attacks are rectangle relatedkey key recovery attacks and the latter attack is a distinguishing attack against a reduced-round SM3 compression function.…”

Section: Detecting Rectangle/boomerang Trail Contradictionsmentioning

confidence: 99%

“…Reduced-step SHACAL-1 was scrutinized both in the single-key and the related-key cryptanalytic models [5,18,27,33]. As for the full-round SHACAL-1, it was shown to be susceptible to a rectangle related-key attack with complexity better than exhaustive search in [12] in 2006.…”

Section: On the Incompatibility Of Shacal-1 Trails [49 12]mentioning

confidence: 99%

Analysis of Boomerang Differential Trails via a SAT-Based Constraint Solver URSA

Kircanski¹

2015

Applied Cryptography and Network Security

View full text Add to dashboard Cite

In order to obtain differential patterns over many rounds of a cryptographic primitive, the cryptanalyst often needs to work on local differential trail analysis. Examples include merging two differential trail parts into one or, in the case of boomerang and rectangle attacks, connecting two short trails within the quartet boomerang setting. In the latter case, as shown by Murphy in 2011, caution should be exercised as there is increased chance of running into contradictions in the middle rounds of the primitive. In this paper, we propose the use of a SAT-based constraint solver URSA as aid in analysis of differential trails and find that previous rectangle/boomerang attacks on XTEA and SHACAL-1 block ciphers and SM3 hash function are based on incompatible trails. Given the C specification of the cryptographic primitive, verifying differential trail portions requires minimal work on the side of the cryptanalyst.

show abstract

“…2.2 we unify all previous works on boomerang-style distinguishers [63,32,6,57,7,8,48,37] and their related-key counterparts [36,25,38,9,10,22,53,29,35,64,46,47,49,50,23]. We highlight their similarities and differences for a better view of which attack variant is more suitable for a particular situation.…”

Section: Outline Of This Papermentioning

confidence: 92%