Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis

摘要

SHACAL-2 is a 64-round block cipher with a 256-bit block size and a variable length key of up to 512 bits. It is a NESSIE selected block cipher algorithm. In this paper, we observe that, when checking whether a candidate quartet is useful in a (related-key) rectangle attack, we can check the two pairs from the quartet one after the other, instead of checking them simultaneously; if the first pair does not meet the expected conditions, we can discard the quartet immediately. We next exploit a 35-round related-key rectangle distinguisher with probability 2~(-460) for the first 35 rounds of SHACAL-2, which is built on an existing 24-round related-key differential and a new 10-round differential. Finally, taking advantage of the above observation, we use the distinguisher to mount a related-key rectangle attack on the first 44 rounds of SHACAL-2. The attack requires 2~(233) related-key chosen plaintexts, and has a time complexity of 2~(497.2) computations. This is better than any previously published cryptanalytic results on SHACAL-2 in terms of the numbers of attacked rounds.