Topics in Cryptology – CT-RSA 2007

Volume 4377 of the series Lecture Notes in Computer Science pp 20-30

A Simple Related-Key Attack on the Full SHACAL-1

  • Eli BihamAffiliated withComputer Science Department, Technion
  • , Orr DunkelmanAffiliated withComputer Science Department, TechnionKatholieke Universiteit Leuven, ESAT/SCD-COSIC
  • , Nathan KellerAffiliated withEinstein Institute of Mathematics, Hebrew University


SHACAL-1 is a 160-bit block cipher with variable key length of up to 512-bit key based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of evaluation. Since its introduction, SHACAL-1 withstood extensive cryptanalytic efforts. The best known key recovery attack on the full cipher up to this paper has a time complexity of about 2420 encryptions.

In this paper we use an observation due to Saarinen to present an elegant related-key attack on SHACAL-1. The attack can be mounted using two to eight unknown related keys, where each additional key reduces the time complexity of retrieving the actual values of the keys by a factor of 262. When all eight related-keys are used, the attack requires 2101.3 related-key chosen plaintexts and has a running time of 2101.3 encryptions. This is the first successful related-key key recovery attack on a cipher with varying round constants.