χ 2 Cryptanalysis of the SEAL Encryption Algorithm

SEAL was first introduced in [1] by Rogaway and Coppersmith as a fast software-oriented encryption algorithm. It is a pseudorandom function which stretches a short index into a much longer pseudorandom string under control of a secret key pre-processed into internal tables. In this paper we first describe an attack of a simplified version of SEAL, which provides large parts of the secret tables from approximately 2 algorithm computations. As far as the original algorithm is concerned, we construct a test capable of distinguishing SEAL from a random function using approximately 2 IV values. Moreover, we describe how to derive some bits of information about the secret tables. These results were confirmed by computer experiments. 1 Description of the SEAL Algorithm SEAL is a length-increasing ”pseudorandom” function which maps a 32-bit string n to an L-bit string SEAL(n) under a secret 160-bit key a. The output length L is meant to be variable, but is generally limited to 64 kbytes. In this paper, we assume it is worth exactly 64 kbytes (2 32-bit words), but all our results could be obtained with a smaller output length. The key a is only used to define three secret tables R, S, and T . These tables respectively contain 256, 256 and 512 32-bit values which are derived from the Secure Hash Algorithm (SHA) [2] using a as the secret key and re-indexing the 160-bit output into 32-bit output words. SEAL is the result of the two cascaded generators shown below. The first generator uses a routine depending on the a-derived tables R and T depicted at figure 1. It maps the 32-bit string n and the 6-bit counter l to 2 Helena Handschuh and Henri Gilbert