Search results for: distinguishing attack

Number of results: 109909

2007
Eli Biham, Orr Dunkelman, Nathan Keller

SHACAL-1 is a 160-bit block cipher with a variable key length of up to 512 bits, based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of evaluation. Since its introduction, SHACAL-1 has withstood extensive cryptanalytic efforts. The best known key recovery attack on the full cipher up to this paper has a time complexity of about 2...

2002
Eli Biham, Orr Dunkelman, Nathan Keller

Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approxima...

Journal: Int. Arab J. Inf. Technol. 2013
Li-Chin Huang, Cheng-Chi Lee, Min-Shiang Hwang

In this paper, a novel scheme to generate (n^2 + n) common secret keys in one session is proposed, in which two parties can use them to encrypt and decrypt their communicated messages using a symmetric-key cryptosystem. The proposed scheme is based on the difficulty of the discrete logarithm problem. All the session keys can be used against known-key attacks, man-in-the-middle at...

2009
Alex Biryukov, Dmitry Khovratovich, Ivica Nikolic

In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time q · 2 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2 q−1 q+1 ) time. Using si...

Journal: IACR Cryptology ePrint Archive 2017
Sondre Rønjom, Navid Ghaedi Bardeh, Tor Helleseth

In this paper we present new fundamental properties of SPNs. These properties turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting, and we show this by introducing for the first time key-independent yoyo-distinguishers for 3- to 5-round AES. All of our distinguishers beat previous records and require respectively 3, 4 and 2 data and essentially zero computatio...

Journal: IACR Cryptology ePrint Archive 2006
Joo Yeon Cho, Josef Pieprzyk

NLS is one of the stream ciphers submitted to the eSTREAM project. We present a distinguishing attack on NLS using the Crossword Puzzle (CP) attack method, which is newly introduced in this paper. We build the distinguisher by using linear approximations of both the non-linear feedback shift register (NFSR) and the nonlinear filter function (NLF). Since the bias of the distinguisher depends on the Kons...

2009
Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer

In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output tra...

Journal: IEICE Transactions 2012
Yu Sasaki

This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K‖ℓ‖M) with a shared key K and the message length ℓ. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2) queries, which indicates the incorrectness ...

2018
Victor Cauchois, Clément Gomez, Reynald Lercier

We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers. We explain how such differential paths can be computed using a Mixed-Integer Linear Programming approach. Together with a SuperSBox description, this allows us to build a rebound ...

Journal: IACR Trans. Symmetric Cryptol. 2017
Victor Cauchois, Clément Gomez, Reynald Lercier

We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers. We explain how such differential paths can be computed using a Mixed-Integer Linear Programming approach. Together with a SuperSBox description, this allows us to build a rebound ...

Chart: number of search results per year
