Biclique Cryptanalysis of Block Cipher SHACAL2

SHACAL2 is a block cipher designed by Handschuh H. et al based on the standard Hash function SHA2 in 2002. It one of the European standard block ciphers, and has relatively high security because of its long block length and key length, which are 256b and 512b respectively. There have been a few security analysis results about SHACAL2, such as impossible differential cryptanalysis and related-key rectangle attack on reduced rounds of SHACAL2. Taking advantage of the characteristics of the key schedule and the permutation layer of block cipher SHACAL2, 18-round 32-dimensional Biclique of the first eight rounds of SHACAL2 is constructed. Based on the Biclique constructed, Biclique attack is applied to the whole 64-round SHACAL2. And the results show that, using Biclique attack to recover the whole 512b key information of 64-round SHACAL2, the data complexity is no more than 2\+{224} chosen plaintexts, and the time complexity is 2\+{511.18} 64-round encryptions. Compared with the known analysis results, the data complexity of Biclique attack decreased obviously, and the time complexity is better than exhaustive search. For whole round SHACAL2，Biclique attack is a relatively effective method. This is the first single-key attack for whole round SHACAL2.