A Simple Related-Key Attack on the Full SHACAL-1

SHACAL-1 is a 160-bit block cipher with variable key length of up to 512-bit key based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of evaluation. Since its introduction, SHACAL-1 withstood extensive cryptanalytic efforts. The best known key recovery attack on the full cipher up to this paper has a time complexity of about 2 encryptions. In this paper we use an observation due to Saarinen to present an elegant related-key attack on SHACAL-1. The attack can be mounted using two to eight unknown related keys, where each additional key reduces the time complexity of retrieving the actual values of the keys by a factor of 2. When all eight related-keys are used, the attack requires 2 related-key chosen plaintexts and has a running time of 2 encryptions. This is the first successful related-key key recovery attack on a cipher with varying round constants.