As a family of tweakable block ciphers, HALFLOOP is standardized in the interoperability and performance standards for medium- and high-frequency radio systems published by the United States Department of Defense. Although HALFLOOP-24 has already been broken by practical real-world attacks, stronger attacks on the two larger variants of HALFLOOP that exploit the structure of the cipher remain to be explored. Because the internal state of HALFLOOP is smaller than the master key, the key schedule has low diffusion. Since related-key boomerang attacks are particularly effective against such ciphers and can even reach the full number of rounds, this paper evaluates the resistance of the two larger HALFLOOP variants to related-key boomerang attacks. First, we propose a more efficient model for searching for sandwich distinguishers of ciphers with non-linear key schedules. Specifically, we derive additional constraints, beyond the simple relationships in the internal linear layer, that restrict the candidate distinguishers to a smaller space. In addition, we use the ladder switch effect in the related-key model to guarantee a differential transition of probability one among the master-key quartet, which avoids weak-key attacks and invalid trails. Second, applying the model to HALFLOOP, we present a full-round related-key boomerang attack on HALFLOOP-48 and nearly full-round related-key attacks on HALFLOOP-96. These results show that the security of the two larger HALFLOOP variants is weak in the related-key setting. Therefore, besides the serious flaw introduced by the tweak, the low diffusion of the key schedule algorithm also deserves attention.
Funding: supported by the National Natural Science Foundation of China (Grant No. 62206312).
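The abstract's central observation is that a master key larger than the internal state, combined with a low-diffusion key schedule, is exactly the setting in which related-key boomerang attacks thrive. The Python block below is an added example written for this page, not code from the paper and not a model of HALFLOOP: it builds a constructed toy 16-bit SPN keyed by a 32-bit master key and runs the standard related-key boomerang quartet test under two key schedules, an "alternating" one in which each round key is a bare half of the master key (no diffusion at all) and a "mixed" one in which every round key depends on both halves. The S-box, bit permutation, key schedules, key value and chosen differences are all assumptions made for illustration; the paper's sandwich-distinguisher search and ladder-switch machinery are not modelled.

```python
"""Related-key boomerang quartet experiment on a constructed toy SPN.

Added example, not from the paper: a 16-bit SPN with a 32-bit master key,
i.e. an internal state smaller than the master key. Two key schedules are
compared. With the 'alternating' schedule a master-key difference confined
to one half reaches only every other round key, and a related-key boomerang
over all rounds returns with probability one. With the 'mixed' schedule the
same experiment behaves like a random permutation.
"""
import random

# PRESENT's 4-bit S-box, used here only as a convenient nonlinear layer (assumption)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# 16-bit bit permutation: bit i -> 4*i mod 15, bit 15 fixed (assumption)
PBOX = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
PBOX_INV = [PBOX.index(j) for j in range(16)]
ROUNDS = 4          # four S-box layers, five round keys (rk0 .. rk4)
MASK16 = 0xFFFF


def rotl32(x, r):
    r %= 32
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF


def sub16(x, table=SBOX):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(table[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(4))


def perm16(x, table=PBOX):
    """Move bit i of x to position table[i]."""
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << table[i]
    return y


def ks_alternating(k32):
    """Low-diffusion schedule: even round keys = low half, odd = high half."""
    return [(k32 >> (16 * (i % 2))) & MASK16 for i in range(ROUNDS + 1)]


def ks_mixed(k32):
    """Every round key depends nonlinearly on both halves of the master key."""
    rks = []
    for i in range(ROUNDS + 1):
        t = rotl32(k32, 5 * i + 1) ^ ((0x9E3779B9 * (i + 1)) & 0xFFFFFFFF)
        rks.append(sub16(t & MASK16) ^ sub16(t >> 16))
    return rks


def encrypt(p, rks):
    s = p
    for i in range(ROUNDS):
        s = perm16(sub16(s ^ rks[i]))
    return s ^ rks[ROUNDS]


def decrypt(c, rks):
    s = c ^ rks[ROUNDS]
    for i in reversed(range(ROUNDS)):
        s = sub16(perm16(s, PBOX_INV), SBOX_INV) ^ rks[i]
    return s


def boomerang_quartets(schedule, k, dk, nk, alpha, delta, trials, seed=1):
    """Count returning quartets under keys K, K^dK, K^nK, K^dK^nK.

    P2 = P1 ^ alpha is encrypted under the related key, delta is added to
    both ciphertexts, the results are decrypted under the other two keys,
    and the quartet 'returns' when P3 ^ P4 == alpha again.
    """
    rng = random.Random(seed)
    rk1, rk2 = schedule(k), schedule(k ^ dk)
    rk3, rk4 = schedule(k ^ nk), schedule(k ^ dk ^ nk)
    hits = 0
    for _ in range(trials):
        p1 = rng.getrandbits(16)
        c1 = encrypt(p1, rk1)
        c2 = encrypt(p1 ^ alpha, rk2)
        p3 = decrypt(c1 ^ delta, rk3)
        p4 = decrypt(c2 ^ delta, rk4)
        hits += (p3 ^ p4) == alpha
    return hits


def demo(trials=2000):
    """Return (hits with alternating schedule, hits with mixed schedule)."""
    alpha, beta = 0x0410, 0x8001       # constructed differences (assumption)
    k = 0x1BADB002                     # constructed master key (assumption)
    dk = alpha      # low half of the master key only: touches rk0, rk2, rk4
    nk = beta       # low half only as well
    delta = beta    # ciphertext-side difference, cancelled by the rk4 difference
    return (boomerang_quartets(ks_alternating, k, dk, nk, alpha, delta, trials),
            boomerang_quartets(ks_mixed, k, dk, nk, alpha, delta, trials))


if __name__ == "__main__":
    alt, mixed = demo()
    print(f"alternating schedule: {alt}/2000 quartets return")
    print(f"mixed schedule:       {mixed}/2000 quartets return")
```

Under the alternating schedule the plaintext difference alpha is cancelled by the rk0 difference, the pair then travels two rounds with zero difference for free, and on the way back the ciphertext difference beta is cancelled by the rk4 difference, so the two backward trajectories rejoin the two forward ones and every quartet returns regardless of what the S-boxes do in between. No single related-key differential over the full cipher has probability one here, because the alpha difference is reintroduced by rk2 and then enters the S-boxes; it is the boomerang structure that turns the sparse key-difference pattern into a full-round distinguisher. Under the mixed schedule the master-key difference reaches every round key and the quartet count drops to the roughly 2^-16 rate expected of a random permutation, which is the contrast the abstract draws between low and adequate key-schedule diffusion.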