Cryptanalysis of HALFLOOP Block Ciphers
Destroying HALFLOOP-24
DOI:
https://doi.org/10.46586/tosc.v2023.i4.58-82Keywords:
HF Radio, ALE, HALFLOOP, Differential, DS-MITM, TDM-TOAbstract
HALFLOOP is a family of tweakable block ciphers that are used for encrypting automatic link establishment (ALE) messages in high frequency radio, a technology commonly used by the military, other government agencies and industries which require high robustness in long-distance communications. Recently, it was shown in [DDLS22] that the smallest version of the cipher, HALFLOOP-24, can be attacked within a practical time and memory complexity. However, in the real-word ALE setting, it turns out that this attack require to wait more than 500 years to collect the necessary amount of plaintext-tweak-ciphertext pairs fulfilling the conditions of the attack.
In this paper, we present real-world practical attacks against HALFLOOP-24 which are based on a probability-one differential distinguisher. In our attacks, we significantly reduce the data complexity to three differential pairs in the chosen-plaintext (CPA) setting which is optimal in the sense that even a brute force attack needs at least six plaintext-tweak-ciphertext pairs to uniquely identify the correct key. Considering the same ALE setting as [DDLS22], this translates to a reduction from 541 years to 2 hours worth of intercepted traffic.
Besides, we provide the first, non generic, public cryptanalysis of HALFLOOP-48 and HALFLOOP-96. More precisely, we present Demirci-Selçuk meet-in-the-middle attacks against full-round HALFLOOP-48 and round-reduced HALFLOOP-96 to recover the complete master key in a CPA setting. However, unlike the attacks on HALFLOOP-24, our attacks on the larger versions are only theoretical. Moreover for HALFLOOP-96 the known generic time-memory trade-off attack, based on a flawed tweak handling, remains the strongest attack vector.
In conclusion, we iterate what was already stated in [DDLS22]: HALFLOOP does not provide adequate protection and should not be used.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 Gregor Leander, Shahram Rasoolzadeh, Lukas Stennes
This work is licensed under a Creative Commons Attribution 4.0 International License.