Paper 2023/1314

Cryptanalysis of HALFLOOP Block Ciphers: Destroying HALFLOOP-24

Gregor Leander, Ruhr University Bochum, Bochum, Germany
Shahram Rasoolzadeh, Radboud University, Nijmegen, The Netherlands
Lukas Stennes, Ruhr University Bochum, Bochum, Germany
Abstract

HALFLOOP is a family of tweakable block ciphers that are used for encrypting automatic link establishment (ALE) messages in high-frequency radio, a technology commonly used by the military, other government agencies, and industries that require high robustness in long-distance communications. Recently, it was shown in [DDLS22] that the smallest version of the cipher, HALFLOOP-24, can be attacked within a practical time and memory complexity. However, in the real-word ALE setting, it turns out that this attack requires waiting more than 500 years to collect the necessary amount of plaintext-tweak-ciphertext pairs fulfilling the conditions of the attack. In this paper, we present real-world practical attacks against HALFLOOP-24 which are based on a probability-one differential distinguisher. In our attacks, we significantly reduce the data complexity to three differential pairs in the chosen-plaintext (CPA) setting which is optimal in the sense that even a brute force attack needs at least six plaintext-tweak-ciphertext pairs to uniquely identify the correct key. Considering the same ALE setting as [DDLS22], this translates to a reduction from 541 years to 2 hours worth of intercepted traffic. Besides, we provide the first, non generic, public cryptanalysis of HALFLOOP-48 and HALFLOOP-96. More precisely, we present Demirci-Selçuk meet-in-the-middle attacks against full-round HALFLOOP-48 and round-reduced HALFLOOP-96 to recover the complete master key in a CPA setting. However, unlike the attacks on HALFLOOP-24, our attacks on the larger versions are only theoretical. Moreover, for HALFLOOP-96 the known generic time-memory trade-off attack, based on a flawed tweak handling, remains the strongest attack vector. In conclusion, we iterate what was already stated in [DDLS22]: HALFLOOP does not provide adequate protection and should not be used.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
HF RadioALEHALFLOOPDifferentialDS-MITMTDM-TO
Contact author(s)
gregor leander @ rub de
shahram rasoolzadeh @ ru nl
lukas stennes @ rub de
History
2023-09-04: approved
2023-09-03: received
See all versions
Short URL
https://ia.cr/2023/1314
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1314,
      author = {Gregor Leander and Shahram Rasoolzadeh and Lukas Stennes},
      title = {Cryptanalysis of {HALFLOOP} Block Ciphers: Destroying {HALFLOOP}-24},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1314},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1314}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.