SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash functions from the SHA family. They were designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus.
SHACAL-1 (originally simply SHACAL) is a 160-bit block cipher based on SHA-1, and supports keys from 128 bits to 512 bits. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256.
In 2003, SHACAL-2 was selected by the NESSIE (New European Schemes for Signatures, Integrity and Encryption) project as one of their 17 recommended algorithms.
Design
SHACAL is based on the following observation of SHA-1: The hash function SHA-1 is designed around a compression function. This function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known, i.e. given the data block on which it acted and the output of the compression function, one can compute the state that went in. SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words, SHACAL views the SHA-1 compression function as a 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zeros up to 512 bits. SHACAL is not intended to be used with keys shorter than 128 bits.
