SQUARE is an 8-round SPN structure block cipher and its round function and key schedule have been slightly modified to design building blocks of Rijndael. Key schedule of SQUARE is simple and efficient but fully affine, so we apply a related-key attack on it. We find a 3-round related-key differential trail with probability 2-28, which has zero differences both on its input and output states, which is called local collision in [6]. By extending of this related-key differential, we construct a successful attack on full rounds of SQUARE. In this paper, we present a key recovery attack on full rounds of SQUARE using a related-key boomerang distinguisher. We construct a 7-round related-key boomerang distinguisher with probability 2-119 by finding local collision, and calculate its probability using ladder switch and multiple path estimation techniques. As a result, one round on top of the distinguisher is added to construct an attack on full rounds of SQUARE which recovers 16-bit key information with 2123 encryptions and 2121 data.

In this paper, we study the security of the Misty structure, where each round function is chosen at random from the set of involutions. Based on the game-playing framework, we prove the pseudorandomness of the 3-round R-Misty structure and the 4-round L-Misty structure as well as the super-pseudorandomness of the 5-round R-Misty structure for m 2n/2, where m denotes the number of queries and 2n denotes the block size. We also give similar results for the Misty structures such that each round function is chosen at random from the set of involutions with a constant number of fixed points. Our results generalize the results of giving the first construction of a (strong) pseudorandom permutation based on random involutions (without any restriction on the number of fixed points), and suggest a new criterion for design of block ciphers in an involutional Misty structure that each round function should have a constant number of fixed points.

We present pseudo-preimage attacks on Davis-Meyer mode of reduced rounds of the block ciphers ARIA, Camellia, and Serpent by using Sasaki's framework. They yield preimage or second-preimage attacks on PGV hashing modes. We develop proper initial structures for applying meet-in-the-middle techniques to the block ciphers, by considering their diffusion layers, and propose a method to find matching-check equations for indirect partial matching technique with a binary matrix. These works enable us to attack 5 rounds of ARIA, 7 rounds of Camellia, and 4 rounds of Serpent faster than brute force attack.