Difference between revisions of "Skein"

Revision as of 10:22, 22 April 2011

1 The algorithm

Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
Website: http://www.schneier.com/skein.html; http://skein-hash.info/
NIST submission package:
- Round 3: Skein_FinalRnd.zip
- Round 2: Skein_Round2.zip
- Round 1: SkeinUpdate.zip (old version: Skein.zip)

Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker - The Skein Hash Function Family

,2010

http://www.skein-hash.info/sites/default/files/skein1.3.pdf
Bibtex

Author : Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
Title : The Skein Hash Function Family
In : -
Address :
Date : 2010

Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker - The Skein Hash Function Family

,2009

http://www.skein-hash.info/sites/default/files/skein1.2.pdf
Bibtex

Author : Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
Title : The Skein Hash Function Family
In : -
Address :
Date : 2009

Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker - The Skein Hash Function Family

,2008

http://www.skein-hash.info/sites/default/files/skein1.1.pdf
Bibtex

Author : Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
Title : The Skein Hash Function Family
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 72 rounds (Skein-512)

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis	Hash Size (n)	Parameters	Compression Function Calls	Memory Requirements	Reference

2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis	Hash Function Part	Hash Size (n)	Parameters/Variants	Compression Function Calls	Memory Requirements	Reference
distinguisher	compression function	all	57 rounds (Round 2)	2⁵⁰³	-	Khovratovich,Nikolić,Rechberger
distinguisher	compression function	256	53 rounds (Round 2)	2²⁵¹, Skein-256	-	Khovratovich,Nikolić,Rechberger
near-collision	compression function	all	24 rounds (No. 20-43)	2²³⁰	-	Su,Wu,Wu,Dong
near-collision	compression function	256	24 rounds (No. 12-35), Skein-256	2⁶⁰	-	Su,Wu,Wu,Dong
near-collision	compression function	all	24 rounds, Skein-1024	2³⁹⁵	-	Su,Wu,Wu,Dong
observations	hash	all				Gligoroski
observations	block cipher	all	-	-	-	McKay,Vora
observations	compression function	all	-	-	-	Kaminsky
key recovery	block cipher	256	39 rounds	2^254.1	-	Khovratovich,Nikolic
key recovery	block cipher	512	42 rounds	2⁵⁰⁷	-	Khovratovich,Nikolic
key recovery	block cipher	512	32 rounds (Round 1)	2²²⁶ (2²²²)	2¹²	Chen,Jia
key recovery	block cipher	512	33 rounds (Round 1)	2^352.17 (2^355.5)	-	Chen,Jia
near collision	compression function	512	17 rounds (Round 1)	2²⁴	-	Aumasson,Calik,Meier,Ozen,Phan,Varici
distinguisher	block cipher	512	35 rounds (Round 1)	2⁴⁷⁸	-	Aumasson,Calik,Meier,Ozen,Phan,Varici
impossible differential	block cipher	512	21 rounds (Round 1)	-	-	Aumasson,Calik,Meier,Ozen,Phan,Varici
key recovery	block cipher	512	32 rounds (Round 1)	2³¹²	-	Aumasson,Calik,Meier,Ozen,Phan,Varici

Dmitry Khovratovich, Ivica Nikolić, Christian Rechberger - Rotational Rebound Attacks on Reduced Skein

ASIACRYPT 6477:1-19,2010

http://eprint.iacr.org/2010/538.pdf
Bibtex

Author : Dmitry Khovratovich, Ivica Nikolić, Christian Rechberger
Title : Rotational Rebound Attacks on Reduced Skein
In : ASIACRYPT -
Address :
Date : 2010

Bozhan Su, Wenling Wu, Shuang Wu, Le Dong - Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE

CANS 6467:124-139,2010

http://eprint.iacr.org/2010/355.pdf
Bibtex

Author : Bozhan Su, Wenling Wu, Shuang Wu, Le Dong
Title : Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE
In : CANS -
Address :
Date : 2010

Danilo Gligoroski - Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains

,2010

http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf
Bibtex

Author : Danilo Gligoroski
Title : Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains
In : -
Address :
Date : 2010

Kerry A. McKay, Poorvi L. Vora - Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish

,2010

http://eprint.iacr.org/2010/282.pdf
Bibtex

Author : Kerry A. McKay, Poorvi L. Vora
Title : Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish
In : -
Address :
Date : 2010

Alan Kaminsky - Cube Test Analysis of the Statistical Behavior of CubeHash and Skein

,2010

http://eprint.iacr.org/2010/262.pdf
Bibtex

Author : Alan Kaminsky
Title : Cube Test Analysis of the Statistical Behavior of CubeHash and Skein
In : -
Address :
Date : 2010

Dmitry Khovratovich, Ivica Nikolic - Rotational Cryptanalysis of ARX

FSE 6147:333-346

http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf
Bibtex

Author : Dmitry Khovratovich, Ivica Nikolic
Title : Rotational Cryptanalysis of ARX
In : FSE -
Address :
Date :

Jiazhe Chen, Keting Jia - Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512

,2009

http://eprint.iacr.org/2009/526.pdf
Bibtex

Author : Jiazhe Chen, Keting Jia
Title : Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512
In : -
Address :
Date : 2009

Jean-Philippe Aumasson, Cagdas Calik, Willi Meier, Onur Ozen, Raphael C.-W. Phan, Kerem Varici - Improved Cryptanalysis of Skein

ASIACRYPT 5912:542-559,2009

http://eprint.iacr.org/2009/438.pdf
Bibtex

Author : Jean-Philippe Aumasson, Cagdas Calik, Willi Meier, Onur Ozen, Raphael C.-W. Phan, Kerem Varici
Title : Improved Cryptanalysis of Skein
In : ASIACRYPT -
Address :
Date : 2009

Jean-Philippe Aumasson, Willi Meier, Raphael Phan - Improved analyis of Threefish

,2009

http://131002.net/data/talks/threefish_rump.pdf
Bibtex

Author : Jean-Philippe Aumasson, Willi Meier, Raphael Phan
Title : Improved analyis of Threefish
In : -
Address :
Date : 2009

@@ Line 107: / Line 107: @@
 <bibtex>
-@misc{skeinKNR10,
+@inproceedings{skeinKNR10,
    author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},
    title = {Rotational Rebound Attacks on Reduced Skein},
-   howpublished = {Cryptology ePrint Archive, Report 2010/538},
+   booktitle = {ASIACRYPT},
-   year = {2010},
+  year      = {2010},
+   pages     = {1-19},
+  publisher = {Springer},
+  series    = {LNCS},
+  volume    = {6477},
    url = {http://eprint.iacr.org/2010/538.pdf},
    abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.
@@ Line 120: / Line 124: @@
 <bibtex>
-@misc{skeinSuWWD10,
+@inproceedings{skeinSuWWD10,
    author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},
    title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},
-   howpublished = {Cryptology ePrint Archive, Report 2010/355},
+   booktitle = {CANS},
-   year = {2010},
+  year      = {2010},
+   pages     = {124-139},
+  publisher = {Springer},
+  series    = {LNCS},
+  volume    = {6467},
    url = {http://eprint.iacr.org/2010/355.pdf},
    abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}
@@ Line 147: / Line 155: @@
      year = {2010},
      url = {http://eprint.iacr.org/2010/282.pdf},
-    note = {\url{http://eprint.iacr.org/}},
      abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}
 }
@@ Line 159: / Line 166: @@
      year = {2010},
      url = {http://eprint.iacr.org/2010/262.pdf},
-    note = {\url{http://eprint.iacr.org/}},
      abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }
 }
@@ Line 165: / Line 171: @@
 <bibtex>
-@misc{cryptoeprint:2009:526,
+@inproceedings{cryptoeprint:2009:526,
      author = {Dmitry Khovratovich and Ivica Nikolic},
      title = {Rotational Cryptanalysis of ARX},
-     howpublished = {Preproceedings of FSE 2010},
+  pages     = {333-346},
-    year = {2010},
+  booktitle = {FSE},
+  publisher = {Springer},
+  series    = {LNCS},
+  volume    = {6147},
      url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},
      abstract = {In this paper we analyze the security of systems based on
@@ Line 191: / Line 200: @@
      year = {2009},
      url = {http://eprint.iacr.org/2009/526.pdf},
-    note = {\url{http://eprint.iacr.org/}},
      abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},
 }
@@ Line 197: / Line 205: @@
 <bibtex>
-@misc{skeinA+09,
+@inproceedings{skeinA+09,
      author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},
      title = {Improved Cryptanalysis of Skein},
-    howpublished = {Cryptology ePrint Archive, Report 2009/438},
+  booktitle = {ASIACRYPT},
-     year = {2009},
+  year      = {2009},
+  pages     = {542-559},
+  publisher = {Springer},
+  series    = {LNCS},
+  volume    = {5912},
      url = {http://eprint.iacr.org/2009/438.pdf},
-    note = {\url{http://eprint.iacr.org/}},
      abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},
 }

Difference between revisions of "Skein"

Revision as of 10:22, 22 April 2011

Contents

1 The algorithm

2 Cryptanalysis

2.1 Hash function

2.2 Building blocks

Navigation menu

Views

Personal tools

Navigation

Search

Tools