Paper 2009/438

Improved Cryptanalysis of Skein

Jean-Philippe Aumasson, Cagdas Calik, Willi Meier, Onur Ozen, Raphael C. -W. Phan, and Kerem Varici

Abstract

The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Extended version of an article accepted to Asiacrypt 2009
Keywords
hash functionsblock ciphersSHA-3
Contact author(s)
jeanphilippe aumasson @ gmail com
History
2009-09-13: received
Short URL
https://ia.cr/2009/438
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/438,
      author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C. -W.  Phan and Kerem Varici},
      title = {Improved Cryptanalysis of Skein},
      howpublished = {Cryptology ePrint Archive, Paper 2009/438},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/438}},
      url = {https://eprint.iacr.org/2009/438}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.