Rotational Rebound Attacks on Reduced Skein

In this paper we combine two powerful methods of symmetric cryptanalysis: rotational cryptanalysis and the rebound attack. Rotational cryptanalysis was designed for the analysis of bit-oriented designs like ARX (Addition-Rotation-XOR) schemes. It has been applied to several hash functions and block...

Full description

Saved in:
Bibliographic Details
Published in:Journal of cryptology Vol. 27; no. 3; pp. 452 - 479
Main Authors: Khovratovich, Dmitry, Nikolić, Ivica, Rechberger, Christian
Format: Journal Article
Language:English
Published: Boston Springer US 01.07.2014
Springer
Springer Nature B.V
Subjects:
Algorithms
Applied sciences
Coding and Information Theory
Combinatorics
Communications Engineering
Complexity
Computational Mathematics and Numerical Analysis
Computer Science
Cryptography
Design
Encryption
Exact sciences and technology
Information, signal and communications theory
Networks
Permutations
Probability Theory and Stochastic Processes
Signal and communications theory
Telecommunications and information theory
Skein
SHA-3
Hash function
Rotational cryptanalysis
Distinguisher
Rebound attack
Cipher
Compression function
Private key
Block ciphering
Security of data
Cryptanalysis
Hashing
Open market
ISSN:0933-2790, 1432-1378
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:In this paper we combine two powerful methods of symmetric cryptanalysis: rotational cryptanalysis and the rebound attack. Rotational cryptanalysis was designed for the analysis of bit-oriented designs like ARX (Addition-Rotation-XOR) schemes. It has been applied to several hash functions and block ciphers, including the new standard SHA-3 (Keccak). The rebound attack is a start-from-the-middle approach for finding differential paths and conforming pairs in byte-oriented designs like Substitution-Permutation networks and AES. We apply our new compositional attack to the reduced version of the hash function Skein, a finalist of the SHA-3 competition. Our attack penetrates more than two thirds of the Skein core—the cipher Threefish, and made the designers to change the submission in order to prevent it. The rebound part of our attack has been significantly enhanced to deliver results on the largest number of rounds. We also use neutral bits and message modification methods from the practice of collision search in MD5 and SHA-1 hash functions. These methods push the rotational property through more rounds than previous analysis suggested, and eventually establish a distinguishing property for the reduced Threefish cipher. We formally prove that such a property cannot be found for an ideal cipher within the complexity limits of our attack. The complexity estimates are supported by extensive experiments.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0933-2790
1432-1378
DOI:10.1007/s00145-013-9150-0