Cryptology ePrint Archive: Report 2010/538

Rotational Rebound Attacks on Reduced Skein

Dmitry Khovratovich and Ivica Nikolic and Christian Rechberger

Abstract: In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.

The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.

Category / Keywords: secret-key cryptography / Skein, SHA-3, hash function, compression function, cipher, rotational cryptanalysis, rebound attack, distinguisher.

Publication Info: Earlier version appears in Proceedings of Asiacrypt 2010

Date: received 20 Oct 2010

Contact author: christian rechberger at esat kuleuven be

Available formats: PDF | BibTeX Citation

Version: 20101025:150843 (All versions of this report)

Discussion forum: Show discussion | Start new discussion