Paper 2012/668

Construction of Differential Characteristics in ARX Designs -- Application to Skein

Gaetan Leurent

Abstract

In this paper, we study differential attacks against ARX schemes. We build upon the generalized characteristics of de Cannière and Rechberger and the multi-bit constraints of Leurent. We describe a more efficient way to propagate multi-bit constraints, which allows us to use the complete set of 2^32 2.5-bit constraints instead of the reduced sets used by Leurent. As a result, we are able to build complex non-linear differential characteristics for reduced versions of the hash function Skein. We present several characteristics for use in various attack scenarios; this results in attacks with a relatively low complexity in relatively strong settings. In particular, we show practical free-start and semi-free-start collision attacks for 20 rounds and 12 rounds of Skein-256, respectively. To the best of our knowledge, these are the first examples of complex differential trails built for pure ARX designs. We believe this is an important work to assess the security of ARX designs against differential cryptanalysis. Our improved tools will be publicly available with the final version of this paper.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Symmetric ciphers, Hash functions, ARX, Generalized characteristics, Differential attacks, Skein
Contact author(s)
gaetan leurent @ uclouvain be
History
2012-11-28: received
Short URL
https://ia.cr/2012/668
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/668,
      author = {Gaetan Leurent},
      title = {Construction of Differential Characteristics in ARX Designs -- Application to Skein},
      howpublished = {Cryptology ePrint Archive, Paper 2012/668},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/668}},
      url = {https://eprint.iacr.org/2012/668}
}