Paper 2009/438

Improved Cryptanalysis of Skein

Jean-Philippe Aumasson, Cagdas Calik, Willi Meier, Onur Ozen, Raphael C. -W. Phan, and Kerem Varici


The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Extended version of an article accepted to Asiacrypt 2009
hash functionsblock ciphersSHA-3
Contact author(s)
jeanphilippe aumasson @ gmail com
2009-09-13: received
Short URL
Creative Commons Attribution


      author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C. -W.  Phan and Kerem Varici},
      title = {Improved Cryptanalysis of Skein},
      howpublished = {Cryptology ePrint Archive, Paper 2009/438},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.