The Boomerang Attacks on the Round-Reduced Skein-512

Hongbo Yu, Jiazhe Chen, Xiaoyun Wang
2013 Lecture Notes in Computer Science  
The hash function Skein is one of the five finalists of the NIST SHA-3 competition; it is based on the block cipher Threefish, which uses only three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper studies boomerang attacks on Skein-512. Boomerang distinguishers on the compression function reduced to 32 and 36 rounds are proposed, with complexities 2^104.5 and 2^454 respectively. Examples of the distinguishers on 28 and 31 rounds are also given. In addition, the boomerang distinguishers are applicable to key-recovery attacks on reduced Threefish-512. The complexities of the key-recovery attacks on 32-, 33- and 34-round Threefish-512 are about 2^181, 2^305 and 2^424 respectively. Because Leurent et al. [14] pointed out that the previous boomerang distinguishers for Threefish-512 are in fact not compatible, our attacks are the first valid boomerang attacks on the final-round version of Skein-512.

Cryptographic hash functions, which provide integrity, authentication and so on, are very important in modern cryptology. After the most widely used hash functions MD5 and SHA-1 were broken by Wang et al. [18, 19] in 2005, NIST started a hash competition for a new hash standard (SHA-3) in 2007. The competition has now reached the third (final) round, and five candidates have been selected. Skein [7], one of the finalists, is an ARX-type hash function (based on modular addition, rotation and exclusive-OR). The core of the compression function of Skein is a tweakable block cipher called Threefish, which is proposed with 256-, 512- and 1024-bit block sizes and 72, 72 and 80 rounds, respectively. When the algorithm entered the second round, the authors changed the rotation constants, and after it was selected as a finalist, the constants used in the key schedule were updated to resist the rotational attack [10, 11].

During the competition, Skein has attracted the attention of cryptanalysts, and there are several cryptanalytic results on the security of the compression function of Skein and the underlying block cipher Threefish. At Asiacrypt 2009 [1], Aumasson et al. used the boomerang attack to launch a key-recovery attack on Threefish-512 reduced to 32 rounds and a known-key distinguisher on 35 rounds under the old rotation constants. However, we find that their differential paths use an inverse permutation instead of the original one. At ISPEC 2010 [6], Chen et al. also proposed a boomerang attack for the key recovery of Threefish-512 reduced to 33 and 34 rounds. At CT-RSA 2012 [14], Leurent et al. gave a boomerang distinguisher for the 32-round compression function of Skein-256 with complexity 2^114, and they also pointed out that the differential paths in [6] are incompatible. We correct the paths in [1] with the right permutation and show that they are also incompatible under the old rotation constants, due to contradictions similar to those in [6]. At CANS 2010 [15], Su et al. presented free-start near-collisions of the Skein-256/-512 compression functions reduced to 20 rounds and of Skein-1024 reduced to 24 rounds.
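The text above characterises Threefish only by its ARX operations and round count, and the central point is that earlier boomerang paths turned out to be incompatible, i.e. no quartet actually follows them. The following is an added example, not code from the paper or from the Skein team: a compact reduced-round Threefish-512 (rotation constants, word permutation and key-schedule constant as recalled from the Skein v1.3 specification; assumed correct here but not validated against the official test vectors) together with a quartet checker that measures how often a candidate boomerang (alpha, delta) returns through r rounds. The sample key, tweak and the 1-round sanity characteristic (a most-significant-bit difference, which crosses modular addition with probability 1) are constructed for the example; the paper's own 28- to 36-round differences are not on this page and would be substituted in by the reader.

```python
"""Reduced-round Threefish-512 plus a boomerang-quartet checker.

Added example, not code from the paper.  Constants follow the Skein v1.3
spec as recalled by the example's author: round-trip is verified below,
agreement with the official KAT vectors is not.  Convention of this example:
a round count that is not a multiple of 4 skips the final subkey injection.
"""
import os
import struct

MASK = (1 << 64) - 1
NW = 8                        # 512-bit block = 8 words of 64 bits
C240 = 0x1BD11BDABD11BDAA     # key-schedule constant (v1.3 value, assumed)
PERM = (2, 1, 4, 7, 6, 5, 0, 3)
ROT = (                       # rotation constants R[d mod 8][j] (assumed)
    (46, 36, 19, 37), (33, 27, 14, 42), (17, 49, 36, 39), (44, 9, 54, 56),
    (39, 30, 34, 24), (13, 50, 10, 17), (25, 29, 39, 43), (8, 35, 56, 22),
)


def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK


def mix(x0, x1, r):
    """Threefish MIX: one addition, one rotation, one XOR (the ARX core)."""
    y0 = (x0 + x1) & MASK
    return y0, rotl(x1, r) ^ y0


def unmix(y0, y1, r):
    x1 = rotr(y1 ^ y0, r)
    return (y0 - x1) & MASK, x1


def subkeys(key, tweak, rounds):
    """Subkey s is injected before round 4s (and after the last round)."""
    parity = C240
    for w in key:
        parity ^= w
    k = list(key) + [parity]
    t = (tweak[0], tweak[1], tweak[0] ^ tweak[1])
    out = []
    for s in range(rounds // 4 + 1):
        sk = [k[(s + i) % (NW + 1)] for i in range(NW)]
        sk[NW - 3] = (sk[NW - 3] + t[s % 3]) & MASK
        sk[NW - 2] = (sk[NW - 2] + t[(s + 1) % 3]) & MASK
        sk[NW - 1] = (sk[NW - 1] + s) & MASK
        out.append(sk)
    return out


def encrypt(key, tweak, block, rounds=72):
    v, sk = list(block), subkeys(key, tweak, rounds)
    for d in range(rounds):
        if d % 4 == 0:
            v = [(a + b) & MASK for a, b in zip(v, sk[d // 4])]
        for j in range(NW // 2):
            v[2 * j], v[2 * j + 1] = mix(v[2 * j], v[2 * j + 1], ROT[d % 8][j])
        v = [v[PERM[i]] for i in range(NW)]
    if rounds % 4 == 0:
        v = [(a + b) & MASK for a, b in zip(v, sk[rounds // 4])]
    return tuple(v)


def decrypt(key, tweak, block, rounds=72):
    v, sk = list(block), subkeys(key, tweak, rounds)
    if rounds % 4 == 0:
        v = [(a - b) & MASK for a, b in zip(v, sk[rounds // 4])]
    for d in reversed(range(rounds)):
        w = [0] * NW                      # undo the word permutation
        for i in range(NW):
            w[PERM[i]] = v[i]
        v = w
        for j in range(NW // 2):
            v[2 * j], v[2 * j + 1] = unmix(v[2 * j], v[2 * j + 1], ROT[d % 8][j])
        if d % 4 == 0:
            v = [(a - b) & MASK for a, b in zip(v, sk[d // 4])]
    return tuple(v)


def xor_block(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def word_diff(*positions, bit=63):
    """XOR difference with `bit` set in the listed words (default: the MSB)."""
    return tuple((1 << bit) if i in positions else 0 for i in range(NW))


def boomerang_rate(enc, dec, alpha, delta, trials=256):
    """Fraction of random pairs (P1, P2 = P1 ^ alpha) whose boomerang returns,
    i.e. D(E(P1) ^ delta) ^ D(E(P2) ^ delta) == alpha.  A rate stuck at zero
    over many trials is the empirical symptom of an incompatible path."""
    hits = 0
    for _ in range(trials):
        p1 = struct.unpack("<8Q", os.urandom(64))
        p2 = xor_block(p1, alpha)
        c1, c2 = enc(p1), enc(p2)
        p3, p4 = dec(xor_block(c1, delta)), dec(xor_block(c2, delta))
        hits += xor_block(p3, p4) == alpha
    return hits / trials
```

Usage: with `enc = lambda b: encrypt(key, tweak, b, rounds=1)` and the matching `dec`, `boomerang_rate(enc, dec, word_diff(0), word_diff(1, 6))` returns 1.0, because an MSB difference in word 0 survives the subkey addition and the first MIX deterministically and is moved to words 1 and 6 by the permutation. That is only a plumbing check; the interesting use is to plug in a published multi-round (alpha, delta) with `rounds=28` or `32` and compare the measured rate against the claimed 2^-p, which is how one would confirm or refute the compatibility of a characteristic before building a key-recovery attack on it.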
doi:10.1007/978-3-642-35999-6_19