Advances in Cryptology – ASIACRYPT 2009

Volume 5912 of the series Lecture Notes in Computer Science pp 542-559

Improved Cryptanalysis of Skein

  • Jean-Philippe AumassonAffiliated withFHNW
  • , Çağdaş ÇalıkAffiliated withInstitute of Applied Mathematics, Middle East Technical University
  • , Willi MeierAffiliated withFHNW
  • , Onur ÖzenAffiliated withEPFL IC LACAL
  • , Raphael C. -W. PhanAffiliated withElectronic and Electrical Engineering, Loughborough Uni
  • , Kerem VarıcıAffiliated withDept. of Electrical Engineering, K.U.Leuven


The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.