Advances in Cryptology – CRYPTO 2013

Volume 8042 of the series Lecture Notes in Computer Science pp 241-258

Construction of Differential Characteristics in ARX Designs Application to Skein

  • Gaëtan LeurentAffiliated withUCL Crypto Group

* Final gross prices may vary according to local VAT.

Get Access


In this paper, we study differential attacks against ARX schemes. We build upon the generalized characteristics of De Cannière and Rechberger and the multi-bit constraints of Leurent.

Our main result is an algorithm to build complex non-linear differential characteristics for ARX constructions, that we applied to reduced versions of the hash function Skein. We present several characteristics for use in various attack scenarios: on the one hand we show attacks with a relatively low complexity, in relatively strong settings; and on the other hand weaker distinguishers reaching more rounds. Our most notable results are practical free-start and semi-free-start collision attacks for 20 rounds and 12 rounds of Skein-256, respectively. Since the full version of Skein-256 has 72 rounds, this result confirms the large security margin of the design.

These results are some of the first examples of complex differential trails built for pure ARX designs. We believe this is an important work to assess the security those functions against differential cryptanalysis. Our tools are publicly available from the ARXtools webpage.


Symmetric ciphers Hash functions ARX Generalized characteristics Differential attacks Skein