Rotational Rebound Attacks on Reduced Skein

  • Dmitry Khovratovich
  • Ivica Nikolić
  • Christian Rechberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)

Abstract

In this paper we combine a recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach had so far only been applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to cryptanalytic results on an estimated 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher.

The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which makes it possible to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further, we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.
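As an added illustration that is not part of the paper, the following Python code applies the rotational-pair relation used by rotational cryptanalysis to the Threefish MIX function, the ARX building block of Skein (y0 = x0 + x1 mod 2^64, y1 = (x1 <<< R) XOR y0). Rotation and XOR preserve rotational pairs exactly, so only the modular addition can break them; the code measures that probability empirically and compares it with the known closed form (1 + 2^(k-n) + 2^-k + 2^-n)/4 for n-bit words rotated by k. The rotation constant R and the rotation amount k are chosen for illustration, not taken from the paper.

```python
"""Rotational pairs through the Threefish MIX function (64-bit ARX)."""
import random

WORD = 64
MASK = (1 << WORD) - 1


def rotl(x, r):
    """Rotate a 64-bit word left by r bits (0 < r < 64)."""
    return ((x << r) | (x >> (WORD - r))) & MASK


def mix(x0, x1, r):
    """Threefish MIX: one modular addition, one rotation and one XOR."""
    y0 = (x0 + x1) & MASK
    y1 = rotl(x1, r) ^ y0
    return y0, y1


def is_rotational_pair(a, b, k):
    """(a, b) is a rotational pair with amount k when b == a <<< k."""
    return rotl(a, k) == b


def mix_rotational_probability(trials, k=1, r=46, seed=1):
    """Fraction of random rotational input pairs that remain rotational
    after MIX. The rotation and the XOR commute with <<< k, so the pair
    survives exactly when the addition does. r is an illustrative constant."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        x0, x1 = rng.getrandbits(WORD), rng.getrandbits(WORD)
        y = mix(x0, x1, r)
        y_rot = mix(rotl(x0, k), rotl(x1, k), r)
        if all(is_rotational_pair(a, b, k) for a, b in zip(y, y_rot)):
            survived += 1
    return survived / trials


def addition_rotational_probability(n=WORD, k=1):
    """Closed form for P[(x + y) <<< k == (x <<< k) + (y <<< k)] over
    uniformly random n-bit x, y. For n = 64, k = 1 this is about
    0.375 = 2^-1.415, the per-addition cost in a rotational trail."""
    return (1 + 2.0 ** (k - n) + 2.0 ** (-k) + 2.0 ** (-n)) / 4


if __name__ == "__main__":
    print("empirical:", mix_rotational_probability(20000))
    print("closed form:", addition_rotational_probability())
```

Every rotational trail through Threefish pays roughly this factor per addition, which is why the number of reachable rounds is bounded and why the paper's choice of input values matters so much.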

Keywords

  • Skein
  • hash function
  • rotational cryptanalysis
  • rebound attack
  • distinguisher

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Dmitry Khovratovich (1, 2)
  • Ivica Nikolić (1)
  • Christian Rechberger (3)
  1. University of Luxembourg, Luxembourg
  2. Microsoft Research Redmond, USA
  3. ESAT/COSIC, and IBBT, Katholieke Universiteit Leuven, Belgium