The Skein Hash Function Family

Executive Summary

Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze.

Skein is fast. Skein-512—our primary proposal—hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core—almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hash-tree mode speeds up parallelizable implementations even more. Skein is fast for short messages, too; Skein-512 hashes short messages in about 1000 clock cycles.

Skein is secure. Its conservative design is based on the Threefish block cipher. The current best attack on the tweaked Threefish-512 is on 35 of 72 rounds, for a safety factor of just over 2.0. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm.

Skein is simple. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function.

Skein is flexible. Skein is defined for three different internal state sizes—256 bits, 512 bits, and 1024 bits—and any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: PRNG, stream cipher, key derivation function, authentication without the overhead of HMAC, and personalization capability. All these features can be implemented with very low overhead.

Together with the Threefish large-block cipher at Skein's core, this design provides a full set of symmetric cryptographic primitives suitable for most modern applications. Skein is efficient on a variety of platforms, both hardware and software. Skein-512 can be implemented in about 200 bytes of state. Small devices, such as 8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. Larger devices can implement the larger versions of Skein to achieve faster speeds. Skein was designed by a team of highly experienced cryptographic experts from academia and industry, with expertise in cryptography, security analysis, software, chip design, and …
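The "three primitive operations" behind the Skein compression function are 64-bit modular addition, rotation and XOR, combined in Threefish's MIX step. The following is an added illustration, not code from the Skein paper or its reference implementation: MIX and its inverse applied across a 512-bit state, showing why the step is both easy to remember and invertible. The sample state and the rotation amounts are constructed placeholders, not the rotation constants from the Threefish specification.

```python
MASK64 = (1 << 64) - 1  # Threefish words are unsigned 64-bit integers

def rotl64(x, r):
    """Rotate the 64-bit word x left by r bits (r reduced mod 64)."""
    r %= 64
    return ((x << r) | (x >> (64 - r))) & MASK64

def rotr64(x, r):
    """Rotate the 64-bit word x right by r bits."""
    return rotl64(x, 64 - (r % 64))

def mix(x0, x1, r):
    """Threefish MIX: y0 = (x0 + x1) mod 2^64, y1 = (x1 <<< r) xor y0."""
    y0 = (x0 + x1) & MASK64
    y1 = rotl64(x1, r) ^ y0
    return y0, y1

def unmix(y0, y1, r):
    """Inverse of mix: undo the XOR and rotation first, then the addition."""
    x1 = rotr64(y1 ^ y0, r)
    x0 = (y0 - x1) & MASK64
    return x0, x1

def mix_layer(words, rots):
    """Apply MIX to each adjacent word pair of the state (4 pairs for Skein-512)."""
    assert len(words) == 2 * len(rots)
    out = []
    for i, r in enumerate(rots):
        out.extend(mix(words[2 * i], words[2 * i + 1], r))
    return out

def unmix_layer(words, rots):
    """Undo mix_layer pair by pair."""
    assert len(words) == 2 * len(rots)
    out = []
    for i, r in enumerate(rots):
        out.extend(unmix(words[2 * i], words[2 * i + 1], r))
    return out

# Constructed 512-bit sample state and placeholder rotation amounts; the real
# per-round rotation constants are defined by the Threefish specification.
SAMPLE_STATE = [0x0123456789ABCDEF, 0xFFFFFFFFFFFFFFFF, 0, 1,
                0xDEADBEEFCAFEBABE, 0x8000000000000000, 7, 0x7FFFFFFFFFFFFFFF]
SAMPLE_ROTS = [3, 11, 29, 50]

def round_trips(state=SAMPLE_STATE, rots=SAMPLE_ROTS):
    """MIX is a bijection on the state, so unmixing restores the input exactly."""
    mixed = mix_layer(state, rots)
    return mixed != state and unmix_layer(mixed, rots) == state
```

The modular wrap in `mix` (an all-ones word plus one becomes zero) is the case that makes the inverse need subtraction mod 2^64 rather than plain integer subtraction.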
