Hongbo Yu, Jiazhe Chen, Xiaoyun Wang

1 Introduction

Cryptographic hash functions are very important in modern cryptology; they provide integrity, authentication, etc. In 2005, the most widely used hash functions, MD5 and SHA-1, were broken by Wang et al. [15, 16], and the status of hash functions became alarming. To deal with this undesirable situation, NIST started a hash competition for a new hash standard (SHA-3) in 2007. A total of 64 hash function proposals were submitted, and 51 of them advanced to the first round. After more than a year of evaluation, 14 submissions entered the second round. By 2010, the competition came into the final round, and 5 of the second-round candidates were selected as finalists. NIST has now chosen Keccak [2] as the SHA-3 winner.

Skein [3] is one of the five finalists; it is an ARX-type hash function (based on modular addition, rotation and exclusive-OR). The core of Skein is a tweakable block cipher called Threefish, which is proposed with 256-, 512- and 1024-bit block sizes and 72, 72 and 80 rounds respectively. During the competition, Skein has attracted the attention of cryptanalysts, and there are several cryptanalytic results on the security of the compression function of Skein. At Asiacrypt 2009 [1], Aumasson et al. proposed a free-start near-collision attack on the 17-round Skein-512 compression function with the old constants. At CANS 2010 [14], Su et al. presented free-start near-collisions of Skein-256/-512 reduced to 20 rounds and Skein-1024 reduced to 24 rounds. At Asiacrypt 2010 [9], Khovratovich et al. combined the rotational attack with the rebound attack, and gave distinguishers for 53-round Skein-256 and 57-round Skein-512 respectively. When the algorithm entered the second round, the authors changed the rotation constants to resist the rotational attack [8, 9]. For the new version of Skein, Leurent and Roy [12] gave a boomerang distinguisher for the 32-round compression function of Skein-256 and Yu et al. [17] provided a boomerang distinguisher for 36-round Skein-512. At FSE 2012 [10], Khovratovich et al. gave a pseudo-preimage attack on the 22-round Skein-512 hash function and the 37-round Skein-512 compression function by the biclique method, with complexities only marginally lower than exhaustive search.

Rebound attack for the ARX-type hash function. The rebound attack was presented by Mendel et al. at FSE 2009 [5] during the SHA-3 evaluation; it is used to analyze hash functions based on the AES-like structure. A series of hash functions such as Whirlpool, Grøstl and JH [5–7, 11] are vulnerable to the rebound attack. Its basic strategy is to match two short truncated differentials in the middle using the degrees of freedom of the chaining values and messages. As the matching part is the S-box layer, which has a good distribution of input and output differences, i.e., the average probability for each input/output difference pair to pass the S-box is 1/2, one can search for differentials that can be connected with high probability.

However, when applying the rebound attack to ARX-type hash functions, we have to find two specific differentials that can be matched. Furthermore, there are no S-boxes in the connecting layer, and the distribution of the differences produced by the modular addition, rotation and XOR operations is harder to determine than that of S-boxes. As a result, it is far more difficult to apply the rebound attack to ARX-type hash functions by connecting two differential paths into a long one.

Our contribution. This paper focuses on the cryptanalysis of Skein-256 compression function. We attempt to apply the rebound-type idea to the differential attack on the ARX-type algorithms. We first find two short differential paths by the modular differential techniques, then connect them to get a 32-round differential path. Finally, by applying the message modification techniques, we give a partial-collision attack on 32-round Skein-256 compression function. In order to verify the validity of our differential path, we provide examples of near-collision which follow our differential path for Skein-256 reduced to 24 and 28 rounds. The main results of this paper are shown in Table 1.

Table 1. The main results of this paper.

The rest of the paper is organized as follows. In Sect. 2, we give some notations and a brief description of Skein-256 compression function. The main idea of our attack is described in Sect. 3. In Sect. 4, we demonstrate the techniques of our attack in detail. Finally, a conclusion is given in Sect. 5.

2 Preliminaries

In this section, we first give some notations used throughout the paper, and then describe the compression function of Skein-256 briefly.

2.1 Notations

1. \(\oplus \): exclusive-OR (XOR)

2. \(+\) and \(-\): addition and subtraction modulo \(2^{64}\)

3. \(\varDelta a\): the XOR difference of \(a\) and \(a'\)

4. \(\varDelta ^+ a\): the modular subtraction difference of \(a\) and \(a'\) (modulo \(2^{64}\))

5. \(\lll \): rotation to the left

6. \(a_{i,j}\): the \(j\)-th bit of \(a_i\), where \(a_{i}\) is a 64-bit word and \(a_{i,64}\) is the most significant bit

7. \(a_{i,j-k}\): the abbreviation of \(a_{i,j}\), \(a_{i,j+1}\), ..., \(a_{i,k}\)

2.2 Near-Collision and Partial-Collision

The Handbook of Applied Cryptography [4] defines near-collision resistance by

Near-collision resistance. Let \(h\) be a hash function; it should be hard to find any two inputs \(M\), \(M'\) such that \(h(M)\) and \(h(M')\) differ in a small number of bits.

More specifically, \(h\) is a hash function that takes an \(n\)-bit initial value IV and an \(m\)-bit message block \(M\) as inputs, and outputs another \(n\)-bit chaining value. A \(k\)-bit \((k<n)\) near-collision on \(h\) is obtained whenever two messages \(M_1\) and \(M_2\) satisfy:

$$ HW(h(M_1,IV)\oplus h(M_2,IV))=n-k, $$

where \(HW\) denotes the Hamming weight, so the left-hand side is the Hamming distance between the two outputs. Usually, we interpret the “small number” as \(n-k\le n/3\).

  • For a generic attack, a \(k\)-bit near-collision is expected to cost about \(\sqrt{2^n/C_n^k }\). For \(n=256\) and \(k=206\), the complexity is only about \(2^{39}\) hash computations; for \(n=256\) and \(k=28\), the complexity is about \(2^{66.5}\).

  • However, if we fix the \(k\) colliding bit positions, the complexity for finding a near-collision with Hamming distance \(n-k\) is about \(2^{k/2}\) by the birthday paradox. Previous works [13] have used the term partial-collision for this notion. For \(n=256\) and \(k=206\), the complexity to find a 206-bit partial-collision is about \(2^{103}\).

  • When we fix the \(k\) colliding bit positions and require the differences in the other positions to be non-zero (in this case the output difference is a given difference with \(k\) zero bits), the complexity for finding a \(k\)-bit near-collision is about \(2^{n/2}\) by the birthday paradox. For \(n=256\), the complexity is \(2^{128}\) no matter what the value of \(k\) is.

  • Furthermore, when the input difference is also fixed, the generic complexity would be \(2^{n}\). In this paper, our attack belongs to this case.

2.3 Brief Description of the Compression Function of Skein-256

The compression function of Skein is defined as \(H=E(IV,T,M)\oplus M\), where \(E(IV,T,M)\) is the block cipher Threefish, \(M\) is the message, \(IV\) is the initial value and \(T\) is the tweak value. Here \(E\) takes the message as plaintext and the \(IV\) as master key. The word size which Skein operates on is 64 bits. For Skein-256, both \(M\) and \(IV\) are 256 bits, and the length of \(T\) is 128 bits. Let us denote \(h_i=(a_i,b_i,c_i,d_i)\) as the output value of the \(i\)-th round, where \(a_i\), \(b_i\), \(c_i\) and \(d_i\) are 64-bit words. Let \(h_0=M\) be the plaintext; the encryption procedure of Threefish-256 is carried out for \(i=1\) to 72 as follows.

If \((i-1)\mod 4=0\), first compute \(A_{i-1}=a_{i-1}+K_{(i-1)/4,a}\), \(B_{i-1}=b_{i-1}+K_{(i-1)/4,b}\), \(C_{i-1}=c_{i-1}+K_{(i-1)/4,c}\) and \(D_{i-1}=d_{i-1}+K_{(i-1)/4,d}\), where \(K_{(i-1)/4}\) are round subkeys which get involved every four rounds. Then carry out:

$$\begin{aligned} a_i&=A_{i-1}+B_{i-1}, d_i=a_i\oplus (B_{i-1}\lll R_{i,1}),\\ c_i&=C_{i-1}+D_{i-1}, b_i=c_i\oplus (D_{i-1}\lll R_{i,2}), \end{aligned}$$

where \(R_{i,1}\) and \(R_{i,2}\) are rotation constants which can be found in [3]. For the sake of convenience, we denote \(\overline{h_{i-1}}=(A_{i-1},B_{i-1},C_{i-1},D_{i-1})\).

If \((i-1)\mod 4\ne 0\), compute:

$$\begin{aligned} a_i&=a_{i-1}+b_{i-1}, d_i=a_i\oplus (b_{i-1}\lll R_{i,1}),\\ c_i&=c_{i-1}+d_{i-1}, b_i=c_i\oplus (d_{i-1}\lll R_{i,2}). \end{aligned}$$

After the last round, the ciphertext is computed as \(\overline{h_{72}}\).

The key schedule starts with the master key \(K=(k_0,k_1,k_2,k_{3})\) and the tweak value \(T=(t_0,t_1)\). First we compute:

$$ k_{4}:=0x1bd11bdaa9fc1a22 \oplus {\displaystyle \bigoplus \limits _{i=0}^{3}} k_{i} \ \ \ \ {\text{ and }} \ \ \ \ t_2:=t_0\oplus t_1. $$

Then the subkeys are derived for \(s=0\) to 18:

$$\begin{aligned} K_{s,a}&:=k_{(s+0)\,\mathrm{mod }\,5}\\ K_{s,b}&:=k_{(s+1)\,\mathrm{mod }\,5}+t_{s\,\mathrm{mod }\,3} \\ K_{s,c}&:=k_{(s+2)\,\mathrm{mod }\,5}+t_{(s+1)\,\mathrm{mod }\,3}\\ K_{s,d}&:=k_{(s+3)\,\mathrm{mod }\,5}+s\\ \end{aligned}$$
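The following Python program is an added example (not the paper's or the Skein team's code). It implements the Threefish-256 round function, key schedule and Skein-256 compression function exactly as described in this section, and it also computes the XOR difference of every subkey for the difference \(\varDelta k_3=\varDelta t_0=2^{63}\) that Sect. 4.1 uses, i.e. the content of Table 2. Assumptions: the rotation constants are the Skein 1.3 values from [3] (the paper does not list them), indexed by \((i-1)\bmod 8\) for round \(i\); the word permutation of Threefish is already folded into the paper's round equations; a reduced-round variant outputs \(h_r+K_{r/4}\), so `rounds` must be a multiple of 4; the key and tweak values in the main block are constructed test inputs.

```python
"""Threefish-256 and the Skein-256 compression function, following Sect. 2.3."""

MASK = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22                      # key-schedule constant, as in the paper
# (R_{i,1}, R_{i,2}) for (i-1) mod 8 = 0..7; Skein 1.3 constants from [3] (assumption, not in the text)
ROT = [(14, 16), (52, 57), (23, 40), (5, 37), (25, 33), (46, 12), (58, 22), (32, 32)]


def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK


def subkeys(key, tweak):
    """K_s = (K_{s,a}, K_{s,b}, K_{s,c}, K_{s,d}) for s = 0..18."""
    k = list(key) + [C240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]   # k_4
    t = list(tweak) + [tweak[0] ^ tweak[1]]                      # t_2
    return [(k[s % 5],
             (k[(s + 1) % 5] + t[s % 3]) & MASK,
             (k[(s + 2) % 5] + t[(s + 1) % 3]) & MASK,
             (k[(s + 3) % 5] + s) & MASK) for s in range(19)]


def add_words(h, K):
    return tuple((x + y) & MASK for x, y in zip(h, K))


def sub_words(h, K):
    return tuple((x - y) & MASK for x, y in zip(h, K))


def encrypt(key, tweak, plaintext, rounds=72):
    """E(IV, T, M): `key` plays the role of the IV and `plaintext` of the message block."""
    assert rounds % 4 == 0
    K = subkeys(key, tweak)
    h = tuple(plaintext)                       # h_0 = M
    for i in range(1, rounds + 1):
        if (i - 1) % 4 == 0:                   # subkey injection every four rounds
            h = add_words(h, K[(i - 1) // 4])
        a, b, c, d = h
        r1, r2 = ROT[(i - 1) % 8]
        a_i = (a + b) & MASK
        d_i = a_i ^ rotl(b, r1)
        c_i = (c + d) & MASK
        b_i = c_i ^ rotl(d, r2)
        h = (a_i, b_i, c_i, d_i)
    return add_words(h, K[rounds // 4])        # \overline{h_rounds}


def decrypt(key, tweak, ciphertext, rounds=72):
    """Inverse of encrypt; used here to sanity check the round function."""
    assert rounds % 4 == 0
    K = subkeys(key, tweak)
    h = sub_words(tuple(ciphertext), K[rounds // 4])
    for i in range(rounds, 0, -1):
        a_i, b_i, c_i, d_i = h
        r1, r2 = ROT[(i - 1) % 8]
        b = rotr(a_i ^ d_i, r1)                # d_i = a_i xor (b <<< R_{i,1})
        a = (a_i - b) & MASK
        d = rotr(c_i ^ b_i, r2)                # b_i = c_i xor (d <<< R_{i,2})
        c = (c_i - d) & MASK
        h = (a, b, c, d)
        if (i - 1) % 4 == 0:
            h = sub_words(h, K[(i - 1) // 4])
    return h


def compress(iv, tweak, message, rounds=72):
    """H = E(IV, T, M) xor M."""
    return tuple(x ^ m for x, m in zip(encrypt(iv, tweak, message, rounds), message))


def subkey_xor_differences(key, tweak, delta_key, delta_tweak):
    """XOR difference of each subkey between (key, tweak) and the pair obtained by
    XORing delta_key / delta_tweak into them; for the paper's choice this is Table 2."""
    key2 = tuple(x ^ y for x, y in zip(key, delta_key))
    tweak2 = tuple(x ^ y for x, y in zip(tweak, delta_tweak))
    return [tuple(x ^ y for x, y in zip(K1, K2))
            for K1, K2 in zip(subkeys(key, tweak), subkeys(key2, tweak2))]


if __name__ == "__main__":
    MSB = 1 << 63
    key = (0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x1122334455667788, 0x8877665544332211)  # constructed
    tweak = (0xA5A5A5A5A5A5A5A5, 0x5A5A5A5A5A5A5A5A)                                       # constructed
    for s, dK in enumerate(subkey_xor_differences(key, tweak, (0, 0, 0, MSB), (MSB, 0))[:9]):
        print(f"Delta K_{s} =", tuple("2^63" if x == MSB else "0" for x in dK))
```

Because adding \(2^{63}\) modulo \(2^{64}\) flips only the most significant bit and never produces a carry, the XOR difference of every subkey is the same for every key and tweak; this is why the subkey differences in Table 2 hold with probability 1, and the main block prints \(\varDelta K_0,\dots ,\varDelta K_8\).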

3 Outline of Our Attack

Skein is one of the SHA-3 finalists which uses the operations modular addition, rotation and XOR. Because of the strong diffusion after several rounds, only short differential paths can be found for Skein. An easy way to get a short differential path is to find a short local collision in the middle, and then extend the local collision forward and backward, see the left part of Fig. 1. After finding a differential path of this type, we try to modify the message in the first several rounds to improve the efficiency. For Skein, by choosing proper differences in the messages, IVs and tweak values, we can get a local collision for 8 rounds. Then we can get differential paths with more rounds by extending the 8-round local collision forward and backward. But longer differential paths are not easy to search for, since a single-bit difference propagates to a heavy-weight difference after 4 rounds. A natural idea is to connect two short differential paths into a long one, and then cancel a vast number of conditions by using message modification techniques in the connecting layer, see the right part of Fig. 1. The most expensive part of this strategy is the connection of the two differential paths, which is described in Sect. 4. To solve this problem, we use the properties of both the XOR difference and the modular subtraction difference, and choose an optimal position for the connection. Then by the bit-carry technique (which is the key technique for the connection), we find an 8-round non-linear differential to connect two short differential paths with 16 and 8 rounds respectively. Consequently, a differential path with 32 rounds is constructed, which can be used to mount a near-collision attack on 32-round Skein-256 by further applying message modification techniques to reduce the conditions. The details of our attack can be found in Sect. 4.

Fig. 1. Two attack models

Actually, our method can be applied to ARX-type hash functions that have no complex message expansion and in which the message words or IVs are injected every round (or every few rounds).

4 Partial Collisions for 32-Round Compression Function of Skein-256

As mentioned above, the basic idea of our near-collision attack is to connect two short differential paths into a long one. To achieve this purpose, there are several steps to be carried out. Firstly, a proper difference in \((K,T)\) should be chosen, which is the starting point of our attack. Secondly, we connect two short differential paths by the non-linear expansion in the middle rounds, and derive the sufficient conditions that guarantee the differential path holds. Thirdly, the vast number of conditions in the intermediate rounds should be corrected by modifying the chaining variables, the key \(K\) and the tweak value \(T\). Finally, after the message/IV modification, we search the remaining conditions by a divide-and-conquer technique.

4.1 Finding Two Short Differential Paths

The differences of the master key \(K=(k_0,k_1,k_2,k_3)\) and tweak value \(T=(t_0,t_1)\) selected for our differential path are \(\varDelta k_3=2^{63}\) and \(\varDelta t_0=2^{63}\). According to the key schedule, the differences for the subkey \(K_i=(K_{i,a},K_{i,b},K_{i,c},K_{i,d})\) \((0\le i\le 8)\) are shown in Table 2.

Table 2. The subkey differences of 32-round Skein-256, given a difference \(\delta =2^{63}\) in \(k_3\) and \(t_0\).

The first short differential path we used consists of 16 rounds. Because \(\varDelta K_1=(0,0,0,2^{63})\) and \(\varDelta K_2=(0,0,0,0)\), the intermediate values are selected to meet \(\varDelta h_{4}=(0,0,0,2^{63})\), resulting in an 8-round path with zero differential from rounds 5 to 12. By extending the difference \(\varDelta h_4\) in the backward direction for 4 rounds and the difference \(\varDelta \overline{h_{12}}=\varDelta K_3\) in the forward direction for 4 rounds by the linear expansion, a 16-round differential path with high probability can be obtained.

The second differential path is shorter than the first one, as the number of zero-difference rounds in it is only 4. We choose \(\varDelta h_{24}\) as \((0,2^{63},2^{63},2^{63})\) to compensate the difference \(\varDelta K_6=(0,2^{63},2^{63},2^{63})\), which results in zero difference in rounds 25 to 28. As a consequence, an 8-round differential path with high probability can be obtained by linearly expanding the difference \(\varDelta \overline{h_{28}}=\varDelta K_7\) in the forward direction for 4 rounds.

4.2 Connecting the Two Short Differential Paths

The most difficult work in this paper is to connect the two short differential paths from rounds \({16}\) to \(24\) by the non-linear difference expansion. We choose the 20-th round as the connecting point; the reason is that the 20-th round is the place where the subkey is added (by integer modular addition). If we connect the two differential paths in this round, the only requirement is that the integer modular subtraction difference \(\varDelta ^{+}h_{20}\) computed in the forward direction and \(\varDelta ^{+}\overline{h_{20}}\) computed in the backward direction satisfy the equation \(\varDelta ^{+}\overline{h_{20}}=\varDelta ^{+} h_{20}+\varDelta ^{+}K_5\). Otherwise, if we connect the two differential paths in another round in which no subkey intervenes, both the integer modular subtraction differences and the XOR differences computed in the two directions must be equal, which makes the connection considerably harder.

For example, let \(\varDelta a_i=0x37\) be the XOR difference of round \(i\) computed in the forward direction, and \(\varDelta A_i=0x11\) be the difference computed in the backward direction; the \(i\)-th round is the round where we want to match \(\varDelta a_i\) and \(\varDelta A_i\). If \(i=20\), it is easy to see that the difference \(\varDelta ^+ a_i\) equals \(\varDelta ^+A_i\) as long as \(A_{i,1}=a_{i,1}\oplus 1\), \(a_{i,1}=a_{i,2}=a_{i,3}\oplus 1\), \(A_{i,5}=a_{i,5}\oplus 1\) and \(a_{i,5}=a_{i,6}\oplus 1\). Hence \(\varDelta a_i\) and \(\varDelta A_i\) can be connected with probability \(2^{-5}\). Otherwise, if \(i=19\), it is obvious that \(\varDelta a_i\) and \(\varDelta A_i\) cannot be connected because \(\varDelta a_i \ne \varDelta A_i\).

The major technique to connect two differential paths is the bit-carry technique; hundreds of bit equations need to be handled during the process of connection. Now we describe how to connect the two differential paths briefly.

For \(16<i\le 20\), firstly we compute the modular difference \(\varDelta ^{+}a_{i+1}=\varDelta ^{+}a_i+\varDelta ^{+}b_i\) and \(\varDelta ^{+}c_{i+1}=\) \(\varDelta ^{+}c_i+\varDelta ^{+}d_i\), then we convert the modular differences into XOR differences so that \(\varDelta a_i\) and \(\varDelta c_i\) have the lowest Hamming weights respectively. Finally, the XOR differences \(\varDelta b_{i+1}\) and \(\varDelta d_{i+1}\) are computed as \(\varDelta b_{i+1}=\varDelta c_{i+1}\oplus (\varDelta d_{i}\lll R_{i,2})\) and \(\varDelta d_{i+1}=\varDelta a_{i+1}\oplus (\varDelta b_{i}\lll R_{i,1})\). In the same way, we can compute \(\varDelta h_{24}\) to \(\varDelta \overline{h_{20}}\) by the backward direction so that the Hamming weights of \(\varDelta a_{i}\) and \(\varDelta c_{i}\) (\(20\le i \le 24\)) are as low as possible (see Table 2).

What we have to do next is to match \(\varDelta h_{20}\) and \(\varDelta \overline{h_{20}}\) so that their integer modular subtraction difference is equal to \(\varDelta ^{+}K_5\). Generally, we first select \(\varDelta ^{+}a_{20}\) and \(\varDelta ^{+}c_{20}\) as the targets, and adjust the differences \(\varDelta ^{+} A_{20}\) and \(\varDelta ^{+} C_{20}\) to match \(\varDelta ^{+}a_{20}\) and \(\varDelta ^{+}c_{20}\) respectively by making a decision for the differences of \(\varDelta \overline{h_{20}}\) to \(\varDelta h_{24}\). Then we regard \(\varDelta B_{20}\) and \(\varDelta D_{20}\) as the targets again, and adjust the differences \(\varDelta b_{20}\) and \(\varDelta d_{20}\) to be consistent with \(\varDelta B_{20}\) and \(\varDelta D_{20}\) by modifying the differences \(\varDelta h_{16}\) to \(\varDelta h_{20}\).

In the following, we demonstrate how to match the modular subtraction differences of \(a_{20}\) and \( A_{20}\) as an example. Here \(\varDelta ^{+} a_{20}\) is the target, hence we would like to adjust the difference \(\varDelta ^+ A_{20}\) by modifying the differences \(\varDelta a_{21}\), \(\varDelta d_{21}\), \(\varDelta b_{22}\), \(\varDelta a_{23}\) and \(\varDelta d_{23}\) so that \(\varDelta ^{+} a_{20}=\varDelta ^{+} A_{20}\). From Table 3, we can express the modular differences of \(\varDelta a_{20}\) and \(\varDelta A_{20}\) as

$$ \varDelta ^{+} a_{20}=\pm \mathbf{2^{0}}\pm 2^{3}\pm 2^{8}\pm \mathbf{2^{12}} \pm 2^{14} + \cdots $$
$$ \varDelta ^{+} A_{20}=\pm \mathbf{2^{0}}\pm 2^{2}\pm 2^{4}\pm 2^{6} \pm \mathbf{2^{12}} \pm 2^{24} + \cdots $$

In order to match the \(13\) least significant bits of \(\varDelta ^+ a_{20}\) and \(\varDelta ^+ A_{20}\), we should eliminate the differences \(\pm 2^{2} \pm 2^{4}\pm 2^{6}\) and produce the differences \(\pm 2^{3} \pm 2^{8}\) for \({\varDelta ^{+} A_{20}}\). What has to be done is extending the bit differences in bold in Table 3. We first extend the differences \(\varDelta B_{20,1}\), \(\varDelta B_{20,3}\), \(\varDelta B_{20,5}\) and \(\varDelta B_{20,7}\) to be \(\varDelta B_{20,1-2}\), \(\varDelta B_{20,3-4}\), \(\varDelta B_{20,5-6}\) and \(\varDelta B_{20,7-9}\), respectively. And then, to obtain these extensions, differences \(\varDelta d_{21,26}\), \(\varDelta b_{22,38}\) and \(\varDelta a_{23,32}\) are modified for \(\varDelta B_{20,1}\); \(\varDelta a_{21, 28}\) is modified for \(\varDelta B_{20,3}\); \(d_{21,30}\) and \(c_{22,42}\) are modified for \(\varDelta B_{20,5}\). In Table 3, we show the bit differences after extension in the brackets. Because \(A_{20}=a_{21}-B_{20}\), we can produce the desired differences \(\pm 2^{3} \pm 2^{8}\) for \(A_{20}\) by further setting some conditions on \(B_{20}\) as follows:

$$\begin{aligned} B_{20,1}&=B_{20,2}=B_{20,3}\oplus 1,\\ B_{20,4}&=a_{20,4},\\ B_{20,4}&=B_{20,5}=B_{20,6}=B_{20,7}=B_{20,8}\oplus 1,\\ B_{20,9}&=a_{20,9}\oplus 1.\\ \end{aligned}$$

Table 3. Two differential paths for rounds \(16 \sim 20\) and rounds \(24 \sim \overline{20}\).

Similarly, we can also match the other differences of \(a_{20}\) and \(A_{20}\). The procedure is a backtracking search: once an inconsistency occurs, we have to jump back to an earlier stage and make a different decision about the difference, which might in turn change stages that are even earlier. Note that in this process, the following two requirements have to be considered.

1. For Skein-256, the subkeys (the IVs) intervene in the chaining values every 4 rounds, hence the degrees of freedom of the four rounds between two subkeys are 256. As a result, the number of conditions needed to guarantee the 4-round differential path must be less than 256.

2. The number of conditions deduced from the 32-round differential path should be less than 640, because the degrees of freedom of \(M\), \(K\) and \(T\) total 640.

The 32-round near-collision differential path is shown in Table 4. In Table 4, we use two kinds of difference: the XOR difference and the integer modular subtraction difference. In the round \(\overline{i}\) (the round after adding the subkey, \(i=0,4,8,...,28\)), we express the difference in the positions \(a\) and \(c\) with the integer modular subtraction difference, i.e., \(\varDelta ^{+}A_i=\varDelta ^{+}a_i+\varDelta ^{+}K_{i,a}\) and \(\varDelta ^{+}C_i=\varDelta ^{+}c_i+\varDelta ^{+}K_{i,c}\), because we only use the integer modular addition properties of \(A_i\) and \(C_i\) when computing the chaining value \(h_{i+1}\). In the other positions of the differential path, we use the XOR difference (see Table 4).

Table 4. Differential path used for the partial-collision of 32-round compression function of Skein-256, with a probability of \(2^{-89}\) after the message/IV modification.

Corresponding to the differential path in Table 4, we can compute the sufficient conditions in \(h_{20} \sim h_0\) and \(\overline{h_{20}} \sim \overline{h_{32}}\), which are shown in Tables 7 and 8 respectively.

4.3 Message/IV Modification

In order to fulfill the Message/IV modification, we replace the conditions \(b_{i,j}\), \(d_{i,j}\) \((\overline{16}\le i \le 19, 1\le j\le 32)\) from the round 19 down to round \(\overline{16}\) in Table 7 with \(a_{i+1,((j+R_{i+1,0})\mod 64)}\oplus d_{i+1,((j+R_{i+1,0})\mod 64)}\) and \(b_{i+1,((j+R_{i+1,1})\mod 64)}\oplus c_{i+1,((j+R_{i+1,1})\mod 64)}\) respectively.

We divide the conditions in Tables 7 and 8 into three groups which are shown in Tables 9, 10, and 11 respectively. The conditions in group-1 include all the conditions from round \(\overline{16}\) to \(20\) which are determined by \(h_{20}=(a_{20},b_{20},c_{20},d_{20})\). The conditions in group-2 consist of the conditions in \(\overline{h_{20}}\), \(h_{21}\), ..., \(h_{24}\) and \(c_{16}\) that depend on \(h_{20}\) and \(K_5\). All the other conditions are incorporated into group-3, which are decided by \(h_{20}\), \(K_5\), \(K_{4,b}\) and \(K_{4,d}\). The distribution of the conditions for 32-round Skein-256 is shown in Table 5.

There are 216 conditions in group-1, of which 174 conditions can be fulfilled by modifying the values of \(h_{20}\). Most of conditions in group-2 can be corrected by modifying \(K_5\) and only 18 conditions are left after message modification. The 15 conditions in \(a_{16}\), \(b_{16}\), \(d_{16}\) and \(a_{15}\) of group-3 can be modified by \(K_{4,b}\) and \(K_{4,d}\), and there are 89 conditions remaining after the message modification.

Table 5. The conditions distribution for our attack of 32-round Skein-256.

4.4 The Partial-Collision Attack on the Compression Function of 32-Round Skein-256

In our attack, we take the 256-bit value \(h_{20}\) and the 384-bit \(K_{5}\), \(K_{4,b}\) and \(K_{4,d}\) as the random variables. As the chaining values \(h_{19}\), \(h_{18}\), \(h_{17}\) and \(\overline{h_{16}}\) only depend on \(h_{20}\), the search for the right \(h_{20}\) is independent of \(K_5\) and \(K_4\). Once \(h_{20}\) is fixed, the values of \(\overline{h_{20}}\), \(h_{21}\), \(h_{22}\), \(h_{23}\), \(h_{24}\) and \(c_{16}\) are determined by \(K_5\) alone. Therefore, our near-collision search algorithm can be divided into three phases: the first phase is to find \(h_{20}\) that satisfies the conditions in group-1; the second phase is to find \(K_5\) to ensure the conditions in group-2; the last phase is to find \(K_{4,b}\) and \(K_{4,d}\) so that the differential path in Table 4 holds.

The partial-collision search algorithm:

1. Select a 256-bit chaining value \(h_{20}=(a_{20},b_{20},c_{20},d_{20})\) which satisfies the 95 conditions in \(h_{20}\) in Table 9.

   • Compute the chaining value \(h_{19}=(a_{19},b_{19},c_{19},d_{19})\) from \(h_{20}\) and modify the 62 conditions in \(a_{19}\) and \(c_{19}\) in Table 9 by \(h_{20}\) using the message/IV modification techniques.

   • Calculate the chaining values \(h_{18}=(a_{18},b_{18},c_{18},d_{18})\), \(h_{17}=(a_{17},b_{17},c_{17},d_{17})\) and \(\overline{h_{16}}=(A_{16},B_{16},C_{16},D_{16})\) from \(h_{19}\) in the backward direction. Modify 17 out of the 59 conditions, and check whether the other 42 conditions hold. If so, go to step 2; otherwise, go to step 1.

2. Choose the 256-bit subkey \(K_5=(K_{5,a},K_{5,b},K_{5,c},K_{5,d})\) randomly.

   • Compute

     $$\begin{aligned} \overline{h_{20}}&= h_{20}+K_5=(A_{20},B_{20},C_{20},D_{20}), \\ c_{16}&= C_{16}-K_{5,b}. \end{aligned}$$

     Modify the 53 conditions in \(B_{20}\) and \(D_{20}\) by \(K_{5,b}\) and \(K_{5,d}\) respectively.

   • Compute \(h_{21}\), \(h_{22}\), \(h_{23}\) and \(h_{24}\) from \(\overline{h_{20}}\) in the forward direction. Modify the \(97\) conditions in \(h_{21}\), \(h_{22}\) and \(h_{23}\) by \(K_5\). Then check whether the other 18 conditions are satisfied. If so, go to step 3; otherwise, go to step 2.

3. Select the 128-bit values \(K_{4,b}\) and \(K_{4,d}\) randomly.

   • According to the key schedule,

     $$\begin{aligned} K_{5,a}&=k_0, K_{5,b}=k_1+t_2, K_{5,c}=k_2+t_0, K_{5,d}=k_3+5, \\ K_{4,a}&=k_4, K_{4,b}=k_0+t_1, K_{4,c}=k_1+t_2, K_{4,d} =k_2+4, \end{aligned}$$

     where \(k_4=0x1bd11bdaa9fc1a22\oplus {\displaystyle \bigoplus \limits _{i=0}^3} k_{i}\) and \(t_2=t_0\oplus t_1\). Derive the key \(K=(k_0,k_1,k_2,k_3)\) and the tweak value \(T=(t_0,t_1)\):

     $$\begin{aligned} k_0&= K_{5,a}, \\ k_1&= K_{5,b}-((K_{4,b}-K_{5,a})\oplus (K_{5,c}-K_{4,d}+4)), \\ k_2&= K_{4,d}-4, \\ k_3&= K_{5,d}-5, \\ t_0&= K_{5,c}-K_{4,d}+4, \\ t_1&= K_{4,b}-K_{5,a}. \end{aligned}$$

     Then further deduce:

     $$\begin{aligned} K_{4,a}&= 0x1bd11bdaa9fc1a22\oplus K_{5,a}\oplus (K_{5,d}-5) \oplus (K_{4,d}-4) \oplus \\&\quad (K_{5,b}-((K_{4,b}-K_{5,a})\oplus (K_{5,c}-K_{4,d}+4))), \\ K_{4,c}&= K_{5,b}. \end{aligned}$$

   • Compute \(b_{16}=B_{16}-K_{4,b}\), \(d_{16}=D_{16}-K_{4,d}\) and \(a_{16}=A_{16}-K_{4,a}\). Modify the 15 conditions in \(b_{16}\), \(d_{16}\) and \(a_{16}\) by \(K_{4,b}\) and \(K_{4,d}\) respectively.

4. Compute \(K_0\), \(K_1\), \(K_2\), \(K_3\), \(K_{6}\), \(K_7\), \(K_8\) from \(K\) and \(T\), calculate \(\overline{h_{24}}\) to \(\overline{h_{32}}\) from \(h_{24}\), \(K_{6}\), \(K_7\) and \(K_8\) in the forward direction, and compute \(h_{15}\) to \(h_0\) from \(h_{16}\), \(K_0\), \(K_1\), \(K_2\) and \(K_3\) in the backward direction.

5. Let \(h_{20}'=h_{20}\oplus \varDelta h_{20}\), where \(\varDelta h_{20}\) is the difference of round 20 in Table 4. Let \(K'=(k_0,k_1,k_2,k_3+2^{63})\) and \(T'=(t_0+2^{63}, t_1)\), and compute \(h_{19}'\sim h_0'\) and \(\overline{h_{20}'}\sim \overline{h_{32}'}\) from \(h_{20}'\), \(K'\) and \(T'\). Then check whether \(h_0\oplus h_0'=\varDelta h_0\) and \(\overline{h_{32}}\oplus \overline{h_{32}'}=\varDelta \overline{h_{32}}\), where \(\varDelta h_0\) and \(\varDelta \overline{h_{32}}\) are the differences in round 0 and round \(\overline{32}\) of Table 4. If so, output the message pair \((M=h_0, M'=h_0')\), the master key \(K=(k_0,k_1,k_2,k_3)\) and the tweak \(T=(t_0, t_1)\); otherwise, go to step 3.
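The key and tweak recovery in step 3 can be checked mechanically. The following Python code is an added example (not the paper's code): it implements the forward equations for \(K_4\) and \(K_5\) listed in step 3, inverts them to recover \((K,T)\) from the freely chosen \(K_5\), \(K_{4,b}\) and \(K_{4,d}\), and confirms the deduced expressions for \(K_{4,a}\) and \(K_{4,c}\). The key, tweak and subkey values used below are constructed test inputs.

```python
"""Inverting the Threefish-256 key schedule for step 3 of the search (Sect. 4.4)."""

MASK = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22                       # key-schedule constant from Sect. 2.3


def subkeys_4_and_5(k, t):
    """K_4 and K_5 from the key schedule: exactly the equations listed in step 3."""
    k4 = C240 ^ k[0] ^ k[1] ^ k[2] ^ k[3]
    t2 = t[0] ^ t[1]
    K5 = (k[0], (k[1] + t2) & MASK, (k[2] + t[0]) & MASK, (k[3] + 5) & MASK)
    K4 = (k4, (k[0] + t[1]) & MASK, (k[1] + t2) & MASK, (k[2] + 4) & MASK)
    return K4, K5


def derive_key_tweak(K5, K4b, K4d):
    """Recover K=(k_0..k_3) and T=(t_0,t_1) from the 384 freely chosen subkey bits."""
    K5a, K5b, K5c, K5d = K5
    k0 = K5a
    t1 = (K4b - K5a) & MASK                        # K_{4,b} = k_0 + t_1
    k2 = (K4d - 4) & MASK                          # K_{4,d} = k_2 + 4
    t0 = (K5c - K4d + 4) & MASK                    # K_{5,c} = k_2 + t_0
    k3 = (K5d - 5) & MASK                          # K_{5,d} = k_3 + 5
    k1 = (K5b - (t0 ^ t1)) & MASK                  # K_{5,b} = k_1 + t_2, t_2 = t_0 xor t_1
    return (k0, k1, k2, k3), (t0, t1)


def deduced_K4a_K4c(K5, K4b, K4d):
    """The two words of K_4 that are not free: K_{4,a} = k_4 and K_{4,c} = k_1 + t_2 = K_{5,b}."""
    (k0, k1, k2, k3), _ = derive_key_tweak(K5, K4b, K4d)
    return C240 ^ k0 ^ k1 ^ k2 ^ k3, K5[1]


def roundtrip_ok(k, t):
    """Schedule -> inversion -> schedule must reproduce (K, T) and the deduced K_{4,a}, K_{4,c}."""
    K4, K5 = subkeys_4_and_5(k, t)
    k_back, t_back = derive_key_tweak(K5, K4[1], K4[3])
    return ((k_back, t_back) == (tuple(k), tuple(t))
            and deduced_K4a_K4c(K5, K4[1], K4[3]) == (K4[0], K4[2]))


def free_choice_ok(K5, K4b, K4d):
    """Any choice of (K_5, K_{4,b}, K_{4,d}) yields a (K, T) whose schedule reproduces that choice."""
    k, t = derive_key_tweak(K5, K4b, K4d)
    K4, K5_back = subkeys_4_and_5(k, t)
    return K5_back == tuple(K5) and (K4[1], K4[3]) == (K4b, K4d)


if __name__ == "__main__":
    # constructed values
    k = (0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x1122334455667788, 0x8877665544332211)
    t = (0xA5A5A5A5A5A5A5A5, 0x5A5A5A5A5A5A5A5A)
    print("schedule inverted correctly:", roundtrip_ok(k, t))
    print("arbitrary (K_5, K_4b, K_4d) is reachable:", free_choice_ok((1, 2, 3, 4), 5, 6))
```

Because the inversion succeeds for every choice of the 384 bits, the map from \((K_5,K_{4,b},K_{4,d})\) to \((K,T)\) is a bijection; this is what justifies treating these subkey words, rather than \(K\) and \(T\) themselves, as the random variables of the search.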

Table 6. Free-start near collisions examples for Skein-256.

Degrees of freedom analysis: We consider the degrees of freedom from the following four aspects:

  • The total degrees of freedom come from the message \(M\), the master key \(K\) and the tweak value \(T\). For Skein-256, we have \(256+256+128=640\) degrees of freedom to mount our attack. The number of conditions in our differentials is 488 (see Tables 7 and 8). Hence the degrees of freedom are sufficient to perform our attack.

  • The local degrees of freedom from round 20 down to round \(\overline{16}\) (group-1) are 256, which come from the chaining variables \(h_{20}=(a_{20},b_{20},c_{20},d_{20})\). The number of conditions in these 5 rounds is 216. This is enough to find a pair \(h_{20}\) and \(h'_{20}\) such that the differential path of this part holds.

  • The conditions in \(\overline{h_{20}}\), \(h_{21}\), ..., \(h_{24}\) and \(c_{16}\) (group-2) are determined by \(K_5\), which provides 256 degrees of freedom. The number of conditions in this part is only 168, so there is enough freedom to find a suitable \(K_5\).

  • The degrees of freedom from round \(\overline{24}\) to round 32 and from round 16 down to round 0 are \(128\). The number of conditions in this part is 104. Consequently, there is enough freedom to find a partial-collision after the message modifications.

The complexity computation: The complexity of our attack includes three parts:

  • The first part is to find a right 256-bit chaining value \(h_{20}\) so that it satisfies the \(216\) conditions of \(h_{20}\), \(h_{19}\), \(h_{18}\), \(h_{17}\) and \(\overline{h_{16}}\) in Table 7. After the message modifications, there are 42 conditions remaining. Hence the complexity of this part is about \(2^{42}\) 32-round Skein-256 compression function operations.

  • The second part is to find a right 256-bit value \(K_5\) that satisfies the 168 conditions in Table 10. After message modifications, the complexity for this part is about \(2^{18}\).

  • The third part is to find a 128-bit value \(K_{4,b}\) and \(K_{4,d}\) that satisfies the 104 conditions in Table 11. After message modification, the complexity for this part is about \(2^{89}\).

As a result, the total complexity of our attack is about \(2^{42}+2^{18}+2^{89}\approx 2^{89}\) 32-round Skein-256 compression function operations. The complexity can be reduced further when considering the impact of additional paths.

4.5 Near-Collisions Examples for Skein-256

In order to verify our differential path in Table 4, we give an example of a 24-round (4–28) near-collision without choosing the tweak. The complexity is about \(2^{26}\), and the Hamming distance is only 2. We also give two near-collision examples for 28-round Skein-256 in the free-tweak setting. The first example is a near-collision from rounds 0 to 28 with Hamming distance 34, and the second is from rounds 4 to 32 with Hamming distance 28. Even though the complexities of the attacks for the two near-collisions were estimated to be about \(2^{46}\) and \(2^{43}\) respectively according to our differential path, we expected them to be lower in practice due to the impact of additional paths. This is confirmed by our implementations: the practical complexities are about \(2^{44}\) and \(2^{41}\) for the two near-collisions respectively. This also reduces the complexity of the partial-collision attack on 32-round Skein-256 by a factor of \(2^{2+2}=2^4\), resulting in an attack complexity of \(2^{85}\). The near-collisions are shown in Table 6.

4.6 Discussions about the Application to Skein-512

Our techniques can also be applied to Skein-512 and Skein-1024. Since Skein-512 is the primary proposal of Skein by the authors, we mainly discuss how to apply our techniques to Skein-512. By selecting the differences for the master key \(K=(k_0,k_1,...,k_7)\) and the tweak value \(T=(t_0,t_1)\) as \(\varDelta k_7=2^{63}\) and \(\varDelta t_0=2^{63}\), we construct the first short differential path from rounds 37 to 52 with an 8-round zero-differential (from rounds 41 to 48) and the second short differential path from rounds 57 to 68 with a 4-round zero-differential in the middle. Similar to the attack on Skein-256, connecting the two differential paths (between round 53 and round 60) is also the most difficult part of the attack. Moreover, we consider the connection to be even harder than that of Skein-256, since now 512 bits have to be connected. By applying the strategy for Skein-256 to Skein-512 with more care, we estimate that the complexity of the attack on Skein-512 reduced to 32 rounds with Hamming distance 55 is about \(2^{88}\) 32-round Skein-512 computations.

5 Conclusions

In this paper, we apply the rebound-type idea to the differential attack on ARX-type hash algorithms and connect two specific short differentials into a long one. Utilizing our technique, we give three near-collision examples for the 24- and 28-round Skein-256 compression function. The complexity of the partial-collision attack on the 32-round Skein-256 compression function is about \(2^{85}\). Our method has potential application to other ARX-type hash functions.