Threefish

Threefish
General
Designers	Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
First published	2008
Related to	Blowfish, Twofish
Cipher detail
Key sizes	256, 512 or 1024 bits; (key size is equal to block size)
Block sizes	256, 512 or 1024 bits
Rounds	72 (80 for 1024-bit block size)
Speed	6.1 cpb on Core 2.
Best public cryptanalysis
	In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.

Last updated May 27, 2024

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks;^[1] its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

Description of the cipher

Threefish works on words of 64 bits (unsigned Little endian integers). $w\in \{4,8,16\}$ is the number of plaintext words and also of key words. The tweak consists of two words. All additions and subtractions are defined modulo $2^{64}$ .

Key schedule

Threefish encrypts in $r$ rounds and uses ${\frac {r}{4}}+1$ different round keys. After every four rounds, and before the first, $w$ round key words are added to the $w$ data words. To calculate the round keys an additional key word $k_{w}$ is appended to the original key words $k_{0},k_{1},\dots ,k_{w-1}$ . Also, an additional tweak word $t_{2}$ is appended to the tweak words $t_{0},t_{1}$ .

k_{w}=C\oplus k_{0}\oplus k_{1}\oplus \dots \oplus k_{w-1};\quad C={\text{0x1BD11BDAA9FC1A22}}

t_{2}=t_{0}\oplus t_{1}

The purpose of the seemingly arbitrary constant $C$ is to frustrate some attacks that take advantage of the relationship between $k_{w}$ and the other keywords.

The round key words $k_{s,i}$ are now defined like this:

$k_{s,i}={\begin{cases}k_{(s+i){\bmod {(}}w+1)}&i=0,\dots ,w-4\\k_{(s+i){\bmod {(}}w+1)}+t_{s{\bmod {3}}}&i=w-3\\k_{(s+i){\bmod {(}}w+1)}+t_{(s+1){\bmod {3}}}&i=w-2\\k_{(s+i){\bmod {(}}w+1)}+s&i=w-1\end{cases}}$

Here $s=0,1,\dots ,r/4$ , where $4s$ is the number of the round in which the round key word $k_{s,i}$ is used.

Mix function

The mix function takes a tuple of words $(x_{0},x_{1})$ and returns another tuple of words $(y_{0},y_{1})$ . The function is defined like this:

$y_{0}=(x_{0}+x_{1}){\bmod {2}}^{64}$

$y_{1}=(x_{1}\lll R_{(d{\bmod {8}}),j})\oplus y_{0}$

$R_{d,j}$ is a fixed set of rotation constants chosen to achieve quick diffusion.

Permute

The permutation step swaps the positions of the words according to a constant pattern. Bit-level permutation is not achieved in this step, but this is not necessary since the MIX functions provides bit-level permutations in the form of bitwise rotations.^{[ citation needed ]} The Permute step and rotation constants in the MIX functions are chosen in such a way that the overall effect is complete diffusion of all the bits in a data block.^{[ citation needed ]}

Because this permutation is fixed and independent of the key, the time needed to compute it does not provide information about the key or plaintext. This is important because on most modern microprocessors performance optimisations can make the time taken to compute an array operation dependent on where the data is stored in memory. In ciphers where array lookup depends on either the key or plaintext (as is the case for the substitution step in AES), it can make the cipher vulnerable to timing attacks by examining the time required for encryption. The permutation is therefore deliberately designed to ensure that it should execute in the same fashion independent of the key being used or the data encrypted.^{[ citation needed ]}

A full Threefish round

if $d\;{\bmod {\;}}4=0$ the round key $k_{d/4,i}$ is added to word $i$
the mix function is applied to pairs of words, the rotation widths $R_{d{\bmod {8}},j}$ depend on round number $d$ and word pair $j\in \{0,\cdots ,w/2-1\}$
the words are permutated using a permutation independent from the round number

Threefish256 and Threefish512 apply this round $r=72$ times ( $d=0,1,\dots ,71$ ). Threefish1024 applies it 80 times ( $d=0,1,\dots ,79$ ).

Final operations

After all rounds are applied, the last round key words $k_{r/4,i}$ are added to the words and the words are converted back to a string of bytes.

Security

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.^[2] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively.^[3] In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition.^[1]

In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is $2^{226}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{352.17}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is $2^{222}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{355.5}$ with a negligible memory usage.^[4]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

A hash function is any function that can be used to map data of arbitrary size to fixed-size values, though there are some hash functions that support variable length output. The values returned by a hash function are called hash values, hash codes, hash digests, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. In contrast to traditional MACs, which are serializable, UMAC can be executed in parallel. Thus as machines continue to offer more parallel processing capabilities, the speed of implementing UMAC will increase.

Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

For a cryptographic hash function, a MASH-1 is a hash function based on modular arithmetic.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Badger is a Message Authentication Code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH, where the value of ϵ is $. Since Badger is a MAC function based on the universal hash function approach, the conditions needed for the security of Badger are the same as those for other universal hash functions such as UMAC.$

References

1 2 3 Ferguson, Niels; Lucks, Stefan; Schneier, Bruce; Whiting, Doug; Bellare, Mihir; Kohno, Tadayoshi; Callas, Jon; Walker, Jesse (October 1, 2010), The Skein Hash Function Family (PDF), archived from the original (PDF) on 2014-08-24 The paper in which Threefish was introduced.
1 2 Khovratovich, Dmitry; Nikolic, Ivica; Rechberger, Christian (2014). "Rotational Rebound Attacks on Reduced Skein". Journal of Cryptology. 27 (3): 452–479. doi:10.1007/S00145-013-9150-0.
↑ Khovratovich, Dmitry; Nikolic, Ivica (2010). "Rotational Cryptanalysis of ARX". In Hong, Seokhie; Iwata, Tetsu (eds.). Fast Software Encryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 6147. Springer. pp. 333–346. doi:10.1007/978-3-642-13858-4_19.
↑ Chen, Jiazhe; Jia, Keting (2010). "Improved Related-Key Boomerang Attacks on Round-Reduced Threefish-512". In Kwak, Jin; Deng, Robert H.; Won, Yoojae; Wang, Guilin (eds.). Information Security, Practice and Experience, 6th International Conference, ISPEC 2010, Seoul, Korea, May 12–13, 2010. Proceedings. Lecture Notes in Computer Science. Vol. 6047. Springer. pp. 1–18. doi:10.1007/978-3-642-12827-1_1.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[skein-1] 1 2 3 Ferguson, Niels; Lucks, Stefan; Schneier, Bruce; Whiting, Doug; Bellare, Mihir; Kohno, Tadayoshi; Callas, Jon; Walker, Jesse (October 1, 2010), The Skein Hash Function Family (PDF), archived from the original (PDF) on 2014-08-24 The paper in which Threefish was introduced.

[rotational-rebound-2] 1 2 Khovratovich, Dmitry; Nikolic, Ivica; Rechberger, Christian (2014). "Rotational Rebound Attacks on Reduced Skein". Journal of Cryptology. 27 (3): 452–479. doi:10.1007/S00145-013-9150-0.

[3] Khovratovich, Dmitry; Nikolic, Ivica (2010). "Rotational Cryptanalysis of ARX". In Hong, Seokhie; Iwata, Tetsu (eds.). Fast Software Encryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 6147. Springer. pp. 333–346. doi:10.1007/978-3-642-13858-4_19.

[4] Chen, Jiazhe; Jia, Keting (2010). "Improved Related-Key Boomerang Attacks on Round-Reduced Threefish-512". In Kwak, Jin; Deng, Robert H.; Won, Yoojae; Wang, Guilin (eds.). Information Security, Practice and Experience, 6th International Conference, ISPEC 2010, Seoul, Korea, May 12–13, 2010. Proceedings. Lecture Notes in Computer Science. Vol. 6047. Springer. pp. 1–18. doi:10.1007/978-3-642-12827-1_1.

[1]

[2]

[3]

[4]