# Threefish

Last updated
General Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker 2008 Blowfish, Twofish 256, 512 or 1024 bits(key size is equal to block size) 256, 512 or 1024 bits 72 (80 for 1024-bit block size) 6.1 cpb on Core 2. [1]

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; [1] its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption.

The NIST hash function competition was an open competition held by the US National Institute of Standards and Technology (NIST) to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. The competition was formally announced in the Federal Register on November 2, 2007. "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)." The competition ended on October 2, 2012 when the NIST announced that Keccak would be the new SHA-3 hash algorithm.

In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext — Shannon's property of confusion.

## Contents

Threefish and the Skein hash function were designed by Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker.

Bruce Schneier is an American cryptographer, computer security professional, privacy specialist and writer. Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute. He has been working for IBM since they acquired Resilient Systems where Schneier was CTO. He is the author of several books on general security topics, computer security and cryptography. Schneier is also a contributing writer for The Guardian news organization.

Niels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books. Among the designs Ferguson has contributed to is the AES finalist block cipher algorithm Twofish as well as the stream cipher Helix and the Skein hash function.

Stefan Lucks is a researcher in the fields of communications security and cryptography. Lucks is known for his attack on Triple DES, and for extending Lars Knudsen's Square attack to Twofish, a cipher outside the Square family, thus generalising the attack into integral cryptanalysis. He has also co-authored attacks on AES, LEVIATHAN, and the E0 cipher used in Bluetooth devices, as well as publishing strong password-based key agreement schemes.

## Description of the cipher [1]

Threefish works on words of 64 bits (unsigned Little endian integers). ${\displaystyle N_{w}\in \{4,8,16\}}$ is the number of plaintext words and also of key words. The tweak consists of two words. All additions and subtractions are defined modulo ${\displaystyle 2^{64}}$.

The bit is a basic unit of information in information theory, computing, and digital communications. The name is a portmanteau of binary digit.

An integer is a number that can be written without a fractional component. For example, 21, 4, 0, and −2048 are integers, while 9.75, 5 1/2, and 2 are not.

### Key schedule

Threefish uses ${\displaystyle {\frac {N_{r}}{4}}+1}$ different round keys (${\displaystyle N_{r}}$: Number of rounds). To calculate these keys an additional key word ${\displaystyle k_{N_{w}}}$ is appended to the original key words ${\displaystyle k_{0},k_{1},\dots ,k_{N_{w}-1}}$. An additional tweak word ${\displaystyle t_{2}}$ is also appended to the tweak words ${\displaystyle t_{0},t_{1}}$.

${\displaystyle k_{N_{w}}=C_{240}\oplus k_{0}\oplus k_{1}\oplus \dots \oplus k_{N_{w}-1};\quad C_{240}={\text{0x1BD11BDAA9FC1A22}}}$
${\displaystyle t_{2}=t_{0}\oplus t_{1}}$

The purpose of the seemingly arbitrary constant ${\displaystyle C_{240}}$ is to frustrate some attacks that take advantage of the relationship between ${\displaystyle k_{N_{w}}}$ and the other keywords.

The round key words ${\displaystyle k_{s,i}}$ are now defined like this:

${\displaystyle k_{s,i}={\begin{cases}k_{(s+i){\bmod {(}}N_{w}+1)}&i=0,\dots ,N_{w}-4\\k_{(s+i){\bmod {(}}N_{w}+1)}+t_{s{\bmod {3}}}&i=N_{w}-3\\k_{(s+i){\bmod {(}}N_{w}+1)}+t_{(s+1){\bmod {3}}}&i=N_{w}-2\\k_{(s+i){\bmod {(}}N_{w}+1)}+s&i=N_{w}-1\end{cases}}}$

Here ${\displaystyle s=0,1,\dots ,N_{r}/4}$, and ${\displaystyle 4s}$ is the number of the round in which the round key is used.

### Mix function

The mix function takes a tuple of words ${\displaystyle (x_{0},x_{1})}$ and returns another tuple of words ${\displaystyle (y_{0},y_{1})}$. The function is defined like this:

${\displaystyle y_{0}=x_{0}+x_{1}\mod 2^{64}}$

${\displaystyle y_{1}=(x_{1}\lll R_{(d{\bmod {8}}),j})\oplus y_{0}}$

${\displaystyle R_{d,j}}$ is a fixed set of rotation constants chosen to achieve quick diffusion.

In cryptography, confusion and diffusion are two properties of the operation of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography. These properties, when present, work to thwart the application of statistics and other methods of cryptanalysis.

### Permute

The permutation step swaps the positions of the words according to a constant pattern. Bit-level permutation is not achieved in this step, but this is not necessary since the MIX functions provides bit-level permutations in the form of bitwise rotations.[ citation needed ] The Permute step and rotation constants in the MIX functions are chosen in such a way that the overall effect is complete diffusion of all the bits in a data block.[ citation needed ]

Because this permutation is fixed and independent of the key, the time needed to compute it does not provide information about the key or plaintext. This is important because on most modern microprocessors performance optimisations can make the time taken to compute an array operation dependent on where the data is stored in memory. In ciphers where array lookup depends on either the key or plaintext (as is the case for the substitution step in AES), it can make the cipher vulnerable to timing attacks by examining the time required for encryption. The permutation is therefore deliberately designed to ensure that it should execute in the same fashion independent of the key being used or the data encrypted.[ citation needed ]

In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input.

### A full Threefish round

• if ${\displaystyle d\;{\bmod {\;}}4=0}$ the round key ${\displaystyle k_{d/4,i}}$ is added to word ${\displaystyle i}$
• the mix function is applied to consecutive words, the rotation widths depend on ${\displaystyle d}$ and the word number
• the words are permutated using a permutation independent from the round number

Threefish256 and Threefish512 apply this round 72 times (${\displaystyle d=0,1,\dots ,71}$). Threefish1024 applies it 80 times (${\displaystyle d=0,1,\dots ,79}$).

### Final operations

After all rounds are applied, the last round key is added to the words and the words are converted back to a string of bytes.

## Security

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function. [2] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively. [3] In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition. [1]

In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is ${\displaystyle 2^{226}}$ and the memory complexity is ${\displaystyle 2^{12}}$; for the 33-round version, the time complexity is ${\displaystyle 2^{352.17}}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is ${\displaystyle 2^{222}}$ and the memory complexity is ${\displaystyle 2^{12}}$; for the 33-round version, the time complexity is ${\displaystyle 2^{355.5}}$ with a negligible memory usage. [4]

## Related Research Articles

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key. Block ciphers operate as important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

A hash function is any function that can be used to map data of arbitrary size onto data of a fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. Hash functions are often used in combination with a hash table, a common data structure used in computer software for rapid data lookup. Hash functions accelerate table or database lookup by detecting duplicated records in a large file. One such application is finding similar stretches in DNA sequences. They are also useful in cryptography. A cryptographic hash function allows one to easily verify whether some input data map onto a given hash value, but if the input data is unknown it is deliberately difficult to reconstruct it by knowing the stored hash value. This is used for assuring integrity of transmitted data, and is the building block for HMACs, which provide message authentication.

A triangle wave is a non-sinusoidal waveform named for its triangular shape. It is a periodic, piecewise linear, continuous real function.

The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiations and the discrete logarithm problem.

Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext , it is possible to generate another ciphertext which decrypts to , for a known function , without necessarily knowing or learning .

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM (USA); it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the Data Encryption Standard (DES). The Feistel structure has the advantage that encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule. Therefore, the size of the code or circuitry required to implement such a cipher is nearly halved.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient of a function for it to be called one-way.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.

The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the difficulty of factorization. However the Rabin cryptosystem has the advantage that the problem on which it relies has been proven to be as hard as integer factorization, which is not currently known to be true of the RSA problem. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term "probabilistic encryption" is typically used in reference to public key encryption algorithms, however various symmetric key encryption algorithms achieve a similar property. To be semantically secure, that is, to hide even partial information about the plaintext, an encryption algorithm must be probabilistic.

Quadratic probing is an open addressing scheme in computer programming for resolving collisions in hash tables—when an incoming data's hash value indicates it should be stored in an already-occupied slot or bucket. Quadratic probing operates by taking the original hash index and adding successive values of an arbitrary quadratic polynomial until an open slot is found.

In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. UMAC is specified in RFC 4418, it has provable cryptographic strength and is usually a lot less computationally intensive than other MACs. UMAC's design is optimized for 32-bit architectures; a closely related variant of UMAC that is optimized for 64-bit architectures is given by VMAC.

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For discussion of different software packages and hardware devices devoted to this problem see disk encryption software and disk encryption hardware.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

In cryptography the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1979. The Rabin signature algorithm was one of the first digital signature schemes proposed, and it is the only one to relate the hardness of forgery directly to the problem of integer factorization. The Rabin signature algorithm is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin signature algorithm is also closely related to the Rabin cryptosystem.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

Ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having broken both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.

## References

1. Ferguson; et al. (2010-10-01). "The Skein Hash Function Family" (PDF). The paper in which Threefish was introduced.
2. Dmitry Khovratovich; Ivica Nikolic; Christian Rechberger (2010-10-20). "Rotational Rebound Attacks on Reduced Skein".
3. Dmitry Khovratovich & Ivica Nikolić (2010). "Rotational Cryptanalysis of ARX" (PDF). University of Luxembourg.
4. Jiazhe Chen; Keting Jia (2009-11-01). "Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512".