Threefish

Threefish
General
Designers	Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
First published	2008
Related to	Blowfish, Twofish
Cipher detail
Key sizes	256, 512 or 1024 bits; (key size is equal to block size)
Block sizes	256, 512 or 1024 bits
Rounds	72 (80 for 1024-bit block size)
Speed	6.1 cpb on Core 2.
Best public cryptanalysis
	In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.

Last updated October 15, 2022

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks;^[1] its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

Description of the cipher

Threefish works on words of 64 bits (unsigned Little endian integers). $w\in \{4,8,16\}$ is the number of plaintext words and also of key words. The tweak consists of two words. All additions and subtractions are defined modulo $2^{64}$ .

Key schedule

Threefish encrypts in $r$ rounds and uses ${\frac {r}{4}}+1$ different round keys. After every four rounds, and before the first, $w$ round key words are added to the $w$ data words. To calculate the round keys an additional key word $k_{w}$ is appended to the original key words $k_{0},k_{1},\dots ,k_{w-1}$ . Also, an additional tweak word $t_{2}$ is appended to the tweak words $t_{0},t_{1}$ .

k_{w}=C\oplus k_{0}\oplus k_{1}\oplus \dots \oplus k_{w-1};\quad C={\text{0x1BD11BDAA9FC1A22}}

t_{2}=t_{0}\oplus t_{1}

The purpose of the seemingly arbitrary constant $C$ is to frustrate some attacks that take advantage of the relationship between $k_{w}$ and the other keywords.

The round key words $k_{s,i}$ are now defined like this:

$k_{s,i}={\begin{cases}k_{(s+i){\bmod {(}}w+1)}&i=0,\dots ,w-4\\k_{(s+i){\bmod {(}}w+1)}+t_{s{\bmod {3}}}&i=w-3\\k_{(s+i){\bmod {(}}w+1)}+t_{(s+1){\bmod {3}}}&i=w-2\\k_{(s+i){\bmod {(}}w+1)}+s&i=w-1\end{cases}}$

Here $s=0,1,\dots ,r/4$ , where $4s$ is the number of the round in which the round key word $k_{s,i}$ is used.

Mix function

The mix function takes a tuple of words $(x_{0},x_{1})$ and returns another tuple of words $(y_{0},y_{1})$ . The function is defined like this:

$y_{0}=(x_{0}+x_{1}){\bmod {2}}^{64}$

$y_{1}=(x_{1}\lll R_{(d{\bmod {8}}),j})\oplus y_{0}$

$R_{d,j}$ is a fixed set of rotation constants chosen to achieve quick diffusion.

Permute

The permutation step swaps the positions of the words according to a constant pattern. Bit-level permutation is not achieved in this step, but this is not necessary since the MIX functions provides bit-level permutations in the form of bitwise rotations.^{[ citation needed ]} The Permute step and rotation constants in the MIX functions are chosen in such a way that the overall effect is complete diffusion of all the bits in a data block.^{[ citation needed ]}

Because this permutation is fixed and independent of the key, the time needed to compute it does not provide information about the key or plaintext. This is important because on most modern microprocessors performance optimisations can make the time taken to compute an array operation dependent on where the data is stored in memory. In ciphers where array lookup depends on either the key or plaintext (as is the case for the substitution step in AES), it can make the cipher vulnerable to timing attacks by examining the time required for encryption. The permutation is therefore deliberately designed to ensure that it should execute in the same fashion independent of the key being used or the data encrypted.^{[ citation needed ]}

A full Threefish round

if $d\;{\bmod {\;}}4=0$ the round key $k_{d/4,i}$ is added to word $i$
the mix function is applied to pairs of words, the rotation widths $R_{d{\bmod {8}},j}$ depend on round number $d$ and word pair $j\in \{0,\cdots ,w/2-1\}$
the words are permutated using a permutation independent from the round number

Threefish256 and Threefish512 apply this round $r=72$ times ( $d=0,1,\dots ,71$ ). Threefish1024 applies it 80 times ( $d=0,1,\dots ,79$ ).

Final operations

After all rounds are applied, the last round key words $k_{r/4,i}$ are added to the words and the words are converted back to a string of bytes.

Security

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.^[2] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively.^[3] In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition.^[1]

In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is $2^{226}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{352.17}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is $2^{222}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{355.5}$ with a negligible memory usage.^[4]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. They are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. It uses blocks as an unvarying transformation.

A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message.

Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

For a cryptographic hash function, a MASH-1 is a hash function based on modular arithmetic.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having broken both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.

References

1 2 3 Ferguson; et al. (2010-10-01). "The Skein Hash Function Family" (PDF).{{cite journal}}: Cite journal requires |journal= (help) The paper in which Threefish was introduced.
1 2 Dmitry Khovratovich; Ivica Nikolic; Christian Rechberger (2010-10-20). "Rotational Rebound Attacks on Reduced Skein". Cryptology ePrint Archive.
↑ Dmitry Khovratovich & Ivica Nikolić (2010). "Rotational Cryptanalysis of ARX" (PDF). University of Luxembourg.{{cite journal}}: Cite journal requires |journal= (help)
↑ Jiazhe Chen; Keting Jia (2009-11-01). "Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512". Cryptology ePrint Archive.

External links

"The Skein Hash Function Family" Homepage of the Skein Hash Function Family.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[skein-1] 1 2 3 Ferguson; et al. (2010-10-01). "The Skein Hash Function Family" (PDF).{{cite journal}}: Cite journal requires |journal= (help) The paper in which Threefish was introduced.

[rotational-rebound-2] 1 2 Dmitry Khovratovich; Ivica Nikolic; Christian Rechberger (2010-10-20). "Rotational Rebound Attacks on Reduced Skein". Cryptology ePrint Archive.

[3] Dmitry Khovratovich & Ivica Nikolić (2010). "Rotational Cryptanalysis of ARX" (PDF). University of Luxembourg.{{cite journal}}: Cite journal requires |journal= (help)

[4] Jiazhe Chen; Keting Jia (2009-11-01). "Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512". Cryptology ePrint Archive.

[1]

[2]

[3]

[4]