Threefish

Threefish
General
Designers	Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
First published	2008
Related to	Blowfish, Twofish
Cipher detail
Key sizes	256, 512 or 1024 bits; (key size is equal to block size)
Block sizes	256, 512 or 1024 bits
Rounds	72 (80 for 1024-bit block size)
Speed	6.1 cpb on Core 2.
Best public cryptanalysis
	In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.

Last updated December 13, 2024

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks;^[1] its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

Description of the cipher

Threefish works on words of 64 bits (unsigned Little endian integers). $w\in \{4,8,16\}$ is the number of plaintext words and also of key words. The tweak consists of two words. All additions and subtractions are defined modulo $2^{64}$ .

Key schedule

Threefish encrypts in $r$ rounds and uses ${\frac {r}{4}}+1$ different round keys. After every four rounds, and before the first, $w$ round key words are added to the $w$ data words. To calculate the round keys an additional key word $k_{w}$ is appended to the original key words $k_{0},k_{1},\dots ,k_{w-1}$ . Also, an additional tweak word $t_{2}$ is appended to the tweak words $t_{0},t_{1}$ .

k_{w}=C\oplus k_{0}\oplus k_{1}\oplus \dots \oplus k_{w-1};\quad C={\text{0x1BD11BDAA9FC1A22}}

t_{2}=t_{0}\oplus t_{1}

The purpose of the seemingly arbitrary constant $C$ is to frustrate some attacks that take advantage of the relationship between $k_{w}$ and the other keywords.

The round key words $k_{s,i}$ are now defined like this:

$k_{s,i}={\begin{cases}k_{(s+i){\bmod {(}}w+1)}&i=0,\dots ,w-4\\k_{(s+i){\bmod {(}}w+1)}+t_{s{\bmod {3}}}&i=w-3\\k_{(s+i){\bmod {(}}w+1)}+t_{(s+1){\bmod {3}}}&i=w-2\\k_{(s+i){\bmod {(}}w+1)}+s&i=w-1\end{cases}}$

Here $s=0,1,\dots ,r/4$ , where $4s$ is the number of the round in which the round key word $k_{s,i}$ is used.

Mix function

The mix function takes a tuple of words $(x_{0},x_{1})$ and returns another tuple of words $(y_{0},y_{1})$ . The function is defined like this:

$y_{0}=(x_{0}+x_{1}){\bmod {2}}^{64}$

$y_{1}=(x_{1}\lll R_{(d{\bmod {8}}),j})\oplus y_{0}$

$R_{d,j}$ is a fixed set of rotation constants chosen to achieve quick diffusion.

Permute

The permutation step swaps the positions of the words according to a constant pattern. Bit-level permutation is not achieved in this step, but this is not necessary since the MIX functions provides bit-level permutations in the form of bitwise rotations.^{[ citation needed ]} The Permute step and rotation constants in the MIX functions are chosen in such a way that the overall effect is complete diffusion of all the bits in a data block.^{[ citation needed ]}

Because this permutation is fixed and independent of the key, the time needed to compute it does not provide information about the key or plaintext. This is important because on most modern microprocessors performance optimisations can make the time taken to compute an array operation dependent on where the data is stored in memory. In ciphers where array lookup depends on either the key or plaintext (as is the case for the substitution step in AES), it can make the cipher vulnerable to timing attacks by examining the time required for encryption. The permutation is therefore deliberately designed to ensure that it should execute in the same fashion independent of the key being used or the data encrypted.^{[ citation needed ]}

A full Threefish round

if $d\;{\bmod {\;}}4=0$ the round key $k_{d/4,i}$ is added to word $i$
the mix function is applied to pairs of words, the rotation widths $R_{d{\bmod {8}},j}$ depend on round number $d$ and word pair $j\in \{0,\cdots ,w/2-1\}$
the words are permutated using a permutation independent from the round number

Threefish256 and Threefish512 apply this round $r=72$ times ( $d=0,1,\dots ,71$ ). Threefish1024 applies it 80 times ( $d=0,1,\dots ,79$ ).

Final operations

After all rounds are applied, the last round key words $k_{r/4,i}$ are added to the words and the words are converted back to a string of bytes.

Security

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function.^[2] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively.^[4] In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition.^[1]

In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is $2^{226}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{352.17}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is $2^{222}$ and the memory complexity is $2^{12}$ ; for the 33-round version, the time complexity is $2^{355.5}$ with a negligible memory usage.^[5]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. In a public-key cryptosystem, two keys are generated: data can only be encrypted with the public key and encrypted data can only be decrypted with the private key. DSA is a variant of the Schnorr and ElGamal signature schemes.

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research while working for IBM; it is also commonly known as a Feistel network. A large number of block ciphers use the scheme, including the US Data Encryption Standard, the Soviet/Russian GOST and the more recent Blowfish and Twofish ciphers. In a Feistel cipher, encryption and decryption are very similar operations, and both consist of iteratively running a function called a "round function" a fixed number of times.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

In cryptography, a universal hashing message authentication code, or UMAC, is a message authentication code (MAC) calculated using universal hashing, which involves choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function that was used. A variation of the scheme was first published in 1999. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. In contrast to traditional MACs, which are serializable, a UMAC can be executed in parallel. Thus, as machines continue to offer more parallel-processing capabilities, the speed of implementing UMAC can increase.

Poly1305 is a universal hash family designed by Daniel J. Bernstein in 2002 for use in cryptography.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

For a cryptographic hash function, a MASH-1 is a hash function based on modular arithmetic.

<span class="mw-page-title-main">Key encapsulation mechanism</span> Public-key cryptosystem

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries. Modern standards for public-key encryption of arbitrary messages are usually based on KEMs.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having weakened both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.

In cryptography, a known-key distinguishing attack is an attack model against symmetric ciphers, whereby an attacker who knows the key can find a structural property in cipher, where the transformation from plaintext to ciphertext is not random. There is no common formal definition for what such a transformation may be. The chosen-key distinguishing attack is strongly related, where the attacker can choose a key to introduce such transformations.

References

1 2 3 Ferguson, Niels; Lucks, Stefan; Schneier, Bruce; Whiting, Doug; Bellare, Mihir; Kohno, Tadayoshi; Callas, Jon; Walker, Jesse (October 1, 2010), The Skein Hash Function Family (PDF), archived from the original (PDF) on 2014-08-24 The paper in which Threefish was introduced.
1 2 Khovratovich, Dmitry; Nikolic, Ivica; Rechberger, Christian (2014). "Rotational Rebound Attacks on Reduced Skein". Journal of Cryptology. 27 (3): 452–479. doi:10.1007/S00145-013-9150-0.
↑ Schneier, Bruce (January 17, 2023). "Threefish - Schneier on Security". Schneier on Security. Retrieved December 12, 2024.
↑ Khovratovich, Dmitry; Nikolic, Ivica (2010). "Rotational Cryptanalysis of ARX". In Hong, Seokhie; Iwata, Tetsu (eds.). Fast Software Encryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 6147. Springer. pp. 333–346. doi:10.1007/978-3-642-13858-4_19.
↑ Chen, Jiazhe; Jia, Keting (2010). "Improved Related-Key Boomerang Attacks on Round-Reduced Threefish-512". In Kwak, Jin; Deng, Robert H.; Won, Yoojae; Wang, Guilin (eds.). Information Security, Practice and Experience, 6th International Conference, ISPEC 2010, Seoul, Korea, May 12–13, 2010. Proceedings. Lecture Notes in Computer Science. Vol. 6047. Springer. pp. 1–18. doi:10.1007/978-3-642-12827-1_1.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[skein-1] 1 2 3 Ferguson, Niels; Lucks, Stefan; Schneier, Bruce; Whiting, Doug; Bellare, Mihir; Kohno, Tadayoshi; Callas, Jon; Walker, Jesse (October 1, 2010), The Skein Hash Function Family (PDF), archived from the original (PDF) on 2014-08-24 The paper in which Threefish was introduced.

[rotational-rebound-2] 1 2 Khovratovich, Dmitry; Nikolic, Ivica; Rechberger, Christian (2014). "Rotational Rebound Attacks on Reduced Skein". Journal of Cryptology. 27 (3): 452–479. doi:10.1007/S00145-013-9150-0.

[schneier-threefish-3] Schneier, Bruce (January 17, 2023). "Threefish - Schneier on Security". Schneier on Security. Retrieved December 12, 2024.

[4] Khovratovich, Dmitry; Nikolic, Ivica (2010). "Rotational Cryptanalysis of ARX". In Hong, Seokhie; Iwata, Tetsu (eds.). Fast Software Encryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 6147. Springer. pp. 333–346. doi:10.1007/978-3-642-13858-4_19.

[5] Chen, Jiazhe; Jia, Keting (2010). "Improved Related-Key Boomerang Attacks on Round-Reduced Threefish-512". In Kwak, Jin; Deng, Robert H.; Won, Yoojae; Wang, Guilin (eds.). Information Security, Practice and Experience, 6th International Conference, ISPEC 2010, Seoul, Korea, May 12–13, 2010. Proceedings. Lecture Notes in Computer Science. Vol. 6047. Springer. pp. 1–18. doi:10.1007/978-3-642-12827-1_1.

[1]

[2]

[3]

[4]

[5]