# Threefish

Last updated
General Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker 2008 Blowfish, Twofish 256, 512 or 1024 bits(key size is equal to block size) 256, 512 or 1024 bits 72 (80 for 1024-bit block size) 6.1 cpb on Core 2. [1]

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; [1] its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

## Contents

Threefish and the Skein hash function were designed by Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker.

## Description of the cipher

Threefish works on words of 64 bits (unsigned Little endian integers). ${\displaystyle N_{w}\in \{4,8,16\}}$ is the number of plaintext words and also of key words. The tweak consists of two words. All additions and subtractions are defined modulo ${\displaystyle 2^{64}}$.

### Key schedule

Threefish uses ${\displaystyle {\frac {N_{r}}{4}}+1}$ different round keys (${\displaystyle N_{r}}$: Number of rounds). To calculate these keys an additional key word ${\displaystyle k_{N_{w}}}$ is appended to the original key words ${\displaystyle k_{0},k_{1},\dots ,k_{N_{w}-1}}$. An additional tweak word ${\displaystyle t_{2}}$ is also appended to the tweak words ${\displaystyle t_{0},t_{1}}$.

${\displaystyle k_{N_{w}}=C_{240}\oplus k_{0}\oplus k_{1}\oplus \dots \oplus k_{N_{w}-1};\quad C_{240}={\text{0x1BD11BDAA9FC1A22}}}$
${\displaystyle t_{2}=t_{0}\oplus t_{1}}$

The purpose of the seemingly arbitrary constant ${\displaystyle C_{240}}$ is to frustrate some attacks that take advantage of the relationship between ${\displaystyle k_{N_{w}}}$ and the other keywords.

The round key words ${\displaystyle k_{s,i}}$ are now defined like this:

${\displaystyle k_{s,i}={\begin{cases}k_{(s+i){\bmod {(}}N_{w}+1)}&i=0,\dots ,N_{w}-4\\k_{(s+i){\bmod {(}}N_{w}+1)}+t_{s{\bmod {3}}}&i=N_{w}-3\\k_{(s+i){\bmod {(}}N_{w}+1)}+t_{(s+1){\bmod {3}}}&i=N_{w}-2\\k_{(s+i){\bmod {(}}N_{w}+1)}+s&i=N_{w}-1\end{cases}}}$

Here ${\displaystyle s=0,1,\dots ,N_{r}/4}$, and ${\displaystyle 4s}$ is the number of the round in which the round key is used.

### Mix function

The mix function takes a tuple of words ${\displaystyle (x_{0},x_{1})}$ and returns another tuple of words ${\displaystyle (y_{0},y_{1})}$. The function is defined like this:

${\displaystyle y_{0}=x_{0}+x_{1}\mod 2^{64}}$

${\displaystyle y_{1}=(x_{1}\lll R_{(d{\bmod {8}}),j})\oplus y_{0}}$

${\displaystyle R_{d,j}}$ is a fixed set of rotation constants chosen to achieve quick diffusion.

### Permute

The permutation step swaps the positions of the words according to a constant pattern. Bit-level permutation is not achieved in this step, but this is not necessary since the MIX functions provides bit-level permutations in the form of bitwise rotations.[ citation needed ] The Permute step and rotation constants in the MIX functions are chosen in such a way that the overall effect is complete diffusion of all the bits in a data block.[ citation needed ]

Because this permutation is fixed and independent of the key, the time needed to compute it does not provide information about the key or plaintext. This is important because on most modern microprocessors performance optimisations can make the time taken to compute an array operation dependent on where the data is stored in memory. In ciphers where array lookup depends on either the key or plaintext (as is the case for the substitution step in AES), it can make the cipher vulnerable to timing attacks by examining the time required for encryption. The permutation is therefore deliberately designed to ensure that it should execute in the same fashion independent of the key being used or the data encrypted.[ citation needed ]

### A full Threefish round

• if ${\displaystyle d\;{\bmod {\;}}4=0}$ the round key ${\displaystyle k_{d/4,i}}$ is added to word ${\displaystyle i}$
• the mix function is applied to consecutive words, the rotation widths depend on ${\displaystyle d}$ and the word number
• the words are permutated using a permutation independent from the round number

Threefish256 and Threefish512 apply this round 72 times (${\displaystyle d=0,1,\dots ,71}$). Threefish1024 applies it 80 times (${\displaystyle d=0,1,\dots ,79}$).

### Final operations

After all rounds are applied, the last round key is added to the words and the words are converted back to a string of bytes.

## Security

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function. [2] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively. [3] In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition. [1]

In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is ${\displaystyle 2^{226}}$ and the memory complexity is ${\displaystyle 2^{12}}$; for the 33-round version, the time complexity is ${\displaystyle 2^{352.17}}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is ${\displaystyle 2^{222}}$ and the memory complexity is ${\displaystyle 2^{12}}$; for the 33-round version, the time complexity is ${\displaystyle 2^{355.5}}$ with a negligible memory usage. [4]

## Related Research Articles

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. It uses an unvarying transformation, that is, it uses a symmetric key. They are specified elementary components in the design of many cryptographic protocols and are widely used to implement the encryption of large amounts of data, including data exchange protocols.

The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext , it is possible to generate another ciphertext which decrypts to , for a known function , without necessarily knowing or learning .

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM (USA); it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the US Data Encryption Standard, the Soviet/Russian GOST and the more recent Blowfish and Twofish ciphers. In a Feistel cipher, encryption and decryption are very similar operations, and both consist of iteratively running a function called a "round function" a fixed number of times.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.

The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the difficulty of integer factorization. However the Rabin cryptosystem has the advantage that it has been mathematically proven to be computationally secure against a chosen-plaintext attack as long as the attacker cannot efficiently factor integers, while there is no such proof known for RSA. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

In cryptography the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1979. The Rabin signature algorithm was one of the first digital signature schemes proposed, and it is the only one to relate the hardness of forgery directly to the problem of integer factorization. The Rabin signature algorithm is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin signature algorithm is also closely related to the Rabin cryptosystem.

MASH-1 is a hash function based on modular arithmetic.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

LSH is a cryptographic hash function designed in 2014 by South Korea to provide integrity in general-purpose software environments such as PCs and smart devices. LSH is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program (KCMVP). And it is the national standard of South Korea.

## References

1. Ferguson; et al. (2010-10-01). "The Skein Hash Function Family" (PDF).Cite journal requires |journal= (help) The paper in which Threefish was introduced.
2. Dmitry Khovratovich; Ivica Nikolic; Christian Rechberger (2010-10-20). "Rotational Rebound Attacks on Reduced Skein".Cite journal requires |journal= (help)
3. Dmitry Khovratovich & Ivica Nikolić (2010). "Rotational Cryptanalysis of ARX" (PDF). University of Luxembourg.Cite journal requires |journal= (help)
4. Jiazhe Chen; Keting Jia (2009-11-01). "Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512".