Skein (hash function)

Last updated
Skein
Skein permutation.png
General
Designers Bruce Schneier, Niels Ferguson, et al.
Derived from Threefish
Certification SHA-3 finalist
Detail
Digest sizes arbitrary
Structure Unique Block Iteration
Rounds72 (256 & 512 block size), 80 (1024 block size)
Speed6.1 cpb on Core 2. [1]
Threefish Mix Function Skein Mix Function.png
Threefish Mix Function

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak. [2]

Contents

The name Skein refers to how the Skein function intertwines the input, similar to a skein of yarn. [1]

History

Skein was created by Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas and Jesse Walker.

Skein is based on the Threefish tweakable block cipher compressed using Unique Block Iteration (UBI) chaining mode, a variant of the Matyas–Meyer–Oseas hash mode, [3] while leveraging an optional low-overhead argument-system for flexibility.

Skein's algorithm and a reference implementation was given to public domain. [4]

Functionality

Skein supports internal state sizes of 256, 512 and 1024 bits, and arbitrary output sizes. [5]

The authors claim 6.1 cycles per byte for any output size on an Intel Core 2 Duo in 64-bit mode. [6]

The core of Threefish is based on a MIX function that transforms 2 64-bit words using a single addition, rotation by a constant and XOR. The UBI chaining mode combines an input chaining value with an arbitrary length input string and produces a fixed size output.

Threefish's nonlinearity comes entirely from the combination of addition operations and exclusive-ORs; it does not use S-boxes. The function is optimized for 64-bit processors, and the Skein paper defines optional features such as randomized hashing, parallelizable tree hashing, a stream cipher, personalization, and a key derivation function.

Cryptanalysis

In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack finds rotational collisions for 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function. [7] This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively. [8]

The Skein team tweaked the key schedule constant for round 3 of the NIST hash function competition, to make this attack less effective, even though they believe the hash would still be secure without these tweaks. [1]

Examples of Skein hashes

Hash values of empty string.

Skein-256-256("") c8877087da56e072870daa843f176e9453115929094c3a40c463a196c29bf7ba Skein-512-256("") 39ccc4554a8b31853b9de7a1fe638a24cce6b35a55f2431009e18780335d2621 Skein-512-512("") bc5b4c50925519c290cc634277ae3d6257212395cba733bbad37a4af0fa06af41fca7903d06564fea7a2d3730dbdb80c1f85562dfcc070334ea4d1d9e72cba7a

Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the avalanche effect. For example, adding a period to the end of the sentence:

Skein-512-256("The quick brown fox jumps over the lazy dog") b3250457e05d3060b1a4bbc1428bc75a3f525ca389aeab96cfa34638d96e492a Skein-512-256("The quick brown fox jumps over the lazy dog.") 41e829d7fca71c7d7154ed8fc8a069f274dd664ae0ed29d365d919f4e575eebb Skein-512-512("The quick brown fox jumps over the lazy dog") 94c2ae036dba8783d0b3f7d6cc111ff810702f5c77707999be7e1c9486ff238a7044de734293147359b4ac7e1d09cd247c351d69826b78dcddd951f0ef912713 Skein-512-512("The quick brown fox jumps over the lazy dog.") 658223cb3d69b5e76e3588ca63feffba0dc2ead38a95d0650564f2a39da8e83fbb42c9d6ad9e03fbfde8a25a880357d457dbd6f74cbcb5e728979577dbce5436

Related Research Articles

HMAC Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.

The MD5 message-digest algorithm is a cryptographically broken but still widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption. It remains suitable for other non-cryptographic purposes, for example for determining the partition for a particular key in a partitioned database, and may be preferred due to lower computational requirements than more recent Secure Hash Algorithms.

In cryptography, SHA-1 is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard.

Cryptographic hash function Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size to a bit array of a fixed size. It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography.

In cryptography, Tiger is a cryptographic hash function designed by Ross Anderson and Eli Biham in 1995 for efficiency on 64-bit platforms. The size of a Tiger hash value is 192 bits. Truncated versions can be used for compatibility with protocols assuming a particular hash size. Unlike the SHA-2 family, no distinguishing initialization values are defined; they are simply prefixes of the full Tiger/192 hash value.

SHA-2 is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

FORK-256 is a hash algorithm designed in response to security issues discovered in the earlier SHA-1 and MD5 algorithms. After substantial cryptanalysis, the algorithm is considered broken.

sha1sum is a computer program that calculates and verifies SHA-1 hashes. It is commonly used to verify the integrity of files. It is installed by default on most Linux distributions. Typically distributed alongside sha1sum are sha224sum, sha256sum, sha384sum and sha512sum, which use a specific SHA-2 hash function and b2sum, which uses the BLAKE2 cryptographic hash function.

RadioGatún Cryptographic hash primitive

RadioGatún is a cryptographic hash primitive created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in Santa Barbara, California, on August 24–25, 2006, as part of the NIST hash function competition. The same team that developed RadioGatún went on to make considerable revisions to this cryptographic primitive, leading to the Keccak SHA-3 algorithm.

Threefish Block cipher

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

The NIST hash function competition was an open competition held by the US National Institute of Standards and Technology (NIST) to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. The competition was formally announced in the Federal Register on November 2, 2007. "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)." The competition ended on October 2, 2012 when NIST announced that Keccak would be the new SHA-3 hash algorithm.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

Grøstl is a cryptographic hash function submitted to the NIST hash function competition by Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl was chosen as one of the five finalists of the competition. It uses the same S-box as AES in a custom construction. The authors claim speeds of up to 21.4 cycles per byte on an Intel Core 2 Duo, and 9.6 cycles/byte on an Intel i7 with AES-NI.

JH is a cryptographic hash function submitted to the NIST hash function competition by Hongjun Wu. Though chosen as one of the five finalists of the competition, in 2012 JH ultimately lost to NIST hash candidate Keccak. JH has a 1024-bit state, and works on 512-bit input blocks. Processing an input block consists of three steps:

  1. XOR the input block into the left half of the state.
  2. Apply a 42-round unkeyed permutation (encryption function) to the state. This consists of 42 repetitions of:
    1. Break the input into 256 4-bit blocks, and map each through one of two 4-bit S-boxes, the choice being made by a 256-bit round-dependent key schedule. Equivalently, combine each input block with a key bit, and map the result through a 5→4 bit S-box.
    2. Mix adjacent 4-bit blocks using a maximum distance separable code over GF(24).
    3. Permute 4-bit blocks so that they will be adjacent to different blocks in following rounds.
  3. XOR the input block into the right half of the state.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

In cryptography, rotational cryptanalysis is a generic cryptanalytic attack against algorithms that rely on three operations: modular addition, rotation and XOR — ARX for short. Algorithms relying on these operations are popular because they are relatively cheap in both hardware and software and run in constant time, making them safe from timing attacks in common implementations.

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

Kupyna is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014. It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.

Dmitry Khovratovich is a cryptographer, currently a Lead Cryptographer for the Dusk Network, researcher for the Ethereum Foundation, and member of the International Association for Cryptologic Research. He developed, together with Alex Biryukov, the Equihash Proof-of-work algorithm which is currently being used as consensus mechanism for the Zcash cryptocurrency, and the Argon2 key derivation function, which won the Password Hashing Competition in July 2015.

References

  1. 1 2 3 Ferguson; et al. (2010-10-01). "The Skein Hash Function Family" (PDF).{{cite journal}}: Cite journal requires |journal= (help)
  2. "NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition". NIST . 2012-10-02. Retrieved 2012-10-02.
  3. http://www.skein-hash.info/sites/default/files/skein1.3.pdf p. 6
  4. skein_NIST_CD_121508.zip on skein-hash.info, skein.c "Implementation of the Skein hash function. Source code author: Doug Whiting, 2008. This algorithm and source code is released to the public domain."
  5. "Now From Bruce Schneier, the Skein Hash Function". Slashdot. 2008-10-31. Retrieved 2008-10-31.
  6. Paper describing the hash function, Version 1.3 (2010-10-01)
  7. Dmitry Khovratovich; Ivica Nikolic; Christian Rechberger (2010-10-20). "Rotational Rebound Attacks on Reduced Skein". Cryptology ePrint Archive.
  8. Dmitry Khovratovich & Ivica Nikolić (2010). "Rotational Cryptanalysis of ARX" (PDF). University of Luxembourg.{{cite journal}}: Cite journal requires |journal= (help)

Implementations

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.