www.schneier.com/blog/archives/2008/10/the_skein_hash.html
Here's the paper:

Executive Summary

Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze. Skein-512 -- our primary proposal -- hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core -- almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hash-tree mode speeds up parallelizable implementations even more. Skein-512 hashes short messages in about 1000 clock cycles.

Its conservative design is based on the Threefish block cipher. Our current best attack on Threefish-512 is on 25 of 72 rounds, for a safety factor of 2.9. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function.

Skein is defined for three different internal state sizes -- 256 bits, 512 bits, and 1024 bits -- and any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: a PRNG, a stream cipher, a key derivation function, authentication without the overhead of HMAC, and a personalization capability. All these features can be implemented with very low overhead. Together with the Threefish large-block cipher at Skein's core, this design provides a full set of symmetric cryptographic primitives suitable for most modern applications.
Skein is efficient on a variety of platforms, both hardware and software. Skein-512 can be implemented in about 200 bytes of state. Small devices, such as 8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. Larger devices can implement the larger versions of Skein to achieve faster speeds. Skein was designed by a team of highly experienced cryptographic experts from academia and industry, with expertise in cryptography, security analysis, software, chip design, and implementation of real-world cryptographic systems. This breadth of knowledge allowed them to create a balanced design that works well in all environments.
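The summary above mentions that the compression function is built from only three primitive operations and that Threefish-512 has 72 rounds. The following is an added illustration, not code from the paper or the Skein team: a Threefish-256 block cipher (4 words of 64 bits, 72 rounds, a 128-bit tweak) in which every round is just add, rotate and xor, with subkeys injected every four rounds. It assumes the rotation constants of the current Threefish v1.3 specification (the 2008 submission used a different set), and it shows only the cipher, not the UBI chaining that turns it into the hash.

```python
# Threefish-256, the tweakable block cipher at the core of Skein, as an added
# illustration. Rotation constants are those of the Threefish v1.3 specification
# (an assumption; the 2008 submission used a different set).
MASK = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22            # key-schedule parity constant
ROT = [(14, 16), (52, 57), (23, 40), (5, 37),
       (25, 33), (46, 12), (58, 22), (32, 32)]   # Threefish-256 rotations, v1.3

def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def mix(x0, x1, r):
    # The whole cipher is built from these three operations: add, rotate, xor.
    y0 = (x0 + x1) & MASK
    return y0, rotl(x1, r) ^ y0

def unmix(y0, y1, r):
    x1 = rotl(y1 ^ y0, 64 - r)      # rotate right by r
    return (y0 - x1) & MASK, x1

def subkeys(key, tweak):
    # Expand 4 key words + 2 tweak words into the 19 subkeys injected every 4 rounds.
    k = list(key) + [C240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]
    t = list(tweak) + [tweak[0] ^ tweak[1]]
    out = []
    for s in range(19):
        sk = [k[(s + i) % 5] for i in range(4)]
        sk[1] = (sk[1] + t[s % 3]) & MASK
        sk[2] = (sk[2] + t[(s + 1) % 3]) & MASK
        sk[3] = (sk[3] + s) & MASK
        out.append(sk)
    return out

def encrypt(block, key, tweak):
    sk, v = subkeys(key, tweak), list(block)
    for d in range(72):
        if d % 4 == 0:
            v = [(v[i] + sk[d // 4][i]) & MASK for i in range(4)]
        v[0], v[1] = mix(v[0], v[1], ROT[d % 8][0])
        v[2], v[3] = mix(v[2], v[3], ROT[d % 8][1])
        v[1], v[3] = v[3], v[1]                    # word permutation (0,3,2,1)
    return [(v[i] + sk[18][i]) & MASK for i in range(4)]

def decrypt(block, key, tweak):
    sk = subkeys(key, tweak)
    v = [(block[i] - sk[18][i]) & MASK for i in range(4)]
    for d in reversed(range(72)):
        v[1], v[3] = v[3], v[1]                    # the swap is its own inverse
        v[0], v[1] = unmix(v[0], v[1], ROT[d % 8][0])
        v[2], v[3] = unmix(v[2], v[3], ROT[d % 8][1])
        if d % 4 == 0:
            v = [(v[i] - sk[d // 4][i]) & MASK for i in range(4)]
    return v
```

Because the tweak enters the key schedule, the same key encrypts the same block differently under different tweaks, which is what lets Skein bind block position and type information into each compression call without extra primitives.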
Skein website for any updates -- new code, new results, new implementations, the proofs. It seems as if everyone -- including many amateurs -- is working on a hash function, and I predict that NIST will receive at least 80 submissions.
I've previously called this sort of thing a cryptographic demolition derby -- last one left standing wins -- but that's only half true. Certainly all the groups will spend the next couple of years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms; NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. My advice is this: immediately sort them based on performance and features. Ask the cryptographic community to focus its attention on the top dozen, rather than spread its attention across all 80 -- although I also expect that most of the amateur submissions will be rejected by NIST for not being "complete and proper." Otherwise, people will break the easy ones and the better ones will go unanalyzed.
October 29, 2008 5:06 AM Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken. Presumably it has to do with the differences in purpose of a hash as compared to a cipher?
October 29, 2008 5:36 AM
>> My advice is this: immediately sort them based on performance and
>> features. Ask the cryptographic community to focus its attention on
>> the top dozen, rather than spread its attention across all 80
Great advice, but even if NIST doesn't do this, can't you (or someone else respected in the community) create this list anyway? I look forward to your comments on other submissions and the process as a whole; I find this all very interesting.
October 29, 2008 6:43 AM @ shadowfirebird
> Threefish, which was (apparently, according to
> the intertubes) broken.
Er, I hope you're not talking about that joke paper which talks about "Fortytwofish". If you are, I'd better go look for a bomb shelter from the sonic boom generated by *that* whoosh!
I was starting to wonder where all the candidates were - this is only the second I know about after MD6, have I missed any others? I know of at least one other author with a candidate in the works, and I'm really hoping for an entrant inspired by Trivium.
October 29, 2008 8:22 AM In Practical Cryptography, you and Ferguson define a double-hashing technique to overcome weaknesses in the SHA family of algorithms. Is double-hashing a good general purpose approach to hashing, or only recommended for SHA? Does Skein overcome any need for your double-hashing technique?
October 29, 2008 8:22 AM Bruce, So a nice quiet competition taken at a leisurely pace, without spleen venting or blood baths. After all, how difficult is designing a hash? You just find a one-way function and iterate... Seriously though, it should prove both interesting and instructive. Personally I would still like to see all the entrants analysed, including the ones NIST rejects as not being complete; sometimes the seeds of odd ideas have a habit of blooming in other ways and areas.
October 29, 2008 8:44 AM @Clive Robinson The problem is that there are a lot of would-be cryptographers that sux. That's pretty bad and IMO as it should be, just part of "due process". I really like the use of a tweakable block cipher as the building block.
October 29, 2008 8:55 AM As for "Skein", it is a word you hear in and around the Kingdom of Fife (Scotland) and in quite a few contexts. As Roxanne pointed out, one use is for a twist of yarn usually used (but not exclusively) for knitting or in the weaving process. You will also hear it used when referring to a flock of wild/water fowl when in flight. But when used as "Skein Dhu" it refers to something quite nasty with a bit of an edge on it that hides in a Scotsman's sock... Most of which appear to be appropriate as metaphors for a hash function.
October 29, 2008 9:15 AM Everything in Skein is little-endian -- except the bit padding for odd-sized inputs: it puts the last data bits in the MOST significant bit positions of the last byte -- which are not adjacent to the bits in the next-to-last byte when both are part of the same 64-bit word. The practical significance of this difference is extremely limited, but still: Why?
October 29, 2008 9:36 AM From the footnote on page 1 of the paper: "A "skein" -- pronounced "skane" and rhymes with "rain" -- is a loosely coiled length of yarn or thread wound on a reel."
October 29, 2008 10:03 AM @greg- You mean that my wonderful hash function based off of the famous, trusted, widely-used ROT13 cipher isn't likely to be accepted? Well, at least my submission based on ROT26 should be safe (since 26 is twice the size of 13).
If we make hashes slower, it takes a lot longer for an attacker to run a password cracker and figure out what combination of characters make that hash. If you mean this just for integrity checks, that's one thing, but password hashes need to be nice and slow.
October 29, 2008 1:24 PM Bruce, you mentioned in your summary that there can be parallel versions of Skein, as opposed to purely sequential versions. If I recall correctly, SHA and/or MD5 also had this trait, but the standard was to use a sequential version so it would require less memory on small devices. While small devices are still important, it seems that given the trend towards increasingly parallel machines, it's very important that this time around we develop a standard hash function that can be coded in an efficient sequential fashion, while also allowing it to take adv...