Schneier on Security
A blog covering security and security technology.

September 15, 2009

Skein News

Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small "tweaks" to their algorithms. We've tweaked the rotation constants of Skein. This change does not affect Skein's performance in any way. The revised Skein paper contains the new rotation constants, as well as information about how we chose them and why we changed them, the results of some new cryptanalysis, plus new IVs and test vectors. Revised source code is here. The latest information on Skein is always here.

Tweaks were due today, September 15. Now the SHA-3 process moves into the second round. According to NIST's timeline, they'll choose a set of final round candidate algorithms in 2010, and then a single hash algorithm in 2012. Between now and then, it's up to all of us to evaluate the algorithms and let NIST know what we want. Cryptanalysis is important, of course, but so is performance. Here's my 2008 essay on SHA-3.

The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, here.

In other news, we're making Skein shirts available to the public. Those of you who attended the First Hash Function Candidate Conference in Leuven, Belgium, earlier this year might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. Details (with photos) are here. All orders must be received before 1 October, and then we'll have all the shirts made in one batch.
Posted on September 15, 2009 at 6:10 AM • 25 Comments

Comments

I've always wondered, what's in it for the winning algorithm? Is it just the honour? Or will NIST purchase a ''license'' in some form?
Posted by: curious at September 15, 2009 6:43 AM

"I've always wondered, what's in it for the winning algorithm?"
Fame and glory, nothing more. Every group that submitted had to explicitly sign away any rights to both the algorithm and the software implementations.
Posted by: at September 15, 2009 6:53 AM

A recent study (http://eprint.iacr.org/2009/438) attacks Skein up to 35 rounds out of 72. Would you please give comments on it? Thanks!
Posted by: Steven at September 15, 2009 8:27 AM

"A recent study (http://eprint.iacr.org/2009/438) attacks Skein up to 35 rounds out of 72. Would you please give comments on it? Thanks!"
It's a really good paper, with a whole series of attacks against reduced-round Threefish. The particular result you mention is a "known-related-key boomerang distinguisher." The complexity of the attack against Threefish-512 is 2^478, making it slightly better than brute force but still completely impractical forever. (The attack is 2^83 more complex than it is against 34 rounds, which gives you some idea of how the difficulty of attacking Threefish increases with the number of rounds.) While it's certainly possible that this attack might be pushed a few rounds with some new and clever cryptanalysis, there's no way in the world it'll ever get anywhere near 72 rounds. The paper says: "our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees." We talk more about the paper in Section 9.5 of the Skein document.
Posted by: at September 15, 2009 8:37 AM

"Blue Midnight Wish".
Posted by: NotSoAnonymousWhenOnline at September 15, 2009 9:02 AM

Revision files still not posted to skein-hash.info, 404s all around. Reading your local copy here.
Posted by: Vincent at September 15, 2009 9:07 AM

"Revision files still not posted to skein-hash.info, 404s all around. Reading your local copy here."
I know; we're working on it. Download the new paper and files here:
Posted by: at September 15, 2009 9:19 AM

A quick google doesn't give much info on cipher modes with tweakable block ciphers. Does anyone know if there's been much work in that direction?
Posted by: greg at September 15, 2009 10:50 AM

@greg: Also known as "Do you want your grandchildren to say you were in Blue Spoon?"
Posted by: wiredog at September 15, 2009 12:31 PM

Whoops! The above was a reply to NotSoAnonymousWhenOnline
Posted by: wiredog at September 15, 2009 12:33 PM

Bruce, you should know that this page won't load on Firefox - it just gives an error, "The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.", and will not load the page at all, let alone allowing me to read or post comments.
Posted by: Sanjaya at September 15, 2009 12:48 PM

I have viewed these blogs for a long time with Firefox without any problems.
Posted by: gilberto at September 15, 2009 3:05 PM

The winning algorithm will presumably be known as SHA-3, and its name during the contest will fade away. AES was formerly known as Rijndael; at least Blue Midnight Wish is easier to pronounce.
Posted by: g at September 15, 2009 3:18 PM

Blue Midnight Wish makes me think of Harold and The Purple Crayon.
Posted by: bob at September 15, 2009 8:52 PM

nice_dude3: I think Schneier's submissions in past competitions like this and his experience working in the field of cryptology more than make up for not having a career in the university world. With that said I actually don't know if Schneier has a Ph.D or not :-)
Posted by: Daniel Wijk at September 16, 2009 2:32 AM

@nice_dude3 You don't need to be qualified in any way to make a SHA-3 submission; among the submitters was even a 15 year old:
Posted by: anonymous at September 16, 2009 2:33 AM

@ Daniel Wijk, "With that said I actually don't know if Schneier has a Ph.D or not :-)"
It does not matter; I have posted about this in the past. A Ph.D is not like a "taught" degree (BSc, MSc etc); it is for "research ability". As many older Ph.D's will grudgingly admit, their research choice was "kind of made for them" by those assessing them. The big problem with a Ph.D is that the research is normally a small increment on existing knowledge and often lacks any real originality. This is due in part to the people assessing you; they have little way to judge highly original work. But a pertinent question to ask is not "Has Bruce a Ph.D?" but "Is there a Ph.D for Bruce's originality?". As far as "standing" in the "field of endeavor", I think Bruce has proved himself way beyond what most Ph.D's could ever hope to do. Also I suspect that his work on his various systems and the "writing up" he has done would be regarded as sufficient by many.
Posted by: Clive Robinson at September 16, 2009 9:05 AM

Clive Robinson: I agree, there are few people in his field that we have knowledge about who can speak with authority on these matters and come out as credible as Bruce.
Posted by: Daniel Wijk at September 16, 2009 9:11 AM

"A quick google doesn't give much info on cipher modes with tweakable block ciphers. Does anyone know if there's been much work in that direction?"
All normal block cipher modes work with tweakable block ciphers. The tweak is just an additional input that can be used to "personalize" the cipher.
Posted by: at September 16, 2009 9:12 AM

@Bruce 'an additional input that can be used to "personalize" the cipher"
Posted by: David at September 16, 2009 12:58 PM

@David: With Threefish at least, you can have a different tweak for each block of each message without a performance hit, which isn't true of all salts. For instance, a tweak could be helpful for making a secure but still parallelizable mode for hard disk encryption.
Posted by: Randall at September 16, 2009 2:39 PM
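The last few comments describe a tweakable block cipher as an ordinary block cipher with one extra input, and a disk-encryption mode that gives every block its own tweak so blocks encrypt independently and in parallel. The sketch below is an added illustration of that idea; it is not Skein or Threefish code and is not from the post or the thread. The block cipher is a stand-in toy Feistel network built from HMAC-SHA256 (assumed, for demonstration only; Threefish folds its tweak into the key schedule instead), the tweak is applied with an LRW/XEX-style mask, and the (sector, block index) tweak layout and all function names are my own assumptions.

```python
import hashlib
import hmac
import struct

# Toy 128-bit Feistel block cipher built from HMAC-SHA256. This is a
# hypothetical stand-in for a real block cipher (Threefish, AES), used only
# so the example runs offline with the standard library.
BLOCK_SIZE = 16
HALF = BLOCK_SIZE // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(cipher_key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function, domain-separated by round number, one half wide.
    return hmac.new(cipher_key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def toy_block_encrypt(cipher_key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_SIZE
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(cipher_key, rnd, right))
    return left + right


def toy_block_decrypt(cipher_key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_SIZE
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(cipher_key, rnd, left)), left
    return left + right


# Tweakable block cipher: C = E_K1(P xor delta) xor delta, where delta is a
# keyed (K2) pseudorandom mask derived from the tweak (LRW/XEX-style).
# The tweak is public; only the keys are secret. Same key and block but a
# different tweak yields an unrelated ciphertext, which is the whole point.
def _subkeys(master_key: bytes):
    k1 = hmac.new(master_key, b"cipher", hashlib.sha256).digest()
    k2 = hmac.new(master_key, b"tweak-mask", hashlib.sha256).digest()
    return k1, k2


def tweakable_encrypt(master_key: bytes, tweak: bytes, block: bytes) -> bytes:
    k1, k2 = _subkeys(master_key)
    delta = hmac.new(k2, tweak, hashlib.sha256).digest()[:BLOCK_SIZE]
    return _xor(toy_block_encrypt(k1, _xor(block, delta)), delta)


def tweakable_decrypt(master_key: bytes, tweak: bytes, block: bytes) -> bytes:
    k1, k2 = _subkeys(master_key)
    delta = hmac.new(k2, tweak, hashlib.sha256).digest()[:BLOCK_SIZE]
    return _xor(toy_block_decrypt(k1, _xor(block, delta)), delta)


# Sector mode: each block's tweak is (sector number, block index), so every
# block depends only on the key, its tweak and its own plaintext. There is no
# chaining, so blocks can be processed in any order or in parallel, and
# identical plaintext blocks at different positions still encrypt differently.
def _block_tweak(sector: int, index: int) -> bytes:
    return struct.pack(">QI", sector, index)


def _split_blocks(data: bytes):
    if len(data) % BLOCK_SIZE:
        raise ValueError("sector data must be a whole number of blocks")
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def encrypt_sector(master_key: bytes, sector: int, data: bytes) -> bytes:
    # The generator below could be a worker pool; each call is independent.
    return b"".join(tweakable_encrypt(master_key, _block_tweak(sector, i), blk)
                    for i, blk in enumerate(_split_blocks(data)))


def decrypt_sector(master_key: bytes, sector: int, data: bytes) -> bytes:
    return b"".join(tweakable_decrypt(master_key, _block_tweak(sector, i), blk)
                    for i, blk in enumerate(_split_blocks(data)))


if __name__ == "__main__":
    key = b"\x01" * 32                    # constructed demo key
    sector = bytes(range(16)) * 4         # four identical plaintext blocks
    ct = encrypt_sector(key, 7, sector)
    print("distinct ciphertext blocks:", len(set(_split_blocks(ct))))
    print("round trip ok:", decrypt_sector(key, 7, ct) == sector)
```

Note what the mode does and does not give: a tweak per block removes the chaining that serializes CBC, but like any length-preserving sector mode it provides no integrity, so a modified ciphertext block decrypts to garbage in that one block without any error being raised; a deployment that needs tamper detection has to add authentication separately.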