International Association
for Cryptologic Research

In this paper, we study differential attacks against ARX schemes. We

build upon the generalized characteristics of de Cannière and Rechberger

and the multi-bit constraints of Leurent. We describe a more efficient

way to propagate multi-bit constraints, that allows us to use the

complete set of 2^32 2.5-bit constraints, instead of the reduced sets

used by Leurent.

As a result, we are able to build complex non-linear differential

characteristics for reduced versions of the hash function Skein. We

present several characteristics for use in various attack scenarios;

this results in attacks with a relatively low complexity, in relatively

strong settings. In particular, we show practical free-start and

semi-free-start collision attacks for 20 rounds and 12 rounds of

Skein-256, respectively.

To the best of our knowledge, these are the first examples of complex

differential trails are build for pure ARX designs. We believe this is

an important work to assess the security of ARX designs against

differential cryptanalysis. Our improved tools will be publicly available

with the final version of this paper.