Difference between revisions of "LANE"
From The ECRYPT Hash Function Website
m (→The algorithm) |
Mschlaeffer (talk | contribs) (analysis updated) |
||
Line 18: | Line 18: | ||
== Cryptanalysis == | == Cryptanalysis == | ||
− | + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | |
+ | |- style="background:#efefef;" | ||
+ | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | collision || hash || 384,512 || 3 P-rounds || 2<sup>94</sup> || 2<sup>133</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu] | ||
+ | |- | ||
+ | | semi-free-start collision || compression || 224,256 || 3 P-rounds || 2<sup>62</sup> || 2<sup>69</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu] | ||
+ | |- | ||
+ | | semi-free-start collision || compression || 384,512 || 3 P-rounds || 2<sup>62</sup> || 2<sup>69</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu] | ||
+ | |- | ||
+ | | semi-free-start collision || compression || 224,256 || 6 P-rounds || 2<sup>96</sup> || 2<sup>88</sup> || [http://eprint.iacr.org/2009/443.pdf Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer] | ||
+ | |- | ||
+ | | semi-free-start collision || compression || 512 || 8 P-rounds || 2<sup>224</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2009/443.pdf Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer] | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | A description of this table is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
+ | |||
+ | |||
+ | <bibtex> | ||
+ | @misc{laneWFW09, | ||
+ | author = {Shuang Wu and Dengguo Feng and Wenling Wu}, | ||
+ | title = {Cryptanalysis of the LANE Hash Function}, | ||
+ | url = {http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf}, | ||
+ | howpublished = {Presentation, SAC}, | ||
+ | year = {2009}, | ||
+ | abstract = {The LANE hash function is designed by Sebastiaan Indesteege and Bart Preneel. It is now a first round candidate of NIST's SHA-3 competition. The LANE hash function contains four concrete designs with different digest length of 224, 256, 384 and 512. | ||
+ | The LANE hash function uses two permutations P and Q, which consist of different number of AES-like rounds. LANE-224/256 uses 6-round P and 3-round Q. LANE-384/512 uses 8-round P and 4-round Q. We will use LANE-n-(a,b) to denote a variant of LANE with a-round P, b-round Q and a digest length n. | ||
+ | We have found a semi-free start collision attack on reduced-round LANE-256-(3,3) with complexity of 2^62 compression function evaluations and 2^69 memory. This technique can be applied to LANE-512-(3,4) to get a semi-free start collision attack with the same complexity of 2^62 and 2^69 memory. We also propose a collision attack on LANE-512-(3,4) with complexity of 2^94 and 2^133 memory.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{laneMNNSS09, | ||
+ | author = {Krystian Matusiewicz and Maria Naya-Plasencia and Ivica Nikolic and Yu Sasaki and Martin Schläffer}, | ||
+ | title = {Rebound Attack on the Full LANE Compression Function}, | ||
+ | url = {http://eprint.iacr.org/2009/443.pdf}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/443}, | ||
+ | year = {2009}, | ||
+ | abstract = {In this work, we apply the rebound attack to the AES based SHA-3 candidate LANE. The hash function LANE uses a permutation based compression function, consisting of a linear message expansion and 6 parallel lanes. In the rebound attack on LANE, we apply several new techniques to construct a collision for the full compression function of LANE-256 and LANE-512. Using a relatively sparse truncated differential path, we are able to solve for a valid message expansion and colliding lanes independently. Additionally, we are able to apply the inbound phase more than once by exploiting the degrees of freedom in the parallel AES states. This allows us to construct semi-free-start collisions for full LANE-256 with $2^{96}$ compression function evaluations and $2^{88}$ memory, and for full LANE-512 with $2^{224}$ compression function evaluations and $2^{128}$ memory.}, | ||
+ | } | ||
+ | </bibtex> |
Revision as of 19:24, 14 September 2009
1 The algorithm
- Author(s): Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannière, Orr Dunkelman, Emilia Käsper, Svetla Nikova, Bart Preneel, Elmar Tischhauser
- Website: http://www.cosic.esat.kuleuven.be/lane/
- NIST submission package: LANE.zip
- Specification:
Sebastiaan Indesteege - The LANE hash function
- ,2008
- http://www.cosic.esat.kuleuven.be/publications/article-1181.pdf
BibtexAuthor : Sebastiaan Indesteege
Title : The LANE hash function
In : -
Address :
Date : 2008
2 Cryptanalysis
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
collision | hash | 384,512 | 3 P-rounds | 294 | 2133 | Wu,Feng,Wu |
semi-free-start collision | compression | 224,256 | 3 P-rounds | 262 | 269 | Wu,Feng,Wu |
semi-free-start collision | compression | 384,512 | 3 P-rounds | 262 | 269 | Wu,Feng,Wu |
semi-free-start collision | compression | 224,256 | 6 P-rounds | 296 | 288 | Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer |
semi-free-start collision | compression | 512 | 8 P-rounds | 2224 | 2128 | Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer |
A description of this table is given here.
Shuang Wu, Dengguo Feng, Wenling Wu - Cryptanalysis of the LANE Hash Function
- ,2009
- http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf
BibtexAuthor : Shuang Wu, Dengguo Feng, Wenling Wu
Title : Cryptanalysis of the LANE Hash Function
In : -
Address :
Date : 2009
Krystian Matusiewicz, Maria Naya-Plasencia, Ivica Nikolic, Yu Sasaki, Martin Schläffer - Rebound Attack on the Full LANE Compression Function