Difference between revisions of "Luffa"
From The ECRYPT Hash Function Website
m (added link to LuffaUpdate.zip) |
Mschlaeffer (talk | contribs) m (analysis update) |
||
| Line 39: | Line 39: | ||
|- | |- | ||
| pseudo-preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia] | | pseudo-preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia] | ||
| + | |- | ||
| + | | distinguisher || permutation || || 4 rounds || ? || - || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier] | ||
|- | |- | ||
|} | |} | ||
| Line 55: | Line 57: | ||
abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions is needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively. }, | abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions is needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively. }, | ||
} | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{hamsiAM9, | ||
| + | author = {Jean-Philippe Aumasson and Willi Meier}, | ||
| + | title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi}, | ||
| + | url = {http://www.131002.net/data/papers/AM09.pdf}, | ||
| + | howpublished = {NIST mailing list} | ||
| + | year = {2009}, | ||
| + | abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.}, | ||
</bibtex> | </bibtex> | ||
Revision as of 19:48, 14 September 2009
1 The algorithm
- Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
- Website: http://www.sdl.hitachi.co.jp/crypto/luffa/
- NIST submission package: Luffa.zip, LuffaUpdate.zip
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification
- ,2008
- http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2008
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document
- ,2008
- http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2008
2 Cryptanalysis
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| pseudo-2nd preimage | hash | all | 1 | - | Jia | |
| pseudo-preimage | hash | 256 | 2127 | - | Jia | |
| pseudo-preimage | hash | 512 | 2171 | - | Jia | |
| distinguisher | permutation | 4 rounds | ? | - | Aumasson,Meier |
A description of this table is given here.
Keting Jia - Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa
- ,2009
- http://eprint.iacr.org/2009/224.pdf
BibtexAuthor : Keting Jia
Title : Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa
In : -
Address :
Date : 2009
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
