Difference between revisions of "Luffa"
From The ECRYPT Hash Function Website
Mschlaeffer (talk | contribs) m |
Mschlaeffer (talk | contribs) (desingers' analysis added, table sorted) |
||
| Line 58: | Line 58: | ||
=== Hash function === | === Hash function === | ||
| − | Here we list results on the | + | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. |
Recommended security parameter: '''8''' rounds | Recommended security parameter: '''8''' rounds | ||
| Line 81: | Line 81: | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
|- | |- | ||
| + | | distinguisher || permutation || || 4 rounds || ? || - || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier] | ||
| + | |- | ||
| pseudo-2nd preimage || hash || all || || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia] | | pseudo-2nd preimage || hash || all || || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia] | ||
|- | |- | ||
| Line 87: | Line 89: | ||
| pseudo-preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia] | | pseudo-preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia] | ||
|- | |- | ||
| − | | | + | | semi-free-start collision || hash || all || any || 2<sup>256*(w-1)/w</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document] |
| + | |- | ||
| + | | semi-free-start collision || hash || 512 || any || 2<sup>204.8</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document] | ||
| + | |- | ||
| + | | non-randomness || permutation || || 8 rounds || 2<sup>224</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document] | ||
|- | |- | ||
|} | |} | ||
| Line 93: | Line 99: | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{hamsiAM9, | ||
| + | author = {Jean-Philippe Aumasson and Willi Meier}, | ||
| + | title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi}, | ||
| + | url = {http://www.131002.net/data/papers/AM09.pdf}, | ||
| + | howpublished = {NIST mailing list} | ||
| + | year = {2009}, | ||
| + | abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.}, | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
| Line 104: | Line 120: | ||
abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions is needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively. }, | abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions is needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively. }, | ||
} | } | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
</bibtex> | </bibtex> | ||
Revision as of 18:24, 15 February 2010
1 The algorithm
- Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
- Website: http://www.sdl.hitachi.co.jp/crypto/luffa/
- NIST submission package:
- round 1: LuffaUpdate.zip (old version: Luffa.zip)
- round 2: Luffa_Round2_Update.zip (old version: Luffa_Round2.zip)
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification
- ,2009
- http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_Specification_20091002.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2009
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document
- ,2009
- http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2009
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification
- ,2008
- http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2008
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document
- ,2008
- http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
Recommended security parameter: 8 rounds
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | permutation | 4 rounds | ? | - | Aumasson,Meier | |
| pseudo-2nd preimage | hash | all | 1 | - | Jia | |
| pseudo-preimage | hash | 256 | 2127 | - | Jia | |
| pseudo-preimage | hash | 512 | 2171 | - | Jia | |
| semi-free-start collision | hash | all | any | 2256*(w-1)/w | - | submission document |
| semi-free-start collision | hash | 512 | any | 2204.8 | - | submission document |
| non-randomness | permutation | 8 rounds | 2224 | - | submission document |
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
- ,2009
- http://www.131002.net/data/papers/AM09.pdf
BibtexAuthor : Jean-Philippe Aumasson, Willi Meier
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : -
Address :
Date : 2009
Keting Jia - Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa
