Difference between revisions of "Luffa"

Revision as of 15:07, 6 December 2010

1 The algorithm

Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Website: http://www.sdl.hitachi.co.jp/crypto/luffa/
NIST submission package:
- round 1: LuffaUpdate.zip (old version: Luffa.zip)
- round 2: Luffa_Round2_Update.zip (old version: Luffa_Round2.zip)

Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification

,2009

http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_Specification_20091002.pdf
Bibtex

Author : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2009

Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document

,2009

http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf
Bibtex

Author : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2009

Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification

,2008

http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf
Bibtex

Author : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2008

Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document

,2008

http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf
Bibtex

Author : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 8 rounds

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis	Hash Size (n)	Parameters	Compression Function Calls	Memory Requirements	Reference
collision	256	4 rounds	2⁹⁰	-	Preneel,Yoshida,Watanabe

2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis	Hash Function Part	Hash Size (n)	Parameters/Variants	Compression Function Calls	Memory Requirements	Reference
semi-free-start collision	hash	256	7 rounds	2¹⁰⁴	2¹⁰²	Khovratovich,Naya-Plasencia,Röck,Schläffer
distinguisher	round function	256	8 rounds	2¹⁰⁴	2¹⁰²	Khovratovich,Naya-Plasencia,Röck,Schläffer
distinguisher	permutation		8 rounds	2^116.3	?	Khovratovich,Naya-Plasencia,Röck,Schläffer
distinguisher	permutation		8 rounds	2⁸²	-	Aumasson,Meier
free-start 2nd preimage	hash	all		1	-	Jia
free-start preimage	hash	256		2¹²⁷	-	Jia
free-start preimage	hash	512		2¹⁷¹	-	Jia
semi-free-start collision	hash	all	any	2^256*(w-1)/w	-	submission document
semi-free-start collision	hash	512	any	2^204.8	-	submission document
non-randomness	permutation		8 rounds	2²²⁴	-	submission document

Bart Preneel, Hirotaka Yoshida, Dai Watanabe - Finding Collisions for Reduced Luffa-256 v2

,2010

http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf
Bibtex

Author : Bart Preneel, Hirotaka Yoshida, Dai Watanabe
Title : Finding Collisions for Reduced Luffa-256 v2
In : -
Address :
Date : 2010

Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Röck, Martin Schläffer - Cryptanalysis of Luffa v2 Components

SAC ,2010

http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053
Bibtex

Author : Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Röck, Martin Schläffer
Title : Cryptanalysis of Luffa v2 Components
In : SAC -
Address :
Date : 2010

Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi

,2009

http://www.131002.net/data/papers/AM09.pdf
Bibtex

Author : Jean-Philippe Aumasson, Willi Meier
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : -
Address :
Date : 2009

Keting Jia - Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa

,2009

http://eprint.iacr.org/2009/224.pdf
Bibtex

Author : Keting Jia
Title : Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa
In : -
Address :
Date : 2009

@@ Line 65: / Line 65: @@
 | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||   Reference
 |-
-| || || || || ||
+| collision || 256 || 4 rounds || 2<sup>90</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf Preneel,Yoshida,Watanabe]
 |-
 |}
@@ Line 80: / Line 80: @@
 | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||   Reference
 |-
+| semi-free-start collision || hash || 256 || 7 rounds || 2<sup>104</sup> || 2<sup>102</sup> || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053 Khovratovich,Naya-Plasencia,Röck,Schläffer]
+|-
+| distinguisher || round function || 256 || 8 rounds || 2<sup>104</sup> || 2<sup>102</sup> || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053  Khovratovich,Naya-Plasencia,Röck,Schläffer]
+|-
+| distinguisher || permutation ||  || 8 rounds || 2<sup>116.3</sup> || ? || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053  Khovratovich,Naya-Plasencia,Röck,Schläffer]
+|-
 | distinguisher || permutation ||  || 8 rounds || 2<sup>82</sup> || - || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]
 |-
-| pseudo-2nd preimage || hash || all ||  || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia]
+| free-start 2nd preimage || hash || all ||  || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia]
 |-
-| pseudo-preimage || hash || 256 ||  || 2<sup>127</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]
+| free-start preimage || hash || 256 ||  || 2<sup>127</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]
 |-
-| pseudo-preimage || hash || 512 ||  || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]
+| free-start preimage || hash || 512 ||  || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]
 |-
 | semi-free-start collision || hash || all || any || 2<sup>256*(w-1)/w</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]
@@ Line 97: / Line 103: @@
+<bibtex>
+@misc{luffaPYW10,
+  author    = {Bart Preneel, Hirotaka Yoshida, Dai Watanabe},
+  title     = {Finding Collisions for Reduced Luffa-256 v2},
+  url        = {http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf},
+  howpublished = {NIST mailing list}
+  year      = {2010},
+  abstract  = {Luffa is a family of cryptographic hash functions that has been selected as a second round SHA-3 candidate. This paper presents the first collision finding analysis of Luffa-256 v2 which is the 256-bit hash function in the Luffa family. We show that collisions for 4 out of 8 steps of Luffa can be found with complexity $2^{90}$ using sophisticated message modification techniques. Furthermore, we present a security analysis which shows how diﬃcult it is to apply the same approach to Luffa-256 v2 reduced to 5 steps: the resulting attack would require a complexity of $2^{224}$. This analysis can be seen as an indication that the full 8 steps of the Luffa-256 v2 hash function has a large security margin against differential collision search with message modification technique.},
+</bibtex>
+<bibtex>
+@inproceedings{sacKNRS10,
+  author = {Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Röck, Martin Schläffer},
+  title = {Cryptanalysis of Luffa v2 Components},
+  url = {http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053},
+  booktitle  = {SAC},
+  year       = {2010},
+  series     = {LNCS},
+  publisher  = {Springer},
+  note = {To appear}
+  abstract = {We develop a number of techniques for the cryptanalysis of the SHA-3 candidate Luffa, and apply them to various Luffa components. These techniques include a new variant of the rebound approach taking into account the specifics of Luffa. The main improvements include the construction of good truncated differential paths, the search for differences using multiple inbound phases and a fast final solution search via linear systems. Using these techniques, we are able to construct non-trivial semi-free-start collisions for 7 (out of 8 rounds) of Luffa-256 with a complexity of $2^{104}$ in time and $2^{102}$ in memory. This is the first analysis of a Luffa component other that the permutation of Luffa v1. Additionally, we provide new and more efficient distinguishers also for the full permutation of Luffa v2. For this permutation distinguisher, we use a new model which applies first a short test on all samples and then a longer test on a smaller subset of the inputs. We demonstrate that a set of right pairs for the given differential path can be found significantly faster than for a random permutation.}
+</bibtex>
 <bibtex>

Difference between revisions of "Luffa"

Revision as of 15:07, 6 December 2010

Contents

1 The algorithm

2 Cryptanalysis

2.1 Hash function

2.2 Building blocks

Navigation menu

Views

Personal tools

Navigation

Search

Tools