Luffa
1 The algorithm
- Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
- Website: http://www.sdl.hitachi.co.jp/crypto/luffa/
- NIST submission package:
- round 1: LuffaUpdate.zip (old version: Luffa.zip)
- round 2: Luffa_Round2_Update.zip (old version: Luffa_Round2.zip)
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification
- ,2009
- http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_Specification_20091002.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2009
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document
- ,2009
- http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2009
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Specification
- ,2008
- http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Specification
In : -
Address :
Date : 2008
Christophe De Canniere, Hisayoshi Sato, Dai Watanabe - Hash Function Luffa: Supporting Document
- ,2008
- http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf
BibtexAuthor : Christophe De Canniere, Hisayoshi Sato, Dai Watanabe
Title : Hash Function Luffa: Supporting Document
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 8 rounds
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| collision | 256 | 4 rounds | 290 | - | Preneel,Yoshida,Watanabe |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | hash | 256 | Round 1 | 2251 | - | Boura,Canteaut,DeCanniere |
| distinguisher | permutation | 8 rounds | 2252 | - | Boura,Canteaut,DeCanniere | |
| semi-free-start collision | hash | 256 | 7 rounds | 2104 | 2102 | Khovratovich,Naya-Plasencia,Röck,Schläffer |
| distinguisher | round function | 256 | 8 rounds | 2104 | 2102 | Khovratovich,Naya-Plasencia,Röck,Schläffer |
| distinguisher | permutation | 8 rounds | 2116.3 | ? | Khovratovich,Naya-Plasencia,Röck,Schläffer | |
| distinguisher | permutation | 8 rounds | 282 | - | Aumasson,Meier | |
| free-start 2nd preimage | hash | all | 1 | - | Jia | |
| free-start preimage | hash | 256 | 2127 | - | Jia | |
| free-start preimage | hash | 512 | 2171 | - | Jia | |
| semi-free-start collision | hash | all | any | 2256*(w-1)/w | - | submission document |
| semi-free-start collision | hash | 512 | any | 2204.8 | - | submission document |
| non-randomness | permutation | 8 rounds | 2224 | - | submission document |
Christina Boura, Anne Canteaut, Christophe De Canni\`ere - Higher-order differential properties of Keccak and Luffa
- ,2010
- http://eprint.iacr.org/2010/589.pdf
BibtexAuthor : Christina Boura, Anne Canteaut, Christophe De Canni\`ere
Title : Higher-order differential properties of Keccak and Luffa
In : -
Address :
Date : 2010
Bart Preneel, Hirotaka Yoshida, Dai Watanabe - Finding Collisions for Reduced Luffa-256 v2
- ,2010
- http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf
BibtexAuthor : Bart Preneel, Hirotaka Yoshida, Dai Watanabe
Title : Finding Collisions for Reduced Luffa-256 v2
In : -
Address :
Date : 2010
Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Röck, Martin Schläffer - Cryptanalysis of Luffa v2 Components
- SAC ,2010
- http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053
BibtexAuthor : Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Röck, Martin Schläffer
Title : Cryptanalysis of Luffa v2 Components
In : SAC -
Address :
Date : 2010
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
- ,2009
- http://www.131002.net/data/papers/AM09.pdf
BibtexAuthor : Jean-Philippe Aumasson, Willi Meier
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : -
Address :
Date : 2009
Keting Jia - Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa
