Date: Thu, 9 Apr 2009 17:46:51 -0400
From: Nicky Mouha
Subject: Re: OFFICIAL COMMENT: LUX
Hi,
The attack strategy is completely valid, but some hexadecimal values in the formula are incorrect. To demonstrate this, I've uploaded a distinguisher for all digest sizes of LUX at http://www.nickymouha.be/software-en.html
All credit for this distinguisher should go to Shuang Wu, Dengguo Feng and Wenling Wu. The only thing I did is correct some calculation errors and trivially extend the results to LUX-384/512.
Kind regards,
Nicky
Niels Ferguson wrote:
> I have not validated this attack, but if I understand the results correctly, LUX-256 can be seen as a 200-bit hash function with a post-processing function that stretches the 200 bits into a 256-bit result. That means it can't be used in SP 800-90 Hash-DRBG, it generates weak keys if used in a normal hash-based KDF, has reduced security for HMAC-LUX, etc.
>
> A minor point: We can drop the memory requirements for collision finding from 2100 (2228 for LUX-512) to a constant size by using Floyd's or Brent's cycle finding algorithm.
> Regards,
>
> Niels
>
> ________________________________________
> From: hash-forum@nist.gov [hash-forum@nist.gov] On Behalf Of Watanabe Dai [dai.watanabe.td@hitachi.com]
> Sent: Wednesday, April 08, 2009 8:02 PM
> To: Multiple recipients of list
> Subject: OFFICIAL COMMENT: LUX
>
> Dear all,
>
> I looked at Wu et. al's report [1] on LUX and I believe that
> their observation can obviously be extended to a collision
> attack and a second preimage attack which would be labeled
> orange in the SHA-3 zoo according to their computational
> complexities.
> The following is the brief sketch of the attacks.
>
>
> == Wu et. al's observation
>
> Let H=(h0, h1, ..., h7) be the hash value and
> hi=(ai, bi, ci, di) be its byte expression.
> Then the following relation holds for 0* 0xf7*ai + 0x4c*bi + 0xf4*ci + di = 0x4e * S(a(i-1))......(1)
> See [1] Section 3.1 for more detail.
>
>
> == What does it mean?
>
> Eq.(1) means that 4 bytes of hi of the output determine
> 1 byte of h(i-1).
> In other words, LUX-256 has undesirable property that
> the 56(=8*7) bits of the output are determined by
> the remaining 256-56=200 bits without extra computational
> cost.
> It obviously reduces the complexity of the birthday attack
> and the second preimage attack.
>
>
> == Collision attack and second preimage attack
>
> Find a partial collision such that
> bi=bi',ci=ci',di=di' for 0<=i<8 and a7=a7'.
> With help of Eq.(1) and the fact that S is a permutation,
> we have ai=ai' for 0<=i<7.
>
> === Complexity of collision attack
> * Hash function call: 2^{(3*8+1)*8/2} = 2100.
> * Memory: 2100.
>
> === Complexity of second preimage attack
> * Hash function call: 2200,
> * Memory: none.
>
>
> == LUX-512
>
> LUX-512 has the same weakness as LUX-256 so that the 56(=8*7) bits
> of the output are determined by the remaining 512-56=456 bits.
> In the similar manner to the attacks on LUX-256, the collision
> attack and the second preimage attack require 2^{456/2}=2228
> and 2456 complexity respectively.
>
>
> [1] Shuang Wu, Dengguo Feng, Wenling Wu
> Cryptanalysis of the Hash Function LUX-256
> http://ehash.iaik.tugraz.at/uploads/3/36/Analysis_LUX_1.pdf
>
> Regards,
> Dai Watanabe
>
*