Cryptanalysis of Luffa v2 Components

Khovratovich, Dmitry; Naya-Plasencia, Maŕıa; Röck, Andrea; Schläffer, Martin

doi:10.1007/978-3-642-19574-7_26

Cited by 21 publications

(24 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It should be noted that, by nature, this algebraic property is very different from the properties exploited in previously known distinguishers on the compression function of Luffa v2 (e.g. [9]). …”

Section: Higher-order Differentials For the Compression Function Of Lmentioning

confidence: 70%

Higher-Order Differential Properties of Keccak and Luffa

Boura

Canteaut

Cannière

2011

Lecture Notes in Computer Science

103

121

View full text Add to dashboard Cite

Abstract. In this paper, we identify higher-order differential and zerosum properties in the full Keccak-f permutation, in the Luffa v1 hash function and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of a number of balanced Sboxes. These techniques yield zero-sum partitions of size 2 1575 for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.

show abstract

Section: Higher-order Differentials For the Compression Function Of Lmentioning

confidence: 70%

Higher-Order Differential Properties of Keccak and Luffa

Boura

Canteaut

Cannière

2011

Lecture Notes in Computer Science

103

121

View full text Add to dashboard Cite

show abstract

“…However, for the case of w different permutations P i this is not immediately clear. We remark that a distinguisher for the permutation of Luffa is derived in [43].…”

Section: 10mentioning

confidence: 99%

Security Reductions of the Second Round SHA-3 Candidates

Andreeva

Mennink

Preneel

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round. An important criterion in the selection process is the SHA-3 hash function security and more concretely, the possible security reductions of the hash function to the security of its underlying building blocks. While some of the candidates are supported with firm security reductions, for most of the schemes these results are still incomplete. In this paper, we compare the state of the art provable security reductions of the second round candidates. We discuss all SHA-3 candidates at a high functional level, and analyze and summarize the security reduction results. Surprisingly, we derive some security bounds from the literature, which the hash function designers seem to be unaware of. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.

show abstract

“…Future work includes the search for even sparser truncated differential paths and the improvement of the given attacks by using the large degrees of available freedom. Also the separate search for differences and values as proposed in [12] and [8] may be used to improve the complexity of additional inbound phases.…”

Section: Resultsmentioning

confidence: 99%

Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function

Schläffer

2011

Selected Areas in Cryptography

Self Cite

View full text Add to dashboard Cite

Abstract. In this work we present first results for the hash function of ECHO. We provide a subspace distinguisher for 5 rounds, near-collisions on 4.5 rounds and collisions for 4 out of 8 rounds of the ECHO-256 hash function. The complexities are 2 96 compression function calls for the distinguisher and near-collision attack, and 2 64 for the collision attack. The memory requirements are 2 64 for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get distinguishers on 7 rounds and near-collisions for 6 and 6.5 rounds. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most one fourth of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.

show abstract

Cryptanalysis of Luffa v2 Components

Cited by 21 publications

References 6 publications

Higher-Order Differential Properties of Keccak and Luffa

Higher-Order Differential Properties of Keccak and Luffa

Security Reductions of the Second Round SHA-3 Candidates

Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function

Contact Info

Product

Resources

About