A Generalized Birthday Problem
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
Fast Software Encryption
Distinguisher and Related-Key Attack on the Full AES-256
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Selected Areas in Cryptography
Higher order differential attack on step-reduced variants of Luffa v1
FSE'10 Proceedings of the 17th international conference on Fast software encryption
Subspace distinguisher for 5/8 rounds of the ECHO-256 hash function
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Higher-order differential properties of KECCAK and Luffa
FSE'11 Proceedings of the 18th international conference on Fast software encryption
Finding collisions for reduced Luffa-256 v2
ACISP'11 Proceedings of the 16th Australasian conference on Information security and privacy
How to improve rebound attacks
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Known-Key distinguisher on round-reduced 3d block cipher
WISA'11 Proceedings of the 12th international conference on Information Security Applications
Unaligned rebound attack: application to keccak
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Hi-index | 0.00 |
We develop a number of techniques for the cryptanalysis of the SHA-3 candidate Luffa, and apply them to various Luffa components. These techniques include a new variant of the rebound approach taking into account the specifics of Luffa. The main improvements include the construction of good truncated differential paths, the search for differences using multiple inbound phases and a fast final solution search via linear systems. Using these techniques, we are able to construct nontrivial semi-free-start collisions for 7 (out of 8 rounds) of Luffa-256 with a complexity of 2104 in time and 2102 in memory. This is the first analysis of a Luffa component other that the permutation of Luffa v1. Additionally, we provide new and more efficient distinguishers also for the full permutation of Luffa v2. For this permutation distinguisher, we use a new model which applies first a short test on all samples and then a longer test on a smaller subset of the inputs. We demonstrate that a set of right pairs for the given differential path can be found significantly faster than for a random permutation.