A Generalized Birthday Problem
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Keying Hash Functions for Message Authentication
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Enhancing the security of perfect blind DL-signatures
Information Sciences: an International Journal
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
The second-preimage attack on MD4
CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security
Efficient collision search attacks on SHA-0
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Second preimages on n-bit hash functions for much less than 2n work
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Hi-index | 0.05 |
In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 264 iteration computations with 267 bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2128 iteration computations with 2132 bytes memory. It is noted that, we can find the pseudo-collision pairs and the pseudosecond images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases.