Pseudo-cryptanalysis of Luffa

Authors:
Keting Jia;Yvo Desmedt;Lidong Han;Xiaoyun Wang
Affiliations:
Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China and Institute for Advanced Study, Tsinghua University, China;Department of Computer Science, University College London, UK;Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China;Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China and Institute for Advanced Study, Tsinghua University, China
Venue:
Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
Year:
2010

Citing 11
Cited 0

A Generalized Birthday Problem

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Keying Hash Functions for Message Authentication

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Enhancing the security of perfect blind DL-signatures

Information Sciences: an International Journal
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
The second-preimage attack on MD4

CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security
Efficient collision search attacks on SHA-0

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Second preimages on n-bit hash functions for much less than 2n work

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

Quantified Score

Hi-index	0.05

Visualization

Abstract

In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 264 iteration computations with 267 bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2128 iteration computations with 2132 bytes memory. It is noted that, we can find the pseudo-collision pairs and the pseudosecond images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases.