[Resource Topic] 2009/224: Pseudo-Cryptanalysis of Luffa

Welcome to the resource topic for 2009/224

Pseudo-Cryptanalysis of Luffa

Authors: Keting Jia, Yvo Desmedt, Lidong Han, Xiaoyun Wang


In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in detail the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 2^{64} iteration computations with 2^{67} bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2^{128} iteration computations with 2^{132} bytes memory. It is noted that we can find the pseudo-collision pairs and the pseudo-second images by changing only a few different bits of the initial values. That is directly converted to the forgery attack on NMAC in related-key cases.

ePrint: https://eprint.iacr.org/2009/224

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.