Higher Order Differential Attack on Step-Reduced Variants of Luffa v1

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)


In this paper, a higher order differential attack on the hash function Luffa v1 is discussed. We confirmed that the algebraic degree of the permutation Q j which is an important non-linear component of Luffa grows slower than an ideal case both by the theoretical and the experimental approaches. According to our estimate, we can construct a distinguisher for step-reduced variants of Luffa v1 up to 7 out of 8 steps by using a block message. The attack for 7 steps requires 2216 messages. As far as we know, this is the first report which investigates the algebraic property of Luffa v1. Besides, this attack does not pose any threat to the security of the full-step of Luffa v1 nor Luffa v2.


Hash function Luffa Higher order differential attack Non-randomness 


  1. 1.
    Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. 2.
    Aumasson, J.-P., Dinur, I., Henzen, L., Meier, W., Shamir, A.: Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128. In: Special-purpose Hardware for Attacking Cryptographic Systems, SHARCS 2009 (2009)Google Scholar
  3. 3.
    Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009),
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge Functions. In: Ecrypt Hash Workshop (2007)Google Scholar
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    De Cannière, C., Sato, H., Watanabe, D.: Hash Function Luffa: Specification. Submission to NIST SHA-3 Competition (2008),
  7. 7.
    De Cannière, C., Sato, H., Watanabe, D.: Hash Function Luffa: Supporting Document. Submission to NIST SHA-3 Competition (2008),
  8. 8.
    Daemen, J., Knudsen, L., Rijmen, V.: The Block Cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  9. 9.
    Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. Cryptology ePrint Archive, Report 2008/385Google Scholar
  10. 10.
    Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)Google Scholar
  11. 11.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Proc. Symposium on Communication, Coding and Cryptography, pp. 227–233. Kluwer Academic Publishers, Dordrecht (1994)Google Scholar
  12. 12.
    National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS 180-2 (2002)Google Scholar
  13. 13.
    National Institute of Standards and Technology, Cryptographic hash project,

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.Systems Development Laboratory, Hitachi, LtdTotsuka-kuJapan
  2. 2.Science University of TokyoNodaJapan

Personalised recommendations