Paper 2010/589

Higher-order differential properties of Keccak and Luffa

Christina Boura, Anne Canteaut, and Christophe De Cannière

Abstract

In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.

Note: Correction on the typo in the ANF of the Sbox in Luffa v2 (first line of Page 9)

Metadata
Available format(s)
PDF PS
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Hash functionsdegreehigher-order differentialszero-sumsSHA-3
Contact author(s)
Anne Canteaut @ inria fr
History
2010-11-24: last of 2 revisions
2010-11-20: received
See all versions
Short URL
https://ia.cr/2010/589
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2010/589,
      author = {Christina Boura and Anne Canteaut and Christophe De Cannière},
      title = {Higher-order differential properties of Keccak and Luffa},
      howpublished = {Cryptology ePrint Archive, Paper 2010/589},
      year = {2010},
      note = {\url{https://eprint.iacr.org/2010/589}},
      url = {https://eprint.iacr.org/2010/589}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.