Skip to main content

Hitachi

Hitachi Crypto Technology

News

10 Dec. 2010
  • NIST announced the finalists and Luffa was not selected. We appreciate all contributions (Security evaluations, implementations, ...) to Luffa. This page is archived for the academic research.
3 Dec. 2010
  • Implementation package for eBASHis updated. This update includes new assembly codes for Intel Core2 Duo (32-bit mode) to which we applied the techniques presented by Oliveira and López.
8 Nov. 2010
  • A new security evaluation reportis uploaded. The report deals with the collision resistance of Luffa-256 under the normal setting (No (semi)-free-start setting).
5 Nov. 2010
21 Sep. 2010
  • Implementation package for eBASHis updated. This update includes new assembly codes for Intel Core2 Duo to which we applied the techniques presented by Oliveira and López.
30 Aug. 2010
10 Aug. 2010
23 Jun. 2010
  • Implementation package for eBASH is also updated. The performance on Intel Core i5 is slightly improved.
  • Two links to our presentation files at ESC2010 and FSE2010 are added.
7 Apr. 2010
  • Additional implementations package is updated. Now the zip file includes all codes which are used in our self-evaluation.
  • An implementation package for eBash is also uploaded.
25 Mar. 2010
  • Known implementation results are listed.
2 Oct. 2009
  • Thanks to Stefan Tillich, a bug in the specification is fixed. Please see the update packagefor the detail.
24 Sep. 2009
  • Thanks to Miroslav Knežević and Ingrid Verbauwhede, their hardware implementation result on Luffa v1 is updated to that on Luffa v2.
11 Sep. 2009
  • The Round 1 data is archived.

What is Luffa?

the chaining of Luffa

Luffa is a new family of hash functions submitted to NIST for their cryptographic hash algorithm competition.

Luffa is a variant of a sponge function proposed by Bertoni et al., whose security is based only on the randomness of the underlying permutation. Different from the original sponge, Luffa uses plural permutations in parallel and a stronger messsage injection function as depicted in the above figure.

Supplemental Information

The list of the newer coming security reports on security analysis, software and hardware implementations will be provided here.

Security Analysis

  • Dai Watanabe, ``How to generate the Sbox of Luffa,'' Early Symmetric Crypto Seminar, ESC2010, January 2010.
  • Dai Watanabe, Yasuo Hatano, Tsuyoshi Yamada, and Toshinobu Kaneko, ``Higher Order Differential Attack on Step-Reduced Variants of Luffa v1,'' Fast Software Encryption, FSE2010, February 2010.
  • Dmitry Khovratovich, Maria Naya-Plasencia, Andrea Roeck, Martin Schlaeffer, ``Cryptanalysis of Luffa v2 components,'' Selected Areas in Cryptography, SAC2010, August 2010.
  • Bart Preneel, Hirotaka Yoshida, and Dai Watanabe, ``Finding Collisions for Reduced Luffa-256 v2,'' (PDF format, 165 kBytes) .

Software Implementations

Luffa-256
Reference Platform Throughput (cycles/byte) Notes
Supporting document Intel Core2 Duo E6600 2400 MHz (64-bit mode) 26.2ANSI C
16.3C+SSE intrinsics
13.3Assembly
Intel Core2 Duo E6600 2400 MHz (32-bit mode) 31.2ANSI C
19.8C+SSE intrinsics
13.8Assembly
ARM ARM926EJ-S (4KB cache) 91.1ANSI C
AVR ATmega9515 (8KB flash memory + 512B RAM) 732.1808B ROM + 134B RAM
Renesas H8/38024F (32KB flash memory + 1KB RAM) 1624.8976B ROM + 144B RAM
Oikawa et al. ATI Radeon HD5750 9272.3 MbpsC + OpenCL, with memory transfer, processing 4096 independent messages
21906.0 MbpsC + OpenCL, without memory transfer, processing 4096 independent messages
NVIDIA GeForce GTX260 25335.0 MbpsC + OpenCL, with memory transfer, processing 6912 independent messages
15053.3 MbpsC + OpenCL, without memory transfer, processing 6912 independent messages
Luffa-384
Reference Platform Throughput (cycles/byte) Notes
Supporting document Intel Core2 Duo E6600 2400 MHz (64-bit mode) 40.2ANSI C
18.5C+SSE intrinsics
15.0Assembly
Intel Core2 Duo E6600 2400 MHz (32-bit mode) 46.7ANSI C
22.3C+SSE intrinsics
15.5Assembly
ARM ARM926EJ-S (4KB cache) 129.5ANSI C
AVR ATmega9515 (8KB flash memory + 512B RAM) 1055.4934B ROM + 166B RAM
Renesas H8/38024F (32KB flash memory + 1KB RAM) 2296.81136B ROM + 176B RAM
Luffa-512
Reference Platform Throughput (cycles/byte) Notes
Supporting document Intel Core2 Duo E6600 2400 MHz (64-bit mode) 55.6ANSI C
31.7C+SSE intrinsics
23.8Assembly
Intel Core2 Duo E6600 2400 MHz (32-bit mode) 64.9ANSI C
36.0C+SSE intrinsics
26.8Assembly
ARM ARM926EJ-S (4KB cache) 169.7ANSI C
AVR ATmega9515 (8KB flash memory + 512B RAM) 1427.01040B ROM + 198B RAM
Renesas H8/38024F (32KB flash memory + 1KB RAM) 3028.81312B ROM + 208B RAM

Hardware Implementations

Luffa-256
Reference Technology Size Throughput Clock frequency Notes
Supporting document ASIC, UMC 0.13 µm 30.8 KGE31960.0 Mbps1124 MHz Fully autonomous, Throughput optimized
19.6 KGE98.7 Mbps344 MHz Fully autonomous, Area optimized
Namin and Hasan ASIC, STM 90 nm 122 KGE25702 Mbps (9.96 ns per 256-bit data processing)100 MHz (9.96 ns delay) Imple. of Luffa v1, Core functionality (A full round processing + output function + I/O registers)
FPGA, Altera Stratix III 16552 ALUT12042 Mbps47 MHz
Knežević and Verbauwhede ASIC, UMC 0.13 µm 18.3 KGE2461.5 Mbps250 MHz Fully autonomous, Area optimized
Tillich et al. ASIC, UMC 0.18 µm 45.0 KGE13741 Mbps483 MHz Fully autonomous, Throughput optimized
Kobayashi et al. FPGA, Xilinx Virtex-5 1048 slices6343 Mbps223 MHz Fully autonomous, Throughput optimized
1002 Mbps Fully autonomous, including communication overheads by proposed interface
Mikami et al. ASIC, TSMC 10.3 KGE538 Mbps806 MHz Fully autonomous, Area optimized
FPGA, Xilinx Virtex-5 548 slices1660 Mbps162 MHz
355 slices33.3 Mbps50 MHz
Luffa-384
Reference Technology Size Throughput Clock frequency Notes
Supporting document ASIC, UMC 0.13 µm 50.1 KGE23126.0 Mbps813 MHz Fully autonomous, Throughput optimized
29.5 KGE73.8 Mbps344 MHz Fully autonomous, Area optimized
Knežević and Verbauwhede ASIC, UMC 0.13 µm 27.1 KGE1882.4 Mbps250 MHz Fully autonomous, Area optimized
Luffa-512
Reference Technology Size Throughput Clock frequency Notes
Supporting document ASIC, UMC 0.13 µm 65.1 KGE19617.0 Mbps690 MHz Fully autonomous, Throughput optimized
39.8 KGE35.2 Mbps344 MHz Area optimized
Knežević and Verbauwhede ASIC, UMC 0.13 µm 37.3 KGE1523.8 Mbps250 MHz Fully autonomous, Area optimized

Trademarks

  • Altera and Stratix are registered trademarks of Altera Corporation in the U.S. and other countries.
  • ARM is a registered trademark and ARM926EJ-S is the name of products of ARM Limited in the United States and/or other countries.
  • ATI Radeon is a name of products of Advanced Micro Devices, Inc. in the United States and/or other countries.
  • Atmel and AVR are registered trademarks of Atmel Corporation in the United States and/or other countries.
  • Intel is a registered trademark and Core is the name of products of Intel Corporation in the U.S. and other countries.
  • NVIDIA and GeForce are registered trademarks of NVIDIA Corporation in the United States and/or other countries.
  • OpenCL is a name of products of Apple Inc. in the United States and/or other countries.
  • Renesas and H8 are registered trademarks of Renesas Technology Corporation in the United States and/or other countries.
  • TSMC is a registered trademark of TSMC, Ltd. in Taiwan and other countries/regions.
  • Xilinx and Virtex are registered trademarks of Xilinx, Inc. in the United States and other countries.