Fast Software Encryption 20071
Producing collisions for PProducing collisions for PANAMAANAMA,, instantaneouslyinstantaneously
Joan Daemen and Gilles Van Assche
STMicroelectronics
Fast Software Encryption 20072
OutlineOutline
• Introduction• Structure of a collision in PANAMA• Properties of the non-linear function• Transferring equations• Backtracking cost• Producing the collision• Conclusion
Fast Software Encryption 20073
Structure of PStructure of PANAMAANAMA
• Chaining value (CV)• Starts from 0
• Iterate with input blocks• CV size > input block size (li)
• Do blank iterations• Iterate with output blocks
• Output mapping• Collision in the CV → collision
• Blank iterations make it difficult otherwise
0
Input block
Round
Input block
Round
...
Round
Round
Output block
Round
Output block
...
Blank iterations
Fast Software Encryption 20074
Collision in the chaining valueCollision in the chaining value
• Differential trail• input differences• CV differences
• Collision differential trail• Initial CV difference = 0• Final CV difference = 0
s0
p0
Round
...
DP
t0
s0
RoundDP
t0
s0
RoundDP
t0
s0
p0
p0
Fast Software Encryption 20075
Inside PInside PANAMA = state + bufferANAMA = state + buffer
LFSR
Non-linear function ½
Input
State
Buffer
Fast Software Encryption 20076
BufferInput
Shape of the differentialShape of the differential
• Buffer collisions• Atom• Rijmen et al.• Our attack
• State injection• Five instances of …• sub-collisions
BufferInput
BufferInput
Fast Software Encryption 20077
Sub-collision in stateSub-collision in state
• Two-round differential trail• completely determined by
• 3-block input difference sequence
• State difference • Two differentials over ρ
½
½
p’1
p’2
p’3
V’
W’
Fast Software Encryption 20078
PPANAMA’s state updating function ANAMA’s state updating function ½½
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 24 8
Fast Software Encryption 20079
PPANAMA’s state updating function ANAMA’s state updating function ½½
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 24 8
Fast Software Encryption 200710
Differential over Differential over °°
1 1 1 1a0
°
1 1 1 1c0
aa+a0
Fast Software Encryption 200711
Differential over Differential over °°a0=0
a2=1
a9=1
a10+a11=1
a11+a12=1
a13=0
1 1 1 1a0
°
1 1 1 1c0
aa+a0
1 1 1 1a0
°
1 1 1 1c0
aa+a0
Fast Software Encryption 200712
Differential over Differential over °°a0=0
a2=1
a9=1
a10+a11=1
a11+a12=1
a13=0
1 1 1 1a0
°
1 1 1 1c0
aa+a0
1 1 1 1a0
°
1 1 1 1c0
aa+a0
11111…
1
11111…
1
11111…
1
11111…
1
Fast Software Encryption 200713
Differential over Differential over °°
• Given differential (a', c')• Linear conditions on the absolute value a
• Simple condition (1 bit) or parity conditions (2 bits)• Location of conditions only determined by a'• Number of conditions is w(a '), weight of a'
Fast Software Encryption 200714
Transferring conditionsTransferring conditions
a(j)
p(j)
a(j{1)
p(j{1)
Immediate satisfaction
Bridge
Fast Software Encryption 200715
Counting conditions and Counting conditions and degrees of freedomdegrees of freedom
w(a')-8
w(a')-8
w(a')-8
w(a')-8
Fast Software Encryption 200716
The backtracking costThe backtracking cost
-8019311
-62-2661419412
-80-80-80
w(a')-8w(a')
max ∑ w(a')-8
s0
p0
Round
...
DP
t0
s0
RoundDP
t0
s0
RoundDP
t0
s0
p0
p0
Fast Software Encryption 200717
BridgingBridging
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 24 8
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 8
A14
24
Fast Software Encryption 200718
Dependency removalDependency removal
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 21 28 413 2 14 27 9 8
A14
23
1524
Fast Software Encryption 200719
Dependency removalDependency removal
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 21 28 413 2 14 27 9 8
A14
23
1524
1
32
Fast Software Encryption 200720
Dependency removalDependency removal
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4=0 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 21 28 413 23 2 14 27 9 8
A14
24
15
Fast Software Encryption 200721
Dependency removalDependency removal
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2=1 a3 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 8
A14
24
a4=0
Fast Software Encryption 200722
Producing the collisionProducing the collision
• Choose a differential• Least number of conditions to be bridged
• Work out the equations• Immediate satisfaction• Bridges• Dependencies
• Finally, it takes• 35 input blocks• 30 bridges• So a total of 65 evaluations of the round function
Fast Software Encryption 200723
ConclusionConclusion
• PANAMA hash function is broken• Source file to generate collisions available
• The way forward: RADIOGATÚN• Feedback from state to buffer• Lower number of input words per round• Backtracking cost• Ongoing
http://radiogatun.noekeon.org/panama
Top Related