Embed Size (px)
Citation preview
Fast Software Encryption 2007
1
Producing collisions for PProducing collisions for PANAMAANAMA,, instantaneouslyinstantaneously
Joan Daemen and Gilles Van Assche
STMicroelectronics
Fast Software Encryption 2007
2
OutlineOutline
• Introduction• Structure of a collision in PANAMA
• Properties of the non-linear function• Transferring equations• Backtracking cost• Producing the collision• Conclusion
Fast Software Encryption 2007
3
Structure of PStructure of PANAMAANAMA
• Chaining value (CV)• Starts from 0
• Iterate with input blocks• CV size > input block size (li)
• Do blank iterations• Iterate with output blocks
• Output mapping
• Collision in the CV → collision• Blank iterations make it difficult otherwise
0
Input block
Round
Input block
Round
...
Round
Round
Output block
Round
Output block
...
Blank iterations
Fast Software Encryption 2007
4
Collision in the chaining valueCollision in the chaining value
• Differential trail• input differences• CV differences
• Collision differential trail• Initial CV difference = 0• Final CV difference = 0
s0
p0
Round
...
DPt0
s0
RoundDPt0
s0
RoundDPt0
s0
p0
p0
Fast Software Encryption 2007
5
Inside PInside PANAMA = state + bufferANAMA = state + buffer
LFSR
Non-linear function ½
Input
State
Buffer
Fast Software Encryption 2007
6
BufferInput
Shape of the differentialShape of the differential
• Buffer collisions• Atom• Rijmen et al.• Our attack
• State injection• Five instances of …• sub-collisions
BufferInput
BufferInput
Fast Software Encryption 2007
7
Sub-collision in stateSub-collision in state
• Two-round differential trail• completely determined by
• 3-block input difference sequence
• State difference
• Two differentials over
½
½
p’1
p’2
p’3
V’
W’
Fast Software Encryption 2007
8
PPANAMA’s state updating function ANAMA’s state updating function ½½
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 24 8
Fast Software Encryption 2007
9
Differential over Differential over °°a0=0a1=1a9=1a10+a11=0a11+a12=1a12=0
1 1 1 1a0
°1 1 1 1c0
aa+a0
1 1 1 1a0
°1 1 1 1c0
aa+a0
11111…
1
11111…
1
11111…
1
11111…
1
Fast Software Encryption 2007
10
Differential over Differential over °°
• Given differential (a', c')• Linear conditions on the absolute value a
• Simple condition (1 bit) or parity conditions (2 bits)
• Location of conditions only determined by a'• Number of conditions is w(a '), weight of a'
Fast Software Encryption 2007
11
Transferring conditionsTransferring conditions
a(j )
p(j )
a(j{1)
p(j{1)
a(j )
p(j )
a(j{1)
p(j{1)
a(j )
p(j )
a(j{1)
p(j{1)
Immediate satisfaction
Bridge
Fast Software Encryption 2007
12
Counting conditions and Counting conditions and degrees of freedomdegrees of freedom
w(a')-8
w(a')-8
w(a')-8
w(a')-8
Fast Software Encryption 2007
13
The backtracking costThe backtracking cost
w(a') w(a')-80 -8
0 -8
0 -8
12 4
9 1
14 6
6 -2
2 -6
11 3
9 1
0 -8
max ∑ w(a')-8
s0
p0
Round
...
DPt0
s0
RoundDPt0
s0
RoundDPt0
s0
p0
p0
Fast Software Encryption 2007
14
BridgingBridging
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 24 8
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 8
A14
24
Fast Software Encryption 2007
15
Dependency removalDependency removal
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 8
A14
24
0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 21 28 413 2 14 27 9 8
A14
23
1524 0
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4=0 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 21 28 413 23 2 14 27 9 8
A14
24
150
°
¼
µ
a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2=1 a3 a5 a6 a7 a8
A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5A4 A6 A7 A8
1 3 6 10 15 21 28 413 23 2 14 27 9 8
A14
24
a4=0
1
32
Fast Software Encryption 2007
16
Producing the collisionProducing the collision
• Choose a differential• Least number of conditions to be bridged
• Work out the equations• Immediate satisfaction• Bridges• Dependencies
• Finally, it takes• 35 input blocks• 30 bridges• So a total of 65 evaluations of the round function
Fast Software Encryption 2007
17
ConclusionConclusion
• PANAMA hash function is broken• Source file to generate collisions available
• The way forward: RADIOGATÚN
• Feedback from state to buffer• Lower number of input words per round• Backtracking cost• Ongoing
http://radiogatun.noekeon.org/panama
