, Producing collisions for P ANAMA , instantaneously - - PowerPoint PPT Presentation

Fast Software Encryption 2007

1

Producing collisions for P Producing collisions for PANAMA

ANAMA,

, instantaneously instantaneously

Joan Daemen and Gilles Van Assche

STMicroelectronics

Fast Software Encryption 2007

2

Outline Outline

• Introduction
• Structure of a collision in PANAMA
• Properties of the non-linear function
• Transferring equations
• Backtracking cost
• Producing the collision
• Conclusion

Fast Software Encryption 2007

3

Structure of P Structure of PANAMA

ANAMA

• Chaining value (CV)
• Starts from 0
• Iterate with input blocks
• CV size > input block size (li)
• Do blank iterations
• Iterate with output blocks
• Output mapping
• Collision in the CV → collision
• Blank iterations make it difficult otherwise

Input block Round Input block Round ... Round Round Output block Round Output block ... Blank iterations

Fast Software Encryption 2007

4

Collision in the chaining value Collision in the chaining value

• Differential trail
• input differences
• CV differences
• Collision differential trail
• Initial CV difference = 0
• Final CV difference = 0

s0

p0

Round ... DP

t0 s0

Round DP

t0 s0

Round DP

t0 s0

p0 p0

Fast Software Encryption 2007

5

Inside P Inside PANAMA = state + buffer

ANAMA = state + buffer

LFSR Non-linear function ½ Input State

Buffer

Fast Software Encryption 2007

6

Buffer Input

Shape of the differential Shape of the differential

• Buffer collisions
• Atom
• Rijmen et al.
• Our attack
• State injection
• Five instances of …
• sub-collisions

Buffer Input Buffer Input

Fast Software Encryption 2007

7

Sub-collision in state Sub-collision in state

• Two-round differential trail
• completely determined by
• 3-block input difference

sequence

• State difference
• Two differentials over ρ

½ ½

p’1 p’2 p’3 V’ W’

Fast Software Encryption 2007

8

P PANAMA’s state updating function

ANAMA’s state updating function ½

½

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 15 21 28 4 13 23 2 14 27 9 24 8

Fast Software Encryption 2007

9

P PANAMA’s state updating function

ANAMA’s state updating function ½

½

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 15 21 28 4 13 23 2 14 27 9 24 8

Fast Software Encryption 2007

10

Differential over Differential over °

°

1 1 1 1

a0

°

1 1 1 1

c0 a a+a0

Fast Software Encryption 2007

11

Differential over Differential over °

°

a0=0 a2=1 a9=1 a10+a11=1 a11+a12=1 a13=0

1 1 1 1

a0

°

1 1 1 1

c0 a a+a0

1 1 1 1

a0

°

1 1 1 1

c0 a a+a0

Fast Software Encryption 2007

12

Differential over Differential over °

°

a0=0 a2=1 a9=1 a10+a11=1 a11+a12=1 a13=0

1 1 1 1

a0

°

1 1 1 1

c0 a a+a0

1 1 1 1

a0

°

1 1 1 1

c0 a a+a0

1 1 1 1 1

…

1 1 1 1 1 1

…

1 1 1 1 1 1

…

1 1 1 1 1 1

…

1

Fast Software Encryption 2007

13

Differential over Differential over °

°

• Given differential (a', c')
• Linear conditions on the absolute value a
• Simple condition (1 bit) or parity conditions (2 bits)
• Location of conditions only determined by a'
• Number of conditions is w(a '), weight of a'

Fast Software Encryption 2007

14

Transferring conditions Transferring conditions

a(j) p(j) a(j{1) p(j{1)

Immediate satisfaction Bridge

Fast Software Encryption 2007

15

Counting conditions and Counting conditions and degrees of freedom degrees of freedom

w(a')-8 w(a')-8 w(a')-8 w(a')-8

Fast Software Encryption 2007

16

The backtracking cost The backtracking cost

• 8

1 9 3 11

• 6

2

• 2

6 6 14 1 9 4 12

• 8
• 8
• 8

w(a')-8 w(a')

max ∑ w(a')-8

s0

p0

Round ... DP

t0 s0

Round DP

t0 s0

Round DP

t0 s0

p0 p0

Fast Software Encryption 2007

17

Bridging Bridging

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A14 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 15 21 28 4 13 23 2 14 27 9 24 8

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 15 21 28 4 13 23 2 14 27 9 8

A14

24

Fast Software Encryption 2007

18

Dependency removal Dependency removal

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 21 28 4 13 2 14 27 9 8

A14

23 15 24

Fast Software Encryption 2007

19

Dependency removal Dependency removal

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4 a5 a6 a7 a8 A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 21 28 4 13 2 14 27 9 8

A14

23 15 24

1 3 2

Fast Software Encryption 2007

20

Dependency removal Dependency removal

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2 a3 a4=0 a5 a6 a7 a8 A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 21 28 4 13 23 2 14 27 9 8

A14

24 15

Fast Software Encryption 2007

21

Dependency removal Dependency removal

° ¼ µ

a9 a10 a11 a12 a13 a14 a15 a16 a0 a1 a2=1 a3 a5 a6 a7 a8 A9 A10 A11 A12 A13 A15 A16 A0 A1 A2 A3 A5 A4 A6 A7 A8

1 3 6 10 15 21 28 4 13 23 2 14 27 9 8

A14

24

a4=0

Fast Software Encryption 2007

22

Producing the collision Producing the collision

• Choose a differential
• Least number of conditions to be bridged
• Work out the equations
• Immediate satisfaction
• Bridges
• Dependencies
• Finally, it takes
• 35 input blocks
• 30 bridges
• So a total of 65 evaluations of the round function

Fast Software Encryption 2007

23

Conclusion Conclusion

• PANAMA hash function is broken
• Source file to generate collisions available
• The way forward: RADIOGATÚN
• Feedback from state to buffer
• Lower number of input words per round
• Backtracking cost
• Ongoing

http://radiogatun.noekeon.org/panama