
Producing collisions for PANAMA, instantaneously



  1. Producing collisions for PANAMA, instantaneously
     Joan Daemen and Gilles Van Assche, STMicroelectronics
     Fast Software Encryption 2007

  2. Outline
     • Introduction
     • Structure of a collision in PANAMA
     • Properties of the non-linear function
     • Transferring equations
     • Backtracking cost
     • Producing the collision
     • Conclusion

  3. Structure of PANAMA
     • Chaining value (CV)
     • Starts from 0
     • Iterate with input blocks
     • CV size > input block size (l_i)
     • Do blank iterations
     • Iterate with output blocks
     • Output mapping
     • Collision in the CV → collision
     • Blank iterations make it difficult otherwise
     [Figure labels: 0, Input block, Round, Blank iterations, Output block]

  4. Collision in the chaining value
     • Differential trail
     • input differences p′
     • CV differences t′
     • Collision differential trail
     • Initial CV difference = 0
     • Final CV difference = 0
     [Figure labels: s′, p′, t′, DP Round]

  5. Inside PANAMA = state + buffer
     [Figure labels: LFSR, Input, Buffer, State, Non-linear function ρ]

  6. Shape of the differential
     • Buffer collisions
     • Atom
     • Rijmen et al.
     • Our attack
     • State injection
     • Five instances of …
     • sub-collisions
     [Figure labels: Buffer, Input (three panels)]

  7. Sub-collision in state
     • Two-round differential trail
     • completely determined by ρ
     • 3-block input difference sequence
     • State difference
     • Two differentials over ρ
     [Figure labels: p′1, V′, p′2, W′, ρ, p′3]

  8. PANAMA’s state updating function ρ
     [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16]

  9. PANAMA’s state updating function ρ
     [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16]

  10. Differential over γ
      [Figure labels: a, a + a′, a′, γ, c′]

  11. Differential over γ
      Conditions: a_0 = 0, a_2 = 1, a_9 = 1, a_10 + a_11 = 1, a_11 + a_12 = 1, a_13 = 0
      [Figure labels: a, a + a′, a′, γ, c′]

  12. Differential over γ
      Conditions: a_0 = 0, a_2 = 1, a_9 = 1, a_10 + a_11 = 1, a_11 + a_12 = 1, a_13 = 0
      [Figure labels: a, a + a′, a′, γ, c′]

  13. Differential over γ
      • Given differential (a′, c′)
      • Linear conditions on the absolute value a
      • Simple condition (1 bit) or parity conditions (2 bits)
      • Location of conditions only determined by a′
      • Number of conditions is w(a′), weight of a′

  14. Transferring conditions
      [Figure labels: p^(j−1), a^(j−1), Bridge, Immediate satisfaction, p^(j), a^(j)]

  15. Counting conditions and degrees of freedom
      [Figure labels: w(a′) − 8, repeated four times]

  16. The backtracking cost
      [Figure labels: s′, p′, t′, DP Round; max ∑ w(a′) − 8]
      w(a′):       0   0   0  12   9  14   6   2  11   9   0
      w(a′) − 8:  −8  −8  −8   4   1   6  −2  −6   3   1  −8

  17. Bridging
      [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16]

  18. Dependency removal
      [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16]

  19. Dependency removal
      [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16; steps marked 1, 2, 3]

  20. Dependency removal
      [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16; a_4 = 0]

  21. Dependency removal
      [Figure: state words a_0 … a_16 pass through γ, π and θ to give A_0 … A_16; a_2 = 1, a_4 = 0]

  22. Producing the collision
      • Choose a differential
      • Least number of conditions to be bridged
      • Work out the equations
      • Immediate satisfaction
      • Bridges
      • Dependencies
      • Finally, it takes
      • 35 input blocks
      • 30 bridges
      • So a total of 65 evaluations of the round function

  23. Conclusion
      • PANAMA hash function is broken
      • Source file to generate collisions available
      • The way forward: RADIOGATÚN
      • Feedback from state to buffer
      • Lower number of input words per round
      • Backtracking cost
      • Ongoing
      http://radiogatun.noekeon.org/panama
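
The property stated on slides 10–13 (for a fixed input difference a′, a differential over γ holds exactly when a satisfies linear conditions whose location depends only on a′), checked on one 17-bit slice of the state. This is an added example, not the authors' collision source file: the definition of γ is taken from the PANAMA specification, the input difference is inferred from the conditions listed on slides 11–12, and all function names are illustrative.

```python
N = 17                      # 17 state words; one bit position across them is a 17-bit slice
MASK = (1 << N) - 1

def ror(x, k):
    """Bit i of the result is bit (i + k) mod 17 of x."""
    return ((x >> k) | (x << (N - k))) & MASK

def gamma(a):
    """gamma on one slice (PANAMA specification): c_i = a_i ^ (a_{i+1} | ~a_{i+2})."""
    return a ^ (ror(a, 1) | (~ror(a, 2) & MASK))

def conditions(da):
    """Linear forms in a (bit masks) that a differential with input difference da fixes.
    c'_i = a'_i + a'_{i+2} + a'_{i+1}a'_{i+2} + a'_{i+2}a_{i+1} + a'_{i+1}a_{i+2} (mod 2),
    so bit i constrains a_{i+1}, a_{i+2} or their parity, as selected by a' alone."""
    forms = []
    for i in range(N):
        m = 0
        if da >> ((i + 2) % N) & 1:
            m |= 1 << ((i + 1) % N)
        if da >> ((i + 1) % N) & 1:
            m |= 1 << ((i + 2) % N)
        if m:
            forms.append(m)
    return forms

def rank_gf2(forms):
    """Number of linearly independent conditions (elimination over GF(2))."""
    basis = []
    for f in forms:
        for b in basis:
            f = min(f, f ^ b)
        if f:
            basis.append(f)
    return len(basis)

def followers(da, dc):
    """Brute force: number of slice values a for which da propagates to dc."""
    return sum(1 for a in range(1 << N) if gamma(a) ^ gamma(a ^ da) == dc)

def show(form):
    return " + ".join(f"a{i}" for i in range(N) if form >> i & 1)

# Assumed input difference: active bits 1, 10, 11, 12 (inferred from slides 11-12).
DA = 1 << 1 | 1 << 10 | 1 << 11 | 1 << 12

if __name__ == "__main__":
    print(sorted(show(f) for f in conditions(DA)), rank_gf2(conditions(DA)))
    print(followers(DA, gamma(0) ^ gamma(DA)) == 1 << (N - rank_gf2(conditions(DA))))
```

When two active runs of a′ are separated by a single inactive bit, two output bits fix the same input bit, which is why the brute-force count is compared against the rank of the forms rather than their number.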
