Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics."— Presentation transcript:

1 Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics

2 Fast Software Encryption 2007 2 Outline Introduction Structure of a collision in P ANAMA Properties of the non-linear function Transferring equations Backtracking cost Producing the collision Conclusion

3 Fast Software Encryption 2007 3 Structure of P ANAMA Chaining value (CV) Starts from 0 Iterate with input blocks CV size > input block size ( l i ) Do blank iterations Iterate with output blocks Output mapping Collision in the CV → collision Blank iterations make it difficult otherwise

4 Fast Software Encryption 2007 4 Collision in the chaining value Differential trail input differences CV differences Collision differential trail Initial CV difference = 0 Final CV difference = 0

5 Fast Software Encryption 2007 5 Inside P ANAMA = state + buffer

6 Fast Software Encryption 2007 6 Shape of the differential Buffer collisions Atom Rijmen et al. Our attack State injection Five instances of … sub-collisions

7 Fast Software Encryption 2007 7 Sub-collision in state Two-round differential trail completely determined by 3-block input difference sequence State difference Two differentials over 

8 Fast Software Encryption 2007 8 P ANAMA’s state updating function ½

9 Fast Software Encryption 2007 9 Differential over ° a 0 =0 a 1 =1 a 9 =1 a 10 +a 11 =0 a 11 +a 12 =1 a 12 =0

10 Fast Software Encryption 2007 10 Differential over ° Given differential ( a ', c ' ) Linear conditions on the absolute value a Simple condition (1 bit) or parity conditions (2 bits) Location of conditions only determined by a ' Number of conditions is w(a ' ), weight of a '

11 Fast Software Encryption 2007 11 Transferring conditions Immediate satisfaction Bridge

12 Fast Software Encryption 2007 12 Counting conditions and degrees of freedom w(a ' )-8

13 Fast Software Encryption 2007 13 The backtracking cost w(a')w(a')w(a ' )-8 0-8 0 0 124 91 146 6-2 2-6 113 91 0-8 max ∑ w(a ' )-8

14 Fast Software Encryption 2007 14 Bridging

15 Fast Software Encryption 2007 15 Dependency removal

16 Fast Software Encryption 2007 16 Producing the collision Choose a differential Least number of conditions to be bridged Work out the equations Immediate satisfaction Bridges Dependencies Finally, it takes 35 input blocks 30 bridges So a total of 65 evaluations of the round function

17 Fast Software Encryption 2007 17 Conclusion P ANAMA hash function is broken Source file to generate collisions available The way forward: R ADIO G ATÚN Feedback from state to buffer Lower number of input words per round Backtracking cost Ongoing http://radiogatun.noekeon.org/panama

Download ppt "Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
3- 1 Chapter 3 Introduction to Numerical Methods Second-order polynomial equation: analytical solution (closed-form solution): For many types of problems,

3- 1 Chapter 3 Introduction to Numerical Methods Second-order polynomial equation: analytical solution (closed-form solution): For many types of problems,
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.
1 Nonlinear Control Design for LDIs via Convex Hull Quadratic Lyapunov Functions Tingshu Hu University of Massachusetts, Lowell.

1 Nonlinear Control Design for LDIs via Convex Hull Quadratic Lyapunov Functions Tingshu Hu University of Massachusetts, Lowell.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?

Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Motion Analysis (contd.) Slides are from RPI Registration Class.

Motion Analysis (contd.) Slides are from RPI Registration Class.
Information Security and Management 11

Information Security and Management 11
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Quantum Algorithms II Andrew C. Yao Tsinghua University & Chinese U. of Hong Kong.

Quantum Algorithms II Andrew C. Yao Tsinghua University & Chinese U. of Hong Kong.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
By Hrishikesh Gadre Session I Introduction to EES Department of Mechanical Engineering Louisiana State University Engineering Equation.

By Hrishikesh Gadre Session I Introduction to EES Department of Mechanical Engineering Louisiana State University Engineering Equation.

Similar presentations

Ads by Google