
# Modified Panama

Having noted that in the cryptographic primitive Panama a differential attack looks as if it only just misses being possible, I have taken the liberty of proposing a variant with a few modifications (so don't blame Joan Daemen if, instead of making it more secure, I've ruined it). The variant is described below:

The state transition function is modified:

The first thing I propose to do is to XOR words 0 through 7 of the state with words 9 through 16 of the state. The least significant three bits of word 8 of the state determine which of words 9 through 16 is XORed with word 0; the remaining pairings proceed in succession, cyclically, from that point. Because data in the state thus controls how the state is mixed, this produces what I call "deep nonlinearity".

In Push cycles only, the word of the state that was XORed with word 9 of the state is also XORed with word 8 of the state. This makes the state transition function not invertible, which prevents recovery of the key from the state. This is not appropriate for Pull cycles, since it may lead to short cycling of the state transition function; but Push cycles are limited in number. Note that the direction of this XOR matters: the step is non-invertible only if the result lands in word 8, the selector, because the rotation used in the preceding step can then no longer be read off the output and the map becomes many-to-one (some outputs have no preimage, others several). If word 8 is left unchanged and merely XORed into the selected word, every word it controls can be recovered and the step remains a bijection.
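To make the invertibility question concrete, here is an added Python model of just the proposed pre-step on seventeen 32-bit words; it is not code from this page or from the Panama designers, and it deliberately omits Panama's own nonlinearity, bit dispersion, diffusion and buffer injection steps, which are bijections and do not change the answer. Both readings of the Push-cycle feedback XOR are modelled under a flag (`feedback_into_selector`), since the text does not fix the direction; the state values, including the colliding pair and the unreachable output, are constructed for the demonstration and are not taken from the page.

```python
"""
Toy model of the proposed pre-mixing step of Modified Panama, used to check
the claim that the Push-only feedback into word 8 makes the step non-invertible.
Only the new step is modelled, on 17 words of 32 bits; Panama's own
nonlinearity, dispersion, diffusion and buffer injection are left out because
they are bijections and do not affect the question.  Added example, not code
from the page; the direction of the feedback XOR is a modelling assumption.
"""
import random


def mix_step(state, push, feedback_into_selector):
    """Apply the proposed pre-step to a 17-word state and return the new state.

    Words 0..7 are XORed with words 9..16, starting at the word selected by
    the low three bits of word 8 and continuing cyclically.  In a Push cycle
    the word that received word 9 is then combined with word 8; the text does
    not say which way that XOR goes, so both readings are available:
      feedback_into_selector=False : word_i ^= word_8   (word 8 unchanged)
      feedback_into_selector=True  : word_8 ^= word_i   (selector overwritten)
    """
    s = list(state)
    r = s[8] & 7
    for k in range(8):
        s[k] ^= state[9 + ((k + r) & 7)]
    if push:
        i = (-r) & 7            # index of the word that was XORed with word 9
        if feedback_into_selector:
            s[8] ^= s[i]
        else:
            s[i] ^= s[8]
    return s


def preimages(out, feedback_into_selector):
    """Return every state that mix_step(state, True, feedback_into_selector)
    maps onto `out`.

    Words 9..16 pass through untouched, so the only unknown is the rotation r
    (and, when the selector is overwritten, word 8 itself).  Trying all eight
    values of r and keeping the self-consistent ones enumerates all preimages;
    each candidate is confirmed by running the step forward.
    """
    found = []
    for r in range(8):
        i = (-r) & 7
        s = list(out)
        if feedback_into_selector:
            s[8] = out[8] ^ out[i]        # undo word_8 ^= word_i
            if (s[8] & 7) != r:           # recovered selector must yield this r
                continue
        else:
            if (out[8] & 7) != r:         # word 8 is intact, so r is known
                continue
            s[i] ^= out[8]                # undo word_i ^= word_8
        for k in range(8):                # undo the rotated XOR
            s[k] ^= out[9 + ((k + r) & 7)]
        if mix_step(s, True, feedback_into_selector) == list(out):
            found.append(s)
    return found


def collision_example():
    """A constructed input whose output, under the selector-overwrite variant,
    has two distinct preimages (values chosen here, not taken from the page).

    Words 9..16 all have low bits 0b101, so for every candidate rotation but
    r=1 the recovered word 8 says r=0; r=1 also passes because word 7 is 1
    and flips exactly the low bit.  Returns (input_state, output_state).
    """
    a = [0] * 17
    a[7] = 1
    a[8] = 0x10                           # low three bits 0: rotation 0
    a[9:17] = [0xDEADBEED, 0x12345675, 0xCAFEBABD, 0x0BADF00D,
               0x600DF00D, 0x7777777D, 0x00000005, 0xFFFFFFFD]
    return a, mix_step(a, True, True)


def orphan_output():
    """A constructed output that no input reaches under the selector-overwrite
    variant: word 0 is 1 and words 1..8 are 0, so every candidate rotation
    recovers a word 8 whose low bits disagree with it."""
    return [1] + [0] * 8 + [0x11111111, 0x22222222, 0x33333333, 0x44444444,
                            0x55555555, 0x66666666, 0x77777777, 0x88888888]


def preimage_histogram(feedback_into_selector, trials=500, seed=1):
    """Count how many preimages the outputs of random states have.
    A bijection gives {1: trials}; a many-to-one map shows counts above 1."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(trials):
        s = [rng.getrandbits(32) for _ in range(17)]
        n = len(preimages(mix_step(s, True, feedback_into_selector),
                          feedback_into_selector))
        hist[n] = hist.get(n, 0) + 1
    return hist


if __name__ == "__main__":
    a, out = collision_example()
    print("preimages of the constructed output (word 8 of each):",
          [hex(p[8]) for p in preimages(out, True)])
    print("orphan output has", len(preimages(orphan_output(), True)), "preimages")
    print("histogram, word 8 intact:     ", preimage_histogram(False))
    print("histogram, selector rewritten:", preimage_histogram(True))
```

Running it shows the two behaviours side by side: with word 8 left intact every output has exactly one preimage, while with word 8 overwritten the constructed output has two preimages (word 8 equal to 0x10 and 0x21524101), the orphan output has none, and random states produce a spread of preimage counts. Only the selector-overwrite reading achieves the non-invertibility the design relies on.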

Then, one proceeds with the normal nonlinearity and bit dispersion steps.

An extra buffer injection step is added. This also makes it even more difficult to trace words through the state transition function.

Then, the regular diffusion and buffer injection steps take place.

The output from the state transition function is modified. During Pull cycles, the first eight words of the state are XORed into the buffer at the start, as before. During Push cycles, words 9 through 16 are also used; this does not seem to be excessively revealing of the state, and increases the speed of diffusion in the buffer.

During Pull cycles, the output is now only one word, and that word is the XOR of two words in the state, chosen by other bits of word 8. Limiting the output to one word changes the basic security of Panama from that of two rounds of the state transition function to that of sixteen rounds. Outputting the XOR of two unknown words further reduces the usefulness of the output for determining the internal state of the buffer.

Because of the enhanced diffusion and the noninvertibility of the Push cycle, instead of using 32 blank Pull cycles, I propose replacing the blank Pull cycles with blank Push cycles, in which an all-zero block is Pushed into the system.
