In this work, we analyze keyed-hashing modes with respect to collision resistance in a blinded keyed hashing model for the attacker in both serial and parallel constructions to do compression functions in cryptography.
The serial construction is used in CBC-MAC for blockcipher-based or DonkeySponge for Permutation-based, while the parallel one is used in P-MAC (blockcipher-based) or Farfalle (Permutation-based).
We try to obtain collisions in this setting by using differential trails existing in the inner permutation (or underlying blockcipher). Eventually, we mount two different attack strategies for both constructions, by using a single trail core. Our attack takes use of a huge set of trails, all sharing the same trail core.
More precisely, the expected number of inputs that we need to take into account for finding a collision is 2^W where W is defined as the sum of the weoghts of the round differentials starting from the 2nd round and where the weight of the last round is divided by 2. Also, in the case of the parallel construction, W is twice as large as in the case of the serial construction.
So in the case of a collision attack based on a single trail core, under reasonable assumptions the parallel construction offers twice the security level than the serial construction.
This is joint work with Joan Daemen and Jonathan Fuchs.