Collisions on Permutations-based cryptography

In order to build MAC (Message Authentication Code) using a permutation, two main strategies face each other: the serial strategy (Sponge) and the parallel strategy (Farfalle). In this talk, we study precisely how to use differential trails in order to get collisions on MAC. We compare both design rationale, in order to analyze more in depth the underlying security of such constructions. Our goal consist to concretely evaluate the cost of collision search algorithms. We try to understand which strategy is optimal in term of performance and security.