The design of Xoodoo and Xoofff

This paper presents Xoodoo, a 48-byte cryptographic permutation with excellent propagation properties. Its design approach is inspired by Keccak-p, while it is dimensioned like Gimli for efficiency on low-end processors. The structure consists of three planes of 128 bits each, which interact per 3-bit columns through mixing and nonlinear operations, and which otherwise move as three independent rigid objects. We analyze its differential and linear propagation properties and, in particular, prove lower bounds on the weight of trails using the tree search-based technique of Mella et al. (ToSC 2017). Xoodoo’s primary target application is in the Farfalle construction that we instantiate for the doubly-extendable cryptographic keyed (or deck) function Xoofff. Combining a relatively narrow permutation with the parallelism of Farfalle results in very efficient schemes on a wide range of platforms, from low-end devices to high-end processors with vector instructions.
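The per-column interaction mentioned above is what fixes the propagation weight of a single round, so it is worth seeing concretely. As an added example (not code from the paper), the script below tabulates the differential and linear propagation of the nonlinear column step χ by brute force; it assumes the public Xoodoo definition of χ on a 3-bit column, b_y = a_y XOR (NOT a_{y+1} AND a_{y+2}) with indices mod 3, which the abstract itself does not spell out.

```python
# Added example (not code from the paper): brute-force differential and linear
# propagation weights of Xoodoo's nonlinear column step chi.
#
# Assumption: chi acts on each 3-bit column (one bit a_y from plane y, y = 0,1,2)
# as b_y = a_y XOR (NOT a_{y+1} AND a_{y+2}), indices mod 3. That is the public
# Xoodoo definition; the abstract only says the planes interact per 3-bit column.
from math import log2

def chi_column(a: int) -> int:
    """chi on one 3-bit column; bit y of `a` holds the bit from plane y."""
    bits = [(a >> y) & 1 for y in range(3)]
    out = 0
    for y in range(3):
        out |= (bits[y] ^ ((bits[(y + 1) % 3] ^ 1) & bits[(y + 2) % 3])) << y
    return out

CHI = [chi_column(a) for a in range(8)]  # the 3-bit column map as an S-box table

def parity(x: int) -> int:
    return bin(x).count("1") & 1

def ddt(sbox):
    """ddt[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            t[din][sbox[x] ^ sbox[x ^ din]] += 1
    return t

def lat(sbox):
    """lat[u][v] = sum over x of (-1)^(u.x XOR v.S(x)); the correlation is lat/n."""
    n = len(sbox)
    return [[sum((-1) ** (parity(u & x) ^ parity(v & sbox[x])) for x in range(n))
             for v in range(n)] for u in range(n)]

def differential_weights(sbox):
    """Restriction weight -log2(DP) of every compatible (din, dout) with din != 0."""
    n = len(sbox)
    return {(d, e): -log2(c / n) for d, row in enumerate(ddt(sbox)) if d
            for e, c in enumerate(row) if c}

def linear_weights(sbox):
    """Correlation weight -log2(C^2) of every (u, v) with nonzero correlation, u != 0."""
    n = len(sbox)
    return {(u, v): -log2((c / n) ** 2) for u, row in enumerate(lat(sbox)) if u
            for v, c in enumerate(row) if c}

if __name__ == "__main__":
    dw, lw = differential_weights(CHI), linear_weights(CHI)
    print("chi table:", CHI, "involution:", all(CHI[CHI[a]] == a for a in range(8)))
    print("compatible output differences per nonzero input difference:",
          sorted({sum(1 for (d, _) in dw if d == din) for din in range(1, 8)}))
    print("differential weights:", sorted(set(dw.values())),
          "linear weights:", sorted(set(lw.values())))
```

Every nonzero column difference (or mask) is compatible with exactly four output differences (or masks), each at weight 2, which is the per-column quantity a trail-weight bound of the kind the abstract mentions sums over active columns.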

[1]  Vincent Rijmen et al. The Design of Rijndael: AES - The Advanced Encryption Standard, 2002.

[2]  Daniel J. Bernstein et al. The Salsa20 Family of Stream Ciphers, 2008, The eSTREAM Finalists.

[3]  Jérémy Jean et al. Key-Recovery Attacks on Full Kravatte, 2018, IACR Trans. Symmetric Cryptol.

[4]  Stafford E. Tavares et al. On the Design of S-Boxes, 1985, CRYPTO.

[5]  Vincent Rijmen et al. The MAC function Pelican 2.0, 2014.

[6]  Joan Daemen et al. Xoodoo cookbook, 2018, IACR Cryptol. ePrint Arch.

[7]  Joan Daemen et al. New techniques for trail bounds and application to differential trails in Keccak, 2017, IACR Trans. Symmetric Cryptol.

[8]  G. Brassard et al. Quantum Amplitude Amplification and Estimation, 2000, quant-ph/0005055.

[9]  Bart Mennink et al. Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption, 2016, IACR Cryptol. ePrint Arch.

[10]  Vincent Rijmen et al. Plateau characteristics, 2007, IET Inf. Secur.

[11]  Vincent Rijmen et al. Refinements of the ALRED construction and MAC security claims, 2010, IET Inf. Secur.

[12]  Joan Daemen et al. Cipher and hash function design strategies based on linear and differential cryptanalysis, 1995.

[13]  Peter Schwabe et al. SHA-3 on ARM11 Processors, 2012, AFRICACRYPT.

[14]  Guido Bertoni et al. Farfalle: parallel permutation-based cryptography, 2017, IACR Trans. Symmetric Cryptol.

[15]  Naofumi Homma et al. Cryptographic Hardware and Embedded Systems – CHES 2017, 2017, Lecture Notes in Computer Science.

[16]  Thomas Peyrin et al. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework, 2014, ASIACRYPT.

[17]  Gregor Leander et al. A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack, 2011, CRYPTO.

[18]  Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[19]  Ko Stoffelen et al. Column Parity Mixers, 2018, IACR Trans. Symmetric Cryptol.

[20]  Joan Daemen et al. Differential Propagation Analysis of Keccak, 2012, FSE.