Xoodyak, a lightweight cryptographic scheme

In this paper, we present Xoodyak, a cryptographic primitive that can be used for hashing, encryption, MAC computation and authenticated encryption. Essentially, it is a duplex object extended with an interface that allows absorbing strings of arbitrary length, encrypting them and squeezing output of arbitrary length. It inherently hashes the history of all operations into its state, which allows its resistance against generic attacks to be derived from that of the full-state keyed duplex. Internally, it uses the Xoodoo[12] permutation, whose width of 48 bytes allows for very compact implementations. The choice of 12 rounds justifies a security claim in the hermetic philosophy: it implies that there are no shortcut attacks with a higher success probability than generic attacks. The claimed security strength is 128 bits. We illustrate the versatility of Xoodyak by describing a number of use cases, including the ones requested by NIST in the lightweight competition. For those use cases, we translate the relatively detailed security claim that we make for Xoodyak into simple ones.

Version of Xoodyak: v1
Version of this document: v1.1 (March 29, 2019)
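The abstract describes the mechanism only at a high level: a duplex object over a 48-byte state whose absorb, encrypt and squeeze calls each pass through the permutation, so every later output depends on the whole history of earlier calls. The following Python program is an added illustration of that mechanism and is not code from the Xoodyak paper or the Xoodoo reference implementation. It assumes a stand-in permutation (a SHA-256-based Feistel network, which is a bijection on 48-byte strings but has no security claim and is not Xoodoo), a rate of 16 bytes, one-byte domain-separation constants and a simple delimiter padding; none of these are Xoodyak's actual Cyclist mode parameters. What it does show faithfully is the duplex principle: the same object serves hashing, AEAD encryption and tag generation, the ciphertext rather than the plaintext is fed back into the state so both sides stay synchronised, and splitting the same input across two absorb calls yields a different digest than absorbing it in one call, because the call boundary itself is part of the hashed history.

```python
import hashlib
import hmac

WIDTH = 48   # state width in bytes, the same 384 bits as Xoodoo
RATE = 16    # bytes absorbed or squeezed per permutation call (assumption for this toy)


def toy_permutation(state: bytes) -> bytes:
    """Stand-in for Xoodoo[12]: a 6-round unkeyed Feistel network built from SHA-256.

    It is invertible, hence a genuine permutation of 48-byte strings, but it carries
    no security claim; it exists only so the duplex mechanics below can be executed.
    """
    half = WIDTH // 2
    left, right = state[:half], state[half:]
    for rnd in range(6):
        f = hashlib.sha256(bytes([rnd]) + right).digest()[:half]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def _xor_into(state: bytes, offset: int, data: bytes) -> bytes:
    buf = bytearray(state)
    for i, b in enumerate(data):
        buf[offset + i] ^= b
    return bytes(buf)


class ToyDuplex:
    """Minimal duplex object with absorb / encrypt / decrypt / squeeze.

    Every call XORs a padded block and a domain byte into the state and runs the
    permutation, so the state is a hash of the entire sequence of operations so far.
    """
    ABSORB, CRYPT, SQUEEZE = 0x01, 0x02, 0x03   # constructed domain-separation bytes

    def __init__(self) -> None:
        self.state = bytes(WIDTH)

    def _duplex(self, block: bytes, domain: int) -> bytes:
        # Block plus a 0x01 delimiter go into the outer part; the domain byte goes
        # into the last byte of the inner part; then the permutation is applied.
        assert len(block) <= RATE
        s = _xor_into(self.state, 0, block + b"\x01")
        s = _xor_into(s, WIDTH - 1, bytes([domain]))
        self.state = toy_permutation(s)
        return self.state[:RATE]

    @staticmethod
    def _blocks(data: bytes):
        return [data[i:i + RATE] for i in range(0, len(data), RATE)] or [b""]

    def absorb(self, data: bytes) -> None:
        for blk in self._blocks(data):
            self._duplex(blk, self.ABSORB)

    def _crypt(self, data: bytes, decrypt: bool) -> bytes:
        out = bytearray()
        for blk in self._blocks(data):
            keystream = self.state[:len(blk)]          # outer part of current state
            other = bytes(a ^ b for a, b in zip(blk, keystream))
            ciphertext = blk if decrypt else other
            out += other
            # The ciphertext, not the plaintext, is duplexed into the state, so the
            # encrypting and decrypting sides evolve identically.
            self._duplex(ciphertext, self.CRYPT)
        return bytes(out)

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._crypt(plaintext, decrypt=False)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self._crypt(ciphertext, decrypt=True)

    def squeeze(self, length: int) -> bytes:
        out = bytearray()
        while len(out) < length:
            out += self._duplex(b"", self.SQUEEZE)
        return bytes(out[:length])


def hash_digest(message: bytes, length: int = 32) -> bytes:
    d = ToyDuplex()
    d.absorb(message)
    return d.squeeze(length)


def absorb_sequence_digest(parts, length: int = 32) -> bytes:
    """Digest of a sequence of separate absorb calls; call boundaries are part of the history."""
    d = ToyDuplex()
    for p in parts:
        d.absorb(p)
    return d.squeeze(length)


def aead_encrypt(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes):
    d = ToyDuplex()
    d.absorb(key)
    d.absorb(nonce)
    d.absorb(ad)
    ciphertext = d.encrypt(plaintext)
    return ciphertext, d.squeeze(16)


def aead_decrypt(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes, tag: bytes):
    """Returns the plaintext, or None when the tag does not match (ciphertext or AD altered)."""
    d = ToyDuplex()
    d.absorb(key)
    d.absorb(nonce)
    d.absorb(ad)
    plaintext = d.decrypt(ciphertext)
    if not hmac.compare_digest(d.squeeze(16), tag):
        return None
    return plaintext
```

Because the tag is squeezed from a state that already contains key, nonce, associated data and every ciphertext block, any change to those inputs changes the tag; the decrypt side therefore never has to keep separate MAC state, which is the property the abstract attributes to hashing the operation history.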
