on xoodoo
play

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 - PowerPoint PPT Presentation

Jan 20, 2023 •243 likes •645 views

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University Advances in Permutation-Based Cryptography Milano, Italy, October 2018 1 / 24 Outline 1 Xoodoo

  1. On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University Advances in Permutation-Based Cryptography Milano, Italy, October 2018 1 / 24

  2. Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 2 / 24

  3. Xoodoo Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 3 / 24

  4. Xoodoo What is Xoodoo? 4 / 24 Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very ro- bust and does not get distracted by side channels.

  5. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  6. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  7. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  8. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x state

  9. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x plane

  10. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x lane

  11. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x column

  12. Xoodoo Xoodoo round function 7 / 24 χ ρ west ρ east θ Iterated: n r rounds that differ only by round constant

  13. Xoodoo Effect on one plane: Involution and same propagation differentially and linearly 8 / 24 Nonlinear mapping χ 2 1 complement 0 χ as in Keccak- p , operating on 3-bit columns

  14. Xoodoo Column parity mixer: compute parity, fold and add to state Good average diffusion, identity for states in kernel 9 / 24 Mixing layer θ + = column parity θ -e ff ect fold

  15. Xoodoo Column parity mixer: compute parity, fold and add to state Good average diffusion, identity for states in kernel 9 / 24 Mixing layer θ + = column parity θ -e ff ect fold

  16. Xoodoo 10 / 24 Plane shift ρ east shift (2,8) 2 shift (0,1) 1 0 After χ and before θ Shifts planes y = 1 and y = 2 over different directions

  17. Xoodoo 11 / 24 Plane shift ρ west shift (0,11) 2 shift (1,0) 1 0 After θ and before χ Shifts planes y = 1 and y = 2 over different directions

  18. Xoodoo Xoodoo pseudocode 12 / 24 n r rounds from i = 1 − n r to 0, with a 5-step round function: θ : P ← A 0 + A 1 + A 2 E ← P ≪ ( 1 , 5 ) + P ≪ ( 1 , 14 ) A y ← A y + E for y ∈ { 0 , 1 , 2 } ρ west : A 1 ← A 1 ≪ ( 1 , 0 ) A 2 ← A 2 ≪ ( 0 , 11 ) ι : A 0 , 0 ← A 0 , 0 + C i χ : B 0 ← A 1 · A 2 B 1 ← A 2 · A 0 B 2 ← A 0 · A 1 A y ← A y + B y for y ∈ { 0 , 1 , 2 } ρ east : A 1 ← A 1 ≪ ( 0 , 1 ) A 2 ← A 2 ≪ ( 2 , 8 )

  19. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  20. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  21. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  22. Trail bounds Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 14 / 24

  23. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104

  24. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 1 , b 1 )

  25. Trail bounds 8 Extending forward by one round till weight 50 36 8 2 linear: Trail bounds in Xoodoo 36 15 / 24 2 differential: 6 5 4 3 2 1 # rounds: ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 1 , b 1 )

  26. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 2 , b 2 )

  27. Trail bounds 8 Extending backward by one round till weight 50 36 8 2 linear: Trail bounds in Xoodoo 36 15 / 24 2 differential: 6 5 4 3 2 1 # rounds: ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 2 , b 2 )

  28. Trail bounds 2 Extending all 3-round trail cores to 6 rounds till weight 102 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104

  29. Trail bounds Using the tree-search approach Tree Node: subset of U , represented as a unit list Children of a node a : [Mella, Daemen, Van Assche, FSE 2017] 16 / 24 Set U of units with a total order relation ≺ a = ( u i ) i = 1 , ... , n u 1 ≺ u 2 ≺ · · · ≺ u n a ∪ { u n + 1 } ∀ u n + 1 : u n ≺ u n + 1 Root: the empty set a = ∅

  30. Trail bounds Defjnition of units Units represent one bit at a time: 17 / 24 Active bit in odd column ( x , y , z ) Bit in affected column ( x , y , z , value 0 / 1 ) Active bit of an orbital ( x , y , z ) ⇒ allows for fjner-grained bounding

  31. Trail bounds Properties of the trail search 18 / 24 Δχ corr χ DC LC late early early late ρ -1 ρ -1 ρ west ρ east west east θ T θ Difference and mask propagation in χ follow the same rule ⇒ differential and linear trail search are almost identical

  32. Trail bounds Properties of the trail search Compared to trail search in Keccak- p : 19 / 24 In Xoodoo, both χ and χ − 1 have algebraic degree 2 ⇒ affjne-space extension in both directions

  33. Xoofff Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 20 / 24

  34. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  35. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  36. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  37. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  38. Xoofff Xoofff applications and implementations The Xoodoo Cookbook also specifjes: Xoofff-SANE: session AE relying on user nonce Xoofff-SANSE: session AE using SIV technique Xoofff-WBC: tweakable wide block cipher Keccak Code Package eXtended Keccak Code Package 22 / 24 ⇓

  39. Xoofff Xoofff applications and implementations The Xoodoo Cookbook also specifjes: Xoofff-SANE: session AE relying on user nonce Xoofff-SANSE: session AE using SIV technique Xoofff-WBC: tweakable wide block cipher Keccak Code Package eXtended Keccak Code Package 22 / 24 ⇓

  40. Conclusions Any questions? Thanks for your attention! More information https://eprint.iacr.org/2018/767 Some implementations https://github.com/XoodooTeam/Xoodoo/ (ref. code in C++ and Python) https://github.com/XKCP/XKCP (C, Assembler) https://tinycrypt.wordpress.com/2018/02/06/… (C, Assembler) 23 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VTmt mtss ss Of Office ice Ho Hour ur De Dece cemb mber er 4, 4, 20 2019 Tom Faris

VTmt mtss ss Of Office ice Ho Hour ur De Dece cemb mber er 4, 4, 20 2019 Tom Faris

VTmt mtss ss Of Office ice Ho Hour ur De Dece cemb mber er 4, 4, 20 2019 Tom Faris & Julia Scheier - VTmtss Coordinators ES EST Ov Over ervie view Q&A Q&A In Inter ersec secti tion on of of ES EST T an and

561 views • 14 slides
Self-Advocacy Coffee Break May 15 th , 3:00 pm EST Coffee Break Agenda Introduction In the

Self-Advocacy Coffee Break May 15 th , 3:00 pm EST Coffee Break Agenda Introduction In the

Self-Advocacy Coffee Break May 15 th , 3:00 pm EST Coffee Break Agenda Introduction In the large group we will be discussing the question What is your dream job and why? Word of the week Self-Advocacy Exit question,

375 views • 6 slides
Notes on Support Vector Machines, COMP24111 Tingting Mu tingtingmu@manchester.ac.uk School of

Notes on Support Vector Machines, COMP24111 Tingting Mu tingtingmu@manchester.ac.uk School of

Notes on Support Vector Machines, COMP24111 Tingting Mu tingtingmu@manchester.ac.uk School of Computer Science University of Manchester Manchester M13 9PL, UK Editor: NA We start from introducing the notations to be used in this notes. We

308 views • 13 slides
k -means++ seeding Have seen that the k -means algorithm can output arbitrarily poor solutions, if

k -means++ seeding Have seen that the k -means algorithm can output arbitrarily poor solutions, if

k -means++ seeding Have seen that the k -means algorithm can output arbitrarily poor solutions, if started with a bad set of initial centroids k -means++ is a simple, probabilistic algorithm to compute initial centroids These centroids are

745 views • 8 slides
Phylogeny and Sequence Simulation with Hybridization Michael Woodhams School of Mathematics and

Phylogeny and Sequence Simulation with Hybridization Michael Woodhams School of Mathematics and

Phylogeny and Sequence Simulation with Hybridization Michael Woodhams School of Mathematics and Physics, University of Tasmania Image credits: witchwarrior101.blogspot.com.au thedrawinghands.deviantart.com eduardoleon.deviantart.com

424 views • 16 slides
1 Peter Series Lesson #132 May 31, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #132 May 31, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #132 May 31, 2018 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Spiritual Gifts 1 Peter 4:1011; 1 Cor. 12; Eph. 4:11, 12 1 Pet. 4:8787, And above all things have fervent love for one

198 views • 19 slides
Week 15 - Monday What did we talk about last time? Timsort Tries Lab hours

Week 15 - Monday What did we talk about last time? Timsort Tries Lab hours

Week 15 - Monday What did we talk about last time? Timsort Tries Lab hours Wednesdays at 5 p.m. in The Point 113 Saturdays at noon in The Point 113 CS Club Tuesdays at 5 p.m. in The Point 113 (or next door in The

226 views • 21 slides
Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked

Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked

Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked Lists Queues Stacks C++ has some built-in methods of storing compound data in useful ways, like arrays and structs. Collectively

464 views • 28 slides
DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud

DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud

DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud Computing 2018 Ian A Kash, Greg OShea, Stavros Volos 1 Public Cloud DC hosting enterprise customers O(100K) servers, mostly small tenants 2

1.21k views • 87 slides
Announcements Reminder: Candidates on campus in next few weeks Day-by-day schedule may change,

Announcements Reminder: Candidates on campus in next few weeks Day-by-day schedule may change,

Announcements Reminder: Candidates on campus in next few weeks Day-by-day schedule may change, so check often Thursday Extra: Today @ 4:00 Tenure-track candidate #1 Kevin Angstadt, U. of Michigan All Computers Great and Small: Supporting

86 views • 8 slides
Sor$ng, Stacks, Queues Bryce Boe 2013/11/06 CS24, Fall 2013

Sor$ng, Stacks, Queues Bryce Boe 2013/11/06 CS24, Fall 2013

Sor$ng, Stacks, Queues Bryce Boe 2013/11/06 CS24, Fall 2013 Outline Finish Lab 5 Part 2 Review Lab 6 Review / Sor$ng / C++ Templates

193 views • 17 slides
The HISPACAT comparative database of syntactic constructions and its applications to syntactic

The HISPACAT comparative database of syntactic constructions and its applications to syntactic

Goals Theory Architecture Results Conclusions The HISPACAT comparative database of syntactic constructions and its applications to syntactic variation research Workshop on Research Infrastructure for Linguistic Variation Xavier Villalba

509 views • 20 slides
Data Structures and Object-Oriented Design VIII Spring 2014 Carola Wenk Collections and Maps

Data Structures and Object-Oriented Design VIII Spring 2014 Carola Wenk Collections and Maps

Data Structures and Object-Oriented Design VIII Spring 2014 Carola Wenk Collections and Maps The Collection interface is for storage and access, while a Map interface is geared towards associating keys with objects. Student database

644 views • 22 slides
Algorithms and Data Structures IS311 Algorithm Sequence of steps used to solve a problem

Algorithms and Data Structures IS311 Algorithm Sequence of steps used to solve a problem

Algorithms and Data Structures IS311 Algorithm Sequence of steps used to solve a problem Data Structures and Operates on collection of data Each element of collection - > data structure Java Collections Framework

421 views • 14 slides
General remarks Algorithms Algorithms Week 6 Oliver Oliver Kullmann Kullmann Dynamic

General remarks Algorithms Algorithms Week 6 Oliver Oliver Kullmann Kullmann Dynamic

CS 270 CS 270 General remarks Algorithms Algorithms Week 6 Oliver Oliver Kullmann Kullmann Dynamic Dynamic sets sets Data structures Simple Simple We start considering Part III Data Structures from implementa- implementa-

346 views • 10 slides
Functions and Methods Functions and Methods agentzh ( )

Functions and Methods Functions and Methods agentzh ( )

Functions and Methods Functions and Methods agentzh ( ) 2006.10 Consistent interface, Simple interface, rich interface C# seems to have hundreds of

755 views • 58 slides
Principles of Programming CM10227 Lecture D.2.: Conditionals, Recursion, Interesting Functions

Principles of Programming CM10227 Lecture D.2.: Conditionals, Recursion, Interesting Functions

Conditionals More on Functions Recursion Principles of Programming CM10227 Lecture D.2.: Conditionals, Recursion, Interesting Functions Dr. Marina De Vos University of Bath Ext: 5053 Academic Year 2012-2013 Lecture D.2. (MDV) Programming

1.21k views • 76 slides
A DFREE CITIES C ONFERENCE 2020 Henrieke Butijn, Climate Campaigner at BankTrack

A DFREE CITIES C ONFERENCE 2020 Henrieke Butijn, Climate Campaigner at BankTrack

BANKS AND CLIMATE CHAOS A DFREE CITIES C ONFERENCE 2020 Henrieke Butijn, Climate Campaigner at BankTrack henrieke@banktrack.org I NTRODUCING B ANK T RACK Civil society watchdog on private sector (commercial) banks Founded in 2003 Find

187 views • 14 slides
Managing the financial health of your business during COVID-19 Gavin Stuart | Partner 27 May

Managing the financial health of your business during COVID-19 Gavin Stuart | Partner 27 May

Managing the financial health of your business during COVID-19 Gavin Stuart | Partner 27 May 2020 Directors duties the same or changed? 1 Directors are still required to discharge their duties in the same manner as they did before

465 views • 9 slides
The Double Cover of the Icosahedral Symmetry Group and Quark Mass Textures Alexander Stuart

The Double Cover of the Icosahedral Symmetry Group and Quark Mass Textures Alexander Stuart

The Double Cover of the Icosahedral Symmetry Group and Quark Mass Textures Alexander Stuart UW-Madison September 1, 2011 Based on: L. Everett and A. Stuart, Phys.Lett.B698:131-139,2011. arXiv:1011.4928 [hep-ph] The Standard Model SU

794 views • 20 slides
HATTEN LAND LIMITED Building Tomorrow Together SGX-WeR1 Seminar Beyond Klang Valley 25 October

HATTEN LAND LIMITED Building Tomorrow Together SGX-WeR1 Seminar Beyond Klang Valley 25 October

HATTEN LAND LIMITED Building Tomorrow Together SGX-WeR1 Seminar Beyond Klang Valley 25 October 2017 Disclaimer Information in this presentation may contain forward-looking statements that reflect the current views of Hatten Land Limited (the

504 views • 32 slides
CSE 351: Week 6 Tom Bergan, TA 1 Today Questions on the midterm? Lab 3 2 Lab 3:

CSE 351: Week 6 Tom Bergan, TA 1 Today Questions on the midterm? Lab 3 2 Lab 3:

CSE 351: Week 6 Tom Bergan, TA 1 Today Questions on the midterm? Lab 3 2 Lab 3: Buffer Overflow This has a buffer overflow The Stack in getbuf() : int getbuf() { : char buf[36]; Gets(buf); return addr return 1; } saved regs

241 views • 9 slides
http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252:

http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252:

http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252: Advanced Programming Language Principles Introduction to Haskell Prof. Tom Austin San Jos State University Key traits of Haskell 1. Purely

711 views • 32 slides
Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD)

Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD)

Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD) Test-driven development ( TDD ) is a software development process based on three simple rules TDD Rules (From Uncle Bob Martin) 1. You are not allowed

386 views • 19 slides

More recommend