
On Xoodoo

Gilles Van Assche (1), based on joint work with Joan Daemen (2), Seth Hoffert and Ronny Van Keer (1)

(1) STMicroelectronics, (2) Radboud University

Advances in Permutation-Based Cryptography Milano, Italy, October 2018

1 / 24

Outline

1. Xoodoo
2. Trail bounds
3. Xoofff

2 / 24

Xoodoo

Outline

1. Xoodoo
2. Trail bounds
3. Xoofff

3 / 24


Xoodoo

What is Xoodoo?

Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very robust and does not get distracted by side channels.

4 / 24


Xoodoo

Xoodoo

Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert]

• 384-bit permutation
• Keccak philosophy ported to Gimli shape
• Main purpose: usage in Farfalle: Xoofff
• Achouffe configuration
• Efficient on wide range of platforms

5 / 24

Xoodoo

Xoodoo state

[figure: the state in (x, y, z) coordinates; successive builds highlight the whole state, one plane, one lane and one column]

State: 3 horizontal planes, each consisting of 4 lanes

6 / 24


Xoodoo

Xoodoo round function

[figure: round function θ → ρwest → χ → ρeast]

Iterated: nr rounds that differ only by round constant

7 / 24


Xoodoo

Nonlinear mapping χ

[figure: effect of χ on one plane, showing the complement]

• χ as in Keccak-p, operating on 3-bit columns
• Involution, and same propagation differentially and linearly

8 / 24

Xoodoo

Mixing layer θ

[figure: column parity → θ-effect (fold) → added to the state]

• Column parity mixer: compute parity, fold and add to state
• Good average diffusion, identity for states in kernel

9 / 24

Xoodoo

Plane shift ρeast

[figure: plane 1 shifted by (0, 1), plane 2 shifted by (2, 8)]

• After χ and before θ
• Shifts planes y = 1 and y = 2 in different directions

10 / 24

Xoodoo

Plane shift ρwest

[figure: plane 1 shifted by (1, 0), plane 2 shifted by (0, 11)]

• After θ and before χ
• Shifts planes y = 1 and y = 2 in different directions

11 / 24


Xoodoo

Xoodoo pseudocode

nr rounds, for i from 1 − nr to 0, with a 5-step round function:

θ:      P ← A0 + A1 + A2
        E ← P ≪ (1, 5) + P ≪ (1, 14)
        Ay ← Ay + E for y ∈ {0, 1, 2}
ρwest:  A1 ← A1 ≪ (1, 0)
        A2 ← A2 ≪ (0, 11)
ι:      A0,0 ← A0,0 + Ci
χ:      B0 ← ¬A1 · A2
        B1 ← ¬A2 · A0
        B2 ← ¬A0 · A1
        Ay ← Ay + By for y ∈ {0, 1, 2}
ρeast:  A1 ← A1 ≪ (0, 1)
        A2 ← A2 ≪ (2, 8)
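The round function above as a Python implementation, added here as an example; it is not code from the presentation or from the Xoodoo team. It follows the pseudocode with the plane-shift convention of the Xoodoo cookbook (A ≪ (t, v) moves the bit at (x, z) to (x + t, z + v)) and stores lanes little-endian in x + 4y order as XKCP does. The round constants are reproduced from the cookbook/XKCP from memory rather than from these slides, so check them against the reference code before relying on them. The inverse permutation is included to exercise two properties the slides state: χ is an involution, and θ is the identity on states whose column parities are all zero. The derivation of the θ inverse is my own: on the parity plane θ acts as multiplication by 1 + u with u = x·z^5 + x·z^14 in GF(2)[x, z]/(x^4 + 1, z^32 + 1), and since u^32 = 0 its inverse is (1 + u)^31.

```python
"""Xoodoo[n_r] following the slide's pseudocode (Xoodoo cookbook, eprint 2018/767).
State: 3 planes (y = 0, 1, 2), each of 4 lanes (x = 0..3) of 32 bits (z)."""

MASK32 = 0xFFFFFFFF

# Round constants C_i for i = -11, ..., 0. Reproduced from the cookbook / XKCP from
# memory, not from the slides: verify against the reference code before relying on them.
RC = [0x00000058, 0x00000038, 0x000003C0, 0x000000D0, 0x00000120, 0x00000014,
      0x00000060, 0x0000002C, 0x00000380, 0x000000F0, 0x000001A0, 0x00000012]

def rotl32(lane, r):
    """Cyclic left rotation of a 32-bit lane (a negative r rotates right)."""
    r %= 32
    return ((lane << r) | (lane >> (32 - r))) & MASK32 if r else lane

def plane_shift(plane, t, v):
    """A <<< (t, v): the bit at (x, z) moves to (x + t, z + v)."""
    return [rotl32(plane[(x - t) % 4], v) for x in range(4)]

def plane_xor(a, b):
    return [u ^ w for u, w in zip(a, b)]

def parity(a):
    """Column parity plane P = A0 + A1 + A2."""
    return plane_xor(plane_xor(a[0], a[1]), a[2])

def theta_effect(p):
    """E = P <<< (1, 5) + P <<< (1, 14)."""
    return plane_xor(plane_shift(p, 1, 5), plane_shift(p, 1, 14))

def theta(a):
    e = theta_effect(parity(a))          # all-zero for states in the kernel
    return [plane_xor(a[y], e) for y in range(3)]

def theta_inverse(a):
    # theta maps the parity P to P' = P + E(P) = (1 + u) P, with u the shift operator
    # x z^5 + x z^14 in GF(2)[x, z]/(x^4 + 1, z^32 + 1). Since u^32 = 0 there,
    # (1 + u)^-1 = (1 + u)^31: applying P -> P + E(P) 31 times recovers P from P'.
    p = parity(a)
    for _ in range(31):
        p = plane_xor(p, theta_effect(p))
    e = theta_effect(p)
    return [plane_xor(a[y], e) for y in range(3)]

def rho_west(a):
    return [a[0], plane_shift(a[1], 1, 0), plane_shift(a[2], 0, 11)]

def rho_west_inverse(a):
    return [a[0], plane_shift(a[1], -1, 0), plane_shift(a[2], 0, -11)]

def rho_east(a):
    return [a[0], plane_shift(a[1], 0, 1), plane_shift(a[2], 2, 8)]

def rho_east_inverse(a):
    return [a[0], plane_shift(a[1], 0, -1), plane_shift(a[2], -2, -8)]

def iota(a, rc):
    """Add the round constant to lane (x, y) = (0, 0); its own inverse."""
    return [[a[0][0] ^ rc] + a[0][1:], a[1], a[2]]

def chi(a):
    """B_y = (not A_{y+1}) . A_{y+2} on every 3-bit column; an involution."""
    a0, a1, a2 = a
    b0 = [~a1[x] & a2[x] & MASK32 for x in range(4)]
    b1 = [~a2[x] & a0[x] & MASK32 for x in range(4)]
    b2 = [~a0[x] & a1[x] & MASK32 for x in range(4)]
    return [plane_xor(a0, b0), plane_xor(a1, b1), plane_xor(a2, b2)]

def xoodoo(state, n_rounds=12):
    """Xoodoo[n_rounds] on a state given as 3 planes of 4 lanes."""
    a = [list(plane) for plane in state]
    for rc in RC[-n_rounds:]:                # rounds i = 1 - n_r, ..., 0
        a = rho_east(chi(iota(rho_west(theta(a)), rc)))
    return a

def xoodoo_inverse(state, n_rounds=12):
    a = [list(plane) for plane in state]
    for rc in reversed(RC[-n_rounds:]):
        a = theta_inverse(rho_west_inverse(iota(chi(rho_east_inverse(a)), rc)))
    return a

def state_from_bytes(data):
    """48 bytes -> state; lanes little-endian in order x + 4*y (XKCP layout)."""
    lanes = [int.from_bytes(data[4 * i:4 * i + 4], "little") for i in range(12)]
    return [lanes[4 * y:4 * y + 4] for y in range(3)]

def state_to_bytes(a):
    return b"".join(lane.to_bytes(4, "little") for plane in a for lane in plane)

if __name__ == "__main__":
    s = state_from_bytes(bytes(range(48)))   # constructed sample input
    print(state_to_bytes(xoodoo(s)).hex())
    assert xoodoo_inverse(xoodoo(s)) == s
```

Running the module prints Xoodoo[12] of a constructed 48-byte input and checks the round trip through the inverse; `xoodoo(s, 6)` gives the Xoodoo[6] instance used by Xoofff. The kernel property of the slide can be checked by feeding a state with A0 = A1 and A2 = 0, for which every column has even parity and θ leaves the state unchanged.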

12 / 24

Xoodoo

Xoodoo software performance

                     width    cycles/byte per round
                     (bytes)  ARM Cortex-M3   Intel Skylake
Keccak-p[1600, nr]   200      2.44            0.080
ChaCha               64       0.69            0.059
Gimli                48       0.91            0.074*
Xoodoo               48       1.10            0.083

* on Intel Haswell

Xoodoo has slower rounds than Gimli but requires fewer rounds for equal security objectives!

13 / 24

Trail bounds

Outline

1. Xoodoo
2. Trail bounds
3. Xoofff

14 / 24

Trail bounds

Trail bounds in Xoodoo

# rounds:       1   2   3    4      5      6
differential:   2   8   36   ≥ 54   ≥ 56   ≥ 104
linear:         2   8   36   ≥ 54   ≥ 56   ≥ 104

Search steps (successive builds of the slide):
• Generating (a1, b1)
• Extending forward by one round till weight 50
• Generating (a2, b2)
• Extending backward by one round till weight 50
• Extending all 3-round trail cores to 6 rounds till weight 102

15 / 24

Trail bounds

Using the tree-search approach

• Set U of units with a total order relation ≺
• Tree node: a subset of U, represented as a unit list a = (u_1, …, u_n) with u_1 ≺ u_2 ≺ ··· ≺ u_n
• Children of a node a: a ∪ {u_{n+1}} for all u_{n+1} with u_n ≺ u_{n+1}
• Root: the empty set a = ∅

[Mella, Daemen, Van Assche, FSE 2017]

16 / 24

Trail bounds

Definition of units

Units represent one bit at a time:
• Active bit in odd column (x, y, z)
• Bit in affected column (x, y, z, value 0/1)
• Active bit of an orbital (x, y, z)
⇒ allows for finer-grained bounding

17 / 24

Trail bounds

Properties of the trail search

[figure: DC trail through θ, ρwest, Δχ, ρeast (late / early); LC trail through θ^T, ρwest^-1, corr χ, ρeast^-1 (early / late)]

Difference and mask propagation in χ follow the same rule ⇒ differential and linear trail search are almost identical

18 / 24

Trail bounds

Properties of the trail search

Compared to trail search in Keccak-p: in Xoodoo, both χ and χ^-1 have algebraic degree 2 ⇒ affine-space extension in both directions

19 / 24

Xoofff

Outline

1. Xoodoo
2. Trail bounds
3. Xoofff

20 / 24

Xoofff

Xoofff = Farfalle + Xoodoo

[figure: Farfalle construction. Mask k = pb(K∥10∗); input blocks m0, m1, …, mi are each added to the rolled mask (rolling function c), passed through pc and accumulated; the accumulator goes through pd; output blocks z0, z1, …, zj are produced by rolling the state (rolling function e), applying pe and adding k′]

• pb = pc = pd = pe = Xoodoo[6]
• Input mask rolling with LFSR, state rolling with NLFSR
• Target security: 128 bits, incl. multi-target and quantum adv.

21 / 24

Xoofff

Xoofff applications and implementations

The Xoodoo Cookbook also specifies:
• Xoofff-SANE: session AE relying on user nonce
• Xoofff-SANSE: session AE using SIV technique
• Xoofff-WBC: tweakable wide block cipher

Keccak Code Package ⇓ eXtended Keccak Code Package

22 / 24


Conclusions

Any questions?

Thanks for your attention!

More information

https://eprint.iacr.org/2018/767

Some implementations

• https://github.com/XoodooTeam/Xoodoo/ (ref. code in C++ and Python)
• https://github.com/XKCP/XKCP (C, Assembler)
• https://tinycrypt.wordpress.com/2018/02/06/… (C, Assembler)

23 / 24