on xoodoo
play

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 - PowerPoint PPT Presentation

Jan 20, 2023 •243 likes •645 views

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University Advances in Permutation-Based Cryptography Milano, Italy, October 2018 1 / 24 Outline 1 Xoodoo

  1. On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University Advances in Permutation-Based Cryptography Milano, Italy, October 2018 1 / 24

  2. Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 2 / 24

  3. Xoodoo Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 3 / 24

  4. Xoodoo What is Xoodoo? 4 / 24 Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very ro- bust and does not get distracted by side channels.

  5. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  6. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  7. Xoodoo Xoodoo Xoodoo cookbook: https://eprint.iacr.org/2018/767 [Keccak team with Seth Hoffert] 384-bit permutation Keccak philosophy ported to Gimli shape Main purpose: usage in Farfalle: Xoofff Achouffe confjguration Effjcient on wide range of platforms 5 / 24

  8. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x state

  9. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x plane

  10. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x lane

  11. Xoodoo Xoodoo state State: 3 horizontal planes each consisting of 4 lanes 6 / 24 z y x column

  12. Xoodoo Xoodoo round function 7 / 24 χ ρ west ρ east θ Iterated: n r rounds that differ only by round constant

  13. Xoodoo Effect on one plane: Involution and same propagation differentially and linearly 8 / 24 Nonlinear mapping χ 2 1 complement 0 χ as in Keccak- p , operating on 3-bit columns

  14. Xoodoo Column parity mixer: compute parity, fold and add to state Good average diffusion, identity for states in kernel 9 / 24 Mixing layer θ + = column parity θ -e ff ect fold

  15. Xoodoo Column parity mixer: compute parity, fold and add to state Good average diffusion, identity for states in kernel 9 / 24 Mixing layer θ + = column parity θ -e ff ect fold

  16. Xoodoo 10 / 24 Plane shift ρ east shift (2,8) 2 shift (0,1) 1 0 After χ and before θ Shifts planes y = 1 and y = 2 over different directions

  17. Xoodoo 11 / 24 Plane shift ρ west shift (0,11) 2 shift (1,0) 1 0 After θ and before χ Shifts planes y = 1 and y = 2 over different directions

  18. Xoodoo Xoodoo pseudocode 12 / 24 n r rounds from i = 1 − n r to 0, with a 5-step round function: θ : P ← A 0 + A 1 + A 2 E ← P ≪ ( 1 , 5 ) + P ≪ ( 1 , 14 ) A y ← A y + E for y ∈ { 0 , 1 , 2 } ρ west : A 1 ← A 1 ≪ ( 1 , 0 ) A 2 ← A 2 ≪ ( 0 , 11 ) ι : A 0 , 0 ← A 0 , 0 + C i χ : B 0 ← A 1 · A 2 B 1 ← A 2 · A 0 B 2 ← A 0 · A 1 A y ← A y + B y for y ∈ { 0 , 1 , 2 } ρ east : A 1 ← A 1 ≪ ( 0 , 1 ) A 2 ← A 2 ≪ ( 2 , 8 )

  19. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  20. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  21. Xoodoo ChaCha … requires less rounds for equal security objectives! Xoodoo has slower rounds than Gimli but … 48 Xoodoo 48 Gimli Xoodoo software performance 64 200 bytes width cycles/byte per round ARM Intel 13 / 24 Cortex M3 Skylake Keccak- p [ 1600 , n r ] 2 . 44 0 . 080 0 . 69 0 . 059 0 . 074 ∗ 0 . 91 1 . 10 0 . 083 ∗ on Intel Haswell

  22. Trail bounds Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 14 / 24

  23. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104

  24. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 1 , b 1 )

  25. Trail bounds 8 Extending forward by one round till weight 50 36 8 2 linear: Trail bounds in Xoodoo 36 15 / 24 2 differential: 6 5 4 3 2 1 # rounds: ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 1 , b 1 )

  26. Trail bounds 2 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 2 , b 2 )

  27. Trail bounds 8 Extending backward by one round till weight 50 36 8 2 linear: Trail bounds in Xoodoo 36 15 / 24 2 differential: 6 5 4 3 2 1 # rounds: ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104 Generating ( a 2 , b 2 )

  28. Trail bounds 2 Extending all 3-round trail cores to 6 rounds till weight 102 36 8 2 linear: Trail bounds in Xoodoo 8 36 differential: 6 5 4 3 2 1 # rounds: 15 / 24 ≥ 54 ≥ 56 ≥ 104 ≥ 54 ≥ 56 ≥ 104

  29. Trail bounds Using the tree-search approach Tree Node: subset of U , represented as a unit list Children of a node a : [Mella, Daemen, Van Assche, FSE 2017] 16 / 24 Set U of units with a total order relation ≺ a = ( u i ) i = 1 , ... , n u 1 ≺ u 2 ≺ · · · ≺ u n a ∪ { u n + 1 } ∀ u n + 1 : u n ≺ u n + 1 Root: the empty set a = ∅

  30. Trail bounds Defjnition of units Units represent one bit at a time: 17 / 24 Active bit in odd column ( x , y , z ) Bit in affected column ( x , y , z , value 0 / 1 ) Active bit of an orbital ( x , y , z ) ⇒ allows for fjner-grained bounding

  31. Trail bounds Properties of the trail search 18 / 24 Δχ corr χ DC LC late early early late ρ -1 ρ -1 ρ west ρ east west east θ T θ Difference and mask propagation in χ follow the same rule ⇒ differential and linear trail search are almost identical

  32. Trail bounds Properties of the trail search Compared to trail search in Keccak- p : 19 / 24 In Xoodoo, both χ and χ − 1 have algebraic degree 2 ⇒ affjne-space extension in both directions

  33. Xoofff Outline 1 Xoodoo 2 Trail bounds 3 Xoofff 20 / 24

  34. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  35. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  36. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  37. Xoofff Xoofff = Farfalle + Xoodoo Target security: 128 bits, incl. multi-target and quantum adv. Input mask rolling with LFSR, state rolling with NLFSR 21 / 24 K ∥ 10 ∗ p b k ′ k i + 2 c c p c p e m 0 z 0 e k ′ k c p c p e m 1 z 1 e p d … … k ′ i k c p c p e m i j z j e p b = p c = p d = p e = Xoodoo [ 6 ]

  38. Xoofff Xoofff applications and implementations The Xoodoo Cookbook also specifjes: Xoofff-SANE: session AE relying on user nonce Xoofff-SANSE: session AE using SIV technique Xoofff-WBC: tweakable wide block cipher Keccak Code Package eXtended Keccak Code Package 22 / 24 ⇓

  39. Xoofff Xoofff applications and implementations The Xoodoo Cookbook also specifjes: Xoofff-SANE: session AE relying on user nonce Xoofff-SANSE: session AE using SIV technique Xoofff-WBC: tweakable wide block cipher Keccak Code Package eXtended Keccak Code Package 22 / 24 ⇓

  40. Conclusions Any questions? Thanks for your attention! More information https://eprint.iacr.org/2018/767 Some implementations https://github.com/XoodooTeam/Xoodoo/ (ref. code in C++ and Python) https://github.com/XKCP/XKCP (C, Assembler) https://tinycrypt.wordpress.com/2018/02/06/… (C, Assembler) 23 / 24

Recommend

More recommend