On the Security of Keyed Hashing Based on Public Permutations

  • Conference paper
  • Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

Doubly-extendable cryptographic keyed functions (deck functions) generalize message authentication codes (MACs) and stream ciphers in that they take variable-length strings as input and return variable-length strings as output. A prominent way of building deck functions is Farfalle, which uses a set of public permutations and rolling functions in its compression and expansion layers. By generalizing the compression layer of Farfalle, we prove its universality in terms of the probability of differentials over the public permutation used in it. As the compression layer of Farfalle is inherently parallel, we compare it to a generalization of a serial compression function inspired by Pelican-MAC. The same public permutation can yield different universalities depending on whether the compression is done in parallel or serially; the parallel construction consistently performs better than the serial one, sometimes by a large factor. We demonstrate this effect using Xoodoo[3], a round-reduced (3-round) variant of the public permutation used in the deck function Xoofff.


References

  1. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1

  2. Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_32

  3. Bernstein, D.J.: How to stretch random functions: The security of protected counter sums. J. Cryptol. 12(3), 185–192 (1999). https://doi.org/10.1007/s001459900051

  4. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3

  5. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  7. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25

  8. Bordes, N., Daemen, J., Kuijsters, D., Van Assche, G.: Thinking outside the superbox. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 337–367. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_12

  9. Daemen, J.: Cipher and hash function design, strategies based on linear and differential cryptanalysis, PhD Thesis. K.U.Leuven (1995). http://jda.noekeon.org/

  10. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodoo cookbook. Cryptology ePrint Archive, Paper 2018/767 (2018). https://eprint.iacr.org/2018/767

  11. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: DC-Xoodoo-3r.txt (2018). https://github.com/KeccakTeam/Xoodoo/blob/master/XooTools/Trails/DC-Xoodoo-3r.txt/

  12. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018). https://doi.org/10.13154/tosc.v2018.i4.1-38

  13. Daemen, J., Mella, S., Van Assche, G.: Tighter trail bounds for Xoodoo. Cryptology ePrint Archive, Paper 2022/1088 (2022). https://eprint.iacr.org/2022/1088

  14. Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21

  15. Daemen, J., Rijmen, V.: A new MAC construction ALRED and a specific instance ALPHA-MAC. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 1–17. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_1

  16. Daemen, J., Rijmen, V.: The Pelican MAC function. Cryptology ePrint Archive, Paper 2005/088 (2005). http://eprint.iacr.org/2005/088

  17. Daemen, J., Rijmen, V.: Refinements of the ALRED construction and MAC security claims. IET Inf. Secur. 4(3), 149–157 (2010). https://doi.org/10.1049/iet-ifs.2010.0015

  18. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24

  19. Dobraunig, C., Mennink, B.: Security of the Suffix Keyed Sponge. IACR Trans. Symmetric Cryptol. 2019(4), 223–248 (2019). https://doi.org/10.13154/tosc.v2019.i4.223-248

  20. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997). https://doi.org/10.1007/s001459900025

  21. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11

  22. Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_3

  23. McGrew, D.A., Viega, J.: The use of Galois message authentication code (GMAC) in IPsec ESP and AH. RFC 4543, 1–14 (2006). https://doi.org/10.17487/RFC4543

  24. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24

  25. Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. Electron. Colloquium Comput. Complex. 2(52) (1995). http://eccc.hpi-web.de/eccc-reports/1995/TR95-052/index.html

  26. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981). https://doi.org/10.1016/0022-0000(81)90033-7

Acknowledgments

The authors would like to thank Bart Mennink for his valuable input during the finalization of this paper. Joan Daemen and Jonathan Fuchs are supported by the European Research Council under the ERC Advanced Grant agreement ERC-2017-ADG Nr. 788980 ESCADA.

Author information

Corresponding author: Jonathan Fuchs.

A Xoodoo Specification

We quote the specification of the Xoodoo round function, taken verbatim from the Xoodoo Cookbook [10].

Xoodoo is a family of permutations parameterized by its number of rounds \(r\) and denoted \({\textsc {Xoodoo}[r]}\).

Xoodoo has a classical iterated structure: it iteratively applies a round function to a state. The state consists of 3 equally sized horizontal planes, each one consisting of 4 parallel 32-bit lanes. Similarly, the state can be seen as a set of 128 columns of 3 bits, arranged in a \(4\times 32\) array. The planes are indexed by y, with plane \(y=0\) at the bottom and plane \(y=2\) at the top. Within a lane, we index bits with z. The lanes within a plane are indexed by x, so the position of a lane in the state is determined by the two coordinates (x, y). The bits of the state are indexed by (x, y, z) and the columns by (x, z). Sheets are the arrays of three lanes on top of each other and they are indexed by x. The Xoodoo state is illustrated in Fig. 3.

Fig. 3. Toy version of the Xoodoo state, with lanes reduced to 8 bits, and different parts of the state highlighted. [10]

Table 3. Notational conventions [10].

Table 4. The round constants \(c_i\) with \(-11 \le i \le 0\), in hexadecimal notation (the least significant bit is at \(z=0\)) [10].

The permutation consists of the iteration of a round function \(\mathrm {R_{i}}\) that has 5 steps: a mixing layer \(\theta \), a plane shifting \({\rho _\textrm{west}}\), the addition of round constants \(\iota \), a non-linear layer \(\chi \) and another plane shifting \({\rho _\textrm{east}}\).

We specify Xoodoo in Algorithm 3, completely in terms of operations on planes, using the notational conventions specified in Tables 3 and 4.
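The following Python implementation of Xoodoo[r] is an added example, not code from the paper or from the Xoodoo designers. It follows the five-step round description above; the plane-level shift offsets of each step and the round constants are taken from the Cookbook's Algorithm 3 and Table 4 [10], which this page does not reproduce, so check both against [10] before relying on any output. Xoodoo[3], the variant used in the paper, is the call with rounds=3. The inverse permutation is included only as a self-check of the forward code: the 3-bit χ is an involution, ι and the plane shifts are trivially invertible, and the column-parity map of θ is a sum of commuting cyclic shifts over GF(2) whose orders divide 32, so it satisfies L^32 = I and its inverse is L^31. The byte layout (lane (x, y) as the little-endian 32-bit word at offset 4(4y + x)) is an assumption about the reference implementation, not something the page states.

```python
"""Xoodoo[r] on planes (added example following the Cookbook description)."""
import os

MASK32 = 0xFFFFFFFF

# c_i for i = -11, ..., 0 as listed in the Cookbook's Table 4 (transcribed here;
# verify against [10]). Xoodoo[r] uses the last r of them, i.e. i = 1-r, ..., 0.
ROUND_CONSTANTS = [
    0x00000058, 0x00000038, 0x000003C0, 0x000000D0,
    0x00000120, 0x00000014, 0x00000060, 0x0000002C,
    0x00000380, 0x000000F0, 0x000001A0, 0x00000012,
]

def rotl32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32 if n else v

def shift_plane(p, t, v):
    """Cyclic plane shift A <<< (t, v): bit (x, z) moves to (x + t, z + v)."""
    return [rotl32(p[(x - t) % 4], v) for x in range(4)]

def xor_planes(a, b):
    return [u ^ w for u, w in zip(a, b)]

def xor_state(s, t):
    return [xor_planes(a, b) for a, b in zip(s, t)]

def parity_effect(p):
    """E = P <<< (1, 5) + P <<< (1, 14): what theta adds to every plane."""
    return xor_planes(shift_plane(p, 1, 5), shift_plane(p, 1, 14))

def theta(state):
    a0, a1, a2 = state
    e = parity_effect(xor_planes(xor_planes(a0, a1), a2))  # P = A0 + A1 + A2
    return [xor_planes(a, e) for a in state]

def theta_inverse(state):
    # theta maps the column parity P to L(P) = P + E(P). In characteristic 2
    # with commuting shifts of order dividing 32, L^32 = I, so L^-1 = L^31:
    # apply L 31 times to the output parity to recover P, then strip E(P).
    a0, a1, a2 = state
    p = xor_planes(xor_planes(a0, a1), a2)
    for _ in range(31):
        p = xor_planes(p, parity_effect(p))
    e = parity_effect(p)
    return [xor_planes(a, e) for a in state]

def rho_west(state, inverse=False):
    s = -1 if inverse else 1
    a0, a1, a2 = state
    return [a0, shift_plane(a1, s * 1, 0), shift_plane(a2, 0, s * 11)]

def rho_east(state, inverse=False):
    s = -1 if inverse else 1
    a0, a1, a2 = state
    return [a0, shift_plane(a1, 0, s * 1), shift_plane(a2, s * 2, s * 8)]

def iota(state, c):
    """Add round constant c_i to lane (x, y) = (0, 0); self-inverse."""
    a0, a1, a2 = state
    return [[a0[0] ^ c] + a0[1:], a1, a2]

def chi(state):
    """Column-wise 3-bit chi: B_y = ~A_{y+1} & A_{y+2}, A_y += B_y. Involution."""
    a0, a1, a2 = state
    b0 = [~y & z & MASK32 for y, z in zip(a1, a2)]
    b1 = [~z & x & MASK32 for z, x in zip(a2, a0)]
    b2 = [~x & y & MASK32 for x, y in zip(a0, a1)]
    return [xor_planes(a0, b0), xor_planes(a1, b1), xor_planes(a2, b2)]

def xoodoo(state, rounds=12):
    """Xoodoo[r]: rounds i = 1-r, ..., 0 (rounds=3 gives the paper's Xoodoo[3])."""
    for c in ROUND_CONSTANTS[-rounds:]:
        state = rho_east(chi(iota(rho_west(theta(state)), c)))
    return state

def xoodoo_inverse(state, rounds=12):
    """Inverse permutation, used here only to sanity-check the forward code."""
    for c in reversed(ROUND_CONSTANTS[-rounds:]):
        state = chi(rho_east(state, inverse=True))
        state = theta_inverse(rho_west(iota(state, c), inverse=True))
    return state

# Byte layout assumed (not stated on the page): lane (x, y) is the little-endian
# 32-bit word at offset 4 * (4 * y + x) of the 48-byte state.
def state_from_bytes(b):
    assert len(b) == 48
    lanes = [int.from_bytes(b[4 * i:4 * i + 4], "little") for i in range(12)]
    return [lanes[4 * y:4 * y + 4] for y in range(3)]

def state_to_bytes(state):
    return b"".join(lane.to_bytes(4, "little") for plane in state for lane in plane)

if __name__ == "__main__":
    msg = os.urandom(48)  # constructed random input block
    out = state_to_bytes(xoodoo(state_from_bytes(msg), 3))
    print("Xoodoo[3] output:", out.hex())
    assert state_to_bytes(xoodoo_inverse(state_from_bytes(out), 3)) == msg
```

The round-trip through xoodoo_inverse only shows that the forward and inverse code agree with each other and with the algebraic properties of the steps; it does not prove agreement with the reference implementation, for which a published test vector is needed.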

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Fuchs, J., Rotella, Y., Daemen, J. (2023). On the Security of Keyed Hashing Based on Public Permutations. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_20

  • DOI: https://doi.org/10.1007/978-3-031-38548-3_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3
