
Algebraic Key-Recovery Attacks on Reduced-Round Xoofff

  • Conference paper
Selected Areas in Cryptography (SAC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12804)

Abstract

Farfalle, a permutation-based construction for building a pseudorandom function (PRF), is very versatile: it can be used to build message authentication codes, stream ciphers, key derivation functions, authenticated encryption schemes, and so on. The Farfalle construction relies on a set of permutations and on so-called rolling functions; it can be split into a compression layer followed by a two-step expansion layer.

As one instance of Farfalle, Xoofff is very efficient on a wide range of platforms, from low-end devices to high-end processors, by combining the narrow permutation Xoodoo with the inherent parallelism of Farfalle. In this paper, we present key-recovery attacks on reduced-round Xoofff. After identifying a weakness in the expanding rolling function, we first propose practical attacks on Xoofff instantiated with 1-/2-round Xoodoo in the expansion layer. We then extend these attacks to Xoofff instantiated with 3-/4-round Xoodoo in the expansion layer by making use of meet-in-the-middle algebraic attacks and the linearization technique. All attacks proposed here, which are independent of the details of the compression and/or middle layer, have been practically verified (either on the “real” Xoofff or on a toy-version Xoofff with a block size of 96 bits). As a countermeasure, we discuss how to slightly modify the rolling function, at no cost, in order to reduce the number of attackable rounds.


Notes

  1. The source code is publicly available at https://github.com/Tammy-Cui/AttackXoofff.

  2. Note that solving a system of \(x\ge 1\) linear equations in x variables corresponds to computing the inverse of an \(x\times x\) matrix. Inverting such a matrix costs \(\mathcal O(x^\omega )\) operations for \(2< \omega \le 3\) (e.g., the fast Gaussian elimination algorithm of [12] costs \(\mathcal O(x^3)\)), while the memory needed to store the matrix is proportional to \(\mathcal O(x^2)\).

  3. Here we emphasize the relation between \(\rho _{west}\circ \theta (S^i)\) and \(\rho _{west}\circ \theta (S^{i+3})\) by highlighting the components of \(\rho _{west}\circ \theta (S^i)\) that also appear in \(\rho _{west}\circ \theta (S^{i+3})\). We use the symbol “\(\star \)” to denote all other components.

References

  1. Bernstein, D.J., et al.: Gimli: a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15

  2. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)

  3. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: The authenticated encryption schemes Kravatte-SANE and Kravatte-SANSE. Cryptology ePrint Archive, Report 2018/1012 (2018). https://eprint.iacr.org/2018/1012

  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19

  7. Chaigneau, C., et al.: Key-recovery attacks on full Kravatte. IACR Trans. Symmetric Cryptol. 2018(1), 5–28 (2018)

  8. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018)

  9. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodoo cookbook. Cryptology ePrint Archive, Report 2018/767 (2018)

  10. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2

  11. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16

  12. Koç, Ç.K., Arachchige, S.N.: A fast algorithm for Gaussian elimination over GF(2) and its implementation on the GAPP. J. Parallel Distrib. Comput. 13(1), 118–122 (1991)

  13. Liu, F., Isobe, T., Meier, W., Yang, Z.: Algebraic attacks on round-reduced Keccak/Xoodoo. Cryptology ePrint Archive, Report 2020/346 (2020). https://eprint.iacr.org/2020/346

  14. Zhou, H., Zong, R., Dong, X., Jia, K., Meier, W.: Interpolation attacks on round-reduced Elephant, Kravatte and Xoofff. Cryptology ePrint Archive, Report 2020/781 (2020). https://eprint.iacr.org/2020/781


Acknowledgment

The symmetry property of the state rolling function presented in Sect. 3.1 was found by Joan Daemen. The authors thank him for his suggestion to exploit this symmetry property as a possible starting point for key-recovery attacks on the expansion part of Xoofff. The authors also thank the reviewers for their valuable comments, and Kalikinkar Mandal for shepherding this final version of the paper. Lorenzo Grassi and Tingting Cui are supported by the European Research Council under the ERC advanced grant agreement ERC-2017-ADG Nr. 788980 ESCADA. Tingting Cui is also supported by NSFC Project No. 61902100.

Corresponding author

Correspondence to Tingting Cui.

Appendices

A Attack on Xoofff (2-round Xoodoo): Details for Step 2

Here we provide more details regarding the second step of the attack presented in Sect. 4.3.

In this step, the attacker sets up a system of linear equations in 64 variables. Since the coefficients of the corresponding matrix are (in general) not independent, it is possible that the matrix is not invertible. Hence, more than 64 equations are in general necessary in order to have a good probability of finding 64 linearly independent ones. By practical tests we found that, using 68, 70 and 73 (consecutive) output blocks, the probability of success (that is, of finding 64 linearly independent equations) is resp. \(29.7\%\), \(75.9\%\) and \(96.6\%\).

Here we analyze these probabilities from a theoretical point of view.

Lemma 3

If the n-bit vectors \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s-1}\) are linearly independent (\(s<n\)), then the probability that another uniformly random n-bit vector \(\mathbf {a}_{s}\) is linearly independent of these s vectors is \(\frac{2^{n}-2^{s}}{2^{n}} = 1-2^{s-n}\).

Proof

The space \(\mathcal {S}\) spanned by \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s-1}\) contains \(2^s\) vectors (the null vector included). The vectors \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s}\) are linearly independent if and only if \(\mathbf {a}_{s}\) does not belong to \(\mathcal {S}\) (in particular, \(\mathbf {a}_{s} = \mathbf {0}\) must be excluded as well). Thus, \(\mathbf {a}_{s}\) has \(2^{n}-2^{s}\) admissible values out of \(2^{n}\), which means the probability is \(\frac{2^{n}-2^{s}}{2^{n}} = 1-2^{s-n}\).    \(\square \)

In order to compute \(Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{63} \text { linearly independent})\), we use the law of total probability. Let \(\{B_n\}_n\) be a finite or countably infinite partition of a sample space. By the law of total probability, \( Prob(A) = \sum _{B_n} Prob(A \, | \, B_n) \cdot Prob(B_n). \) For each \(x\ge 1\), it follows that:

$$\begin{aligned}&\qquad Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x} \text { linearly independent}) \\ =&Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x} \text { linearly independent} \, | \, \mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x-1} \text { linearly independent} ) \\&\qquad \times Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x-1} \text { linearly independent}) \end{aligned}$$

where note that

$$\begin{aligned} Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x} \text { linearly independent} \, | \, \mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{x-1} \text { linearly dependent} ) = 0. \end{aligned}$$

Working iteratively and applying Lemma 3 with \(n = 64\) and \(s = 0, 1, \ldots , 63\), it follows that \(Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{63} \text { linearly independent})\) is equal to

$$\begin{aligned} \frac{2^{64} - 1}{2^{64}}\cdot \frac{2^{64} - 2}{2^{64}} \cdot \frac{2^{64} - 4}{2^{64}} \cdot \ldots \cdot \frac{2^{64} - 2^{63}}{2^{64}} = \prod _{k=1}^{64} \left( 1 - 2^{-k}\right) = \frac{1}{2} \cdot \frac{3}{4} \cdot \frac{7}{8} \cdot \frac{15}{16} \cdot \ldots \cdot \frac{2^{64} - 1}{2^{64}} \approx 0.29. \end{aligned}$$

This result matches the probability (\(29.7\%\)) found in our experiments.

It follows that, given 64 equations (which correspond to 68 output blocks), at least 61 of them are linearly independent with probability higher than \(\frac{15}{16} \cdot \frac{31}{32} \cdot \ldots \cdot \frac{2^{64} - 1}{2^{64}} = \prod _{k=4}^{64} \left( 1 - 2^{-k}\right) \approx 88\%\), since this product is already the probability that the first 61 equations are linearly independent. This theoretical result also matches the one found in our practical tests.
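The counting above, carried out as an added example (editor's code, not part of the paper or of the authors' repository): a GF(2) rank routine, the closed-form probability that m uniformly random equations in 64 unknowns have full rank, and a Monte Carlo check against random matrices. The only assumption beyond the page is the mapping from consecutive output blocks to equations, taken as blocks − 4 from the page's statement that 64 equations correspond to 68 output blocks.

```python
import random


def gf2_rank(rows, n):
    """Rank over GF(2) of a list of n-bit row vectors given as Python ints.

    Plain Gaussian elimination: `basis` maps a pivot bit position to the
    (partially reduced) row whose leading bit is that position.
    """
    basis = {}
    for r in rows:
        for bit in range(n - 1, -1, -1):
            if not (r >> bit) & 1:
                continue
            if bit in basis:
                r ^= basis[bit]          # clears `bit`; only lower bits change
            else:
                basis[bit] = r           # r becomes the pivot row for `bit`
                break
    return len(basis)


def full_rank_probability(n, m):
    """Pr[m uniformly random vectors of GF(2)^n span GF(2)^n], for m >= n.

    Lemma 3 applied repeatedly: counting n random columns of length m (row
    rank equals column rank), the i-th column (i = 0..n-1) must avoid the
    2^i vectors spanned by the previous ones inside a space of size 2^m.
    """
    p = 1.0
    for i in range(n):
        p *= 1.0 - 2.0 ** (i - m)
    return p


def equations_from_blocks(blocks):
    """Assumption (not stated as a formula on the page): the page pairs 64
    equations with 68 consecutive output blocks, so equations = blocks - 4."""
    return blocks - 4


def monte_carlo_full_rank(n, m, trials, seed=1):
    """Empirical estimate of full_rank_probability(n, m) from random matrices."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rows = [rng.getrandbits(n) for _ in range(m)]
        if gf2_rank(rows, n) == n:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for blocks in (68, 70, 73):
        m = equations_from_blocks(blocks)
        print(f"{blocks} blocks -> {m} equations: "
              f"theory {full_rank_probability(64, m):.3f}, "
              f"simulation {monte_carlo_full_rank(64, m, 2000):.3f}")
```

For 64, 66 and 69 equations the closed form gives about 0.289, 0.770 and 0.969, the same picture as the 29.7%, 75.9% and 96.6% the authors measured with 68, 70 and 73 blocks. The practical lesson is that a handful of surplus equations (five here) is enough to make the linear system solvable with probability above 95%, at the price of collecting a few more output blocks.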

B Specification of Toy-Version Xoofff

In this section, we specify the toy-version Xoofff, which is used to verify the linearization MitM attacks on Xoofff with reduced 3-/4-round Xoodoo. The round function of such toy-version Xoodoo is given in Algorithm 4. Meanwhile, the rolling function \(roll_{X_e}\) of the toy-version Xoofff updates a state A in the following way:

$$\begin{aligned} A_{0,0} \leftarrow A_{0,1}\cdot&A_{0,2} \oplus (A_{0,0}\lll 3) \oplus (A_{0,1}\lll 5) \oplus \mathtt {0x00000007}, \,\, B \leftarrow A_0 \lll (3,0),\\&A_0\leftarrow A_1, \qquad \qquad A_1\leftarrow A_2, \qquad \qquad A_2\leftarrow B. \end{aligned}$$

C Attack on Full-Round Xoofff without Constants

In this section, we propose an attack on the expansion part of Xoofff in the case where no round constant is present in the round function. This attack, which can potentially cover any number of rounds, is based on the following property:

Lemma 4

Consider two states \(S^1\) and \(S^2\) that satisfy the property \(S^1[x,y,z] = S^2[x-1,y,z]\) for all \(0\le x< 4\), \(0\le y <3\) and \(0\le z<32\), where the lane index \(x-1\) is taken modulo 4 (that is, \(S^2\) is \(S^1\) translated by one lane along x). After one round of Xoodoo without the \(\iota \) operation, the outputs \(C^1\) and \(C^2\) still satisfy the property \(C^1[x,y,z] = C^2[x-1,y,z]\).

Proof

By working as in the previous sections, note that:

$$\begin{aligned} \begin{bmatrix} {C^1[0,2] }&{} {C[1,2] }&{} { C[2,2]} &{}{ C[3,2]}\\ C^1[0,1] &{} C[1,1] &{} {{}C[2,1]} &{} {{} C[3,1]}\\ { C^1[0,0]} &{}{ C[1,0]} &{} { C[2,0]} &{}{ C[3,0]}\\ \end{bmatrix}&=\rho _{east}\circ \chi \circ \rho _{west}\circ \theta \left( \begin{bmatrix} {S^1[0,2] }&{} {S[1,2] }&{} { S[2,2]} &{}{ S[3,2]}\\ S^1[0,1] &{} S[1,1] &{} {{}S[2,1]} &{} {{} S[3,1]}\\ { S^1[0,0]} &{}{ S[1,0]} &{} { S[2,0]} &{}{ S[3,0]}\\ \end{bmatrix}\right) \\ \begin{bmatrix} {C[1,2] }&{} { C[2,2]} &{}{ C[3,2]} &{} {C^2[3,2] }\\ C[1,1] &{} {{}C[2,1]} &{} {{} C[3,1]} &{} C^2[3,1] \\ { C[1,0]} &{} { C[2,0]} &{}{ C[3,0]} &{} { C^2[3,0]}\\ \end{bmatrix}&=\rho _{east}\circ \chi \circ \rho _{west}\circ \theta \left( \begin{bmatrix} {S[1,2] }&{} { S[2,2]} &{}{ S[3,2]} &{} {S^2[3,2] }\\ S[1,1] &{} {{}S[2,1]} &{} {{} S[3,1]} &{} S^2[3,1] \\ { S[1,0]} &{} { S[2,0]} &{}{ S[3,0]} &{} { S^2[3,0]}\\ \end{bmatrix}\right) . \end{aligned}$$

The result follows immediately.    \(\square \)

Since \(\theta \), \(\rho _{west}\), \(\chi \) and \(\rho _{east}\) are all invariant under translation along x, the same argument applies round after round: without \(\iota \), the property of Lemma 4 is preserved by any number of rounds. Due to the relation between the outputs \(S^i\) and \(S^{i+3}\) of the rolling function:

$$ S^{i+3} = \begin{bmatrix} {S^{i}[1,2] }&{} { S^{i}[2,2]} &{}{ S^{i}[3,2]} &{} {S^{i+3}[3,2] }\\ S^{i}[1,1] &{} {{}S^{i}[2,1]} &{} {{} S^{i}[3,1]} &{} S^{i+3}[3,1] \\ { S^{i}[1,0]} &{} { S^{i}[2,0]} &{}{ S^{i}[3,0]} &{} { S^{i+3}[3,0]}\\ \end{bmatrix}. $$

the probability of the event \(S^{i+3}[3,y,z] =S^{i}[0,y,z]\) for \(y=0,1,2\) and for each z is equal to \(2^{-96}\). Hence, given approximately \(3\cdot 2^{96}\) output blocks, the probability that there exist \(S^i\) and \(S^{i+3}\) satisfying this property is \(1-(1-2^{-96})^{3\cdot 2^{96}} \approx 1 - e^{-3} \approx 95\%\). For such a pair, the two corresponding output blocks are related by a translation along x (after the final mask addition), whatever the number of rounds; as a result, it is possible to break the scheme.

D Different Constant Addition (Equivalently, \(\iota \)) Operation

One of the weaknesses exploited to set up the attack is the fact that, for each z,

$$ \rho _{west}\circ \theta (S^i) = \begin{bmatrix} \star &{} \star &{} \star &{} { S_{\rho _{west}}^i[3,2]} \\ \star &{} \star &{} \star &{}{ S_{\rho _{west}}^i[2,1]} \\ \star &{} \star &{} \star &{}{ S_{\rho _{west}}^i[3,0]} \\ \end{bmatrix} \text { iff } \rho _{west}\circ \theta (S^{i+3}) = \begin{bmatrix} \star &{} \star &{} { S_{\rho _{west}}^i[3,2]} &{}\star \\ \star &{} \star &{} { S_{\rho _{west}}^i[2,1]} &{} \star \\ \star &{} \star &{}{ S_{\rho _{west}}^i[3,0]} &{}\star \\ \end{bmatrix} $$

implies

$$ \chi \circ \iota \circ \rho _{west}\circ \theta (S^i) = \begin{bmatrix} \star &{} \star &{} \star &{} {S_{\chi }^i[3,2]} \\ \star &{} \star &{} \star &{}{ S^i_{\chi }[3,1]} \\ \star &{} \star &{} \star &{}{ S^i_{\chi }[3,0]} \\ \end{bmatrix} \text { iff } \chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3}) = \begin{bmatrix} \star &{} \star &{} { S^i_{\chi }[3,2]} &{}\star \\ \star &{} \star &{}{ S^i_{\chi }[3,1]}&{}\star \\ \star &{} \star &{}{ S^i_{\chi }[3,0]} &{}\star \\ \end{bmatrix} $$

since \(\iota [x,y,z] =0\) for each \((x,y) \ne (0,0)\).

What happens if \(\iota [x,y,z] \ne 0\)? Could this change (by itself) prevent the attack? As shown below, this is not the case.

Indeed, note that

$$\begin{aligned}&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,2] =\biggl (S_{\rho _{west}}^i[3,2] \oplus S_{\rho _{west}}^i[3,0] \oplus S_{\rho _{west}}^i[3,1] \cdot S_{\rho _{west}}^i[3,0]\biggr ) \\&\qquad \oplus \biggl (\iota [3,2] \oplus \iota [3,0] \oplus \iota [3,1] \cdot \iota [3,0]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,0] \cdot \iota [3,1] \oplus S_{\rho _{west}}^i[3,1] \cdot \iota [3,0] \biggr )\\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,1] =\biggl (S_{\rho _{west}}^i[3,1] \oplus S_{\rho _{west}}^i[3,2] \oplus S_{\rho _{west}}^i[3,2] \cdot S_{\rho _{west}}^i[3,0]\biggr ) \\&\qquad \oplus \biggl (\iota [3,1] \oplus \iota [3,2] \oplus \iota [3,2] \cdot \iota [3,0]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,2] \cdot \iota [3,0] \oplus S_{\rho _{west}}^i[3,0] \cdot \iota [3,2] \biggr )\\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,0] =\biggl (S_{\rho _{west}}^i[3,1] \oplus S_{\rho _{west}}^i[3,0] \oplus S_{\rho _{west}}^i[3,2] \cdot S_{\rho _{west}}^i[3,1]\biggr ) \\&\qquad \oplus \biggl (\iota [3,1] \oplus \iota [3,0] \oplus \iota [3,2] \cdot \iota [3,1]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,2] \cdot \iota [3,1] \oplus S_{\rho _{west}}^i[3,1] \cdot \iota [3,2] \biggr ) \end{aligned}$$

if and only if

$$\begin{aligned}&\chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,2] =\biggl (S_{\rho _{west}}^i[3,2] \oplus S_{\rho _{west}}^i[3,0] \oplus S_{\rho _{west}}^i[3,1] \cdot S_{\rho _{west}}^i[3,0]\biggr ) \\&\qquad \oplus \biggl (\iota [2,2] \oplus \iota [2,0] \oplus \iota [2,1] \cdot \iota [2,0]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,0] \cdot \iota [2,1] \oplus S_{\rho _{west}}^i[3,1] \cdot \iota [2,0] \biggr )\\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,1] =\biggl (S_{\rho _{west}}^i[3,1] \oplus S_{\rho _{west}}^i[3,2] \oplus S_{\rho _{west}}^i[3,2] \cdot S_{\rho _{west}}^i[3,0]\biggr ) \\&\qquad \oplus \biggl (\iota [2,1] \oplus \iota [2,2] \oplus \iota [2,2] \cdot \iota [2,0]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,2] \cdot \iota [2,0] \oplus S_{\rho _{west}}^i[3,0] \cdot \iota [2,2] \biggr )\\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,0] =\biggl (S_{\rho _{west}}^i[3,1] \oplus S_{\rho _{west}}^i[3,0] \oplus S_{\rho _{west}}^i[3,2] \cdot S_{\rho _{west}}^i[3,1]\biggr ) \\&\qquad \oplus \biggl (\iota [2,1] \oplus \iota [2,0] \oplus \iota [2,2] \cdot \iota [2,1]\biggr ) \oplus \biggl (S_{\rho _{west}}^i[3,2] \cdot \iota [2,1] \oplus S_{\rho _{west}}^i[3,1] \cdot \iota [2,2] \biggr ) \end{aligned}$$

Hence, since \(\iota \) is public and known, these 6 output bits depend only on the 3 unknown bits \(S_{\rho _{west}}^i[3,2], S_{\rho _{west}}^i[3,1], S_{\rho _{west}}^i[3,0]\). It follows that a distinguisher can still be set up. E.g., by considering

$$\begin{aligned}&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,2] \oplus \chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,2] \\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,1] \oplus \chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,1] \\&\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,0] \oplus \chi \circ \iota \circ \rho _{west}\circ \theta (S^{i+3})[2,0] \\ \end{aligned}$$

one obtains a system of three linear equations in \(S_{\rho _{west}}^i[3,2], S_{\rho _{west}}^i[3,1], S_{\rho _{west}}^i[3,0]\): the quadratic terms are the same on both sides and cancel in each XOR, so only terms that are linear in the unknowns (with coefficients given by the constants) and known constants remain. When the constants on lanes 2 and 3 coincide (in particular when both are zero, as in the original setting), the three XORs vanish identically and the distinguisher is simply the equality of the two columns. Once these 3 values are recovered, it suffices to check them against, e.g., the 3 equalities that define \(\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,2], \chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,1], \chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,0]\).

In conclusion, changing the round constants cannot prevent the attacks described before.
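The algebra of this appendix, carried out exhaustively as an added example (editor's code, not the paper's). It takes the three \(\chi \) expressions exactly as written above (one output column of three bits, indexed by the plane y only), packs a column and a triple of constants \(\iota [x,\cdot ]\) into an integer with bit y holding plane y (a packing convention chosen here, not taken from the page), checks for every one of the 64 possible constant assignments that the XOR of the column-3 bits of \(S^i\) with the column-2 bits of \(S^{i+3}\) is affine in the three shared bits, and measures what the distinguisher buys: the six observed bits can take only 8 of 64 values.

```python
from itertools import product


def unpack(v):
    """3-bit column packed as an int: bit y holds the plane-y bit (y = 2, 1, 0)."""
    return (v >> 2) & 1, (v >> 1) & 1, v & 1


def pack(a2, a1, a0):
    return (a2 << 2) | (a1 << 1) | a0


def col_chi(v):
    """The three output bits of chi on one column, exactly as expanded in
    Appendix D (the lane index x is fixed, only the plane index y varies)."""
    a2, a1, a0 = unpack(v)
    return pack(a2 ^ a0 ^ (a1 & a0),
                a1 ^ a2 ^ (a2 & a0),
                a1 ^ a0 ^ (a2 & a1))


def observed_bits(s, c3, c2):
    """(column 3 of chi.iota.rho_west.theta(S^i), column 2 of the same for S^{i+3}).

    s  : the 3 shared bits S^i_{rho_west}[3,2], [3,1], [3,0] (packed)
    c3 : iota[3,2], iota[3,1], iota[3,0] (packed); c2 likewise for lane x = 2.
    Expanding chi(s ^ c) reproduces the page's expressions term by term.
    """
    return col_chi(s ^ c3), col_chi(s ^ c2)


def difference_is_affine(c3, c2):
    """Is s -> col_chi(s ^ c3) ^ col_chi(s ^ c2) affine (degree <= 1) in s?
    Checked by requiring every second-order derivative to vanish."""
    def d(s):
        return col_chi(s ^ c3) ^ col_chi(s ^ c2)
    return all(d(s) ^ d(s ^ u) ^ d(s ^ v) ^ d(s ^ u ^ v) == 0
               for s, u, v in product(range(8), repeat=3))


def reachable_outputs(c3, c2):
    """All 6-bit patterns the two columns can show, over the 8 values of s."""
    return {observed_bits(s, c3, c2) for s in range(8)}


def false_positive_rate(c3, c2):
    """Probability that 6 uniformly random bits pass the distinguisher."""
    return len(reachable_outputs(c3, c2)) / 64


def worst_case_false_positive():
    """Maximum over every possible choice of constants on lanes 2 and 3."""
    return max(false_positive_rate(c3, c2) for c3, c2 in product(range(8), repeat=2))


if __name__ == "__main__":
    print("differences affine for all 64 constant choices:",
          all(difference_is_affine(c3, c2) for c3, c2 in product(range(8), repeat=2)))
    print("reachable outputs with zero constants:", sorted(reachable_outputs(0, 0)))
    print("worst-case false-positive rate:", worst_case_false_positive())
```

With \(\iota [3,\cdot ] = \iota [2,\cdot ]\) (in particular both zero, the original setting) the three differences vanish identically and the distinguisher is the equality of the two columns; for other constants the coefficients of the linear system are read off from the expansions above. In every case a random pair of columns passes with probability 1/8, so the test has the same strength regardless of the constants, which is the conclusion of the appendix. The argument only uses that \(\chi \) is quadratic and that its quadratic part does not see the constant, so it does not depend on which orientation of \(\chi \) is used.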

E Higher-Order Differential on Xoofff

Given a function \(f:\mathbb F_2^n \rightarrow \mathbb F_2^n\) of algebraic degree d, consider a subspace \(\mathcal V \subseteq \mathbb F_2^n\) of dimension greater than d (that is, \(\dim (\mathcal V) \ge d+1\)). For each affine subspace \(\mathcal V \oplus v\), it is possible to show that

$$ \bigoplus _{x\in \mathcal V\oplus v} f(x) = 0. $$

This is the property used in a higher-order differential attack [11].

The attack that we are going to present resembles the one already presented in [7]. Since \(\deg (\chi )=2\), the algebraic degree after r rounds of Xoodoo is upper bounded by \(2^r\). Since the complexity of the attack cannot exceed \(2^{128}\), we can cover at most 6 rounds using the zero-sum property: a subspace of dimension \(2^7+1 = 129\), as needed for 7 rounds, would already require \(2^{129}\) evaluations. Hence:

  • we construct a subspace of dimension \(2^6+1=65\);

  • we exploit the zero-sum to find the key.
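Both symmetry facts used in these appendices, the x-translation invariance of Lemma 4 (Appendix C) and the zero-sum property that limits this higher-order differential attack to 6 rounds, can be checked on a straight-line implementation of the Xoodoo round. The following is an added example written by the editor; it is neither the authors' attack code (which lives in the repository cited in the notes) nor the Xoodoo reference implementation. The round function and round constants are transcribed from the Xoodoo specification as the editor recalls it and should be cross-checked against the reference code before any other use; both properties demonstrated here depend only on the structure (lane-translation-invariant linear steps, a quadratic \(\chi \), \(\iota \) confined to lane (0,0)), not on the exact rotation offsets or constant values.

```python
import random

MASK32 = 0xFFFFFFFF
# Round constants as transcribed by the editor from the Xoodoo specification
# (verify against the reference implementation before relying on them); their
# exact values do not matter for either property demonstrated below.
ROUND_CONSTANTS = [0x058, 0x038, 0x3C0, 0x0D0, 0x120, 0x014,
                   0x060, 0x02C, 0x380, 0x0F0, 0x1A0, 0x012]


def rotl32(v, r):
    r %= 32
    return ((v << r) | (v >> (32 - r))) & MASK32 if r else v


# A state is a[y][x]: 3 planes (y), each of 4 lanes (x) of 32 bits (z).
def plane_shift(plane, t, v):
    """(A <<< (t, v))[x] = A[x - t] <<< v, lane index taken modulo 4."""
    return [rotl32(plane[(x - t) % 4], v) for x in range(4)]


def theta(a):
    p = [a[0][x] ^ a[1][x] ^ a[2][x] for x in range(4)]           # column parity
    e = [u ^ w for u, w in zip(plane_shift(p, 1, 5), plane_shift(p, 1, 14))]
    return [[a[y][x] ^ e[x] for x in range(4)] for y in range(3)]


def rho_west(a):
    return [a[0][:], plane_shift(a[1], 1, 0), plane_shift(a[2], 0, 11)]


def chi(a):
    """Column-wise: A_y ^= ~A_{y+1} & A_{y+2} (plane indices mod 3), degree 2."""
    return [[a[y][x] ^ (~a[(y + 1) % 3][x] & a[(y + 2) % 3][x] & MASK32)
             for x in range(4)] for y in range(3)]


def rho_east(a):
    return [a[0][:], plane_shift(a[1], 0, 1), plane_shift(a[2], 2, 8)]


def xoodoo_round(a, rc=None):
    """theta, rho_west, iota (only if rc is given), chi, rho_east."""
    a = rho_west(theta(a))
    if rc is not None:
        a = [[a[0][0] ^ rc] + a[0][1:], a[1][:], a[2][:]]   # iota hits lane (x, y) = (0, 0)
    return rho_east(chi(a))


def xoodoo(a, rounds, with_iota=True):
    """`rounds` rounds; as in the specification, the last `rounds` constants are used."""
    rcs = ROUND_CONSTANTS[-rounds:] if with_iota else [None] * rounds
    for rc in rcs:
        a = xoodoo_round(a, rc)
    return a


def shift_x(a, t):
    """Translate the whole state along x: shift_x(S, t)[x, y] = S[x - t, y] (mod 4)."""
    return [plane_shift(plane, t, 0) for plane in a]


def random_state(seed):
    rng = random.Random(seed)
    return [[rng.getrandbits(32) for _ in range(4)] for _ in range(3)]


def shift_commutes(a, t, rounds, with_iota):
    """Lemma 4: does translating the input along x translate the output the same way?"""
    return xoodoo(shift_x(a, t), rounds, with_iota) == shift_x(xoodoo(a, rounds, with_iota), t)


def state_to_int(a):
    v = 0
    for y in range(3):
        for x in range(4):
            v = (v << 32) | a[y][x]
    return v


def int_to_state(v):
    lanes = [(v >> (32 * (11 - i))) & MASK32 for i in range(12)]
    return [lanes[4 * y:4 * y + 4] for y in range(3)]


def zero_sum_holds(rounds, dim, seed):
    """XOR of Xoodoo^rounds(x) over the affine space v + <u_0, ..., u_{dim-1}>.

    deg(Xoodoo^rounds) <= 2^rounds, so dim >= 2^rounds + 1 forces the sum to be
    zero (Appendix E); for smaller dim it is non-zero for generic directions.
    Directions are random 384-bit vectors, independent with overwhelming probability.
    """
    rng = random.Random(seed)
    x = rng.getrandbits(384)
    dirs = [rng.getrandbits(384) for _ in range(dim)]
    acc = state_to_int(xoodoo(int_to_state(x), rounds))
    for mask in range(1, 1 << dim):          # Gray-code walk: flip one direction per step
        x ^= dirs[(mask & -mask).bit_length() - 1]
        acc ^= state_to_int(xoodoo(int_to_state(x), rounds))
    return acc == 0


if __name__ == "__main__":
    s = random_state(2020)
    print("x-translation commutes with 12 rounds, no iota  :", shift_commutes(s, 3, 12, False))
    print("x-translation commutes with 1 round, with iota  :", shift_commutes(s, 3, 1, True))
    print("zero-sum, 3 rounds, subspace dimension 9 (=2^3+1):", zero_sum_holds(3, 9, seed=1))
    print("zero-sum, 1 round,  subspace dimension 2 (<2^1+1):", zero_sum_holds(1, 2, seed=1))
```

`shift_commutes(S, 3, r, False)` is exactly the relation of Lemma 4 (\(S^2[x] = S^1[x+1]\), i.e. \(S^1[x] = S^2[x-1]\) with x taken modulo 4) after r rounds; with \(\iota \) enabled it fails already after one round, because the constant lands on lane (0,0) of one state and on what corresponds to lane (1,0) of the other. `zero_sum_holds(r, 2**r + 1, seed)` is always true, while `zero_sum_holds(1, 2, seed)` is false for generic directions, which is why a subspace of dimension \(2^r + 1\) (65 for 6 rounds, 129 for 7) is needed and why 7 rounds is out of reach under a \(2^{128}\) budget.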

E.1 Idea of the Attack

Constructing the Subspace \(\mathcal V\) . In order to construct the subspace \(\mathcal V\), we just re-use the strategy proposed in [7, Sect. 4.1]. Given an n-block padded message \(M= (m_0, ..., m_{n-1})\), let Acc(M) be the associated accumulator value \(\bigoplus _{i} p_c(m_i\oplus k_i^{in})\). Let \(M^0= (m_0^0,...,m^0_{n-1})\) and \(M^1= (m^1_0,..., m^1_{n-1})\) denote an arbitrary pair of padded messages such that \(m^0_l \ne m^1_l\) for all l. We define the following structure of \(2^n\) n-block messages:

$$ \mathcal V \oplus v = Acc(M^0) \oplus \langle \delta _0, ..., \delta _{n-1}\rangle $$

where for each i:

$$ \delta _i = p_c(m_i^0\oplus k_i^{in}) \oplus p_c(m_i^1\oplus k_i^{in}). $$

As shown in [7, Sect. 4.1], the \(\delta _i\) are linearly independent with overwhelming probability if \(n \ll b =384\) (independently of \(p_c(\cdot )\)).

Finding the Key. Given \(\mathcal V\), the strategy of the attack is to construct a system of equations that describe the last r rounds (where the final mask \(k^\prime \) is the variable) and solve it:

$$ \mathcal V \oplus v \xrightarrow {R^6(\cdot )} \text {zero-sum} \xleftarrow [{\text { mask-recovery}}]{k^\prime \oplus R^{-r}(\cdot )} \text { corresponding output blocks } \{C^i\}_i $$

Note that the same output mask \(k^\prime \) is used in each output block: hence, the number of variables is independent of the number of considered output blocks. In order to solve the system, the idea is to use the linearization technique described before.

E.2 Cost of the Attack

In order to set up the attack, we just re-use the results presented in Sect. 5. In a linearization attack on 3-round Xoodoo, the number of variables in the system is upper bounded by \(2^{35.4}\). Hence:

  • at least \(2^{35.4} \cdot 2^{65} = 2^{100.4}\) pairs of input/output blocks are necessary to construct the system of equations to solve (that is, \(2 \cdot 2^{100.4} = 2^{101.4}\) blocks in total, counting inputs and outputs);

  • the cost to construct the system of equations is given by \(2^{100.4}\) XORs;

  • the cost to solve the system of equations is given by \(\mathcal O\left( (2^{35.4})^3\right) = 2^{106.2}\) operations and a memory cost of \(\mathcal O\left( (2^{35.4})^2\right) = 2^{70.8}\) bits.

Hence, the overall cost of the attack is approximately given by \(2^{100.4} + 2^{106.2} \approx 2^{106.3} \) operations.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Cui, T., Grassi, L. (2021). Algebraic Key-Recovery Attacks on Reduced-Round Xoofff. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science(), vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_7

  • DOI: https://doi.org/10.1007/978-3-030-81652-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0
