Abstract
Farfalle, a permutation-based construction for building a pseudorandom function (PRF), is very versatile. It can be used as a message authentication code, stream cipher, key derivation function, authenticated encryption scheme and so on. The Farfalle construction relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer.
As one instance of Farfalle, Xoofff is very efficient on a wide range of platforms, from low-end devices to high-end processors, by combining the narrow permutation Xoodoo with the inherent parallelism of Farfalle. In this paper, we present key-recovery attacks on reduced-round Xoofff. After identifying a weakness in the expanding rolling function, we first propose practical attacks on Xoofff instantiated with 1-/2-round Xoodoo in the expansion layer. We next extend such attacks to Xoofff instantiated with 3-/4-round Xoodoo in the expansion layer by making use of Meet-in-the-Middle algebraic attacks and the linearization technique. All attacks proposed here – which are independent of the details of the compression and/or middle layer – have been practically verified (either on the “real” Xoofff or on a toy-version Xoofff with a block size of 96 bits). As a countermeasure, we discuss how to slightly modify the rolling function for free in order to reduce the number of attackable rounds.
Notes
1. The source code is publicly available at https://github.com/Tammy-Cui/AttackXoofff.
2. Note that solving a system of \(x\ge 1\) linear equations in x variables corresponds to computing the inverse of an \(x\times x\) matrix. Hence, inverting such a matrix costs \(\mathcal O(x^\omega )\) operations for \(2< \omega \le 3\) (e.g., using the fast Gaussian elimination algorithm [12], which costs \(\mathcal O(x^3)\)), while the memory cost to store such a matrix is proportional to \(\mathcal O(x^2)\).
3. Here we emphasize the relation between \(\rho _{west}\circ \theta (S^i)\) and \(\rho _{west}\circ \theta (S^{i+3})\) by highlighting the components of \(\rho _{west}\circ \theta (S^i)\) that are also in \(\rho _{west}\circ \theta (S^{i+3})\). We use the symbol “\(\star \)” to denote all other components.
References
Bernstein, D.J., et al.: Gimli : a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: The authenticated encryption schemes Kravatte-SANE and Kravatte-SANSE. Cryptology ePrint Archive, Report 2018/1012 (2018). https://eprint.iacr.org/2018/1012
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19
Chaigneau, C., et al.: Key-recovery attacks on full Kravatte. IACR Trans. Symmetric Cryptol. 2018(1), 5–28 (2018)
Daemen, J., Hoffert, S., Assche, G.V., Keer, R.V.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018)
Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Xoodoo cookbook. Cryptology ePrint Archive, Report 2018/767 (2018)
Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Koç, Ç.K., Arachchige, S.N.: A fast algorithm for Gaussian elimination over GF(2) and its implementation on the GAPP. J. Parallel Distrib. Comput. 13(1), 118–122 (1991)
Liu, F., Isobe, T., Meier, W., Yang, Z.: Algebraic attacks on round-reduced Keccak/Xoodoo. Cryptology ePrint Archive, Report 2020/346 (2020). https://eprint.iacr.org/2020/346
Zhou, H., Zong, R., Dong, X., Jia, K., Meier, W.: Interpolation attacks on round-reduced Elephant, Kravatte and Xoofff. Cryptology ePrint Archive, Report 2020/781 (2020). https://eprint.iacr.org/2020/781
Acknowledgment
The symmetry property of the state rolling function presented in Sect. 3.1 was found by Joan Daemen. The authors thank him for his suggestion to exploit such a symmetry property as a possible starting point for key-recovery attacks on the expansion part of Xoofff. The authors also thank the reviewers for their valuable comments, and Kalikinkar Mandal for shepherding this final version of the paper. Lorenzo Grassi and Tingting Cui are supported by the European Research Council under the ERC advanced grant agreement under grant ERC-2017-ADG Nr. 788980 ESCADA. Besides that, Tingting Cui is also supported by NSFC Projects (No. 61902100).
Appendices
A Attack on Xoofff (2-round Xoodoo): Details for Step 2
Here we provide more details regarding the second step of the attack presented in Sect. 4.3.
In such a step, the attacker sets up a system of linear equations in 64 variables. Since the coefficients of the corresponding matrix are (in general) not independent, it is possible that the matrix is not invertible. Hence, more equations are in general necessary in order to have a good probability of finding 64 independent linear equations. By practical tests we found that, using 68, 70 and 73 (consecutive) output blocks, the probability of success (i.e., of finding 64 linearly independent equations) is respectively \(29.7\%\), \(75.9\%\) and \(96.6\%\).
Here we analyze these probabilities from a theoretical point of view.
Lemma 3
If the n-bit vectors \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s-1}\) are linearly independent (\(s<n\)), then the probability that another random n-bit vector \(\mathbf {a}_{s}\) is linearly independent of these s vectors is \(\frac{2^{n}-2^{s} + 1}{2^{n}} \approx 1-2^{s-n}\).
Proof
The space \(\mathcal {S}\) spanned by \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s-1}\) contains \(2^s-1\) (non-null) vectors. As long as \(\mathbf {a}_{s}\) does not belong to \(\mathcal {S}\), the vectors \(\mathbf {a}_{0}, \mathbf {a}_{1},\ldots ,\mathbf {a}_{s}\) are linearly independent. Thus, \(\mathbf {a}_{s}\) has \(2^{n}-2^{s} + 1\) possible values, which means that the probability is \(\frac{2^{n}-2^{s} + 1}{2^{n}}\). \(\square \)
In order to compute \(Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{63} \text { linearly independent})\), we can use the law of total probability. Let \(\{B_n\}_n\) be a finite or countably infinite partition of a sample space. By the law of total probability: \( Prob(A) = \sum _{B_n} Prob(A \, | \, B_n) \cdot Prob(B_n). \) For each \(x\ge 1\), it follows that:
where note that
Working iteratively, it follows that \(Prob(\mathbf {a}_{0},\mathbf {a}_{1}, \ldots , \mathbf {a}_{63} \text { linearly independent})\) is equal to
This result matches the practical probability we found in our experiments.
It follows that, given 64 equations (which corresponds to 68 output blocks), at least 61 of them are linearly independent with probability (higher than) \(\frac{15}{16} \cdot \ldots \cdot \frac{2^{64} - 1}{2^{64}} \approx 88.5\%\). Also this theoretical result matches the one found in our practical tests.
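The success probabilities above can be reproduced with the standard chain-rule formula and checked by simulation. The following Python is an added example, not code from the paper or its repository; it assumes that uniformly random coefficient vectors model the attack's equations and that, as 68 output blocks give 64 equations, 70 and 73 blocks give 66 and 69 equations in the 64 unknowns.

```python
import random

def gf2_rank(rows):
    """Rank over GF(2) of vectors given as Python ints (bit i = coordinate i).
    Gaussian elimination with an xor basis: the 'invert the matrix' step of
    Note 2; a rank below the number of unknowns means the collected equations
    do not determine them."""
    pivots = []  # basis vectors with distinct leading bits, decreasing order
    for v in rows:
        for p in pivots:  # p's leading bit is set in v  <=>  v ^ p < v
            v = min(v, v ^ p)
        if v:
            pivots.append(v)
            pivots.sort(reverse=True)
    return len(pivots)

def prob_full_rank(n_vars, n_eqs):
    """Exact probability that n_eqs uniformly random equations in n_vars
    unknowns have rank n_vars (n_eqs >= n_vars): the i-th new direction is
    independent of the previous ones with probability 1 - 2^(i - n_eqs),
    the chain-rule argument of Lemma 3 and the law of total probability."""
    p = 1.0
    for i in range(n_vars):
        p *= 1.0 - 2.0 ** (i - n_eqs)
    return p

def simulate_full_rank(n_vars, n_eqs, trials=600, seed=1):
    """Monte Carlo estimate of the same probability, modelling the attack's
    coefficient vectors as uniformly random rows (constructed input)."""
    rng = random.Random(seed)
    hits = sum(gf2_rank([rng.getrandbits(n_vars) for _ in range(n_eqs)]) == n_vars
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    # Assumption: as 68 blocks -> 64 equations, 70 and 73 output blocks
    # yield 66 and 69 equations in the 64 unknowns.
    for blocks, n_eqs in ((68, 64), (70, 66), (73, 69)):
        print(f"{blocks} blocks / {n_eqs} eqs: exact {prob_full_rank(64, n_eqs):.3f}"
              f"  simulated {simulate_full_rank(64, n_eqs):.3f}")
    # The lower bound quoted for 'at least 61 of 64 independent' is the
    # probability that the first 61 equations are already independent.
    print(f"first 61 of 64 independent: {prob_full_rank(61, 64):.3f}")
```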
B Specification of Toy-Version Xoofff
In this section, we specify the toy-version Xoofff, which is used to verify the linearization MitM attacks on Xoofff with reduced 3-/4-round Xoodoo. The round function of such toy-version Xoodoo is given in Algorithm 4. Meanwhile, the rolling function \(roll_{X_e}\) of the toy-version Xoofff updates a state A in the following way:
C Attack on Full-Round Xoofff without Constants
In this section, we propose an attack on the expansion part of Xoofff where no round constant is present in the round function. Such an attack – which can potentially cover any number of rounds – is based on the following property:
Lemma 4
Consider two states \(S^1\) and \(S^2\) that satisfy the property \(S^1[x,y,z] = S^2[x-1,y,z]\) for all \(0\le x< 4\), \(0\le y <3\) and \(0\le z<32\). After one-round Xoodoo without \(\iota \) operation, the output \(C^1\) and \(C^2\) still satisfy the property \(C^1[x,y,z] = C^2[x-1,y,z]\).
Proof
By working as in the previous sections, note that:
The result follows immediately. \(\square \)
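Lemma 4 can be checked directly on a bit-level model of the Xoodoo round: every step except \(\iota \) is invariant under translation along x, so the relation survives any number of rounds once the constant is removed, and breaks after one round as soon as a non-zero constant is added. The following Python is an added example (not the paper's or the Xoodoo team's code); it follows the public Xoodoo specification for \(\theta \), \(\rho _{west}\), \(\chi \) and \(\rho _{east}\), with the state stored as 3 planes of 4 lanes of 32 bits.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl32(v, r):
    r %= 32
    return ((v << r) | (v >> (32 - r))) & MASK32 if r else v

def shift_plane(plane, t, v):
    """Xoodoo plane shift <<<(t, v): lane (x, z) moves to (x + t, z + v)."""
    return [rotl32(plane[(x - t) % 4], v) for x in range(4)]

def xoodoo_round(state, iota=0):
    """One Xoodoo round on state[y][x] (bit z); iota is XORed into lane (0, 0),
    iota=0 gives the constant-free round of Appendix C."""
    a0, a1, a2 = state
    p = [a0[x] ^ a1[x] ^ a2[x] for x in range(4)]            # theta
    e1, e2 = shift_plane(p, 1, 5), shift_plane(p, 1, 14)
    e = [e1[x] ^ e2[x] for x in range(4)]
    a0, a1, a2 = [[pl[x] ^ e[x] for x in range(4)] for pl in (a0, a1, a2)]
    a1, a2 = shift_plane(a1, 1, 0), shift_plane(a2, 0, 11)    # rho_west
    a0 = [a0[0] ^ iota] + a0[1:]                              # iota
    b0 = [~a1[x] & a2[x] for x in range(4)]                   # chi
    b1 = [~a2[x] & a0[x] for x in range(4)]
    b2 = [~a0[x] & a1[x] for x in range(4)]
    a0 = [(a0[x] ^ b0[x]) & MASK32 for x in range(4)]
    a1 = [(a1[x] ^ b1[x]) & MASK32 for x in range(4)]
    a2 = [(a2[x] ^ b2[x]) & MASK32 for x in range(4)]
    a1, a2 = shift_plane(a1, 0, 1), shift_plane(a2, 2, 8)     # rho_east
    return [a0, a1, a2]

def shift_x(state):
    """Return S2 with S2[x-1, y, z] = S1[x, y, z] (every lane one column left)."""
    return [[plane[(x + 1) % 4] for x in range(4)] for plane in state]

def lemma4_holds(state, iota=0, rounds=1):
    """Does C1[x,y,z] = C2[x-1,y,z] still hold after `rounds` rounds?"""
    s1, s2 = state, shift_x(state)
    for _ in range(rounds):
        s1, s2 = xoodoo_round(s1, iota), xoodoo_round(s2, iota)
    return shift_x(s1) == s2

def random_state(seed):
    """Constructed random state, stands in for a rolling-function output S^i."""
    rng = random.Random(seed)
    return [[rng.getrandbits(32) for _ in range(4)] for _ in range(3)]

if __name__ == "__main__":
    s = random_state(2020)
    print("no constant, 12 rounds:", lemma4_holds(s, rounds=12))  # True
    print("with constant 0x58:    ", lemma4_holds(s, iota=0x58))  # False
```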
Due to the relation between the output of the rolling functions \(S^i\) and \(S^{i+3}\):
the probability of the event \(S^{i+3}[3,y,z] =S^{i}[0,y,z]\) for \(y=0,1,2\) and for each z is equal to \(2^{-96}\). Hence, given approximately \(3\cdot 2^{96}\) output blocks, the probability that there exist \(S^i\) and \(S^{i+3}\) satisfying the previous property is \(1-(1-2^{-96})^{3\cdot 2^{96}} \approx 1 - e^{-3} \approx 95\%\): as a result, it is possible to break the scheme.
D Different Constant Addition (Equivalently, \(\iota \)) Operation
One of the weaknesses exploited to set up the attack is the fact that, for each z,
implies
since \(\iota [x,y,z] =0\) for each \((x,y) \ne (0,0)\).
What happens if \(\iota [x,y,z] \ne 0\)? Could this change (by itself) prevent the attack? As shown below, this is not the case.
Indeed, note that
if and only if
Hence, since \(\iota \) is public and known, these 6 output bits depend only on 3 bits. It follows that a distinguisher can still be set up. E.g., by considering
one can get a system of three linear equations in \(S_{\rho _{west}}^i[3,2], S_{\rho _{west}}^i[3,1], S_{\rho _{west}}^i[3,0]\). Once these 3 values are given, it is sufficient to check them against e.g. the 3 equalities that define \(\chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,2], \chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,1], \chi \circ \iota \circ \rho _{west}\circ \theta (S^i)[3,0]\).
In conclusion, changing the round constants cannot prevent the attacks described before.
E Higher-Order Differential on Xoofff
Given a function \(f:\mathbb F_2^n \rightarrow \mathbb F_2^n\) of algebraic degree d, consider a subspace \(\mathcal V \subseteq \mathbb F_2^n\) of dimension greater than d (that is, \(\dim (\mathcal V) \ge d+1\)). For each affine subspace \(\mathcal V \oplus v\), it is possible to show that
This is the property used in a higher-order differential attack [11].
The attack that we are going to present resembles the one already presented in [7]. Since \(\deg (\chi )=2\), the degree after r rounds of Xoodoo is upper bounded by \(2^r\): since the complexity of the attack cannot be greater than \(2^{128}\), we can cover at most 6 rounds using the zero-sum property. Hence:
- we construct a subspace of dimension \(2^6+1=65\);
- we exploit the zero-sum to find the key.
E.1 Idea of the Attack
Constructing the Subspace \(\mathcal V\). In order to construct the subspace \(\mathcal V\), we just re-use the same strategy proposed in [7, Sect. 4.1]. Given an n-block padded message \(M= (m_0, ..., m_{n-1})\), let Acc(M) be the associated accumulator value \(\bigoplus _{i} p_c(m_i\oplus k_i^{in})\). Let \(M^0= (m_0^0,...,m^0_{n-1})\) and \(M^1= (m^1_0,..., m^1_{n-1})\) denote an arbitrary pair of padded messages such that \(m^0_l \ne m^1_l\) for all l. We define the following structure of \(2^n\) n-block messages:
where for each i:
As shown in [7, Sect. 4.1], the \(\delta _i\) are linearly independent with overwhelming probability if \(n \ll b =384\) (independently of \(p_c(\cdot )\)).
Finding the Key. Given \(\mathcal V\), the strategy of the attack is to construct a system of equations that describe the last r rounds (where the final mask \(k^\prime \) is the variable) and solve it:
Note that the same output mask \(k^\prime \) is used in each output block: hence, the number of variables is independent of the number of considered output blocks. In order to solve the system, the idea is to use the linearization technique described before.
E.2 Cost of the Attack
In order to set up the attack, we just re-use the results presented in Sect. 5. In a linearization attack on 3-round Xoodoo, the number of variables in the system is upper bounded by \(2^{35.4}\). Hence:
- at least \(2^{35.4} \cdot 2^{65}\) pairs of input/output blocks are necessary to construct the system of equations to solve, for a total cost of \(2^{35.4} \cdot 2^{65} \cdot 2 = 2^{100.4}\) input/output blocks;
- the cost to construct the system of equations is given by \(2^{100.4}\) XORs;
- the cost to solve the system of equations is given by \(\mathcal O\left( (2^{35.4})^3\right) = 2^{106.2}\) operations and a memory cost of \(\mathcal O\left( (2^{35.4})^2\right) = 2^{70.8}\) bits.
Hence, the overall cost of the attack is approximately given by \(2^{100.4} + 2^{106.2} \approx 2^{106.3} \) operations.
© 2021 Springer Nature Switzerland AG
Cui, T., Grassi, L. (2021). Algebraic Key-Recovery Attacks on Reduced-Round Xoofff. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science(), vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_7
DOI: https://doi.org/10.1007/978-3-030-81652-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81651-3
Online ISBN: 978-3-030-81652-0