Paper 2018/767

Xoodoo cookbook

Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche, and Ronny Van Keer


This document presents Xoodoo, a 48-byte cryptographic permutation that allows very efficient symmetric crypto on a wide range of platforms and a suite of cryptographic functions built on top of it. The central function in this suite is Xoofff, obtained by instantiating Farfalle with Xoodoo. Xoofff is what we call a deck function and can readily be used for MAC computation, stream encryption and key derivation. The suite includes two session authenticated encryption (SAE) modes: Xoofff-SANE and Xoofff-SANSE. Both are built on top of Xoofff and differ in their robustness with respect to nonce misuse. Other members of the suite are a tweakable wide block cipher Xoofff-WBC and authenticated encryption mode Xoofff-WBC-AE, obtained by instantiating the Farfalle-WBC and Farfalle-WBC-AE constructions with Xoofff. Finally, for lightweight applications, we define Xoodyak, a cryptographic scheme that can be used for hashing, encryption, MAC computation and authenticated encryption. Essentially, it is a duplex object extended with an interface that allows absorbing strings of arbitrary length, their encryption and squeezing output of arbitrary length. This paper is a specification and security claim reference for the Xoodoo suite. It is a standing document: over time, we may extend the Xoodoo suite, and we will update it accordingly.

Note: Added Xoodyak

Available format(s)
Publication info
Preprint. MINOR revision.
permutation-based cryptoFarfalleduplex constructiondec functionshashingdeck functionsauthenticated encryption
Contact author(s)
joan @ cs ru nl
2019-03-14: revised
2018-08-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joan Daemen and Seth Hoffert and Michaël Peeters and Gilles Van Assche and Ronny Van Keer},
      title = {Xoodoo cookbook},
      howpublished = {Cryptology ePrint Archive, Paper 2018/767},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.