Paper 2020/1201

Algebraic Key-Recovery Attacks on Reduced-Round Xoofff

Tingting Cui and Lorenzo Grassi


Farfalle, a permutation-based construction for building a pseudorandom function (PRF), is really versatile. It can be used for message authentication code, stream cipher, key derivation function, authenticated encryption and so on. Farfalle construction relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer. As one instance of Farfalle, Xoofff is very efficient on a wide range of platforms from low-end devices to high-end processors by combining the narrow permutation Xoodoo and the inherent parallelism of Farfalle. In this paper, we present key-recovery attacks on reduced-round Xoofff. After identifying a weakness in the expanding rolling function, we first propose practical attacks on Xoofff instantiated with 1-/2-round Xoodoo in the expansion layer. We next extend such attack on Xoofff instantiated with 3-/4-round Xoodoo in the expansion layer by making use of Meet-in-the-Middle algebraic attacks and the linearization technique. All attacks proposed here -- which are independent of the details of the compression and/or middle layer -- have been practically verified (either on the "real" Xoofff or on a toy-version Xoofff with block-size of 96 bits). As a countermeasure, we discuss how to slightly modified the rolling function for free to reduce the number of attackable rounds.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. SAC 2020
FarfalleXoofffXoodooKey-Recovery Attacks
Contact author(s)
Tingting Cui @ ru nl
l grassi @ science ru nl
2020-10-06: received
Short URL
Creative Commons Attribution


      author = {Tingting Cui and Lorenzo Grassi},
      title = {Algebraic Key-Recovery Attacks on Reduced-Round Xoofff},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1201},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.