6 December 2017

Farfalle construction and Kravatte pseudo-random function

We are glad to announce the final version of the Farfalle construction and of the Kravatte pseudo-random function and encryption schemes.

First published in late 2016 on IACR ePrint, an update of our paper Farfalle: parallel permutation-based cryptography was accepted at the journal Transactions on Symmetric Cryptography (ToSC). We will present it at the yearly Fast Software Encryption (FSE) conference in Brugge, Belgium, in March 2018.

  • Farfalle is a new generic construction for building a pseudo-random function (PRF) exploiting the parallel evaluation of a cryptographic permutation. The PRF takes as input a key and a sequence of arbitrary-length data strings, and returns an arbitrary-length output. To an adversary not knowing the key, these output bits look like independent uniformly-drawn random bits. Farfalle can readily be used for stream encryption and MAC computation, and we define several modes for authenticated encryption on top of it.
  • Kravatte is a high-speed instance of Farfalle based on Keccak-p[1600] permutations, claimed to resist classical and quantum adversaries. Modes for authentication, encryption and authenticated encryption are defined accordingly.

In the last couple of months, we applied some changes to both Farfalle and Kravatte¹. This was due to prompt third-party cryptanalysis by different researchers. First, Ling Song and Jian Guo contacted us with a key recovery cube attack on the (full) previous version of Kravatte. Then a second team of cryptanalysts (who wish to stay anonymous at this point, as their paper is under submission) sent us the description of even more powerful attacks targeting the expansion layer specifically. Consequently, we modified Kravatte by taking 6 rounds for all four permutation instances. And to counteract the attacks of the second team, we made a more fundamental change by adopting a non-linear rolling function in the expansion layer. We realize that switching from a linear rolling function to a non-linear one is a change in philosophy, and we discuss it in the paper.
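To make the structure described above concrete, here is an added toy illustration (not code from the Keccak team, the paper or the KCP) of a PRF in the Farfalle shape: a compression layer in which every padded input block is masked with a rolled key and permuted independently (hence the parallelism), an accumulator, a middle permutation, and an expansion layer in which a rolling function drives successive output blocks. The 64-bit permutation, both rolling functions, the 10* padding and the way string boundaries and the output mask are handled are all constructed simplifications assumed for this example; Kravatte's actual round functions, rolling functions and domain separation are defined in the paper, and nothing here is claimed to be secure. The expansion layer's rolling function is a parameter so that the linear-versus-non-linear choice the announcement discusses is visible in one place.

```python
from typing import Callable, List

MASK64 = (1 << 64) - 1
BLOCK = 8   # 64-bit blocks: the toy permutation width (Kravatte uses Keccak-p[1600])


def toy_perm(x: int, rounds: int = 6) -> int:
    """Constructed 64-bit permutation, NOT Keccak-p. Each step (constant add,
    xorshift, odd multiply) is a bijection on 64-bit words, so the whole map is
    a permutation. Six rounds mirrors the round count given for Kravatte."""
    for r in range(rounds):
        x = (x + 0x9E3779B97F4A7C15 * (r + 1)) & MASK64
        x ^= (x << 13) & MASK64
        x ^= x >> 7
        x ^= (x << 17) & MASK64
        x = (x * 0xBF58476D1CE4E5B9) & MASK64
    return x


def roll_linear(x: int) -> int:
    """Linear rolling function: one LFSR step with constructed taps (GF(2)-linear)."""
    fb = ((x >> 63) ^ (x >> 62) ^ (x >> 60) ^ (x >> 59)) & 1
    return ((x << 1) & MASK64) | fb


def roll_nonlinear(x: int) -> int:
    """Non-linear rolling function: an NLFSR step whose feedback ANDs two state
    bits (constructed). The dropped bit enters linearly, so it stays a bijection."""
    fb = ((x >> 63) ^ ((x >> 62) & (x >> 61)) ^ (x >> 57)) & 1
    return ((x << 1) & MASK64) | fb


def pad_blocks(s: bytes) -> List[int]:
    """10* padding (0x01, then zeros to a block boundary), split into 64-bit words."""
    s = s + b"\x01"
    s += b"\x00" * (-len(s) % BLOCK)
    return [int.from_bytes(s[i:i + BLOCK], "little") for i in range(0, len(s), BLOCK)]


def farfalle_prf(key: bytes, strings: List[bytes], out_len: int,
                 roll_e: Callable[[int], int] = roll_nonlinear) -> bytes:
    """PRF(key, sequence of strings) -> out_len bytes, in the Farfalle shape.
    The four permutation instances (p_b, p_c, p_d, p_e) all use toy_perm here."""
    if len(key) >= BLOCK:
        raise ValueError("toy key must fit in one block together with its padding")
    mask = toy_perm(pad_blocks(key)[0])            # p_b: key -> input mask
    acc = 0
    for s in strings:
        for block in pad_blocks(s):
            # p_c: each block is masked with a rolled key and permuted on its
            # own, so these calls are independent and could run in parallel;
            # XOR accumulates them. (Assumption: the mask keeps rolling across
            # string boundaries; the paper's domain separation is not reproduced.)
            acc ^= toy_perm(block ^ mask)
            mask = roll_linear(mask)               # compression-side rolling, kept linear
    y = toy_perm(acc)                              # p_d: separates the two layers
    out = bytearray()
    while len(out) < out_len:
        # p_e: expansion. roll_e drives the successive output blocks; this is the
        # layer where the announcement moves Kravatte to a non-linear roll.
        out += (toy_perm(y) ^ mask).to_bytes(BLOCK, "little")   # XOR final rolled mask
        y = roll_e(y)
    return bytes(out[:out_len])


def mac(key: bytes, message: bytes, tag_len: int = 16) -> bytes:
    """MAC = truncated PRF output over the message."""
    return farfalle_prf(key, [message], tag_len)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption: XOR with the keystream PRF(key, [nonce]); decryption is the same call."""
    ks = farfalle_prf(key, [nonce], len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    k, n, m = b"k0", b"nonce-1", b"attack at dawn"   # constructed sample inputs
    c = stream_xor(k, n, m)
    print("ct  :", c.hex())
    print("tag :", mac(k, c).hex())
    print("dec :", stream_xor(k, n, c))
```

The two uses the announcement names fall out of one primitive: a MAC is a truncated PRF output over the message, and stream encryption XORs data with the PRF output over a nonce, so encryption and decryption are the same call. Because the input is a sequence of strings rather than one string, a caller can pass associated data and a message as separate strings without a separate encoding.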

The optimized code in the KCP (Keccak Code Package) and the reference implementation in KeccakTools are in sync.

¹ To distinguish the latest version of Kravatte from the previous one, we call it Kravatte Achouffe.