Guido Bertoni^{3}, Joan Daemen^{2}, Seth Hoffert, Michaël Peeters^{1}, Gilles Van Assche^{1} and Ronny Van Keer^{1}

^{1}STMicroelectronics - ^{2}Radboud University - ^{3}Security Pattern

Xoodoo-*p* is a set of 384-bit cryptographic permutations parameterized by their round count.
The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors.
At the core of Xoodyak and of Xoofff, it has excellent propagation properties.

Synopsis | The Xoodoo permutations |
---|---|

Designed by | Joan Daemen, Seth Hoffert, Gilles Van Assche and Ronny Van Keer |

Parameterized by | The number of rounds n_{r} |

Instances | The instances are denoted Xoodoo[n_{r}]. |

We refer to the Xoodoo cookbook for a formal definition.

The number of rounds *n*_{r} is a parameter.

Note that in no way should this pseudo-code description be considered as a formal and reference description of Xoodoo.

```
Xoodoo(A) {
for i in 1-nr…0
A = Round(A, RC[i])
return A
}
Round[b](A,RC) {
# θ step
P[x] = A[x,0] xor A[x,1] xor A[x,2], for x in 0…3
E[x] = rot(P[x-1], 5) xor rot(P[x-1], 14), for x in 0…3
A[x,y] = A[x,y] xor E[x], for (x, y) in (0…3, 0…2)
# ρ West step
A[x,1] = A[x-1,1], for (x, y) in (0…3, 0…2)
A[x,2] = rot(A[x,2], 11), for (x, y) in (0…3, 0…2)
# ι step
A[0,0] = A[0,0] xor RC
# χ step
A[x,y] = A[x,y] xor ((not A[x,y+1]) and A[x,y+1]), for (x, y) in (0…3, 0…2)
# ρ East step
A[x,1] = rot(A[x,1], 1), for (x, y) in (0…3, 0…2)
A[x,2] = rot(A[x-2,2], 8), for (x, y) in (0…3, 0…2)
return A
}
```

In the pseudo-code above, the following conventions are in use. All the operations on the `x`

indices are done modulo 4 and on `y`

modulo 3. `A`

denotes the complete permutation state array, and `A[x,y]`

denotes a particular lane in that state. `P[x]`

and `E[x]`

are intermediate variables. `RC[i]`

are the round constants (see Table 1). `rot(W,r)`

is the usual bitwise cyclic shift operation, moving bit at position `i`

into position `i+r`

(modulo 32 bits).

RC[-11] | 0x00000058 | RC[-5] | 0x00000060 |
---|---|---|---|

RC[-10] | 0x00000038 | RC[-4] | 0x0000002C |

RC[-9] | 0x000003C0 | RC[-3] | 0x00000380 |

RC[-8] | 0x000000D0 | RC[-2] | 0x000000F0 |

RC[-7] | 0x00000120 | RC[-1] | 0x000001A0 |

RC[-6] | 0x00000014 | RC[0] | 0x00000012 |