Technical details

We refer to the Xoodoo cookbook for a formal definition.

Pseudo-code description of the permutations

The number of rounds n_r is a parameter.

Note that in no way should this pseudo-code description be considered as a formal and reference description of Xoodoo.

Xoodoo(A) {
  for i in 1-nr…0
    A = Round(A, RC[i])
  return A
}

Round[b](A,RC) {
  # θ step
  P[x] = A[x,0] xor A[x,1] xor A[x,2],                          for x in 0…3
  E[x] = rot(P[x-1], 5) xor rot(P[x-1], 14),                    for x in 0…3
  A[x,y] = A[x,y] xor E[x],                                     for (x, y) in (0…3, 0…2)

  # ρ West step
  A[x,1] = A[x-1,1],                                            for (x, y) in (0…3, 0…2)
  A[x,2] = rot(A[x,2], 11),                                     for (x, y) in (0…3, 0…2)

  # ι step
  A[0,0] = A[0,0] xor RC

  # χ step
  A[x,y] = A[x,y] xor ((not A[x,y+1]) and A[x,y+2]),            for (x, y) in (0…3, 0…2)

  # ρ East step
  A[x,1] = rot(A[x,1], 1),                                      for (x, y) in (0…3, 0…2)
  A[x,2] = rot(A[x-2,2], 8),                                    for (x, y) in (0…3, 0…2)

  return A
}

In the pseudo-code above, the following conventions are in use. All the operations on the x indices are done modulo 4 and on y modulo 3. A denotes the complete permutation state array, and A[x,y] denotes a particular lane in that state. P[x] and E[x] are intermediate variables. RC[i] are the round constants (see Table 1). rot(W,r) is the usual bitwise cyclic shift operation, moving bit at position i into position i+r (modulo 32 bits).