Abstract

In this paper, we introduce Farfalle, a new permutation-based construction for building a pseudorandom function (PRF). The PRF takes as input a key and a sequence of arbitrary-length data strings, and returns an arbitrary-length output. It has a compression layer and an expansion layer, each involving the parallel application of a permutation. The construction also makes use of LFSR-like rolling functions for generating input and output masks and for updating the inner state during expansion. On top of the inherent parallelism, Farfalle instances can be very efficient because the construction imposes fewer requirements on the underlying primitive than, e.g., the duplex construction or typical block cipher modes. Farfalle has an incremental property: compression of common prefixes of inputs can be factored out. Thanks to its input-output characteristics, Farfalle is really versatile. We specify simple modes on top of it for authentication, encryption and authenticated encryption, as well as a wide block cipher mode. As a showcase, we present Kravatte, a very efficient instance of Farfalle based on Keccak-p[1600, nr] permutations and formulate concrete security claims against classical and quantum adversaries. The permutations in the compression and expansion layers of Kravatte have only 6 rounds apiece and the rolling functions are lightweight. We provide a rationale for our choices and report on software performance.

Highlights

  • Until recently, symmetric cryptography was dominated by block ciphers

  • The global construction is an instantiation of the HHFHFH mode as presented by Dan Bernstein at the Symmetric Cryptography Dagstuhl seminar in January 2016 [5], that is in turn based on work of Naor and Reingold [46], that is based on a paper by Stefan Lucks [42], that builds further on work of Luby and Rackoff [41]

  • Alred: this was one of the first permutation-based modes proposed for message authentication code (MAC) computation in [24, 26] and is mostly known for the instance Pelican-MAC based on AES [25]


Summary

Introduction

Until recently, symmetric cryptography was dominated by block ciphers. With the exception of some dedicated stream ciphers, standards and commercial products performed encryption, authentication and authenticated encryption on top of a block cipher, often the AES [23], and even hashing was done with block-cipher-based modes. The Farfalle offering is built around a (composite) primitive and modes on top of it. This primitive is a pseudorandom function (PRF) that takes as input a key and a string (or a sequence of arbitrary-length strings), and produces an arbitrary-length output. It consists of a mask derivation, a compression layer and an expansion layer, each of them involving the parallel application of a permutation. This parallelism can be exploited on many platforms, including modern processors with single-instruction multiple-data (SIMD) units. The construction can be made very efficient, as the number of rounds in the permutations can be taken much smaller than in sponge-based modes, thanks to the fact that in Farfalle an adversary never has access to both the input and the output of a permutation call. Reference and optimized code for Kravatte is available in KeccakTools and in the Keccak code package, respectively [12, 16].
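The layering described in the abstract and in the introduction above, as a toy Python model added here (not code from the Farfalle paper, KeccakTools or the Keccak code package): a 16-byte ARX bijection stands in for the permutations of the mask derivation, compression and expansion layers, and a 128-bit Galois LFSR stands in for the rolling functions. The block width, feedback taps, 10* padding and the use of the rolled-forward mask as the output mask are assumptions for illustration, not Kravatte's parameters. The model shows mask derivation, the parallelisable compression into an accumulator, expansion, and the incremental property: the (accumulator, mask) state after a common prefix can be saved and reused for different suffixes.

```python
import struct

BLOCK = 16               # toy block width in bytes (assumption; Kravatte uses 1600-bit Keccak-p states)
M32, M128 = 0xFFFFFFFF, (1 << 128) - 1
FEEDBACK = 0x87          # toy LFSR feedback taps (assumption; not Kravatte's rollc/rolle)

def toy_perm(block: bytes) -> bytes:
    # Stand-in for the Farfalle permutations: a few ARX rounds forming a bijection on 16-byte blocks (toy, not cryptographic).
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    w = list(struct.unpack('<4I', block))
    for r in range(8):
        w[0] = (w[0] + w[1]) & M32; w[3] = rotl(w[3] ^ w[0], 16)
        w[2] = (w[2] + w[3]) & M32; w[1] = rotl(w[1] ^ w[2], 12)
        w[0] ^= r; w = w[1:] + w[:1]      # round constant, then rotate words so all four mix
    return struct.pack('<4I', *w)

def roll(mask: int) -> int:
    # LFSR-like rolling function (Galois form) over a 128-bit mask.
    return ((mask << 1) ^ FEEDBACK) & M128 if mask >> 127 else mask << 1

def pad(s: bytes) -> bytes:
    # 10* padding to a whole number of blocks; every string yields at least one block.
    return s + b'\x01' + b'\x00' * (-(len(s) + 1) % BLOCK)

def compress(acc: int, mask: int, string: bytes):
    # Compression layer: block m_i is XORed with mask roll^i(k), sent through the permutation and
    # XORed into the accumulator. The returned (acc, mask) state is all a later string needs.
    padded = pad(string)
    for i in range(0, len(padded), BLOCK):
        blk = int.from_bytes(padded[i:i + BLOCK], 'big') ^ mask
        acc ^= int.from_bytes(toy_perm(blk.to_bytes(BLOCK, 'big')), 'big')
        mask = roll(mask)
    return acc, mask

def expand(acc: int, out_mask: int, nbytes: int) -> bytes:
    # Expansion layer: y = perm(acc); output block j is perm(roll^j(y)) XOR the output mask.
    y, out = int.from_bytes(toy_perm(acc.to_bytes(BLOCK, 'big')), 'big'), b''
    while len(out) < nbytes:
        z = int.from_bytes(toy_perm(y.to_bytes(BLOCK, 'big')), 'big') ^ out_mask
        out += z.to_bytes(BLOCK, 'big')
        y = roll(y)
    return out[:nbytes]

def farfalle_prf(key: bytes, strings: list, nbytes: int) -> bytes:
    # Mask derivation k = perm(K || pad), compression of the string sequence, then expansion.
    assert len(key) < BLOCK, 'toy model: the key must fit in one padded block'
    acc, mask = 0, int.from_bytes(toy_perm(pad(key)), 'big')
    for s in strings:
        acc, mask = compress(acc, mask, s)
    return expand(acc, mask, nbytes)  # the rolled-forward mask serves as output mask k'
```

Compressing b'prefix' once and finishing with two different suffixes from the saved (acc, mask) state gives exactly the outputs of the two full evaluations, which is the prefix factoring the abstract refers to.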

Overview of the paper
Strings
Permutations
Rolling functions
Specification of Farfalle
Session-supporting authenticated encryption scheme
SIV authenticated encryption scheme
Wide block cipher
Rationale for the split function
Rationale for Farfalle
Accumulator collision
Input block variants swapping pc inputs
Properties of the mask derivation
Finding the value of k from input-output pairs
Farfalle
Session-based authenticated encryption mode
SIV authenticated encryption mode
Kravatte
Security claim
Kravatte-WBC and -WBC-AE
The number of rounds in pc
The rolling function rollc
The rolling function rolle
Short-Kravatte
The number of rounds in pd and pe
Implementations
Non-linearity properties of linear rolling functions
Higher-order differential attacks
Subspace properties of linear rolling mask sequences
Estimating the affine span profile
Experimental verification
Application to Kravatte’s rolling function rollc
Conclusions and future work
A Versions of Kravatte