Abstract

This paper presents a cryptanalysis of full Kravatte, an instantiation of the Farfalle construction of a pseudorandom function (PRF) with variable input and output length. This new construction, proposed by Bertoni et al., introduces an efficiently parallelizable and extremely versatile building block for the design of symmetric mechanisms, e.g. message authentication codes or stream ciphers. It relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer. The key is expanded and used to mask the inputs and outputs of the construction. Kravatte instantiates Farfalle using linear rolling functions and permutations obtained by iterating the Keccak round function. We develop in this paper several attacks against this PRF, based on three different attack strategies that bypass part of the construction and target a reduced number of permutation rounds. A higher order differential distinguisher exploits the possibility to build an affine space of values in the cipher state after the compression layer. An algebraic meet-in-the-middle attack can be mounted on the second step of the expansion layer. Finally, due to the linearity of the rolling function and the low algebraic degree of the Keccak round function, a linear recurrence distinguisher can be found on intermediate states of the second step of the expansion layer. All the attacks rely on the ability to invert a small number of the final rounds of the construction. In particular, the last two rounds of the construction together with the final masking by the key can be algebraically inverted, which allows the key to be recovered. The complexities of the devised attacks, applied to the Kravatte specifications published on the IACR ePrint in July 2017, or the strengthened version of Kravatte recently presented at ECC 2017, are far below the security claimed.

Highlights

  • Farfalle is an efficiently parallelizable permutation-based construction of a variable input and output length pseudorandom function (PRF) recently proposed by Bertoni et al. [BDH+16]

  • We propose in this paper several key-recovery attack strategies breaking the security claims of the recent PRF proposal Kravatte

  • The attacks are primarily focused on either the convergence point or the divergence point of the high-level structure, which allows virtually any number of blocks to be compressed into a single one in an incremental way, and a single block to be expanded into almost any number of output blocks. The properties of these two sensitive points of the computation, where all the input information is packed into a single block, together with the low algebraic degree of the Keccak-p permutation, are leveraged in our attacks


Summary

Introduction

Farfalle is an efficiently parallelizable permutation-based construction of a variable input and output length pseudorandom function (PRF) recently proposed by Bertoni et al. [BDH+16]. The attacks all rely on the capacity to “invert” up to two of the last rounds of the expansion layer despite a final masking of the output values by a key block. This can be done algebraically, by expressing the intermediate values as a function of the Kravatte output block and of the unknown key block, setting up a system of multivariate polynomial equations, and solving this system by linearization. This is more efficient than expected from the algebraic degree of the inverse of the last rounds, because the inverse round function of Keccak diffuses only slowly over a small number of iterations.
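The algebraic argument above rests on the fact that the only nonlinear step of the Keccak round is chi, which acts independently on 5-bit rows with algebraic degree 2, while its inverse has a higher degree. The following added example (not code from the paper or from the Kravatte authors) computes the algebraic normal form of chi and of its inverse on a single 5-bit row by exhaustive enumeration and reports the degree of every output bit; the row width, the function names and the Möbius-transform helper are this example's own choices, not notation from the paper.

```python
# Added example: algebraic degree of Keccak's chi step (one 5-bit row) and of its inverse.
# Everything here is constructed for illustration; it is not the paper's attack code.
from itertools import product

W = 5  # row width used by Keccak-p[1600]: chi acts on 5-bit rows


def chi_row(a):
    """Keccak chi on one row: b_i = a_i XOR (NOT a_{i+1} AND a_{i+2}), indices mod 5."""
    return [a[i] ^ ((1 ^ a[(i + 1) % W]) & a[(i + 2) % W]) for i in range(W)]


def invert_by_table(f, n):
    """Invert a bijection on n-bit vectors by exhaustive tabulation (2^n evaluations)."""
    table = {}
    for x in product((0, 1), repeat=n):
        y = tuple(f(list(x)))
        if y in table:
            raise ValueError("function is not a bijection")
        table[y] = list(x)
    return lambda y: list(table[tuple(y)])


def anf(truth_table):
    """Möbius transform: truth table indexed by input x -> ANF coefficient per monomial mask."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        for x in range(len(coeffs)):
            if x & (1 << i):
                coeffs[x] ^= coeffs[x ^ (1 << i)]
    return coeffs


def algebraic_degrees(f, n):
    """Algebraic degree of each output coordinate of f: {0,1}^n -> {0,1}^n."""
    degrees = []
    for out_bit in range(n):
        tt = []
        for x in range(1 << n):
            bits = [(x >> i) & 1 for i in range(n)]  # bit i of x is variable a_i
            tt.append(f(bits)[out_bit])
        coeffs = anf(tt)
        degrees.append(max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0))
    return degrees


def degree_bounds_after_rounds(rounds):
    """Trivial degree bounds: forward degree 2^rounds, inverse degree 3^rounds (single-row view).

    theta, rho, pi and iota are affine, so the round degree equals the degree of chi.
    These are only upper bounds; the paper's point is that the real cost of inverting
    two rounds is lower because inverse diffusion is limited.
    """
    fwd = algebraic_degrees(chi_row, W)[0]
    inv = algebraic_degrees(invert_by_table(chi_row, W), W)[0]
    return fwd ** rounds, inv ** rounds


if __name__ == "__main__":
    print("chi degrees:        ", algebraic_degrees(chi_row, W))
    print("chi^-1 degrees:     ", algebraic_degrees(invert_by_table(chi_row, W), W))
    print("bounds for 2 rounds:", degree_bounds_after_rounds(2))
```

Running the block shows every output bit of chi at degree 2 and every output bit of its inverse at degree 3, which is why inverting the last rounds from the key-masked output is more expensive than evaluating them forward and why the paper's observation about limited inverse diffusion matters for the linearization step.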

Specifications of Farfalle and Kravatte
The Farfalle Construction for Permutation-Based PRFs
The Kravatte Pseudo-Random Function
Round Function of the Keccak-p Permutation
Algebraic Cryptanalysis of Full Kravatte
Meet-in-the-Middle Algebraic Attack
Cancellation of Monomials Using a Linear Recurrence
Higher Order Differential Cryptanalysis of Full Kravatte
Construction of Affine Spaces in the Accumulator
Higher Order Differential Attacks Against Kravatte
Last-Round Attacks
Minimizing the Number of Variables for Two Inverse Rounds
Super Structure of Input Messages
Counters
Optimizing the Attacks
Concluding Remarks and Discussion
A Appendix