A Simple Deterministic Algorithm for Systems of Quadratic Polynomials over

Bouillaguet, Charles; Delaplace, Claire; Trimoska, Monika

doi:10.1137/1.9781611977066.22

Cited by 4 publications

(6 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our attacks, we will adopt a simple version of the crossbred algorithm [JV17] to solve an overdefined system of quadratic equations, which is described in [BDT22]. This algorithm fits very well with our attacks on LowMC for its simplicity to bound the time complexity and to implement in practice.…”

Section: A Simple Version Of Crossbred Algorithm For Quadratic Equationsmentioning

confidence: 99%

“…The first attack is a new and simple guess-and-determine (GnD) attack on 3-round LowMC by using Banik et al's strategy [BBDV20] to linearize the 3-bit S-box, where we solve a system of quadratic equations with the standard linearization technique. The second attack is a much simpler yet more efficient GnD attack on 3-round LowMC by using a naive guess strategy to linearize the 3-bit S-box, where we solve quadratic equations with the simplified version of the crossbred algorithm [BDT22]. The third attack is for full-round (4-round) LowMC, where we still adopt the naive guess strategy but use Dinur's algorithm [Din21] to solve equations of degree 4.…”

Section: New Algebraic Attacks On Lowmcmentioning

confidence: 99%

“…2. By utilizing a simple version of the crossbred algorithm [JV17] proposed in [BDT22] to solve an overdefined quadratic equation system, our attacks on 3-round LowMC require negligible memory and can achieve better time-memory tradeoffs than Dinur's algorithm [Din21].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

New Low-Memory Algebraic Attacks on LowMC in the Picnic Setting

Liu

Meier

Sarkar

et al. 2022

ToSC

View full text Add to dashboard Cite

The security of the post-quantum signature scheme Picnic is highly related to the difficulty of recovering the secret key of LowMC from a single plaintext-ciphertext pair. Since Picnic is one of the alternate third-round candidates in NIST post-quantum cryptography standardization process, it has become urgent and important to evaluate the security of LowMC in the Picnic setting. The best attacks on LowMC with full S-box layers used in Picnic3 were achieved with Dinur’s algorithm. For LowMC with partial nonlinear layers, e.g. 10 S-boxes per round adopted in Picnic2, the best attacks on LowMC were published by Banik et al. with the meet-in-the-middle (MITM) method.In this paper, we improve the attacks on LowMC in a model where memory consumption is costly. First, a new attack on 3-round LowMC with full S-box layers with negligible memory complexity is found, which can outperform Bouillaguet et al.’s fast exhaustive search attack and can achieve better time-memory tradeoffs than Dinur’s algorithm. Second, we extend the 3-round attack to 4 rounds to significantly reduce the memory complexity of Dinur’s algorithm at the sacrifice of a small factor of time complexity. For LowMC instances with 1 S-box per round, our attacks are shown to be much faster than the MITM attacks. For LowMC instances with 10 S-boxes per round, we can reduce the memory complexity from 32GB (238 bits) to only 256KB (221 bits) using our new algebraic attacks rather than the MITM attacks, while the time complexity of our attacks is about 23.2 ∼ 25 times higher than that of the MITM attacks. A notable feature of our new attacks (apart from the 4-round attack) is their simplicity. Specifically, only some basic linear algebra is required to understand them and they can be easily implemented.

show abstract

Section: A Simple Version Of Crossbred Algorithm For Quadratic Equationsmentioning

confidence: 99%

Section: New Algebraic Attacks On Lowmcmentioning

confidence: 99%

See 1 more Smart Citation

New Low-Memory Algebraic Attacks on LowMC in the Picnic Setting

Liu

Meier

Sarkar

et al. 2022

ToSC

View full text Add to dashboard Cite

show abstract

“…In our attack, we will use a simple version of the crossbred algorithm for an overdefined quadratic equation system, which is described in [BDT22,LMSI22]. Suppose E(x) is a quadratic Boolean equation system, i.e.…”

Section: The Crossbred Algorithm For Quadratic Equationsmentioning

confidence: 99%

“…Specifically, we introduce nonlinear equations of degree 3 for the unknown variables in the online phase instead of enumerating them in [LSW + 22] and then solve the equation system effectively utilizing Dinur's algorithm [Din21]. In the key recovery phase, we introduce quadratic equations and use a simple version of the crossbred algorithm [BDT22,LMSI22] to solve an over-defined quadratic equation system, which successfully reduces the time complexity and relaxes the constraints on the number of active S-boxes caused by the linearization technique. In this way, we significantly extend the number of rounds for the difference enumeration attack on LowMC and improve the success probability from 0.5 to over 0.9.…”

Section: Introductionmentioning

confidence: 99%

Improved Attacks on LowMC with Algebraic Techniques

Sun,

Cui,

Wang

2023

ToSC

View full text Add to dashboard Cite

The LowMC family of SPN block cipher proposed by Albrecht et al. was designed specifically for MPC-/FHE-/ZKP-friendly use cases. It is especially used as the underlying block cipher of PICNIC, one of the alternate third-round candidate digital signature algorithms for NIST post-quantum cryptography standardization. The security of PICNIC is highly related to the difficulty of recovering the secret key of LowMC from a given plaintext/ciphertext pair, which raises new challenges for security evaluation under extremely low data complexity.In this paper, we improve the attacks on LowMC under low data complexity, i.e. 1 or 2 chosen plaintext/ciphertext pairs. For the difference enumeration attack with 2 chosen plaintexts, we propose new algebraic methods to better exploit the nonlinear relation inside the introduced variables based on the attack framework proposed by Liu et al. at ASIACRYPT 2022. With this technique, we significantly extend the number of attack rounds for LowMC with partial nonlinear layers and improve the success probability from around 0.5 to over 0.9. The security margin of some instances can be reduced to only 3/4 rounds. For the key-recovery attack using a single plaintext, we adopt a different linearization strategy to reduce the huge memory consumption caused by the polynomial methods for solving multivariate equation systems. The memory complexity reduces drastically for all 5-/6-round LowMC instances with full nonlinear layers at the sacrifice of a small factor of time complexity. For 5-round LowMC instances with a block size of 129, the memory complexity decreases from 286.46 bits to 248.18 bits while the time complexity even slightly reduces. Our results indicate that the security for different instances of LowMC under extremely low data complexity still needs further exploration.

show abstract