Algebraic Attacks against Some Arithmetization-Oriented Primitives

Bariant, Augustin; Bouvier, Clémence; Leurent, Gaëtan; Perrin, Léo

doi:10.46586/tosc.v2022.i3.73-101

Cited by 11 publications

(5 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is often used as a proxy to estimate the security provided by a public permutation as, for instance, the complexity of a key recovery does not apply in this context. It is actually the problem that had to be solved for the ZK Hash Function Cryptanalysis Bounties 2021 organized by Ethereum [Eth21], which was tackled in [BBLP22]. The CICO problem is defined as follows.…”

Section: The Weak Hash Function Stirmentioning

confidence: 99%

“…Indeed, it is tied to the specific model used to encode the evaluation of the primitive as an equation, or as a system of multi-variate equations, and this model is not unique. It has been shown for instance in [ACG + 19] and [BBLP22], that some of these primitives were much more vulnerable to such attacks than anticipated because of a clever re-writing of the involved equations.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

Boeuf,

Canteaut,

Perrin

2023

ToSC

View full text Add to dashboard Cite

Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box.In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen.As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.

show abstract

Section: The Weak Hash Function Stirmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

Boeuf,

Canteaut,

Perrin

2023

ToSC

View full text Add to dashboard Cite

show abstract

“…In this section, we introduce a trick proposed by [35] which can help us skip two rounds without additional consumption when analyzing the permutation based on the SPN structure using the CICO problem.…”

Section: Techniques To Skip Spn Roundsmentioning

confidence: 99%

“…We introduce the Constrained Input/Constrained Output (CICO) problem [4] and exploit its solution to obtain preimages of the hash function of Grendel. In this way, we extend the previously proposed technique in [35] and improve the preimage attack by bypassing two additional rounds of the SPN structure. By introducing the CICO problem, our attack is capable of attacking two additional rounds compared to the attack presented in [22], as shown in Table 1.…”

mentioning

confidence: 99%

Algebraic Attacks against Grendel: An Arithmetization-Oriented Primitive with the Legendre Symbol

Zhang²,

Wang

et al. 2023

Symmetry

View full text Add to dashboard Cite

The rise of modern cryptographic protocols such as Zero-Knowledge proofs and secure Multi-party Computation has led to an increased demand for a new class of symmetric primitives. Unlike traditional platforms such as servers, microcontrollers, and desktop computers, these primitives are designed to be implemented in arithmetical circuits. In terms of security evaluation, arithmetization-oriented primitives are more complex compared to traditional symmetric cryptographic primitives. The arithmetization-oriented permutation Grendel employs the Legendre Symbol to increase the growth of algebraic degrees in its nonlinear layer. To analyze the security of Grendel thoroughly, it is crucial to investigate its resilience against algebraic attacks. This paper presents a preimage attack on the sponge hash function instantiated with the complete rounds of the Grendel permutation, employing algebraic methods. A technique is introduced that enables the elimination of two complete rounds of substitution permutation networks (SPN) in the sponge hash function without significant additional cost. This method can be combined with univariate root-finding techniques and Gröbner basis attacks to break the number of rounds claimed by the designers. By employing this strategy, our attack achieves a gain of two additional rounds compared to the previous state-of-the-art attack. With no compromise to its security margin, this approach deepens our understanding of the design and analysis of such cryptographic primitives.

show abstract

“…With respect to Poseidon, we emphasize that the input of Neptune π is multiplied by M (E) before the first S-Box layer is applied. This could make a difference in the case of algebraic attacks, since the invertible S-Box layer is defined via the concatenation of independent non-linear functions, as concretely shown in [BBLP22]. Indeed, if no initial diffusion/matrix multiplication takes place, one can potentially ignore the first S-Box layer (by replacing the initial value IV with the corresponding output via the S-Box layer).…”

Section: Initial Matrix Multiplicationmentioning

confidence: 99%

Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over Fnp

Grassi

Onofri

Pedicini

et al. 2022

ToSC

View full text Add to dashboard Cite

Motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE), and Zero-Knowledge proofs (ZK), many MPC-, FHE- and ZK-friendly symmetric-key primitives that minimize the number of multiplications over Fp for a large prime p have been recently proposed in the literature. This goal is often achieved by instantiating the non-linear layer via power maps x↦xd. In this paper, we start an analysis of new non-linear permutation functions over Fnp that can be used as building blocks in such symmetrickey primitives. Given a local map F : Fmp→ Fp, we limit ourselves to focus on S-Boxes over Fnp for n ≥ m defined as SF (x0, x1, . . . , xn−1) = y0|y1| . . . |yn−1 where yi := F(xi, xi+1, . . . , xi+m−1). As main results, we prove that• given any quadratic function F : F2p→ Fp, the corresponding S-Box SF over Fnp for n ≥ 3 is never invertible;• similarly, given any quadratic function F : F3p → Fp, the corresponding S-Box SF over Fnp for n ≥ 5 is never invertible.Moreover, for each p ≥ 3, we present (1st) generalizations of the Lai-Massey construction over Fnp defined as before via functions F : Fmp → Fp for each n = m ≥ 2 and (2nd) (non-trivial) quadratic functions F : F3p → Fp such that SF over Fnp for n ∈ {3, 4} is invertible. As an open problem for future work, we conjecture that for each m ≥ 1 there exists a finite integer nmax(m) such that SF over Fnp defined as before via a quadratic function F : Fmp →Fp is not invertible for each n ≥ nmax(m). Finally, as a concrete application, we propose Neptune, a variant of the sponge hash function Poseidon, whose non-linear layer is designed by taking into account the results presented in this paper. We show that this variant leads to a concrete multiplication reduction with respect to Poseidon.

show abstract

Algebraic Attacks against Some Arithmetization-Oriented Primitives

Cited by 11 publications

References 11 publications

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

Algebraic Attacks against Grendel: An Arithmetization-Oriented Primitive with the Legendre Symbol

Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over Fnp

Contact Info

Product

Resources

About