Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Grassi, Lorenzo; Rechberger, Christian; Schofnegger, Markus

doi:10.46586/tosc.v2021.i2.314-352

Cited by 5 publications

(6 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…is a MDS matrix that prevents the existence of invariant subspace trails for the internal rounds -we refer to [GRS21] for a detailed description on how to choose such matrices;…”

Section: Masta Pasta and Rubato For Fhe Protocolsmentioning

confidence: 99%

See 1 more Smart Citation

Bounded Surjective Quadratic Functions over Fnp for MPC-/ZK-/FHE-Friendly Symmetric Primitives

Grassi

2023

ToSC

View full text Add to dashboard Cite

Motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE), and Zero-Knowledge proofs (ZK), many MPC-, FHE- and ZK-friendly symmetric-key primitives that minimize the< number of multiplications over Fp for a large prime p have been recently proposed in the literature. These symmetric primitives are usually defined via invertible functions, including (i) Feistel and Lai-Massey schemes and (ii) SPN constructions instantiated with invertible non-linear S-Boxes. However, the “invertibility” property is actually never required in any of the mentioned applications.In this paper, we discuss the possibility to set up MPC-/FHE-/ZK-friendly symmetric primitives instantiated with non-invertible bounded surjective functions. In contrast to one-to-one functions, each output of a l-bounded surjective function admits at most l pre-images. The simplest example is the square map x → x2 over Fp for a prime p ≥ 3, which is (obviously) 2-bounded surjective. When working over Fnp for n ≥ 2, we set up bounded surjective functions by re-considering the recent results proposed by Grassi, Onofri, Pedicini and Sozzi at FSE/ToSC 2022 as starting points. Given a quadratic local map F : Fmp → Fp for m ∈ {1, 2, 3}, they proved that the shift-invariant non-linear function over Fnp defined as SF (x0, x1, . . . , xn−1) = y0∥y1∥ . . . ∥yn−1 where yi := F(xi, xi+1) is never invertible for any n ≥ 2 · m − 1. Here, we prove that • the quadratic function F : Fmp → Fp for m ∈ {1, 2} that minimizes the probability of having a collision for SF over Fnp is of the form F(x0, x1) = x20 + x1 (or equivalent);• the function SF over Fnp defined as before via F(x0, x1) = x20 +x1 (or equivalent) is 2n-bounded surjective.As concrete applications, we propose modified versions of the MPC-friendly schemes MiMC, HadesMiMC, and (partially of) Hydra, and of the FHE-friendly schemes Masta, Pasta, and Rubato. By instantiating them with the bounded surjective quadratic functions proposed in this paper, we are able to improve the security and/or the performances in the target applications/protocols.

show abstract

“…is a MDS matrix that prevents the existence of invariant subspace trails for the internal rounds -we refer to [GRS21] for a detailed description on how to choose such matrices;…”

Section: Masta Pasta and Rubato For Fhe Protocolsmentioning

confidence: 99%

“…is an invertible matrix that aims for destroying the invariant subspace trails of the Lai-Massey construction -we refer to [GRS21,GØSW23] for all details regarding how to construct/choose the matrix M I ;…”

Section: Masta Pasta and Rubato For Fhe Protocolsmentioning

confidence: 99%

Bounded Surjective Quadratic Functions over Fnp for MPC-/ZK-/FHE-Friendly Symmetric Primitives

Grassi

2023

ToSC

View full text Add to dashboard Cite

show abstract

“…In the same paper, authors also set up preimage attacks on the sponge hash function instantiated with the full-round permutation P π in the case of a weak MDS matrix M such that M 2 is a multiple of the identity, and so, for which an invariant subspace trail that covers all the internal rounds with probability 1 exists (see also [KR21]). In [GRS21], Grassi et al showed how to properly choose the MDS matrix M in order to prevent this (and similar) attack(s).…”

Section: Poseidon and The Hades Design Strategymentioning

confidence: 99%

“…where d ≥ 3 is the smallest integer such that gcd(d, p − 1) = 1. The linear layer is defined via an invertible matrix M (I) ∈ F t×t p that must prevent arbitrary-long subspace trails for the Partial-SPN scheme I (R I −1) • • • • • I (0) , as explained in [GRS21].…”

Section: Neptunementioning

confidence: 99%

“…As shown in [GRS21, GSW + 21], the matrix M (I) must be chosen in order to guarantee that no subspace X i is invariant for an arbitrary number of internal rounds, and more generally, that no subspace trail can cover any arbitrary number of internal rounds. We suggest to make used the tool presented in [GRS21] in order to properly choose the matrix M (I) for this goal. This implies that no more than t − 1 internal rounds can be covered without activating any S-Box x → x d .…”

Section: Statistical Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over Fnp

Grassi

Onofri

Pedicini

et al. 2022

ToSC

Self Cite

View full text Add to dashboard Cite

Motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE), and Zero-Knowledge proofs (ZK), many MPC-, FHE- and ZK-friendly symmetric-key primitives that minimize the number of multiplications over Fp for a large prime p have been recently proposed in the literature. This goal is often achieved by instantiating the non-linear layer via power maps x↦xd. In this paper, we start an analysis of new non-linear permutation functions over Fnp that can be used as building blocks in such symmetrickey primitives. Given a local map F : Fmp→ Fp, we limit ourselves to focus on S-Boxes over Fnp for n ≥ m defined as SF (x0, x1, . . . , xn−1) = y0|y1| . . . |yn−1 where yi := F(xi, xi+1, . . . , xi+m−1). As main results, we prove that• given any quadratic function F : F2p→ Fp, the corresponding S-Box SF over Fnp for n ≥ 3 is never invertible;• similarly, given any quadratic function F : F3p → Fp, the corresponding S-Box SF over Fnp for n ≥ 5 is never invertible.Moreover, for each p ≥ 3, we present (1st) generalizations of the Lai-Massey construction over Fnp defined as before via functions F : Fmp → Fp for each n = m ≥ 2 and (2nd) (non-trivial) quadratic functions F : F3p → Fp such that SF over Fnp for n ∈ {3, 4} is invertible. As an open problem for future work, we conjecture that for each m ≥ 1 there exists a finite integer nmax(m) such that SF over Fnp defined as before via a quadratic function F : Fmp →Fp is not invertible for each n ≥ nmax(m). Finally, as a concrete application, we propose Neptune, a variant of the sponge hash function Poseidon, whose non-linear layer is designed by taking into account the results presented in this paper. We show that this variant leads to a concrete multiplication reduction with respect to Poseidon.

show abstract

From Farfalle to Megafono via Ciminion: The PRF Hydra for MPC Applications

Grassi

Øygarden

Schofnegger³

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Cited by 5 publications

References 23 publications

Bounded Surjective Quadratic Functions over Fnp for MPC-/ZK-/FHE-Friendly Symmetric Primitives

Bounded Surjective Quadratic Functions over Fnp for MPC-/ZK-/FHE-Friendly Symmetric Primitives

Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over Fnp

From Farfalle to Megafono via Ciminion: The PRF Hydra for MPC Applications

Contact Info

Product

Resources

About