Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems

Beyne, Tim; Canteaut, Anne; Dinur, Itai; Eichlseder, Maria; Leander, Gregor; Leurent, Gaëtan; Naya-Plasencia, Maŕıa; Perrin, Léo; Sasaki, Yu; Todo, Yosuke; Wiemer, Friedrich

doi:10.1007/978-3-030-56877-1_11

Cited by 30 publications

(9 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other Statistical Attacks The low differential probability protects Arion and ArionHash against classical and truncated differential attacks. We conclude that the full diffusion after two rounds protects Arion and ArionHash against impossible differential and zero-correlation attacks [14], boomerang attack [50], integral attack [11,21], multiple-of-n and mixture differential attacks [31,36]. Note that we mainly perform cryptanalysis for ensuring the security for the parameters that are suitbale for target applications.…”

Section: Definition 8 (See [5 Definition 6 15]mentioning

confidence: 98%

“…Our findings in Table 5 suggest that after two rounds Arion-π has already almost full density over F p . Higher-order differential attacks [11,39,40] exploit that higher differentials will vanish at some point. Since Arion achieves degrees greater than or equal to q − 2 in the input variables we expect Arion to resist against higher-order differentials and distinguishers.…”

Section: Algebraic Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems

Johann¹,

Trevisani²

2023

Preprint

View full text Add to dashboard Cite

In this paper we propose the (keyed) permutation Arion and the hash function ArionHash over Fp for odd and particularly large primes. The design of Arion is based on the newly introduced Generalized Triangular Dynamical System (GTDS), which provides a new algebraic framework for constructing (keyed) permutation using polynomials over a finite field. At round level Arion is the first design which is instantiated using the new GTDS. We provide extensive security analysis of our construction including algebraic cryptanalysis (e.g. interpolation and Gröbner basis attacks) that are particularly decisive in assessing the security of permutations and hash functions over Fp. From a application perspective, ArionHash is aimed for efficient implementation in zkSNARK protocols and Zero-Knowledge proof systems. For this purpose, we exploit that CCZ-equivalence of graphs can lead to a more efficient implementation of Arithmetization-Oriented primitives. We compare the efficiency of ArionHash in R1CS and Plonk settings with other hash functions such as Poseidon, Anemoi and Griffin. For demonstrating the practical efficiency of ArionHash we implemented it with the zkSNARK libraries libsnark and Dusk Network Plonk. Our result shows that ArionHash is significantly faster than Poseidon -a hash function designed for zero-knowledge proof systems. We also found that an aggressive version of ArionHash is considerably faster than Anemoi and Griffin in a practical zkSNARK setting.

show abstract

Section: Definition 8 (See [5 Definition 6 15]mentioning

confidence: 98%

Section: Algebraic Attacksmentioning

confidence: 99%

Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems

Johann¹,

Trevisani²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Number of rounds of GMiMC-erf: For full-data scenario, the designers [2, Table 2] take R T D ≥ 1 + t + (t 2 + t) × n 2(n−1) rounds to provide the resistance against truncated differential attacks for multivariate case under single-key setting. This bound then has been broken and extended to t(t − 2) rounds by Beyne et al [7]. For low-data scenario, an attacker has limited data access, that is given only one or two known plaintext-ciphertext pairs for the cryptanalysis, thus designers mainly consider Greatest Common Divisors (GCD) and Gröbner Basis attacks, the number of rounds to provide security is…”

Section: Specifications Of Gmimcmentioning

confidence: 99%

“…Contributions. On one hand, we investigate the potential threats of the relatedkey attacks for GMiMC-erf 7 when deployed as PRP/PRFs in the post-quantum signature schemes, which is the recommended version of GMiMC and aims at competing with LowMC in post-quantum signature applications.…”

Section: Introductionmentioning

confidence: 99%

“…We then construct two kinds of iterative related-key differentials to explore the security margin of GMiMC-erf under related-key setting, which are provided in Table 1. What calls for the attention is that our proposed related-key differentials are also constructed for collision attacks, it means that the output differences of our distinguishers must be zero, which are more demanding than the previous single-key truncated differentials [1,7] and supposed to be bounded by the birthday bound.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Related-Key Differential Cryptanalysis of GMiMC Used in Post-Quantum Signatures

Chen

Guo

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

With the urgency of the threat imposed by quantum computers, there is a strong interest in making the signature schemes quantum resistant. As the promising candidates to ensure post-quantum security, symmetric-key primitives, in particular the recent MPC/FHE/ZKfriendly hash functions or block ciphers, are providing another choice to build efficient and secure signature schemes that do not rely on any assumed hard problems. However, considering the intended use cases, many of these novel ciphers for advanced cryptographic protocols do not claim the related-key security. In this paper, we initiate the study of the ignored related-key security of GMiMC proposed by Albrecht et al. at ESORICS 2019, some versions of which are optimized and designed to be used in post-quantum secure signatures. By investigating the potential threats of related-key attacks for GMiMC intended to be deployed as the underlying building block in post-quantum signature schemes, we then construct two kinds of iterative related-key differentials, from which not only do we explore its security margin against related-key attacks, but also collision attacks on its key space can be performed. For example, for GMiMC instance that beats the smallest signature size obtainable using LowMC, we can find its key collision using only about 2 10 key pairs. It worths noting that our current key collision attack is only applicable when the adversarial power is sufficiently strong (e.g., in the so-called multi-user setting), and it does not threaten the one-wayness of GMiMC. Furthermore, from the experiments of our related-key differentials, it can be observed that the differential clustering effect of GMiMC differs in both aspects: the choice of the finite field F being Fp or F n 2 , and the size of the finite field F.

show abstract

Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems

Beyne

Canteaut

Dinur

et al. 2020

Advances in Cryptology – CRYPTO 2020

View full text Add to dashboard Cite

The security and performance of many integrity proof systems like SNARKs, STARKs and Bulletproofs highly depend on the underlying hash function. For this reason several new proposals have recently been developed. These primitives obviously require an in-depth security evaluation, especially since their implementation constraints have led to less standard design approaches. This work compares the security levels offered by two recent families of such primitives, namely GMiMC and HadesMiMC. We exhibit low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in recently launched public challenges for STARK-friendly hash functions. In the more concrete setting of the sponge construction corresponding to the practical use in the ZK-STARK protocol, we present a practical collision attack on a round-reduced version of GMiMC and a preimage attack on some instances of HadesMiMC. To achieve those results, we adapt and generalize several cryptographic techniques to fields of odd characteristic.

show abstract

Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems

Cited by 30 publications

References 25 publications

Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems

Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems

Related-Key Differential Cryptanalysis of GMiMC Used in Post-Quantum Signatures

Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems

Contact Info

Product

Resources

About