2022
DOI: 10.46586/tosc.v2022.i1.5-37

The Legendre Symbol and the Modulo-2 Operator in Symmetric Schemes over $\mathbb{F}_p^n$

Abstract: Motivated by modern cryptographic use cases such as multi-party computation (MPC), homomorphic encryption (HE), and zero-knowledge (ZK) protocols, several symmetric schemes that are efficient in these scenarios have recently been proposed in the literature. Some of these schemes are instantiated with low-degree nonlinear functions, for example low-degree power maps (e.g., MiMC, HadesMiMC, Poseidon) or the Toffoli gate (e.g., Ciminion). Others (e.g., Rescue, Vision, Grendel) are instead instantiated via high-de…

Cited by 9 publications (26 citation statements)
References 19 publications

Citation statements:
“…As a direct consequence, no quadratic function over $\mathbb{F}_p$ for $p \geq 3$ is invertible. Other examples of invertible functions over $\mathbb{F}_p$ for $p \geq 3$ have recently been proposed in the literature via the Legendre symbol $L_p : \mathbb{F}_p \to \{-1, 0, 1\}$ defined as $L_p(x) := x^{(p-1)/2}$ (recalled in Definition 3), and they include $x \mapsto x \cdot (\alpha + L_p(x))$ where $L_p(\alpha^2 - 1) = 1$, introduced by Shallue [Sha12]; $x \mapsto x^d \cdot L_p(x)$ where $\gcd(d + (p-1)/2,\, p-1) = 1$, introduced by Szepieniec [Sze21]; and their generalization proposed in [GKRS22].…”
Section: The Round Function and The Non-linear Layer
Citation type: mentioning
confidence: 99%
“…But if there are several rounds, each with only one S-box, between two rounds with a full S-box layer, we cannot state anything about the number of active S-boxes in these rounds, except that this number is not less than the number of rounds. It should be noted that the authors of [5] did not take this detail into account when constructing security estimates against linear and differential cryptanalysis, and, as a result, incorrect estimates were obtained.…”
Section: Security Estimates Of Non-binary Cipher HadesMiMC Against Di…
Citation type: mentioning
confidence: 99%
“…using statements 1 and 2 of Theorem 1 for powered and inverse S-boxes, respectively. Also in [5] the authors proposed to add two extra full rounds, just in case. But adding two full rounds (one at the beginning, and one at the end) makes $r_{\mathrm{full}}$ odd and does not increase security.…”
Section: Security Estimates Of Non-binary Cipher HadesMiMC Against Di…
Citation type: mentioning
confidence: 99%