Abstract

Ciminion is a symmetric cryptographic algorithm proposed by Dobraunig et al. at EUROCRYPT 2021, built from Toffoli gates over \(\mathbb {F}_{2^n}\) or \(\mathbb {F}_p\). Because of its low multiplicative complexity, the cipher is a symmetric-key primitive friendly to multiparty computation (MPC), fully homomorphic encryption (FHE) and zero-knowledge (ZK) applications. There is currently no published third-party cryptanalysis of this algorithm. In this paper, we give the first analysis of Ciminion based on higher order differential cryptanalysis and integral cryptanalysis. We consider the three sets of instances, i.e., the “standard” set, the “conservative” set and the instances used in the MPC application, and construct the corresponding reduced-round distinguishers over \(\mathbb {F}_{2^n}\) and \(\mathbb {F}_p\), respectively. In addition, we observe a linear relation between the input and output of the round function and derive a new set of weak random numbers from this observation. For an aggressive evolution of Ciminion called Aiminion, we recover the subkeys under these weak random numbers. Although we cannot recover the master key, the disclosure of the subkeys still poses a potential threat to the cryptographic algorithm. Our results can provide guidance for designers in choosing round random numbers.

Keywords: Ciminion; Aiminion; Higher order differential cryptanalysis; Integral cryptanalysis; Distinguisher; Weak random numbers
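To make the \(\mathbb {F}_p\) integral / higher-order differential argument concrete, the following is an added example (it is not code from the paper or from the Ciminion designers). It models a Toffoli-gate round in the shape of the Ciminion design as the editor recalls it (Toffoli gate followed by a 3×3 linear layer with a per-round constant RC4 and additive constants RC1..RC3); the small prime, the constants and the helper names are constructed assumptions, and the exact linear layer should be checked against the specification.

```python
# Added example (not from the paper): F_p integral distinguisher on a
# Toffoli-gate round of the Ciminion shape. The prime and constants are
# constructed for a cheap full-field sum; the linear layer is an assumption.
P = 131  # constructed small prime so summing over all of F_p is trivial

# Constructed per-round constants; the design requires RC4 to be neither 0 nor 1.
RC = [(3 * i + 1, 5 * i + 2, 7 * i + 3, (11 * i + 2) % (P - 2) + 2)
      for i in range(1, 17)]

def toffoli_round(a, b, c, rc):
    """One round: Toffoli gate c += a*b, then the 3x3 linear layer and constants."""
    rc1, rc2, rc3, rc4 = rc
    t = (c + a * b) % P                      # Toffoli gate: the only degree-2 step
    a_out = (t + rc1) % P
    b_out = (a + rc4 * b + rc4 * t + rc2) % P
    c_out = (b + t + rc3) % P
    return a_out, b_out, c_out

def permute(a, b, c, rounds):
    for rc in RC[:rounds]:
        a, b, c = toffoli_round(a, b, c, rc)
    return a, b, c

def linear_relation_holds(a, b, c, rc):
    """c_out - a_out = b + RC3 - RC1 for the round as written here:
    the difference of two output words is linear in the input and
    independent of a and c, since a*b cancels between the two words."""
    a_out, _, c_out = toffoli_round(a, b, c, rc)
    return (c_out - a_out) % P == (b + rc[2] - rc[0]) % P

def degree_bound(rounds):
    """Varying one input word x: degree 1 after round 1, at most doubling per round."""
    return 2 ** (rounds - 1)

def integral_sums(rounds, b0=17, c0=42):
    """Sum each output word over all x in F_p with input (x, b0, c0).
    Over F_p, sum_x x^k = 0 for 0 <= k < p-1, so a word whose degree
    in x stays below p-1 must sum to zero: the zero-sum distinguisher."""
    s = [0, 0, 0]
    for x in range(P):
        out = permute(x, b0, c0, rounds)
        for i in range(3):
            s[i] = (s[i] + out[i]) % P
    return tuple(s)

def distinguishable_rounds():
    """Largest r for which the zero-sum is guaranteed, i.e. 2^(r-1) < p-1."""
    r = 1
    while degree_bound(r + 1) < P - 1:
        r += 1
    return r
```

With P = 131 the bound guarantees zero sums for 8 rounds; beyond that the sums are no longer forced to zero, which is exactly where a degree-based distinguisher stops.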
