Linear Cryptanalysis and Its Variants with Fast Fourier Transformation Technique on MPC/FHE/ZK-Friendly $$\mathbb {F}_p$$-Based Ciphers

Abstract

The emergence of advanced cryptographic protocols has promoted the developments of many applications, such as secure multi-party computation (MPC). For this reason, new symmetric-key primitives have been designed to natively support the finite field $$\mathbb {F}_p$$ with odd characteristic for better efficiencies. However, some well-studied symmetric cryptanalytic methods and techniques over $$\mathbb {F}_2^n$$ cannot be applied to these new primitives over $$\mathbb {F}_p$$ directly. Considering less standard design approaches adopted in these novel MPC-friendly ciphers, these proposals are in urgent need of full investigations; generalizations of the traditional cryptanalytic tools and techniques to $$\mathbb {F}_p$$ will also contribute to better understand the security of these new designs. In this paper, we first show that the Fast Fourier Transform (FFT) technique for the estimations of correlation, introduced by Collard et al. at ICISC 2007, can be applied to $$\mathbb {F}_p$$ and significantly improves the complexity of Matsui’s Algorithm 2 over $$\mathbb {F}_p$$ . Then, we formalize the differential-linear (DL) cryptanalysis to $$\mathbb {F}_p$$ . Inspired by the differential-linear connectivity table (DLCT) introduced by Bar-On et al. at EUROCRYPT 2019, we also include the DLCT into the consideration, and find the relation between DLCT and differential distribution table (DDT) over $$\mathbb {F}_p$$ . Finally, we mount key recovery attacks on a version of HADESMiMC, which is a SHARK-like MPC-friendly block cipher proposed by Grassi et al. at EUROCRYPT 2020. We denote this version as HADESMiMC-128 in this paper. For linear cryptanalysis with the FFT technique, we can attack 7 rounds of HADESMiMC-128. For DL cryptanalysis, a 7-round key recovery attack of HADESMiMC-128 is also mounted but with better time and data complexity. It should be noted that the attacks are still far from threatening the security of the full 14-round HADESMiMC-128.