Abstract

Motivated by modern cryptographic use cases such as multi-party computation (MPC), homomorphic encryption (HE), and zero-knowledge (ZK) protocols, several symmetric schemes that are efficient in these scenarios have recently been proposed in the literature. Some of these schemes are instantiated with low-degree nonlinear functions, for example low-degree power maps (e.g., MiMC, HadesMiMC, Poseidon) or the Toffoli gate (e.g., Ciminion). Others (e.g., Rescue, Vision, Grendel) are instead instantiated via high-degree functions which are easy to evaluate in the target application. A recent example of the latter case is the hash function Grendel, whose nonlinear layer is constructed using the Legendre symbol. In this paper, we analyze high-degree functions such as the Legendre symbol or the modulo-2 operation as building blocks for the nonlinear layer of a cryptographic scheme over F_p^n. Our focus regards the security analysis rather than the efficiency in the mentioned use cases. For this purpose, we present several new invertible functions that make use of the Legendre symbol or of the modulo-2 operation. Even though these functions often provide strong statistical properties and ensure a high degree after a few rounds, the main problem regards their small number of possible outputs, that is, only three for the Legendre symbol and only two for the modulo-2 operation. By fixing them, it is possible to reduce the overall degree of the function significantly. We exploit this behavior by describing the first preimage attack on full Grendel, and we verify it in practice.
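To make the abstract's central observation concrete, the following is an added Python example; it is not code from the paper or from the Grendel authors. It implements the Legendre symbol via Euler's criterion, the Grendel-style S-box x → x^d · L_p(x), and a brute-force interpolation over a toy prime (p = 29 and the exponents d ∈ {1, 3} are assumptions chosen so that the S-box is bijective; Grendel's real field is far larger). It then compares the degree of the S-box as a polynomial over F_p with the degree once L_p(x) is fixed to one of its values, which is the reduction the paper builds on.

```python
# Added example, not code from the paper or the Grendel project.
# Toy parameters: p = 29 and d in {1, 3} are assumptions for a brute-force
# demonstration; Grendel's actual field is far larger.

def legendre(x: int, p: int) -> int:
    """Legendre symbol L_p(x) in {-1, 0, 1}, computed via Euler's criterion
    x^((p-1)/2) mod p for an odd prime p."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def grendel_sbox(x: int, d: int, p: int) -> int:
    """Grendel-style S-box F(x) = x^d * L_p(x), evaluated in F_p."""
    return (pow(x, d, p) * legendre(x, p)) % p


def is_permutation(f, p: int) -> bool:
    """Brute-force check that f: F_p -> F_p is bijective (feasible only for toy p)."""
    return len({f(x) % p for x in range(p)}) == p


def interpolation_degree(f, p: int) -> int:
    """Degree of the unique polynomial of degree < p over F_p that agrees with f
    on all of F_p. Uses the closed form c_0 = f(0) and, for 1 <= k <= p-1,
    c_k = -sum_{a in F_p} f(a) * a^(p-1-k), which follows from
    sum_{a in F_p} a^m = -1 if (p-1) | m and m > 0, and 0 otherwise."""
    coeffs = [f(0) % p]
    for k in range(1, p):
        coeffs.append((-sum(f(a) * pow(a, p - 1 - k, p) for a in range(p))) % p)
    return max((k for k, c in enumerate(coeffs) if c), default=-1)


def degree_with_fixed_symbol(d: int, p: int, s: int) -> tuple:
    """Restrict the S-box to the inputs whose Legendre symbol equals the fixed
    value s in {-1, 1}. On that subset F(x) = s * x^d exactly, so the map
    collapses from degree d + (p-1)/2 to degree d. Returns (degree, subset size)
    after verifying the collapse on every input in the subset."""
    subset = [x for x in range(p) if legendre(x, p) == s]
    assert all(grendel_sbox(x, d, p) == (s * pow(x, d, p)) % p for x in subset)
    return d, len(subset)


if __name__ == "__main__":
    p = 29  # assumption: toy prime for which both S-boxes below are bijective
    for d in (1, 3):
        sbox = lambda x, d=d: grendel_sbox(x, d, p)
        print(f"d={d}: permutation={is_permutation(sbox, p)}, "
              f"full degree={interpolation_degree(sbox, p)}, "
              f"degree with L_p(x) fixed={degree_with_fixed_symbol(d, p, 1)[0]}")
```

Since L_p(x) ≡ x^((p-1)/2) as an element of F_p, the S-box x^d · L_p(x) is the power map x^(d + (p-1)/2) as a function on F_p, which is what the interpolation recovers (degree 15 for d = 1 and 17 for d = 3 over F_29). Fixing the Legendre symbol to +1 or −1 leaves only ±x^d on the corresponding half of the field, which is the degree drop the abstract describes.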

Highlights

  • Modern cryptographic applications such as multi-party computation (MPC), homomorphic encryption (HE), and zero-knowledge (ZK) protocols have motivated the design of specific cryptographic schemes

  • In Grendel, F is defined via the Legendre symbol, which is a function from F_p to {−1, 0, 1} and which returns +1 or −1 depending on whether the input is a quadratic residue or not

  • We emphasize that we focus on the security aspect of the symmetric schemes rather than their efficiency in MPC, FHE, or ZK applications


Summary

Introduction

Modern cryptographic applications such as multi-party computation (MPC), homomorphic encryption (HE), and zero-knowledge (ZK) protocols have motivated the design of specific cryptographic schemes. These are often defined over large prime fields F_p with the aim of increasing efficiency in the above-mentioned use cases. In some cases, proving/verifying this second relation may be more efficient than proving/verifying y = F(x). This approach is used in Friday and Jarvis [AD18], Rescue/Vision [AAB+20], and more recently in Grendel [Sze21]. We propose an attack strategy against a scheme instantiated via any of these nonlinear layers. We use this strategy to present a preimage attack on a sponge hash function instantiated with the full Grendel permutation.

The Legendre Symbol and the Modulo-2 Operation
Section 4.2.1
Attack on Full Grendel
Related Work
Preliminaries
The Legendre Symbol
The Hash Function Grendel
Overview of Differential/Linear and Algebraic Cryptanalysis
Univariate Factorization and Root Finding
Gröbner Bases
Hermite’s Criterion and Invertible Maps over F_{p^n} ≡ F_p^n
The Permutation x → x^d · (L_p(x) + α) over F_p
Grendel’s Nonlinear S-Box x → x^d · L_p(x)
F(x) = x^{d+} · (1 + L_p(x)) + x^{d−} · (1 − L_p(x))
F(x) = α^{(x mod 2)} · x^2
F(x) = x · (1 − 2 · (x^2 mod 2))
Nonlinear Layer over F_p^n via a Local Map
F(x_0, x_1) = x_0 · x_1 · (1 + L_p(x_1)) + (1 − L_p(x_1)
High-Level Idea of the Attack
Computing Legendre Symbols
Finding the Preimage
Complexity of Finding the Roots and Verifying the Solution
Practical Verification
Restoring Security and Final Considerations
Gröbner Basis Attack
Security Against our Attacks
Attack on Grendel instantiated with d = 1
A Linear Cryptanalysis
Linear Property of x → x^d · (L_p(x) + α)
Linear Property of x → x^{d+} · (1 + L_p(x)) + x^{d−} · (1 − L_p(x))
Linear Property of x → α^{(x mod 2)} · x^2
Findings
Linear Property of x → (−1)^{x^2} · x^d