Algebraic Attacks Research Articles

Discrete mathematics for strengthening multivariate polynomial cryptography by addressing vulnerabilities

Multivariate Polynomial Cryptography (MPC) has emerged as a promising candidate for securing digital communication in the post-quantum era. Despite its potential, existing MPC schemes exhibit vulnerabilities that compromise their effectiveness against both classical and quantum attacks. This paper leverages discrete mathematics to address these vulnerabilities, providing a robust mathematical foundation for enhancing the security and efficiency of MPC schemes. The paper begins by identifying critical weaknesses in current MPC algorithms, such as susceptibility to algebraic attacks and high computational overhead. Using tools from discrete mathematics, particularly in combinatorics and algebra, novel multivariate quadratic equations are proposed, designed to be computationally infeasible for quantum algorithms to solve. The approach involves constructing new cryptographic primitives that improve resistance to known attack vectors while maintaining practical performance levels. This research fills a significant gap in the field by providing a rigorous mathematical framework for the development of more secure MPC schemes. Comprehensive security proofs and performance analyses demonstrate that these enhanced MPC constructions offer a viable path forward for post-quantum cryptography. The findings underscore the critical role of discrete mathematics in advancing the field and ensuring the future security of digital communications.

Filter generators with increased resistance against algebraic attacks

Filter generators form one of the best known and most studied classes of key stream generators used in synchronous stream ciphers. Each such generator consists of a binary linear shift register with a primitive feedback polynomial and a nonlinear Boolean function, which has a number of requirements related to the condition of generator security against known attacks. One such requirement is the high algebraic immunity of the generator's filter function; this parameter characterises security filter generator against modern algebraic attacks. In certain cases, this requirement is too restrictive in sense of practicality, as it increases the computational or circuit complexity of the key stream generation algorithm. This makes the actuality of increasing the resistance of filter generators with fixed filter functions, that have limited (low) algebraic immunity. The paper proposes to solve this problem by modifying the feedback function of the linear shift register. the security of the proposed generators against algebraic attacks is investigated and is shown that (under certain natural conditions) such generators are more secure at the same initial state length as compared to traditional filter generators. The proposed solution seems to be useful for practical application in advanced hardware-oriented stream ciphers design.

Algebraic Attacks on RAIN and AIM Using Equivalent Representations

Designing novel symmetric-key primitives for advanced protocols like secure multiparty computation (MPC), fully homomorphic encryption (FHE) and zero-knowledge proof systems (ZK), has been an important research topic in recent years. Many such existing primitives adopt quite different design strategies from conventional block ciphers. Notable features include that many of these ciphers are defined over a large finite field, and that a power map is commonly used to construct the nonlinear component due to its efficiency in these applications as well as its strong resistance against the differential and linear cryptanalysis. In this paper, we target the MPC-friendly ciphers AIM and RAIN used for the post-quantum signature schemes AIMer (CCS 2023 and NIST PQC Round 1 Additional Signatures) and Rainier (CCS 2022), respectively. Specifically, we can find equivalent representations of 2-round RAIN and full-round AIM, respectively, which make them vulnerable to either the polynomial method, or the crossbred algorithm, or the fast exhaustive search attack. Consequently, we can break 2-round RAIN with the 128/192/256-bit key in only 2111/2170/2225 bit operations. For full-round AIM with the 128/192/256-bit key, we could break them in 2136.2/2200.7/2265 bit operations, which are equivalent to about 2115/2178/2241 calls of the underlying primitives. In particular, our analysis indicates that AIM does not reach the required security levels by the NIST competition.

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box.In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen.As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.

Probabilistic algebraic attack on plantlet lightweight stream cipher

Probabilistic algebraic attack on plantlet lightweight stream cipher

Searching for an Efficient System of Equations Defining the AES Sbox for the QUBO Problem

The time complexity of solving the QUBO problem depends mainly on the number of logical variables in the problem. This paper focuses mainly on finding a system of equations that uniquely defines the Sbox of the AES cipher and simultaneously allows us to obtain the smallest known optimization problem in the QUBO form for the algebraic attack on the AES cipher. A novel method of searching for an efficient system of equations using linear-feedback shift registers has been presented in order to perform that task efficiently. Transformation of the AES cipher to the QUBO problem, using the identified efficient system, is presented in this paper as well. This method allows us to reduce the target QUBO problem for AES-128 by almost 500 logical variables, compared to our previous results, and allows us to perform the algebraic attack using quantum annealing four times faster.

Algebraic Attacks against Grendel: An Arithmetization-Oriented Primitive with the Legendre Symbol

The rise of modern cryptographic protocols such as Zero-Knowledge proofs and secure Multi-party Computation has led to an increased demand for a new class of symmetric primitives. Unlike traditional platforms such as servers, microcontrollers, and desktop computers, these primitives are designed to be implemented in arithmetical circuits. In terms of security evaluation, arithmetization-oriented primitives are more complex compared to traditional symmetric cryptographic primitives. The arithmetization-oriented permutation Grendel employs the Legendre Symbol to increase the growth of algebraic degrees in its nonlinear layer. To analyze the security of Grendel thoroughly, it is crucial to investigate its resilience against algebraic attacks. This paper presents a preimage attack on the sponge hash function instantiated with the complete rounds of the Grendel permutation, employing algebraic methods. A technique is introduced that enables the elimination of two complete rounds of substitution permutation networks (SPN) in the sponge hash function without significant additional cost. This method can be combined with univariate root-finding techniques and Gröbner basis attacks to break the number of rounds claimed by the designers. By employing this strategy, our attack achieves a gain of two additional rounds compared to the previous state-of-the-art attack. With no compromise to its security margin, this approach deepens our understanding of the design and analysis of such cryptographic primitives.

Revisiting algebraic attacks on MinRank and on the rank decoding problem

Revisiting algebraic attacks on MinRank and on the rank decoding problem

An ultra-lightweight block cipher with string transformations

Security efficiency and hardware efficiency are equally important when designing a block cipher. In this paper, we propose a new block cipher that uses string transformations and requires less memory and fewer computational resources, making it suitable for highly constrained environments. We compare the performance of our design with AES-128 and quasigroup-based block cipher INRU in the cipher block chaining (CBC) mode of operation using the National Institute of Standards and Technology (NIST) test suite. We then analyze our design against the standard linear, differential, and algebraic attacks. Choosing suitable S-boxes and a quasigroup of a smaller order does not compromise the security of the cipher, but the storage space is reduced compared with AES-128 and INRU.

IVLBC: An Involutive Lightweight Block Cipher for Internet of Things

Nowadays, the use of the Internet of Things has reached a commanding height in a new round of economic and technological upsurge. Its data transmission security has attracted much attention. It is well known that substitution permutation networks (SPNs) ciphers with high diffusion are not advantageous in unified encryption and decryption circuits with extremely resources constrained. Although some research has been carried out to address this issue, there are still insufficiencies. In this article, we propose a new 64-bit lightweight block cipher based on SPN named IVLBC, whose key allows 80 and 128 bits. The components of IVLBC are involutions. In particular, we propose a Feistel with tree structure to obtain a compact and involutive S-box. Also, the nibble-based involutive permutation is proposed to obtain the involutive permutation. Decryption can reuse encrypted code and circuitry in both software and hardware implementations. We prove that the costs of IVLBC are less than PRESENT, PRINCE, Midori, I-PRESENTTM, CRAFT, etc., in unified encryption and decryption circuits. In addition, we conduct other performance tests on IVLBC such as the differential attack, linear attack, integral attack, algebraic attack, invariant attacks, etc.

Efficient image encryption algorithm based on dynamic high-performance S-box and hyperchaotic system

With the development of information technology, security, low latency, and instant messaging have become a major demand. To solve this problem, this paper designs a secure and efficient image cipher algorithm. Firstly, a new four-dimensional hyperchaotic system with strong chaotic performance is proposed. Secondly, a dynamic high-performance S-box generation algorithm is proposed based on GF(28) by improving the method of generating S-boxes in AES, selecting suitable irreducible polynomial as well as affine matrix, precomputing the corresponding affine multiplication matrix as well as multiplication inverse matrix. The S-box algebraic expressions generated by this algorithm have 255 terms and are more resistant to algebraic attacks than AES. Finally, based on the four-dimensional hyperchaotic system and dynamic high-performance S-box generation algorithm, the new image cipher algorithm that can encrypt and decrypt images of arbitrary size is proposed. The image cipher algorithm consists of two rounds of interleaved permutation, two rounds of dynamic S-box substitution and cyclic shift permutation with fixed point. Cyclic shift permutation with fixed point and dynamic S-box substitution ensure that the plaintext transformation can be transferred to the entire image. Through testing, analysis and comparison, the algorithm has proven to be a secure and efficient image cipher algorithm.

A new algebraic attack on DASTA

As a fully homomorphic encryption friendly symmetric-key primitive, DASTA was invented by Hebborn at Fast Software Encryption 2020. A new fixed linear layer design concept is introduced in the DASTA stream cipher so that its AND depth and the number of ANDs per encrypted bit are quite small. Currently, the security of the DASTA stream cipher has received extensive attention. Note that the best-known attack (i.e., algebraic attack) on DASTA still has a very high data complexity. It appears to be an important task to reduce the data complexity of the attack on DASTA. In this article, a new algebraic attack on DASTA is proposed. More specifically, the key feed-forward operation, the properties of the nonlinear layer and the invariance from the linear layer are successfully utilized in the attack. In particular, the nonlinear relation of internal states in DASTA is linearized effectively. In this case, more secret key bit equations with low algebraic degrees are collected by fixing the bit. It is illustrated that four ( r − 1 )-round instances of the DASTA cipher family are theoretically broken by the attack, where r is the iterative number of round operations. Compared with the results of previous algebraic attacks, our approach achieves more favorable data complexity.

A Substitution Box for Lightweight Ciphers to Secure Internet of Things

The Internet of Things is a resource-constrained device that demands lightweight cryptographic solutions to achieve high performance and optimal security. In lightweight ciphers Substitution Box (S-box) plays an important role as it enables confusion property. However, it is one of the costlier operations. The design and construction of such S-boxes for Internet of Things (IoT) devices are crucial..Hence, we propose a 4-bit, highly Nonlinear, Bijective, Balanced S-box called Feather S-box to enable confusion in lightweight ciphers. The hardware performance of Feather S-Box is analysed in terms of Area and Critical Path-Delay cost. While examining the Area Delay-Product and Power-Delay Product, it shows 23% and 19% lower than PRESENT cipher and 12% lesser than GIFT and KATAN ciphers. The security analysis of the proposed S-Box is also done in terms of Nonlinearity, Bijective, Balanced, Global Avalanche characteristics, resistance to Algebraic attack, Side-channel attacks, Differential and Linear Cryptanalysis. The Feather S-box also exhibts good cryptographic properties such as Nonlinearity and immunity against Algebraic attacks. Moreover, it offers good resistance against Side-channel attack, Differential and Linear Cryptanalysis. We also observed that the Feather S-box has the highest immunity against Differential and Linear Cryptanalysis except for the SKINNY cipher.

Design, Hardware Implementation on FPGA and Performance Analysis of Three Chaos-Based Stream Ciphers

In this paper, we come up with three secure chaos-based stream ciphers, implemented on an FPGA board, for data confidentiality and integrity. To do so, first, we performed the statistical security and hardware metrics of certain discrete chaotic map models, such as the Logistic, Skew-Tent, PWLCM, 3D-Chebyshev map, and 32-bit LFSR, which are the main components of the proposed chaotic generators. Based on the performance analysis collected from the discrete chaotic maps, we then designed, implemented, and analyzed the performance of three proposed robust pseudo-random number generators of chaotic sequences (PRNGs-CS) and their corresponding stream ciphers. The proposed PRNGs-CS are based on the predefined coupling matrix M. The latter achieves a weak mixing of the chaotic maps and a chaotic multiplexing technique or XOR operator for the output function. Therefore, the randomness of the sequences generated is expanded as well as their lengths, and divide-and-conquer attacks on chaotic systems are avoided. In addition, the proposed PRNGs-CS contain polynomial mappings of at least degree 2 or 3 to make algebraic attacks very difficult. Various experimental results obtained and analysis of performance in opposition to different kinds of numerical and cryptographic attacks determine the high level of security and good hardware metrics achieved by the proposed chaos system. The proposed system outperformed the state-of-the-art works in terms of high-security level and a high throughput which can be considered an alternative to the standard methods.

Multiplicative Complexity of XOR Based Regular Functions

XOR-AND Graphs (XAGs) are an enrichment of the classical AND-Inverter Graphs (AIGs) with XOR nodes. In particular, XAGs are networks composed by ANDs, XORs, and inverters. Besides several emerging technologies applications, XAGs are often exploited in cryptography-related applications based on the multiplicative complexity of a Boolean function. The multiplicative complexity of a function is the minimum number of AND gates (i.e., multiplications) that are sufficient to represent the function over the basis {AND, XOR, NOT}. In fact, the minimization of the number of AND gates is important for high-level cryptography protocols such as secure multiparty computation, where processing AND gates is more expensive than processing XOR gates. Moreover, it is an indicator of the degree of vulnerability of the circuit, as a small number of AND gates corresponds to a high vulnerability to algebraic attacks. In this paper we study the multiplicative complexity of Boolean functions characterized by two particular regularities, called autosymmetry and D-reducibility. Moreover, we exploit these regularities for decreasing the number of AND nodes in XAGs. The experimental results validate the proposed approaches.

Security Analysis of DBTRU Cryptosystem

DBTRU was proposed by Thang and Binh in 2015. As a variant of NTRU, the integer polynomial ring is replaced by two binary truncated polynomial rings . DBTRU has some advantages over NTRU in terms of security and performance. In this paper, we propose a polynomial-time linear algebra attack against the DBTRU cryptosystem, which can break DBTRU for all recommended parameter choices. The paper shows that the plaintext can be achieved in less than 1 s via the linear algebra attack on a single PC.

Algebraic Attacks against Some Arithmetization-Oriented Primitives

Recent advanced Zero-Knowledge protocols, along with other high-level constructions such as Multi-Party Computations (MPC), have highlighted the need for a new type of symmetric primitives that are not optimized for speed on the usual platforms (desktop computers, servers, microcontrollers, RFID tags...), but for their ability to be implemented using arithmetic circuits.Several primitives have already been proposed to satisfy this need. In order to enable an efficient arithmetization, they operate over large finite fields, and use round functions that can be modelled using low degree equations. The impact of these properties on their security remains to be completely assessed. In particular, algebraic attacks relying on polynomial root-finding become extremely relevant. Such attacks work by writing the cryptanalysis as systems of polynomial equations over the large field, and solving them with off-the-shelf tools (SageMath, NTL, Magma, . . . ).The need for further analysis of these new designs has been recently highlighted by the Ethereum Foundation, as it issued bounties for successful attacks against round-reduced versions of several of them.In this paper, we show that the security analysis performed by the designers (or challenge authors) of four such primitives is too optimistic, and that it is possible to improve algebraic attacks using insights gathered from a careful study of the round function.First, we show that univariate polynomial root-finding can be of great relevance n practice, as it allows us to solve many of the Ethereum Foundation’s challenges on Feistel–MiMC. Second, we introduce a trick to essentially shave off two full rounds at little to no cost for Substitution-Permutation Networks (SPN). This can be combined with univariate (resp. multivariate) root-finding, which allowed to solve some challenges for Poseidon (resp. Rescue–Prime). Finally, we also find an alternative way to set up a system of equations to attack Ciminion, leading to much faster attacks than expected by the designers.

New Low-Memory Algebraic Attacks on LowMC in the Picnic Setting

The security of the post-quantum signature scheme Picnic is highly related to the difficulty of recovering the secret key of LowMC from a single plaintext-ciphertext pair. Since Picnic is one of the alternate third-round candidates in NIST post-quantum cryptography standardization process, it has become urgent and important to evaluate the security of LowMC in the Picnic setting. The best attacks on LowMC with full S-box layers used in Picnic3 were achieved with Dinur’s algorithm. For LowMC with partial nonlinear layers, e.g. 10 S-boxes per round adopted in Picnic2, the best attacks on LowMC were published by Banik et al. with the meet-in-the-middle (MITM) method.In this paper, we improve the attacks on LowMC in a model where memory consumption is costly. First, a new attack on 3-round LowMC with full S-box layers with negligible memory complexity is found, which can outperform Bouillaguet et al.’s fast exhaustive search attack and can achieve better time-memory tradeoffs than Dinur’s algorithm. Second, we extend the 3-round attack to 4 rounds to significantly reduce the memory complexity of Dinur’s algorithm at the sacrifice of a small factor of time complexity. For LowMC instances with 1 S-box per round, our attacks are shown to be much faster than the MITM attacks. For LowMC instances with 10 S-boxes per round, we can reduce the memory complexity from 32GB (238 bits) to only 256KB (221 bits) using our new algebraic attacks rather than the MITM attacks, while the time complexity of our attacks is about 23.2 ∼ 25 times higher than that of the MITM attacks. A notable feature of our new attacks (apart from the 4-round attack) is their simplicity. Specifically, only some basic linear algebra is required to understand them and they can be easily implemented.

An algebraic attack to the Bluetooth stream cipher E0

In this paper we study the security of the Bluetooth stream cipher E0 from the viewpoint it is a “difference stream cipher”, that is, it is defined by a system of explicit difference equations over the finite field GF(2). This approach highlights some issues of the Bluetooth encryption such as the invertibility of its state transition map, a special set of 14 bits of its 132-bit state which when guessed implies linear equations among the other bits and finally a small number of spurious keys, with 83 guessed bits, which are compatible with a keystream of about 60 bits. Exploiting these issues, we implement an algebraic attack using Gröbner bases, SAT solvers and Binary Decision Diagrams. Testing activities suggest that the version based on Gröbner bases is the best one and it is able to attack E0 in about 279 seconds on an Intel i9 CPU. To the best of our knowledge, this work improves any previous attack based on a short keystream, hence fitting with Bluetooth specifications.

A Novel Virtual Optical Image Encryption Scheme Created by Combining Chaotic S-Box with Double Random Phase Encoding.

The double random phase encoding (DRPE) system plays a significant role in encrypted systems. However, it is a linear system that leads to security holes in encrypted systems. To tackle this issue, this paper proposes a novel optical image encryption scheme that combines a chaotic S-box, DRPE, and an improved Arnold transformation (IAT). In particular, the encryption scheme designs a chaotic S-box to substitute an image. The chaotic S-box has the characteristics of high nonlinearity and low differential uniformity and is then introduced to enhance the security of the DRPE system. Chaotic S-boxes are resistant to algebraic attacks. An IAT is used to scramble an image encoded by the DRPE system. Meanwhile, three chaotic sequences are obtained by a nonlinear chaotic map in the proposed encryption scheme. One of them is used for XOR operation, and the other two chaotic sequences are explored to generate two random masks in the DRPE system. Simulation results and performance analysis show that the proposed encryption scheme is efficient and secure.