Out of Oddity - New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems

The security and performance of many integrity proof systems, such as SNARKs, STARKs and Bulletproofs, depend heavily on the underlying hash function. For this reason, several new proposals have recently been developed. These primitives clearly require an in-depth security evaluation, especially since their implementation constraints have led to less standard design approaches. This work compares the security levels offered by two recent families of such primitives, namely GMiMC and HadesMiMC. We exhibit low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most of the parameters proposed in recently launched public challenges for STARK-friendly hash functions. In the more concrete setting of the sponge construction corresponding to the practical use in the ZK-STARK protocol, we present a practical collision attack on a round-reduced version of GMiMC and a preimage attack on some instances of HadesMiMC. To achieve these results, we adapt and generalize several cryptanalytic techniques to fields of odd characteristic.
