Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC

  • Martin R. Albrecht
  • Carlos Cid
  • Lorenzo Grassi
  • Dmitry Khovratovich
  • Reinhard Lüftenegger (corresponding author)
  • Christian Rechberger
  • Markus Schofnegger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11923)

Abstract

The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, are among the first proposed solutions to the problem of designing symmetric-key algorithms suitable for transparent, post-quantum secure zero-knowledge proof systems such as ZK-STARKs. In this paper we describe an algebraic cryptanalysis of Jarvis and Friday and show that the proposed number of rounds is not sufficient to provide adequate security. In Jarvis, the round function is obtained by combining a finite field inversion, a full-degree affine permutation polynomial and a key addition. Yet we show that even though the high degree of the affine polynomial may prevent some algebraic attacks (as claimed by the designers), the particular algebraic properties of the round function make both Jarvis and Friday vulnerable to Gröbner basis attacks. We also consider MiMC, a block cipher similar in structure to Jarvis. However, this cipher proves to be resistant against our proposed attack strategy. Still, our successful cryptanalysis of Jarvis and Friday does illustrate that block cipher designs for “algebraic platforms” such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks.
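The two round structures the abstract contrasts, as an added toy illustration written for this page (not the authors' code, and using none of the actual Jarvis, Friday or MiMC parameters): a MiMC-style cubing round x -> (x + k + c_i)^3 over the toy prime field F_101, whose r-round map is recovered by Lagrange interpolation so that its univariate degree can be watched growing as 3^r, and a Jarvis-style round over GF(2^8) built from field inversion, an F_2-affine (linearized) polynomial and a key addition. The field sizes, the reduction polynomial 0x11B, the affine coefficients, the key and the round constants are all constructed for the example. The last helper records a fact about finite-field inversion that the abstract does not spell out and that is stated here as background rather than as the paper's argument: as a power map the inverse has degree 2^8 - 2 = 254, yet every non-zero x satisfies the degree-2 relation x * y = 1 with y its inverse, the sort of low-degree relation that a univariate-degree argument alone does not account for.

```python
# Toy models of the two round structures contrasted in the abstract. Built for
# this page as an illustration: not the authors' code, and none of the real
# parameters of Jarvis, Friday or MiMC; all values below are constructed.

# ---- MiMC-style round over a prime field: x -> (x + k + c_i)^3 ---------------
P = 101                          # toy prime with gcd(3, P - 1) = 1, so cubing permutes F_P
KEY = 17                         # constructed key
CONSTANTS = [7, 31, 58, 90, 13]  # constructed round constants

def mimc_encrypt(x, key, round_constants):
    """One cubing round per constant, then a final key addition."""
    for c in round_constants:
        x = pow((x + key + c) % P, 3, P)
    return (x + key) % P

def lagrange_basis(xs):
    """Coefficient lists (lowest degree first) of the Lagrange basis over F_P."""
    basis = []
    for i, xi in enumerate(xs):
        num, denom = [1], 1  # running product of (X - xj) and of (xi - xj)
        for j, xj in enumerate(xs):
            if j == i:
                continue
            num = [((num[k - 1] if k else 0) - xj * (num[k] if k < len(num) else 0)) % P
                   for k in range(len(num) + 1)]
            denom = denom * (xi - xj) % P
        inv = pow(denom, P - 2, P)  # Fermat inverse of the denominator
        basis.append([a * inv % P for a in num])
    return basis

BASIS = lagrange_basis(list(range(P)))  # computed once: every map is sampled on all of F_P

def interpolate(ys):
    """Polynomial of degree < P (lowest degree first) with value ys[x] at x = 0..P-1."""
    coeffs = [0] * P
    for y, basis_poly in zip(ys, BASIS):
        if y:
            coeffs = [(c + y * b) % P for c, b in zip(coeffs, basis_poly)]
    return coeffs

def degree(coeffs):
    """Highest index with a non-zero coefficient (-1 for the zero polynomial)."""
    return max((k for k, a in enumerate(coeffs) if a), default=-1)

def mimc_degrees(max_rounds):
    """Degree of the r-round map for r = 1..max_rounds: 3^r while 3^r < P (3, 9, 27, 81 for four rounds)."""
    return [degree(interpolate([mimc_encrypt(x, KEY, CONSTANTS[:r]) for x in range(P)]))
            for r in range(1, max_rounds + 1)]

# ---- Jarvis-style round over GF(2^N): inversion, affine polynomial, key ------
N = 8
MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over F_2 (toy field size)

def gf_mul(a, b):
    """Carry-less multiplication of two field elements, reduced mod MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    """Inversion as the power map x -> x^(2^N - 2), which sends 0 to 0."""
    return gf_pow(a, (1 << N) - 2)

def affine_poly(x, coeffs, const):
    """L(x) = const + sum_i coeffs[i] * x^(2^i): an F_2-affine (linearized) polynomial."""
    r = const
    for i, a in enumerate(coeffs):
        r ^= gf_mul(a, gf_pow(x, 1 << i))
    return r

AFFINE_COEFFS = [1, 1, 1]  # constructed: L(x) = x + x^2 + x^4 + const
AFFINE_CONST = 0x5A        # constructed

def jarvis_like_round(x, key, coeffs=AFFINE_COEFFS, const=AFFINE_CONST):
    return affine_poly(gf_inv(x), coeffs, const) ^ key

def is_affine_permutation(coeffs, const):
    """L(x + y) = L(x) + L(y) + L(0) for all 2^(2N) pairs, and L is a bijection."""
    t = [affine_poly(x, coeffs, const) for x in range(1 << N)]
    return len(set(t)) == len(t) and all(
        t[x ^ y] == t[x] ^ t[y] ^ t[0] for x in range(1 << N) for y in range(1 << N))

def inversion_relation_holds():
    """As a power map the inverse has degree 2^N - 2 = 254, yet every non-zero x
    satisfies the degree-2 relation x * y = 1 with y = gf_inv(x)."""
    return all(gf_mul(x, gf_inv(x)) == 1 for x in range(1, 1 << N))
```

`mimc_degrees(4)` returns `[3, 9, 27, 81]`; past four rounds the degree 3^r exceeds the field size and interpolation over the 101 points only recovers the reduction modulo x^101 - x, which is why the toy field is kept just large enough to show the growth. The affine layer is checked both for F_2-affinity and for bijectivity, since a linearized polynomial over GF(2^n) is not automatically a permutation; the constructed choice x + x^2 + x^4 is one because x^3 + x + 1 has no roots in GF(2^8).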

Keywords

Gröbner basis, MARVELlous, Jarvis, Friday, MiMC, ZK-STARKs, Algebraic cryptanalysis, Arithmetic circuits

Notes

Acknowledgements

We thank Tomer Ashur for fruitful discussions about Jarvis, Friday, and a preliminary version of our analysis. The research described in this paper was supported by the Royal Society International Exchanges grant “Domain Specific Ciphers” (IES\R2\170211) and the “Lightest” project, which is partially funded by the European Commission as an Innovation Act as part of the Horizon 2020 program under grant agreement number 700321.


Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Martin R. Albrecht (1)
  • Carlos Cid (1, 2)
  • Lorenzo Grassi (5, 6)
  • Dmitry Khovratovich (3, 4, 7)
  • Reinhard Lüftenegger (5), corresponding author
  • Christian Rechberger (5)
  • Markus Schofnegger (5)
  1. Information Security Group, Royal Holloway, University of London, London, UK
  2. Simula UiB, Bergen, Norway
  3. Dusk Network, Amsterdam, The Netherlands
  4. ABDK Consulting, Tallinn, Estonia
  5. IAIK, Graz University of Technology, Graz, Austria
  6. Know-Center, Graz, Austria
  7. Evernym Inc., Salt Lake City, USA
