Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC

  • Martin R. Albrecht
  • Carlos Cid
  • Lorenzo Grassi
  • Dmitry Khovratovich
  • Reinhard Lüftenegger
  • Christian Rechberger
  • Markus Schofnegger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11923)


The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, are among the first proposed solutions to the problem of designing symmetric-key algorithms suitable for transparent, post-quantum secure zero-knowledge proof systems such as ZK-STARKs. In this paper we describe an algebraic cryptanalysis of Jarvis and Friday and show that the proposed number of rounds is not sufficient to provide adequate security. In Jarvis, the round function is obtained by combining a finite field inversion, a full-degree affine permutation polynomial and a key addition. Yet we show that even though the high degree of the affine polynomial may prevent some algebraic attacks (as claimed by the designers), the particular algebraic properties of the round function make both Jarvis and Friday vulnerable to Gröbner basis attacks. We also consider MiMC, a block cipher similar in structure to Jarvis. However, this cipher proves to be resistant against our proposed attack strategy. Still, our successful cryptanalysis of Jarvis and Friday does illustrate that block cipher designs for “algebraic platforms” such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks.


Keywords: Gröbner basis · MARVELlous · Jarvis · Friday · MiMC · ZK-STARKs · Algebraic cryptanalysis · Arithmetic circuits



We thank Tomer Ashur for fruitful discussions about Jarvis, Friday, and a preliminary version of our analysis. The research described in this paper was supported by the Royal Society International Exchanges grant “Domain Specific Ciphers” (IES\R2\170211) and the “Lightest” project, which is partially funded by the European Commission as an Innovation Act as part of the Horizon 2020 program under grant agreement number 700321.



Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Martin R. Albrecht (1)
  • Carlos Cid (1, 2)
  • Lorenzo Grassi (5, 6)
  • Dmitry Khovratovich (3, 4, 7)
  • Reinhard Lüftenegger (5)
  • Christian Rechberger (5)
  • Markus Schofnegger (5)

  1. Information Security Group, Royal Holloway, University of London, London, UK
  2. Simula UiB, Bergen, Norway
  3. Dusk Network, Amsterdam, The Netherlands
  4. ABDK Consulting, Tallinn, Estonia
  5. IAIK, Graz University of Technology, Graz, Austria
  6. Know-Center, Graz, Austria
  7. Evernym Inc., Salt Lake City, USA
