MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

  • Martin AlbrechtEmail author
  • Lorenzo Grassi
  • Christian Rechberger
  • Arnab Roy
  • Tyge Tiessen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


We explore cryptographic primitives with low multiplicative complexity. This is motivated by recent progress in practical applications of secure multi-party computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge proofs (ZK) where primitives from symmetric cryptography are needed and where linear computations are, compared to non-linear operations, essentially “free”. Starting with the cipher design strategy “LowMC” from Eurocrypt 2015, a number of bit-oriented proposals have been put forward, focusing on applications where the multiplicative depth of the circuit describing the cipher is the most important optimization goal.

Surprisingly, albeit many MPC/FHE/ZK-protocols natively support operations in \(\text {GF}({p})\) for large p, very few primitives, even considering all of symmetric cryptography, natively work in such fields. To that end, our proposal for both block ciphers and cryptographic hash functions is to reconsider and simplify the round function of the Knudsen-Nyberg cipher from 1995. The mapping \(F(x) := x^3\) is used as the main component there and is also the main component of our family of proposals called “MiMC”. We study various attack vectors for this construction and give a new attack vector that outperforms others in relevant settings.

Due to its very low number of multiplications, the design lends itself well to a large class of applications, especially when the depth does not matter but the total number of multiplications in the circuit dominates all aspects of the implementation. With a number of rounds which we deem secure based on our security analysis, we report on significant performance improvements in a representative use-case involving SNARKs.


Distributed cryptography Cryptanalysis Block ciphers Hash functions Zero knowledge 



We thank Alessandro Chiesa, Eran Tromer and Madars Virza for helpful discussions on SNARKs. The work in this paper has been partially supported by the Austrian Science Fund (project P26494-N15) and by the EU H2020 project Prismacloud (grant agreement nr. 644962). Albrecht was supported by EPSRC grant EP/L018543/1 “Multilinear Maps in Cryptography”.


  1. [AÅBL12]
    Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G.: On the distribution of linear biases: three instructive examples. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 50–67. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_4 CrossRefGoogle Scholar
  2. [ADL+08]
    Arbitman, Y., Dogon, G., Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: Swifftx: a proposal for the SHA-3 standard. Submission to NIST (2008)Google Scholar
  3. [AGR+16]
    Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. Cryptology ePrint Archive, Report 2016/492 (2016).
  4. [ÅHJM11]
    Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of grain-128 with optional authentication. IJWMC 5(1), 48–59 (2011)CrossRefGoogle Scholar
  5. [Ajt96]
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, May 1996, pp. 99–108. ACM Press (1996)Google Scholar
  6. [ARS+15]
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_17 Google Scholar
  7. [ARS+16a]
    Albrecht, M., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. Cryptology ePrint Archive, Report 2016/687 (2016).
  8. [ARS+16b]
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. Cryptology ePrint Archive, Report 2016 (2016).
  9. [BBL+15]
    Banerjee, A., Brenner, H., Leurent, G., Peikert, C., Rosen, A.: SPRING: fast pseudorandom functions from rounded ring products. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 38–57. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_3 Google Scholar
  10. [BCG+14]
    Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18–21 May 2014, pp. 459–474. IEEE Computer Society (2014)Google Scholar
  11. [BDPA08]
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78967-3_11 CrossRefGoogle Scholar
  12. [BFS14]
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of the F5 Gröbner basis Algorithm. J. Symb. Comput. 70, 49–70 (2014)zbMATHCrossRefGoogle Scholar
  13. [BKW93]
    Becker, T., Kredel, H., Weispfenning, V.: Gröbner Bases: A Computational Approach to Commutative Algebra. Springer, New York (1993)zbMATHCrossRefGoogle Scholar
  14. [BMP13]
    Boyar, J., Matthews, P., Peralta, R.: Logic minimization techniques with applications to cryptology. J. Cryptology 26(2), 280–312 (2013)MathSciNetzbMATHCrossRefGoogle Scholar
  15. [BP12]
    Boyar, J., Peralta, R.: A small depth-16 circuit for the AES S-box. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) Information Security and Privacy Conference (SEC). IFIP Advances in Information and Communication Technology, vol. 376, pp. 287–298. Springer, Heidelberg (2012)Google Scholar
  16. [BSCG+13]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40084-1_6 CrossRefGoogle Scholar
  17. [BSS+13]
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013).
  18. [Can97]
    Canteaut, A.: Differential cryptanalysis of feistel ciphers and differentially \(\delta \)-uniform mappings. In: Workshop on Selected Areas in Cryptography, SAC 1997, Workshop Record, pp. 172–184 (1997)Google Scholar
  19. [CCF+16]
    Canteaut, A., Carpov, S., Fontaine, C., Lepoint, T., Naya-Plasencia, M., Paillier, P., Sirdey, R.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. To appear in Proceedings of FSE 2016, available on Cryptology ePrint Archive, Report 2015/113 (2016).
  20. [CFH+15]
    Costello, C., Fournet, C., Howell, J., Kohlweiss, M., Kreuter, B., Naehrig, M., Parno, B., Zahur, S.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 253–270. IEEE Computer Society (2015)Google Scholar
  21. [CGP+12]
    Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_21 CrossRefGoogle Scholar
  22. [CP08]
    Cannière, C., Preneel, B.: Trivium. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-68351-3_18 CrossRefGoogle Scholar
  23. [DPVAR00]
    Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: Noekeon. In: First Open NESSIE Workshop (2000)Google Scholar
  24. [DWBV+96]
    De Win, E., Bosselaers, A., Vandenberghe, S., De Gersem, P., Vandewalle, J.: A fast software implementation for arithmetic operations in GF(2n). In: Kim, K., Matsumoto, T. (eds.) Advances in Cryptology – ASIACRYPT ’96. Lecture Notes in Computer Science, vol. 1163, pp. 65–76. Springer, Berlin Heidelberg (1996)CrossRefGoogle Scholar
  25. [ENI13]
    ENISA. Algorithms, key sizes and parameters report – 2013 recommendations. Technical report, European Union Agency for Network and Information Security, October 2013Google Scholar
  26. [GLSV14]
    Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_2 Google Scholar
  27. [GP97]
    Guajardo, J., Paar, C.: Efficient algorithms for elliptic curve cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 342–356. Springer, Heidelberg (1997). doi: 10.1007/BFb0052247 CrossRefGoogle Scholar
  28. [GRR+16]
    Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.: MPC-friendly symmetric key primitives. Cryptology ePrint Archive, Report 2016 (2016).
  29. [Has00]
    Hasan, M.A.: Look-up table-based large finite field multiplication in memory constrained cryptosystems. IEEE Trans. Comput. 49(7), 749–758 (2000)MathSciNetCrossRefGoogle Scholar
  30. [HMV93]
    Harper, G., Menezes, A., Vanstone, S.: Public-key cryptosystems with very small key lengths. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 163–173. Springer, Heidelberg (1993). doi: 10.1007/3-540-47555-9_14 CrossRefGoogle Scholar
  31. [JK97]
    Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). doi: 10.1007/BFb0052332 CrossRefGoogle Scholar
  32. [KA98]
    Koc, C.K., Acar, T.: Montgomery multiplication in GF(2k). Des. Codes Crypt. 14(1), 57–69 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  33. [KN95]
    Knudsen, L.R., Nyberg, K.: Provable security against a differential attack. J. Crypt. 8(1), 27–37 (1995)MathSciNetzbMATHGoogle Scholar
  34. [KR11]
    Knudsen, L.R., Robshaw, M.: The Block Cipher Companion. Information Security and Cryptography. Springer, Heidelberg (2011)zbMATHCrossRefGoogle Scholar
  35. [Lab]
  36. [LMPR08]
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-71039-4_4 CrossRefGoogle Scholar
  37. [LMS13]
    Lebreton, R., Mehrabi, E., Schost, É.: On the complexity of solving bivariate systems: the case of non-singular solutions. In: Kauers, M. (ed.) International Symposium on Symbolic and Algebraic Computation, ISSAC’13, Boston, MA, USA, 26–29 June 2013, pp. 251–258. ACM (2013)Google Scholar
  38. [MJSC16]
    Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_13 CrossRefGoogle Scholar
  39. [MVO96]
    Menezes, A.J., Vanstone, S.A., Van Oorschot, P.C.: Handbook of Applied Cryptography, 1st edn. CRC Press Inc., Boca Raton (1996)zbMATHCrossRefGoogle Scholar
  40. [NIS14]
    NIST. DRAFT FIPS PUB 202, SHA-3 standard: permutation-based hash and extendable-output functions (2014)Google Scholar
  41. [NR97]
    Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, pp. 458–467. IEEE Computer Society (1997)Google Scholar
  42. [Nyb94]
    Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_6 CrossRefGoogle Scholar
  43. [PH78]
    Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (corresp.). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)MathSciNetzbMATHCrossRefGoogle Scholar
  44. [PHGR16]
    Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. Commun. ACM 59(2), 103–112 (2016)CrossRefGoogle Scholar
  45. [Sho]
    Shoup, V.: Number theory library 5.5.2 (NTL) for C++.
  46. [Sto85]
    Stoss, H.-J.: The complexity of evaluating interpolation polynomials. Theor. Comput. Sci. 41, 319–323 (1985)MathSciNetzbMATHCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Martin Albrecht
    • 1
    Email author
  • Lorenzo Grassi
    • 3
  • Christian Rechberger
    • 2
    • 3
  • Arnab Roy
    • 2
  • Tyge Tiessen
    • 2
  1. 1.Royal HollowayUniversity of LondonLondonUK
  2. 2.DTU ComputeTechnical University of Denmark Kongens LyngbyDenmark
  3. 3.IAIKGraz University of TechnologyGrazAustria

Personalised recommendations