Abstract
The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, are among the first proposed solutions to the problem of designing symmetric-key algorithms suitable for transparent, post-quantum secure zero-knowledge proof systems such as ZK-STARKs. In this paper we describe an algebraic cryptanalysis of Jarvis and Friday and show that the proposed number of rounds is not sufficient to provide adequate security. In Jarvis, the round function is obtained by combining a finite field inversion, a full-degree affine permutation polynomial and a key addition. Yet we show that even though the high degree of the affine polynomial may prevent some algebraic attacks (as claimed by the designers), the particular algebraic properties of the round function make both Jarvis and Friday vulnerable to Gröbner basis attacks. We also consider MiMC, a block cipher similar in structure to Jarvis. However, this cipher proves to be resistant against our proposed attack strategy. Still, our successful cryptanalysis of Jarvis and Friday does illustrate that block cipher designs for “algebraic platforms” such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks.
Notes
- 1. We omit optimisations related to the trace layout.
- 2. The ciphers were announced, to great anticipation from the audience, at the premier Ethereum conference DevCon4, held in November 2018 [BS18].
- 3. As suggested in Sect. 3.3, our attack proceeds by running steps 1 and 2 twice and recovering the last variable via the GCD computation, thus reducing the complexity of step 3.
- 4.
- 5. This property was observed by Tomer Ashur and Alan Szepieniec and shared with us during personal communication.
- 6. We note that this situation is somewhat analogous to the one described in [BPW06].
References
Albrecht, M., Cid, C.: Algebraic techniques in differential cryptanalysis. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 193–208. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_12
Ashur, T., Dhooghe, S.: MARVELlous: A STARKFriendly Family of Cryptographic Primitives. Cryptology ePrint Archive, Report 2018/1098. https://eprint.iacr.org/2018/1098 (2018)
Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34
Albrecht, M.R., Cid, C., Faugère, J.-C., Perret, L.: Algebraic Algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018. http://eprint.iacr.org/2014/1018 (2014)
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Albrecht, M.R., Grassi, L., Perrin, L., Ramacher, S., Rechberger, C., Rotaru, D. et al.: Feistel Structures for MPC, and More. Cryptology ePrint Archive, Report 2019/397, to appear in ESORICS 2019. https://eprint.iacr.org/2019/397 (2019)
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of Symmetric-Key Primitives for Advanced Cryptographic Protocols. Cryptology ePrint Archive, Report 2019/426. https://eprint.iacr.org/2019/426 (2019)
Ashur, T.: Private Communication, March 2019
Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the index of regularity of quadratic semi-regular polynomial systems. In: The Effective Methods in Algebraic Geometry Conference (MEGA), pp. 1–14 (2005)
Bosma, W., Cannon, J., Playoust, C.: The MAGMA algebra system I: the user language. J. Symbolic Comput. 24, 235–265 (1997)
Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., et al.: Zerocash: Decentralized Anonymous Payments from Bitcoin. Cryptology ePrint Archive, Report 2014/349 (2014). http://eprint.iacr.org/2014/349
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046. https://eprint.iacr.org/2018/046 (2018)
Bettale, L., Faugère, J.-C., Perret, L.: Solving polynomial systems over finite fields: improved analysis of the hybrid approach. In: International Symposium on Symbolic and Algebraic Computation, ISSAC 2012, pp. 67–74. ACM (2012)
Buchmann, J., Pyshkin, A., Weinmann, R.-P.: A zero-dimensional Gröbner basis for AES-128. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 78–88. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_6
Ben-Sasson, E.: State of the STARK, November 2018. https://drive.google.com/file/d/1Osa0MXu-04dfwn1YOSgN6CXOgWnsp-Tu/view
Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. Ph.D. thesis, University of Innsbruck (1965)
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, May 2018. https://doi.org/10.1109/SP.2018.00020
Courtois, N.T., Bard, G.V.: Algebraic cryptanalysis of the data encryption standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77272-9_10
Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms - An Introduction to Computational Algebraic Geometry and Commutative Algebra. Undergraduate Texts in Mathematics, 2nd edn. Springer, Heidelberg (1997). https://doi.org/10.1007/978-3-319-16721-3
Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_11
Courtois, N.T.: Higher order correlation attacks, XL algorithm and cryptanalysis of toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_13
Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A Distinguisher for High Rate McEliece Cryptosystems. Cryptology ePrint Archive, Report 2010/331. http://eprint.iacr.org/2010/331 (2010)
Faugère, J.-C., Gligoroski, D., Perret, L., Samardjiska, S., Thomae, E.: A polynomial-time key-recovery attack on MQQ cryptosystems. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 150–174. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_7
Faugère, J.-C., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)
Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Mora, T. (ed.) Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation ISSAC, pp. 75–83. ACM Press, July 2002. ISBN 1-58113-484-3
Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
Faugère, J.-C., Mou, C.: Fast algorithm for change of ordering of zero-dimensional Gröbner bases with sparse multiplication matrices. In: Schost, É., Emiris, I.Z. (eds.) Symbolic and Algebraic Computation, International Symposium, ISSAC 2011, pp. 115–122. ACM (2011). https://doi.org/10.1145/1993886.1993908
Faugère, J.-C., Perret, L., de Portzamparc, F.: Algebraic attack against variants of mceliece with goppa polynomial of a special form. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 21–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_2
Fröberg, R.: An inequality for Hilbert series of graded algebras. Mathematica Scandinavica 56, 117–144 (1985)
Genovese, G.: Improving the algorithms of Berlekamp and Niederreiter for factoring polynomials over finite fields. J. Symb. Comput. 42(1–2), 159–177 (2007)
Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: New Hash Functions for Zero Knowledge Proof Systems. Cryptology ePrint Archive, Report 2019/458. https://eprint.iacr.org/2019/458 (2019)
Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash protocol specification: version 2019.0-beta-37 [Overwinter+Sapling]. Technical report, Zerocoin Electric Coin Company (2019). https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
Horowitz, E.: A fast method for interpolation using preconditioning. Inf. Process. Lett. (IPL) 1(4), 157–163 (1972)
Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332
Khovratovich, D., Biryukov, A., Nikolic, I.: Speeding up collision search for byte-oriented hash functions. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 164–181. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_11
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Kreuzer, M., Robbiano, L.: Computational Commutative Algebra, 1st edn. Springer, New York (2000)
Kung, H.-T.: Fast Evaluation and Interpolation. Technical report, Department of Computer Science, Carnegie-Mellon University, January 1973
Lidl, R., Niederreiter, H.: Finite Fields. Encyclopedia of Mathematics and its Applications, 2nd edn. Cambridge University Press (1996)
Murphy, S., Robshaw, M.J.B.: Essential algebraic structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_1
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press, May 2013. https://doi.org/10.1109/SP.2013.47
Stein, W., et al.: Sage Mathematics Software Version 8.6. The Sage Development Team (2019). http://www.sagemath.org
Wang, M., Sun, Y., Mouha, N., Preneel, B.: Algebraic techniques in differential cryptanalysis revisited. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 120–141. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22497-3_9
Acknowledgements
We thank Tomer Ashur for fruitful discussions about Jarvis, Friday, and a preliminary version of our analysis. The research described in this paper was supported by the Royal Society International Exchanges grant “Domain Specific Ciphers” (IES\R2\170211) and the “Lightest” project, which is partially funded by the European Commission as an Innovation Act as part of the Horizon 2020 program under grant agreement number 700321.
Appendices
A Polynomials of Section 4.2
In Sect. 4.2, we search for monic affine polynomials D, E such that the equality
is satisfied, where B, C are monic affine polynomials of degree 4. In particular, given
the goal is to find
such that \( D(B) = E(C). \)
By comparing the corresponding coefficients of D(B) and E(C), we obtain a system of 5 linear equations in the 6 variables \(d_0, d_1, d_2, e_0, e_1, e_2\):
This system can be solved to recover D and E.
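An added worked example of the coefficient comparison above (example code, not the paper's own): it assumes the monic affine polynomials have the form \(P(x) = x^4 + p_2 x^2 + p_1 x + p_0\), uses GF(2^8) with the AES reduction polynomial as a small stand-in for the cipher's field, reads off the 5-by-6 linear system in \(d_2, d_1, d_0, e_2, e_1, e_0\) by probing the affine map \(v \mapsto D(B) + E(C)\), and solves it by Gauss-Jordan elimination. The helpers `gf_mul`, `compose`, `solve` and `find_DE` and the sample polynomials `B`, `C` are all constructed here.

```python
import functools
MOD = 0x11B  # assumption: GF(2^8) with the AES polynomial stands in for Jarvis's much larger GF(2^n)
def gf_mul(a, b):
    """Multiply in GF(2^8) by shift-and-add, reducing modulo MOD."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (MOD if a & 0x80 else 0), b >> 1
    return r
def gf_inv(a):  # a^(2^8 - 2) = a^-1 for a != 0 (Fermat)
    return functools.reduce(lambda r, _: gf_mul(r, a), range(254), 1)
def compose(outer, inner):
    """outer(inner(x)) for affine outer = {2^k: coef, 0: const}; in char 2, (c x^e)^2 = c^2 x^(2e)."""
    res = {}
    for d, c in outer.items():
        pw = {0: 1} if d == 0 else inner
        for _ in range(d.bit_length() - 1):  # raise inner to the 2^k-th power by repeated squaring
            pw = {2 * e: gf_mul(v, v) for e, v in pw.items()}
        for e, v in pw.items():
            res[e] = res.get(e, 0) ^ gf_mul(c, v)
    return res
def polys(v):
    """Assumed form: v = (d2, d1, d0, e2, e1, e0) gives D = x^4 + d2 x^2 + d1 x + d0 and E likewise."""
    return {4: 1, 2: v[0], 1: v[1], 0: v[2]}, {4: 1, 2: v[3], 1: v[4], 0: v[5]}
def residual(B, C, v):
    """Coefficients of D(B) + E(C) at degrees 8, 4, 2, 1, 0 (x^16 is monic on both sides; + is - in char 2)."""
    D, E = polys(v)
    lhs, rhs = compose(D, B), compose(E, C)
    return [lhs.get(d, 0) ^ rhs.get(d, 0) for d in (8, 4, 2, 1, 0)]
def solve(M, t):
    """Gauss-Jordan over GF(2^8) for the underdetermined system M v = t; free variables are set to 0."""
    rows, piv = [row + [b] for row, b in zip(M, t)], []
    for c in range(len(M[0])):
        p = next((i for i in range(len(piv), len(rows)) if rows[i][c]), None)
        if p is None:
            continue  # free column: no pivot row left for it
        r = len(piv)
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):  # clear column c in every other row (row scaling is harmless)
            if i != r and rows[i][c]:
                rows[i] = [gf_mul(x, rows[r][c]) ^ gf_mul(y, rows[i][c]) for x, y in zip(rows[i], rows[r])]
        piv.append(c)
    sol = {c: gf_mul(gf_inv(rows[i][c]), rows[i][-1]) for i, c in enumerate(piv)}
    return [sol.get(c, 0) for c in range(len(M[0]))]
def find_DE(B, C):
    """v -> residual(v) is affine, so probing 0 and the unit vectors reads off M and t; then solve M v = t."""
    t = residual(B, C, [0] * 6)
    cols = [[a ^ b for a, b in zip(residual(B, C, [int(i == j) for i in range(6)]), t)] for j in range(6)]
    return polys(solve([[cols[j][i] for j in range(6)] for i in range(5)], t))
B = {4: 1, 2: 0x03, 1: 0x05, 0: 0x07}  # constructed sample inputs, chosen so the 5x6 system has rank 5
C = {4: 1, 2: 0x03, 1: 0x09, 0: 0x0B}
```

Because \(d_0\) and \(e_0\) enter only the degree-0 equation, the solver leaves one of them free, which is the one-dimensional solution family the 5-by-6 count predicts.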
B Constants \(\alpha _i\), \(\beta _i\), \(\gamma _i\), and \(\delta _i\) for the Round Keys
Each round key \(k_{i+1} = \frac{1}{k_i} + c_{i}\) in Jarvis can be written as
where \(\alpha _i\), \(\beta _i\), \(\gamma _i\), and \(\delta _i\) are constants. By simple computation, note that:
- \(i = 0\): $$\begin{aligned} k_1 = \frac{1}{k_0} + c_{0} = \frac{c_{0} k_0 + 1}{k_0}, \end{aligned}$$ and \(\alpha _0 = c_{0}, \beta _0 = 1, \gamma _0 = 1, \delta _0 = 0\);
- \(i = 1\): $$\begin{aligned} k_2 = \frac{1}{k_1} + c_{1} = \frac{(c_{0} c_{1} + 1) k_0 + c_{1}}{c_{0} k_0 + 1}, \end{aligned}$$ and \(\alpha _1 = 1 + c_{0} c_{1}, \beta _1 = c_{1}, \gamma _1 = c_{0}, \delta _1 = 1\);
- \(i = 2\): $$\begin{aligned} k_3 = \frac{1}{k_2} + c_{2} = \frac{(c_{0} c_{1} c_{2} + c_{0} + c_{2}) k_0 + c_{1} c_{2} + 1}{(c_{0} c_{1} + 1) k_0 + c_{1}}, \end{aligned}$$ and \(\alpha _2 = c_{0} c_{1} c_{2} + c_{0} + c_{2}, \beta _2 = c_{1} c_{2} + 1, \gamma _2 = c_{0} c_{1} + 1, \delta _2 = c_{1}\);
and so on. Thus, we can derive recursive formulas to calculate the remaining values for generic \(i \ge 0\):
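A worked derivation of such a recursion, added here and not part of the paper's text: writing \(k_{i+1} = \frac{\alpha _i k_0 + \beta _i}{\gamma _i k_0 + \delta _i}\) as in the three cases above, one round of the key schedule gives

$$\begin{aligned} k_{i+2} = \frac{1}{k_{i+1}} + c_{i+1} = \frac{\gamma _i k_0 + \delta _i}{\alpha _i k_0 + \beta _i} + c_{i+1} = \frac{(c_{i+1} \alpha _i + \gamma _i)\, k_0 + (c_{i+1} \beta _i + \delta _i)}{\alpha _i k_0 + \beta _i}, \end{aligned}$$

so that, starting from \(\alpha _0 = c_{0}, \beta _0 = 1, \gamma _0 = 1, \delta _0 = 0\),

$$\begin{aligned} \alpha _{i+1} = c_{i+1} \alpha _i + \gamma _i, \quad \beta _{i+1} = c_{i+1} \beta _i + \delta _i, \quad \gamma _{i+1} = \alpha _i, \quad \delta _{i+1} = \beta _i . \end{aligned}$$

Substituting \(i = 0\) and \(i = 1\) reproduces the constants listed for \(k_2\) and \(k_3\) above.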
C System of Equations from Section 7
The system of equations is constructed by symbolically computing \(A_{\textsc {AES}{}}^{-1}(\hat{C}(x))\), as described in Sect. 7, and setting all coefficients of degrees \(8, 16, 32, 64, 128\) to \(0\). For each of these five degrees, the corresponding equation below is the sum of all coefficients belonging to that degree:
In practical tests we found that no (nontrivial) coefficients \(\hat{c}_1, \hat{c}_2, \hat{c}_4\) satisfy all of the previous equalities, which means that there are no polynomials \(\hat{B}\) and \(\hat{C}\), both of degree \(4\), that satisfy \(A_{\textsc {AES}{}}(X) = (\hat{C} \circ \hat{B}^{-1})(X)\).
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Albrecht, M.R. et al. (2019). Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science, vol 11923. Springer, Cham. https://doi.org/10.1007/978-3-030-34618-8_13
DOI: https://doi.org/10.1007/978-3-030-34618-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34617-1
Online ISBN: 978-3-030-34618-8