
New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: \(\texttt{Anemoi}\) Permutations and \(\texttt{Jive}\) Compression Mode

  • Conference paper
  • Published in: Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

Advanced cryptographic protocols such as Zero-knowledge (ZK) proofs of knowledge, widely used in cryptocurrency applications such as Zcash, Monero, Filecoin, Tezos and Topos, demand new cryptographic hash functions that are efficient not only over the binary field \(\mathbb {F}_2\), but also over large fields of prime characteristic \(\mathbb {F}_p\). This need has been acknowledged by the wider community, and new so-called Arithmetization-Oriented (AO) hash functions have been proposed, e.g. MiMC-Hash, Rescue–Prime, Poseidon, Reinforced Concrete and Griffin, to name a few.

In this paper we propose Anemoi: a new family of ZK-friendly permutations that can be used to construct efficient hash functions and compression functions. The main features of these algorithms are that 1) they are designed to be efficient within multiple proof systems (e.g. Groth16, Plonk, etc.), 2) they contain dedicated functions optimised for specific applications (namely Merkle tree hashing and general purpose hashing), and 3) they have highly competitive performance, e.g. about a factor of 2 improvement over Poseidon and Rescue–Prime in terms of R1CS constraints, a 21%–35% Plonk constraint reduction over a highly optimized Poseidon implementation, as well as competitive native performance, running between two and three times faster than Rescue–Prime, depending on the field size.

On the theoretical side, Anemoi pushes further the frontier in understanding the design principles that are truly entailed by arithmetization-orientation. In particular, we identify and exploit a previously unknown relationship between CCZ-equivalence and arithmetization-orientation. In addition, we propose two new standalone components that can be easily reused in new designs. One is a new S-box called Flystel, based on the well-studied butterfly structure, and the second is \(\textsf{Jive}\), a new mode of operation inspired by the “Latin dance” symmetric algorithms (Salsa, ChaCha and derivatives). Our design is a conservative one: it uses a very classical Substitution-Permutation Network structure, and the highlights of our detailed analysis of algebraic attacks can be of independent interest.
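The abstract states that Anemoi exploits a link between CCZ-equivalence and arithmetization-orientation through the Flystel S-box, but the page itself does not spell out the construction. The following is an added example, not code from the paper or its reference implementation: a toy Flystel-style butterfly over a small prime field, written from my own recollection of the design. The prime p = 11, the exponent α = 3, the generator g = 2 and the exact form of the two quadratic functions Q_γ and Q_δ are assumptions chosen for illustration and are not the paper's instance parameters. The point it demonstrates is the general one: the "open" map that is evaluated natively uses the expensive inverse power x^{1/α}, while a CCZ-equivalent "closed" map with the same graph can certify the same input/output pair using only degree-α operations, which is what keeps the constraint count low in a proof system.

```python
# Added example (not code from the Anemoi paper or its reference implementation):
# a toy Flystel-style butterfly over F_11 showing why an open/closed pair of
# maps with the same graph (CCZ-equivalence) matters for arithmetization.
# All parameters below are assumptions chosen for illustration.
from math import gcd

P = 11        # toy prime; x -> x^alpha is a permutation of F_p only if gcd(alpha, p-1) == 1
ALPHA = 3
G = 2         # a generator of F_11^* (2 has multiplicative order 10 mod 11)
G_INV = pow(G, -1, P)

assert gcd(ALPHA, P - 1) == 1
ALPHA_INV = pow(ALPHA, -1, P - 1)   # exponent realising x -> x^(1/alpha)

def q_gamma(x):
    """Q_gamma(x) = g*x^2 + g^{-1}  (assumed quadratic, degree 2)."""
    return (G * x * x + G_INV) % P

def q_delta(x):
    """Q_delta(x) = g*x^2  (assumed quadratic, degree 2)."""
    return (G * x * x) % P

def e(x):
    """E(x) = x^alpha: low degree, cheap to express as circuit constraints."""
    return pow(x, ALPHA, P)

def e_inv(x):
    """E^{-1}(x) = x^(1/alpha): high degree, expensive to express as constraints."""
    return pow(x, ALPHA_INV, P)

def open_flystel(x, y):
    """The permutation H(x, y) -> (u, v): a three-step butterfly that calls E^{-1}."""
    x = (x - q_gamma(y)) % P
    y = (y - e_inv(x)) % P
    x = (x + q_delta(y)) % P
    return x, y

def closed_flystel(y, v):
    """V(y, v) -> (x, u): has the same graph as H but uses only E and the Q's."""
    t = e((y - v) % P)
    return (t + q_gamma(y)) % P, (t + q_delta(v)) % P

def verify_with_closed(x, y, u, v):
    """Circuit-style check that (u, v) == H(x, y) without ever computing E^{-1}."""
    return closed_flystel(y, v) == (x, u)

def graphs_coincide():
    """Exhaustively confirm two facts over F_p^2: the closed map certifies every
    open evaluation, and H is a bijection (so it is usable as an S-box)."""
    outputs = set()
    for x in range(P):
        for y in range(P):
            u, v = open_flystel(x, y)
            if not verify_with_closed(x, y, u, v):
                return False
            outputs.add((u, v))
    return len(outputs) == P * P

def closed_rejects_wrong_output():
    """Soundness sanity check: a tampered output must fail the degree-alpha check."""
    u, v = open_flystel(3, 4)
    return not verify_with_closed(3, 4, (u + 1) % P, v)

if __name__ == "__main__":
    print("graphs coincide and H is a permutation:", graphs_coincide())
    print("tampered output rejected:", closed_rejects_wrong_output())
```

The security-relevant observation is in `verify_with_closed`: a prover evaluates `open_flystel` natively (one modular exponentiation by the inverse exponent), while the verifier's constraint system only needs the relation expressed by `closed_flystel`, whose algebraic degree is α. Both views describe the same set of (input, output) pairs, which is exactly what CCZ-equivalence (an affine map on the graph of the function) buys.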


Notes

  1. “Factory” is here used in the sense of the programming design pattern, i.e. it is an object returning functions.

  2. Starting from a given function F, applying any affine permutation of \(\mathbb {F}_{q}^{2}\) to its graph is unlikely to yield the graph of another function G. Indeed, this would require that the left hand side of \(\mathcal {L}(x, F(x))\) takes all the values in \(\mathbb {F}_{q}\) as x goes through \(\mathbb {F}_{q}\), which is a priori not the case. A mapping \(\mathcal {L}\) that does yield the graph of another function is called “admissible”, a concept that was extensively studied in [18].

  3. The result of Li et al. covers all generalized butterflies, not just those corresponding to Flystel structures. In a Flystel, the first parameter (which we will denote a) is set to 1. Their results for the differential uniformity and the linearity hold only when \(\beta \ne (1+a)^\alpha \), meaning that we simply need to make sure that \(\beta \ne 0\). For the algebraic degree, the condition they give in their Theorem 5 to have a degree equal to \(n+1\) degenerates into \(\beta ^{2^{i+1}} = \beta ^{2^{i}+1}\), which is never the case as \(i > 0\).

  4. The field order must have a bit length of at least 10 bits. The aim of this restriction is to ensure that e.g. MDS matrices can be found, as those might not be defined for small field sizes.

  5. Recall that the branching number of a linear permutation L is the minimum over \(x \ne 0\) of \(\textrm{hw}(x) + \textrm{hw}\left( L(x) \right) \), where \(\textrm{hw}(x)\) denotes the Hamming weight of x.

  6. We would expect the value of \(\kappa _{\alpha }\) to keep increasing with \(\alpha \), but the computations needed to estimate it become too costly as \(\alpha \) increases.

  7. For readability, the selector values have been omitted.

  8. We refer here to original instantiations, as opposed to a common practice in the industry of tweaking parameters (typically the MDS matrix layer). All instantiations here are original, paper versions, for fair comparison.

  9. Liu et al. originally utilized an earlier version of this work specifying 12 rounds in this setting.
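Footnote 5 gives the definition of the branching number of a linear permutation, and footnote 4 mentions that MDS matrices may not exist over very small fields. The following added example, which is not code from the paper, computes the branching number exhaustively over a small prime field so the definition can be checked by hand; the prime p = 11, the generator g = 2 and the matrices are constructed for illustration. It also goes one step beyond the footnote: an n × n matrix reaches the maximum branching number n + 1 exactly when it is MDS, which is the property a designer wants from the linear layer because it lower-bounds the number of active S-boxes over two consecutive rounds in differential and linear trails.

```python
# Added example (not from the paper): exhaustive branching-number computation
# over F_p for small linear maps, following the definition in footnote 5.
# p = 11, g = 2 and the example matrices are constructed for illustration.
from itertools import product

def hw(vec):
    """Hamming weight over F_p: number of non-zero coordinates."""
    return sum(1 for c in vec if c != 0)

def apply(matrix, vec, p):
    """Matrix-vector product L(x) over F_p (matrix given as a list of rows)."""
    return tuple(sum(r * v for r, v in zip(row, vec)) % p for row in matrix)

def branching_number(matrix, p):
    """min over x != 0 of hw(x) + hw(L(x)), by brute force over F_p^n.
    Feasible only for tiny p and n; it is meant to make the definition concrete."""
    n = len(matrix)
    best = 2 * n                       # hw(x) + hw(L(x)) can never exceed 2n
    for x in product(range(p), repeat=n):
        if any(x):                     # skip the zero vector, as the definition requires
            best = min(best, hw(x) + hw(apply(matrix, x, p)))
    return best

def is_mds(matrix, p):
    """An n x n matrix is MDS iff its branching number is n + 1 (the maximum).
    For a differential trail this means: one active S-box entering the linear
    layer forces at least n active S-boxes in the next round."""
    return branching_number(matrix, p) == len(matrix) + 1

# constructed matrices over F_11 with g = 2
IDENTITY_2 = [[1, 0], [0, 1]]                 # no diffusion at all
M2 = [[1, 2], [2, 5]]                         # [[1, g], [g, g^2 + 1]]
M3 = [[3, 1, 3], [1, 1, 2], [2, 1, 1]]        # [[g+1, 1, g+1], [1, 1, g], [g, 1, 1]]

if __name__ == "__main__":
    for name, m in (("identity", IDENTITY_2), ("M2", M2), ("M3", M3)):
        print(name, "branching number:", branching_number(m, 11), "MDS:", is_mds(m, 11))
```

Notice that the identity matrix, although a perfectly good permutation, has branching number 2: a single active coordinate stays a single active coordinate, so a differential trail can keep only one S-box active per round. The 2 × 2 and 3 × 3 examples reach 3 and 4 respectively, i.e. the MDS bound n + 1.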

References

  1. Polygon Miden. Repository, September 2022. https://github.com/maticnetwork/miden

  2. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  3. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symm. Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45

  4. Ambrona, M., Schmitt, A.L., Toledo, R.R., Willems, D.: New optimization techniques for PlonK’s arithmetization. Cryptology ePrint Archive, Paper 2022/462 (2022). https://eprint.iacr.org/2022/462

  5. Beierle, C., et al.: Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symm. Cryptol. 2020(S1), 208–261 (2020). https://doi.org/10.13154/tosc.v2020.iS1.208-261

  6. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046

  7. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014. https://doi.org/10.1109/SP.2014.36

  8. Ben-Sasson, E., Goldberg, L., Levit, D.: STARK friendly hash - survey and recommendation. Cryptology ePrint Archive, Report 2020/948 (2020). https://ia.cr/2020/948

  9. Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_8

  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19

  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, vol. 9. Citeseer (2007)

  12. Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_37

  13. Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Salen, R., Velichkov, V., Willems, D.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi permutations and Jive compression mode. Cryptology ePrint Archive, Paper 2022/840 (2022). https://eprint.iacr.org/2022/840

  14. Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Velichkov, V.: Anemoi: exploiting the link between arithmetization-orientation and CCZ-equivalence. Cryptology ePrint Archive, Report 2022/840 (2022). https://eprint.iacr.org/2022/840

  15. Budaghyan, L., Carlet, C., Pott, A.: New classes of almost bent and almost perfect nonlinear polynomials. IEEE Trans. Inf. Theor. 52(3), 1141–1152 (2006)

  16. Canteaut, A., Duval, S., Perrin, L.: A generalisation of Dillon’s APN permutation with the best known differential and nonlinear properties for all fields of size \(2^{4k+2}\). IEEE Trans. Inf. Theor. 63(11), 7575–7591 (2017). https://doi.org/10.1109/TIT.2017.2676807

  17. Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symm. Cryptol. 2020(S1), 160–207 (2020). https://doi.org/10.13154/tosc.v2020.iS1.160-207

  18. Canteaut, A., Perrin, L.: On CCZ-equivalence, extended-affine equivalence, and function twisting. Finite Fields Appl. 56, 209–246 (2019). https://doi.org/10.1016/j.ffa.2018.11.008

  19. Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Crypt. 15(2), 125–156 (1998)

  20. Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_1

  21. Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symm. Cryptol. 2018(2), 48–78 (2018). https://doi.org/10.13154/tosc.v2018.i2.48-78

  22. Dworkin, M.: SHA-3 standard: permutation-based hash and extendable-output functions. NIST FIPS 202 (2015). https://doi.org/10.6028/NIST.FIPS.202

  23. Faugère, J., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symbolic Comput. 16(4), 329–344 (1993). https://doi.org/10.1006/jsco.1993.1051

  24. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999). https://doi.org/10.1016/S0022-4049(99)00005-5

  25. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. Association for Computing Machinery, New York (2002). https://doi.org/10.1145/780506.780516

  26. Gabizon, A., Williamson, Z.J.: plookup: a simplified polynomial protocol for lookup tables. Cryptology ePrint Archive, Report 2020/315 (2020). https://eprint.iacr.org/2020/315

  27. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi.org/10.1137/0218012

  28. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new Feistel approach meets fluid-SPN: Griffin for zero-knowledge applications. Cryptology ePrint Archive, Report 2022/403 (2022). https://eprint.iacr.org/2022/403

  29. Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced Concrete: a fast hash function for verifiable computation. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 1323–1335. Association for Computing Machinery (2022). https://doi.org/10.1145/3548606.3560686

  30. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 519–535. USENIX Association, August 2021

  31. Grassi, L., Øygarden, M., Schofnegger, M., Walch, R.: From Farfalle to Megafono via Ciminion: the PRF Hydra for MPC applications. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 255–286. Springer, Heidelberg, April 2023. https://doi.org/10.1007/978-3-031-30634-1_9

  32. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg, May 2016. https://doi.org/10.1007/978-3-662-49896-5_11

  33. Hirose, S.: Sequential hashing with minimum padding. In: NIST Workshop on Lightweight Cryptography 2016. National Institute of Standards and Technology (NIST) (2016)

  34. Li, Y., Tian, S., Yu, Y., Wang, M.: On the generalization of butterfly structure. IACR Trans. Symm. Cryptol. 2018(1), 160–179 (2018). https://doi.org/10.13154/tosc.v2018.i1.160-179

  35. Liu, J., et al.: An efficient verifiable state for zk-EVM and beyond from the Anemoi hash function. Cryptology ePrint Archive, Paper 2022/1487 (2022). https://eprint.iacr.org/2022/1487

  36. Loustaunau, W.: An Introduction to Gröbner Bases. American Mathematical Society (1994). https://books.google.is/books?id=Caoxi78WaIAC

  37. McLoughlin, M.B.: addchain: cryptographic addition chain generation in Go. Repository, October 2021. https://github.com/mmcloughlin/addchain. https://doi.org/10.5281/zenodo.5622943

  38. Meckler, I., Rao, V., Ryan, M., Querol, A., Spadavecchia, J., Wong, D.: Mina book, Kimchi specification. https://o1-labs.github.io/proof-systems/specs/kimchi.html#poseidon

  39. Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_6

  40. Perrin, L., Udovenko, A., Biryukov, A.: Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 93–122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_4

  41. Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-Prime: a standard specification (SoK). Cryptology ePrint Archive, Report 2020/1143 (2020). https://eprint.iacr.org/2020/1143

  42. Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 hash function for recursive STARKs. Cryptology ePrint Archive, Paper 2023/107 (2023). https://eprint.iacr.org/2023/107

  43. Zero, P.: Plonky2. Repository, September 2022. https://github.com/mir-protocol/plonky2


Acknowledgements

We thank the reviewers of CRYPTO 2023 for providing insightful comments which helped improve the clarity of this paper. In particular, we would like to thank the shepherd for their assistance in finalizing the paper. We are also grateful to Markulf Kohlweiss, Antoine Rondelet and Duncan Tebbs for proofreading an earlier draft of this paper, and for providing insightful comments and suggestions. Additionally, we extend our thanks to Duncan Tebbs for providing an independent estimation of the Flystel circuit cost in terms of R1CS constraints. The work of Léo Perrin is supported by the European Research Council (ERC, grant agreement no. 101041545 “ReSCALE”). We thank Tomer Ashur for pointing out a mistake in Fig. 1 in a previous version of the paper. We also thank Miguel Ambrona and Raphaël Toledo for the idea of the quadratic custom gate and their contribution to the Plonk implementation.

Corresponding author

Correspondence to Clémence Bouvier.


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Bouvier, C. et al. (2023). New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: \(\texttt{Anemoi}\) Permutations and \(\texttt{Jive}\) Compression Mode. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_17


  • DOI: https://doi.org/10.1007/978-3-031-38548-3_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3
