Algebraic Attacks on Round-Reduced Rain and Full AIM-III

Abstract

Picnic is a NIST PQC Round 3 Alternate signature candidate that builds upon symmetric primitives following the MPC-in-the-head paradigm. Recently, researchers have been exploring more secure/efficient signature schemes from conservative one-way functions based on AES, or new low-complexity one-way functions like Rain (CCS 2022) and AIM (CCS 2023 and Round 1 Additional Signatures announced by NIST PQC). The signature schemes based on Rain and AIM are currently the most efficient among MPC-in-the-head-based schemes, making them promising post-quantum digital signature candidates.

However, the exact hardness of these new one-way functions deserves further study and scrutiny. This work presents algebraic attacks on Rain and AIM for certain instances, where one-round Rain can be compromised in \(2^{n/2}\) for security parameter \(n\in \{128,192,256\}\), and two-round Rain can be broken in \(2^{120.3}\), \(2^{180.4}\), and \(2^{243.1}\) encryptions, respectively. Additionally, we demonstrate an attack on AIM-III (which aims at 192-bit security) with a complexity of \(2^{186.5}\) encryptions. These attacks exploit the algebraic structure of the power function over fields with characteristic 2, which provides potential insights into the algebraic structures of some symmetric primitives and thus might be of independent interest.

A Toy Examples of Attacks on Reduced-Round Rain

In this section, we concretely present toy examples for one-round Rain and two-round Rain, which would help the readers understand our attacks via examples. We choose the field \(\mathbb F _{2^4}\) with irreducible polynomial \(f(x)=x^4+x+1\).

Notation. For an element \(a_0+a_1x+a_2x^2+a_3x^3\) of field \(\mathbb F _{2^4}\), \(a_i\in \mathbb F _2\), we may express it in several equivalent forms:

1. 1.

   Polynomial representation, i.e. \(a_0+a_1x+a_2x^2+a_3x^3\).

2. 2.

   Binary representation, i.e. \(a_0a_1a_2a_3\).

3. 3.

   Vector of \(\mathbb F _2\), i.e. \((a_0,a_1,a_2,a_3)\)

Concretely, \(1+x+x^3\) is equivalent to 1101 or (1, 1, 0, 1). And 1 is equivalent to 1000 or (1, 0, 0, 0). We also use the notation \((1,1,0,1)^2=(1+x+x^3)^2=1+x^3=(1,0,0,1)\)

Power Function. We first show the square function over \(\mathbb F _{2^4}\) is linear.

$$\begin{aligned} & (a_0+a_1x+a_2x^2+a_3x^3)^2 \bmod f(x) \\ & = (a_0+a_1x^2+a_2x^4+a_3x^6) \bmod f(x) \\ & = a_0+a_1x^2+a_2(x+1)+a_3(x^3+x^2) \\ & = (a_0+a_2)+a_2x+(a_1+a_3)x^2+a_3x^3 \end{aligned}$$

So we can use the notation \((a_0,a_1,a_2,a_3)^2=(a_0+a_2,a_2,a_1+a_3,a_3)\). Similarly, we can have \((a_0,a_1,a_2,a_3)^4=(a_0+a_1+a_2+a_3,a_1+a_3,a_2+a_3,a_3)\).

Parameter Sets. We choose \(P=0000,c^{(1)}=0010,c^{(2)}=0001,k=0100\) and

$$M_1=\begin{bmatrix} 1 &{} 0 &{} 1 &{} 0\\ 0 &{} 1 &{} 0 &{} 0\\ 0 &{} 0 &{} 1 &{} 0\\ 1 &{} 0 &{} 0 &{} 1\\ \end{bmatrix}, \quad M_2=\begin{bmatrix} 1 &{} 1 &{} 0 &{} 0\\ 0 &{} 0 &{} 1 &{} 0\\ 0 &{} 1 &{} 0 &{} 0\\ 1 &{} 0 &{} 0 &{} 1\\ \end{bmatrix}, \quad M_2^{-1}=\begin{bmatrix} 1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 0\\ 0 &{} 1 &{} 0 &{} 0\\ 1 &{} 0 &{} 1 &{} 1\\ \end{bmatrix} . $$

For convenience, we precompute some values and list them on Table 6. Let \(d=3\). As you can see, \(x^d,x\ne 0\) takes only \(15/3=5\) possible choices.

Table 6. Table for \(\mathbb F _{2^4}\).

1.1 A.1 One-Round Rain

The encryption of one-round Rain (Fig. 6) is :

$$\begin{aligned} P=0000 \xrightarrow {\oplus k \oplus c^{(1)}} 0110 \xrightarrow {x^{-1}}1110 \xrightarrow {M_1(\cdot )} 0111 \xrightarrow {\oplus k} 0011=C . \end{aligned}$$

(6)

We guess the value of \((P+k+c^{(1)})^3\) over \((2^4-1)/3=5\) possible choices. Suppose we guess \((P+k+c^{(1)})^3=1\). The following steps will be repeated for each guess, here we only show the execution for the correct guess which is \((P+k+c^{(1)})^3=1\). So we have

$$\begin{aligned} (P+k+c^{(1)})^{-1} & =(P+k+c^{(1)})^{14} \nonumber \\ & =(P+k+c^{(1)})^{3\cdot 4} \cdot (P+k+c^{(1)})^2 \nonumber \\ & =(P+k+c^{(1)})^2 \nonumber \\ & =(k_0,k_1,k_2+ 1,k_3)^2 \nonumber \\ & =(k_0+ k_2+ 1,k_2+ 1,k_1+ k_3,k_3) \end{aligned}$$

(7)

$$\begin{aligned} \xrightarrow {M_1(\cdot )} & (k_0+ k_1+ k_2+ k_3+ 1,k_2+ 1,k_1+ k_3,k_0+ k_2+ k_3+ 1) \nonumber \\ \xrightarrow {\oplus k} & (k_1+ k_2+ k_3+ 1,k_1+ k_2+ 1,k_1+ k_2+ k_3,k_0+ k_2+ 1) \nonumber \\ & = (0,0,1,1) \nonumber \\ & = C \end{aligned}$$

By solving the linear equations, we can obtain two candidate keys \(k^*=0100\) and \(k^{**}=0010\). Given the public input P and output C, it is easy to check by executing the one-round encryption in Eq. (6) that \(k^*\) is the correct key.

Fig. 6.

Rain permutation with \(r=1\).

1.2 A.2 Two-Round Rain

We follow the notations and the parameter choices as in the attack on one-round Rain. The encryption of two-round Rain (Fig. 7) is :

Fig. 7.

Rain permutation with \(r=2\).

• We linearize the first S-box by guessing \((P+k+c^{(1)})^3=1\) as in the previous attack on one-round. Then we have the following linear equations:

  $$\begin{aligned} 0 & =(P+k+c^{(1)})^4 + (P+k+c^{(1)}) \\ & = (k_0,k_1,k_2+1,k_3)^4 + (k_0,k_1,k_2+1,k_3) \\ & = (k_0+k_1+k_2+k_3+1,k_1+k_3,k_2+k_3+1,k_3) + (k_0,k_1,k_2+1,k_3) \\ & = (k_1+k_2+k_3+1,k_3,k_3,0) \end{aligned}$$

  This gives us two linearly independent equations:

  $$ \left\{ \begin{array}{rl} k_1+k_2&{}=1\\ k_3&{}=0\\ \end{array} \right. $$

  Consequently, we can decide on two free variables \(k_0,k_2\) and two basic variables \(k_1=k_2+1,k_3=0\).

• Next, we compute the input of the second S-box \(M_1(P+k+c^{(1)})^{-1}\). Substituting \(M_1\) as we choose and substituting the expression of \((P+k+c^{(1)})^{-1}\) as in Eq. (7), we get the following

  

  Backward, represent the output of the second S-box and we have

  

  Because the multiplication of the input and the output of the second S-box equals 1, thus we can write down the following quadratic equations:

  $$\begin{aligned} (0,0,1,k_0+k_2)\cdot (k_0+k_2+1,k_2,k_2+1,k_0+k_2+1) &= 1\\ \rightarrow (k_0k_2+1,k_2,k_0k_2+k_0,k_2)&= 1 \end{aligned}$$

  By solving the linear equation, we can obtain a candidate key \(k^*=0100\). Given the public input P and the output C, it is easy to check that \(k^*\) is the correct key by executing two-round Rain encryption.