Improved Interpolation Attacks on Cryptographic Primitives of Low Algebraic Degree

Abstract

Symmetric cryptographic primitives with low multiplicative complexity have been proposed to improve the performance of emerging applications such as secure Multi-Party Computation. However, primitives composed of round functions with low algebraic degree require a careful evaluation to assess their security against algebraic cryptanalysis, and in particular interpolation attacks. This paper proposes new low-memory interpolation attacks on symmetric key primitives of low degree. Moreover, we present generic attacks on block ciphers with a simple key schedule; our attacks require either constant memory or constant data complexity. The improved attack is applied to the block cipher MiMC which aims to minimize the number of multiplications in large finite fields. As a result, we can break MiMC-129/129 with 38 rounds with time and data complexity \(2^{65.5}\) and \(2^{60.2}\) respectively and with negligible memory; this attack invalidates one of the security claims of the designers. Our attack indicates that for MiMC-129/129 the full 82 rounds are necessary even with restrictions on the memory available to the attacker. For variants of MiMC with larger keys, we present new attacks with reduced complexity. Our results do not affect the security claims of the full round MiMC.

A Algorithm for Computing \(E(K,x_i)-y_i\)

This section describes the algorithm to obtain the explicit expression of \(E(K,x_i)-y_i\) which is used in Step 3 of the GCD attacks in Sect. 4.2. Recall that here K is the variable and \((x_i,y_i)\) is an input/output pair corresponding to some plaintext/ciphertext pair.

1. 1.

   Select \(d^{R_{\texttt {KA}}(r,\ell )}+1\) different values \(\alpha _0,\cdots ,\alpha _{d^{R_{\texttt {KA}}(r,\ell )}}\in \) \(\mathbb {F}_{q}\) .

2. 2.

   Compute \(\beta _j=E(\alpha _j,x_i)-y_i\) for \(i=0,1\) and \(0\le j \le d^{R_{\texttt {KA}}(r,\ell )}\).

3. 3.

   Interpolate the polynomial \(g_i(x)\) such that \(g_i(\alpha _j)=\beta _j\) for \(i=0,1\) and \(0\le j \le d^{R_{\texttt {KA}}(r,\ell )}\).

First observe that the iterative structure of \(E(K,x_i)-y_i\) enables us to evaluate \(E(\alpha _j,x_i)-y_i\) round by round. In each round one needs to evaluate a polynomial with constant degree, which can be done in constant time. Hence, each \(\beta _j\) is obtained with complexity only \(O(R_{\texttt {KA}}(r,\ell ))\) though the degree is \(d^{R_{\texttt {KA}}(r,\ell )}\). It follows that the second step has time complexity \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). The third step is a standard polynomial interpolation with complexity \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). Hence, the total time complexity is \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). The memory complexities of the algorithm is \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\) due to the polynomial interpolation in the third step [14].