Keywords

1 Introduction

The emergence of cryptographic protocols with advanced functionalities, such as fully homomorphic encryption, multi-party computation and new types of proof systems, has led to a strong demand for new symmetric primitives offering good performance in the context of these specific applications. Indeed, as emphasized by Katz  [26] in his invited lecture at CRYPTO 2019, symmetric-key cryptography has an important role to play in the further practical advancement of these applications. However, the standard criteria which govern the design of symmetric primitives are usually not appropriate in the context of these applications. For instance, the cost of the homomorphic evaluation of a symmetric primitive is mainly determined by its multiplicative size and depth  [6]. Similarly, the area of integrity proof systems, like SNARKs, STARKs, Bulletproofs, is asking for symmetric primitives optimized for yet another cost metric. Moreover, the use of hash functions that are defined over finite fields of odd characteristic, in particular over prime fields is desirable in many such applications. One example of such a use case is the zero-knowledge proof system deployed in the Zcash cryptocurrency. Another very interesting example is the ZK-STARK protocol  [13], which is expected to be deployed on top of the Ethereum blockchain within the next year: it uses as a building-block a collision-resistant hash function, and the performance of the proof system highly depends on the number of arithmetic operations required for describing the hash function (see  [7] for details).

Therefore, several new ciphers and hash functions have been proposed in the last five years for these advanced protocols. They include several FHE-friendly symmetric encryption schemes such as LowMC  [6], FLIP  [31], Kreyvium  [20] and Rasta  [22], some MPC-friendly block ciphers such as MiMC  [5] and its variants  [3, 24], and some primitives dedicated to proof systems such as the functions from the Marvellous family, including Jarvis, Friday  [8], Vision and Rescue  [7].

However, all these primitives are very innovative constructions and the implementation constraints which govern their designs may have introduced some unexpected weaknesses. This was the case for LowMC, which was broken a few weeks after its publication  [21, 23, 32]. More recently, a practical attack against Jarvis has been mounted  [2], showing that some of these designs are probably not mature enough for practical applications and require a more in-depth security evaluation. In particular, several of these primitives are defined over an odd prime field, a setting in which most of the classical cryptanalytic tools, and therefore also related security arguments, do not apply directly. This includes linear cryptanalysis and its variants, integral attacks and higher-order differential or cube attacks.

Our Contributions. This work analyses the security of two families of such primitives. To be concrete, we focus on the concrete proposals of STARK-friendly hash functions which have been specified in the context of a public competition launched by StarkWare IndustriesFootnote 1. We aim to compare the security levels offered, for similar parameters, by two families of primitives: GMiMC  [3, 4] and HadesMiMC  [24, 25]. More precisely, we evaluate the resistance of these two primitives against several general types of attacks: attacks exploiting differential properties, integral attacks and advanced algebraic attacks. As a result, we present low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in the challenges. In the more concrete setting of the sponge construction corresponding to the practical use in the ZK-STARK protocol, we describe a collision attack on a round-reduced version of GMiMC and a preimage attack on some instances of HadesMiMC. Our findings for the most efficient variants of the primitives are summarized in Table 1.

From a technical point, our results required to adapt and generalize several cryptanalytic techniques to fields of odd characteristic. In particular, for integral attacks, we demonstrate that instead of using sums over additive subgroups as usually done for ciphers over \(\mathbb {F}_2^n\), it is possible to use any multiplicative subgroup of \(\mathbb {F}_q^\times \) with similar impact. Interestingly, this seems to suggest that finite fields \(\mathbb {F}_q\) with a limited number of multiplicative subgroups might be preferable, i.e. one might want to avoid \(q-1\) being smooth. This implies that the fields which are suitable for implementing FFT may be more vulnerable to integral attacks. We expect that these general insights have applications beyond our concrete cryptanalytic results.

An additional technical contribution of this paper is the use of algebraic techniques for ensuring that transitions of a differential characteristic for a hash function hold for many rounds without paying the typical expensive probabilistic cost. In particular, we exploit the algebraic structure of the hash function to penetrate deep into its state and represent the conditions for the differential transitions as algebraic equations that can be efficiently solved. We refer to these attacks as algebraically controlled differential attacks. Algebraic techniques have been previously used in combination with differential attacks (for example, in the recent cryptanalysis of SHA-1  [36]). However, unlike prior work, in our setting each differential transition is very expensive to bypass probabilistically. Hence, our attacks are almost entirely algebraic and use dedicated techniques to ensure that the algebraic equations can be efficiently solved.

Table 1. Distinguishers on the GMiMC and HadesMiMC permutations and attacks breaking the corresponding sponge hash functions. The variants aiming at \(128\)-bit security operate on \(t=12\) elements in \(\mathbb {F}_q\) with \(q=2^{61} + 20 \times 2^{32} + 1\). The variants aiming at \(256\)-bit security operate on \(t=14\) elements in \(\mathbb {F}_q\) with \(q=2^{125}+266 \times 2^{64}+1\). The last attack (\(^*\)) only applies when the linear layer has a low multiplicative order. Attacks on full versions are typeset in bold.
Full size table

Organization of the Paper. The following section describes the two STARK-friendly primitives considered in the paper and their concrete instances. Section 3 details how integral attacks can be mounted over finite fields of any characteristic. Following this new framework, Sect. 4 exhibits low-complexity integral distinguishers on the full GMiMC permutation. Several differential attacks on round-reduced GMiMC are then detailed in Sect. 5, including a practical collision attack on the corresponding hash function. Section 6 presents two attacks on HadesMiMC: a general integral distinguisher covering all but two rounds of the permutation, and a preimage attack on the hash function which applies in the specific case where the MDS matrix defining the linear layer has a low multiplicative order.

2 STARK-Friendly Primitives

This paper focuses on two families of primitives, which are recent evolutions of the block cipher MiMC designed by Albrecht et al. in 2016 [5], and offer much more flexibility than the original construction:

  • , designed by Albrecht et al.  [3, 4]

  • , proposed by Grassi et al.  [24, 25], for which two versions are distinguished depending on the characteristic of the underlying field: Starkad over a field of characteristic \(2\), and Poseidon over a prime field.

2.1 Expected Security Level

GMiMC and HadesMiMC are two block ciphers but both of them can be turned into permutations by replacing the round-keys by fixed independent and randomly chosen round-constants. Based on these primitives, hash functions are obtained by applying the sponge construction  [14, 15] depicted in Fig. 1 and using the primitive as an inner permutation.

Fig. 1.
figure 1

Sponge construction with inner permutation \(\pi \), internal state with \(t=12\) words and capacity \(c=4\).

Full size image

In the following, we extensively use the following notation: the sponge operates on a state composed of \(t\) elements in a finite field \(\mathbb {F}_q\). The main parameters which determine the security level of the sponge construction with respect to generic attacks are its capacity \(c\) and the size of the underlying alphabet \(\mathbb {F}_q\). Namely, a random sponge whose capacity consists of \(c\) elements in \(\mathbb {F}_q\) provides a generic security level corresponding to \(\frac{c}{2} \log _2 q\) queries both for collision and (second)-preimage resistance  [14].

The primary cryptanalytic goal is to exhibit collision or preimage attacks on some weakened variants of the hash functions. However, the existence of a property which distinguishes a given cryptographic function from an ideal function of the same size is also commonly considered as a weakness (see e.g.  [11, Page 19] for a discussion). In our context, since our attacks do not make any assumptions about the round-constants in the inner permutations, our distinguishers are related to the known-key model for block ciphers  [28].

While a distinguisher on \(\pi \) cannot always be turned into a distinguisher for the hash function, it invalidates the security arguments provided by the indifferentiability proof of the sponge construction  [15]. For this reason, the authors of Keccak advocate following the so-called hermetic sponge strategy  [16, Page 13], i.e. using the sponge construction with an inner permutation that should not have any structural distinguisher (other than the existence of a compact description).

2.2 Concrete Instances

The different members in each of these families are determined by the triple \((c,t,q)\) representing respectively the number of words in the capacity, the number of words in the state and the field size. In the following, when referring to practical examples, we will focus on the values \((c,t,q)\) considered in the StarkWare challenges given in Table 2. To each triple \((c,t,q)\) correspond two variants: over a prime field and over a binary field, and the exact values of \(q\) are detailed in Table 2. Performance in terms of trace size, proving time, and verification cost, are essential criteria for choosing a STARK-friendly hash function. Implementation results show that, for each family of hash functions, the variant 128-d (for the target \(128\)-bit security) is by far the most efficient  [35]. For this reason, some attacks in the paper focus more specifically on this member in the three families, i.e., on sponges whose internal state consists of \(t=12\) words in a finite field \(\mathbb {F}_q\) of order close to \(2^{64}\) and with capacity \(c=4\). It is also worth noticing that, in terms of performance and suitability, odd prime fields are more STARK-friendly than binary fields for a given size.

Table 2. Parameters proposed for the permutation and sponge construction.
Full size table

2.3 Specifications of GMiMC

GMiMC is a family of block ciphers designed by Albrecht et al. in 2019  [3] based on different types of Feistel networks using \(x \mapsto x^3\) over the field corresponding to the branch alphabet as the round function. Among the variants proposed by the designers, we focus on the one chosen in the StarkWare challenges and depicted in Fig. 2, namely the variant using an unbalanced Feistel network with an expanding round function, named \(\mathsf {GMiMC}_{\mathsf {erf}}\). In the whole paper, the rounds (and round constants) are numbered starting from \(1\), and the branches are numbered from \(1\) to \(t\) where Branch \(1\) is the leftmost branch. For the sake of simplicity, this particular variant will be called GMiMC. A specificity of GMiMC is that the designers’ security claims concern the primitive instantiated over a prime field. They mention that “even if GMiMC can be instantiated over \(\mathbb {F}_{2^n}\), [they] do not provide the number of rounds to guarantee security in this scenario”.

In the block cipher setting with a key size equal to \(n=\log _2 q\) bits, the key schedule is trivial, i.e. the master key is added to the input of the cube function at every round. This very simple key schedule is a major weakness  [18]. However, it seems difficult to leverage the underlying property in the hash function setting we are focusing on.

2.4 Specifications of HadesMiMC

HadesMiMC is a family of permutations described by Grassi et al. in  [25] which follows a new design strategy for block ciphers called HADES. The HADES construction aims to decrease the number of Sboxes relative to a traditional Substitution-Permutation Network, while guaranteeing that the cipher still resists all known attacks, including differential and linear cryptanalysis and algebraic attacks. Reducing the number of Sboxes is especially important in many applications and this was traditionally achieved by using a partial substitution-layer, i.e., an Sbox layer which does not operate on the whole internal state. However, several attacks on this type of constructions, e.g.  [12, 21, 23, 32] show that it is much more difficult to estimate the security level of these constructions than that of classical SPNs. The basic principle of the HADES construction is then to combine both aspects: the inner rounds in the cipher have a partial Sbox layer to increase the resistance to algebraic attacks at a reduced implementation cost, whereas the outer rounds consist of traditional SPN rounds, with a full Sbox layer (Fig. 3). The resistance against statistical attacks is analyzed by removing the inner rounds, while the resistance to algebraic attacks, e.g. the evolution of the algebraic degree over the cipher, involves the inner rounds.

Fig. 2.
figure 2

One round of the GMiMC permutation with \(t=12\).

Full size image
Fig. 3.
figure 3

The HadesMiMC construction with \(t=6\).

Full size image

HadesMiMC  [25, Section 3] is then a keyed permutation following the HADES construction dedicated to MPC applications or to STARK proof systems, where the Sbox is defined by the cube mapping over a finite field and the linear layer \(L\) corresponds to a \((t \times t)\)-MDS matrix. Two concrete instantiations of HadesMiMC are then detailed by Grassi et al. in  [24], namely:

  • Starkad operates on \(t\) elements in a binary field of odd absolute degree (which guarantees that the cube mapping is bijective);

  • Poseidon operates on \(t\) elements in a prime field \(\mathbb {F}_p\) with \(p \bmod {3} \ne 1\).

In both cases the partial rounds consist of a single Sbox operating on the last coordinate of the state. For all parameters we consider, the number of full rounds is equal to \(8\) and the number of partial rounds varies between \(40\) and \(88\).

3 Integral Attacks over Fields of Any Characteristic

The notion of integral attacks has been introduced by Knudsen and Wagner  [29] and captures several variants including saturation attacks and higher-order differential attacks. These attacks have been used for cryptanalyzing many ciphers, but to our best knowledge, all of them operate on a binary field. Indeed, the main property behind these attacks is that, for any \(F: \mathbb {F}_{2}^m \rightarrow \mathbb {F}_{2}^m\) and for any affine subspace \(V \subset \mathbb {F}_2^m\),

$$\begin{aligned} \sum _{x \in V} F(x) =0 \end{aligned}$$

when \(\deg F < \dim V\). This comes from the fact that the sum of the images by \(F\) of all inputs in \(V\) corresponds to a value of a derivative of \(F\) of order \((\dim V)\)  [30]. It follows that this derivative has degree at most \((\deg (F)-\dim V)\) and thus vanishes when \(\deg F < \dim V\). It is then possible to saturate some input bits of \(F\) and to use as a distinguishing property the fact that the output bits are balanced, i.e. they sum to zero. The fact that the sum over all \(x \in V\) of \(F(x)\) corresponds to the value of a higher-order derivative does not hold anymore in odd characteristic, and the same technique cannot be applied directly.

Higher-order differentials over \(\mathbb {F}_q\) then need to use a generalized notion of differentiation as analyzed in  [34] (see also  [1]). However, we can show that for the particular case of saturation attacks, the same technique can be used in the general case of a field \(\mathbb {F}_q\) – even in odd characteristic. Indeed, we can exploit the following result.

Proposition 1

For any \(F: \mathbb {F}_q \rightarrow \mathbb {F}_q\) with \(\deg (F) < q-1\),

$$\begin{aligned} \sum _{x \in \mathbb {F}_q} F(x) = 0\;. \end{aligned}$$

Proof

The result is due to following well-known property: for any exponent \(k\) with \(1 \le k \le q-2\), \(\sum _{x \in \mathbb {F}_q} x^k =0\). Moreover, when \(k=0\), we have \(\sum _{x \in \mathbb {F}_q} x^0 = q=0\).   \(\square \)

Proposition 1 can be generalized to the multivariate case, i.e. to functions from \(\mathbb {F}_q^k\) to \(\mathbb {F}_q\).

Corollary 1

For any \(F: \mathbb {F}_q^t \rightarrow \mathbb {F}_q\) with \(\deg (F) < k(q-1)\) and any affine subspace \(V \subseteq \mathbb {F}_q^t\) of dimension at least k, \(\sum _{x \in V} F(x) = 0\).

Proof

Let \(V\) be an affine space of dimension \(\kappa \ge k\) and \(A\) an affine permutation over \(\mathbb {F}_q^t\) such that \(A(V) = \{(y,0,\ldots ,0)~|~y \in \mathbb {F}_q^\kappa \}\). Then,

$$\begin{aligned} \sum _{x \in V} F(x) = \sum _{x \in V} (F \circ A^{-1})(A(x)) = \sum _{y_1, \ldots , y_\kappa \in \mathbb {F}_q} (F \circ A^{-1})(y_1, \ldots , y_\kappa ,0,\ldots , 0). \end{aligned}$$

Since \(\deg (F \circ A^{-1}) = \deg F < k(q-1)\), \((F \circ A^{-1})\) consists of monomials of the form \(y_1^{i_1} y_2^{i_2}\ldots y_\kappa ^{i_\kappa }\) with at least one exponent \(i_j<q-1\). Then, \(\sum _{y_j \in \mathbb {F}_q} y_j^{i_j}=0\), implying that

$$\begin{aligned} \sum _{y_1, \ldots , y_\kappa \in \mathbb {F}_q}y_1^{i_1} y_2^{i_2}\ldots y_\kappa ^{i_\kappa }=0, \end{aligned}$$

which leads to \(\sum _{x \in V} F(x)=0\).

Based on this observation, a saturation attack with data complexity \(q^k\) can be mounted whenever the degree of \(F\) as a polynomial over \(\mathbb {F}_q\) is strictly less than \(k(q-1)\), even if \(\mathbb {F}_q\) is a field of odd characteristic.

Now, we generalize the notion of integral distinguishers to multiplicative subgroups using the following property.

Proposition 2

Let \(\mathbb {G}\) be a multiplicative subgroup of \(\mathbb {F}_q^\times \). For any \(F: \mathbb {F}_q \rightarrow \mathbb {F}_q\) such that \(\deg (F) < |\mathbb {G}|\), \(\sum _{x \in \mathbb {G}} F(x) - F(0)\cdot |\mathbb {G}| = 0\).

This is a strict generalization of Proposition 1, for which \(|\mathbb {G}| = q - 1\).

Proof

The result is a direct consequence of the following well-known property: for any exponent \(k\) with \(1 \le k \le |\mathbb {G}|-1\), \(\sum _{x \in \mathbb {G}} x^k = 0\). Moreover, when \(k=0\), we have \(\sum _{x \in \mathbb {G}} x^0 = |\mathbb {G}|\).    \(\square \)

We also note that Corollary 1 can be straightforwardly adapted to multiplicative subgroups. The power of summing over multiplicative subgroups (rather than over the entire field \(\mathbb {F}_q\)) comes from the fact that if \(\mathbb {F}_q\) contains small multiplicative subgroups (as for the fields used for the concrete instances specified in Table 2), the complexity of the attacks may be fine-tuned and significantly reduced. In the next sections, such attacks will be applied to both GMiMC and HadesMiMC.

4 Integral Distinguishers on the Full GMiMC

4.1 Integral Distinguisher on GMiMC

Using Corollary 1, we can exhibit a distinguisher for \((3t-4+ \lfloor \log _3(q-2)\rfloor )\) rounds of GMiMC. A remarkable property is that this distinguisher holds for any finite field. It is obtained by saturating a single branch of the Feistel network and consequently has data complexity \(q\). Indeed, we choose a set of inputs where the \((t-2)\) leftmost branches are inactive, while the rightmost branch is determined by the value of Branch \((t-1)\). More precisely, we consider a set of inputs of the form

$$\begin{aligned} \mathcal {X} = \{(\alpha _1, \ldots , \alpha _{t-2}, x, f(x))~|~x \in \mathbb {F}_q\} \end{aligned}$$
(1)

where the \(\alpha _i\) are arbitrary constants in \(\mathbb {F}_q\) and \(f\) is defined by

$$\begin{aligned} f(x) = -\Big (x + \sum _{i=1}^{t-2} \beta _i + \mathsf {RC}_{t-1}\Big )^3 - x - 2 \sum _{i=1}^{t-2} \beta _i - \mathsf {RC}_{t-1}-\mathsf {RC}_t \end{aligned}$$

and \(\beta _1, \ldots , \beta _{t-2}\) are constant values derived from \(\alpha _1, \ldots , \alpha _{t-2}\) by

$$\begin{aligned} \beta _1=(\alpha _1+\mathsf {RC}_1)^3 \text{ and } \beta _{i+1} = \Big (\alpha _{i + 1} + \sum _{j=1}^i \beta _j + \mathsf {RC}_{i+1}\Big )^3\;. \end{aligned}$$

Let us first consider the first \((t-2)\) rounds. We observe that, at Round \(i\), \(1 \le i \le t-2\), the output of the Sbox corresponds to \(\beta _i\) and is added to all branches except the leftmost branch of the input. It follows that the output of Round \((t-2)\) corresponds to

$$\begin{aligned} \textstyle (x+\sum _{i=1}^{t-2} \beta _i, f(x) + \sum _{i=1}^{t-2} \beta _i, \gamma _1, \ldots , \gamma _{t-2}) \end{aligned}$$

where \((\gamma _1, \ldots , \gamma _{t-2})\) are constants (see Figure 4 in  [17]).

Therefore, if \(x'\) denotes the value of Branch \(1\), i.e., \(x'=x+\sum _{i=1}^{t-2} \beta _i\), we have that Branch \(2\) corresponds to

$$\begin{aligned} f\left( x'-\sum _{i=1}^{t-2} \beta _i\right) + \sum _{i=1}^{t-2} \beta _i = -\left( x' + \mathsf {RC}_{t-1}\right) ^3 - x' - \mathsf {RC}_{t-1}-\mathsf {RC}_t\;. \end{aligned}$$

The inputs of Round \(t\) are then

$$\begin{aligned} \{(-x'-\mathsf {RC}_t -\mathsf {RC}_{t-1}, \gamma _1+(x'+\mathsf {RC}_{t-1})^3, \ldots , \gamma _{t-2}+(x'+\mathsf {RC}_{t-1})^3, x')~|~x' \in \mathbb {F}_q\} \end{aligned}$$

and the inputs of Round \((t+1)\) are

$$\begin{aligned} \{( \gamma _1, \ldots , \gamma _{t-2}, x'-(x'+\mathsf {RC}_{t-1})^3, -x'-\mathsf {RC}_t -\mathsf {RC}_{t-1})~|~x' \in \mathbb {F}_q\}\;. \end{aligned}$$

The following \((t-2)\) rounds do not activate the Sbox, implying that the input set at Round \((2t-1)\) has the form

$$\begin{aligned} \{(x'-(x'+\mathsf {RC}_{t-1})^3+\delta _1, -x'+\delta _2, \delta _3, \ldots , \delta _t)~|~x' \in \mathbb {F}_q\} \end{aligned}$$
(2)

for some fixed values \(\delta _1, \ldots , \delta _{t}\) determined by the constants. Each coordinate of this input word can then be seen as a \(q\)-ary polynomial in \(x'\) of degree at most three. It follows that, after \(r\) additional rounds, the set (2) is transformed into a set of elements \((z_1, \ldots , z_{t})\), whose coordinates have degree at most \(3^{r+1}\). Proposition 1 then implies that all \(z_i\) are balanced if \(3^{r+1} \le q-2\), i.e., if \(r \le \lfloor \log _3(q-2) \rfloor -1\).

Adding \((t-1)\) Rounds. We can add some more rounds by using the following relation over \((t-1)\) rounds of GMiMC.

Proposition 3

Let \((x_1, \ldots , x_{t})\) and \((y_1, \ldots , y_{t})\) denote the input and output of \((t-1)\) rounds of GMiMC.

$$\begin{aligned} \sum _{i=2}^{t} y_i - (t-2) y_{1} = \sum _{i=1}^{t-1} x_i - (t-2) x_{t}\;. \end{aligned}$$
(3)

Proof

Let \((x_1^\ell , \ldots , x_{t}^\ell )\) denote the input of Round \(\ell \). It can be observed that, for any \(i,j \in \{1,\ldots , t-1\}\),

$$\begin{aligned} x_i^\ell = x_{i+1}^{\ell -1} + (x_j^{\ell } - x_{j+1}^{\ell -1}) \text{ and } x_{t}^\ell = x_1^{\ell -1}\;. \end{aligned}$$

It follows that, for any \(j\), \(1 \le j \le (t-1)\),

$$\begin{aligned} \sum _{i=1}^{t} x_i^{\ell } - (t-1) x_{j}^{\ell } = \sum _{i=1}^{t} x_i^{\ell -1} - (t-1) x_{j+1}^{\ell -1}\;. \end{aligned}$$

By applying this equality \((t-1)\) times, we deduce (3).    \(\square \)

From the previous proposition, we deduce that after a total of \(R= 3t-4 + \lfloor \log _3(q-2) \rfloor \) rounds the output \((v_1, \ldots , v_{t})\) of GMiMC satisfies \(\sum _{i=2}^{t} v_i - (t-2) v_{1}=\sum _{i=1}^{t-1} z_i - (t-2) z_{t}\), which is a polynomial in \(x\) of degree at most \((q-2)\). This leads to a distinguisher with complexity \(q\) on \(R\) rounds, i.e., \(70\) rounds for the parameters we focus on.

4.2 Zero-Sum Distinguishers on the Full Permutation

Saturating a Single Branch. Since we are analyzing a permutation (or a family of permutations parameterized by the round-constants), there is no secret material involved in the computation, implying that a distinguisher can be built from some internal states in the middle of the primitive, not only from inputs and outputs, exactly as in the known-key setting for block ciphers  [28]. This leads to zero-sum distinguishers, which were introduced by Aumasson and Meier  [10] and exhibited for several hash functions, including SHA-3  [9, 19].

The previously described distinguisher can be extended by \((t-2+\lfloor \log _3(q-2) \rfloor )\) rounds backwards. This is realized by choosing the internal states after \((t-2+\lfloor \log _3(q-2) \rfloor )\) rounds in \(\mathcal {X}\), as defined by (1). The inverse of one round of GMiMC is still a round of a Feistel network of the same form and it has degree three over \(\mathbb {F}_q\). Then, the coordinates \((y_1, \ldots , y_{t})\) of the images of the elements in \(\mathcal {X}\) by \(r\) backward rounds can be seen as univariate polynomials in \(x\) with degree at most \(3^{r+1}\). Exactly as in the forward direction, after \((\lfloor \log _3(q-2) \rfloor -1)\) rounds, the degree of these polynomials cannot exceed \((q-2)\).

Based on Proposition 3, we can then add \((t-1)\) rounds backwards. Indeed, the input of the first round of the permutation \((u_1, \ldots , u_{t})\) is related to the output of Round \((t-1)\), i.e. \((y_1, \ldots , y_{t})\), by

$$\begin{aligned} \sum _{i=2}^{t} y_i - (t-2) y_{1} = \sum _{i=1}^{t-1} u_i - (t-2) u_{t}\;, \end{aligned}$$

and the left-hand term of this equation is a polynomial in \(x\) of degree at most \((q-2)\), implying that \(\big (\sum _{i=1}^{t-1} u_i - (t-2) u_{t}\big )\) sum to zero.

Similarly, we can apply the previously described distinguisher in the forward direction, and deduce that the outputs \((v_1, \ldots , v_{t})\) of the permutation after \((3t-4+\lfloor \log _3(q-2) \rfloor )\) additional rounds are such that \(\big (\sum _{i=2}^{t} v_i - (t-2) v_{1}\big )\) sum to zero. This leads to a distinguisher with complexity \(q\) for a total of \((4t-6+2\lfloor \log _3(q-2) \rfloor )\) rounds, which is higher than the number of rounds proposed in all StarkWare challenges, except in the case where \(q\) exceeds the claimed security level (see Table 3).

Saturating Two Branches. When \(t \ge 4\), it is possible to exhibit a similar distinguisher on more rounds with complexity \(q^2\) by saturating two branches. In this case, we start from Round \(m\) in the middle with a set of internal states

$$\begin{aligned} \mathcal {Y} = \{(\alpha _1, \ldots , \alpha _{t-4}, x, f(x),g(y),y)~|~x,y \in \mathbb {F}_q\}\; \end{aligned}$$

where

$$\begin{aligned} f(x)= & {} -\Big (x + \sum _{i=1}^{t-4} \beta _i + \mathsf {RC}_{m+t-4}\Big )^3 - x - 2 \sum _{i=1}^{t-4} \beta _i - \mathsf {RC}_{m+t-4}-\mathsf {RC}_{m+t-3} \\ g(y)= & {} (y+\mathsf {RC}_{m-1})^3 - y-\mathsf {RC}_{m-1}-\mathsf {RC}_{m-2} \end{aligned}$$

and \(\beta _1, \ldots , \beta _{t-4}\) are defined as before by replacing \(\mathsf {RC}_i\) by \(\mathsf {RC}_{m+i-1}\).

Computing Forwards. As depicted on Figure 5 in  [17], the corresponding set at the input of Round \((m+t-4)\) is then of the form

$$\begin{aligned} \{(x' , -\left( x' + \mathsf {RC}_{m+t-4}\right) ^3 - x'- \mathsf {RC}_{m+t-4}-\mathsf {RC}_{m+t-3}, \gamma _1(y), \ldots , \gamma _{t-2}(y)) \mathrel \vert x',y \in \mathbb {F}_q\} \end{aligned}$$

where \((\gamma _1, \ldots , \gamma _{t-2})\) are some values which depend on \(y\) only. After two more rounds, we then get some internal states whose \((t-2)\) leftmost branches do not depend on \(x'\). It follows that each coordinate of the input of Round \((m+2t-4)\) is a polynomial in \(x'\) and \(y\) of degree at most three in \(x'\). After \((\lfloor \log _3(q-2) \rfloor -1)\) rounds, we get that each coordinate is a polynomial of degree at most \((q-2)\) in \(x'\). Then, with the same technique as before, we can add \((t-1)\) rounds and show that the output of the permutation \((v_1, \ldots , v_{t})\) is such that the linear combination \(\big (\sum _{i=1}^{t-1} v_i - (t-2) v_{t}\big )\) sums to zero after \((3t-6+\lfloor \log _3(q-2) \rfloor )\) rounds.

Computing Backwards. Starting from Round \(m\) and computing backwards, we get that the input of Round \((m-1)\) is of the form

$$\begin{aligned} (y, \alpha _1 - (y+\mathsf {RC}_{m- 1})^3 , \ldots , x- (y+\mathsf {RC}_{m - 1})^3 , f(x)- (y+\mathsf {RC}_{m - 1})^3,-y-\mathsf {RC}_{m - 1}-\mathsf {RC}_{m - 2}) \end{aligned}$$

and the input of Round \((m-2)\) equals

$$\begin{aligned} (-y-\mathsf {RC}_{m-1}-\mathsf {RC}_{m-2}, y+ (y+\mathsf {RC}_{m-1})^3, \alpha _1 , \ldots , x , f(x))\;. \end{aligned}$$

Then, the following \((t-2)\) rounds do not activate the Sbox, implying that all the coordinates of the input of Round \((m-t)\) are polynomials in \(x\) and \(y\) of degree at most three in \(y\). We deduce that the input \((u_1, \ldots , u_{t})\) of Round \((m-2t+2-\lfloor \log _3(q-2)\rfloor )\) is such that the linear combination \(\big (\sum _{i=1}^{t-1} u_i - (t-2) u_{t}\big )\) sums to zero. This zero-sum distinguisher then covers a total of \((5t-8+2\lfloor \log _3(q-2) \rfloor )\) rounds which is detailed in Table 3 for the relevant parameters.

Table 3. Number of rounds of GMiMC covered by the zero-sum distinguishers of complexity \(q\) and \(q^2\).
Full size table

4.3 Exploiting Integral Distinguishers over Multiplicative Subgroups

A noticeable shortcoming of the integral attacks over \(\mathbb {F}_q\), as demonstrated by Table 3, is that they do not give any result for primitives over large fields \(\mathbb {F}_q\) (for which \(\log _2 q \approx 256\)). However, by exploiting integral distinguishers over multiplicative subgroups of \(\mathbb {F}_q\) (e.g., for the specific choice of \(q = 2^{253} + 2^{199} + 1\)), we obtain essentially the same results for GMiMC instances with large q as we obtain for instances with small q. For example, in Sect. 4.1 we derived an integral distinguisher on \(R= 3t-4 + \lfloor \log _3(q-2) \rfloor \) rounds, with complexity q. By exploiting any multiplicative subgroup of size \(|\mathbb {G}| = 2^{s}\) for \(s \le 199\) when \(q = 2^{253} + 2^{199} + 1\), we obtain an integral distinguisher on \(R= 3t-4 + \lfloor \log _3(|\mathbb {G}|-1) \rfloor \) with complexity \(|\mathbb {G}| + 1\).

Moreover, even for smaller fields, we can fine-tune the size of \(\mathbb {G}\) to reduce the complexity of the attack. This is relevant especially for cases where an attack with complexity q can reach more rounds than the ones used by the primitive (which is indeed the case, as shown in Table 3). For example, as derived in Sect. 4.2, we have a zero-sum property for \(4t-6+2\lfloor \log _3(q-2) \rfloor \) rounds with complexity q. For the GMiMC variant with \(q = 2^{61} + 20 \times 2^{32} + 1\) and \(t=12\), we use a subgroup of size \(2^{33} \cdot 167 \cdot 211 \approx 2^{48}\) (which divides \(q-1\)), and obtain a zero-sum property for \(4t-6+2\lfloor \log _3(2^{48}-1) \rfloor = 102\) rounds, with complexity of about \(2^{48}\) (which covers the full permutation).

5 Differential Attacks on Round-Reduced GMiMC

5.1 Impossible Differential Attacks

We present a new impossible differential for \((3t-4)\) rounds, which improves the previous one for \((2t-2)\) rounds presented by the designers [4, Page 46].

The previous impossible differential exploits the following probability one propagation for \((t-1)\) rounds: \((0,\ldots ,0,\alpha ) \rightarrow (\alpha ,0,\ldots ,0)\) where \(\alpha \) is a non-zero difference. Hence, \((0,\ldots ,0,\alpha )\) never propagates to \((\beta ,0,\ldots ,0)\) after \(2t-2\) rounds for any \(\beta \). The designers concluded that conservatively 2t rounds are secure when the security level corresponds to the block size n.

We show that \((0,\ldots ,0,\alpha _1) {\mathop {\nrightarrow }\limits ^{\mathcal {R}^{3t-4}}} (\beta _1,0,\ldots ,0)\) is an impossible propagation, where \(\alpha _1,\beta _1\) are non-zero differences satisfying \(\alpha _1 \ne \beta _1\). That is, we include \(t-2\) more rounds in the middle compared to the property presented by the designers.

The intuition for why the above differential is impossible is as follows. When \((0,\ldots ,0,\alpha _1)\) is propagated, the output difference of the cube mapping is 0 for the first \(t-1\) rounds and is unpredictable for the next \(t/2 - 1\) rounds. We denote them by \(\alpha _2, \alpha _3, \ldots , \alpha _{t/2}\). Similarly, we extend \((0,\ldots ,0,\beta _1)\) by \(t/2 - 1\) rounds backwards, using the notation \(\beta _2, \beta _3, \ldots , \beta _{t/2}\). Here, to be a valid propagation, those differences must be equal in all the branches, which yields a system of t linear equations with \(2(t/2 - 1) = t-2\) variables. By solving the system, we obtain that \(\alpha _1 = \beta _1\) is a necessary condition to obtain a valid differential propagation. In other words, for any \(\alpha _1,\beta _1\) with \(\alpha _1 \ne \beta _1\), the propagation is impossible. A detailed analysis of this property is provided in  [17].

5.2 A Differential Distinguisher

The original paper  [4, Appendix D] analyzes the resistance of GMiMC against differential attacks. Most notably, the designers exhibit a differential characteristic over \((t+1)\) rounds with two active Sboxes, with probability \(2^{-(2n+2)}\) where \(n = \log _2 q\) and they conjecture that the corresponding differential is optimal. They deduce that

$$\begin{aligned} R = 2+ (t+1)\Big \lceil \frac{tn}{2(n-1)}\Big \rceil \text{ rounds } \end{aligned}$$

are sufficient to resist differential cryptanalysis in the sense that the data complexity of the attack exceeds the size of the full codebook. For instance, when \(t=12\) and \(n =61\), this corresponds to \(93\) rounds out of \(101\).

A Better Differential. We exhibit another differential, over \(t\) rounds, which leads to a much more efficient attack. Let \(\alpha \) and \(\alpha '\) be two differences in \(\mathbb {F}_q\). Then, the difference \((0, \ldots , 0, \alpha , \alpha ')\) propagates through \(t\) rounds of the permutation as

$$\begin{aligned} (0, \ldots , 0, \alpha , \alpha ')&\overset{\mathcal {R}^{t-2}}{\longrightarrow }(\alpha , \alpha ', 0 \ldots , 0) \\&\overset{\mathcal {R}}{\longrightarrow }(\alpha '+ \beta , \beta , \ldots , \beta , \alpha )\\&\overset{\mathcal {R}}{\longrightarrow }(\beta +\beta ', \ldots , \beta +\beta ', \alpha +\beta ', \alpha '+\beta ), \end{aligned}$$

where \(\alpha \overset{S}{\rightarrow }\beta \) denotes the Sbox transition occurring at Round \((t-1)\) and \(\alpha ' + \beta \overset{S}{\rightarrow }\beta '\) the Sbox transition occurring at Round \(t\).

It follows that, for any possible value of \(\beta \), we obtain the following \(t\)-round differential as soon as \(\beta '= -\beta \), which occurs with probability \(2^{-n}\) on average:

$$\begin{aligned} (0, \ldots , 0, \alpha , \alpha ') \overset{\mathcal {R}^{t}}{\longrightarrow }(0, \ldots , 0, \alpha -\beta , \alpha '+\beta )\;. \end{aligned}$$

Since this probability does not depend on the choice of \(\alpha \) and \(\alpha '\), this differential can be iterated several times to cover more rounds.

For instance, when \(t=12\) and \(n=61\), the \(101\) rounds of GMiMC can be decomposed into \(8\) blocks of \(t=12\) rounds, followed by \(5\) rounds. We then get a differential of the form

$$\begin{aligned} (0, \ldots , 0, \alpha , \alpha ') \longrightarrow (0,0,0,0,0, \gamma , \gamma ',0,0,0,0,0) \end{aligned}$$

over the full cipher for some unknown \(\gamma , \gamma '\) with probability at least

$$\begin{aligned} P=(2^{-61})^8 = 2^{-488} \end{aligned}$$

since the characteristic over the last 5 rounds has probability one. This leads to a differential distinguisher over the full permutation with complexity \(P^{-1}=2^{488}\) which is much lower than the size of the full codebook (\(2^{732}\)).

It is worth noticing that \(P\) is a lower bound on the probability of the \(101\)-round differential since we considered pairs following some specific characteristics by fixing the forms of some differences at intermediate rounds. Some additional input pairs may lead to an output difference of the same form but not to these specific intermediate differences.

Improving the Complexity of the Distinguisher with Structures. The data complexity of the previous distinguisher can be improved by using structures of inputs. Here, a structure is a set of \(2^{2n}\) inputs of the form \(\mathcal {S}_c=\{(c_1, \ldots , c_{t-2}, x,y)~|~x, y \in \mathbb {F}_p\}\). The difference between any two elements in the same structure has the form \((0, \ldots , 0, \alpha , \alpha ')\). It follows that, from any structure, we can construct \(2^{4n-1}\) pairs of inputs whose difference conforms with the differential. Then, the number of structures required to obtain \(P^{-1}=2^{8n}\) pairs with an appropriate difference is

$$\begin{aligned} 2^{8n -4n+1} = 2^{4n+1}, \end{aligned}$$

leading to an overall data complexity of \(2^{6n+1}= 2^{367}\). The time complexity is equal to the data complexity here since the distinguisher consists in identifying the output pairs which coincide on all output words except the two in the middle. This does not require computing all pairs of elements in each structure, but only to store the values \(\pi (x), x \in \mathcal {S}_c\) according to their first coordinates.

This differential distinguisher does not lead to an attack with complexity below the target security level. However, this must be considered as an unsuitable property since its complexity is much lower than what we expect for a randomly chosen permutation on a set of size \(2^{732}\).

It is worth noticing that, if we restrict ourselves to distinguishers with complexity below the target security level of \(128\) bits, then we can use at most \(2^{128}/2^{2n}=2^6\) structures. Therefore, we can derive from these structures \(2^{6+4n-1}\) i.e. \(2^{249}\) pairs of inputs conforming with the differential. These pairs be can used to distinguish \(4\) blocks of \(t\) rounds since the differential has probability at least \(2^{-244}\). Moreover, a valid pair propagates to a differential of the form \((\gamma ,\gamma ',0,0,0,0,0,0,0,0,0,0)\) with probability one over \((t-2)\) rounds, and we can extend it by a few more rounds by considering the number of state words that have the same difference. After another 6 rounds, the pair has a differential of the form

$$\begin{aligned} (\varDelta ,\varDelta ,\varDelta ,\varDelta ,\varDelta ,\varDelta ,*,*,*,*,*,*), \end{aligned}$$

with probability one, where \(*\) is an unknown difference that we do not care about. This differential form has a constraint of the size 5n: the left-most six state words have an identical difference. The number of queries to satisfy the same property for a randomly chosen permutation is lower bounded by \(2^{5n/2} \approx 2^{152.5}\). This implies that we can distinguish \(4t+(t-2)+(t-6) = 64\) rounds of GMiMC from a randomly chosen permutation with complexity less than \(2^{128}\).

Improved Distinguisher Using Three Active Words. If we consider a differential with only two active words, the biggest structure we can build is of size \(2^{2n},\) which limits the advantage of using structures in reducing the cost of the distinguishers. Let us now consider the following differential:

$$\begin{aligned}&~(0, \ldots , 0, \alpha , \alpha ', \alpha '') \\[-3pt] \overset{\mathcal {R}^{t-3}}{\longrightarrow }&~(\alpha , \alpha ', \alpha '', 0 \ldots , 0) \\ \overset{\mathcal {R}}{\longrightarrow }&~(\alpha '+ \beta , \alpha ''+ \beta , \beta , \ldots , \beta , \alpha )\\ \overset{\mathcal {R}}{\longrightarrow }&~(\alpha ''+ \beta +\beta ', \beta +\beta ', \beta +\beta ', \ldots , \beta +\beta ', \alpha +\beta ', \alpha ')\\ \overset{\mathcal {R}}{\longrightarrow }&~(\beta +\beta '+\beta '', \ldots , \beta +\beta '+\beta '', \alpha +\beta '+\beta '', \alpha '+\beta +\beta '', \alpha ''+ \beta +\beta '), \end{aligned}$$

where \(\alpha \overset{S}{\rightarrow }\beta \), \(\alpha '+\beta \overset{S}{\rightarrow }\beta '\) and \(\alpha ''+\beta +\beta ' \overset{S}{\rightarrow }\beta ''\) denote the Sbox transitions occurring at Round \((t-2)\), at Round \((t-1)\) and at Round \(t\).

As with the previous differential, if \(\beta +\beta '+\beta ''=0\), which occurs with probability \(2^{-n}\) on average, we have:

$$\begin{aligned} (0, \ldots , 0, \alpha , \alpha ', \alpha '') \overset{\mathcal {R}^{t}}{\longrightarrow }(0, \ldots , 0, \alpha -\beta , \alpha '+\beta +\beta '', \alpha ''-\beta '')\;. \end{aligned}$$

Again, the probability of this transition is independent of the values of \(\alpha \), \(\alpha '\) and \(\alpha ''\), so it can be iterated with probability \(2^{-n}.\)

For this differential, we can build structures of size \(2^{3n}\). This will allow us to consider around \(2^{6n}\) pairs with the required input differential, so we can expect to be able to iterate the characteristic for 6t rounds. The total distinguisher will cover \(6t+(t-3)\) rounds. As for the previous one, we can add 4 more rounds, generating an output state with 8 words having the same difference with a cost of \(2^{3n},\) compared to a cost of \(2^{7n/2}\) for a random permutation. For GMiMC with \(t=12\), this allows to distinguish 85 rounds with a cost of \(2^{3n}\). By repeating this procedure \(2^{n}\) times, we can expect t more round to be covered, and distinguish the whole permutation with 101 rounds with a complexity of \(2^{5n}=2^{320}\) and having 9 words with a zero difference (as we do not need to add the final four rounds).

Let us point out that using four instead of three words would not improve the number of rounds attacked on GMiMC-128-d, as the cost of one structure is already the same as the cost of obtaining the 8 non-zero differences in the output for a random permutation. Nevertheless, in the case of the GMiMC variant 256-b with \(t=14\), if we use a similar differential with four active words, we can distinguish up to \(8t+(t-4)= 122\) rounds while finding 10 words with no difference and with a complexity of about \(2^{4n}=2^{500}\).

To determine whether further improvements of these differentials are possible, we have searched for other differential characteristics with a Mixed-Integer Linear Programming (MILP) model. We conclude that the previously described characteristics are essentially optimal for the defined search space, and refer to  [17] for details.

5.3 Algebraically Controlled Differential Attacks

In this section, we show how to use algebraic techniques to efficiently find inputs that satisfy a given differential characteristic. The basic idea is to represent the initial state of the permutation symbolically by assigning variables to some of its branches, while the remaining branches are assigned constant values. We then compute the permutation symbolically for several rounds. Namely, for each round, we derive a polynomial expression for each branch of the internal state in terms of the allocated variables.

We repeat this process starting from two initial states (representing two inputs to the permutation), perhaps assigning them different variables. We can now represent the difference between the internal states at each round in these two computations using polynomial expressions in the allocated variables. In particular, each differential transition of the given differential characteristic (whose probability is smaller than one) is expressed as a polynomial equation in the variables. Collecting the equations for all differential transitions, we obtain a system of polynomial equations, whose solution immediately gives two inputs to the permutation that satisfy the differential characteristic. For this approach to be useful, the equation system has to be efficiently solvable, which generally implies that we cannot allocate too many variables and need to minimize the algebraic degree of the polynomial equations.

Next, we discuss the complexity of solving equation systems of a specific form that we encounter in the remainder of this section. We then demonstrate the basic attack approach with an example and continue with more involved attacks.

Solving Polynomial Equation Systems with Few Variables. Some of our attacks in the remainder of this section reduce to solving equation systems over \(\mathbb {F}_q\). When possible, we solved the systems in practice using the MAGMA software. However, it is also important to understand the complexity of our attacks on stronger variants of the cryptosystem, where they become impractical. In this section, we will only consider systems with one or two variables and estimate the complexity of solving such systems below. We note that in Sect. 6.2 we encounter equation systems with more variables. Solving such equations is more involved and we will have to use a different estimation, which is heuristic (but standard).

Solving a univariate polynomial equation over \(\mathbb {F}_q\) of degree d is done by factoring the polynomial. Asymptotically, the best known algorithm for this problem was published in  [27] and has complexity of about \(d^{1.5 + o(1)}\) bits operations. We note, however, that the o(1) expression in the exponent hides a non-negligible term. Solving two bivariate polynomial equations \(P_1(x,y) = 0\) and \(P_2(x,y) = 0\) of total degrees \(d_1\) and \(d_2\) (respectively) can be done by computing the resultantFootnote 2 of the two polynomials, which is a univariate polynomial in x of degree \(d_1 \cdot d_2\). We then compute the roots of the resultant (by factoring it) and for each such root \(\bar{x}\), we compute the common roots of \(P_1(\bar{x},y)\) and \(P_2(\bar{x},y)\) (using a GCD algorithm). In general, the heaviest step in this process is factoring the resultant.

Satisfying \(3t-2\) Rounds. We show how to efficiently satisfy \(3t-2\) rounds of the iterative differential characteristic of Sect. 5,

$$\begin{aligned} (0, \ldots , 0, \mu _0, \mu '_0)&\overset{\mathcal {R}^{t-2}}{\longrightarrow }(\mu _0, \mu '_0, 0 \ldots , 0) \\&\overset{\mathcal {R}}{\longrightarrow }(\mu '_0 + \mu _1, \mu _1, \ldots , \mu _1, \mu _0)\\&\overset{\mathcal {R}}{\longrightarrow }(\mu _1+\mu '_1, \ldots , \mu _1+\mu '_1, \mu _0+\mu '_1, \mu '_0+\mu _1), \end{aligned}$$

where we require that \(\mu _1+\mu '_1 = 0\).

Consider an initial state of the permutation of the form

$$\begin{aligned} X_0 = (\alpha _1, \ldots , \alpha _{t-2}, x, f(x)), \end{aligned}$$

where the \(\alpha _i\) are constants in \(\mathbb {F}_q\), x is a variable and the function f(x) is described in Sect. 4 (see (1)). Then, as described in Sect. 4, the internal state at Round \((t-2)\) is described as

$$ X_{t-2} = \textstyle (x+\sum _{i=1}^{t-2} \beta _i, f(x) + \sum _{i=1}^{t-2} \beta _i, \gamma _1, \ldots , \gamma _{t-2}), $$

while the state at Round \((2t-2)\) is described as

$$ X_{2t-2} = (x'-(x'+\mathsf {RC}_{t-1})^3+\delta _1, -x'+\delta _1, \delta _2, \ldots , \delta _{t}), $$

where \(x' = x + \sum _{i=1}^{t-2} \beta _i\). Starting from Round \((2t-2)\), the algebraic degree of the branches generally grows by a multiplicative factor of 3 per round, namely, the algebraic degree of Round \((2t-2+r)\) is at most \(3^{r+1}\).

Next, consider another initial state of the permutation of the form

$$\begin{aligned} Y_0 = (\alpha _1, \ldots , \alpha _{t-2}, y, f(y)), \end{aligned}$$

where the initial constants \(\alpha _i\) are identical to those of \(X_0\). Note that the initial difference between the states is of the form

$$\begin{aligned} \varDelta _0 = X_0 - Y_0 = (0, \ldots , 0,\mu _0(x,y), \mu '_0(x,y)). \end{aligned}$$

Then, the state \(Y_{2t-2}\) after Round \((2t-2)\) is described as

$$ Y_{2t-2} = (y'-(y'+\mathsf {RC}_{t-1})^3+\delta _1, -y'+\delta _2, \delta _3, \ldots , \delta _{t}). $$

Therefore, the choice of the initial states of the two inputs, assures that \((2t-2)\) rounds of the differential characteristic are satisfied with probability one. At round 2t, we have

$$\begin{aligned}&\varDelta _{2t} = X_{2t} - Y_{2t} = \\&(\mu _2(x,y) + \mu '_2(x,y), \ldots , \mu _2(x,y) + \mu '_2(x,y), \mu _1(x,y) + \mu '_2(x,y), \mu '_1(x,y) + \mu _2(x,y)), \end{aligned}$$

and we require \(\mu _2(x,y) +\mu '_2(x,y) = 0\), which is a polynomial equation of degree \(3^{2+1} = 27\) in the variables xy. Since we have 2 variables and only one equation in \(\mathbb {F}_q\), we can set one of the variables to an arbitrary constant and solve a univariate polynomial equation in the other variable. We expect one solution on average, which gives an input pair that satisfies the differential characteristic for 2t rounds. Since the next \((t-2)\) rounds are satisfied with probability one, we can satisfy \(3t-2\) rounds at the cost of solving a univariate polynomial equation over \(\mathbb {F}_q\) of degree 27 (which has very low complexity).

Satisfying \(4t-2\) Rounds in an Inside-Out Setting. In an inside-out setting, the differential characteristic can be extended from \((3t-2)\) rounds to \((4t-2)\) rounds algebraically, by adding t rounds before the initial state. Indeed, since the initial state is described by polynomials of degree 3, the state at round \((-2)\) can be described by polynomials of degree 27:

$$\begin{aligned} \varDelta _{-2} =&X_{-2} - Y_{-2} = (\mu _{-1}(x,y) +\mu '_{-1}(x,y), \ldots ,\\ {}&\quad \mu _{-1}(x,y) +\mu '_{-1}(x,y), \lambda _1(x,y)+\mu '_{-1}(x,y), \lambda '_1(x,y)+\mu _{-1}(x,y)). \end{aligned}$$

Thus, we require \(\mu _{-1}(x,y) +\mu '_{-1}(x,y) = 0\) in addition to \(\mu _2(x,y) +\mu '_2(x,y) = 0\). This defines a system of two equations of degree 27 in two variables. Any solution with \(x \ne y\) defines a pair of states that satisfies a differential characteristic from round \((-t)\) to round \((3t-2)\), because rounds \((-t)\) to \((-2)\) are satisfied with probability 1.

To solve the system, we first divide each equation by \((y-x)\) to eliminate trivial solutions with \(x = y\). Then we compute a Gröbner basis of the resulting system. Using the MAGMA software, this can be done in less than one minute on a standard PC (solving the system also has very low complexity by our theoretical estimate). Moreover, this can be extended to a distinguisher on 66 rounds by considering a truncated difference in the input and output. We give an example in Figure 6 of  [17].

Satisfying \(4t-4\) Rounds. If we want to use the differential in a collision attack, we must preserve the value of some initial state words, and we cannot use the inside-out technique. We describe an alternative technique, using a modified differential with four active state words:

$$\begin{aligned}&~(0, \ldots , 0, \mu _0, \mu '_0, \mu ''_0, \mu '''_0)\\[-3pt] \overset{\mathcal {R}^{t-4}}{\longrightarrow }&~(\mu _0, \mu '_0, \mu ''_0, \mu '''_0, 0 \ldots , 0) \\ \overset{\mathcal {R}}{\longrightarrow }&~(\mu '_0 + \mu _1, \mu ''_0 + \mu _1, \mu '''_0 + \mu _1, \mu _1, \ldots , \mu _1, \mu _0)\\ \overset{\mathcal {R}}{\longrightarrow }&~(\mu ''_0 + \mu _1 + \mu '_1, \mu '''_0 + \mu _1 + \mu '_1, \mu _1 + \mu '_1, \ldots , \mu _1 + \mu '_1, \mu _0 + \mu '_1, \mu '_0 + \mu _1)\\ \overset{\mathcal {R}}{\longrightarrow }&~(\mu '''_0 + \mu _1 + \mu '_1 + \mu ''_1, \mu _1 + \mu '_1 + \mu ''_1, \ldots , \mu _1 + \mu '_1 + \mu ''_1, \mu _0 + \mu '_1 + \mu ''_1, \\&\qquad \mu '_0 + \mu _1 + \mu ''_1, \mu ''_0 + \mu _1 + \mu '_1)\\[-2pt] \overset{\mathcal {R}}{\longrightarrow }&~(\varvec{\mu }_1, \ldots , \varvec{\mu }_1, \mu _0 + \varvec{\mu }_1 - \mu _1, \mu '_0 + \varvec{\mu }_1 - \mu '_1, \mu ''_0 + \varvec{\mu }_1 - \mu ''_1, \mu '''_0 + \varvec{\mu }_1 - \mu '''_1)\\ \text {with}&~\varvec{\mu }_1 = \mu _1 + \mu '_1 + \mu ''_1 + \mu '''_1. \end{aligned}$$

As in Sect. 5.2, we require that \(\varvec{\mu }_1 = 0\). This happens with probability \(2^{-n}\), and results in an iterative truncated characteristic \((0, \ldots , 0, *, *, *, *) \overset{\mathcal {R}^t}{\longrightarrow }(0, \ldots , 0, *, *, *, *)\).

As in the previous attack, we build an initial state with special relations to control the first t rounds with probability one:

$$\begin{aligned} X_0 = (\alpha _1, \ldots , \alpha _{t-4}, x, f(x), y, f(y)). \end{aligned}$$

This ensures that the state at Round \((2t-4)\) is of the form:

$$ X_{2t-4} = (x'-(x'+\mathsf {RC}_{t-1})^3+\delta _1, -x'+\delta _2, y'-(y'+\mathsf {RC}_{t-1})^3+\delta _3, -y'+\delta _4, \delta _5, \ldots , \delta _{t}). $$

Instead of considering two different states with this shape (with four unknown in total), we will consider one variable state and one fixed state with \((x, y) = (0, 0)\). When we consider the state at Round (2t), we have

$$\begin{aligned}&\varDelta _{2t} = X_{2t} - X_{2t}(0,0) = \\&(\varvec{\mu }_2, \ldots , \varvec{\mu }_2, \mu _1 + \varvec{\mu }_2 - \mu _2, \mu '_1 + \varvec{\mu }_2 - \mu '_2, \mu ''_1 + \varvec{\mu }_2 - \mu ''_2, \mu '''_1 + \varvec{\mu }_2 - \mu '''_2) \end{aligned}$$

Where \((\mu _1, \mu '_1, \mu ''_1, \mu '''_1)\) are polynomials of degree 3, 1, 3, and 1 respectively (as seen in \(X_{2t-4}\)), and \((\mu _2, \mu '_2, \mu ''_2, \mu '''_2)\) are polynomials of degree 9, 27, 81, and 243, with \(\varvec{\mu }_2 = \mu _2 + \mu '_2 + \mu ''_2 + \mu '''_2\). All polynomials have variables x and \(x'\), and \(X_{2t}(0,0)\) is a vector of constants. We now require \(\varvec{\mu }_2(x, x') = 0\), and we can simplify the state using this assumption:

$$\begin{aligned} X_{2t} = X_{2t}(0,0) + (0, \ldots , 0, \mu _1 - \mu _2, \mu '_1 - \mu '_2, \mu ''_1 - \mu ''_2, \mu '''_1 + \mu _2 + \mu '_2 + \mu ''_2). \end{aligned}$$

We obtain an expression of degree \((0, \ldots , 0, 9, 27, 81, 81)\).

When we focus on Round (3t), we can now express the condition of the differential as a polynomial of degree 729. Therefore, we have a system of two equations of degree 243 and 729 in two variables. To estimate the complexity of solving the system, recall that we factor the resultant of these polynomials in time \(d^{1.5 + o(1)}\) bit operations. In our case, \(d = 243 \cdot 729 = 177,147\).

Any solution with \((x, y) \ne (0,0)\) defines a state such that (X(xy), X(0, 0)) satisfies the differential characteristic up to round \((4t-4)\), because rounds (4t) to \((4t-4)\) are satisfied with probability one.

Extending the Differentials. All these attacks can be extended probabilistically by finding about q different input pairs that satisfy the differential characteristic (each pair is found by choosing different constants \(\alpha _i\) in the initial state). With high probability, one of these input pairs will also satisfy the next differential transitions, and follow the characteristic for t more rounds.

5.4 Reduced-Round Collision Attacks

We can build collisions on a reduced number of rounds by using the same ideas as for the previous structural or algebraic differential distinguishers. The additional constraint that we have now compared to distinguishers is that any values that need to be chosen must be assigned to the rate part, i.e. the 8 left-most words in GMiMC-128-d, and the capacity part, i.e. the 4 right-most words in GMiMC-128-d, will be fixed to a known value we cannot choose.

Building Collisions with Structures. We won’t use the 3-word differential but the 2-word one, as using the full 2n structure from the 2-word one already implies a complexity equivalent to that of a generic collision attack. Instead of having \(t = 12\) free rounds at the beginning, we will have only 8, due to the 4 words reserved for the capacity. With a cost of \(2^{r\cdot n}\) we can then go through \(r\cdot t\) rounds maintaining the same differential. Finally, we can freely add \((t-2)\) rounds that preserve the differences in the rate part and, consequently, can finally be cancelled:

$$\begin{aligned} (0, \ldots , 0, \alpha , \alpha ',0,0,0,0) \overset{\mathcal {R}^{t-6}}{\longrightarrow }(\alpha , \alpha ', 0 \ldots , 0) \overset{\mathcal {R}^{r\cdot t}}{\longrightarrow }( \beta , \beta ',0 \ldots , 0), \end{aligned}$$

This differential has a probability of \(2^{-r\cdot t}\), and would allow to build collisions up to \(3t-6\) rounds, so for 30 rounds for GMiMC-128-d. If we use structures we can improve this: if we build a structure of size \(2^{x}\), with the cost of the structure we can verify a probability up to \(2^{-2x}.\) If we choose structures of size \(2^{3n/2}\), we can consider \(r=3\). This would provide collisions for \(4t-6\) rounds. For GMiMC-128-d this implies collisions on 42 rounds with a cost of \(2^{92},\) and for GMiMC-256 it implies collisions on 50 rounds with a complexity of \(2^{187}\).

Building Collisions with Algebraically Controlled Techniques. To use the algebraically controlled techniques in a collision attack, we must not use any difference in the inner part of the sponge. As noted, in the case of GMiMC-128-d, we have \(c=4\), therefore, we start from a state

$$\begin{aligned} X_0 = (\alpha _1, \ldots , \alpha _4, x, f(x), y, f(y), \alpha _9, \ldots , \alpha _{12}) \end{aligned}$$

and we have a characteristic over \(4t-4-c = 40\) rounds. In MAGMA, this takes a few minutes using less than 3 GB of RAM. We give an example of a conforming pair in Figure AAA in  [17], where all the \(\alpha \) constants have been set to zero. This attack can be extended to t more rounds probabilistically, with (asymptotic) complexity of \(q \cdot d^{1.5 + o(1)}\) bit operations. In our case, \(d = 177,147\) and we obtain an estimate of about \(2^{90}\) if we ignore the o(1) term.

6 Attacks on HadesMiMC

This section describes two types of attacks against HadesMiMC, which both exploit the propagation of affine subspaces over the partial rounds. The first one is an integral distinguisher covering all rounds except the first two rounds for most sets of parameters. The second one is a preimage attack on the full function which applies when the MDS matrix defining the linear layer has, up to multiplication by a scalar, a low multiplicative order. It is worth noticing that, while the designers of HadesMiMC do not mention any requirements on this MDS matrix, they provide several suggestions. For Starkad and Poseidon, Cauchy matrices are used  [24]. In  [17], we identify weak instances from this class of matrices. Alternatively, the HadesMiMC authors propose  [25, Appendix B] the use of a matrix of the form \(A \times B^{-1}\) where both \(A\) and \(B\) are Vandermonde matrices with generating elements \(a_i\) and \(b_i\). In this case, if \(a_i = b_i + r\) for some \(r \in \mathbb {F}_{q}\), then the resulting MDS matrix will be an involution for \(\mathbb {F}_q\) of characteristic two  [33]. Similarly, in characteristic \(p \ne 2\), one obtains an involution whenever \(a_i = -b_i\).

6.1 Integral Distinguishers

In HadesMiMC, the number of rounds has been chosen by the designers in such a way that, when each coordinate of the output is expressed as a polynomial in \(t\) variables over \(\mathbb {F}_q\), then the degree of this polynomial in each input is close to \((q-1)\), which is the behaviour expected for a randomly chosen permutation. Assuming that the degree grows as \(3^r\) for \(r\) rounds (which is an upper bound), \(\lceil \log _3(t(q-1))\rceil \) rounds are enough to get a polynomial of total degree \((q-1)t\). For the concrete parameters, i.e. \(t=12\) and \(q=2^{61}+20\times 2^{32}+1\) for Poseidon, we get that \(41\) rounds (out of 48 in total) are necessary to achieve maximal degree. For Starkad with \(t=12\) and \(q=2^{63}\), \(43\) rounds (out of 51 in total) are necessary.

An Integral Property. Our idea to improve upon the trivial bound above by a few partial rounds is to choose a specific subspace of inputs. Indeed, we are going to construct a one-dimensional subspace V such that \(t-1\) partial rounds will map any coset \(V+v_0\) onto a coset of another one-dimensional subspace W. Adding at most \(\lfloor \log _3(q-2)\rfloor \) rounds (either full or partial), ensures that the conditions of Corollary 1 are satisfied and thus the outputs sum to zero.

$$\begin{aligned} V+v_0 {\mathop {\longrightarrow }\limits ^{\mathcal {R}_p^{t-1}}} W+w_0 {\mathop {\longrightarrow }\limits ^{\deg < q-1}} \text{ zero } \text{ sum. } \end{aligned}$$

Let us denote by \(V\) a linear subspace of internal states after the Sbox layer of the last of the first \(R_f/2\) full rounds (see Fig. 4). Then, this subspace leads to an affine subspace at the input of the first partial round, which is a coset of \(L(V)\). The following lemma guarantees the existence of a nontrivial vector space L(V) such that any coset of L(V) is mapped to a coset of \(W = L^t(V)\) after \(t - 1\) partial rounds.

Lemma 1

Let \(F : \mathbb {F}_q^t \rightarrow \mathbb {F}_q^t\) denote a permutation obtained from \(r \ge 1\) partial HadesMiMC rounds instantiated with linear layer L. If L has multiplicative order h up to multiplication by a scalar, then there exists a vector space V with \(\dim V \ge t - \min \{h, r\}\) such that \(F(x + V) \subseteq F(x) + L^r(V)\) for all \(x \in \mathbb {F}_q^t\).

Proof

Let \(V = \langle \delta _t, L^T(\delta _t), \ldots , (L^T)^{r - 1}(\delta _t)\rangle ^\perp \) where \(\delta _t=(0, \ldots ,0,1)\). Clearly, \(\dim V\) satisfies the desired lower bound. It suffices to show that for all \(x \in \mathbb {F}_q^t\) and \(v \in V\), \(F(x + v) = F(x) + L^r(v)\). Let \(F = R_r \circ \cdots \circ R_1\). Since the last coordinate of any \(v\) in V is zero, i.e. \(v \perp \delta _t\), the image of \(x+V\) by the partial Sbox layer is a coset of \(V\). It follows that \(R_1(x + v) = R_1(x) + L(v)\). Similarly, for Round \(i = 2, \ldots , r\), it holds that \(R_i(x_i + L^{i-1}(v)) = R_i(x_i) + L^i(v)\) if \(L^{i - 1}(v) \perp \delta _t\) or equivalently \(v \perp (L^\top )^{i - 1} (\delta _t)\).    \(\square \)

Let us consider any coordinate \(y\) of the output of the permutation after adding r additional (partial or full) rounds. When \(z_0\) varies in \(V\), these output words correspond to the images by the additional rounds of the elements \(z_1\) in a coset of \(W=L^{t}(V)\), which we denote by \(\gamma +W\) (see Fig. 4). As the polynomial corresponding to the r additional rounds has degree at most \(3^{r}\), it then follows using Corollary 1 that

$$\begin{aligned} \sum _{z_0 \in V} y(z_0) = \sum _{z_1 \in \gamma +W} y(z_1) = \sum _{x \in \mathbb {F}_q} P(x) = 0\;, \end{aligned}$$

as long as r is at most \(\lfloor \log _3(q-2)\rfloor \).

Thus, in total this covers \((t-1)+\lfloor \log _3(q-2)\rfloor \) rounds, starting after the first full rounds. For most sets of concrete parameters, this actually exceeds the recommended number of rounds in the forward direction for both Poseidon and Starkad. Furthermore, Lemma 1 implies that if the linear layer L has multiplicative order less than \(t - 1\), then the distinguisher covers an arbitrary number of partial rounds.

Fig. 4.
figure 4

Zero-sum distinguisher against Poseidon and Starkad covering \((2+4)\) full rounds and all partial rounds.

Full size image

Zero-Sum Distinguishers over \(\mathbb {F}_q\). By extending the above-mentioned approach in the backwards direction, we can construct a zero-sum distinguisher with a (slightly) extended number of rounds as depicted on Fig. 4. The problem is that contrary to the case of GMiMC, the inverse round function in HadesMiMC is very different from the round function itself, and it has a much higher degree. Indeed, the inverse of the cube mapping over \(\mathbb {F}_q\) is the power function \(x \mapsto x^{(2q - 1)/3}\). By using classical bounds on the degree, we cannot guarantee a degree lower than \((q-2)\) for more than a single round backwards.

However, V being one dimensional allows to overcome one additional layer of Sboxes, and thus one additional round. Namely, as V is a one-dimensional space there exists a vector \(v=(v_1,\dots ,v_t) \in \mathbb {F}_q^t \) such that

$$\begin{aligned} V= \{ \left( x \, v_1, x \, v_2, \ldots , x \, v_{t}\right) ~|~x\in \mathbb {F}_q \}. \end{aligned}$$

The image of V under the inverse of the full Sbox layer consists of all the vectors in \(\mathbb {F}_{q}^{t}\) of the form

$$\begin{aligned} \big ((x \, v_1)^{1/3}, \ldots , (x \, v_{t})^{1/3}\big ) = x^{1/3} \, \big (v_1^{1/3}, \ldots , v_{t}^{1/3}\big ). \end{aligned}$$

As a consequence, this image is again a one-dimensional vector space having the same form, namely \(U= \{ x' \, (u_1, \ldots , u_t)~|~x'\in \mathbb {F}_q\}\) where \(u_i=v_i^{1/3}\) for all \(0 \le i < t\). It is worth noticing that this particular structure does not propagate over more rounds because of the addition of a round constant. Then, any coordinate at the input of the previous round \(y'\) is the image of an element \(z'_0=x'u\) in \(U\) by an affine layer, followed by the inverse of Sbox, i.e., by \(x\mapsto x^{1/3}\) (see Fig. 4). We can then consider this mapping as a function of \(x'\in \mathbb {F}_q\), and express it as a polynomial \(Q\) with coefficients in \(\mathbb {F}_q\). Since the degree of this polynomial is the degree of the inverse Sbox, it does not exceed \((q-2)\). Using the notion from Fig. 4, we then have

$$\begin{aligned} \sum _{z_0 \in V} y'(z_0) = \sum _{z'_0 \in U} y'(z_0') = \sum _{x' \in \mathbb {F}_q} Q(x) = 0\;. \end{aligned}$$

For most sets of proposed parameters, this provides a zero-sum distinguisher with data complexity q on HadesMiMC for all but the two initial rounds, i.e. for \(2+4\) full rounds (2 at the beginning and 4 at the end), and all partial rounds, as detailed in Table 4. Again, for instantiations of HadesMiMC with a linear layer of multiplicative order less than \(t - 1\), the distinguisher covers an arbitrary number of partial rounds.

Table 4. Number of rounds of HadesMiMC covered by the zero-sum distinguisher of complexity \(q\).
Full size table

6.2 Finding Preimages by Linearization of the Partial Rounds

This section shows that, when the linear layer in HadesMiMC has a low multiplicative order, the propagation of linear subspaces through all partial rounds leads to a much more powerful attack. Indeed, we now show that the existence of perfect linear approximations over the partial rounds of HadesMiMC, as detailed in Lemma 2, can be used to setup a simplified system of equations for finding preimages, leading to a full-round preimage attack.

Lemma 2

Let \(F : \mathbb {F}_q^t \rightarrow \mathbb {F}_q^t \) denote a permutation obtained from \(r \ge 1\) partial HadesMiMC rounds instantiated with linear layer L and round constants \(c_1, \ldots , c_r\). Let \(V \subset \mathbb {F}_q^t\) be the vector space \(V = \langle L(\delta _t), L^2 (\delta _t), \ldots , L^{r} (\delta _t)\rangle ^\perp \), where \(\delta _t=(0, \ldots ,0,1)\). Then, for all \(x \in \mathbb {F}_q^t\) and \(v \in V\),

$$\begin{aligned} v \cdot F(x) = v \cdot L^r (x) + \sum _{i = 1}^r v \cdot L^{r + 1 - i}(c_i), \end{aligned}$$

where \(u \cdot v\) denotes the usual scalar product in \(\mathbb {F}_q^t\). Furthermore, if L has multiplicative order h, then \(\dim V \ge t - \min \{h, r\}\).

Proof

Let \(F_r = R_r \circ R_{r-1} \circ \cdots \circ R_1\), where \(R_i\) denotes the ith partial round of HadesMiMC, namely \(R_i(x) = L\circ S (x+c_{i})\). We proceed by induction on r. For \(r=1\), we have, for any \(v\) and \(x\),

$$\begin{aligned} v \cdot R_1(x) = L^T(v) \cdot S(x+c_1) = L^T(v) \cdot (x+c_1) = v \cdot L(x) + v \cdot L(c_1) \end{aligned}$$

if the last coordinate of \(L^T(v)\) is zero, or equivalently \(L^T(v)\cdot \delta _t = v \cdot L(\delta _t)=0\).

Let us now consider Round \(r\) and \(v \in \langle L(\delta _t), L^2 (\delta _t), \ldots , L^{r} (\delta _t)\rangle ^\perp \). For any \(y \in \mathbb {F}_q^t\), we have

$$\begin{aligned} v \cdot R_r(y) = L^T(v) \cdot S(y+c_r) = L^T(v) \cdot (y+c_r) \end{aligned}$$

since \(L^T(v) \cdot \delta _t = v \cdot L(\delta _t)=0\). Letting \(y = F_{r-1}(x)\), it follows that

$$\begin{aligned} v \cdot F_r(x) = L^{ T} (v) \cdot F_{r - 1}(x) + L^{ T} (v) \cdot c_r = L^{ T} (v) \cdot L^{r - 1} (x) + \sum _{i = 1}^{r-1} L^{ T} (v) \cdot L^{r - i}(c_i) + L^{ T} (v) \cdot c_r \end{aligned}$$

where the last equality is deduced from the induction hypothesis using that \(L^T(v)\) belongs to \(\langle L(\delta _t), \ldots ,L^{r-1} (\delta _t)\rangle ^\perp \). Finally, it is easy to see that the dimension of \(V^\perp \) can be upper bounded as \(\dim V^\perp \le \min \{h, r, t\}.\) Hence, \(\dim V \ge t - \min \{h, r\}\).    \(\square \)

Suppose that L is such that the vector space V from Lemma 2 is of dimension d. It will be shown that, if d is sufficiently large, such an instantiation of HadesMiMC is vulnerable to preimage attacks for some choices of the rate and capacity parameters of the sponge construction. In particular, when the MDS matrix L is an involution, we obtain \(d = t - 2\).

By Lemma 2, there exists a matrix \(U_1 \in \mathbb {F}_q^{d \times t}\) such that \(U_1F(x) = U_1(L^r(x) + a)\) for a known constant a. Indeed, let the rows of \(U_1\) be a basis for V. Furthermore, let \(U_2 \in \mathbb {F}_q^{(t - d) \times t}\) be a matrix with row space complementary to the row space of \(U_1\). For each x, it holds that

$$\begin{aligned} \begin{aligned} U_1y&= U_1(L^r(x) + \textstyle \sum _{i = 1}^r L^{r + 1 - i}(c_i))\\ U_2y&= U_2 F(x). \end{aligned} \end{aligned}$$
(4)

Consider a HadesMiMC permutation in a sponge construction with rate k and capacity \(c = t - k\). Computing preimages of a one-block message \((y_1, \ldots , y_k) \in \mathbb {F}_q^k\) then corresponds to solving the system of equations \([F(x\Vert \mathsf {IV})]_i = y_i\), \(i = 1, \ldots , k\) in the unknowns \(x_{1}, \ldots , x_k\).

The idea of the attack is simple: for each guess of \(U_2 F(x) \in \mathbb {F}_q^{t - d}\), replace the equations for the partial rounds by the affine relations (4) and solve the resulting system of equations. In order to ensure that the ideal generated by these equations is zero-dimensional, we should have \(k \le d\), which always holds when \(L\) is an involution unless \(c=1\). Note that we focus on the case where the number of output elements is equal to the rate. This is the most challenging setting. Indeed, if the output size is smaller than the rate – as in some of the StarkWare challenges – then the preimage problem will typically have many solutions. This allows the attacker to partially or completely avoid the guessing phase. If further degrees of freedom remain after fixing \(U_2 F(x)\) completely, one or more input elements may be fixed to an arbitrary value.

In  [17], we show that the total time cost of the attack can be estimated as

$$\begin{aligned} 2\gamma \,(2\pi )^{-\omega /2} \,k^{2 - \omega {/}2}\,e^{\omega k}\,3^{(\omega k + 1)(R_F - 1)}\,q^{t - d} \end{aligned}$$

where \(\omega \) is the asymptotic exponent of the time complexity of matrix multiplication and \(\gamma \) is such that the cost of computing the row-reduced echelon form of an \(m \times n\) matrix is \(\gamma m n^\omega \).

For example, for an involutive L, \(R_F = 8\) and an arbitrary number of partial rounds, Fig. 5a shows for which choices of q and t an improvement over the generic security of the sponge construction is obtained. The insecure instances are shaded in grey. Note that this domain corresponds to a conservative estimate for the cost of row-echelon reduction, i.e. \(\omega = 3\) and \(\gamma = 3/2\). The cost itself is shown in Fig. 5b. We stress that these figures correspond to the most challenging case, i.e. assuming that the hash output is of length k and no shorter.

Fig. 5.
figure 5

Cost analysis of the preimage attack on HadesMiMC with an involutive linear layer and \(R_F = 8\). The shaded areas correspond to parameters for which the attack improves over the \(q^{\min \{k, c/2\}}\) security level.

Full size image

For the concrete Starkad and Poseidon instances specified in Table 2, we obtain better-than-generic attacks on some variants assuming that the hash output has length \(c \le k\) (Table 5). Indeed, provided that \(c \le d / 2 = t / 2 - 1\), a sufficiently large number of preimages is likely to exist so that it is no longer necessary to guess \(U_2 F(x)\). In addition, input variables may be fixed until only c free variables remain. This leads to a computational cost of \(2\gamma \,(2\pi )^{-\omega /2} \,c^{2 - \omega / 2}\,e^{\omega c}\,3^{(\omega c + 1)(R_F - 1)}\). Note that, for these instances, we do not obtain relevant preimage attacks when the output size exceeds \(t/2 - 1\).

Table 5. Overview of the computational cost (measured in \(\mathbb {F}_q\) operations) of the preimage attack on different instances of Poseidon and Starkad, assuming an involutive linear layer. These estimates assume that the hash output has length c. For the variants 128-a, 128-b and 128-d, the attack does not improve over the generic security level of the sponge.
Full size table

7 Conclusions

Our analysis of STARK-friendly primitives clearly shows that the concrete instances of GMiMC and HadesMiMC proposed in the StarkWare challenges present several major weaknesses, independently from the choice of the underlying finite field. At a first glance, the third contender involved in the challenges, namely Vision for the binary field and Rescue for the prime fields  [7], seems more resistant to the cryptanalytic techniques we have used against the other two primitives. This seems rather expected since Vision and Rescue follow a more classical SPN construction with full Sbox layers; for similar parameters, they include a larger number of Sboxes which may prevent them from the unsuitable behaviours we have exhibited on the other primitives.

Another important aspect of our work is the extension of higher-order differential and integral attacks to primitives operating on any finite field, even with odd characteristic, while these attacks were previously defined over binary fields only. This points out that the notion of symmetric primitives over a prime field, which has been introduced very recently, needs to be further analyzed in order to get a rigorous assessment on its security. While decades of research have produced efficient cryptanalytic tools and security criteria for primitives defined over \(\mathbb {F}_2\), establishing the right tools to analyze primitives over \(\mathbb {F}_q\) for odd q raises many new and interesting open questions.