Out of Oddity – New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems
Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, Léo Perrin, María Naya-Plasencia, Yu Sasaki, Yosuke Todo, Friedrich Wiemer
Crypto 2020 - August 2020
Symmetric primitives optimized for a specific cost metric
• FHE-friendly encryption: LowMC [Albrecht et al. 15], Flip [Méaux et al. 16], Kreyvium [Canteaut et al. 16], Rasta [Dobraunig et al. 18]...
• MPC-friendly block ciphers: MiMC [Albrecht et al. 16] and its variants
• Primitives dedicated to new integrity proof systems (STARKs, SNARKs, Bulletproof): hash functions specified as sequences of low-degree polynomials or low-degree rational maps over a finite field. Older examples: Cradic [Knudsen Nyberg 92], Misty [Matsui 97].
SNARK-friendly and STARK-friendly primitives
Performance.
• the size of the polynomial relations representing the execution trace over a large finite field should be minimized.
• finite fields of odd characteristic, especially prime fields, are suitable.
Security.
• algebraic attacks based on Gröbner bases [Albrecht et al. 19]...
• all other cryptanalytic techniques.
Focus on STARK-friendly primitives
StarkWare challenges: https://starkware.co/hash-challenge/
Keyed permutations.
• GMiMC, i.e. GMiMC_erf over $\mathbb{F}_p$ [Albrecht et al. 19]
• HadesMiMC permutation: Starkad ($\mathbb{F}_{2^m}$) and Poseidon ($\mathbb{F}_p$) [Grassi et al. 19]
Hash functions. Sponges using one of the previous functions as inner permutation.
Sponge construction
Sponge construction with blocksize $t$ and capacity $c$.
[Figure: message blocks $M_0, \dots, M_7$ and $M_8, \dots, M_{15}$ are absorbed between applications of the inner permutation $\pi$, then the output is squeezed.]
Parameters

| Security level | $q$ (prime) | $q$ (binary) | $\log_2 q$ | $c$ | $t$ | Variant |
|---|---|---|---|---|---|---|
| 128 bits | $2^{61} + 20 \times 2^{32} + 1$ | $2^{63}$ | 64 | 4 | 12 | 128-d |
| 128 bits | $2^{125} + 266 \times 2^{64} + 1$ | $2^{125}$ | 128 | 2 | 4 | 128-a |
| 128 bits | $2^{125} + 266 \times 2^{64} + 1$ | $2^{125}$ | 128 | 2 | 12 | 128-c |
| 128 bits | $2^{253} + 2^{199} + 1$ | $2^{255}$ | 256 | 1 | 3 | 128-b |
| 128 bits | $2^{253} + 2^{199} + 1$ | $2^{255}$ | 256 | 1 | 11 | 128-e |
| 256 bits | $2^{125} + 266 \times 2^{64} + 1$ | $2^{125}$ | 128 | 4 | 8 | 256-a |
| 256 bits | $2^{125} + 266 \times 2^{64} + 1$ | $2^{125}$ | 128 | 4 | 14 | 256-b |
Key points
• generalization of attacks to fields of any characteristic.
• use of the specific algebraic structure to improve classical attacks.
Outline
• Integral attacks over fields of any characteristic
• Integral distinguishers on the full GMiMC
• Algebraically-controlled differential attacks on GMiMC
Integral attacks over $\mathbb{F}_q$
When $q = 2^m$. For any $F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ and any (affine) subspace $V \subset \mathbb{F}_2^m$ with $\deg(F) < |V| - 1$,
$$\sum_{x \in V} F(x) = 0.$$
Because, for $V = b + \langle a_1, \dots, a_v \rangle$,
$$D_{a_1} D_{a_2} \cdots D_{a_v} F(b) = \sum_{x \in V} F(x).$$
Not valid in odd characteristic.
But for any $q$
For any exponent $k$ with $0 \le k < q - 1$,
$$\sum_{x \in \mathbb{F}_q} x^k = 0.$$
General result. For any $F : \mathbb{F}_q \to \mathbb{F}_q$ with $\deg(F) < q - 1$,
$$\sum_{x \in \mathbb{F}_q} F(x) = 0.$$
However, this only works when an input is saturated
For any $F : \mathbb{F}_q \to \mathbb{F}_q$ with $\deg(F) < q - 1$,
$$\sum_{x \in \mathbb{F}_q} F(x) = 0.$$
Less general than the property over $\mathbb{F}_{2^m}$: for any (affine) subspace $V \subset \mathbb{F}_2^m$ such that $\deg(F) < |V| - 1$,
$$\sum_{x \in V} F(x) = 0.$$
Using multiplicative subgroups
Let $G$ be a multiplicative subgroup of $\mathbb{F}_q^{\times}$. For any $F : \mathbb{F}_q \to \mathbb{F}_q$ such that $\deg(F) < |G|$,
$$\sum_{x \in G} F(x) = F(0) \cdot |G|.$$
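The three sum properties above (power sums over $\mathbb{F}_q$, polynomials of degree below $q-1$ over the whole field, and polynomials of degree below $|G|$ over a multiplicative subgroup $G$) checked numerically on a toy prime field. This is an added example, not code from the slides or the paper; the field size $q = 101$, the subgroup order 25 and the polynomial coefficients are constructed values chosen only so that the check runs instantly. It also shows that both degree bounds are sharp: $x^{q-1}$ does not sum to 0 over $\mathbb{F}_q$, and $x^{|G|}$ does not sum to $F(0)\cdot|G|$ over $G$.

```python
"""Added example: integral (zero-sum) properties over a prime field F_q.

Toy field q = 101 (a constructed parameter, not one of the challenge primes).
"""
Q = 101  # prime, so F_q is the integers modulo 101


def eval_poly(coeffs, x):
    """Horner evaluation of c_0 + c_1 x + ... + c_d x^d over F_q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def power_sum_over_field(k):
    """sum_{x in F_q} x^k (mod q): 0 for 0 <= k < q-1, and q-1 = -1 for k = q-1."""
    return sum(pow(x, k, Q) for x in range(Q)) % Q


def poly_sum_over_field(coeffs):
    """sum_{x in F_q} F(x) for F given by its coefficient list; 0 whenever deg F < q-1."""
    return sum(eval_poly(coeffs, x) for x in range(Q)) % Q


def multiplicative_subgroup(order):
    """The unique subgroup of F_q^* of the given order (order must divide q-1).

    F_q^* is cyclic, so this subgroup is exactly the set of solutions of x^order = 1.
    """
    assert (Q - 1) % order == 0, "order must divide q-1"
    group = [x for x in range(1, Q) if pow(x, order, Q) == 1]
    assert len(group) == order
    return group


def poly_sum_over_subgroup(coeffs, order):
    """sum_{x in G} F(x) for the subgroup G of the given order.

    Equals F(0) * |G| (mod q) when deg F < |G|: sum_{x in G} x^k is |G| when |G|
    divides k (so only k = 0 contributes below the bound) and 0 otherwise.
    """
    group = multiplicative_subgroup(order)
    return sum(eval_poly(coeffs, x) for x in group) % Q


def constructed_poly(degree, seed=1):
    """Deterministic constructed coefficient list of the requested degree (leading term non-zero)."""
    coeffs = [(seed * (i + 1) ** 2 + 5) % Q for i in range(degree + 1)]
    if coeffs[-1] == 0:
        coeffs[-1] = 1
    return coeffs


if __name__ == "__main__":
    print("sum x^k over F_q, k < q-1, all zero:",
          all(power_sum_over_field(k) == 0 for k in range(Q - 1)))
    print("sum x^(q-1) over F_q:", power_sum_over_field(Q - 1))
    G = multiplicative_subgroup(25)
    print("|G| =", len(G), " sum of degree-24 poly over G:",
          poly_sum_over_subgroup(constructed_poly(24), 25),
          " expected F(0)*|G| =", constructed_poly(24)[0] * 25 % Q)
    print("sum of x^25 over G:", poly_sum_over_subgroup([0] * 25 + [1], 25))
```

The subgroup check is the one a practitioner should keep in mind when reading the later slides: the sum over $G$ is not 0 in general but $F(0)\cdot|G|$, so a distinguisher built on it compares the sum against $|G|$ times the value at zero.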
Integral attacks on GMiMC
GMiMC with 101 rounds
[Figure: the GMiMC round structure; in each round a round constant $RC_1, RC_2, RC_3, \dots$ is added to one branch, which then goes through the cube map $x^3$.]
A differential property on $(2t - 2)$ rounds
[Figure: input state $(\alpha_1, \alpha_2, \dots, \alpha_{t-2}, x, f(x))$ with $x \in \mathbb{F}_q$ and $\deg f = 3$. After $(t-2)$ rounds the state is $(x + \gamma_0, f(x) + \gamma_0, \gamma_1, \dots, \gamma_{t-2})$. After 2 more rounds the state consists of $g(x')$, $x'$ and constants, with $x' \in \mathbb{F}_q$ and $\deg g = 3$. After $(t-2)$ further rounds, i.e. $(2t-2)$ rounds in total, the first two branches are $g(x') + \delta_1$ and $x' + \delta_1$ and the remaining branches are constants $\dots, \delta_{t-2}, \delta_{t-1}, \delta_t$.]
Integral distinguisher on GMiMC
[Figure: after the $(2t-2)$-round differential property, the state is $(g(x') + \delta_1, x' + \delta_1, \dots, \delta_{t-2}, \delta_{t-1}, \delta_t)$ with $x' \in \mathbb{F}_q$ and $\deg g = 3$. After $r$ further rounds, every branch $z_i$ satisfies $\deg_x z_i = 3^{r+1} < q - 1$ for $r \le \lfloor \log_3(q-2) \rfloor - 1$, so $(\lfloor \log_3(q-2) \rfloor - 1)$ rounds are taken. After $(t-1)$ more rounds the output $(v_1, \dots, v_t)$ satisfies: $\sum_{i=2}^{t} v_i - (t-2)\, v_1$ is a linear combination of the $z_i$.]
Integral distinguisher on GMiMC
With complexity $q$. After $3t - 4 + \lfloor \log_3(q-2) \rfloor$ rounds,
$$\sum_{i=2}^{t} v_i - (t-2)\, v_1$$
is a polynomial of degree at most $(q-2)$ in $x$. $\Rightarrow$ It sums to 0 when $x$ varies in $\mathbb{F}_q$.

| $\log_2 q$ | $t$ | Full nb of rounds | Nb of rounds of the distinguisher |
|---|---|---|---|
| 61 | 12 | 101 | 70 |
| 125 | 4 | 166 | 86 |
| 125 | 12 | 182 | 110 |
| 253 | 3 | 326 | – |
| 253 | 11 | 342 | – |
Integral distinguisher on GMiMC using multiplicative subgroups
For $q = 2^{253} + 2^{199} + 1$. After $3t - 4 + \lfloor \log_3(|G| - 1) \rfloor$ rounds,
$$\sum_{i=2}^{t} v_i - (t-2)\, v_1$$
is a polynomial of degree at most $(|G| - 1)$ in $x$. $\Rightarrow$ It sums to 0 when $x$ varies in $G$.

| $\log_2 q$ | $t$ | Full nb of rounds | Nb of rounds of the distinguisher |
|---|---|---|---|
| 61 | 12 | 101 | 70 |
| 125 | 4 | 166 | 86 |
| 125 | 12 | 182 | 110 |
| 253 | 3 | 326 | 85 with $|G| = 2^{128}$ |
| 253 | 11 | 342 | 109 with $|G| = 2^{128}$ |
Zero-sum distinguisher on GMiMC
With a multiplicative subgroup $G$. After $4t - 6 + 2 \lfloor \log_3(|G| - 1) \rfloor$ rounds,
$$\sum_{i=1}^{t-1} u_i - (t-2)\, u_t \quad \text{and} \quad \sum_{i=2}^{t} v_i - (t-2)\, v_1$$
sum to 0 when $x$ varies in $G$.

| $\log_2 q$ | $t$ | Full nb of rounds | Nb of rounds of the ZS | $|G|$ |
|---|---|---|---|---|
| 61 | 12 | 101 | 118 | $q$ |
| 61 | 12 | 101 | 102 | $2^{33} \cdot 167 \cdot 211 \simeq 2^{48}$ |
| 125 | 4 | 166 | 166 | $q$ |
| 125 | 12 | 182 | 198 | $q$ |
| 253 | 3 | 326 | 166 | $2^{128}$ |
| 253 | 11 | 342 | 198 | $2^{128}$ |
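The integral distinguisher of the previous slides, run end to end on a toy GMiMC_erf instance. This is an added example and not code from the slides or from the GMiMC designers: the field $q = 1009$, $t = 4$ and the round constants are constructed, and the round function convention (add a round constant to the first branch, cube it, add the result to every other branch, rotate) as well as the explicit choice of the cubic $f$ in the crafted input $(\alpha_1, \dots, \alpha_{t-2}, x, f(x))$ are my assumptions about how the $(2t-2)$-round property is realised. Under those assumptions the code checks that the tail branches are constant after $2t-2$ rounds, that $\sum_{i=2}^{t} v_i - (t-2)\,v_1$ sums to 0 over $x \in \mathbb{F}_q$ after $3t - 4 + \lfloor \log_3(q-2) \rfloor$ rounds, and that the same round-count formula reproduces the 70, 86 and 110 rows of the table.

```python
"""Added example: the integral distinguisher on a toy GMiMC_erf instance over F_q.

Constructed toy parameters q = 1009 (prime) and t = 4 branches with arbitrary
deterministic round constants; these are not the challenge parameters.
"""
Q = 1009
T = 4
RC = [(7 * i * i + 3 * i + 11) % Q for i in range(1, 64)]  # constructed round constants


def cube(v):
    return pow(v, 3, Q)


def round_erf(state, rc):
    """One GMiMC_erf round (assumed convention): y = (s_0 + rc)^3 is added to every
    other branch, then the branches rotate so that s_0 becomes the last branch."""
    y = cube((state[0] + rc) % Q)
    return [(s + y) % Q for s in state[1:]] + [state[0]]


def gmimc_erf(state, nrounds):
    s = list(state)
    for i in range(nrounds):
        s = round_erf(s, RC[i])
    return s


def floor_log3(n):
    """Largest k with 3^k <= n, in integer arithmetic (no float rounding)."""
    k = 0
    while 3 ** (k + 1) <= n:
        k += 1
    return k


def distinguisher_rounds(q=Q, t=T):
    """Rounds covered by the distinguisher: 3t - 4 + floor(log_3(q - 2))."""
    return 3 * t - 4 + floor_log3(q - 2)


def gamma0(alphas):
    """gamma_0: sum of the t-2 round outputs produced while the alphas go through F."""
    assert len(alphas) == T - 2
    return gmimc_erf(list(alphas) + [0, 0], T - 2)[0]


def crafted_input(x, alphas):
    """Input (alpha_1, ..., alpha_{t-2}, x, f(x)) with deg f = 3 chosen so that the
    round-t output cancels the round-(t-1) output h(x) = (x + gamma_0 + RC_{t-1})^3.
    Because -1 = (-1)^3 in any field, y_t = (-(x + gamma_0 + RC_{t-1}))^3 = -h(x)."""
    g0 = gamma0(alphas)
    h = cube((x + g0 + RC[T - 2]) % Q)
    f = (-(x + g0 + RC[T - 2]) - g0 - RC[T - 1] - h) % Q
    return list(alphas) + [x, f]


def branch_combination(v):
    """v_2 + ... + v_t - (t-2) v_1 (mod q)."""
    return (sum(v[1:]) - (T - 2) * v[0]) % Q


def integral_sum(nrounds, alphas=(5, 17)):
    """Sum over x in F_q of the branch combination after nrounds rounds (mod q)."""
    return sum(branch_combination(gmimc_erf(crafted_input(x, alphas), nrounds))
               for x in range(Q)) % Q


def constant_tail_after_2t_minus_2(alphas=(5, 17)):
    """True if branches 3..t do not depend on x after 2t-2 rounds."""
    tails = {tuple(gmimc_erf(crafted_input(x, alphas), 2 * T - 2)[2:]) for x in range(Q)}
    return len(tails) == 1


if __name__ == "__main__":
    r = distinguisher_rounds()
    print("toy distinguisher rounds:", r)
    print("constant tail after 2t-2 rounds:", constant_tail_after_2t_minus_2())
    print("integral sum after", r, "rounds:", integral_sum(r))
    print("table rows (log2 q, t) -> rounds:",
          distinguisher_rounds(2**61 + 20 * 2**32 + 1, 12),
          distinguisher_rounds(2**125 + 266 * 2**64 + 1, 4),
          distinguisher_rounds(2**125 + 266 * 2**64 + 1, 12))
```

The degree argument is what makes the round count work: from the state $(g(x') + \delta_1, x' + \delta_1, \text{const}, \dots)$ each round multiplies the degree in $x'$ by 3, so after $r$ rounds it is $3^{r+1}$, and the last $t-1$ rounds keep the combination linear in the $z_i$ because the round-function output enters every one of the $t-1$ summed branches once and is subtracted $(t-2)$ times.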
Algebraically-controlled differential attacks on GMiMC
Algebraically-controlled differential attacks
Idea: use algebraic techniques to efficiently find hash function inputs that satisfy a differential characteristic (avoid expensive probabilistic cost)
Method: represent the conditions of differential transitions as (efficiently solvable) algebraic equations
Application to GMiMC:
• exploit algebraic structure to penetrate deep into internal state
• attack almost entirely algebraic — differential transitions too expensive to bypass probabilistically
Results:
• basic method on $3t - 2$ rounds of permutation
• extend to more rounds and attack the hash function (e.g., practical 40-round collision on GMiMC-128-d)
Application to GMiMC
Differential characteristic: $\Delta_0, \Delta'_0$ arbitrary non-zero differences.
$$(\Delta_0, \Delta'_0, 0, \dots, 0) \xrightarrow{R_S} (\Delta'_0 + \Delta_1, \Delta_1, \dots, \Delta_1, \Delta_0), \qquad \Delta_0 \to \Delta_1 \text{ through } S$$
$$\xrightarrow{R_S} (\Delta_1 + \Delta'_1, \dots, \Delta_1 + \Delta'_1, \Delta_0 + \Delta'_1, \Delta'_0 + \Delta_1), \qquad \Delta'_0 + \Delta_1 \to \Delta'_1 \text{ through } S$$
If $\Delta_1 + \Delta'_1 = 0$, we get an iterative differential characteristic
$$(\Delta_0, \Delta'_0, 0, \dots, 0) \xrightarrow{R^t} (\Delta_0 - \Delta_1, \Delta'_0 + \Delta_1, 0, \dots, 0)$$
$\Delta_1 + \Delta'_1 = 0$ occurs with probability $\approx 1/q$.
Condition $\Delta_1 + \Delta'_1 = 0$ is viewed as an equation on values.
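The condition $\Delta_1 + \Delta'_1 = 0$ treated as an equation on values, on a toy GMiMC_erf instance. This is an added example, not code from the slides: the field $q = 107$ (chosen with $q \equiv 3 \pmod 4$ so that square roots are one exponentiation), $t = 4$, the round constants and the input differences $\Delta_0 = 1$, $\Delta'_0 = 2$ are constructed, and the round-function convention (add a round constant to the first branch, cube, add to all other branches, rotate) is my assumption. With the cube map, $\Delta'_1$ is a quadratic in the value entering the second S-box, so every input satisfying the condition is obtained by solving that quadratic rather than by trying inputs until the $1/q$ event occurs; the code cross-checks the algebraic solutions against exhaustive search and verifies that they all follow the iterative $R^t$ characteristic.

```python
"""Added example: solving Delta_1 + Delta'_1 = 0 on a toy GMiMC_erf as an equation on values.

Constructed toy parameters: q = 107 (prime, q = 3 mod 4), t = 4 branches, arbitrary
deterministic round constants and input differences (Delta_0, Delta'_0) = (1, 2).
"""
Q = 107
T = 4
RC = [(5 * i * i + 9 * i + 2) % Q for i in range(1, 32)]  # constructed round constants
D0, D0P = 1, 2  # constructed non-zero input differences Delta_0 and Delta'_0


def round_erf(state, rc):
    """One GMiMC_erf round (assumed convention): y = (s_0 + rc)^3 is added to every
    other branch, then the branches rotate so that s_0 becomes the last branch."""
    y = pow((state[0] + rc) % Q, 3, Q)
    return [(s + y) % Q for s in state[1:]] + [state[0]]


def gmimc_erf(state, nrounds):
    s = list(state)
    for i in range(nrounds):
        s = round_erf(s, RC[i])
    return s


def sqrt_mod(a):
    """Square roots of a in F_q for q = 3 mod 4; empty if a is a non-residue."""
    a %= Q
    if a == 0:
        return [0]
    r = pow(a, (Q + 1) // 4, Q)
    return sorted({r, Q - r}) if r * r % Q == a else []


def delta1(s0):
    """Delta_1 = (a + Delta_0)^3 - a^3 with a = s_0 + RC_1 the value entering the first S-box."""
    a = (s0 + RC[0]) % Q
    return (pow((a + D0) % Q, 3, Q) - pow(a, 3, Q)) % Q


def solve_condition(s0):
    """All s_1 such that inputs (s_0, s_1, ...) and (s_0 + D0, s_1 + D0P, ...) satisfy
    Delta_1 + Delta'_1 = 0, found by solving a quadratic over F_q.

    The value entering the second S-box is b = s_1 + y_1 + RC_2 with y_1 = (s_0 + RC_1)^3,
    and its difference is c = Delta'_0 + Delta_1, so
    Delta'_1 = (b + c)^3 - b^3 = 3c b^2 + 3c^2 b + c^3.
    """
    y1 = pow((s0 + RC[0]) % Q, 3, Q)
    d1 = delta1(s0)
    c = (D0P + d1) % Q
    if c == 0:  # then Delta'_1 = 0 and the condition Delta_1 = -Delta'_0 cannot hold
        return []
    # 3c b^2 + 3c^2 b + (c^3 + d1) = 0, discriminant 9c^4 - 12c(c^3 + d1)
    disc = (9 * pow(c, 4, Q) - 12 * c * (pow(c, 3, Q) + d1)) % Q
    inv = pow(6 * c % Q, Q - 2, Q)  # inverse of 6c (q != 2, 3 and c != 0)
    return sorted({((-3 * c * c + r) * inv - y1 - RC[1]) % Q for r in sqrt_mod(disc)})


def output_difference(s0, s1, nrounds=T):
    """Difference after nrounds rounds between inputs differing by (D0, D0P, 0, ..., 0)."""
    tail = [0] * (T - 2)
    u = gmimc_erf([s0, s1] + tail, nrounds)
    v = gmimc_erf([(s0 + D0) % Q, (s1 + D0P) % Q] + tail, nrounds)
    return [(b - a) % Q for a, b in zip(u, v)]


def expected_iterative_difference(s0):
    """(Delta_0 - Delta_1, Delta'_0 + Delta_1, 0, ..., 0) predicted by R^t."""
    d1 = delta1(s0)
    return [(D0 - d1) % Q, (D0P + d1) % Q] + [0] * (T - 2)


def algebraic_solutions():
    return [(s0, s1) for s0 in range(Q) for s1 in solve_condition(s0)]


def brute_force_solutions():
    """Cross-check: after 2 rounds the first branch difference is Delta_1 + Delta'_1."""
    return [(s0, s1) for s0 in range(Q) for s1 in range(Q)
            if output_difference(s0, s1, 2)[0] == 0]


def characteristic_holds(pairs):
    return all(output_difference(s0, s1) == expected_iterative_difference(s0)
               for s0, s1 in pairs)


if __name__ == "__main__":
    sols = algebraic_solutions()
    print("solutions found algebraically:", len(sols), "of", Q * Q, "pairs (about 1/q)")
    print("matches exhaustive search:", sols == brute_force_solutions())
    print("all follow the iterative characteristic over t rounds:", characteristic_holds(sols))
```

The count of solutions is about $q$ out of $q^2$ pairs $(s_0, s_1)$, which is the $\approx 1/q$ probability of the slide; the point of the algebraic view is that these pairs are enumerated directly, one quadratic per value of $s_0$, instead of being found by sampling.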