Abstract
Symmetric cryptographic primitives with low multiplicative complexity have been proposed to improve the performance of emerging applications such as secure Multi-Party Computation. However, primitives composed of round functions with low algebraic degree require a careful evaluation to assess their security against algebraic cryptanalysis, and in particular interpolation attacks. This paper proposes new low-memory interpolation attacks on symmetric key primitives of low degree. Moreover, we present generic attacks on block ciphers with a simple key schedule; our attacks require either constant memory or constant data complexity. The improved attack is applied to the block cipher MiMC which aims to minimize the number of multiplications in large finite fields. As a result, we can break MiMC-129/129 with 38 rounds with time and data complexity \(2^{65.5}\) and \(2^{60.2}\) respectively and with negligible memory; this attack invalidates one of the security claims of the designers. Our attack indicates that for MiMC-129/129 the full 82 rounds are necessary even with restrictions on the memory available to the attacker. For variants of MiMC with larger keys, we present new attacks with reduced complexity. Our results do not affect the security claims of the full round MiMC.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. Cryptology ePrint Archive, Report 2019/419 (2019). https://eprint.iacr.org/2019/419
Albrecht, M.R., et al.: Feistel structures for MPC, and more. Cryptology ePrint Archive, Report 2019/397 (2019). https://eprint.iacr.org/2019/397
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Albrecht, M.R., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. Cryptology ePrint Archive, Report 2016/492 (2016). https://eprint.iacr.org/2016/492
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046
Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6
Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_16
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - the advanced encryption standard. In: Information Security and Cryptography. Springer (2002)
Dinur, I., Liu, Y., Meier, W., Wang, Q.: Optimized interpolation attacks on LowMC. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 535–560. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_22
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22
Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17
von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 3rd edn. Cambridge University Press (2013)
Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 430–443 (2016)
Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332
Jakobsen, T., Knudsen, L.R.: Attacks on block ciphers of low algebraic degree. J. Cryptol. 14(3), 197–210 (2001)
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Lai, X.: Higher order derivatives and differential cryptanalysis. In: Communications and Cryptography. The Springer International Series in Engineering and Computer Science, vol. 276, pp. 227–233 (1994)
Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13
Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_6
Nyberg, K., Knudsen, L.R.: Provable security against a differential attack. J. Cryptol. 8(1), 27–37 (1995)
Rechberger, C., Soleimany, H., Tiessen, T.: Cryptanalysis of low-data instances of full LowMCv2. IACR Trans. Symmetric Cryptol. 2018(3), 163–181 (2018). https://doi.org/10.13154/tosc.v2018.i3.163-181, https://tosc.iacr.org/index.php/ToSC/article/view/7300
Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
Shimoyama, T., Moriai, S., Kaneko, T.: Improving the higher order differential attack and cryptanalysis of the KN cipher. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 32–42. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0030406
Stoß, H.: The complexity of evaluating interpolation polynomials. Theor. Comput. Sci. 41, 319–323 (1985)
Sun, B., Qu, L., Li, C.: New Cryptanalysis of block ciphers with low algebraic degree. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 180–192. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_11
Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9
Wang, Q., Hao, Y., Todo, Y., Li, C., Isobe, T., Meier, W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_10
Acknowledgement
The authors thank the anonymous reviewers for many helpful comments. The work is supported by the Research Council KU Leuven under the grant C16/15/058 and by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. H2020-MSCA-ITN-2014-643161 ECRYPT-NET.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Algorithm for Computing \(E(K,x_i)-y_i\)
A Algorithm for Computing \(E(K,x_i)-y_i\)
This section describes the algorithm to obtain the explicit expression of \(E(K,x_i)-y_i\) which is used in Step 3 of the GCD attacks in Sect. 4.2. Recall that here K is the variable and \((x_i,y_i)\) is an input/output pair corresponding to some plaintext/ciphertext pair.
-
1.
Select \(d^{R_{\texttt {KA}}(r,\ell )}+1\) different values \(\alpha _0,\cdots ,\alpha _{d^{R_{\texttt {KA}}(r,\ell )}}\in \) \(\mathbb {F}_{q}\) .
-
2.
Compute \(\beta _j=E(\alpha _j,x_i)-y_i\) for \(i=0,1\) and \(0\le j \le d^{R_{\texttt {KA}}(r,\ell )}\).
-
3.
Interpolate the polynomial \(g_i(x)\) such that \(g_i(\alpha _j)=\beta _j\) for \(i=0,1\) and \(0\le j \le d^{R_{\texttt {KA}}(r,\ell )}\).
First observe that the iterative structure of \(E(K,x_i)-y_i\) enables us to evaluate \(E(\alpha _j,x_i)-y_i\) round by round. In each round one needs to evaluate a polynomial with constant degree, which can be done in constant time. Hence, each \(\beta _j\) is obtained with complexity only \(O(R_{\texttt {KA}}(r,\ell ))\) though the degree is \(d^{R_{\texttt {KA}}(r,\ell )}\). It follows that the second step has time complexity \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). The third step is a standard polynomial interpolation with complexity \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). Hence, the total time complexity is \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\). The memory complexities of the algorithm is \(O(R_{\texttt {KA}}(r,\ell )d^{R_{\texttt {KA}}(r,\ell )})\) due to the polynomial interpolation in the third step [14].
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Li, C., Preneel, B. (2020). Improved Interpolation Attacks on Cryptographic Primitives of Low Algebraic Degree. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-38471-5_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5
eBook Packages: Computer ScienceComputer Science (R0)