Related-Key Differential Cryptanalysis of GMiMC Used in Post-Quantum Signatures

Abstract

With the urgency of the threat imposed by quantum computers, there is a strong interest in making the signature schemes quantum resistant. As the promising candidates to ensure post-quantum security, symmetric-key primitives, in particular the recent MPC/FHE/ZK-friendly hash functions or block ciphers, are providing another choice to build efficient and secure signature schemes that do not rely on any assumed hard problems. However, considering the intended use cases, many of these novel ciphers for advanced cryptographic protocols do not claim the related-key security.

In this paper, we initiate the study of the ignored related-key security of GMiMC proposed by Albrecht et al. at ESORICS 2019, some versions of which are optimized and designed to be used in post-quantum secure signatures. By investigating the potential threats of related-key attacks for GMiMC intended to be deployed as the underlying building block in post-quantum signature schemes, we then construct two kinds of iterative related-key differentials, from which not only do we explore its security margin against related-key attacks, but also collision attacks on its key space can be performed. For example, for GMiMC instance that beats the smallest signature size obtainable using LowMC, we can find its key collision using only about \(2^{10}\) key pairs. It worths noting that our current key collision attack is only applicable when the adversarial power is sufficiently strong (e.g., in the so-called multi-user setting), and it does not threaten the one-wayness of GMiMC. Furthermore, from the experiments of our related-key differentials, it can be observed that the differential clustering effect of GMiMC differs in both aspects: the choice of the finite field \(\mathbb {F}\) being \(\mathbb {F}_p\) or \(\mathbb {F}_2^n\), and the size of the finite field \(\mathbb {F}\).

Appendix SMT based Search Model of Matrix M in the Key Schedule of GMiMC

In this paper, we use STP [16] solver to perform the search of the matrix, which is a constraint solver (or SMT solver) aimed at solving constraints of bitvectors and arrays. In the following, we describe our SMT based search models by using CVC language⁷, which is the default input language of STP. And our codes of generating the SMT based search model of matrix M over \(\mathbb {F}_p\) and \(\mathbb {F}_2^n\) are provided at https://www.dropbox.com/sh/kxex7rqw440zes4/AAC1omTjoPoM5B8Ka19ErmjZa?dl=0.

The model of searching M over \(\mathbb {F}_p\): Each variable in SMT based model can be expressed by a bitvector, that is, a variable \(m_0 \in \mathbb {F}_p\) in the circulant matrix M can be represented by using \(n=\lceil \log _2p \rceil \) bits. An example of a non-zero variable \(m_0\in \mathbb {F}_5\) is:

As M is a left circulant matrix, for matrix \(M^i~(2\le i)\), the variable \(M^i[1,l]\) in the first row can be recursively expressed by

$$ M^i[1,l] \equiv \sum _{j=1}^{t-1}{(M^{i-1}[1,j]\times m_{(l+j)\mod ~t})}\mod ~p, $$

where \(0\le j,l \le t-1\). This relationship can be described by using the predicates: \(\textrm{BVPLUS}\), \(\textrm{BVMULT}\) and \(\textrm{BVMOD}\) in CVC language. Then, the number of zero entries of these \(t\times \lceil R/t \rceil \) variables is counted as an objective function to minimize during the search. Once we obtain a solution of M, it has to be checked whether it is invertible. If not, this solution should be excluded from the search model, and repeat the process until we find a proper one.

The model of searching M over \(\mathbb {F}_2^n\): Similar to the model over \(\mathbb {F}_2^n\), a variable \(m_0\in \mathbb {F}_2^n\) in the circulant matrix M can be represented by using n bits. An example of non-zero variable \(m_0\in \mathbb {F}_2^3\) is:

In the same way, the variable \(M^i[1,l]\) in the first row can be recursively expressed by

$$ M^i[1,l] \equiv \sum _{j=1}^{t-1}{M^{i-1}[1,j]\times m_{(l+j)\mod ~t}}, $$

where \(0\le j,l \le t-1\). Note that the addition here for \(\mathbb {F}_2^n\) is the XOR operation, the multiplication operation here is the field multiplication operation that needs the corresponding irreducible polynomial. By using the predicate \(\textrm{BVXOR}\) in CVC language, we can describe polynomial multiplication and modular polynomial operations by the SMT based model. Then, it follows the similar search process of that over \(\mathbb {F}_p\) presented above.