Abstract
With the urgency of the threat posed by quantum computers, there is strong interest in making signature schemes quantum resistant. As promising candidates for post-quantum security, symmetric-key primitives, in particular the recent MPC/FHE/ZK-friendly hash functions and block ciphers, provide another way to build efficient and secure signature schemes that do not rely on any assumed hard problem. However, given their intended use cases, many of these novel ciphers for advanced cryptographic protocols do not claim related-key security.
In this paper, we initiate the study of the so far ignored related-key security of GMiMC, proposed by Albrecht et al. at ESORICS 2019, some versions of which are optimized and designed to be used in post-quantum secure signatures. By investigating the potential threats of related-key attacks to GMiMC when it is deployed as the underlying building block of post-quantum signature schemes, we construct two kinds of iterative related-key differentials, from which we not only explore its security margin against related-key attacks but also mount collision attacks on its key space. For example, for the GMiMC instance that beats the smallest signature size obtainable using LowMC, we can find a key collision using only about \(2^{10}\) key pairs. It is worth noting that our current key collision attack is only applicable when the adversarial power is sufficiently strong (e.g., in the so-called multi-user setting), and it does not threaten the one-wayness of GMiMC. Furthermore, the experiments on our related-key differentials show that the differential clustering effect of GMiMC depends on two aspects: the choice of the finite field \(\mathbb {F}\) as \(\mathbb {F}_p\) or \(\mathbb {F}_2^n\), and the size of the finite field \(\mathbb {F}\).
Notes
1.
2. One of the GMiMC variants with expanding round functions.
3. In this paper, when discussing a Picnic-style signature, we consider that its underlying symmetric-key primitive LowMC is replaced with GMiMC, which is designed to compete with LowMC in some ZK use cases.
4. It is well known that the cubic function is almost perfect nonlinear (APN), so the probability is bounded above by \(2/|\mathbb {F}_p|\).
5. Other choices of x give similar results.
6. This is the default choice for GF(\(2^3\)) in the software tool SAGE [26], which we use for the experiments in this paper. Other choices of irreducible polynomial give similar results.
7. See the brief introduction at https://github.com/stp/stp/blob/ee83ef70ffeb386575f7452095b52406894b0489/docs/cvc-input-language.rst.
References
Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8
Albrecht, M.R., et al.: Feistel structures for MPC, and more. IACR Cryptol. ePrint Arch, p. 397 (2019). https://eprint.iacr.org/2019/397
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45
Aumasson, J.P., et al.: \(\text{SPHINCS}^+\). In: Submission to NIST Post-Quantum Cryptography project (2020). https://sphincs.org/data/sphincs+-round3-specification.pdf
Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11
Biham, E.: New types of cryptanalytic attacks using related keys. J. Crypt. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Crypt. 4(1), 3–72 (1991). https://doi.org/10.1007/BF00630563
Boneh, D., Eskandarian, S., Fisch, B.: Post-quantum EPID signatures from symmetric primitives. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 251–271. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_13
Chase, M., et al.: The picnic signature scheme. In: Submission to NIST Post-Quantum Cryptography Project (2020). https://github.com/microsoft/Picnic/blob/master/spec/design-v2.2.pdf
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1825–1842 (2017). https://doi.org/10.1145/3133956.3133997
Chen, L., et al.: Report on post-quantum cryptography, vol. 12. US Department of Commerce, National Institute of Standards and Technology (2016)
Derler, D., Ramacher, S., Slamanig, D.: Post-quantum zero-knowledge proofs for accumulators with applications to ring signatures from symmetric-key primitives. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 419–440. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_20
Eichlseder, M., Kales, D.: Clustering related-tweak characteristics: application to MANTIS-6. IACR Trans. Symmetric Cryptol. 2018(2), 111–132 (2018). https://doi.org/10.13154/tosc.v2018.i2.111-132
Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Computer Aided Verification, 19th International Conference, CAV 2007, pp. 519–531 (2007). https://doi.org/10.1007/978-3-540-73368-3_52
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Knudsen, L.R.: Cryptanalysis of LOKI. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 22–35. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57332-1_2
Knudsen, L.R., Kohno, T.: Analysis of RMAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 182–191. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_14
Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, 28–31 October 2012, pp. 312–316 (2012). https://ieeexplore.ieee.org/document/6400943/
Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6
Leurent, G., Pernot, C., Schrottenloher, A.: Clustering effect in Simon and Simeck. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 272–302. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_10
Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_41
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700
Simon, D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 116–123 (1994). https://doi.org/10.1109/SFCS.1994.365701
The Sage Developers: SageMath, the Sage mathematics software system (Version 8.8). https://www.sagemath.org
Wang, M., Sun, Y., Tischhauser, E., Preneel, B.: A model for structure attacks, with applications to PRESENT and serpent. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 49–68. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_4
Acknowledgements
This research is supported by the National Research Foundation, Singapore under its Strategic Capability Research Centres Funding Initiative, the Nanyang Technological University in Singapore under Start-up Grant 04INS000397C230, and Ministry of Education in Singapore under Grants RG91/20 and MOE2019-T2-1-060, the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the National Natural Science Foundation of China (Grant No. 62032014), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025), the National Key R&D Program of China (Grant No. 2022YFB2701700), Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053) and the National Natural Science Foundation of China (Grant No. 62002202). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore.
Appendix SMT based Search Model of Matrix M in the Key Schedule of GMiMC
In this paper, we use the STP solver [16] to perform the search for the matrix; STP is a constraint solver (SMT solver) for constraints over bitvectors and arrays. In the following, we describe our SMT based search models in the CVC language (see Note 7), which is the default input language of STP. Our code for generating the SMT based search model of the matrix M over \(\mathbb {F}_p\) and over \(\mathbb {F}_2^n\) is provided at https://www.dropbox.com/sh/kxex7rqw440zes4/AAC1omTjoPoM5B8Ka19ErmjZa?dl=0.
The model for searching M over \(\mathbb {F}_p\): Each variable in the SMT based model is expressed as a bitvector, that is, a variable \(m_0 \in \mathbb {F}_p\) in the circulant matrix M is represented using \(n=\lceil \log _2p \rceil \) bits. An example of a non-zero variable \(m_0\in \mathbb {F}_5\) is:
As M is a left circulant matrix, for the matrix \(M^i~(2\le i)\) the variable \(M^i[1,l]\) in the first row can be expressed recursively by
where \(0\le j,l \le t-1\). This relationship is described using the predicates \(\textrm{BVPLUS}\), \(\textrm{BVMULT}\) and \(\textrm{BVMOD}\) of the CVC language. The number of zero entries among these \(t\times \lceil R/t \rceil \) variables is then taken as the objective function to minimize during the search. Once a solution M is obtained, it has to be checked for invertibility. If it is not invertible, this solution is excluded from the search model and the process is repeated until a proper one is found.
The model for searching M over \(\mathbb {F}_2^n\): Similar to the model over \(\mathbb {F}_p\), a variable \(m_0\in \mathbb {F}_2^n\) in the circulant matrix M is represented using n bits. An example of a non-zero variable \(m_0\in \mathbb {F}_2^3\) is:
In the same way, the variable \(M^i[1,l]\) in the first row can be expressed recursively by
where \(0\le j,l \le t-1\). Note that addition in \(\mathbb {F}_2^n\) is the XOR operation, while multiplication is the field multiplication, which requires the corresponding irreducible polynomial. Using the predicate \(\textrm{BVXOR}\) of the CVC language, the polynomial multiplication and the reduction modulo the irreducible polynomial are described in the SMT based model. The search then follows the same process as the one over \(\mathbb {F}_p\) presented above.
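The two search models above, as an added worked example that is not the paper's own code (the authors' generator lives at the Dropbox link in the appendix): a plain-Python model of the quantity the SMT search minimizes, for both \(\mathbb {F}_p\) and \(\mathbb {F}_2^n\). Instead of constraint solving it enumerates every first row of the left circulant matrix, discards non-invertible candidates as the appendix does, and returns the one with the fewest zero entries among the first rows of \(M^1,\dots ,M^{\lceil R/t \rceil }\). It assumes that "left circulant" means each row is the previous row rotated left by one position, that the \(t\times \lceil R/t \rceil \) counted entries are those first rows, and it uses toy parameters (\(\mathbb {F}_5\), \(\mathbb {F}_2^3\) with \(x^3+x+1\), \(t=3\), \(R=6\)) chosen for this example rather than GMiMC's; all class and function names are this example's own.

```python
# Added worked example (not the paper's or the authors' code): a plain-Python model of
# the quantity the appendix's SMT search minimises. The solver would choose the entries
# m_0..m_{t-1} of the left-circulant M; here first rows are constructed by hand, the
# first rows of M^1..M^{ceil(R/t)} follow the appendix's recurrence, zeros are counted
# and invertibility is checked. Field sizes, t and R are toy values, not GMiMC's.
from itertools import product
from math import ceil

class PrimeField:
    """Arithmetic in F_p; elements are ints in [0, p), i.e. ceil(log2 p)-bit values."""
    def __init__(self, p):
        self.p, self.zero = p, 0
    def add(self, a, b): return (a + b) % self.p
    def sub(self, a, b): return (a - b) % self.p
    def mul(self, a, b): return (a * b) % self.p
    def inv(self, a): return pow(a, self.p - 2, self.p)   # Fermat; p must be prime
    def elements(self): return range(self.p)

class BinaryField:
    """Arithmetic in F_{2^n}: elements are n-bit ints, addition is XOR, multiplication
    is carry-less multiplication reduced modulo `poly`, an irreducible polynomial
    given together with its x^n term (e.g. 0b1011 = x^3 + x + 1)."""
    def __init__(self, n, poly):
        self.n, self.poly, self.zero = n, poly, 0
    def add(self, a, b): return a ^ b
    sub = add                                   # characteristic 2: a - b = a + b
    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.n) & 1:               # degree reached n: reduce by poly
                a ^= self.poly
        return r
    def inv(self, a):                           # a^(2^n - 2) by square-and-multiply
        result, base, e = 1, a, (1 << self.n) - 2
        while e:
            if e & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            e >>= 1
        return result
    def elements(self): return range(1 << self.n)

def left_circulant(first_row):
    """Row i is the first row rotated left by i positions (this reading of
    'left circulant' is an assumption of the example)."""
    return [first_row[i:] + first_row[:i] for i in range(len(first_row))]

def first_rows_of_powers(F, first_row, R):
    """First rows of M^1, ..., M^{ceil(R/t)} via the appendix's recurrence
    M^i[1,l] = sum_j M^{i-1}[1,j] * M[j,l]; only one row per power is needed."""
    M, t = left_circulant(first_row), len(first_row)
    rows = [list(first_row)]
    for _ in range(2, ceil(R / t) + 1):
        prev, nxt = rows[-1], []
        for l in range(t):
            acc = F.zero
            for j in range(t):
                acc = F.add(acc, F.mul(prev[j], M[j][l]))
            nxt.append(acc)
        rows.append(nxt)
    return rows

def count_zero_entries(F, first_row, R):
    """Objective minimised by the SMT search: zeros among the t*ceil(R/t) entries."""
    return sum(row.count(F.zero) for row in first_rows_of_powers(F, first_row, R))

def is_invertible(F, M):
    """Gaussian elimination over F; a column without a pivot means det(M) = 0."""
    A, t = [row[:] for row in M], len(M)
    for col in range(t):
        piv = next((r for r in range(col, t) if A[r][col] != F.zero), None)
        if piv is None:
            return False
        A[col], A[piv] = A[piv], A[col]
        inv = F.inv(A[col][col])
        for r in range(col + 1, t):
            if A[r][col] != F.zero:
                f = F.mul(A[r][col], inv)
                A[r] = [F.sub(A[r][c], F.mul(f, A[col][c])) for c in range(t)]
    return True

def exhaustive_search(F, t, R):
    """Toy stand-in for the solver: try every first row, skip non-invertible M (the
    appendix excludes such solutions and re-runs), return (min zeros, first row)."""
    best = None
    for first_row in map(list, product(F.elements(), repeat=t)):
        if is_invertible(F, left_circulant(first_row)):
            z = count_zero_entries(F, first_row, R)
            if best is None or z < best[0]:
                best = (z, first_row)
    return best

if __name__ == "__main__":
    Fp, F8 = PrimeField(5), BinaryField(3, 0b1011)      # toy fields (constructed)
    print(first_rows_of_powers(Fp, [1, 2, 0], 6))       # [[1, 2, 0], [0, 2, 2]]
    print(exhaustive_search(Fp, 3, 6), exhaustive_search(F8, 3, 6))
```

The two field classes mirror the appendix's bitvector widths: elements of \(\mathbb {F}_p\) fit in \(\lceil \log _2 p \rceil \) bits and `PrimeField` reduces modulo p exactly as BVPLUS/BVMULT followed by BVMOD would, while `BinaryField.mul` performs the shift-and-XOR reduction that the \(\mathbb {F}_2^n\) model expresses with BVXOR. The enumeration is only feasible for such toy sizes, which is why the appendix hands the real parameters to STP; on small parameters the function doubles as a cross-check of a solver's output.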
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, S. et al. (2023). Related-Key Differential Cryptanalysis of GMiMC Used in Post-Quantum Signatures. In: Seo, SH., Seo, H. (eds) Information Security and Cryptology – ICISC 2022. ICISC 2022. Lecture Notes in Computer Science, vol 13849. Springer, Cham. https://doi.org/10.1007/978-3-031-29371-9_3
DOI: https://doi.org/10.1007/978-3-031-29371-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29370-2
Online ISBN: 978-3-031-29371-9