Linear Cryptanalysis and Its Variants with Fast Fourier Transformation Technique on MPC/FHE/ZK-Friendly \(\mathbb {F}_p\)-Based Ciphers

  • Conference paper
  • Information Security and Privacy (ACISP 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13915)

Abstract

The emergence of advanced cryptographic protocols has promoted the development of many applications, such as secure multi-party computation (MPC). For this reason, new symmetric-key primitives have been designed to natively support the finite field \(\mathbb {F}_p\) of odd characteristic for better efficiency. However, some well-studied symmetric cryptanalytic methods and techniques over \(\mathbb {F}_2^n\) cannot be applied directly to these new primitives over \(\mathbb {F}_p\). Considering the less standard design approaches adopted in these novel MPC-friendly ciphers, these proposals are in urgent need of thorough investigation; generalizations of the traditional cryptanalytic tools and techniques to \(\mathbb {F}_p\) will also contribute to a better understanding of the security of these new designs.

In this paper, we first show that the Fast Fourier Transform (FFT) technique for estimating correlations, introduced by Collard et al. at ICISC 2007, can be applied over \(\mathbb {F}_p\) and significantly improves the complexity of Matsui’s Algorithm 2 over \(\mathbb {F}_p\). Then, we formalize differential-linear (DL) cryptanalysis over \(\mathbb {F}_p\). Inspired by the differential-linear connectivity table (DLCT) introduced by Bar-On et al. at EUROCRYPT 2019, we also take the DLCT into consideration and find the relation between the DLCT and the differential distribution table (DDT) over \(\mathbb {F}_p\). Finally, we mount key recovery attacks on a version of HADESMiMC, a SHARK-like MPC-friendly block cipher proposed by Grassi et al. at EUROCRYPT 2020; we denote this version HADESMiMC-128 in this paper. With linear cryptanalysis and the FFT technique, we can attack 7 rounds of HADESMiMC-128. With DL cryptanalysis, a 7-round key recovery attack on HADESMiMC-128 is also mounted, with better time and data complexity. It should be noted that the attacks are still far from threatening the security of the full 14-round HADESMiMC-128.

References

  1. Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13

  2. Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8

  3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020)

  5. Baignères, T., Stern, J., Vaudenay, S.: Linear cryptanalysis of non binary ciphers. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 184–211. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_13

  6. Bar-On, A., Dunkelman, O., Keller, N., Weizman, A.: DLCT: a new tool for differential-linear cryptanalysis. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 313–342. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_11

  7. Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Handbook of Satisfiability, Frontiers in Artificial Intelligence and Applications, vol. 185, pp. 825–885

  8. Beierle, C., et al.: Improved differential-linear attacks with applications to ARX ciphers. J. Cryptol. 35(4), 29 (2022)

  9. Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11

  10. Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_16

  11. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

  12. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_1

  13. Bleichenbacher, D.: On the generation of DSA one-time keys. In: Presentation at Cryptography Research Inc., San Francisco (2007)

  14. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)

  15. Blondeau, C., Nyberg, K.: New links between differential and linear cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_24

  16. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31

  17. Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 70(3), 369–383 (2014)

  18. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053450

  19. Collard, B., Standaert, F.-X., Quisquater, J.-J.: Improving the time complexity of Matsui’s linear cryptanalysis. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 77–88. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76788-6_7

  20. Cook, S.A.: The complexity of theorem-proving procedures. In: STOC, pp. 151–158. ACM (1971)

  21. Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)

  22. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. ISC, Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4

  23. Davis, P.J.: Circulant Matrices. American Mathematical Society (2013)

  24. Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-Gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_1

  25. Eichlseder, M., et al.: An algebraic attack on ciphers with low-degree round functions: application to full MiMC. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 477–506. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_16

  26. Flórez-Gutiérrez, A.: Optimising linear key recovery attacks with affine Walsh transform pruning. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 447–476. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_16

  27. Flórez-Gutiérrez, A., Naya-Plasencia, M.: Improving key-recovery in linear attacks: application to 28-round PRESENT. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 221–249. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_9

  28. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new Feistel approach meets fluid-SPN: griffin for zero-knowledge applications. IACR Cryptology ePrint Archive, p. 403 (2022)

  29. Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced concrete: a fast hash function for verifiable computation. In: CCS, pp. 1323–1335. ACM (2022)

  30. Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23

  31. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_8

  32. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3

  33. Liu, Z., Gu, D., Zhang, J., Li, W.: Differential-multiple linear cryptanalysis. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 35–49. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16342-5_3

  34. Lu, J.: A methodology for differential-linear cryptanalysis and its applications. Des. Codes Cryptogr. 77(1), 11–48 (2015)

  35. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

  36. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5

  37. Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017(1), 281–306 (2017)

  38. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9


Acknowledgement

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper. This research is supported by the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the National Natural Science Foundation of China (Grant No. 62032014), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025). Puwen Wei is partially supported by National Key R&D Program of China (Grant No. 2022YFB2701700), Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053). Shiyao Chen is supported by the National Research Foundation, Singapore under its Strategic Capability Research Centres Funding Initiative. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore.

Corresponding author

Correspondence to Meiqin Wang.

Appendices

A Constructions of HADES and MDS

MDS Matrices. All MDS matrices in the HADES strategy are Cauchy matrices.

Definition 8

(Cauchy Matrix). Let \(X=(x_1, \cdots ,x_t)\in \mathbb {F}_p^t\) and \(Y=(y_1, \cdots ,y_t)\in \mathbb {F}_p^t\) s.t.

  • \(\forall i\ne j:x_i\ne x_j, y_i\ne y_j\),

  • \(\forall i,j\in \{1,2,\cdots ,t\}:x_i+y_j\ne 0, x_i \ne y_j\).

Let M be the Cauchy matrix corresponding to (X, Y); then its entry at (i, j) is

$$M_{i,j} = \frac{1}{x_i+y_j}.$$

A Cauchy matrix is an MDS matrix.

Fig. 6. Construction of HADES.

Practical Example. In the cryptanalysis of a concrete instance of HADESMiMC-128 working on GF(251), we select a pair (X, Y) at random as below,

$$X=[250, 171, 161, 235, 93, 225, 229, 123, 122, 106, 246, 43, 55, 90, 186, 39],$$
$$Y=[87, 9, 179, 81, 139, 35, 169, 61, 195, 217, 110, 125, 230, 76, 175, 248],$$

and get the following \(16\times 16\) Cauchy matrix,

$$\left( \begin{array}{cccccccccccccccc} 108 &{} 157 &{} 55 &{} 91&{} 231 &{} 96 &{} 127 &{} 205 &{} 22 &{} 43 &{} 76 &{} 83 &{} 57 &{} 164 &{} 88 &{} 188 \\ 36 &{} 152&{} 71&{} 1&{} 234&{} 145&{} 110&{} 66&{} 227&{} 11&{} 159&{} 106&{} 82&{} 188&{} 37&{} 127 \\ 167 &{} 220&{} 110&{} 223&{} 41&{} 73&{} 197&{} 225&{} 153&{} 168&{} 113&{} 208&{} 52&{} 233&{} 189&{} 224 \\ 99 &{} 215&{} 77&{} 112&{} 100&{} 185&{} 105&{} 106&{} 122&{} 5&{} 243&{} 76&{} 156&{} 205&{} 30&{} 66 \\ 152 &{} 32&{} 12&{} 88&{} 66&{} 151&{} 137&{} 207&{} 95&{} 234&{} 183&{} 38&{} 129&{} 101&{} 192&{} 53 \\ 107 &{} 59&{} 105&{} 178&{} 20&{} 28&{} 165&{} 208&{} 101&{} 46&{} 3&{} 71&{} 16&{} 246&{} 219&{} 225 \\ 112 &{} 193&{} 8&{} 234&{} 118&{} 58&{} 181&{} 103&{} 74&{} 121&{} 174&{} 39&{} 35&{} 172&{} 105&{} 10 \\ 202 &{} 116 &{} 64 &{} 16&{} 137&{} 224&{} 49&{} 236&{} 15&{} 110&{} 237&{} 167&{} 32&{} 111&{} 235&{} 228 \\ 245 &{} 23 &{} 246 &{} 183 &{} 226 &{} 8 &{} 182 &{} 203 &{} 232 &{} 174 &{} 66 &{} 188 &{} 169 &{} 161 &{} 191 &{} 135 \\ 238 &{} 227 &{} 96 &{} 200 &{} 209 &{} 162 &{} 136 &{} 248 &{} 246 &{} 129 &{} 43 &{} 138 &{} 189 &{} 40 &{} 159 &{} 39 \\ 150 &{} 63 &{} 88 &{} 109 &{} 133 &{} 159 &{} 75 &{} 130 &{} 144 &{} 148 &{} 153 &{} 228 &{} 222 &{} 99 &{} 220 &{} 94 \\ 56 &{} 140 &{} 225 &{} 83 &{} 40 &{} 177 &{} 148 &{} 70 &{} 193 &{} 28 &{} 105 &{} 127 &{} 194 &{} 135 &{} 38 &{} 182 \\ 175 &{} 51 &{} 59 &{} 24 &{} 22 &{} 53 &{} 158 &{} 132 &{} 250 &{} 12 &{} 143 &{} 152 &{} 96 &{} 23 &{} 239 &{} 140 \\ 78 &{} 71 &{} 14 &{} 160 &{} 57 &{} 249 &{} 157 &{} 128 &{} 96 &{} 130 &{} 187 &{} 244 &{} 211 &{} 62 &{} 18 &{} 176 \\ 194 &{} 121 &{} 240 &{} 204 &{} 173 &{} 92 &{} 70 &{} 188 &{} 56 &{} 180 &{} 106 &{} 205 &{} 143 &{} 137 &{} 89 &{} 203 \\ 2 &{} 68 &{} 38 &{} 228 &{} 55 &{} 173 &{} 35 &{} 123 &{} 59 &{} 201 &{} 219 &{} 75 &{} 14 &{} 227 &{} 156 &{} 7 \\ \end{array} \right) $$
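As an added example (not code from the paper), the following Python builds the Cauchy matrix of Definition 8 over GF(251) from the (X, Y) pair above, rejecting pairs that break the two conditions, and reproduces the first row of the printed matrix. The exhaustive minor test `is_mds` is my addition; it is only practical for small t, so it is run on a 4×4 slice of the same (X, Y).

```python
from itertools import combinations

P = 251  # the HADESMiMC-128 instance in Appendix A works over GF(251)

# (X, Y) exactly as chosen in Appendix A for the 16x16 Cauchy matrix
X = [250, 171, 161, 235, 93, 225, 229, 123, 122, 106, 246, 43, 55, 90, 186, 39]
Y = [87, 9, 179, 81, 139, 35, 169, 61, 195, 217, 110, 125, 230, 76, 175, 248]


def cauchy_conditions_hold(xs, ys, p):
    """Definition 8: x_i pairwise distinct, y_j pairwise distinct,
    and x_i + y_j != 0, x_i != y_j for all i, j (everything modulo p)."""
    if len({x % p for x in xs}) != len(xs) or len({y % p for y in ys}) != len(ys):
        return False
    return all((x + y) % p != 0 and (x - y) % p != 0 for x in xs for y in ys)


def cauchy_matrix(xs, ys, p):
    """M_{i,j} = (x_i + y_j)^{-1} mod p; refuses inputs that violate Definition 8."""
    if not cauchy_conditions_hold(xs, ys, p):
        raise ValueError("(X, Y) violate the Cauchy conditions")
    return [[pow((x + y) % p, -1, p) for y in ys] for x in xs]


def det_mod_p(m, p):
    """Determinant over F_p by Gaussian elimination with modular inverses."""
    a = [row[:] for row in m]
    n, det = len(a), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            det = -det  # row swap flips the sign
        det = det * a[c][c] % p
        inv = pow(a[c][c], -1, p)
        for r in range(c + 1, n):
            f = a[r][c] * inv % p
            if f:
                a[r] = [(a[r][k] - f * a[c][k]) % p for k in range(n)]
    return det % p


def is_mds(m, p):
    """MDS <=> every square submatrix is non-singular over F_p.
    Exhaustive minor test (my addition), feasible only for small t, not 16x16."""
    n = len(m)
    return all(
        det_mod_p([[m[r][c] for c in cols] for r in rows], p) != 0
        for k in range(1, n + 1)
        for rows in combinations(range(n), k)
        for cols in combinations(range(n), k)
    )


if __name__ == "__main__":
    M = cauchy_matrix(X, Y, P)
    print(M[0])  # first row of the 16x16 matrix printed in Appendix A
    # every Cauchy matrix is MDS; confirm it exhaustively on a 4x4 slice
    print(is_mds(cauchy_matrix(X[:4], Y[:4], P), P))
```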

B Kronecker Product

Definition 9

(Kronecker Product \(\otimes \)). Assume A is a matrix of size \(m\times n\) and B is a matrix of size \(r\times s\); then the Kronecker product of A and B is the matrix C of size \(mr\times ns\) given by

$$ C=A\otimes B= \begin{pmatrix} a_{11}B &{} a_{12}B &{} \cdots &{} a_{1n}B \\ a_{21}B &{} a_{22}B &{} \cdots &{} a_{2n}B \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ a_{m1}B &{} a_{m2}B &{} \cdots &{} a_{mn}B \\ \end{pmatrix} $$

C The Construction of the Differential Search Model

Constraints Imposed by Modular Addition. Let \(\varDelta _{in}^1\) and \(\varDelta _{in}^2\) be the two input differences of a modular addition and \(\varDelta _{out}\) its output difference. Then the characteristic \((\varDelta _{in}^1, \varDelta _{in}^2,\varDelta _{out})\) through the modular addition has nonzero probability if and only if \(\varDelta _{in}^1 + \varDelta _{in}^2 = \varDelta _{out}\).

Constraints Imposed by Linear Transformation. Let the column vectors \(\varDelta _{in}\) and \(\varDelta _{out}\) be the input and output differences of a linear transformation M. Then the characteristic \((\varDelta _{in},\varDelta _{out})\) through M has nonzero probability if and only if \(\varDelta _{out}=M\cdot \varDelta _{in}\).

Constraints Imposed by k-Branch (\(k\ge 3\)). Let \(\varDelta _{in}\) be the input difference of a k-branch and \(\varDelta _{out}^1,\ \varDelta _{out}^2, \ \cdots , \ \varDelta _{out}^{k-1}\) its output differences. The relation between these differences is \(\varDelta _{in}=\varDelta _{out}^1=\varDelta _{out}^2=\cdots =\varDelta _{out}^{k-1}\).

Then the characteristic \((\varDelta _{in}, \varDelta _{out}^1,\cdots ,\varDelta _{out}^{k-1})\) through the k-branch has nonzero probability if and only if \(\varDelta _{in}=\varDelta _{out}^1 = \varDelta _{out}^2 = \cdots = \varDelta _{out}^{k-1}\).

Constraints Describing the S-box Operation. Suppose \(\varDelta _{in}\) and \(\varDelta _{out}\) are the input and output differences of a bijective S-box S defined over \(\mathbb {F}_p\). We use \(B[\varDelta _{in},\varDelta _{out}]\) as an indicator of whether \((\varDelta _{in},\varDelta _{out})\) is a possible differential transition of S. When \(B[\varDelta _{in},\varDelta _{out}] = 1\), the transition \(\varDelta _{in}{\mathop {\longrightarrow }\limits ^{S}}\varDelta _{out}\) is possible; otherwise it is an impossible transition. Then we have the relations

$$ \left\{ \begin{array}{ll} B[\varDelta _{in},\varDelta _{out}] = 1, &{} DDT(\varDelta _{in},\varDelta _{out}) \notin \{0,p\} \\ B[\varDelta _{in},\varDelta _{out}] = 0, &{} DDT(\varDelta _{in},\varDelta _{out}) = p \\ B[\varDelta _{in},\varDelta _{out}] = -1, &{} DDT(\varDelta _{in},\varDelta _{out}) = 0 \\ \end{array} \right. $$

Objective Function. Now, under the condition that \(B\ne -1\), we set the objective function to be the sum of the indicators of all S-boxes. It equals the number of active S-boxes, and constraints can be added to it to determine a lower bound for the distinguisher. Note that in block ciphers over \(\mathbb {F}_p\) the S-box is generally a power map, namely \(x^3\) with \(x\in \mathbb {F}_p\). Apart from the first row and first column, i.e. \((\varDelta _{in},\varDelta _{out})=(0,0)\), the DDT of \(x^3\) is nearly balanced: in each row and column, half of the entries are 2 and exactly one entry is 1. Thus, almost every active S-box of \(x^3\) has probability \(\frac{2}{p}\). Naturally, we can simply count the number of active S-boxes of the distinguisher to simplify the probability representation in the model for this kind of S-box.
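An added Python example (not the paper's code) that builds the DDT of the cube S-box over GF(251), derives the three-valued indicator B from it with the case distinction above, and checks the "half 2s, one 1" row structure the objective function relies on; the helper names, the permutation check and the constructed two-S-box characteristic are my own.

```python
from collections import Counter
from math import gcd

P = 251  # prime of the HADESMiMC-128 instance analysed in the paper


def cube_is_permutation(p):
    """x -> x^3 is bijective on F_p iff gcd(3, p - 1) = 1 (holds for p = 251, not for p = 7)."""
    return gcd(3, p - 1) == 1


def sbox(x, p=P):
    """The power-map S-box x^3 over F_p."""
    return pow(x, 3, p)


def ddt(p=P):
    """DDT[a][b] = #{x in F_p : S(x + a) - S(x) = b}; every row sums to p."""
    table = [[0] * p for _ in range(p)]
    for a in range(p):
        for x in range(p):
            b = (sbox((x + a) % p, p) - sbox(x, p)) % p
            table[a][b] += 1
    return table


def indicator(table, p=P):
    """Three-valued B of Appendix C: 1 = possible probabilistic transition,
    0 = deterministic (DDT = p), -1 = impossible (DDT = 0)."""
    return [[1 if 0 < v < p else (0 if v == p else -1) for v in row] for row in table]


def row_profile(table, a):
    """Multiset of DDT values in row a: {2: (p-1)/2, 1: 1, 0: (p-1)/2} for a != 0."""
    return dict(Counter(table[a]))


def active_sboxes(b_table, transitions):
    """Objective of the model: number of S-boxes with B = 1 along a characteristic;
    rejects a characteristic that uses an impossible transition (B = -1)."""
    count = 0
    for a, b in transitions:
        if b_table[a][b] == -1:
            raise ValueError(f"impossible transition {a} -> {b}")
        count += b_table[a][b]
    return count


def characteristic_probability(table, transitions, p=P):
    """Exact probability from the DDT, which the model approximates by (2/p)^#active."""
    pr = 1.0
    for a, b in transitions:
        pr *= table[a][b] / p
    return pr


if __name__ == "__main__":
    T = ddt()
    B = indicator(T)
    print(row_profile(T, 1))  # {2: 125, 1: 1, 0: 125}
    # constructed characteristic: (1 -> 2) has DDT 2, (1 -> 63) is the lone DDT-1 entry of row 1
    trail = [(1, 2), (1, 63)]
    print(active_sboxes(B, trail), characteristic_probability(T, trail))
```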

D Linear Trails Under Other Primes and MDS Matrices

For each \(p\in \{227, 233, 239\}\), we randomly select 4 MDS matrices.

\(p=227\).

  • Matrix1:

    $$ X = [205, 212, 217, 137, 101, 65, 133, 199, 126, 83, 178, 158, 107, 37, 55, 216], $$
    $$ Y = [52, 201, 25, 146, 159, 220, 114, 66, 182, 98, 135, 47, 197, 87, 54, 169]. $$
  • Matrix2:

    $$ X = [163, 154, 18, 168, 141, 203, 217, 132, 221, 206, 55, 19, 130, 209, 72, 7], $$
    $$ Y = [215, 178, 148, 156, 57, 32, 15, 58, 138, 152, 118, 133, 224, 116, 60, 68]. $$
  • Matrix3:

    $$ X = [152, 161, 106, 200, 172, 60, 94, 179, 20, 160, 176, 164, 195, 50, 187, 193], $$
    $$ Y = [198, 91, 115, 6, 183, 217, 41, 221, 219, 22, 101, 28, 148, 9, 88, 175]. $$
  • Matrix4:

    $$ X = [226, 148, 161, 24, 91, 116, 3, 16, 222, 107, 14, 65, 102, 106, 200, 20], $$
    $$ Y = [174, 73, 163, 95, 58, 188, 146, 176, 205, 9, 132, 217, 155, 189, 122, 11]. $$

(See Tables 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 and 13).

Table 2. 6-round linear distinguisher (\(p=227\), matrix1) (hexadecimal representation).
Table 3. 6-round linear distinguisher (\(p=227\), matrix2) (hexadecimal representation).
Table 4. 6-round linear distinguisher (\(p=227\), matrix3) (hexadecimal representation).
Table 5. 6-round linear distinguisher (\(p=227\), matrix4) (hexadecimal representation).

\(p=233\).

  • Matrix1:

    $$ X = [34, 80, 174, 199, 153, 19, 111, 1, 56, 150, 198, 119, 125, 60, 47, 78], $$
    $$ Y = [86, 196, 154, 178, 135, 219, 61, 194, 127, 170, 137, 43, 211, 68, 93, 4]. $$
  • Matrix2:

    $$ X = [81, 27, 2, 10, 213, 71, 94, 181, 62, 74, 192, 111, 139, 23, 54, 115], $$
    $$ Y = [183, 228, 32, 166, 126, 70, 190, 11, 6, 91, 187, 216, 66, 33, 145, 7]. $$
  • Matrix3:

    $$ X = [228, 65, 24, 172, 16, 124, 10, 197, 157, 27, 107, 44, 87, 84, 115, 92], $$
    $$ Y = [176, 173, 88, 139, 54, 208, 63, 15, 3, 86, 114, 83, 164, 155, 120, 82]. $$
  • Matrix4:

    $$ X = [38, 8, 88, 226, 159, 188, 165, 103, 217, 137, 129, 140, 143, 157, 231, 110], $$
    $$ Y = [151, 179, 200, 4, 198, 114, 187, 94, 116, 199, 168, 219, 189, 81, 180, 191]. $$
Table 6. 6-round linear distinguisher (\(p=233\), matrix1) (hexadecimal representation).
Table 7. 6-round linear distinguisher (\(p=233\), matrix2) (hexadecimal representation).
Table 8. 6-round linear distinguisher (\(p=233\), matrix3) (hexadecimal representation).
Table 9. 6-round linear distinguisher (\(p=233\), matrix4) (hexadecimal representation).

\(p=239\).

  • Matrix1:

    $$ X = [57, 46, 202, 32, 190, 104, 54, 174, 63, 114, 120, 27, 186, 35, 160, 115], $$
    $$ Y = [42, 91, 6, 44, 90, 131, 201, 164, 62, 39, 48, 70, 69, 127, 139, 158]. $$
  • Matrix2:

    $$ X = [181, 218, 128, 122, 134, 236, 96, 195, 155, 156, 68, 15, 23, 217, 28, 85], $$
    $$ Y = [142, 42, 130, 215, 135, 148, 93, 50, 73, 174, 186, 7, 198, 150, 210, 30]. $$
  • Matrix3:

    $$ X = [135, 34, 176, 227, 29, 22, 37, 218, 224, 119, 60, 75, 183, 214, 171, 88], $$
    $$ Y = [54, 225, 173, 85, 77, 137, 199, 203, 230, 27, 174, 65, 13, 131, 4, 32]. $$
  • Matrix4:

    $$ X = [86, 157, 220, 85, 59, 227, 154, 206, 50, 84, 23, 125, 64, 105, 134, 103], $$
    $$ Y = [217, 40, 25, 43, 193, 49, 1, 160, 46, 94, 186, 97, 108, 161, 131, 37]. $$
Table 10. 6-round linear distinguisher (\(p=239\), matrix1) (hexadecimal representation).
Table 11. 6-round linear distinguisher (\(p=239\), matrix2) (hexadecimal representation).
Table 12. 6-round linear distinguisher (\(p=239\), matrix3) (hexadecimal representation).
Table 13. 6-round linear distinguisher (\(p=239\), matrix4) (hexadecimal representation).

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Xu, Z., Chen, S., Wang, M., Wei, P. (2023). Linear Cryptanalysis and Its Variants with Fast Fourier Transformation Technique on MPC/FHE/ZK-Friendly \(\mathbb {F}_p\)-Based Ciphers. In: Simpson, L., Rezazadeh Baee, M.A. (eds) Information Security and Privacy. ACISP 2023. Lecture Notes in Computer Science, vol 13915. Springer, Cham. https://doi.org/10.1007/978-3-031-35486-1_2

  • DOI: https://doi.org/10.1007/978-3-031-35486-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-35485-4

  • Online ISBN: 978-3-031-35486-1
