Abstract
Zero-knowledge (ZK) applications form a large group of use cases in modern cryptography, and recently gained in popularity due to novel proof systems. For many of these applications, cryptographic hash functions are used as the main building blocks, and they often dominate the overall performance and cost of these approaches.
In recent years, therefore, several new hash functions have been designed to reduce the cost in these scenarios, including Poseidon and Rescue among others. These hash functions often look very different from more classical designs such as AES or SHA-2; for example, they work natively over prime fields rather than binary ones. At the same time, Poseidon and Rescue, for example, share common features, such as being SPN schemes and instantiating the nonlinear layer with invertible power maps. While this allows the designers to provide simple and strong arguments for establishing their security, it also introduces crucial limitations in the design, which may affect the performance in the target applications.
In this paper, we propose the Horst construction, in which the addition in a Feistel scheme \((x,y)\mapsto (y+F(x), x)\) is extended via a multiplication, i.e., \((x,y)\mapsto (y\times G(x) + F(x), x)\).
By carefully analyzing the performance metrics in SNARK and STARK protocols, we show how to combine an expanding Horst scheme with a Rescue-like SPN scheme in order to provide security and better efficiency in the target applications. We provide an extensive security analysis for our new design Griffin and a comparison with all current competitors.
Author list in alphabetical order.
Notes
- 1.
The name Horst (due to the cryptographer Horst Feistel) has been chosen in order to emphasize the link between \((x,y) \mapsto (y+F(x), x)\) and \((y,x) \mapsto (x,y\times G(x) + F(x))\).
- 2.
The griffin is a legendary creature with the body, tail, and back legs of a lion, and the head and wings of an eagle. The name Griffin has been chosen since our design merges ideas from a Fluid-SPN with a Horst-like construction.
- 3.
A fluid material continuously deforms (flows) under an applied external force. In our case, the scheme adapts its algebraic representation to the target protocol.
- 4.
The constants \(\beta \), \(\gamma \), and \(\delta \) are omitted in this description.
- 5.
Note that \(x\mapsto x^d\) costs \(\textrm{hw}(d) + \lfloor \log _2(d)\rfloor -1\) multiplications (see [35] for details).
- 6.
The condition \(2^{3\kappa } \le p^t\) implies the condition \(2^{2\kappa } \le p^t\) for the compression case, since \(2^{2\kappa }\le 2^{3\kappa }\le p^t\). For the sponge case, the combination of \(c \ge \left\lceil 2 \kappa / \log _2(p) \right\rceil \) and \(c \le 2t/3\) implies \(2t/3\ge \left\lceil 2 \kappa / \log _2(p) \right\rceil \), that is, \(2^\kappa \le p^{t/3}\).
- 7.
Griffin-\(\pi \) may also be used with \(d\notin \{3,5,7,11\}\). However, the security analysis and the number of rounds must be adapted for this case.
- 8.
We use the smallest \(\alpha \ge 2\) such that the resulting matrix is MDS.
- 9.
Note that \(\min \{d,1/d\} = d\) in our case.
- 10.
An analysis for this case is given in [30, Lemma 4].
- 11.
- 12.
\(p_\text {BLS381}=\texttt {0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}\),
\(p_\text {BN254}=\texttt {0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001}\).
- 13.
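The Horst round from the abstract, as an added example that is not the paper's or the Griffin project's code: one round \((x,y)\mapsto (y\times G(x) + F(x), x)\) and its inverse over the BN254 scalar field quoted in note 12, together with a check of the multiplication-count formula from note 5 against an actual square-and-multiply. The choices \(G(x)=x^2+\alpha x+\beta\) (with \(\alpha^2-4\beta\) a quadratic non-residue, so \(G\) has no root and the multiplicative branch is always invertible), \(F(x)=x^5\) and the constants are assumptions for illustration, not Griffin's actual round function.

```python
# Added example (not code from the Griffin paper): one Horst round and its inverse over a
# prime field, plus the multiplication-count formula of note 5. G, F and the constants are
# illustrative assumptions, not Griffin's actual round function.
P = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001  # BN254 scalar field

def is_nonresidue(a, p=P):
    """Euler's criterion: a is a quadratic non-residue mod p iff a^((p-1)/2) == -1."""
    return pow(a % p, (p - 1) // 2, p) == p - 1

def pick_beta(alpha, p=P):
    """Smallest beta >= 1 with alpha^2 - 4*beta a non-residue, so x^2 + alpha*x + beta
    has no root in F_p (an assumed way to make G root-free, hence always invertible)."""
    beta = 1
    while not is_nonresidue(alpha * alpha - 4 * beta, p):
        beta += 1
    return beta

ALPHA = 3                # assumed constant
BETA = pick_beta(ALPHA)  # derived so that G below never evaluates to zero

def G(x):
    """Multiplicative branch of the Horst round; root-free by the choice of BETA."""
    return (x * x + ALPHA * x + BETA) % P

def F(x):
    """Additive branch: the power map x^5 (assumed choice of d)."""
    return pow(x, 5, P)

def horst(x, y, g=G, f=F):
    """Horst round (x, y) -> (y*G(x) + F(x), x); with g == 1 it is a plain Feistel round."""
    return ((y * g(x) + f(x)) % P, x)

def horst_inv(u, v, g=G, f=F):
    """Inverse round: v is the old x, so y = (u - F(v)) * G(v)^(-1). This fails when
    G(v) == 0, which is why a Horst round needs G without roots in F_p."""
    gv = g(v)
    if gv == 0:
        raise ValueError("G(x) = 0: round not invertible at x = %d" % v)
    return (v, (u - f(v)) * pow(gv, -1, P) % P)

def pow_cost(d):
    """Multiplications for x^d by square-and-multiply: hw(d) + floor(log2 d) - 1 (note 5)."""
    return bin(d).count("1") + d.bit_length() - 2

def count_mults(d):
    """Count the multiplications a left-to-right square-and-multiply for x^d really does."""
    mults = 0
    for bit in bin(d)[3:]:                 # skip '0b' and the leading 1 bit
        mults += 2 if bit == "1" else 1    # one squaring, plus one multiply if the bit is set
    return mults
```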
References
Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13
Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020)
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS, pp. 2087–2104. ACM (2017)
Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proceedings of MEGA, vol. 5 (2005)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/46 (2018)
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1
Biryukov, A., Perrin, L., Udovenko, A.: Reverse-engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 372–402. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_15
Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_21
Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_15
Bouvier, C., et al.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi Permutations and Jive Compression Mode. IACR Cryptology ePrint Archive, p. 840 (2022)
Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. Ph.D. thesis, University of Innsbruck (1965)
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society (2018)
Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_1
Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms - An Introduction to Computational Algebraic Geometry and Commutative Algebra, 2nd edn. Undergraduate Texts in Mathematics. Springer, Cham (1997). https://doi.org/10.1007/978-3-319-16721-3
de la Cruz Jiménez, R.A.: On some methods for constructing almost optimal s-boxes and their resilience against side-channel attacks. IACR Cryptology ePrint Archive, p. 618 (2018)
Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20
Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_4
Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-Gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_1
Dolmatov, V., Degtyarev, A.: GOST R 34.11-2012: Hash function. RFC 6986, pp. 1–40 (2013)
Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2018(2), 48–78 (2018)
Federal Agency on Technical Regulation and Metrology: GOST R 34.12-2015: Block cipher (2015)
Gabizon, A., Williamson, Z.J.: plookup: a simplified polynomial protocol for lookup tables. IACR Cryptology ePrint Archive, p. 315 (2020)
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over Lagrange-bases for Oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019)
Grassi, L.: On Generalizations of the Lai-Massey scheme: the blooming of amaryllises. IACR Cryptology ePrint Archive, p. 1245 (2022)
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: Horst meets Fluid-SPN: Griffin for zero-knowledge applications. IACR Cryptology ePrint Archive, p. 403 (2022)
Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced concrete: fast hash function for zero knowledge proofs and verifiable computation. Cryptology ePrint Archive, Report 2021/1038 (2021). Accepted at ACM CCS 2022
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium, pp. 519–535. USENIX Association (2021)
Grassi, L., Khovratovich, D., Rønjom, S., Schofnegger, M.: The Legendre symbol and the Modulo-2 operator in symmetric schemes over \(\mathbb {F}_p^n\): preimage attack on full Grendel. IACR Trans. Symmetric Cryptol. 2022(1), 5–37 (2022)
Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23
Grassi, L., Onofri, S., Pedicini, M., Sozzi, L.: Invertible quadratic non-linear layers for MPC-/FHE-/ZK-friendly schemes over \(\mathbb {F}_p^n\): application to Poseidon. IACR Trans. Symmetric Cryptol. 2022(3), 20–72 (2022)
Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: CCS, pp. 430–443. ACM (2016)
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33
Hougaard, H.B.: 3-round Feistel is not superpseudorandom over any group. IACR Cryptology ePrint Archive, p. 675 (2021)
Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332
Klimov, A., Shamir, A.: Cryptographic applications of T-functions. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 248–261. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24654-1_18
Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka V2 - efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1–29 (2016)
Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_35
Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_8
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M.: Rebound attack on the full Lane compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 106–125. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_7
Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudo-random permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_34
Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_16
Mollin, R.A., Small, C.: On permutation polynomials over finite fields. Int. J. Math. Math. Sci. 10, 535–543 (1987)
National Institute of Standards and Technology: SHA-3 Standard: Permutation-based hash and extendable-output functions. Federal Information Processing Standards Publication (FIPS) (2015)
Nyberg, K.: Generalized Feistel networks. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034838
Patarin, J.: About Feistel schemes with six (or more) rounds. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 103–121. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-69710-1_8
Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_14
Patel, S., Ramzan, Z., Sundaram, G.S.: Luby-Rackoff ciphers: why XOR is not so exclusive. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 271–290. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_18
Polygon: Introducing Plonky2 (2022). https://blog.polygon.technology/introducing-plonky2/
Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31
Szepieniec, A.: On the use of the Legendre symbol in symmetric cipher design. IACR Cryptology ePrint Archive, p. 984 (2021)
Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-prime: a standard specification (SoK). Cryptology ePrint Archive, Report 2020/1143 (2020)
Zcash: ZCash protocol specification (2021). https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42
Acknowledgments
The authors thank all reviewers for their suggestions on how to improve the quality of the paper. We also thank them for the suggestion of the name Horst, for pointing out the similarity between Horst and the S-box used in Streebog, and for pointing out a mistake in the differential security analysis of Griffin. We thank Danny Willems for pointing out an optimization in the Plonk arithmetization for Griffin. Lorenzo Grassi is supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States - EXC 2092 CaSa - 39078197. Roman Walch is supported by the “DDAI” COMET Module within the COMET – Competence Centers for Excellent Technologies Programme, funded by the Austrian Federal Ministry for Transport, Innovation and Technology (bmvit), the Austrian Federal Ministry for Digital and Economic Affairs (bmdw), the Austrian Research Promotion Agency (FFG), the province of Styria (SFG) and partners from industry and academia. The COMET Programme is managed by FFG. Yonglin Hao is supported by National Natural Science Foundation of China (Grant No. 62002024), National Key Research and Development Program of China (No. 2018YFA0306404). Qingju Wang was funded, in part, by Huawei Technologies Co., Ltd (Agreement No.: YBN2020035184) when she was working at the University of Luxembourg.
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q. (2023). Horst Meets Fluid-SPN: Griffin for Zero-Knowledge Applications. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_19
DOI: https://doi.org/10.1007/978-3-031-38548-3_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38547-6
Online ISBN: 978-3-031-38548-3