Horst Meets Fluid-SPN: Griffin for Zero-Knowledge Applications

  • Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14083)

Abstract

Zero-knowledge (ZK) applications form a large group of use cases in modern cryptography, and recently gained in popularity due to novel proof systems. For many of these applications, cryptographic hash functions are used as the main building blocks, and they often dominate the overall performance and cost of these approaches.

Therefore, in recent years several new hash functions have been built to reduce the cost in these scenarios, including Poseidon and Rescue among others. These hash functions often look very different from more classical designs such as AES or SHA-2; for example, they work natively over prime fields rather than binary ones. At the same time, Poseidon and Rescue, for example, share some common features, such as being SPN schemes and instantiating the nonlinear layer with invertible power maps. While this allows the designers to provide simple and strong security arguments, it also introduces crucial limitations in the design, which may affect the performance in the target applications.

In this paper, we propose the Horst construction, in which the addition in a Feistel scheme \((x,y)\mapsto (y+F(x), x)\) is extended via a multiplication, i.e., \((x,y)\mapsto (y\times G(x) + F(x), x)\).

By carefully analyzing the performance metrics in SNARK and STARK protocols, we show how to combine an expanding Horst scheme with a Rescue-like SPN scheme in order to provide security and better efficiency in the target applications. We provide an extensive security analysis for our new design Griffin and a comparison with all current competitors.
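As an added illustration (not code from the paper or its repository), the following Python works one Horst round \((x,y)\mapsto (y\times G(x) + F(x), x)\) over a toy prime field, inverts it, and counts the field multiplications, which is the cost that drives SNARK/STARK performance; the prime, \(F(x)=x^3+7\) and \(G(x)=x^2+1\) are this example's own choices, with \(G\) picked so that it never vanishes, since \(y\mapsto y\times G(x)+F(x)\) is a bijection only when \(G(x)\ne 0\). The power-map multiplication count is also checked against the \(\textrm{hw}(d) + \lfloor \log _2(d)\rfloor -1\) formula quoted in the paper's notes.

```python
# Added example, not code from the paper or its repository: one Horst round
# (x, y) -> (y*G(x) + F(x), x) over a prime field, its inverse, and a count of
# the field multiplications it needs. The prime, F and G are this example's
# own choices; G is chosen so that it never vanishes, which is exactly what
# makes the round invertible.

P = 2**31 - 1  # toy Mersenne prime (constructed); P = 3 mod 4, so -1 is a non-square


class MulCounter:
    """Counts field multiplications, the cost metric in SNARK/STARK arithmetizations."""
    def __init__(self):
        self.n = 0


def pow_counted(x, d, ctr):
    """Left-to-right square-and-multiply for x^d mod P, counting multiplications.
    Cost is floor(log2 d) squarings plus (hw(d) - 1) extra multiplies."""
    acc = x
    for bit in bin(d)[3:]:            # skip '0b' and the implicit leading 1-bit
        acc = acc * acc % P
        ctr.n += 1
        if bit == '1':
            acc = acc * x % P
            ctr.n += 1
    return acc


def power_cost_formula(d):
    """hw(d) + floor(log2(d)) - 1, the count quoted in the paper's notes."""
    return bin(d).count('1') + (d.bit_length() - 1) - 1


def F(x, ctr):
    return (pow_counted(x, 3, ctr) + 7) % P      # x^3 + constant (constructed choice)


def G(x, ctr):
    ctr.n += 1
    return (x * x + 1) % P                       # x^2 + 1 (constructed choice)


def g_never_vanishes():
    """x^2 + 1 = 0 has a root mod P iff -1 is a square; Euler's criterion decides."""
    return pow(P - 1, (P - 1) // 2, P) == P - 1  # True here: -1 is a non-residue


def horst_round(x, y, ctr):
    """Horst: the Feistel addition y + F(x) becomes y*G(x) + F(x)."""
    out = (y * G(x, ctr) + F(x, ctr)) % P
    ctr.n += 1                                   # the y*G(x) product
    return out, x


def horst_inverse(u, v, ctr):
    """Undo (u, v) = horst_round(x, y): x = v, y = (u - F(v)) / G(v)."""
    gx = G(v, ctr)
    if gx == 0:
        raise ValueError("G(x) = 0: the round is not invertible at this x")
    y = (u - F(v, ctr)) * pow(gx, -1, P) % P
    return v, y


def round_trip(x, y):
    """Apply one Horst round and its inverse; return (recovered pair, multiplications used)."""
    ctr = MulCounter()
    u, v = horst_round(x, y, ctr)
    return horst_inverse(u, v, MulCounter()), ctr.n


if __name__ == "__main__":
    print(round_trip(123456789, 987654321))       # ((123456789, 987654321), 4)
    for d in (3, 5, 7, 11):
        c = MulCounter()
        pow_counted(2, d, c)
        print(d, c.n, power_cost_formula(d))     # counted cost equals the formula
```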

Author list in alphabetical order.

Notes

  1. The name Horst (due to the cryptographer Horst Feistel) has been chosen in order to emphasize the link between \((x,y) \mapsto (y+F(x), x)\) and \((y,x) \mapsto (x,y\times G(x) + F(x))\).

  2. The griffin is a legendary creature with the body, tail, and back legs of a lion, and the head and wings of an eagle. The name Griffin has been chosen since our design merges ideas of a Fluid-SPN and a construction such as Horst.

  3. A fluid material continuously deforms (flows) under an applied external force. In our case, the scheme adapts its algebraic representation to the target protocol.

  4. The constants \(\beta \), \(\gamma \), and \(\delta \) are omitted in this description.

  5. Note that \(x\mapsto x^d\) costs \(\textrm{hw}(d) + \lfloor \log _2(d)\rfloor -1\) multiplications (see [35] for details).

  6. The condition \(2^{3\kappa } \le p^t\) implies the condition \(2^{2\kappa } \le p^t\) for the compression case, since \(2^{2\kappa }\le 2^{3\kappa }\le p^t\). For the sponge case, the combination of \(c \ge \left\lceil 2 \kappa / \log _2(p) \right\rceil \) and \(c \le 2t/3\) implies \(2t/3\ge \left\lceil 2 \kappa / \log _2(p) \right\rceil \), that is, \(2^\kappa \le p^{t/3}\).

  7. Griffin-\(\pi \) may also be used with \(d\notin \{3,5,7,11\}\). However, the security analysis and the number of rounds must be adapted for this case.

  8. We use the smallest \(\alpha \ge 2\) such that the resulting matrix is MDS.

  9. Note that \(\min \{d,1/d\} = d\) in our case.

  10. An analysis for this case is given in [30, Lemma 4].

  11. https://extgit.iaik.tugraz.at/krypto/zkfriendlyhashzoo/-/tree/master/bellman.

  12. \(p_\text {BLS381}=\texttt {0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}\),
      \(p_\text {BN254}=\texttt {0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001}\).

  13. https://docs.rs/bellman_ce/0.3.5/bellman_ce/.

References

  1. Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13

  2. Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8

  3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020)

  5. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS, pp. 2087–2104. ACM (2017)

  6. Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proceedings of MEGA, vol. 5 (2005)

  7. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/46 (2018)

  8. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  10. Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11

  11. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1

  12. Biryukov, A., Perrin, L., Udovenko, A.: Reverse-engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 372–402. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_15

  13. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_21

  14. Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_15

  15. Bouvier, C., et al.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi Permutations and Jive Compression Mode. IACR Cryptology ePrint Archive, p. 840 (2022)

  16. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. Ph.D. thesis, University of Innsbruck (1965)

  17. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society (2018)

  18. Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_1

  19. Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms - An Introduction to Computational Algebraic Geometry and Commutative Algebra, 2nd edn. Undergraduate Texts in Mathematics. Springer, Cham (1997). https://doi.org/10.1007/978-3-319-16721-3

  20. de la Cruz Jiménez, R.A.: On some methods for constructing almost optimal s-boxes and their resilience against side-channel attacks. IACR Cryptology ePrint Archive, p. 618 (2018)

  21. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20

  22. Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_4

  23. Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-Gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_1

  24. Dolmatov, V., Degtyarev, A.: GOST R 34.11-2012: Hash function. RFC 6986, pp. 1–40 (2013)

  25. Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2018(2), 48–78 (2018)

  26. Federal Agency on Technical Regulation and Metrology: GOST R 34.12-2015: Block cipher (2015)

  27. Gabizon, A., Williamson, Z.J.: plookup: a simplified polynomial protocol for lookup tables. IACR Cryptology ePrint Archive, p. 315 (2020)

  28. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over Lagrange-bases for Oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019)

  29. Grassi, L.: On Generalizations of the Lai-Massey scheme: the blooming of amaryllises. IACR Cryptology ePrint Archive, p. 1245 (2022)

  30. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: Horst meets Fluid-SPN: Griffin for zero-knowledge applications. IACR Cryptology ePrint Archive, p. 403 (2022)

  31. Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced concrete: fast hash function for zero knowledge proofs and verifiable computation. Cryptology ePrint Archive, Report 2021/1038 (2021). Accepted at ACM CCS 2022

  32. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium, pp. 519–535. USENIX Association (2021)

  33. Grassi, L., Khovratovich, D., Rønjom, S., Schofnegger, M.: The Legendre symbol and the Modulo-2 operator in symmetric schemes over \(\mathbb {F}_p^n\): preimage attack on full Grendel. IACR Trans. Symmetric Cryptol. 2022(1), 5–37 (2022)

  34. Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23

  35. Grassi, L., Onofri, S., Pedicini, M., Sozzi, L.: Invertible quadratic non-linear layers for MPC-/FHE-/ZK-friendly schemes over \(\mathbb {F}_p^n\): application to Poseidon. IACR Trans. Symmetric Cryptol. 2022(3), 20–72 (2022)

  36. Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: CCS, pp. 430–443. ACM (2016)

  37. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  38. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33

  39. Hougaard, H.B.: 3-round Feistel is not superpseudorandom over any group. IACR Cryptology ePrint Archive, p. 675 (2021)

  40. Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332

  41. Klimov, A., Shamir, A.: Cryptographic applications of T-functions. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 248–261. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24654-1_18

  42. Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka V2 - efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1–29 (2016)

  43. Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_35

  44. Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_8

  45. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)

  46. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

  47. Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Yu., Schläffer, M.: Rebound attack on the full Lane compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 106–125. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_7

  48. Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudo-random permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_34

  49. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_16

  50. Mollin, R.A., Small, C.: On permutation polynomials over finite fields. Int. J. Math. Math. Sci. 10, 535–543 (1987)

  51. National Institute of Standards and Technology: SHA-3 Standard: Permutation-based hash and extendable-output functions. Federal Information Processing Standards Publication (FIPS) (2015)

  52. Nyberg, K.: Generalized Feistel networks. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034838

  53. Patarin, J.: About Feistel schemes with six (or more) rounds. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 103–121. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-69710-1_8

  54. Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_14

  55. Patel, S., Ramzan, Z., Sundaram, G.S.: Luby-Rackoff ciphers: why XOR is not so exclusive. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 271–290. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_18

  56. Polygon: Introducing Plonky2 (2022). https://blog.polygon.technology/introducing-plonky2/

  57. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31

  58. Szepieniec, A.: On the use of the Legendre symbol in symmetric cipher design. IACR Cryptology ePrint Archive, p. 984 (2021)

  59. Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-prime: a standard specification (SoK). Cryptology ePrint Archive, Report 2020/1143 (2020)

  60. Zcash: ZCash protocol specification (2021). https://github.com/zcash/zips/blob/master/protocol/protocol.pdf

  61. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42


Acknowledgments

The authors thank all reviewers for their suggestions on how to improve the quality of the paper. We also thank them for the suggestion of the name Horst, for pointing out the similarity between Horst and the S-box used in Streebog, and for pointing out a mistake in the differential security analysis of Griffin. We thank Danny Willems for pointing out an optimization in the Plonk arithmetization for Griffin. Lorenzo Grassi is supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States - EXC 2092 CaSa - 39078197. Roman Walch is supported by the “DDAI” COMET Module within the COMET – Competence Centers for Excellent Technologies Programme, funded by the Austrian Federal Ministry for Transport, Innovation and Technology (bmvit), the Austrian Federal Ministry for Digital and Economic Affairs (bmdw), the Austrian Research Promotion Agency (FFG), the province of Styria (SFG) and partners from industry and academia. The COMET Programme is managed by FFG. Yonglin Hao is supported by National Natural Science Foundation of China (Grant No. 62002024), National Key Research and Development Program of China (No. 2018YFA0306404). Qingju Wang was funded, in part, by Huawei Technologies Co., Ltd (Agreement No.: YBN2020035184) when she was working at the University of Luxembourg.

Corresponding author

Correspondence to Markus Schofnegger.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q. (2023). Horst Meets Fluid-SPN: Griffin for Zero-Knowledge Applications. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_19

  • DOI: https://doi.org/10.1007/978-3-031-38548-3_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3
