Abstract
In this paper, we present a new type of algebraic attack that applies to many recent arithmetization-oriented families of permutations, such as those used in Griffin, Anemoi, ArionHash, and XHash8, whose security relies on the hardness of the constrained-input constrained-output (CICO) problem. We refer to the attack as the FreeLunch approach: the monomial ordering is chosen so that the natural polynomial system encoding the CICO problem is already a Gröbner basis. In addition, we present a new dedicated resolution algorithm for FreeLunch systems with lower complexity than current state-of-the-art resolution algorithms.
We show that the FreeLunch approach challenges the security of full-round instances of Anemoi, Arion and Griffin, and we experimentally confirm these theoretical results. In particular, combining the FreeLunch attack with a new technique to bypass 3 rounds of Griffin, we recover a CICO solution for 7 out of 10 rounds of Griffin in less than four hours on one core of an AMD EPYC 7352 (2.3 GHz).
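The abstract's central observation, that a suitable monomial ordering makes the CICO system a Gröbner basis without any computation, can be checked by hand on a small example. The Python below is an added illustration, not code from the paper or from any of the attacked designs: it builds a constructed toy system over F_103 of the triangular shape the approach targets (one free input variable x0, one fresh variable x_i per round with relation x_i^α_i = p_i(x0, ..., x_{i-1}), and one output constraint G), assigns weights so that each x_i^α_i is the heaviest monomial of its round polynomial, and then applies Buchberger's coprime-leading-monomial criterion. The round polynomials, the exponents α_i = 3, the output constraint, and the "weighted degree, then lex" tie-break are my assumptions for the toy; the real permutations and the paper's dedicated solver are not modelled, and the triangular enumeration at the end is only a sanity check of the solution set.

```python
"""Toy 'Gröbner basis for free' check (constructed example, not the paper's code)."""
from itertools import combinations
from math import prod

P = 103      # toy prime, 103 = 1 mod 3 so x^3 = y has 0 or 3 roots (assumed parameter)
NVARS = 3    # x0 (free input), x1 and x2 (one fresh variable per round)


def poly(terms):
    """Polynomial as {exponent tuple: coefficient mod P}; zero terms dropped."""
    return {tuple(m): c % P for m, c in terms.items() if c % P}


def wdeg(mono, w):
    return sum(e * wi for e, wi in zip(mono, w))


def leading_monomial(f, w):
    """Largest monomial under 'weighted degree, then lex' (a monomial order for positive w)."""
    return max(f, key=lambda m: (wdeg(m, w), m))


def evaluate(f, x):
    return sum(c * prod(pow(xi, e, P) for xi, e in zip(x, m)) for m, c in f.items()) % P


def round_polynomial(i, alpha, p):
    """f_i = x_i^alpha - p_i, with p_i a polynomial in the earlier variables only."""
    f = {m: -c for m, c in p.items()}
    pure = tuple(alpha if j == i else 0 for j in range(NVARS))
    f[pure] = f.get(pure, 0) + 1
    return poly(f)


def freelunch_weights(alphas, ps, w0=1):
    """Smallest weights with alpha_i * w_i > wdeg(p_i), assigned round by round."""
    w = [w0]
    for alpha, p in zip(alphas, ps):
        assert all(m[len(w):] == (0,) * (NVARS - len(w)) for m in p), "p_i uses a later variable"
        pad = w + [0] * (NVARS - len(w))
        w.append(max(wdeg(m, pad) for m in p) // alpha + 1)
    return w


def is_groebner_for_free(polys, w):
    """Pairwise coprime leading monomials => every S-polynomial reduces to zero
    (Buchberger's criterion), so polys is a Gröbner basis for this ordering as is.
    False only means the free certificate is lost, not that a basis is hard to compute."""
    lms = [leading_monomial(f, w) for f in polys]
    return all(not any(ea and eb for ea, eb in zip(a, b)) for a, b in combinations(lms, 2))


def quotient_dimension(polys, w):
    """Number of standard monomials when each leading monomial is a pure power of a
    distinct variable: the product of the exponents. It bounds the number of solutions."""
    degs = [0] * NVARS
    for m in (leading_monomial(f, w) for f in polys):
        nz = [(i, e) for i, e in enumerate(m) if e]
        assert len(nz) == 1 and degs[nz[0][0]] == 0, "leading monomial is not a fresh pure power"
        degs[nz[0][0]] = nz[0][1]
    assert all(degs), "not zero-dimensional in this simple form"
    return prod(degs)


# Constructed toy system over F_103; all coefficients are arbitrary choices.
P1 = poly({(2, 0, 0): 1, (1, 0, 0): 5, (0, 0, 0): 7})   # p1 = x0^2 + 5 x0 + 7
P2 = poly({(0, 4, 0): 1, (1, 1, 0): 1, (0, 0, 0): 2})   # p2 = x1^4 + x0 x1 + 2
G = poly({(5, 0, 0): 1, (0, 1, 1): 1, (0, 0, 0): 3})    # output constraint x0^5 + x1 x2 + 3
ALPHAS, PS = [3, 3], [P1, P2]
SYSTEM = [round_polynomial(1, 3, P1), round_polynomial(2, 3, P2), G]
WEIGHTS = freelunch_weights(ALPHAS, PS)                  # gives [1, 1, 2]


def solve_cico():
    """Enumerate F_P solutions using the triangular shape: fix x0, take alpha_i-th
    roots round by round, keep assignments satisfying G. Sanity check only; the
    paper's dedicated solver instead works in the quotient ring."""
    roots = {a: {} for a in set(ALPHAS)}
    for a in roots:
        for x in range(P):
            roots[a].setdefault(pow(x, a, P), []).append(x)
    sols = []

    def extend(x):
        i = len(x)
        if i == NVARS:
            if evaluate(G, x) == 0:
                sols.append(tuple(x))
            return
        y = evaluate(PS[i - 1], x + [0] * (NVARS - i))
        for r in roots[ALPHAS[i - 1]].get(y, []):
            extend(x + [r])

    for x0 in range(P):
        extend([x0])
    return sorted(sols)


if __name__ == "__main__":
    print("weights:", WEIGHTS)
    print("free basis with all-ones weights?", is_groebner_for_free(SYSTEM, [1, 1, 1]))
    print("free basis with FreeLunch weights?", is_groebner_for_free(SYSTEM, WEIGHTS))
    print("quotient dimension:", quotient_dimension(SYSTEM, WEIGHTS))
    print("CICO solutions over F_P:", solve_cico())
```

With all weights equal to 1 (plain degree ordering) the second round polynomial has leading monomial x1^4, which shares a variable with x1^3 from the first round, so the criterion fails; giving x2 weight 2 makes x2^3 the leading monomial and all three leading monomials become pairwise coprime pure powers. The quotient dimension 3·3·5 = 45 is the size of the linear algebra a change-of-ordering step would face, which is the quantity the complexity estimates in the paper are built from.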
Notes
- 1.
This seems to be a pragmatic choice, since it is easier to obtain tight bounds; nothing in their experiments suggests that \(\text {F}_5\) is faster.
- 2.
If the solving steps were meals of the day, the lunch would be free, hence FreeLunch.
- 3.
- 4.
We say that the permutation has t branches, or as we like to think of them, brunches.
- 5.
If a single variable is introduced in a round, we will ease notation by writing \(\boldsymbol{x}_i = x_i\), \(\boldsymbol{p}_i = p_i\) and \(\boldsymbol{\alpha}_i = \alpha _i\).
- 6.
The complexities are given as numbers of basic \(\mathbb {F}_p\) operations; expressing them as numbers of calls to the primitive would yield lower, but harder to compute, figures.
- 7.
A similar observation of bypassing rounds was already considered in [35, Section 6.2]. However, the authors only describe a method for bypassing a single round for \(t=3\) and do not consider the effect of having a larger t.
- 8.
References
Advanced Encryption Standard (AES): National Institute of Standards and Technology, NIST FIPS PUB 197, U.S. Department of Commerce, November 2001
Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020). https://tosc.iacr.org/index.php/ToSC/article/view/8695
Ashur, T., Kindi, A., Mahzoun, M.: XHash8 and XHash12: efficient STARK-friendly hash functions. Cryptology ePrint Archive, Paper 2023/1045 (2023). https://eprint.iacr.org/2023/1045
Ashur, T., Kindi, A., Meier, W., Szepieniec, A., Threadbare, B.: Rescue-prime optimized. Cryptology ePrint Archive, Paper 2022/1577 (2022). https://eprint.iacr.org/2022/1577
Ashur, T., Mahzoun, M., Toprakhisar, D.: Chaghri - an FHE-friendly block cipher. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, 7–11 November 2022, pp. 139–150. ACM (2022). https://doi.org/10.1145/3548606.3559364
Bariant, A.: Algebraic cryptanalysis of full Ciminion. Cryptology ePrint Archive, Paper 2023/1283 (2023). https://eprint.iacr.org/2023/1283
Bariant, A., et al.: The algebraic FreeLunch: efficient Gröbner basis attacks against arithmetization-oriented primitives. Cryptology ePrint Archive, Paper 2024/347 (2024). https://eprint.iacr.org/2024/347
Bariant, A., Bouvier, C., Leurent, G., Perrin, L.: Algebraic attacks against some arithmetization-oriented primitives. IACR Trans. Symmetric Cryptol. 2022(3), 73–101 (2022). https://tosc.iacr.org/index.php/ToSC/article/view/9850
Berthomieu, J., Neiger, V., El Din, M.S.: Faster change of order algorithm for Gröbner bases under shape and stability assumptions. In: Proceedings of the 2022 International Symposium on Symbolic and Algebraic Computation, pp. 409–418 (2022)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions (2011). https://keccak.team/files/CSF-0.1.pdf. Accessed 23 May 2024
Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system, I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997). https://doi.org/10.1006/jsco.1996.0125. Computational algebra and number theory, London (1993)
Bouvier, C., et al.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi permutations and Jive compression mode. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology - CRYPTO 2023. Lecture Notes in Computer Science, vol. 14083, pp. 507–539. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_17
Buchberger, B.: A theoretical basis for the reduction of polynomials to canonical forms. ACM SIGSAM Bull. 10(3), 19–29 (1976)
Buchmann, J., Pyshkin, A., Weinmann, R.-P.: A zero-dimensional Gröbner basis for AES-128. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 78–88. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_6
Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_16
Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. J. Cryptol. 31(3), 885–916 (2018). https://doi.org/10.1007/S00145-017-9273-9
Cantor, D.G., Kaltofen, E.: On fast multiplication of polynomials over arbitrary algebras. Acta Informatica 28(7), 693–701 (1991)
Cosseron, O., Hoffmann, C., Méaux, P., Standaert, F.: Towards case-optimized hybrid homomorphic encryption - featuring the Elisabeth stream cipher. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part III. LNCS, vol. 13793, pp. 32–67. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_2
Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms. UTM, Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16721-3
Cox, D.A., Little, J.B., O’Shea, D.: Using Algebraic Geometry, Graduate Texts in Mathematics, vol. 185. Springer, New York (1998). https://doi.org/10.1007/978-1-4757-6911-1
Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22
Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17
Eisenbud, D.: Commutative Algebra: With a View Toward Algebraic Geometry, vol. 150. Springer, New York (2013). https://doi.org/10.1007/978-1-4612-5350-1
Faugère, J.C., Mou, C.: Sparse FGLM algorithms. J. Symb. Comput. 80, 538–569 (2017)
Faugère, J.-C., Gaudry, P., Huot, L., Renault, G.: Sub-cubic change of ordering for Gröbner basis: a probabilistic approach. In: Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, pp. 170–177 (2014)
Faugère, J.-C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (\(\text{F}_4\)). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (\(\text{F}_5\)). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83 (2002)
Gilbert, H., Boissier, R.H., Jean, J., Reinhard, J.: Cryptanalysis of Elisabeth-4. In: Guo, J., Steinfeld, R. (eds.) ASIACRYPT 2023, Part III. LNCS, vol. 14440, pp. 256–284. Springer, Singapore (2023). https://doi.org/10.1007/978-981-99-8727-6_9
Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_21
Giorgi, P., Jeannerod, C.P., Villard, G.: On the complexity of polynomial matrix computations. In: Proceedings of the 2003 International Symposium on Symbolic and Algebraic Computation, pp. 135–142 (2003)
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: Horst meets fluid-SPN: Griffin for zero-knowledge applications. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023, Part III. LNCS, vol. 14083, pp. 573–606. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_19
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions (2011). https://keccak.team/files/CSF-0.1.pdf
Ha, J., Kim, S., Lee, B., Lee, J., Son, M.: Rubato: noisy ciphers for approximate homomorphic encryption. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 581–610. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-06944-4_20
Hart, W.B.: Flint: Fast Library for Number Theory. Computeralgebra-Rundbrief 49 (2011)
Hyun, S.G., Neiger, V., Schost, É.: Implementations of efficient univariate polynomial matrix algorithms and application to bivariate resultants. In: Proceedings ISSAC 2019, pp. 235–242. ACM (2019). https://doi.org/10.1145/3326229.3326272. https://github.com/vneiger/pml
Labahn, G., Neiger, V., Zhou, W.: Fast, deterministic computation of the Hermite normal form and determinant of a polynomial matrix. J. Complex. 42, 44–71 (2017)
Masure, L., Méaux, P., Moos, T., Standaert, F.: Effective and efficient masking with low noise using small-mersenne-prime ciphers. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 596–627. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_20
Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13
Neiger, V., Schost, É.: Computing syzygies in finite dimension using fast linear algebra. J. Complex. 60, 101502 (2020). https://doi.org/10.1016/J.JCO.2020.101502
Roy, A., Steiner, M.J., Trevisani, S.: Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems (2023). https://arxiv.org/abs/2303.04639
Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-prime: a standard specification (SoK). Cryptology ePrint Archive, Paper 2020/1143 (2020). https://eprint.iacr.org/2020/1143
The PML team: PML: Polynomial Matrix Library (2023). Version 0.3. https://github.com/vneiger/pml
The Sage Developers: SageMath, the Sage Mathematics Software System (2022). https://www.sagemath.org
Shoup, V., et al.: NTL: a library for doing number theory. https://libntl.org/
Acknowledgements
This work has been facilitated through the COSINUS associate team between Inria and Simula. The authors would like to thank Gaëtan Leurent for the helpful insights on the new dedicated Gröbner basis solving algorithm, and Pierre Briaud and Carlos Cid for the good discussions in the early stages of this work. The authors would also like to thank Vincent Neiger for the proof-reading and the discussions on the algorithmic aspects of the Gröbner basis theory. The research in this paper was supported in part by the French DGA, and by the French grant 22-PECY-0010 (project CRYPTANALYSE). The work of Aurélien Bœuf, Axel Lemoine, and Léo Perrin was supported by the European Research Council (ERC, grant agreement no. 101041545 “ReSCALE”). Morten Øygarden has been supported by the Norwegian Research Council through the project qsIo2.
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Bariant, A. et al. (2024). The Algebraic FreeLunch: Efficient Gröbner Basis Attacks Against Arithmetization-Oriented Primitives. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14923. Springer, Cham. https://doi.org/10.1007/978-3-031-68385-5_5
DOI: https://doi.org/10.1007/978-3-031-68385-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-68384-8
Online ISBN: 978-3-031-68385-5