Cryptology ePrint Archive: Report 2021/1533

The Legendre Symbol and the Modulo-2 Operator in Symmetric Schemes over (F_p)^n

Lorenzo Grassi and Dmitry Khovratovich and Sondre Rønjom and Markus Schofnegger

Abstract: Motivated by modern cryptographic use cases such as multi-party computation (MPC), homomorphic encryption (HE), and zero-knowledge (ZK) protocols, several symmetric schemes that are efficient in these scenarios have recently been proposed in the literature. Some of these schemes are instantiated with low-degree nonlinear functions, for example low-degree power maps (e.g., MiMC, HadesMiMC, Poseidon) or the Toffoli gate (e.g., Ciminion). Others (e.g., Rescue, Vision, Grendel) are instead instantiated via high-degree functions which are easy to evaluate in the target application. A recent example for the latter case is the hash function Grendel, whose nonlinear layer is constructed using the Legendre symbol.

In this paper, we analyze high-degree functions such as the Legendre symbol or the modulo-2 operation as building blocks for the nonlinear layer of a cryptographic scheme over (F_p)^n. Our focus regards the security analysis rather than the efficiency in the mentioned use cases. For this purpose, we present several new invertible functions that make use of the Legendre symbol or of the modulo-2 operation.

Even though these functions often provide strong statistical properties and ensure a high degree after a few rounds, the main problem regards their small number of possible outputs, that is, only three for the Legendre symbol and only two for the modulo-2 operation. By guessing them, it is possible to reduce the overall degree of the function significantly. We exploit this behavior by describing the first preimage attack on full Grendel, and we verify it in practice.

Category / Keywords: secret-key cryptography / Legendre Symbol, Modulo-2 Operator, Grendel, Preimage Attack

Date: received 19 Nov 2021

Contact author: L Grassi at cs ru nl, khovratovich at gmail com, Sondre Ronjom at uib no, markus schofnegger at tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20211122:113039 (All versions of this report)

Short URL: ia.cr/2021/1533


[ Cryptology ePrint archive ]