## Cryptology ePrint Archive: Report 2021/474

Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations

Fukang Liu and Takanori Isobe and Willi Meier

Abstract: Rasta and Dasta are two fully homomorphic encryption friendly symmetric-key primitives proposed at CRYPTO 2018 and ToSC 2020, respectively. We point out that the designers of Rasta and Dasta neglected an important property of the $\chi$ operation. Combined with the special structure of Rasta and Dasta, this property directly leads to significantly improved algebraic cryptanalysis. Especially, it enables us to theoretically break 2 out of 3 instances of full Agrasta, which is the aggressive version of Rasta with the block size only slightly larger than the security level in bits. We further reveal that Dasta is more vulnerable to our attacks than Rasta for its usage of a linear layer composed of an ever-changing bit permutation and a deterministic linear transform. Based on our cryptanalysis, the security margins of Dasta and Rasta parameterized with $(n,\kappa,r)\in\{(327,80,4),(1877,128,4),(3545,256,5)\}$ are reduced to only 1 round, where $n$, $\kappa$ and $r$ denote the block size, the claimed security level and the number of rounds, respectively. These parameters are of particular interest as the corresponding ANDdepth is the lowest among those that can be implemented in reasonable time and target the same claimed security level.

Category / Keywords: secret-key cryptography / Rasta, Dasta, Agrasta, chi operation, linearization, algebraic attack

Date: received 13 Apr 2021, last revised 21 Apr 2021

Contact author: liufukangs at 163 com,takanori isobe@ai u-hyogo ac jp,willimeier48@gmail com

Available format(s): PDF | BibTeX Citation

Note: This is a major revision. A new form of exploitable cubic equation is found with sagemath. In addition, we add a section called Discussions before Conclusion.

Short URL: ia.cr/2021/474

[ Cryptology ePrint archive ]