## Cryptology ePrint Archive: Report 2021/474

Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations

Fukang Liu and Santanu Sarkar and Willi Meier and Takanori Isobe

Abstract: Rasta and Dasta are two fully homomorphic encryption friendly symmetric-key primitives proposed at CRYPTO 2018 and ToSC 2020, respectively. We point out that the designers of Rasta and Dasta neglected an important property of the $\chi$ operation. Combined with the special structure of Rasta and Dasta, this property directly leads to significantly improved algebraic cryptanalysis. Especially, it enables us to theoretically break 2 out of 3 instances of full Agrasta, which is the aggressive version of Rasta with the block size only slightly larger than the security level in bits. We further reveal that Dasta is more vulnerable to our attacks than Rasta for its usage of a linear layer composed of an ever-changing bit permutation and a deterministic linear transform. Based on our cryptanalysis, the security margins of Dasta and Rasta parameterized with $(n,\kappa,r)\in\{(327,80,4),(1877,128,4),(3545,256,5)\}$ are reduced to only 1 round, where $n$, $\kappa$ and $r$ denote the block size, the claimed security level and the number of rounds, respectively. These parameters are of particular interest as the corresponding ANDdepth is the lowest among those that can be implemented in reasonable time and target the same claimed security level.

Category / Keywords: secret-key cryptography / Rasta, Dasta, Agrasta, chi operation, linearization, algebraic attack

Original Publication (with minor differences): IACR-ASIACRYPT-2021

Date: received 13 Apr 2021, last revised 6 Sep 2021

Contact author: liufukangs at 163 com, takanori isobe at ai u-hyogo ac jp, willimeier48 at gmail com, santanu at iitm ac in

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2021/474

[ Cryptology ePrint archive ]