Paper 2022/1210

On the Field-Based Division Property: Applications to MiMC, Feistel MiMC and GMiMC (Full Version)

Jiamin Cui, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China., Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, Shandong, China.
Kai Hu, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
Meiqin Wang, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China., Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, Shandong, China., Quan Cheng Shandong Laboratory.
Puwen Wei, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China., Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, Shandong, China.
Abstract

Recent practical applications using advanced cryptographic protocols such as multi-party computations (MPC) and zero-knowledge proofs (ZKP) have prompted a range of novel symmetric primitives described over large finite fields, characterized as arithmetization-oriented AO ciphers. Such designs, aiming to minimize the number of multiplications over fields, have a high risk of being vulnerable to algebraic attacks, especially to the higher-order differential attack. Thus, it is significant to carefully evaluate the growth of their algebraic degree. However, the degree estimation for AO ciphers has been a challenge for cryptanalysts due to the lack of general and accurate methods. In this paper, we extend the division property, a state-of-the-art framework for finding the upper bound of the algebraic degree over binary fields, to the scope of $\mathbb{F}_{2^n}$. It is a generic method to detect the algebraic degree for AO ciphers, even applicable to Feistel ciphers which have no better bounds than the trivial exponential one. In this general division property, our idea is to evaluate whether the polynomial representation of a block cipher contains some specific monomials. With a deep investigation of the arithmetical feature, we introduce the propagation rules of monomials for field-based operations, which can be efficiently modeled using the bit-vector theory of SMT. Then the new searching tool for degree estimation can be constructed due to the relationship between the algebraic degree and the exponents of monomials. We apply our new framework to some important AO ciphers, including Feistel MiMC, GMiMC, and MiMC. For Feistel MiMC, we show that the algebraic degree grows significantly slower than the native exponential bound. For the first time, we present a secret-key higher-order differential distinguisher for up to 124 rounds, much better than the 83-round distinguisher for Feistel MiMC permutation proposed at CRYPTO 2020. We also exhibit a full-round zero-sum distinguisher with a data complexity of $2^{251}$. Our method can be further extended for the general Feistel structure with more branches and exhibit higher-order differential distinguishers against the practical instance of GMiMC for up to 50 rounds. For MiMC in SP-networks, our results correspond to the exact algebraic degree proved by Bouvier et al. We also point out that the number of rounds in MiMC's specification is not sufficient to guarantee the security against the higher-order differential attack for MiMC-like schemes with different exponents. The investigation of different exponents provides some guidance on the cipher design.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2022
Keywords
Degree Evaluation Division Property Finite Field MiMC Feistel Network
Contact author(s)
cuijiamin @ mail sdu edu cn
kai hu @ ntu edu sg
mqwang @ sdu edu cn
pwei @ sdu edu cn
History
2022-09-14: approved
2022-09-13: received
See all versions
Short URL
https://ia.cr/2022/1210
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1210,
      author = {Jiamin Cui and Kai Hu and Meiqin Wang and Puwen Wei},
      title = {On the Field-Based Division Property: Applications to {MiMC}, Feistel {MiMC} and {GMiMC} (Full Version)},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1210},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1210}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.