Paper 2022/342

From Farfalle to Megafono via Ciminion: The PRF Hydra for MPC Applications

Lorenzo Grassi, Morten Øygarden, Markus Schofnegger, and Roman Walch


Ciminion is an MPC-friendly pseudo-random function (PRF) recently proposed at Eurocrypt’21. As in the case of other MPC-friendly constructions proposed in the literature (e.g., MiMC, HadesMiMC, Rescue), it aims to minimize the number of multiplications in large finite fields. While MiMC, HadesMiMC, and Rescue are block ciphers, Ciminion is a (modified) Farfalle-like cryptographic function. At the current state of the art, it achieves the best performance in MPC applications. However, Ciminion has a critical weakness. Its security highly relies on the independence of its subkeys, which is achieved by using an expensive key schedule. Many MPC use cases involving symmetric PRFs rely on secretly shared symmetric keys, and hence the expensive key schedule must also be computed in MPC. As a result, Ciminion’s performance is significantly reduced in these use cases. In this paper, we solve this problem. Following the approach introduced by Ciminion’s designers, we propose Megafono, a modified version of Farfalle designed for achieving a small multiplicative complexity without any key schedule. Following this strategy, we present the PRF Hydra, which utilizes both a Lai-Massey construction and a novel construction we name Amaryllises in its nonlinear layer. Amaryllises can be seen as a generalized variant of a Lai-Massey scheme, which allows us to further decrease the multiplicative complexity of Hydra. Based on an extensive security analysis, we implement Hydra in an MPC framework. The results show that it outperforms all MPC-friendly schemes currently published in the literature.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
MegafonoHydraFarfalleCiminionLai-MasseyAmaryllisesMPC Applications
Contact author(s)
lgrassi @ science ru nl
morten oygarden @ simula no
markus schofnegger @ tugraz at
roman walch @ iaik tugraz at
2022-03-14: received
Short URL
Creative Commons Attribution


      author = {Lorenzo Grassi and Morten Øygarden and Markus Schofnegger and Roman Walch},
      title = {From Farfalle to Megafono via Ciminion: The PRF Hydra for MPC Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2022/342},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.