Paper 2024/786

Modelling Ciphers with Overdefined Systems of Quadratic Equations: Application to Friday, Vision, RAIN and Biscuit

Fukang Liu, Tokyo Institute of Technology
Mohammad Mahzoun, Eindhoven University of Technology
Willi Meier, FHNW
Abstract

It is well-known that a system of equations becomes easier to solve when it is overdefined. In this work, we study how to overdefine the system of equations to describe the arithmetic oriented (AO) ciphers Friday, Vision, and RAIN, as well as a special system of quadratic equations over $\mathbb F_{2^{\ell}}$ used in the post-quantum signature scheme Biscuit. Our method is inspired by Courtois-Pieprzyk's and Murphy-Robshaw's methods to model AES with overdefined systems of quadratic equations over $\mathbb F_2$ and $\mathbb F_{2^8}$, respectively. However, our method is more refined and much simplified compared with Murphy-Robshaw's method, since it can take full advantage of the low-degree $\mathbb F_2$-linearized affine polynomials used in Friday and Vision, and the overdefined system of equations over $\mathbb F_{2^{\ell}}$ can be described in a clean way with our method. For RAIN, we instead consider quadratic Boolean equations rather than equations over large finite fields $\mathbb F_{2^{\ell}}$. Specifically, we demonstrate that the special structure of RAIN allows us to set up much more linearly independent quadratic Boolean equations than those obtained only with Courtois-Pieprzyk's method. Moreover, we further demonstrate that the underlying key-recovery problem in Biscuit (NIST PQC Round 1 Additional Signatures) can also be described by solving a much overdefined system of quadratic equations over $\mathbb F_{2^{\ell}}$. On the downside, the constructed systems of quadratic equations for these ciphers cannot be viewed as semi-regular, which makes it challenging to upper bound the complexity of the Gröbner basis attack. However, such a new modelling method can significantly improve the lower bound of the complexity of the Gröbner basis attacks on these ciphers, i.e., we view the complexity of solving a random system of quadratic equations of the same scale as the lower bound. How to better estimate the upper and lower bounds of the Gröbner basis attacks on these ciphers based on our modelling method is left as an open problem.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
FridayVisionRAINBiscuitoverdefined systemalgebraic attackGr\"{o}bner basis
Contact author(s)
liufukangs @ gmail com
mail @ mahzoun me
willimeier48 @ gmail com
History
2024-05-24: approved
2024-05-22: received
See all versions
Short URL
https://ia.cr/2024/786
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/786,
      author = {Fukang Liu and Mohammad Mahzoun and Willi Meier},
      title = {Modelling Ciphers with Overdefined Systems of Quadratic Equations: Application to Friday, Vision, {RAIN} and Biscuit},
      howpublished = {Cryptology ePrint Archive, Paper 2024/786},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/786}},
      url = {https://eprint.iacr.org/2024/786}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.