Paper 2024/886

A New Security Evaluation Method Based on Resultant for Arithmetic-Oriented Algorithms

Hong-Sen Yang, PLA Information Engineering University
Qun-Xiong Zheng, PLA Information Engineering University
Jing Yang, PLA Information Engineering University
Quan-feng Liu, PLA Information Engineering University
Deng Tang, Shanghai Jiao Tong University
Abstract

The rapid development of advanced cryptographic applications like multi-party computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge (ZK) proofs have motivated the designs of the so-called arithmetic-oriented (AO) primitives. Efficient AO primitives typically build over large fields and use large S-boxes. Such design philosophy brings difficulties in the cryptanalysis of these primitives as classical cryptanalysis methods do not apply well. The generally recognized attacks against these primitives are algebraic attacks, especially Groebner basis attacks. Thus, the numbers of security rounds are usually derived through the complexity of solving the system of algebraic equations using Groebner bases. In this paper, we propose a novel framework for algebraic attacks against AO primitives. Instead of using Groebner basis, we use resultants to solve a system of multivariate equations that can better exploit the algebraic structures of AO primitives. We employ several techniques to reduce the dimensions of the resultants and avoid rapid increases in degrees, including meet-in-the-middle modeling, variable substitutions, and fast Lagrange interpolation. We apply our attack to three mainstream AO cryptographic primitives: Rescue-Prime, Anemoi, and Jarvis. For Rescue-Prime, we theoretically prove that the final univariate equation has a degree of at most a specific power of three and practically attack five rounds for the first time. We attack the full-round of Anemoi with complexity 2^110.10, which has been claimed to provide 127 bits of security. We also give the first practical attack against eight rounds of Anemoi over a 55-bit prime field. For Jarvis, we improve the existing practical attack by a factor of 100. Therefore, we point out that our analysis framework can be used as a new evaluation method for AO designs.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in ASIACRYPT 2024
DOI
https://doi.org/10.1007/978-981-96-0941-3_15
Keywords
Resultantarithmetic-oriented primitivesRescue-PrimeAnemoiJarvisnew evaluation method
Contact author(s)
moonlight0833 @ outlook com
qunxiong_zheng @ 163 com
yangjingfi @ 163 com
liuquanfeng1022 @ 163 com
dengtang @ sjtu edu cn
History
2024-12-06: revised
2024-06-03: received
See all versions
Short URL
https://ia.cr/2024/886
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/886,
      author = {Hong-Sen Yang and Qun-Xiong Zheng and Jing Yang and Quan-feng Liu and Deng Tang},
      title = {A New Security Evaluation Method Based on Resultant for Arithmetic-Oriented Algorithms},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/886},
      year = {2024},
      doi = {https://doi.org/10.1007/978-981-96-0941-3_15},
      url = {https://eprint.iacr.org/2024/886}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.