80 research outputs found

    LIPIcs, Volume 251, ITCS 2023, Complete Volume

    Get PDF
    LIPIcs, Volume 251, ITCS 2023, Complete Volum

    New Design Techniques for Efficient Arithmetization-Oriented Hash Functions:Anemoi Permutations and Jive Compression Mode

    Get PDF
    Advanced cryptographic protocols such as Zero-knowledge (ZK) proofs of knowledge, widely used in cryptocurrency applications such as Zcash, Monero, Filecoin, Tezos, Topos, demand new cryptographic hash functions that are efficient not only over the binary field F2\mathbb{F}_2, but also over large fields of prime characteristic Fp\mathbb{F}_p. This need has been acknowledged by the wider community and new so-called Arithmetization-Oriented (AO) hash functions have been proposed, e.g. MiMC-Hash, Rescue-Prime, Poseidon, Reinforced Concrete and Griffin to name a few. In this paper we propose Anemoi: a new family of ZK-friendly permutations, that can be used to construct efficient hash functions and compression functions. The main features of these algorithms are that 1) they are designed to be efficient within multiple proof systems (e.g. Groth16, Plonk, etc.), 2) they contain dedicated functions optimised for specific applications (namely Merkle tree hashing and general purpose hashing), 3) they have highly competitive performance e.g. about a factor of 2 improvement over Poseidon and Rescue-Prime in terms of R1CS constraints, a 21%-35% Plonk constraint reduction over a highly optimized Poseidon implementation, as well as competitive native performance, running between two and three times faster than Rescue-Prime, depending on the field size. On the theoretical side, Anemoi pushes further the frontier in understanding the design principles that are truly entailed by arithmetization-orientation. In particular, we identify and exploit a previously unknown relationship between CCZ-equivalence and arithmetization-orientation. In addition, we propose two new standalone components that can be easily reused in new designs. One is a new S-box called Flystel, based on the well-studied butterfly structure, and the second is Jive -- a new mode of operation, inspired by the ``Latin dance\u27\u27 symmetric algorithms (Salsa, ChaCha and derivatives). Our design is a conservative one: it uses a very classical Substitution-Permutation Network structure, and our detailed analysis of algebraic attacks highlights can be of independent interest

    Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

    Get PDF
    Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box. In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen. As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet. Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem

    ARITHMETIZATION-ORIENTED APN FUNCTIONS

    Get PDF
    Recently, many cryptographic primitives such as homomorphic encryption (HE), multi-party computation (MPC) and zero-knowledge (ZK) protocols have been proposed in the literature which operate on prime field Fp\mathbb{F}_p for some large prime pp. Primitives that are designed using such operations are called arithmetization-oriented primitives. As the concept of arithmetization-oriented primitives is new, a rigorous cryptanalysis of such primitives is yet to be done. In this paper, we investigate arithmetization-oriented APN functions. More precisely, we investigate APN permutations in the CCZ-classes of known families of APN power functions over prime field Fp\mathbb{F}_p. Moreover, we present a new class of APN binomials over Fq\mathbb{F}_q obtained by modifying the planar function x2x^2 over Fq\mathbb{F}_q. We also present a class of binomials having differential uniformity at most 55 defined via the quadratic character over finite fields of odd characteristic. We give sufficient conditions for which this family of binomials is permutation. Computationally it is confirmed that the latter family contains new APN functions for some small parameters. We conjecture it to contain an infinite subfamily of APN functions

    Hiding Access-pattern is Not Enough! Veil: A Storage and Communication Efficient Volume-Hiding Algorithm

    Full text link
    This paper addresses volume leakage (i.e., leakage of the number of records in the answer set) when processing keyword queries in encrypted key-value (KV) datasets. Volume leakage, coupled with prior knowledge about data distribution and/or previously executed queries, can reveal both ciphertexts and current user queries. We develop a solution to prevent volume leakage, entitled Veil, that partitions the dataset by randomly mapping keys to a set of equi-sized buckets. Veil provides a tunable mechanism for data owners to explore a trade-off between storage and communication overheads. To make buckets indistinguishable to the adversary, Veil uses a novel padding strategy that allow buckets to overlap, reducing the need to add fake records. Both theoretical and experimental results show Veil to significantly outperform existing state-of-the-art

    A Degree Bound For The c-Boomerang Uniformity Of Permutation Monomials

    Full text link
    Let Fq\mathbb{F}_q be a finite field of characteristic pp. In this paper we prove that the cc-Boomerang Uniformity, c0c \neq 0, for all permutation monomials xdx^d, where d>1d > 1 and pdp \nmid d, is bounded by d2d^2. Further, we utilize this bound to estimate the cc-boomerang uniformity of a large class of Generalized Triangular Dynamical Systems, a polynomial-based approach to describe cryptographic permutations, including the well-known Substitution-Permutation Network

    AIM: Symmetric Primitive for Shorter Signatures with Stronger Security (Full Version)

    Get PDF
    Post-quantum signature schemes based on the MPC-in-the-Head (MPCitH) paradigm are recently attracting significant attention as their security solely depends on the one-wayness of the underlying primitive, providing diversity for the hardness assumption in post-quantum cryptography. Recent MPCitH-friendly ciphers have been designed using simple algebraic S-boxes operating on a large field in order to improve the performance of the resulting signature schemes. Due to their simple algebraic structures, their security against algebraic attacks should be comprehensively studied. In this paper, we refine algebraic cryptanalysis of power mapping based S-boxes over binary extension fields, and cryptographic primitives based on such S-boxes. In particular, for the Gröbner basis attack over F2\mathbb{F}_2, we experimentally show that the exact number of Boolean quadratic equations obtained from the underlying S-boxes is critical to correctly estimate the theoretic complexity based on the degree of regularity. Similarly, it turns out that the XL attack might be faster when all possible quadratic equations are found and used from the S-boxes. This refined cryptanalysis leads to more precise algebraic analysis of cryptographic primitives based on algebraic S-boxes. Considering the refined algebraic cryptanalysis, we propose a new one-way function, dubbed AIM\mathsf{AIM}, as an MPCitH-friendly symmetric primitive with high resistance to algebraic attacks. The security of AIM\mathsf{AIM} is comprehensively analyzed with respect to algebraic, statistical, quantum, and generic attacks. AIM\mathsf{AIM} is combined with the BN++ proof system, yielding a new signature scheme, dubbed AIMer\mathsf{AIMer}. Our implementation shows that AIMer\mathsf{AIMer} outperforms existing signature schemes based on symmetric primitives in terms of signature size and signing time

    Arion: Arithmetization-Oriented Permutation and Hashing from Generalized Triangular Dynamical Systems

    Full text link
    In this paper we propose the (keyed) permutation Arion and the hash function ArionHash over Fp\mathbb{F}_p for odd and particularly large primes. The design of Arion is based on the newly introduced Generalized Triangular Dynamical System (GTDS), which provides a new algebraic framework for constructing (keyed) permutation using polynomials over a finite field. At round level Arion is the first design which is instantiated using the new GTDS. We provide extensive security analysis of our construction including algebraic cryptanalysis (e.g. interpolation and Groebner basis attacks) that are particularly decisive in assessing the security of permutations and hash functions over Fp\mathbb{F}_p. From a application perspective, ArionHash is aimed for efficient implementation in zkSNARK protocols and Zero-Knowledge proof systems. For this purpose, we exploit that CCZ-equivalence of graphs can lead to a more efficient implementation of Arithmetization-Oriented primitives. We compare the efficiency of ArionHash in R1CS and Plonk settings with other hash functions such as Poseidon, Anemoi and Griffin. For demonstrating the practical efficiency of ArionHash we implemented it with the zkSNARK libraries libsnark and Dusk Network Plonk. Our result shows that ArionHash is significantly faster than Poseidon - a hash function designed for zero-knowledge proof systems. We also found that an aggressive version of ArionHash is considerably faster than Anemoi and Griffin in a practical zkSNARK setting

    Effective and Efficient Masking with Low Noise using Small-Mersenne-Prime Ciphers

    Get PDF
    Embedded devices used in security applications are natural targets for physical attacks. Thus, enhancing their side-channel resistance is an important research challenge. A standard solution for this purpose is the use of Boolean masking schemes, as they are well adapted to current block ciphers with efficient bitslice representations. Boolean masking guarantees that the security of an implementation grows exponentially in the number of shares under the assumption that leakages are sufficiently noisy (and independent). Unfortunately, it has been shown that this noise assumption is hardly met on low-end devices. In this paper, we therefore investigate techniques to mask cryptographic algorithms in such a way that their resistance can survive an almost complete lack of noise. Building on seed theoretical results of Dziembowski et al., we put forward that arithmetic encodings in prime fields can reach this goal. We first exhibit the gains that such encodings lead to thanks to a simulated information theoretic analysis of their leakage (with up to six shares). We then provide figures showing that on platforms where optimized arithmetic adders and multipliers are readily available (i.e., most MCUs and FPGAs), performing masked operations in small to medium Mersenne-prime fields as opposed to binary extension fields will not lead to notable implementation overheads. We compile these observations into a new AES-like block cipher, called AES-prime, which is well-suited to illustrate the remarkable advantages of masking in prime fields. We also confirm the practical relevance of our findings by evaluating concrete software (ARM Cortex-M3) and hardware (Xilinx Spartan-6) implementations. Our experimental results show that security gains over Boolean masking (and, more generally, binary encodings) can reach orders of magnitude despite the same amount of information being leaked per share

    Universally Composable NIZKs: Circuit-Succinct, Non-Malleable and CRS-Updatable

    Get PDF
    Non-interactive zero-knowledge proofs (NIZKs) and in particular succinct NIZK arguments of knowledge (so called zk-SNARKs) increasingly see real-world adoption in large and complex systems. A requirement that turns out to be important for NIZKs is ensuring non-malleability of proofs, which can be achieved via the property of simulation extractability (SE). Moreover, many zk-SNARKs require a trusted setup, i.e., a common reference string (CRS), and in practice it is desirable to reduce the trust in the CRS generation. Latter can be achieved via the notions of subversion or updatable CRS. Another important property when deployed in large and complex systems is the secure composition of protocols, e.g., via using the Universal Composability (UC) framework. Relying on the UC frameworks allows to arbitrarily and securely compose protocols in a modular way. In this work, we are interested in whether zk-SNARKs can provide all these desired properties. This is a tricky task as the UC framework rules out several natural techniques for such a construction. Our main result is to show that achieving these properties is indeed possible in a generic and modular way when slightly relaxing the succinctness properties of zk-SNARKs to those of a circuit-succinct NIZK which is not witness-succinct, i.e., by increasing the proof size of the underlying zk-SNARK by the size of the witness ww. We will argue that for various practical applications of zk-SNARKs this overhead is perfectly tolerable. Our starting point is a framework by Abdolmaleki et al. called Lamassu (ACM CCS\u2720) which we extend in several directions. Moreover, we implement our compiler on top of Sonic (ACM CCS\u2719) and provide benchmarks as well as a discussion on the choice of the required primitives
    corecore