Algebraic Attacks on RAIN and AIM Using Equivalent Representations

Abstract

It has been an important research topic to design novel symmetric-key primitives for advanced protocols like secure multiparty computation (MPC), fully homomorphic encryption (FHE) and zero-knowledge proof systems (ZK). Many such existing primitives adopt quite different design strategies from conventional block ciphers. One notable feature is that many of these ciphers are defined over a large finite field and the power map is commonly used to construct the nonlinear component due to its strong resistance against the differential and linear cryptanalysis. In this paper, we target the MPC-friendly ciphers AIM and RAIN used for the post-quantum signature schemes AIMer (CCS 2023 and NIST PQC Round 1 Additional Signatures) and Rainer (CCS 2022), respectively. Specifically, we could find equivalent representations of the 2-round RAIN and the full-round AIM respectively, which make them vulnerable to either the polynomial method or the simplified crossbred algorithm or the fast exhaustive search attack. Consequently, we could break 2-round RAIN with the 128/192/256-bit key in only $2^{116}/2^{171}/2^{224}$ bit operations. For the full-round AIM with the 128/192/256-bit key, we could break them in $2^{136.2}/2^{200.7}/2^{265}$ bit operations, which are equivalent to about $2^{115}/2^{178}/2^{241}$ calls of the underlying primitive