Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC

Martin R. Albrecht, Carlos Cid, Lorenzo Grassi, Dmitry Khovratovich, Reinhard Lüftenegger, Christian Rechberger, Markus Schofnegger

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandForschungBegutachtung

Abstract

The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, were recently proposed as custom designs aimed at addressing bottlenecks involving practical applications of STARKs. In the proposal several types of algebraic attacks were ruled out, and security arguments from Rijndael/AES were used to inform the choice for the number of rounds, with extra security margin added. In this work we describe new algebraic attacks on Jarvis and Friday using Gröbner bases, showing that the proposed number of rounds is not sufficient to provide security. In Jarvis, the round function is obtained by combining a finite field inversion S-box with a full-degree linearised permutation polynomial. However, we show that even though the high degree of this polynomial should prevent some algebraic attacks (as claimed by the designers), their particular algebraic properties make the designs vulnerable to Gröbner basis attacks. Our analysis illustrates that block cipher designs for algebraic platforms such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks. Finally, we argue that MiMC -- a cipher similar in structure to Jarvis -- is resistant against our proposed attack strategy.
Originalspracheenglisch
TitelASIACRYPT 2019
PublikationsstatusAngenommen/In Druck - 15 Aug 2019
VeranstaltungASIACRYPT 2019 - Kobe, Japan
Dauer: 8 Dez 201912 Dez 2019

Konferenz

KonferenzASIACRYPT 2019
LandJapan
OrtKobe
Zeitraum8/12/1912/12/19

Fingerprint

Polynomials
Hash functions

Schlagwörter

    Dies zitieren

    Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC. / Albrecht, Martin R.; Cid, Carlos; Grassi, Lorenzo; Khovratovich, Dmitry; Lüftenegger, Reinhard; Rechberger, Christian; Schofnegger, Markus.

    ASIACRYPT 2019. 2019.

    Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandForschungBegutachtung

    Albrecht, MR, Cid, C, Grassi, L, Khovratovich, D, Lüftenegger, R, Rechberger, C & Schofnegger, M 2019, Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC. in ASIACRYPT 2019., Kobe, Japan, 8/12/19.
    Albrecht MR, Cid C, Grassi L, Khovratovich D, Lüftenegger R, Rechberger C et al. Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC. in ASIACRYPT 2019. 2019
    Albrecht, Martin R. ; Cid, Carlos ; Grassi, Lorenzo ; Khovratovich, Dmitry ; Lüftenegger, Reinhard ; Rechberger, Christian ; Schofnegger, Markus. / Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC. ASIACRYPT 2019. 2019.
    @inproceedings{5bf9899917894e678fe822012730e937,
    title = "Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC",
    abstract = "The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, were recently proposed as custom designs aimed at addressing bottlenecks involving practical applications of STARKs. In the proposal several types of algebraic attacks were ruled out, and security arguments from Rijndael/AES were used to inform the choice for the number of rounds, with extra security margin added. In this work we describe new algebraic attacks on Jarvis and Friday using Gr{\"o}bner bases, showing that the proposed number of rounds is not sufficient to provide security. In Jarvis, the round function is obtained by combining a finite field inversion S-box with a full-degree linearised permutation polynomial. However, we show that even though the high degree of this polynomial should prevent some algebraic attacks (as claimed by the designers), their particular algebraic properties make the designs vulnerable to Gr{\"o}bner basis attacks. Our analysis illustrates that block cipher designs for algebraic platforms such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks. Finally, we argue that MiMC -- a cipher similar in structure to Jarvis -- is resistant against our proposed attack strategy.",
    keywords = "Gr{\"o}bner Basis, MARVELlous, Jarvis, Friday, MiMC, STARKs, Algebraic Cryptanalysis, Arithmetic Circuits",
    author = "Albrecht, {Martin R.} and Carlos Cid and Lorenzo Grassi and Dmitry Khovratovich and Reinhard L{\"u}ftenegger and Christian Rechberger and Markus Schofnegger",
    year = "2019",
    month = "8",
    day = "15",
    language = "English",
    booktitle = "ASIACRYPT 2019",

    }

    TY - GEN

    T1 - Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC

    AU - Albrecht, Martin R.

    AU - Cid, Carlos

    AU - Grassi, Lorenzo

    AU - Khovratovich, Dmitry

    AU - Lüftenegger, Reinhard

    AU - Rechberger, Christian

    AU - Schofnegger, Markus

    PY - 2019/8/15

    Y1 - 2019/8/15

    N2 - The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, were recently proposed as custom designs aimed at addressing bottlenecks involving practical applications of STARKs. In the proposal several types of algebraic attacks were ruled out, and security arguments from Rijndael/AES were used to inform the choice for the number of rounds, with extra security margin added. In this work we describe new algebraic attacks on Jarvis and Friday using Gröbner bases, showing that the proposed number of rounds is not sufficient to provide security. In Jarvis, the round function is obtained by combining a finite field inversion S-box with a full-degree linearised permutation polynomial. However, we show that even though the high degree of this polynomial should prevent some algebraic attacks (as claimed by the designers), their particular algebraic properties make the designs vulnerable to Gröbner basis attacks. Our analysis illustrates that block cipher designs for algebraic platforms such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks. Finally, we argue that MiMC -- a cipher similar in structure to Jarvis -- is resistant against our proposed attack strategy.

    AB - The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, were recently proposed as custom designs aimed at addressing bottlenecks involving practical applications of STARKs. In the proposal several types of algebraic attacks were ruled out, and security arguments from Rijndael/AES were used to inform the choice for the number of rounds, with extra security margin added. In this work we describe new algebraic attacks on Jarvis and Friday using Gröbner bases, showing that the proposed number of rounds is not sufficient to provide security. In Jarvis, the round function is obtained by combining a finite field inversion S-box with a full-degree linearised permutation polynomial. However, we show that even though the high degree of this polynomial should prevent some algebraic attacks (as claimed by the designers), their particular algebraic properties make the designs vulnerable to Gröbner basis attacks. Our analysis illustrates that block cipher designs for algebraic platforms such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks. Finally, we argue that MiMC -- a cipher similar in structure to Jarvis -- is resistant against our proposed attack strategy.

    KW - Gröbner Basis

    KW - MARVELlous

    KW - Jarvis

    KW - Friday

    KW - MiMC

    KW - STARKs

    KW - Algebraic Cryptanalysis

    KW - Arithmetic Circuits

    M3 - Conference contribution

    BT - ASIACRYPT 2019

    ER -

    Zugang zum Dokument