Solving Degree Bounds For Iterated Polynomial Systems

For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata & Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and hence by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash, provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.


Introduction
With the increasing adoption of Multi-Party Computation (MPC) and Zero-Knowledge (ZK) proof systems, new ciphers and hash functions are needed to implement these constructions efficiently without compromising security. These new cryptographic primitives are commonly referred to as Arithmetization-Oriented (AO) designs. The main objective of AO is to minimize multiplicative complexity, the minimum number of multiplications needed to evaluate a function. However, this comes at a cost: a very simple algebraic representation. Examples [GØSW23] and Arion [RST23]. Unfortunately, with AO an often-neglected threat reemerged in cryptography: Gröbner bases. While being a minor concern for well-established ciphers like the Advanced Encryption Standard (AES) [DR20, BPW06], certain proposed AO designs have already been broken with off-the-shelf computing hardware and standard implementations of Gröbner bases, see for example [ACG+19, GKRS22]. Therefore, to ensure computational security against Gröbner basis attacks, cryptographers ask for tight complexity bounds of Gröbner basis computations [AAB+20, SS21].
Unfortunately, the Gröbner basis cryptanalysis of the aforementioned AO designs is lacking mathematical rigor. Broadly speaking, the Gröbner basis analysis of AO designs usually falls into the following categories: (I) It is assumed that the polynomial system satisfies some genericity condition for which Gröbner basis complexity estimates are known, e.g., being regular or semi-regular.
(II) Empirical complexities from small scale experiments are extrapolated.
In this paper, on the other hand, we present a rigorous mathematical formalism to derive provable complexity estimates for cryptographic polynomial systems. In particular, we prove Gröbner basis complexity estimates for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. We note that our bounds fall in line with the hypothesized cost of Gröbner basis attacks on these designs (see [GLR+20, §4.3] and [AGP+19, §4.1.1]).
To the best of our knowledge these are the first rigorous mathematical proofs for the Gröbner basis cryptanalysis of these designs. Moreover, for MiMC, Feistel-MiMC and Feistel-MiMC-Hash we prove limitations of our complexity estimations, i.e., we derive lower bounds which can never be surpassed by our estimation method. The cryptographic constructions of our interest all follow the same design principle. Let F_q be a finite field with q elements and let n ≥ 1 be an integer. One chooses a round function R : F_q^n × F_q^n → F_q^n, which depends on the input variable x and the key variable y, and then iterates it r times with respect to the input variable. Such a design admits a very simple model of keyed iterated polynomials where F_R denotes the polynomial vector representing the round function R, the x_i's the intermediate state variables, y the key variable and x_0, x_r ∈ F_q^n a plain/cipher text pair given by the encryption function. This leads us to the standard Gröbner basis attack on ciphers, which proceeds in four steps: (1) Model the cipher function with an iterated system of polynomials.
(2) Compute a Gröbner basis with respect to an efficient term order, e.g., the degree reverse lexicographic order.
(3) Perform a term order conversion to an elimination order, e.g., the lexicographic order.
Let us for the moment assume that a Gröbner basis has already been found and focus on the complexity of the remaining steps. Let I ⊂ F_q[x_1, . . . , x_n] be a zero-dimensional ideal modeling a cipher, and denote with d = dim_{F_q}(F_q[x_1, . . . , x_n]/I) the F_q-vector space dimension of the quotient space. With the original FGLM algorithm [FGLM93] the complexity of term order conversion is O(n · d^3), but improved versions with probabilistic methods achieve O(n · d^ω) [FGHR14], where 2 ≤ ω < 2.37286, and sparse linear algebra algorithms [FM17] achieve O(√n · d^{2 + (n−1)/n}). To extract the F_q-valued roots of the univariate polynomial most efficiently we compute its greatest common divisor with the field equation x^q − x via the algorithm of Bariant et al. [BBLP22, §3.1]. The complexity of this step is then O(d · log(q) · log(d) · log log(d) + d · log(d)^2 · log log(d)), provided that d ≤ q; otherwise the roles of d and q in the complexity estimate are swapped.
Furthermore, in [FP19] it was proven that one can also use d to upper bound the complexity of linear algebra-based Gröbner basis algorithms. Since d is in general not known, one has to estimate d via the Bézout bound.
To the best of our knowledge, the aforementioned AO designs all admit a very high quotient space dimension. Hence, to improve the capabilities of Gröbner basis attacks one must reduce this dimension. For this problem we have two generic approaches: (i) Alter the standard representation, e.g., choose polynomials in the model which approximate the round function with high probability. This approach was successfully deployed in [ACG+19, GKRS22].
(ii) Add polynomials to the system to remove parasitic solutions that lie in the algebraic closure, e.g., the polynomial system for an additional plain/cipher pair or the field equations. This approach is the concern of this paper.
If one successfully filters out all solutions from the algebraic closure, then one expects that steps (2)-(4) are no longer a major concern. Therefore, we need tight estimates for the complexity of Gröbner basis computations.

Contributions & Related Work
Our main tool to bound the complexity of Gröbner basis computations will be the solving degree of linear algebra-based Gröbner basis algorithms, which was first formalized in [DS13]. Linear algebra-based Gröbner basis algorithms perform Gaussian elimination on matrices associated to a polynomial system. Given the number of equations, the number of variables and the solving degree one can then estimate the maximal size of these matrices and hence also the cost of Gaussian elimination. In [CG21] the solving degree was upper bounded via the Castelnuovo-Mumford regularity if the polynomial system is in generic coordinates. This genericity notion can be traced back to the influential work of Bayer & Stillman [BS87]. In essence, if a polynomial system is in generic coordinates, then we can estimate the complexity of a Gröbner basis computation via the degrees of the input polynomials.
Our paper is divided into two parts. In the first part (Sections 2 to 5), we develop a rigorous framework for complexity estimates of attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. To streamline the application of the technique developed by Caminata & Gorla, we prove in Theorem 3.2 that a polynomial system is in generic coordinates if and only if it admits a finite degree of regularity [BFS04]. This in turn permits efficient proofs that the keyed iterated polynomial systems of MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC are in generic coordinates.
In the second part (Sections 7 and 8), we study polynomials with degree falls. For an inhomogeneous polynomial system F = {f_1, . . . , f_m} ⊂ K[x_1, . . . , x_m] a polynomial f ∈ (F) has a degree fall in d if for every possible representation f = Σ_{i=1}^m g_i · f_i there is at least one i such that deg(g_i · f_i) ≥ d but deg(f) < d.
We define the last fall degree as the largest integer d for which there exists a polynomial f ∈ (F) with a degree fall in d. For polynomial systems in generic coordinates we prove that the last fall degree is equal to the satiety of F^hom (Theorem 7.4). Moreover, it is well-known that the satiety of F^hom is always upper bounded by the Castelnuovo-Mumford regularity of F^hom. Therefore, if we find a polynomial with a degree fall in (F), then we immediately have a lower bound for the Castelnuovo-Mumford regularity of F^hom. As a consequence one then has a limit on the capabilities of Castelnuovo-Mumford regularity-based complexity estimates.
We note that a different notion of last fall degree was already introduced by Huang et al. [HKY15, HKYY18]. Therefore, in Remark 7.6 we discuss the difference between Huang et al.'s and our notion of last fall degree.
Let MiMC with r rounds be defined over F_q and assume that the MiMC polynomial systems have fewer than three solutions in F_q. Applying our bounds we obtain the following ranges on the Castelnuovo-Mumford regularity. For MiMC and the field equation for the key variable we have, see Examples 5.1 and 8.3,
q + 2 · r − 2 ≤ reg(I_MiMC + (y^q − y)) ≤ q + 2 · r. (2)
For the two plain/cipher text attack on MiMC we have, see Examples 5.3 and 8.5,
4 · r − 3 ≤ reg(I_{MiMC,1} + I_{MiMC,2}) ≤ 4 · r + 1. (3)
For a Feistel-2n/n network based on the MiMC round function we have, see Examples 5.4 and 8.7,
2 · r − 1 ≤ reg(I_{MiMC-2n/n}) ≤ 2 · r + 1. (4)
For a Feistel-2n/n network based on the MiMC round function operated in sponge mode [BDPV08] we have for the preimage attack, see Examples 5.5 and 8.9,
q + 2 · r − 6 ≤ reg(I_preimage + (x_2^q − x_2)) ≤ q + 2 · r − 2. (5)

Organization Of The Paper
In Section 2 we will formally introduce univariate keyed iterated polynomial systems (Section 2.1), the MiMC cipher, Feistel-2n/n networks, and recall required definitions and results for the solving degree (Section 2.2) and generic coordinates (Section 2.3). In Section 3 we prove that being in generic coordinates is equivalent to the ideal of the highest degree components being zero-dimensional (Theorem 3.2). Moreover, we prove that a large class of univariate keyed iterated polynomial systems, including MiMC polynomial systems, is already in generic coordinates (Theorem 3.8). As preparation for our bounds on the solving degree we study in Section 4 properties of the lexicographic Gröbner basis of the univariate keyed iterated polynomial system and Feistel-2n/n. In Section 5 we finally provide upper bounds for the solving degree of various attacks on MiMC and MiMC-2n/n. In Section 6 we extend our framework to multivariate ciphers; in particular we investigate when the keyed iterated polynomial systems for Substitution-Permutation and generalized Feistel Networks are in generic coordinates. In Figure 1 we provide a directed graph to illustrate the derivation of the main results of the first part of the paper. In Section 7 we investigate polynomials with degree falls and the last fall degree. In particular, we establish that for a polynomial system in generic coordinates the last fall degree is equal to the satiety (Theorem 7.4). Moreover, under a mild condition on the degree of regularity we prove that the satiety and the Castelnuovo-Mumford regularity are equal (Proposition 7.7). In Section 8 we construct polynomials with degree falls for the keyed iterated polynomial systems for univariate ciphers and Feistel-2n/n. Finally, this yields regularity lower bounds for various attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash. In Figure 2 we provide a directed graph to illustrate the derivation of the main results of the second part of the paper.

Preliminaries
By K we will always denote a field, by K̄ its algebraic closure, and we abbreviate the polynomial ring P = K[x_1, . . . , x_n] if the base field and the number of variables are clear from context. If I ⊂ K[x_1, . . . , x_n] is an ideal, then we denote the zero locus of I over K̄ as
If moreover I is homogeneous, then we denote the projective zero locus over K̄ by
Let f ∈ K[x_1, . . . , x_n] be a polynomial, and let x_0 be an additional variable; we call
the homogenization of f with respect to x_0, and analogously for the homogenization of ideals
the dehomogenization of F with respect to x_0, and analogously for the dehomogenization of homogeneous ideals I^deh = (f^deh | f ∈ I). Further, we will always assume that we can extend a term order on K[x_1, . . . , x_n] to a term order on K[x_0, . . . , x_n] according to [CG21, Definition 8].
For a homogeneous ideal I ⊂ P and an integer d ≥ 0 we denote
and for inhomogeneous ideals I ⊂ P we denote
For a term order > and an ideal I ⊂ P we denote with in_>(I) = {LT_>(f) | f ∈ I} the initial ideal of I, i.e., the ideal of leading terms of I with respect to >.
Every polynomial f ∈ K[x_1, . . . , x_n] can be written as
the usual ideal quotient, and
with the saturation of I with respect to J. Let I, m ∈ K[x_0, . . . , x_n] be homogeneous ideals where m = (x_0, . . . , x_n); then we call I^sat = I : m^∞ the saturation of I.
Let > be a term order on P; we recall the definition of Buchberger's S-polynomial of f, g ∈ P with respect to > (cf. [CLO15, Chapter 2 §6 Definition 4]). Denote with x^γ = lcm(LT_>(f), LT_>(g)); then the S-polynomial is defined as
We will often encounter the lexicographic and the degree reverse lexicographic term order, which we will abbreviate as LEX and DRL respectively.

Keyed Iterated Polynomial Systems
A natural description of a univariate keyed function over a finite field is to write the function as a composition of low degree polynomials. This idea leads us to the general notion of keyed iterated polynomial systems.
Definition 2.1 (Univariate keyed iterated polynomial system). Let K be a field, let g_1, . . . , g_n ∈ K[x, y] be non-constant polynomials, and let p, c ∈ K be field elements which will commonly be called a plain/cipher pair. We say that f_1, . . . , f_n ∈ K[x_1, . . . , x_{n−1}, y] is a univariate keyed iterated polynomial system if the polynomials are of the form
. . .
Moreover, we require that
Before we continue we discuss why the zero locus must contain K-valued points. Let us for the moment replace p with the symbolic variable x and ignore c. Iteratively we can now substitute f_1, . . . , f_{n−1} into g_n(x_{n−1}, y); then we obtain a polynomial f in the variables x and y. We can view f : K × K → K as a keyed function, where y is the key variable. The intersection condition states that if f(p, y) = c, then there must exist y ∈ K that satisfies the equation. I.e., all computations involving a Gröbner basis for f_1, . . . , f_n are non-trivial, that is 1 ∉ (f_1, . . . , f_n).

MiMC
Our main example of a univariate keyed iterated polynomial system is MiMC, an AO cipher proposed in [AGR+16, §2.1]. It is based on the cubing map x ↦ x^3 over finite fields. If F_q is a field with q elements, then cubing induces a permutation if gcd(3, q − 1) = 1, see [LN97, Theorem 7.8]. Let k ∈ F_q denote the key, let r ∈ N be the number of rounds, and let c_1, . . . , c_r ∈ F_q be round constants. Then the round function of MiMC is defined as
The MiMC cipher function is now defined as
which is a permutation for every fixed key k. Given a plain/cipher pair (p, c) ∈ F_q^2 it is straightforward to describe the univariate keyed iterated polynomial system I_MiMC ⊂ F_q[x_1, . . . , x_{r−1}, y] for MiMC:
It was first observed in [ACG+19] that for the DRL term order this system is already a Gröbner basis. It is now straightforward to compute that
For all proposals of MiMC one has that r ≥ 60. Hence, using this Gröbner basis we do not expect a successful key recovery with today's computational capabilities.

Feistel-MiMC
With the Feistel network we can construct block ciphers with cubing as round function. Note that a Feistel network induces a permutation irrespective of the size or characteristic of the finite field F_q. A very special case is the Feistel-2n/n network, which encrypts two message blocks of size n with a key of size n. As previously, let F_q be a finite field, let r be the number of rounds, let k ∈ F_q denote the key, and let c_1, . . . , c_r ∈ F_q be round constants. Then the MiMC-2n/n [AGR+16, §2.1] round function is defined as
Again the cipher is defined as the iteration of the round functions with respect to the plaintext variables
Analogously to MiMC we can model Feistel-MiMC with a "multivariate" system of keyed iterated polynomials.
Definition 2.2 (Keyed iterated polynomial system for Feistel-2n/n). Let K be a field, let g_1, . . . , g_n ∈ K[x, y] be non-constant polynomials, and let (p_L, p_R), (c_L, c_R) ∈ K^2 be field elements which will commonly be called a plain/cipher pair. We say that f_{L,1}, f_{R,1}, . . . , f_{L,n}, f_{R,n} ∈ K[x_{L,1}, x_{R,1}, . . . , x_{L,n−1}, x_{R,n−1}, y] is a keyed iterated polynomial system for Feistel-2n/n if the polynomials are of the form
Moreover, we require that
For any term order > on P and any non-trivial ideal I a finite >-Gröbner basis exists. For a general introduction to Gröbner bases we refer to [CLO15]. Today two classes of Gröbner basis algorithms are known: Buchberger's algorithm and linear algebra-based algorithms. In this paper we are only concerned with the latter. These algorithms perform Gaussian elimination on the Macaulay matrices which under certain conditions produces a Gröbner basis. This idea can be traced back to [Laz83], examples for modern linear algebra-based algorithms are F4 [Fau99] and Matrix-F5 [Fau02].
The Macaulay matrices are defined as follows. Let F = {f_1, . . . , f_m} ⊂ P be a system of homogeneous polynomials and fix a term order >. The homogeneous Macaulay matrix M_d has columns indexed by the monomials in P_d, sorted from left to right with respect to >, and rows indexed by the polynomials s · f_i, where s ∈ P is a monomial such that deg(s · f_i) = d. The entry of the row s · f_i at the column t is simply the coefficient of the polynomial s · f_i at the monomial t. For an inhomogeneous system we replace M_d by M_{≤d} and, likewise, the degree equality by the inequality deg(s · f_i) ≤ d. By performing Gaussian elimination on M_0, . . . , M_d (respectively on M_{≤d}) for a large enough value of d one produces a >-Gröbner basis for F.
Obviously, the size of the Macaulay matrices M_d and M_{≤d} depends on d; therefore, following the idea of [DS13], we define the solving degree as follows. Algorithms like F4/F5 perform Gaussian elimination on the Macaulay matrix for increasing values of d, and such an algorithm needs a stopping criterion to decide whether a Gröbner basis has already been found. Algorithms like the method described above perform Gaussian elimination on a single matrix M_{≤d} for a large enough value of d. For this class of algorithms one would like to find sharp bounds on d via the solving degree to keep the Macaulay matrix as small as possible. Nevertheless, for both classes of algorithms one may choose to artificially stop a computation in the degree corresponding to the solving degree. For this reason we consider the solving degree as a complexity measure of Gröbner basis computations and do not discuss termination criteria further.
Let F = {f_1, . . . , f_m} ⊂ P be a system of polynomials, and let F^hom be its homogenization in P[x_0]. One has that (F^hom) ⊆ (F)^hom, and it is easy to construct examples for which the inclusion is strict. Nevertheless, it was demonstrated in [CG21, Theorem 7] that for the DRL term order one still has that (20)

Complexity Estimates Via The Solving Degree
Storjohann [Sto00, §2.2] has shown that a reduced row echelon form of a matrix A ∈ K^{n×m}, where K is a field and r = rank(A), can be computed in O(n · m · r^{ω−2}) field operations, where 2 ≤ ω < 2.37286 is a linear algebra constant [AW21].
Let F = {f_1, . . . , f_m} ⊂ K[x_1, . . . , x_n] be a system of homogeneous polynomials. It is well-known that the number of monomials in P of degree d is given by the binomial coefficient N(n, d), where H_2(p) = −p · log_2(p) − (1 − p) · log_2(1 − p) denotes the binary entropy (cf. [CJ06, Lemma 17.5.1]). Moreover, since in general N(n, d) ≫ m · d we absorb the factor m · d into the implied constant. Therefore, for solving degree d and number of variables n, we estimate the bit complexity κ of a Gröbner basis attack via

Solving Degree & Castelnuovo-Mumford Regularity
The mathematical foundation to estimate the solving degree via the Macaulay bound draws heavily from commutative and homological algebra. For readers unfamiliar with the latter subject we point out that Definition 2.5, the notion of generic coordinates, is the key mathematical technique in this paper. Although this notion dates back at least to the influential work of Bayer & Stillman [BS87], it was only recently revealed by Caminata & Gorla [CG21] that for the DRL term order the solving degree of a polynomial system in generic coordinates can always be upper bounded by the Macaulay bound. Although the theory requires heavy mathematical machinery, we will discuss in Section 2.3.1 that being in generic coordinates can be verified with rather simple arithmetic operations. For a concise treatment, and as a reference point for interested readers, we now introduce the mathematical details that serve as the foundation of our theory. The Castelnuovo-Mumford regularity is a well-established invariant from commutative algebra and algebraic geometry. We recap the definition from [Eis05, Chapter 4]. Let P = K[x_0, . . . , x_n] be the polynomial ring and let
be a graded complex of free P-modules, where F_i = ⊕_j P(−a_{i,j}).
Definition 2.4. The Castelnuovo-Mumford regularity of F is defined as
By Hilbert's Syzygy theorem [Eis05, Theorem 1.1] any finitely generated graded P-module has a finite free graded resolution, i.e., for every homogeneous ideal I ⊂ P the regularity of I is computable.
Before we can introduce the connection between Castelnuovo-Mumford regularity and solving degree we must introduce the notion of generic coordinates from [BS87]. Let I ⊂ P be an ideal, and let r ∈ P . We use the shorthand notation "r ∤ 0 mod I" for expressing that r is not a zero-divisor on P/I. In general, computing the saturation of an ideal is a difficult problem on its own, but if a homogeneous ideal is in generic coordinates, then the saturation is exactly the homogenization of its dehomogenization.
Proof. "⇒": Let F ∈ I^sat = I : m^∞, then there exists an N ≥ 0 such that x_0^N · F ∈ I. On the other hand, by [KR05, Proposition 4.3.5] we have that (I^deh)^hom = I : x_0^∞, so also F ∈ (I^deh)^hom. Now let F ∈ (I^deh)^hom. Since F^deh ∈ I^deh ≠ (1), by [KR05, Proposition 4.3.5] there must exist an N ≥ 0 such that x_0^N · F ∈ I. By definition I ⊂ I^sat, so also x_0^N · F ∈ I^sat. By assumption x_0 ∤ 0 mod I^sat, hence we must already have that x_0^{N−1} · F ∈ I^sat. Iterating this argument we conclude that F ∈ I^sat. "⇐": We have the ideal equality I^sat = (I^deh)^hom = I : x_0^∞, so
We provide a simple counterexample to the ideal equality when the ideal is not in generic coordinates.
Example 2.7. Let K be a field and let I = (x^2, y · z) ⊂ K[x, y, z] be an ideal, where we consider z as the homogenization variable. Then I^sat = I but I : z^∞ = (x^2, y).
Let us now present the connection between the solving degree and the Castelnuovo-Mumford regularity.
(1) Let F ⊂ P be a system of homogeneous polynomials and assume that (F) is in generic coordinates over K̄. Then
(2) Let F = {f_1, . . . , f_r} ⊂ P be a system of polynomials which is not homogeneous. Let
In particular, if m > n and d = d_1, then sd_DRL(F) ≤ (n + 1) · (d − 1) + 1.
A sufficient condition for a polynomial system to be in generic coordinates is that the system contains the field equations or their fake Weil descent. Assume that one of the following holds:
Moreover, if m > n and d = d_1, then
Let us apply this bound to MiMC.
Example 2.11 (MiMC and all field equations I). Let MiMC be defined over F_q, and let r be the number of rounds. Denote the ideal of all field equations by F, and the MiMC ideal by I_MiMC. Then by Theorem 2.10 the solving degree is bounded by
However, this bound is very unsatisfying, because, except for one summand, it only takes the field equations into account. On the other hand, it suffices to add only the field equation for the key variable to I_MiMC to restrict all solutions to F_q^r. However, this modification is not covered by Theorem 2.10.

The Caminata-Gorla Technique
Since we are going to emulate the proof of Theorem 2.10 several times in this paper, we recapitulate its main argument. By [BS87, Theorem 2.4] a homogeneous ideal I ⊂ P = K[x_0, . . . , x_n] with dim(P/I) = 1 and |Z_+(I)| < ∞ is in generic coordinates if and only if in_DRL(I) is in generic coordinates. Assume that
then by the projective weak Nullstellensatz [CLO15, Chapter 8 §3 Theorem 8] there exists some r ≥ 1 such that m^r = (x_0, . . . , x_n)^r ⊂ (in_DRL(I), x_0). This also implies that for
Let g be a monomial; we do a case distinction.
• For gcd(g, x_0) = 1, we increase the power of g until x_i^{r_i} | g^M · f for some 1 ≤ i ≤ n and M ≥ 1, hence g^M · f ∈ in_DRL(I).
• For gcd(g, x_0) ≠ 1, we use the factorization
Let B be a basis of in_DRL(I) and B′ be a basis of (in_DRL(I), x_0). If m^r ⊂ (in_DRL(I), x_0) for some r ≥ 1, then for all 0 ≤ i ≤ n there exists a smallest integer r_i ∈ Z such that x_i^{r_i} ∈ B′. Observe that a monomial m ∈ B is also an element of B′ if x_0 ∤ m. Conversely, any basis element of B′ different from x_0 must come from B.
Now let g ∈ m be a polynomial; then we can find N ≥ 0 big enough so that for every monomial present in g one of the two previous cases applies. So if x_0 · f ∈ in_DRL(I)^sat we also have that f ∈ in_DRL(I)^sat. Hence, x_0 ∤ 0 mod in_DRL(I)^sat and by [BS87, Theorem 2.4] also x_0 ∤ 0 mod I^sat.
Finally, in practice Equation (26) can be checked efficiently with the following ideal equality [BS87, Lemma 2.2]

Characterization Of Polynomial Systems In Generic Coordinates
The Caminata-Gorla technique implies that every polynomial system F which contains equations
for every i is already in generic coordinates, see [CG21, Remark 13]. However, the polynomial systems of our interest are in general not of this form, e.g., the keyed iterated polynomial system for MiMC. Still, it is already implicit in the Caminata-Gorla technique that for an inhomogeneous ideal to be in generic coordinates the associated ideal of the highest degree components has to be zero-dimensional. If this is the case, then we can indeed find equations
To formally prove this observation we need the following lemma.

Lemma 3.1. Let K be a field, and let
Proof. Let P = K[x_1, . . . , x_n]; by the isomorphism theorems for rings we have that
I is radical, so f has to be reduced. Since I is also a monomial ideal this implies that f = x_0. Now we can prove the following characterization of generic coordinates.

Theorem 3.2. Let K be an algebraically closed field, and let
Then the following are equivalent.
(1) F hom is in generic coordinates.
"(1) ⇒ (4)": Let F^hom be in generic coordinates and suppose that Z_+(F^hom) = ∅. Then by the projective weak Nullstellensatz [CLO15, Chapter 8 §3 Theorem 8] x_0^k ∈ (F^hom) for some k ≥ 1. In particular, this implies that 1 ∈ (F^hom)^deh = (F), a contradiction to (F) ≠ (1). So Z_+(F^hom) ≠ ∅, and by Lemma 2.6 we have that
By assumption (F) is zero-dimensional, so for every
[Kem11, Theorem 5.11] and [CLO15, Chapter 5 §3 Theorem 6]. Therefore, f^hom ∈ (F^hom)^sat. By definition of the saturation, for every s ∈ m there exists an integer
Without loss of generality we can assume that f is homogeneous, so we can represent it as
where g_i is homogeneous for all i. Now we split the g_i's and f_i's as
We can now further decompose
We can also decompose the left-hand side of the last equation as f = f^top + x_0 · f̃, and by rearranging we obtain that
By [Kem11, Theorem 5.11] and [CLO15, Chapter 5 §3 Theorem 6] this implies zero-dimensionality of (F^top).
For the claim we can work through the arguments of the previous claim in a backwards manner. Since (F^top) is homogeneous and zero-dimensional we can find
Let s, t ∈ K[x_0, . . . , x_n] be monomials such that deg(s) = deg(t), x_0 ∤ s and x_0 | t. For compatibility with homogenization we have set x_0 as the least variable with respect to DRL; this immediately implies that s >_DRL t and the claim follows.
"(2) ⇒ (1)": Assume that
To apply [BS87, Theorem 2.4] in the Caminata-Gorla technique (Section 2.3.1) we have to show that dim(F^hom) = 1. By the equivalence of (2) and (4) we know that
Assume the latter; then there exists a homogeneous f ∈ (F^hom) such that LM
Thus, 1 ∈ (F^hom)^deh = (F), a contradiction to the non-triviality of F. So in_DRL(F^hom) = (x_1, . . . , x_n). Note that this also implies that Z_+(F^hom) ≠ ∅ by contraposition of the equivalence in the projective weak Nullstellensatz [CLO15, Chapter 8 §3 Theorem 3]. It is well-known that F^hom and in_DRL(F^hom) have the same affine Hilbert function, see [CLO15, Chapter 9 §3 Proposition 4]. Moreover, for any ideal I ⊂ K[x_0, . . . , x_n] the affine Hilbert polynomials of I and √I have the same degree, see [CLO15, Chapter 9 §3 Proposition 6]. Since the dimension of an affine ideal is equal to the degree of its affine Hilbert polynomial, see [Kem11, Theorem 11.13], the two previous observations imply that
Combining all our previous observations we obtain that dim Z_+(F^hom) = 0, and it is well-known that zero-dimensional projective varieties have only finitely many points, i.e., |Z_+(F^hom)| < ∞, see [CLO15, Chapter 9 §4 Proposition 6]. To apply the Caminata-Gorla technique
Finally, by our initial assumption and the projective weak Nullstellensatz [CLO15, Chapter 8 §3 Theorem 3] we have
So we can apply the Caminata-Gorla technique (Section 2.3.1) to deduce that x_0 ∤ 0 mod (F^hom)^sat.
As a consequence, we can conclude that every zero-dimensional affine polynomial system has a set of generators that is in generic coordinates.

For every DRL Gröbner basis
The third equivalence in Theorem 3.2 also provides an efficient criterion to show that the homogenization of an affine polynomial system is not in generic coordinates.

Corollary 3.4. Let K be an algebraically closed field, and let
Another quantity that is often studied in the Gröbner basis complexity literature is the so-called degree of regularity of a polynomial system.

Definition 3.5 (Degree of regularity, [BFS04, Definition 4]). Let K be a field, and let
It follows from the projective weak Nullstellensatz [CLO15, Chapter 8 §3 Theorem 8] and [Kem11, Theorem 5.11]
Corollary 3.6. Let K be an algebraically closed field, and let
Then F^hom is in generic coordinates if and only if d_reg(F) < ∞.
Theorem 3.2 also significantly simplifies the application of the Caminata-Gorla technique. For an inhomogeneous polynomial system F ⊂ K[x 1 , . . . , x n ] we can verify (2) as follows.
(2) Extract the highest degree components via F top = F hom mod (x 0 ).
Utilizing Theorem 3.2 we can finally provide an elementary proof that a keyed iterated polynomial system is in generic coordinates.
Theorem 3.8. Let K be an algebraically closed field, and let P = K[x 1 , . . . , x n−1 , y]. Let F = {f 1 , . . . , f n } ⊂ P be a univariate keyed iterated system of polynomials such that Then every non-trivial homogeneous ideal I ⊂ P [x 0 ] with Z + (I) ≠ ∅ and F hom ⊂ I is in generic coordinates.

LEX Gröbner Bases Of Keyed Iterated Polynomial Systems
In this section we investigate the lexicographic Gröbner basis of univariate keyed iterated polynomial systems and of Feistel-2n/n polynomial systems. Consequently, we will see that the solving degree of MiMC with all field equations can be upper bounded by that of MiMC with only the field equation for the key variable, and that under a mild assumption Feistel-2n/n polynomial systems are also in generic coordinates. Moreover, understanding the degrees of polynomials in the lexicographic Gröbner basis will be a key ingredient in the proofs of the Castelnuovo-Mumford regularity lower bounds.
The following lemma certainly has been proven by many students of computer algebra.
be polynomials in one variable such that deg (f 1 ) > 0, and let be an ideal.
(1) Every f ∈ K[x 1 , . . . , x n ] can be written uniquely as f = q + r where q ∈ I and r ∈ K[x 1 ] with either r = 0 or deg (r) < deg (f 1 ).
If we use the LEX term order x 2 > . . . > x n > x 1 , then it is easy to see that the generators of I are already a LEX Gröbner basis.
Now we establish that the LEX Gröbner basis of a univariate keyed iterated polynomial system has exactly the shape of Lemma 4.1.

Lemma 4.2 (Keyed Iterated Shape Lemma I).
Let K be a field, let f 1 , . . . , f n ∈ K[x 1 , . . . , x n−1 , y] be a univariate keyed iterated polynomial system together with the LEX term order x 1 > . . . > x n−1 > y. Let f̂ 1 , . . . , f̂ n ∈ K[x 1 , . . . , x n−1 , y] be constructed via the following iteration: with respect to the LEX term order.
(2) f̂ 1 , . . . , f̂ n is a LEX Gröbner basis of I.
(3) If |K| = q, then I + (y q − y) = f̂ 1 , . . . , f̂ n−1 , gcd(f̂ n , y q − y) , and this ideal is radical. In particular, and
Proof. (1) follows from the construction of the f̂ i 's. For (2), if we record the "quotients" which we drop in the modulo operation in the construction of the f̂ i 's, then we can reconstruct the f i 's from the f̂ i 's. So the f̂ i 's are indeed an ideal basis. Moreover, they have pairwise coprime leading monomials under LEX, so by [CLO15, Chapter 2 §9 Theorem 3, Proposition 4] they are a LEX Gröbner basis of I.
For (3), let d = gcd(f̂ n , y q − y). Then f̂ 1 , . . . , f̂ n−1 , d is an ideal basis of I + (y q − y), and again the leading monomials are pairwise coprime under LEX, so they are a Gröbner basis of I + (y q − y). Since y q − y is square-free also d must be square-free, so by Lemma 4.1 I + (y q − y) is a radical ideal. It is obvious from the shape of the f̂ i 's that already Z(I + (y q − y)) ⊂ F n q . Now we can conclude from Hilbert's Nullstellensatz and [Gao09, Theorem 3.1.2] that I + (y q − y) = I + (x q 1 − x 1 , . . . , y q − y). For the inequality observe that the Macaulay matrix of the polynomial system with one field equation is a submatrix of the Macaulay matrix of the polynomial system with all field equations. So the claim follows.
With an additional assumption on the leading monomials of a univariate keyed iterated polynomial system we can compute the degrees in the LEX Gröbner basis.
Corollary 4.3. Let K be a field, and let f 1 , . . . , f n ∈ K[x 1 , . . . , x n−1 , y] be a univariate keyed iterated polynomial system such that Let f̂ 1 , . . . , f̂ n be the LEX Gröbner basis of f 1 , . . . , f n . Then
Proof. The assertion follows directly from the monomial assumption and the LEX Gröbner basis construction procedure.
Conversely, we can transform any lexicographic Gröbner basis with the shape of Lemma 4.1 into a univariate keyed iterated polynomial system.
Lemma 4.4 (Keyed Iterated Shape Lemma II). Let K be a field, and assume that the ideal I ⊂ K[x 1 , . . . , y] has a LEX Gröbner basis of the form Then I has an ideal basis of the form I.e., the ideal is generated by a univariate keyed iterated polynomial system.
Proof. For the proof we work with the DRL term order x 1 > . . . > x n−1 > y. Let f 1 , . . . , f n denote the polynomials in the LEX Gröbner basis, and let f̂ 1 , . . . , f̂ n denote the polynomials that we claim are the univariate keyed iterated basis. We
Note that the keyed iterated system from Lemma 4.4 is in general not a DRL Gröbner basis. We present a simple counterexample.
Example 4.5. Let K be a field, and let The respective keyed iterated polynomial system of I is then given by but the DRL Gröbner basis of I is given by
With Lemma 4.1 (1) and Lemma 4.2 we can transform every polynomial f ∈ K[x 1 , . . . , x n , y] into a univariate polynomial f̂ ∈ K[y] using only ideal operations, i.e. by performing division with remainder with respect to the LEX Gröbner basis. Understanding the degree of these univariate polynomials will be our main ingredient in proving lower bounds on the regularity.
Proposition 4.6. Let K be a field, and let I = (f 1 , . . . , f n ) ⊂ P = K[x 1 , . . . , x n−1 , y] be an ideal generated by a univariate keyed iterated polynomial system such that Let f ∈ P be a polynomial, then we denote with f̂ ∈ K[y] the unique univariate polynomial obtained via division with remainder of f by I with respect to LEX. Then
(1) Let a ∈ P \ in DRL (I) be a monomial, then in the computation of â via division with remainder there is never a reduction modulo the univariate LEX polynomial.
(2) Let a, b ∈ P \ in DRL (I) be monomials such that a | b, then â | b̂ and deg (â) ≤ deg (b̂).
( . Then
(4) The degree of ŝ i is given by
Proof.
, then any monomial a ∈ P \ in DRL (I) divides m. So if there is a reduction modulo f̂ n in the construction of â, then there also must be a reduction in the construction of m̂. Via Corollary 4.3 let us compute Since deg (f̂ n ) = ∏_{k=1}^{n} d k , there cannot be a reduction modulo f̂ n in the construction of m̂ anymore. So we have already computed deg (m̂). By contraposition the claim follows.
For (2) and (3), by (1) there is no reduction modulo f̂ n in the construction of â, b̂ and ĉ, so the claims follow from standard polynomial arithmetic.
For (4), the computation is analogous to the degree computation in (1).
For (5), we do a downwards induction. Assume that there is a monomial t ∈ P \ in DRL (I) such that t ≠ s i , deg (t) ≤ deg (s i ) and deg (t̂) > deg (ŝ i ). The monomial t must differ from s i in at least one variable. Assume that the difference is in the variable x n−1 , then t must divide the monomial Let us compute the degree of the LEX remainder analogously to (1) and (4) On the other hand, by (2) we have that deg (t̂) ≤ deg (û n−1 ). Therefore, t has to coincide with s i on x n−1 , else we already have deg (t̂) < deg (ŝ i ). Now we replace s i and t by s i / x n−1^{d n−1} and t / x n−1^{d n−1} respectively, and perform the same argument for x n−2 . Inductively we conclude that either t = s i or deg (t̂) < deg (ŝ i ).

LEX & DRL Gröbner Bases For Feistel-2n/n
Having studied the LEX Gröbner basis of univariate keyed iterated polynomial systems we now describe LEX and DRL Gröbner bases of Feistel-2n/n polynomial systems, see Definition 2.2.

Then
(1) For the DRL term order
(2) If we remove the linear polynomials from the DRL Gröbner basis G, then this downsized polynomial system H ⊂ P = K[x R,2 , . . . , x R,n−1 , x L,n−1 , y] is already a zero-dimensional Gröbner basis. Moreover, H hom , f hom R,n is in generic coordinates over K.
(3) For the LEX term order x R,2 > . . . > x R,n−1 > x L,n−1 > y the Gröbner basis of (H) is of the form are constructed analogously to the LEX Gröbner basis in Lemma 4.2.
(4) The degree of f̂ i is given by
Proof. Observe that only a finite number of monomials of P is not contained in in DRL (H), i.e. dim K P/ in DRL (H) < ∞ as a K-vector space, and by a well-known equivalence from commutative algebra (see [Kem11, Theorem 5.11]) this implies zero-dimensionality. Lastly, being in generic coordinates is proven analogously to Theorem 3.8.
We provide a counterexample showing that in general the generators of the DRL Gröbner basis of Feistel-2n/n cannot be transformed into a univariate keyed iterated polynomial system.
Example 4.8. Consider MiMC-2n/n over F 13 with the round constants and plain/cipher pair The downsized DRL Gröbner basis is But the univariate keyed iterated generators of this system are

LEX & DRL Gröbner Bases For Univariate Keyed Iterated Polynomial Systems With Two Plain/Cipher Texts
If one has multiple plain/cipher text samples for a cipher, then one can combine the respective iterated polynomial systems into a joint system and compute its Gröbner basis. Analogously to Lemma 4.2 and Proposition 4.6 we now describe LEX and DRL Gröbner bases for a two plain/cipher text attack on a univariate cipher. With the same assumptions as in Theorem 3.8 we can also prove that the polynomial system of a two plain/cipher text attack is in generic coordinates.
(3) Every polynomial f ∈ P can be uniquely written as f = q + r where q ∈ I and r ∈ K[v 1 , y].
(4) Let f ∈ K[v 1 , y], then f ∈ I if and only if f ∈ (f̂ n , ĥ n ).
(5) If in addition K is algebraically closed, then F hom is in generic coordinates.
Proof. (1) follows from [CLO15, Chapter 2 §9 Theorem 3, Proposition 4], the proof of (2) is identical to Lemma 4.2 (2), and (3) follows from polynomial division with the LEX Gröbner basis. For (4), let f ∈ K[v 1 , y] and f ∈ I. First we divide f by f̂ n , ĥ n with respect to LEX and we denote the remainder by r f ∈ P . All operations in the division algorithm are performed in the variables v 1 and y, therefore also r f ∈ K[v 1 , y]. Since f ∈ I also r f ∈ I, and by construction we cannot further reduce r f by f̂ n , ĥ n . Therefore, the leading monomial of r f must be divisible by at least one of the variables u 1 , . . . , u n−1 , v 2 , . . . , v n−1 . Since r f ∈ K[v 1 , y] this is only possible if r f = 0. The other direction is trivial.
We also note that it is straightforward to generalize statement (5) to any number of plain/cipher text pairs.

Adding A Minimal Number Of Field Equations
In the original bound for MiMC, see Example 2.11, we had to include all field equations in the system, but as we saw in Lemma 4.2 it suffices to include a single field equation to limit all solutions to the base field.
Example 5.1 (MiMC and one field equation I). Let MiMC be defined over F q , and let r be the number of rounds. We denote with I MiMC the MiMC ideal. It follows from Lemma 4.2 (3) that one only needs to include the field equation for the key variable y to limit all solutions to F q . Hence, by applying Corollary 2.9 and Theorem 3.8 to this system we obtain sd DRL (I MiMC + (y q − y)) ≤ q + 2 · r.
As an immediate consequence we can also improve the bound of the attack with all field equations.
Moreover, small scale experiments indicate that the solving degree of this attack is always less than or equal to q + r − 1.
Since the MiMC polynomials are already a DRL Gröbner basis, we can also replace the field equation y q − y by its remainder r y modulo I MiMC with respect to DRL. Then the solving degree bound becomes Let r ≥ ⌈log 3 (q)⌉, then experimentally we observed that deg (r y ) ≤ 2 · ⌈log 3 (q)⌉ .
In the following table we provide bit complexity estimates for a Gröbner basis computation of MiMC and the field equation for the key for an optimal adversary with ω = 2. For ease of computation we estimated the logarithm of the binomial coefficient with Equation (24).

The Two Plain/Cipher Text Attack
Intuitively, with a single plain/cipher pair one can construct a fully determined system of polynomials for a cipher. By adding more plain/cipher pairs one constructs an overdetermined system, and it is expected that the additional information reduces the difficulty of solving the system. Let I, J ⊂ P be ideals representing a cipher for different plain/cipher pairs. Combining these two systems into a single system geometrically corresponds to the intersection of two varieties, i.e., Let us now apply these considerations to MiMC.

Example 5.3 (MiMC and two plain/cipher pairs I). Let
MiMC be defined over F q , let r be the number of rounds, and let (p 1 , c 1 ), (p 2 , c 2 ) ∈ F 2 q be two distinct plain/cipher pairs generated with the same key by a MiMC encoding function. For these pairs we can construct the univariate polynomials f 1 , f 2 ∈ F q [y] in the respective LEX Gröbner basis of degree 3 r . These two polynomials must have at least one common root, namely the key k ∈ F q . If one divides f 1 and f 2 by y − k and considers them as random polynomials, then with high probability they are coprime. Now let I 1 ⊂ F q [u 1 , . . . , u r−1 , y] and I 2 ⊂ F q [v 1 , . . . , v r−1 , y] denote the ideals corresponding to the plain/cipher pairs. Then, with high probability Z(I 1 + I 2 ) contains only a single point. By Corollary 2.9 and Proposition 4.9 (5) we now obtain the following bound for the solving degree of I 1 + I 2 sd DRL (I MiMC,1 + I MiMC,2 ) ≤ 4 · r + 1.
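As an added example that is not part of the paper (it uses a constructed toy instance, not the authors' experiments), the following Python script builds the univariate keyed iterated system of MiMC over F_13, carries out the LEX Gröbner basis construction of Lemma 4.2 and checks the degrees of Corollary 4.3, then adds only the field equation for the key as in Example 5.1 by computing gcd(f̂_r, y^q − y), and finally takes the gcd of the two univariate polynomials of Example 5.3. The prime 13, the round constants, the key and the two plaintexts are sample values chosen here, and MiMC is modelled with the cubing round function and a final key addition; the polynomial arithmetic over F_13 is written inline so that the script runs without a computer algebra system.

```python
"""Added example, not from the paper: MiMC over F_13 as a univariate keyed
iterated system, the LEX basis shape of Lemma 4.2 / Corollary 4.3, the single
field equation of Example 5.1 and the two-pair gcd of Example 5.3.
A polynomial in F_P[y] is a list of coefficients, lowest degree first.
P, the key, the round constants and the plaintexts are constructed values."""

P = 13  # constructed sample prime (Example 4.8 of the paper also uses F_13)

def trim(a):
    """Drop leading zero coefficients in place and return the list."""
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, z in enumerate(b):
            out[i + j] = (out[i + j] + x * z) % P
    return trim(out)

def mod(a, m):
    """Remainder of a modulo the non-zero polynomial m (division with remainder)."""
    a, inv = list(a), pow(m[-1], -1, P)
    while len(a) >= len(m):
        c, shift = (a[-1] * inv) % P, len(a) - len(m)
        for i, z in enumerate(m):
            a[shift + i] = (a[shift + i] - c * z) % P
        trim(a)
    return a

def gcd(a, b):
    """Monic gcd by the Euclidean algorithm."""
    while b:
        a, b = b, mod(a, b)
    return [(x * pow(a[-1], -1, P)) % P for x in a]

def evaluate(a, v):
    acc = 0
    for coeff in reversed(a):
        acc = (acc * v + coeff) % P
    return acc

def roots_in_field(a):
    return [v for v in range(P) if evaluate(a, v) == 0]

def powmod_y(e, m):
    """y^e mod m by square-and-multiply, so y^q - y is never expanded."""
    result, base = [1], [0, 1]
    while e:
        if e & 1:
            result = mod(mul(result, base), m)
        base = mod(mul(base, base), m)
        e >>= 1
    return result

def mimc_encrypt(pt, key, consts):
    """MiMC with round function x -> (x + k + c_i)^3 and a final key addition."""
    x = pt
    for c in consts:
        x = pow((x + key + c) % P, 3, P)
    return (x + key) % P

def lex_basis(pt, ct, consts):
    """The fhat_i of Lemma 4.2: fhat_i = x_i - g_i(y) for i < r, where g_i comes
    from substituting the previous round into the current one, and
    fhat_r = g_r(y) + y - ct in F_P[y]. Returns (g_1, ..., g_{r-1}) and fhat_r."""
    y, g, x = [0, 1], [], [pt % P]
    for c in consts:
        t = add(add(x, y), [c % P])
        x = mul(mul(t, t), t)
        g.append(x)
    return g[:-1], add(add(g[-1], y), [(-ct) % P])

def run_example(consts=(3, 7, 11), key=5, pts=(2, 9)):
    cts = [mimc_encrypt(p, key, consts) for p in pts]
    g, f_hat = lex_basis(pts[0], cts[0], consts)
    degrees = [len(gi) - 1 for gi in g] + [len(f_hat) - 1]  # Corollary 4.3: 3^i
    # Example 5.1 / Lemma 4.2 (3): gcd(fhat_r, y^P - y) confines all solutions to F_P
    h = gcd(f_hat, add(powmod_y(P, f_hat), [0, P - 1]))
    # Example 5.3: a second pair under the same key; the gcd keeps the factor y - key
    _, f_hat2 = lex_basis(pts[1], cts[1], consts)
    h2 = gcd(f_hat, f_hat2)
    keys1 = [k for k in range(P) if mimc_encrypt(pts[0], k, consts) == cts[0]]
    keys12 = [k for k in keys1 if mimc_encrypt(pts[1], k, consts) == cts[1]]
    return {
        "degrees": degrees,
        "field_gcd_roots": roots_in_field(h),
        "brute_force_keys": keys1,
        "two_pair_roots": roots_in_field(h2),
        "brute_force_keys_both": keys12,
        "two_pair_gcd_degree": len(h2) - 1,
    }
```

The degrees returned are 3, 9 and 27 for three rounds, as Corollary 4.3 predicts. The field-equation gcd is computed from y^13 mod f̂_r, which is why the high-degree polynomial y^q − y itself never has to be expanded, and its roots in F_13 are exactly the keys that encrypt the first plaintext to its ciphertext, which is the content of Lemma 4.2 (3). For the two-pair gcd, common irreducible factors over extension fields of F_13 can survive at this toy size; that is the "with high probability they are coprime" caveat of Example 5.3, while the F_13 roots of the gcd are exactly the keys consistent with both pairs.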
In the following table we provide bit complexity estimates for a Gröbner basis computation of MiMC and two plain/cipher texts for an optimal adversary with ω = 2. For ease of computation we estimated the logarithm of the binomial coefficient with Equation (24).

Feistel-MiMC
Interestingly, MiMC-2n/n behaves very similarly to the two plaintext attack on MiMC, in the sense that with high probability the standard polynomial model of MiMC-2n/n does not have any solutions in the algebraic closure beyond the one induced by the key, and its Gröbner basis is expected to be linear.
Example 5.4 (MiMC-2n/n I). Let F q be a finite field, let r be the number of rounds, and let k ∈ F q denote the key. Suppose we are given a plain/cipher pair (p L , p R ) , (c L , c R ) ∈ F 2 q for MiMC-2n/n generated by the key k. By substituting this pair into the cipher function we obtain two univariate polynomials F y (p L , p R ) − (c L , c R ) = (0, 0) in the key variable y. These polynomials have at least one common root, namely the key k, i.e. a common factor y − k. If we divide these polynomials by y − k and consider them as random polynomials, then with high probability they are coprime. Now, to launch an efficient Gröbner basis attack we first compute the downsized DRL Gröbner basis of the Feistel-2n/n polynomial system from Proposition 4.7 (1). Then we add the missing polynomial and compute the Gröbner basis. By Proposition 4.7 (2) the polynomial system is in generic coordinates, therefore we can also apply Corollary 2.9 to obtain the following bound for the solving degree sd DRL I MiMC-2n/n ≤ 2 · r + 1.
In the following table we provide bit complexity estimates for a Gröbner basis computation of Feistel-MiMC for an optimal adversary with ω = 2. For ease of computation we estimated the logarithm of the binomial coefficient with Equation (24).

Feistel-MiMC-Hash
For Feistel-MiMC-Hash the Feistel-MiMC permutation is instantiated in the sponge framework [BDPV08]. For a preimage attack on Feistel-MiMC-Hash we have to, as the name suggests, compute a preimage of a given hash value α ∈ F q . We have two generic choices to do so. First, we can guess the second permutation output value and then simply invert the permutation. If the preimage is of the form (β, 0), for some β ∈ F q , then the attack was successful. Though, the success probability of this approach is 1/q, and since q is at least a 64-bit prime number this is too small for a practical attack. Second, we can use an indeterminate x 2 for the second permutation output, then we have to find a solution for the equation Further, for the preimage problem we have only one generic choice of polynomials to restrict all solutions to the base field: field equations.
Example 5.5 (Feistel-MiMC-Hash preimage attack I). Let F q be a finite field, and let r be the number of rounds. We can construct the polynomial system for Feistel-MiMC-Hash from the one for the keyed permutation, see Definition 2.2, by setting y = 0, p L = x 1 , p R = 0, c L = α and c R = x 2 , where x 1 and x 2 are indeterminates and α ∈ F q is the hash value. Moreover, we choose the DRL term order such that the intermediate state variables are naturally ordered, x 1 > x 2 and all intermediate state variables are bigger than x 2 . Analogously to Proposition 4.7 we can compute the DRL Gröbner basis of the system by substituting the linear polynomials into the non-linear ones, but this time we do not have to rem
ove any linear polynomial. Since p R = 0 there are only r − 1 polynomials of degree 3 in r − 1 variables. To find a solution (if it exists) we now either have to compute the LEX Gröbner basis and factor a polynomial of degree 3 r−1 or add the field equation for x 2 to the polynomial system. For the latter case we obtain the following bound on the solving degree sd DRL I hash + (x q 2 − x 2 ) ≤ q + 2 · r − 2. Analogously to the field equation attack on MiMC we can also compute the remainder of the field equation modulo the DRL Gröbner basis to further reduce the solving degree. Note that the solving degrees of Examples 5.1 and 5.5 differ only by 2, therefore we refer to Table 1 for the complexity of Gröbner basis computations of Feistel-MiMC-Hash.

Multivariate Ciphers In Generic Coordinates
So far all our complexity estimates are only applicable to univariate ciphers and two branch Feistel networks. Naturally, one would like to extend the theory to more advanced multivariate constructions. Therefore, in Section 6.1 we derive that Substitution-Permutation Network (SPN) based ciphers are in generic coordinates, hence we can apply the Macaulay bound to estimate the solving degree. In Section 6.2 we study three classes of generalized Feistel Networks for which we derive efficient criteria to check whether the corresponding polynomial systems are in generic coordinates.
For starters, let us fix some notation. Let n, r ≥ 1 be integers; n always denotes the number of blocks and r the number of rounds of a cipher. Throughout this section we denote plaintext variables with x = (x 1 , . . . , x n ) ⊺ and key variables with y = (y 1 , . . . , y n ) ⊺ . With we denote the key addition function, and with we denote affine permutations where A ∈ GL n (F q ) and c ∈ F q . For 1 ≤ i ≤ r let A (1) , . . . , A (r) : F n q → F n q be affine permutations and let P (1) , . . . , P (r) : F n q → F n q be arbitrary permutations. Then a block cipher without key schedule is defined to be the following composition where the composition is taken with respect to the plaintext variable.
and let y = (y 1 , . . . , y n ) ⊺ denote the key variables. Let p, c ∈ F n q be a plain/cipher text pair given by the block cipher C n,r Since every function F n q → F q can be represented with polynomials, we define the multivariate keyed iterated polynomial system F = f (1) , . . . , f (r) ⊂ F q x (1) , . . . , x (r−1) , y for the cipher C n,r as If a key schedule is applied we have two options for the polynomial model. Either we substitute the key schedule directly into Equation (36) or we add additional iterated key schedule equations to F .
We start with the formal definition of SPN-based ciphers.
Definition 6.1 (SPN cipher). Let F q be a finite field, and let n, r ≥ 1 be integers.

(2) Let f ∈ F q [x] be a permutation polynomial. Then the partial Substitution-Permutation Network is defined as
(3) For 1 ≤ i ≤ r, let S (i) : F n q → F n q be either a full or a partial Substitution-Permutation Network and let A i : F n q → F n q be an affine permutation. Then the SPN cipher is defined as where the composition is taken with respect to the plaintext variable.
Under a mild assumption on the first round of a SPN cipher C n,r we can compute a DRL Gröbner basis of the multivariate keyed iterated polynomial system.
Theorem 6.2. Let F q be a finite field, let F̄ q be its algebraic closure, let n, r ≥ 1 be integers, and let C n,r : F n q × F n q → F n q be a SPN cipher such that S (1) is a full SPN and every univariate permutation polynomial in S (1) has degree greater than 1. Let F = f (1) , . . . , f (r) ⊂ P = F q x (1) , . . . , x (r−1) , y be the multivariate keyed iterated polynomial system for C n,r , and let

Then
(1) G is a DRL Gröbner basis.
(2) Every homogeneous ideal I ⊂ P [x 0 ] such that Z + (I) ≠ ∅ and G hom ⊂ I is in generic coordinates.
Proof. For (1), we consider the DRL term order x
Let us now apply Theorem 6.2 to a cipher that utilizes partial as well as full SPNs: the Hades strategy [GLR + 20], a cipher for MPC applications. The keyed Hades permutation starts with r f full SPNs, then it applies r p partial SPNs, and it finishes with another r f full SPNs. So, in total Hades has r = 2 · r f + r p many rounds. All SPNs apply the same univariate permutation x d for some appropriate d. Hades has an affine key schedule [GLR + 20, §3.1], and it is straightforward to incorporate an affine key schedule into the multivariate keyed iterated polynomial system from Equation (36). Moreover, an affine key schedule does not affect the proof of Theorem 6.2 as long as the master key is added before application of the first SPN.
Example 6.3 (Solving degree bounds for Hades). Let F q be a finite field, let n ≥ 1 denote the number of branches, and let d ∈ Z >1 be an integer such that gcd (d, q − 1) = 1. Let r f , r p ≥ 1 denote the number of full and partial rounds, and let I Hades denote the Hades ideal. Then by Corollary 2.9 and Theorem 6.2 sd DRL (I Hades ) ≤ (d − 1) · (2 · n · r f + r p ) + 1. Now let I Hades,1 and I Hades,2 denote Hades ideals for two different plain/cipher text pairs. It is straightforward to extend Theorem 6.2 to I Hades,1 + I Hades,2 , cf. Proposition 4.9 (5), therefore by Corollary 2.9 sd DRL (I Hades,1 + I Hades,2 ) ≤ 2 · (d − 1) · (2 · r f + r p ) + 1.
The Hades designers use Equation (22) (36). To justify this approach the authors hypothesized that the Hades polynomial system is a generic polynomial system in the sense of Fröberg's conjecture [Frö85,Par10]. With Theorem 6.2 and Example 6.3 this hypothesis can be bypassed, and we have proven that the complexity estimation of the Hades designers is indeed mathematically sound.
In the following table we provide bit complexity estimates for a Gröbner basis computation of Hades where we use the Macaulay bound of the keyed iterated Hades polynomial system as minimal baseline of the solving degree for an optimal adversary with ω = 2. We assume that the key schedule equations have been substituted into Equation (36), therefore there are (2 · r f + r p ) · n many variables and equations. For ease of computation we estimated the logarithm of the binomial coefficient with Equation (24).
Table 4: Complexity estimation of Gröbner basis computation for Hades via the Macaulay bound for I Hades with ω = 2 over a finite field F q such that gcd (d, q − 1) = 1.
r f   r p   n   d   κ (bits)
4     10    2   3   164.6
4     10    2   5   220.8
We also mention that it is straightforward to compute Hades' quotient space dimension dim F q (I Hades ) = d^{2·n·r f + r p} . (37)

Feistel Networks
The second permutation that has been dominant in block cipher design in the past is the so-called Feistel Network, named after its inventor Horst Feistel. For example, the predecessor of AES, the Data Encryption Standard (DES) [DES77], is based on the Feistel Network. Moreover, so-called unbalanced generalized Feistel Networks have been proposed for Arithmetization-Oriented designs [AGP + 19]. We start with the formal definition of Feistel-based ciphers.
(2) For 1 ≤ i ≤ r, let F (i) : F n q → F n q be a generalized Feistel Network and let A i : F n q → F n q be an affine permutation. Then the Feistel cipher is defined as where the composition is taken with respect to the plaintext variable.
For special types of Feistel ciphers we can derive efficient criteria to verify whether the corresponding multivariate keyed iterated polynomial system is in generic coordinates.
Theorem 6.5. Let F q be a finite field, let F̄ q be its algebraic closure, let n, r ≥ 1 be integers, and let C n,r : F n q × F n q → F n q be a Feistel cipher. Let F = f (1) , . . . , f (r) ⊂ P = F q x (1) , . . . , x (r−1) , y be a multivariate keyed iterated polynomial system for C n,r .
Then every homogeneous ideal I ⊂ P [x 0 ] such that Z(I) ≠ ∅ and G hom ⊂ I is in generic coordinates if the following linear system has rank r 0 and ŷ = (y 1 , 0, . . . , 0). 1 and a i,2 , . . . , a i,n ∈ F q , and assume that Then every homogeneous ideal I ⊂ P [x 0 ] such that Z(I) ≠ ∅ and G hom ⊂ I is in generic coordinates if the following linear system has rank r · n ∑_{k=2}^{n} a 1,k · y k = 0,
Proof. For all cases we show that √(G top) = (x 1 , . . . , x n ). For (1), note that for all 1 ≤ i ≤ r the degree of the first component of g (i) is deg (f (i) ) and 1 for the other components. Substituting x 0 = 0 into G hom we obtain from the first components of the g (i) hom 's that y . Now we substitute these coordinates into the remaining equations. This yields the linear system from the assertion. If the linear system is of rank r · (n − 1), then √(G hom) = (x 1 , . . . , x n ).
For (2), note that for 1 ≤ i ≤ r and 1 ≤ j ≤ n − 1 we have that deg . Now we substitute x 0 = 0 into G hom , in the i th round in the (n − 1) th component this yields x
For (3), after substituting x 0 = 0 into G hom we obtain for the first branch of each round ∑_{k=2}^{n} a 1,k · y k where 2 ≤ i ≤ r. Combining these linear equations with the remaining equations from G hom we obtain the linear system from the assertion.
The Feistel Networks from Theorem 6.5 (1) and (3) are also known as expanding round function (erf) and contracting round function (crf) respectively. An example of block ciphers with these round functions is the GMiMC family [AGP + 19, §2.1], which is targeted at MPC applications. Moreover, the designers of GMiMC use Equation (22) and the Macaulay bound (Corollary 2.9) to estimate the resistance of GMiMC against Gröbner basis attacks, see [AGP + 19, §4.1.1]. To justify this approach the authors hypothesized that the GMiMC polynomial systems are generic polynomial systems in the sense of Fröberg's conjecture [Frö85,Par10]. With Theorem 6.5 this hypothesis can be bypassed for GMiMC without a key schedule. For GMiMC an affine key schedule was proposed, hence one can extend Theorem 6.5 to this scenario by replacing the key variables with intermediate key variables after the first round and by adding the linear part of the affine key schedule to the linear systems. Thus, we have derived efficient criteria to verify whether the complexity estimations of the GMiMC designers are indeed mathematically sound.
Example 6.6 (Solving degree bounds for GMiMC). Let F q be a finite field, let n, r ≥ 1 denote the number of branches and rounds, and let d ≥ 1 be the degree of the degree increasing function. In the proof of Theorem 6.5 we saw that the GMiMC erf polynomial system can be transformed so that there is only one non-linear polynomial in every round. Therefore, GMiMC crf and GMiMC erf have the same Macaulay bound. Let I GMiMC be a GMiMC ideal and assume that n and r are such that the corresponding matrix from Theorem 6.5 has full rank, i.e. GMiMC is in generic coordinates. Then, by Corollary 2.9 sd DRL (I GMiMC ) ≤ (d − 1) · r + 1. Now let I GMiMC,1 and I GMiMC,2 denote GMiMC ideals for two different plain/cipher text pairs. It is straightforward to extend Theorem 6.5 to I GMiMC,1 + I GMiMC,2 , cf. Proposition 4.9 (5). Provided that n and r are such that I GMiMC,1 + I GMiMC,2 is in generic coordinates we have by Corollary 2.9 sd DRL (I GMiMC,1 + I GMiMC,2 ) ≤ 2 · (d − 1) · r + 1.
For small primes we applied Theorem 6.5 to GMiMC crf and GMiMC erf without key schedules. Depending on the parameters n and r we noticed a highly regular pattern in when the matrices from the theorem have full rank. In Table 5 we record this pattern for small sample parameters.
(x 1 , . . . , x n ) → (x n , x 1 , . . . , x n−1 ) in the affine layer and without key schedules.
We observed that for the shift permutation (x 1 , . . . , x n ) → (x n , x 1 , . . . , x n−1 ) in the affine layer the matrix criteria for GMiMC crf and GMiMC erf behave identically. On the other hand, if we instantiate GMiMC with the circulant matrix circ(1, . . . , n) 2 , then we observed that GMiMC erf is always in generic coordinates and for GMiMC crf the criterion is identical to Table 5.
In Table 6 we provide bit complexity estimates for a Gröbner basis computation of GMiMC where we use the Macaulay bound of the keyed iterated GMiMC polynomial system as minimal baseline of the solving degree for an optimal adversary with ω = 2. We assume that the key schedule equations have been substituted into Equation (36), therefore there are r · n many variables and equations. For ease of computation we estimated the logarithm of the binomial coefficient with Equation (24). Table 6: Complexity estimation of Gröbner basis computation for GMiMC via the Macaulay bound with ω = 2 over any finite field F q .
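As an added example that is not from the paper (the authors' tables use their Equation (24), which is not reproduced on this page, to approximate the binomial coefficient), the following Python script collects the solving degree bounds stated in Examples 5.1, 5.3, 5.4, 6.3 and 6.6 together with the variable counts given for them, and turns them into bit complexity estimates. It assumes the usual cost model for linear-algebra based Gröbner basis algorithms, namely binom(n_vars + sd, sd)^ω with ω = 2 as in the tables, and computes the logarithm of the binomial coefficient exactly, so its figures differ slightly from the table entries (about 166 bits instead of 164.6 for Hades with r_f = 4, r_p = 10, n = 2, d = 3). The parameter values in the demonstration are sample values chosen here, and q = 2^64 is only a placeholder for a 64-bit field size.

```python
"""Added example (not from the paper): bit-complexity estimates from the
solving degree bounds stated on this page. Cost model (an assumption here):
binom(n_vars + sd, sd)^omega, whose logarithm the paper's Equation (24)
approximates; it is computed exactly below."""
import math


def log2_binom(n, k):
    """Exact log2 of binom(n, k); works for huge integers n (e.g. n ~ 2^64)."""
    k = min(k, n - k)
    return sum(math.log2(n - i) - math.log2(i + 1) for i in range(k))


def gb_bits(n_vars, sd, omega=2):
    """log2 of binom(n_vars + sd, sd)^omega, i.e. bits of work for an adversary
    with linear-algebra exponent omega (the tables on this page use omega = 2)."""
    return omega * log2_binom(n_vars + sd, sd)


# Each function returns (number of variables, solving degree bound) exactly as
# stated on this page; q is the field size, r the number of rounds.
def mimc_one_field_equation(q, r):
    # Example 5.1: variables x_1, ..., x_{r-1}, y and sd <= q + 2r
    return r, q + 2 * r


def mimc_two_pairs(r):
    # Example 5.3: u_1..u_{r-1}, v_1..v_{r-1}, y and sd <= 4r + 1
    return 2 * r - 1, 4 * r + 1


def feistel_mimc(r):
    # Example 5.4 with Proposition 4.7 (2): r variables and sd <= 2r + 1
    return r, 2 * r + 1


def hades(r_f, r_p, n, d):
    # Example 6.3, key schedule substituted: (2 r_f + r_p) n variables
    return (2 * r_f + r_p) * n, (d - 1) * (2 * n * r_f + r_p) + 1


def gmimc(n, r, d):
    # Example 6.6: r n variables and sd <= (d - 1) r + 1
    return r * n, (d - 1) * r + 1


def estimate(bound, omega=2):
    """Rounded bit estimate for a (n_vars, sd) pair."""
    n_vars, sd = bound
    return round(gb_bits(n_vars, sd, omega), 1)


if __name__ == "__main__":
    q = 2**64  # placeholder field size; primality is irrelevant for the estimate
    print("MiMC + field eq. for y, r=40:", estimate(mimc_one_field_equation(q, 40)))
    print("MiMC, two pairs, r=40:       ", estimate(mimc_two_pairs(40)))
    print("Feistel-MiMC, r=40:          ", estimate(feistel_mimc(40)))
    print("Hades r_f=4 r_p=10 n=2 d=3:  ", estimate(hades(4, 10, 2, 3)))  # Table 4: 164.6
    print("Hades r_f=4 r_p=10 n=2 d=5:  ", estimate(hades(4, 10, 2, 5)))  # Table 4: 220.8
    print("GMiMC n=4 r=40 d=3:          ", estimate(gmimc(4, 40, 3)))
```

Because the field equation contributes q − 1 to the Macaulay bound, the estimate for MiMC with a single field equation is dominated by r · log2(q) and reaches thousands of bits for a 64-bit field, whereas the two-pair and Feistel-MiMC bounds stay low-degree; this is exactly why the page treats the remainder r_y of the field equation and the two plain/cipher text attack separately.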

The Problem With Sponge Constructions & Generic Coordinates
Let us return to the sponge construction [BDPV07,BDPV08]. Let P : F n q → F n q be an arbitrary permutation which we instantiate in sponge mode with capacity 1 < c < n and rate r = n − c. Let IV ∈ F c q be a fixed initial value, and let α ∈ F q be a hash output. To find a preimage x ∈ F r q we have to solve the equation where y ∈ F n−1 q is an indeterminate variable. First, we observe that this polynomial system is only fully determined if c = n − 1, else one always has r + n − 1 > n many variables for x and y. Otherwise, we have to guess some entries of x and y, which we expect to be successful with probability 1/q. Second, if we model the sponge P with iterated polynomials, then the Caminata-Gorla technique (Section 2.3.1) will fail whenever the last round of P is non-linear in all its components. In this case, after homogenizing the keyed iterated polynomial system and setting x 0 = 0 we will always remove the variables coming from y from the equations. So Theorem 3.2 (2) cannot be satisfied, and the naive homogenization of a sponge polynomial system cannot be in generic coordinates. We illustrate this property with a simple example.
2 We understand circulant matrices as right shift circulant matrices, i.e. circ(a 1 , . . . , a n ) is the matrix with rows (a 1 , a 2 , . . . , a n−1 , a n ), (a n , a 1 , . . . , a n−2 , a n−1 ), and so on, each row being the right shift of the previous one.
Example 6.7. We work over the field F 5 . We consider a SPN sponge function based on the cubing map with n = 2 and r = 3 where the first and the last round are full SPNs and the middle round is a partial SPN. In every round the mixing matrix is circ(1, 2) and all round constants are 0. The matrix is also applied before application of the first SPN. For hash value 0 the iterated polynomial system F ⊂ F 5 x (1) 1 , x (2) 2 x in , y out is Note that (F ) is zero-dimensional. Let x 0 denote the homogenization variable. Then I sat = F hom sat is generated by 2 3 + 2 · y out · x 2 0 = 0, 2 · x 2 0 = 0, y out · x 4 0 = 0. Hence, after reducing modulo (x 0 ) we remove the variable y out .
To resolve this problem we have to add additional polynomials to the system. Over finite fields we can always add the field equations for y, though for Arithmetization-Oriented designs this introduces high degree equations into a low degree polynomial system. On the other hand, we could add the inverse of the last round of an iterated construction to the polynomial system to introduce polynomials with leading monomials in y. Though, in general we also expect that this trick introduces high degree equations.

The Problem With Non-Affine Key Schedules & Generic Coordinates
We face a similar obstacle for the Caminata-Gorla technique if we deploy a non-affine key schedule. For the sake of example let us return to MiMC with the key schedule for 2 ≤ i ≤ r and y 1 ∈ F q the master key. We then add the i th key in the i th round. Obviously, we then have to add the equations y_{i−1}^3 − y i = 0 to the MiMC keyed iterated polynomial system. Now we homogenize this new system and set x 0 = 0; as in Theorem 3.8 we can iterate through the rounds to deduce that y 1 = . . . = y r−1 = x 1 = . . . = x r−2 = 0. But for the last round we obtain that y r + x r−1 = 0, and we do not have any more equations left to cancel one of the variables. Again, we would have to add polynomials to the system to fix our method, like the field equations, or if possible the inverse of the last key schedule equation.

The Satiety & Polynomials With Degree Falls
We now return to studying MiMC, Feistel-MiMC and Feistel-MiMC-Hash. In Section 5 we derived solving degree estimates for various attacks on these primitives. A natural question for the cryptanalyst is the tightness of these bounds. To partly answer this question we derive Castelnuovo-Mumford regularity lower bounds for the attacks on these primitives. Essentially, if we find a non-trivial lower bound for the Castelnuovo-Mumford regularity, then regularity-based complexity estimates can never improve upon this lower bound.
In this section we develop the theoretical foundation for our regularity lower bounds. First we introduce the notion of the last fall degree of F ⊂ P, that is the largest d ∈ Z ∪ {∞} such that the row space of the inhomogeneous Macaulay matrix M_{≤d} is unequal to (F)_{≤d} (as K-vector space). Then we prove that in generic coordinates the last fall degree of F is equal to the satiety of F^hom, another invariant associated to F^hom that is closely related to the regularity.
Let I ⊂ P = K[x_0, . . . , x_n] be a homogeneous ideal. It is well-known that the saturation I^sat = I : m^∞ is the unique largest ideal J ⊂ P such that there exists m ≥ 0 with I_l = J_l for all l ≥ m. This motivates the following definition.
. , x_n] be a polynomial system, and let M_{≤d} be the inhomogeneous Macaulay matrix in degree d. We denote with the row space of M_{≤d}.
Definition 7.2. Let K be a field, and let F ⊂ K[x_1, . . . , x_n] be a polynomial system.
(1) For any f ∈ (F) let
(2) If d_f > deg(f), then we say that f has a degree fall in degree d_f. We say that F has a degree fall if there is an f ∈ (F) such that f has a degree fall. Else we say that F has no degree falls.
(3) Let W_{F,∞} = (F) and V_{F,−1} = ∅. The last fall degree of F is
Next we collect some alternative characterizations of the last fall degree.
Proposition 7.3. Let K be a field, and let F ⊂ P = K[x_1, . . . , x_n] be a polynomial system.
Proof. For (1), let d be as asserted. By definition of the last fall degree d_F ≥ d. If d = ∞, then the claim is trivial. So let us assume that d < ∞. If f ∈ (F) is such that deg(f) ≤ d_F, then by definition of the last fall degree f ∈ W_{F,d_F}. Therefore, we have that For (3), since the last fall degree is finite by assumption, the supremum from (2) is indeed a maximum.
If a polynomial system is in generic coordinates, then one can guarantee that the last fall degree is finite.
Theorem 7.4. Let K be a field, and let F = {f_1, . . . , f_m} ⊂ K[x_1, . . . , x_n] be an inhomogeneous polynomial system such that F^hom is in generic coordinates and Z_+(F^hom) = 0. If d ≥ sat(F^hom) is an integer, then In particular, Then by [KR05, Proposition 4.3.2] This already implies that d_F ≤ sat(F^hom). Suppose that the inequality is strict and let e = sat(F^hom) − 1, then any f ∈ (F)_{≤e} can be constructed as Multiplying this equation by x_0^{e−d} lifts it to (F)^hom_e. Since f ∈ (F)_{≤e} was arbitrary we can then conclude On the other hand, by Lemma 2.6 (F^hom)^sat = (F)^hom, so This contradicts the minimality of sat(F^hom). So we indeed have that d_F = sat(F).
Corollary 7.5. Let K be a field, and let F = {f_1, . . . , f_m} ⊂ K[x_1, . . . , x_n] be an inhomogeneous polynomial system such that F^hom is in generic coordinates and Z_+(F^hom) = 0.
If f ∈ (F) has a degree fall in d_f, then Proof. This is a consequence of Proposition 7.3 and Theorem 7.4.
So by Equation (40) the construction of a polynomial with a degree fall yields a lower bound on the regularity of F^hom.
Remark 7.6. We note that the first notion of a "last fall degree" already appeared in Huang et al. [HKY15, HKYY18]. They define their last fall degree as follows: Let F ⊂ P = K[x_1, . . . , x_n] be a polynomial system the vector space of constructible polynomials Analogously to Definition 7.2 Huang et al. define the last fall degree as Finally, it follows easily from the definitions that We finish this section by revealing another relation between the degree of regularity, the satiety and the Castelnuovo-Mumford regularity.
Proposition 7.7. Let K be an algebraically closed field, let F ⊂ K[x_1, . . . , x_n] be a polynomial system, and let G be the reduced DRL Gröbner basis of (F). Assume that This contradicts d_reg(G) < d_reg(F), so sat(F^hom) ≥ d_reg(G).

Lower Bounds For The Satiety Of Iterated Polynomial Systems
In this section we prove lower bounds for the Castelnuovo-Mumford regularity of attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash. Essentially, we will achieve this by constructing S-polynomials with degree falls.

Lower Bound For Univariate Keyed Iterated Polynomial Systems With A Field Equation
Before we present the theorem we first outline our proof strategy for all results in this section. First we pick a polynomial f ∈ (I, g), where I is an ideal with known DRL and LEX Gröbner bases and g is an additional polynomial, and assume that f does not have a degree fall in some degree d_f. Now we express f as a sum f = f_I + f_g · g, where f_I ∈ I, that is compatible with d_f, and rearrange this equation such that the right-hand side only consists of elements of I, i.e. f − f_g · g = f_I. Additionally, we reduce f_g modulo I with respect to DRL, so without loss of generality we can assume that no monomial of f_g is an element of in_DRL(I). Then we use the LEX Gröbner basis of I to transform the left-hand side into a univariate polynomial. Finally, we compare the degrees of the univariate left-hand side polynomial and the univariate LEX polynomial of I. If f has a degree fall, then we expect that the degree of the left-hand side polynomial is less than the degree of the univariate LEX polynomial, i.e. we have constructed a contradiction.
. . . , f_n), and (iv) f̂_n has fewer than d_1 roots in F_q. Then
Proof. Without loss of generality we can assume that LC_DRL(f_1) = 1. Let I = (f_1, . . . , f_n), and let . We consider the S-polynomial has a degree fall in q, so we also have that deg(s) < d_s. For a contradiction let us assume that s does not have a degree fall in d_s, i.e., where deg(s_i · f_i) < d_s for all 1 ≤ i ≤ n + 1. Expanding the definition of s and rearranging we obtain that Via division with remainder we can split s_{n+1} = s_I + s_r, where s_I ∈ I and no term of s_r lies in in_DRL(I). Note that for a degree compatible term order the degree of the polynomials involved in the division with remainder algorithm can never reach d_s. Now we move s_I · f_{n+1} to the right-hand side of the equation, so without loss of generality we can assume that no term of s_{n+1} lies in in_DRL(I).
Via the LEX Gröbner basis of I, see Lemma 4.2, we can transform any polynomial g ∈ F_q[x_1, . . . , x_{n−1}, y] into a univariate polynomial ĝ ∈ K[y] such that g ≡ ĝ mod (f_1, . . . , f_n) by simply substituting x_i → f̂_i. Via this substitution we now obtain univariate polynomials By our assumption that s does not have a degree fall, we have that deg(s_{n+1}) < deg(x^γ).
So by Proposition 4.6 (5) we also have that deg(f̂_{s_{n+1}}) < deg(f̂_γ). Recall that the degree of f̂_γ is given by Proposition 4.6 (4), Combining Lemma 4.1 (2) and Equation (44) we now conclude that where f̂_n is the univariate polynomial in the LEX Gröbner basis of I. I.e., f̂_γ + f̂_{s_{n+1}} · f_{n+1} must be a multiple of f̂_n. By Assumption (iv) f̂_n has fewer than d_1 roots in F_q and f_{n+1} = ∏_{a ∈ F_q} (y − a) is a square-free polynomial, so Before our final step we recall the following property of univariate polynomial greatest common divisors: If p, q, r ∈ K[x], K a field, and gcd(p, r) = 1, then gcd(p, q · r) = gcd(p, q). Combining this property with Equation (46) we conclude that the following equation must be true f̂ On the other hand, by Equations (45) and (47) we have that A contradiction.

Remark 8.2.
(1) If the number of roots of f̂_n in F_q is greater than or equal to d_1, then one can still apply the strategy in the proof to obtain a weaker upper bound. It suffices to choose for a suitable j > 1 such that the degrees of the polynomials in the final gcd equation yield a contradiction.
(2) We note that small non-trivial bounds can also be proven without Assumption (iv).
In particular, one can prove that One considers the polynomials x_1 · S_DRL(f_1, f_{n+1}) and x_1^2 · S_DRL(f_1, f_{n+1}) respectively, and then applies the same strategy as in the proof of Theorem 8.1 to deduce that these polynomials have degree falls.
Let us now apply the lower bound to MiMC.
Example 8.3 (MiMC and one field equation II). Let MiMC be defined over F_q, and let r be the number of rounds. The first two conditions of Theorem 8.1 are trivially satisfied by MiMC. For the third assumption, if we consider f̂_n, the univariate polynomial in the LEX Gröbner basis, as a random polynomial, then for q large enough it has on average only one root in F_q (cf. [Leo06]). Thus, with high probability we can assume that MiMC has only one root in F_q. Now we pick a random k ∈ F_q and check whether MiMC(p, k) = c. If the equality holds we can return k as the proper key guess, otherwise it implies that f_{n+1} ∉ I_MiMC. So we can combine Example 5.1 and Theorem 8.1 to obtain the following range for the solving degree of MiMC and one field equation Small scale experiments indicate that the solving degree of this attack is always equal to q + 2r − 1.
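As an added illustration of Definition 7.2 and of the S-polynomial argument behind Theorem 8.1 and Example 8.3 (this is example code, not code from the paper), the following Python script computes d_f over a small prime field by building the inhomogeneous Macaulay matrix M_{≤d} and testing row-space membership with Gaussian elimination. It assumes that d_f is the smallest degree d such that f lies in the row space of M_{≤d}, and it works on a constructed two-round cubing toy system over F_5 with plaintext p = 1, ciphertext c = 1 and the field equation y^5 − y; the S-polynomial S_DRL(f_1, y^5 − y) = y^2 · f_1 − (y^5 − y) then has degree 4 but is first reachable in degree 5, i.e. it has a degree fall in degree q = 5, exactly the first step of the proof of Theorem 8.1.

```python
"""Degree falls via inhomogeneous Macaulay matrices over a prime field.

Added example, not code from the paper.  It evaluates d_f of Definition 7.2
for a constructed toy system; nothing here is a cryptographic-size computation.
"""
from itertools import product

P = 5        # constructed: the toy field F_5 (= q in the field equation y^q - y)
NVARS = 2    # variables (x_1, y): exponent tuples are (e_x1, e_y)

# A polynomial is a dict {exponent tuple: coefficient mod P}.
X1 = {(1, 0): 1}
Y = {(0, 1): 1}

def const(c):
    return {(0,) * NVARS: c % P} if c % P else {}

def add(f, g, scale=1):
    """f + scale * g, coefficients reduced mod P, zero terms dropped."""
    h = dict(f)
    for m, c in g.items():
        h[m] = h.get(m, 0) + scale * c
    return {m: c % P for m, c in h.items() if c % P}

def mul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            h[m] = h.get(m, 0) + c1 * c2
    return {m: c % P for m, c in h.items() if c % P}

def power(f, e):
    r = const(1)
    for _ in range(e):
        r = mul(r, f)
    return r

def deg(f):
    return max(sum(m) for m in f)

def monomials_up_to(d):
    """All exponent tuples of total degree <= d (none if d < 0)."""
    return [m for m in product(range(d + 1), repeat=NVARS) if sum(m) <= d]

def rank_mod_p(rows):
    """Rank over F_P by Gaussian elimination on copies of the rows."""
    rows = [r[:] for r in rows]
    rank = 0
    ncols = len(rows[0]) if rows else 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, P)
        rows[rank] = [(v * inv) % P for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                fac = rows[i][col]
                rows[i] = [(a - fac * b) % P for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def macaulay_matrix(F, d):
    """Rows x^a * f for every f in F and every monomial x^a with deg(x^a) + deg(f) <= d."""
    cols = monomials_up_to(d)
    index = {m: i for i, m in enumerate(cols)}
    rows = []
    for f in F:
        for a in monomials_up_to(d - deg(f)):
            row = [0] * len(cols)
            for m, c in mul({a: 1}, f).items():
                row[index[m]] = c
            rows.append(row)
    return cols, rows

def in_row_space(F, f, d):
    """Does f lie in the row space of M_{<=d} (as an F_P-vector space)?"""
    if deg(f) > d:
        return False
    cols, rows = macaulay_matrix(F, d)
    target = [0] * len(cols)
    for m, c in f.items():
        target[cols.index(m)] = c
    return rank_mod_p(rows) == rank_mod_p(rows + [target])

def fall_degree(F, f, max_d):
    """d_f: the least d with f in rowspace(M_{<=d}); None if not found up to max_d."""
    for d in range(deg(f), max_d + 1):
        if in_row_space(F, f, d):
            return d
    return None

def has_degree_fall(F, f, max_d):
    d_f = fall_degree(F, f, max_d)
    return d_f is not None and d_f > deg(f)

# Constructed toy: two cubing rounds with plaintext p = 1 and ciphertext c = 1
# (so y = 0 is a key), key variable y, intermediate state x_1.
F1 = add(power(add(const(1), Y), 3), X1, -1)     # (1 + y)^3 - x_1
F2 = add(power(add(X1, Y), 3), const(1), -1)      # (x_1 + y)^3 - 1
F3 = add(power(Y, P), Y, -1)                      # y^5 - y, the field equation
MIMC_TOY = [F1, F2, F3]

# S_DRL(f_1, y^q - y) with LM(f_1) = y^3: cancel y^5 via y^2 * f_1 - (y^5 - y).
S_POLY = add(mul(power(Y, P - 3), F1), F3, -1)

if __name__ == "__main__":
    print("deg S =", deg(S_POLY), " d_S =", fall_degree(MIMC_TOY, S_POLY, 8),
          " degree fall:", has_degree_fall(MIMC_TOY, S_POLY, 8))
    s = mul(power(X1, 2), S_POLY)   # x^gamma * S with x^gamma = x_1^{d_2 - 1}
    print("deg x1^2*S =", deg(s), " d_s =", fall_degree(MIMC_TOY, s, 10))
```

The run reports d_S = 5 for the degree-4 polynomial S, i.e. the degree fall in degree q that the proof of Theorem 8.1 starts from; the last line evaluates the multiple x^γ · S of the theorem for the toy, which the theorem bounds in general but which is here simply computed.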
Recall from Section 5.1 that we can always replace y^q − y by its remainder r_y modulo I_MiMC with respect to DRL. For any polynomial system F ⊂ P such that F^hom is in generic coordinates we have by Corollary 3.6 and [CG23, Theorem 5.3] that Obviously, this bound also applies to the scenario of Theorem 8.1, though under the assumptions of the theorem F^top ⊂ P is a DRL Gröbner basis since f_1^top = y^{d_1} | y^q.
Therefore, in_DRL(F^top) = (y^{d_1}, x_1^{d_2}, . . . , x_{n−1}^{d_n}). Note that a homogeneous ideal and its DRL initial ideal have the same degree of regularity, and it is easy to see that i.e. the degree of regularity is equal to the Macaulay bound.
For MiMC we observed experimentally that the highest degree component of r_y is always a monomial and that y^{d_1−1} | r_y. To compute the degree of regularity one then computes the DRL Gröbner basis of (F^top) and uses it to compute the Hilbert series h of in_DRL(F^top). The degree of regularity is then given by deg(h) + 1.
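As an added example of the recipe in the two preceding paragraphs (example code, not from the paper), the following Python code computes the Hilbert series h of a zero-dimensional monomial ideal by counting the standard monomials in each degree and returns deg(h) + 1. It reads h as the Hilbert series of the quotient P/in_DRL(F^top), which is the reading under which deg(h) + 1 equals the Macaulay bound for the pure-power initial ideal (y^{d_1}, x_1^{d_2}, . . . , x_{n−1}^{d_n}). The generator lists are constructed inputs, not the initial ideals of any specific MiMC instance; the second input adds one extra monomial generator, of the kind a remainder r_y could contribute, and shows how such a generator lowers the degree of regularity below the Macaulay bound.

```python
"""Degree of regularity of a zero-dimensional monomial ideal via its Hilbert series.

Added example, not code from the paper.  Monomials are exponent tuples; a
monomial ideal is given by a list of generator exponent tuples.
"""
from itertools import product

def _divides(g, m):
    return all(gi <= mi for gi, mi in zip(g, m))

def standard_monomials(gens, nvars):
    """All monomials outside the ideal (gens).  Requires a pure power of every
    variable (a zero-dimensional monomial ideal) so that the set is finite."""
    bounds = []
    for i in range(nvars):
        pure = [g[i] for g in gens if all(g[j] == 0 for j in range(nvars) if j != i)]
        if not pure:
            raise ValueError(f"no pure power of variable {i}: ideal is not zero-dimensional")
        bounds.append(min(pure))   # exponents >= bound are already in the ideal
    return [m for m in product(*(range(b) for b in bounds))
            if not any(_divides(g, m) for g in gens)]

def hilbert_series(gens, nvars):
    """Coefficients h_0, h_1, ... of the Hilbert series h(t) of P/(gens):
    h_d is the number of standard monomials of degree d."""
    sm = standard_monomials(gens, nvars)
    top = max(sum(m) for m in sm)
    return [sum(1 for m in sm if sum(m) == d) for d in range(top + 1)]

def degree_of_regularity(gens, nvars):
    """deg(h) + 1, following the recipe in the text."""
    return len(hilbert_series(gens, nvars))

def macaulay_bound(degrees):
    """sum(d_i - 1) + 1 for a square system with the given degrees."""
    return sum(d - 1 for d in degrees) + 1

def pure_powers(degrees):
    """Generators y^{d_1}, x_1^{d_2}, ... as exponent tuples (variable i gets degree d_{i+1})."""
    n = len(degrees)
    return [tuple(d if j == i else 0 for j in range(n)) for i, d in enumerate(degrees)]

if __name__ == "__main__":
    # three cubing rounds: in_DRL(F^top) = (y^3, x_1^3, x_2^3)
    gens = pure_powers([3, 3, 3])
    print(hilbert_series(gens, 3), degree_of_regularity(gens, 3), macaulay_bound([3, 3, 3]))
    # constructed extra generator y^2 * x_1^2, as a remainder r_y could contribute
    gens2 = gens + [(2, 2, 0)]
    print(hilbert_series(gens2, 3), degree_of_regularity(gens2, 3))
```

For the pure powers the series is (1 + t + t^2)^3 and deg(h) + 1 = 7, the Macaulay bound; with the extra generator the top-degree standard monomial y^2 x_1^2 x_2^2 and its divisors y^2 x_1^2, y^2 x_1^2 x_2 disappear, and deg(h) + 1 drops to 6.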
Under some additional assumptions on r_y we can adapt the proof of Theorem 8.1. Suppose that the highest degree component of r_y is of the form , where j ≥ 1, and consider the S-polynomial Again we assume that s does not have a degree fall in d_s = deg(r_y) + Σ_{i=j+1}^{n} (d_i − 1). By rearranging we then obtain that where deg(s_y) ≤ deg(x^γ). Now we transform again to univariate polynomials in y via the LEX Gröbner basis. Obviously, r_y ≡ y^q − y mod I, and the univariate degree of y · x^γ + s_y can again be computed by Proposition 4.
we can then again construct a contradiction via the greatest common divisor. Under these additional assumptions one then has the lower bound In case of MiMC, if there is a unique solution for the key variable, then we obtain the lower bound and if there are fewer than 8 solutions for the key variable, then we obtain the lower bound

Lower Bound For The Two Plain/Cipher Text Attack Of Univariate Keyed Iterated Polynomial Systems
Now we turn to the attack with two plain/cipher texts. Note that for this lower bound we only work with the DRL term order.
Then for the polynomial system F = {f_1, . . . , f_n, h_1, . . . , h_n} ⊂ F_q[u_1, . . . , u_n, v_1, . . . , v_n, y] we have that Proof. Without loss of generality we can assume that LC_DRL(f_1) = LC_DRL(h_1). To construct a polynomial with a degree fall we use a similar strategy as in the proof of Theorem 8.1, but f_{n+1} will be replaced by h_1. It is trivial to conclude with Assumptions (i) and (iii) that has a degree fall in d_1 and that it has DRL leading monomial y^d, where d ≥ 2. Now let We want to prove that has a degree fall in For a contradiction assume that we can construct s below d_s with F, i.e., Additionally, we perform division with remainder of s_{h_1} and h_1 by I, and replace them by their remainders s̃_{h_1} and h̃_1 = h_1 − f_1, which do not have monomials in in_DRL(I); therefore (x^γ + s̃_{h_1}) · (f_1 − h_1) ∈ I.
By construction and Assumption (iii), we then have , h_1), and we can conclude that So we have constructed a polynomial in I whose leading monomial is not contained in the initial ideal in_DRL(I). A contradiction.
Let us apply this theorem to MiMC.
Example 8.5 (MiMC and two plain/cipher pairs II). Let F_q be a finite field of odd characteristic, let MiMC be defined over F_q, and let r be the number of rounds. Let p_1, p_2 ∈ F_q be two different plaintexts, then the polynomial has the leading term (p_1 − p_2) · y^2. Therefore, we can apply Theorem 8.4 to MiMC. Combined with Example 5.3 we then have the following range for the solving degree of this attack: 4 · r − 3 ≤ reg(I_{MiMC,1} + I_{MiMC,2}) ≤ 4 · r + 1.
Also, with high probability there is just one element in the zero locus of the ideal. Moreover, small scale experiments indicate that the solving degree of this attack is always equal to 4 · r.
Let us again consider the bound implied by Equation (48). In the scenario of Theorem 8.4, it is easy to see that F^top is a DRL Gröbner basis and that in_DRL(F^top) = (y^{d_1}, u_1^{d_2}, . . . , u_{n−1}^{d_n}, v_1^{d_2}, . . . , v_{n−1}^{d_n}), therefore i.e. it coincides with the bound from the theorem. Note that this bound also holds for deg(g_i) ≥ 2 for all 1 ≤ i ≤ n. While the regularity lower bounds coincide, one should keep in mind that we proved a bound on the last fall degree, respectively the satiety, and that in general one only has sat(F^hom) ≤ reg(F^hom), so unless the regularity coincides with the satiety our bound is slightly more general.

Lower Bound For Feistel-MiMC
Recall that the DRL Gröbner basis of Feistel-MiMC, see Proposition 4.7 (1), is almost a univariate keyed iterated polynomial system. Therefore, we can utilize the same strategy as for MiMC and a field equation to prove the lower bound for Feistel-2n/n.
Theorem 8.6. Let F_q be a finite field, let n ≥ 2 be an integer, and let F = {f_{L,1}, f_{R,1}, . . . , f_{L,n}, f_{R,n}} ⊂ F_q[x_{L,1}, x_{R,1}, . . . , x_{L,n−1}, x_{R,n−1}, y] be a keyed iterated polynomial system for Feistel-2n/n such that (iii) d_1 ≤ d_n and f_{L,n} has the monomial y^{d_n}, and (iv) the greatest common divisor of the univariate polynomials in y that represent the left and the right branch has degree less than d_1. Then Moreover, if deg(f_{L,i}) ≥ d for all 2 ≤ i ≤ n, then d_F ≥ d + (n − 2) · (d − 1).
Proof. By Assumptions (i) and (ii) we can efficiently compute the DRL Gröbner basis of F \ {f_{R,n}} with Proposition 4.7 (1). Next we remove the linear polynomials from the Gröbner basis; we denote this stripped down basis with G = {f̃_{L,1}, . . . , f̃_{L,n}} ⊂ P = F_q[x_{R,2}, . . . , x_{R,n−1}, x_{L,n−1}, y]. Let x^γ = ∏_{i=2}^{n−1} x_{R,i}^{d_i−1}, and let t ∈ P be the polynomial which is obtained by substituting x_{L,n−1} → c_R into f̃_{L,n} = f_{L,n}. Note that this substitution can be constructed via t = f̃_{L,n} + t̃ · f_{R,n}, where t̃ ∈ F_q[x_{L,n−1}, y] and LM_DRL(t̃) = x_{L,n−1}^{d_n−1}, and by Assumption (iii) deg(t) = d_n. Now we consider the polynomial s = x^γ · S_DRL(t, f̃_{L,1}).
By Assumption (iii) S_DRL(f_{L,1}, t) has a degree fall in d_n. For a contradiction we now assume that s does not have a degree fall in d_s = d_n + Σ_{i=2}^{n−1} (d_i − 1), i.e.
where deg(s_i · f̃_{L,i}) < d_s for all 1 ≤ i ≤ n and deg(s_{n+1}) < d_s − 1. By expanding t we can further rewrite the last equation as x^γ · t̃ − s_{n+1} · f_{R,n} ∈ (G).
Without loss of generality we can assume that no monomial present in x^γ · t̃ and s_{n+1} is an element of in_DRL(G). Note that by construction With the LEX Gröbner basis of (G), see Proposition 4.7 (3), we now construct univariate polynomials f̂_γ, f̂_{s_{n+1}}, f̂_R, t̂ ∈ F_q[y] such that x^γ ≡ f̂_γ, s_{n+1} ≡ f̂_{s_{n+1}}, f_{R,n} ≡ f̂_R, t̃ ≡ t̂ mod (G).
By Proposition 4.7 (6) the leading monomial of x^γ · t̃ has the largest univariate degree among all monomials m ∈ P \ in_DRL(G) with deg(m) ≤ deg(x^γ · t̃), therefore by Proposition 4.7 (5) Denote with f̂_L the univariate polynomial in the LEX Gröbner basis of (G); this is exactly the polynomial that describes encoding in the left branch of Feistel-2n/n. Similarly, the univariate polynomial f̂_R ∈ F_q[y] equivalent to f_{R,n} represents encoding in the right branch of Feistel-2n/n. By Lemma 4.1 and elementary properties of the polynomial greatest common divisor the following equality must be true Proposition 4.7 (4) we have the following inequality A contradiction.
Applying the theorem to MiMC-2n/n we obtain the following range on the solving degree.
Example 8.7 (MiMC-2n/n II). Let MiMC-2n/n be defined over F_q, and let r be the number of rounds. We construct the downsized DRL polynomial system from Proposition 4.7 F ∪ {f_{L,r}} and embed it into the polynomial ring which has only the variables present in the system. Let f_L, f_R ∈ F_q[y] be the univariate polynomials that represent encryption in the left and the right branch. If we consider them as random polynomials and divide them by y − k, where k ∈ F_q is the key, then with high probability they are coprime. Combining Example 5.4 and Theorem 8.6 we now obtain the following range for the solving degree of MiMC-2n/n: 2 · r − 1 ≤ reg(I_{MiMC-2n/n}) ≤ 2 · r + 1.
Small scale experiments indicate that the solving degree of this attack is always equal to 2 · r.
Let us again compare Theorem 8.6 to Equation (48). Since in_DRL(F^top) = (y_1^{d_1}, x_{R,2}^{d_2}, . . . , x_{R,n−1}^{d_{n−1}}, y^{d_n}, x_{L,n−1}) we have So if d_n > d_1, then the bound from the theorem is an improvement.

Lower Bound For Feistel-MiMC-Hash
We have seen in Proposition 4.7 and Section 5.4 that the LEX Gröbner basis of the preimage attack of Feistel-MiMC-Hash has the shape of Lemma 4.1. Further, we had to include the field equation for the variable x 2 to remove the parasitic solutions from the algebraic closure of F q . Consequently, to prove a lower bound on the solving degree we have a mix of the situations in Theorems 8.1 and 8.6. At this point we expect the reader to be familiar with our techniques, therefore we just mention the polynomials for which it can be proven that they have a degree fall.
Theorem 8.8. Let F_q be a finite field, let n ≥ 3 be an integer, and let {f_{L,1}, f_{R,1}, . . . , f_{L,n}, f_{R,n}} ⊂ K[x_{L,1}, x_{R,1}, . . . , x_{L,n−1}, x_{R,n−1}, x_1, x_2] denote the keyed iterated polynomial system for the Feistel-2n/n-Hash preimage attack Feistel-2n/n where α ∈ F_q. Assume that the keyed iterated polynomial system of Feistel-2n/n-Hash is such that (ii) f_i has the monomial x_{L,i−1}^{d_i} for all 2 ≤ i ≤ n, and (iii) the univariate polynomial f̂ ∈ F_q[x_2] of the LEX Gröbner basis of Feistel-2n/n has fewer than d_2 roots in F_q.
Then for the polynomial system F = {f_{L,1}, f_{R,1}, . . . , f_{L,n}, f_{R,n}, x_2^q − x_2} we have that
Sketch of proof. As a preparation one has to extend Proposition 4.7 to Feistel-Hash. To do so one sets y = 0, introduces two variables x_1, x_2 and sets p_L = x_1, p_R = 0, c_L = α, where α is the hash value, and c_R = x_2. Now one orders the variables as x_{R,n−1} > x_{L,n−1} > . . . > x_{R,1} > x_{L,1} > x_1 > x_2 for the DRL and LEX term orders. Now one can extend Proposition 4.7 (1)-(6) to Feistel-Hash. We denote with g ∈ G the polynomial in the DRL Gröbner basis with leading monomial y_1^{d_2}. Let then the polynomial s = x^γ · S_DRL(g, y_1^q − y_1) has a degree fall in q + (d_n − 1) + Σ_{i=3}^{n−1} (d_i − 1).
For the attacks on Feistel-MiMC-Hash we now obtain the following solving degree ranges.
Example 8.9 (Feistel-MiMC-Hash preimage attack II). Let Feistel-MiMC-Hash be defined over F_q, and let r be the number of rounds. Under the assumptions of Theorem 8.8 we obtain with Example 5.5 the following range of the solving degree of the Feistel-MiMC-Hash preimage attack together with a field equation: q + 2 · r − 6 ≤ reg(I_preimage + (x_2^q − x_2)) ≤ q + 2 · r − 2.
Small scale experiments indicate that the solving degree of the preimage attack is always equal to q + 2r − 3.
Like for MiMC and the field equation we can replace x q 2 − x 2 by its remainder and obtain a lower bound on d F via Equation (48).

Discussion
In this paper we utilized a rigorous mathematical framework to prove Gröbner basis complexity estimates for various AO designs. For Hades and the GMiMC family we proved that the Gröbner basis cryptanalysis of these designs is indeed mathematically sound. Our analysis of the MiMC family revealed that for mildly overdetermined systems we can compute small ranges for the Castelnuovo-Mumford regularity, hence putting a limit on the capabilities of regularity-based solving degree estimates. Arguably, since our regularity/solving degree estimates for MiMC polynomial systems that involve field equations exceed the size of the underlying field, these bounds do not have direct cryptographic implications. Instead they should be viewed as a showcase that for well-behaved cryptographic polynomial systems provable upper as well as lower bounds for the regularity are achievable. Moreover, as we discussed below Examples 5.1 and 8.3, these bounds can be significantly improved via an auxiliary division with remainder computation. The reason why we did not work with the remainder directly is quite simple: for every possible MiMC instantiation and plain/cipher text sample the remainder polynomial is different. So unless one can reveal structural properties of the remainder polynomial one has to do an individual analysis for every possible instantiation. On the other hand, by working with the field equation itself we could keep our analysis generic.
To the best of our knowledge this paper is the first time that an AO Gröbner basis analysis has been performed without resorting to assumptions and hypotheses that most likely fail in practice. Of course, from an AO designer's point of view this raises the question whether more advanced AO primitives are also provable in generic coordinates. We point out that recent designs like Reinforced Concrete [GKL + 22], Anemoi [BBC + 23], Griffin [GHR + 23] and Arion [RST23] have deviated heavily from classical design strategies, and these deviations seem to be in conflict with elementary applications of the Caminata-Gorla technique. For example, one of the Reinforced Concrete permutations over F_p is of the form x where d ∈ Z_{>1} such that gcd(d, p − 1) = 1 and α_i, β_i ∈ F_p are such that α_i^2 − 4 · β_i are non-squares in F_p. Let us naively apply the Caminata-Gorla technique to this permutation. After homogenizing it and substituting x_0 = 0 we obtain that x_1^d = x_2 · x_1^2 = x_3 · x_2^2 = 0, but it is not true that x_1 = x_2 = x_3 = 0 is the only solution over F_p to these equations. Hence, our proving technique for generic generators fails. We also want to point out that we face a similar situation for Griffin and Arion.
For all our regularity lower bounds we were given a DRL Gröbner basis together with an additional polynomial. Via a careful analysis of the arithmetic of the polynomial systems we could then discover polynomials with degree falls. Of course, we would like to provide lower bounds in the presence of two or more additional equations. Our readers might also recall that the attack on MiMC with all field equations was missing in Section 8. From small scale experiments we raise the following conjecture for this attack. (f_1, . . . , f_n), and (iv) the univariate LEX polynomial has fewer than d_1 roots in F_q.
Then the polynomial has a degree fall for the polynomial system F + F.
We expect that a resolution to this MiMC problem will also reveal insight into the more general cryptographic polynomial systems.