Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over F_p^n: Application to Poseidon

Abstract. Motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE), and Zero-Knowledge proofs (ZK), many MPC-, FHE- and ZK-friendly symmetric-key primitives that minimize the number of multiplications over F_p for a large prime p have recently been proposed in the literature. This goal is often achieved by instantiating the non-linear layer via power maps x ↦ x^d. In this paper, we start an analysis of new non-linear permutation functions over F_p^n that can be used as building blocks in such symmetric-key primitives. Given a local map F : F_p^m → F_p, we limit ourselves to S-Boxes over F_p^n for n ≥ m defined as S(x_0, x_1, ..., x_{n−1}) = y_0 ‖ y_1 ‖ ... ‖ y_{n−1}, where y_i := F(x_i, x_{i+1}, ..., x_{i+m−1}). As main results, we prove that

• given any quadratic function F : F_p^2 → F_p, the corresponding S-Box S over F_p^n for n ≥ 3 is never invertible;
• similarly, given any quadratic function F : F_p^3 → F_p, the corresponding S-Box S over F_p^n for n ≥ 5 is never invertible.
Moreover, for each p ≥ 3, we present (1st) generalizations of the Lai-Massey construction over F_p^n defined as before via functions F : F_p^m → F_p for each n = m ≥ 2 and (2nd) (non-trivial) quadratic functions F : F_p^3 → F_p such that S over F_p^n for n ∈ {3, 4} is invertible. As an open problem for future work, we conjecture that for each m ≥ 1 there exists a finite integer n_max(m) such that S over F_p^n defined as before via a quadratic function F : F_p^m → F_p is not invertible for each n ≥ n_max(m). Finally, as a concrete application, we propose Neptune, a variant of the sponge hash function Poseidon, whose non-linear layer is designed by taking into account the results presented in this paper. We show that this variant leads to a concrete multiplication reduction with respect to Poseidon.

The Round Function and the Non-Linear Layer
Symmetric cryptographic schemes, including ciphers, permutations and hash functions, are typically designed by iterating an efficiently implementable round function a sufficient number of times in order to guarantee the desired security level. Focusing on Substitution-Permutation Network (SPN) schemes, this round function is usually composed of two layers, a non-linear one and a linear one. In more detail, consider an SPN scheme over F_p^t for a prime p ≥ 3 and t ≥ 1. The round function is usually defined, for each x ∈ F_p^t, in terms of the following components:
• S-Box : F_p^t → F_p^t is the non-linear layer (or substitution layer);
• M ∈ F_p^{t×t} is an invertible matrix;
• c ∈ F_p^t is a round constant or a secret key.
Focusing on the non-linear layer, it is usually composed of parallel independent non-linear functions. Let 1 ≤ n ≤ t be a divisor of t, and let S : F_p^n → F_p^n be an invertible non-linear function. Given x = (x_0, x_1, ..., x_{t−1}) ∈ F_p^t, the substitution layer is usually defined as S-Box(x) := S(x_0, ..., x_{n−1}) ‖ S(x_n, ..., x_{2n−1}) ‖ ... ‖ S(x_{t−n}, ..., x_{t−1}), where ‖ denotes concatenation.
For each z ∈ F_p^n, the S-Box S(z) = y_0 ‖ y_1 ‖ ... ‖ y_{n−1} ∈ F_p^n is defined componentwise via functions F_0, F_1, ..., F_{n−1} : F_p^n → F_p, which are potentially distinct. In this paper, we limit ourselves to consider the case in which each value y_i ∈ F_p is specified according to a single local map F : F_p^m → F_p for a certain m ≤ n. More formally:
Definition 1. Let p ≥ 3 be a prime integer. Let 1 ≤ m ≤ n, and let F : F_p^m → F_p be a non-linear function. The function S over F_p^n is defined as S(x_0, x_1, ..., x_{n−1}) := y_0 ‖ y_1 ‖ ... ‖ y_{n−1}, where for each i ∈ {0, 1, ..., n−1}, y_i := F(x_i, x_{i+1}, ..., x_{i+m−1}) and the sub-indexes are taken modulo n.
In the following, we sometimes use the notation S_F to highlight the local function F that defines S.
One of the most well-known examples of this kind of non-linear layer is the chi-function over F_2^n, defined via the local map χ(x_0, x_1, x_2) = x_0 + (x_1 + 1)·x_2 over F_2 (5), first introduced by Wolfram [Wol85] and then re-considered and analyzed by Daemen [Dae95].
It is used as a building component in many designs, including Keccak [BPVA+11, BDPA13], Rasta [DEG+18] and Subterranean [DMMR20], among many others. Other examples of local maps F : F_2^m → F_2 for which the corresponding S over F_2^n defined as in Def. 1 is invertible are listed in [Dae95, App. A.3].
In this paper, we only focus on quadratic functions F : F_p^m → F_p for a prime p ≥ 3, studying the properties and the multiplicative cost of the corresponding function S over F_p^n defined as in Def. 1.
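The construction of Def. 1 is easy to check by exhaustion for small parameters. The following added example (not code from the paper) builds S_F from an arbitrary local map and tests invertibility by enumerating F_p^n; it uses the Keccak-style chi map (assumed here to be χ(x_0, x_1, x_2) = x_0 + (x_1 + 1)·x_2 over F_2), the n = m = 2 Lai-Massey map F(x_0, x_1) = x_0 + (x_0 − x_1)² from the introduction, and, as a negative case, the quadratic map x_0 + x_1² over F_p^3; the function names are the example's own.

```python
# Added example (not from the paper): build the S-Box S_F of Definition 1
# from a local map F : F_p^m -> F_p and test invertibility by exhaustion.
from itertools import product


def sbox_from_local_map(F, p, n, m):
    """Return S_F : F_p^n -> F_p^n with y_i = F(x_i, ..., x_{i+m-1}), indices mod n."""
    def S(x):
        assert len(x) == n
        return tuple(F(*[x[(i + j) % n] for j in range(m)]) % p for i in range(n))
    return S


def is_permutation(S, p, n):
    """Exhaustive check: S permutes F_p^n iff its image has p^n distinct elements."""
    image = {S(x) for x in product(range(p), repeat=n)}
    return len(image) == p ** n


def chi(x0, x1, x2):
    """Keccak-style chi local map over F_2 (assumed definition)."""
    return (x0 + (x1 + 1) * x2) % 2


def lai_massey(x0, x1):
    """Lai-Massey local map over F_p^2 (n = m = 2): F(x0, x1) = x0 + (x0 - x1)^2."""
    return x0 + (x0 - x1) ** 2


def quadratic_x0_plus_x1sq(x0, x1):
    """A quadratic local map whose degree-2 coefficients do not sum to zero (cf. Prop. 7)."""
    return x0 + x1 ** 2


def chi_invertible(n):
    """True iff the chi S-Box over F_2^n is a permutation (known: exactly for odd n >= 3)."""
    return is_permutation(sbox_from_local_map(chi, 2, n, 3), 2, n)


def lai_massey_invertible(p):
    return is_permutation(sbox_from_local_map(lai_massey, p, 2, 2), p, 2)


def quadratic_n3_invertible(p):
    """S over F_p^3 induced by x0 + x1^2; never a permutation for p >= 3."""
    return is_permutation(sbox_from_local_map(quadratic_x0_plus_x1sq, p, 3, 2), p, 3)


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(f"chi over F_2^{n}: permutation = {chi_invertible(n)}")
    for p in (3, 5, 7):
        print(f"Lai-Massey over F_{p}^2: permutation = {lai_massey_invertible(p)}")
        print(f"x0 + x1^2 over F_{p}^3: permutation = {quadratic_n3_invertible(p)}")
```

The exhaustive check is only meaningful for tiny p and n; the point of the paper is precisely that for the interesting (large-p) case one needs a structural argument rather than enumeration.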

Our Contributions
Related Works: Invertible Functions over F_p^n. Well-known examples of invertible functions over F_p^n are recalled in Sect. 3 and include, among others, the power maps x ↦ x^d (whose invertibility is proved using Hermite's criterion) and their generalizations, the Dickson polynomials.
Probably the most well-known example of a function F : F_p^m → F_p for which the corresponding function S over F_p^n for n = m is a permutation is the Lai-Massey construction [LM90]. In the case n = m = 2, the function F is e.g. of the form F(x_0, x_1) = x_0 + (x_0 − x_1)². In Prop. 5, we present generalizations of such functions over F_p^m for even m = n, namely local maps F(x_0, x_1, ..., x_{n−1}) given by a linear combination of the inputs with coefficients γ_0, ..., γ_{n−1} plus the square of a combination of the inputs, which we prove to be invertible if the matrix circ(γ_0, γ_1, ..., γ_{n−1}) ∈ F_p^{n×n} is invertible.
Invertible Quadratic Functions. Even if the Lai-Massey constructions just presented can be efficiently computed (from the point of view of the multiplicative complexity), a cryptographic scheme based only on such non-linear functions can potentially be broken using e.g. an invariant subspace attack [Vau99] if the linear layer is not chosen appropriately. For this reason, we look for other quadratic functions as possible building blocks of an MPC-/FHE-/ZK-friendly symmetric-key primitive, and we find the following: a family of functions F : F_p^3 → F_p for which S over F_p^3 defined as in Def. 1 is invertible if p ≡ 2 mod 3, by carefully choosing ψ_i, α, β, γ as given in Prop. 9; and a family of functions F : F_p^3 → F_p for which S over F_p^3 defined as in Def. 1 is invertible if p ≡ 1 mod 3, by carefully choosing α, β, γ, ε, ε′ as given in Prop. 10. These two functions cover all possible values of p ≥ 3, and they can be computed via only three F_p-multiplications, that is, t F_p-multiplications per round. For comparison, a non-linear layer instantiated via the power map x ↦ x^d, where d ≥ 3 so that gcd(d, p − 1) = 1, requires t·(⌊log_2(d)⌋ + hw(d) − 1) ≥ 2·t F_p-multiplications, which is at least double the cost required for functions in the two families just proposed.
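The cost comparison above can be checked by instrumenting square-and-multiply. The following added example (not code from the paper) counts the non-constant multiplications of x ↦ x^d computed left-to-right, checks them against the closed form ⌊log_2 d⌋ + hw(d) − 1, and contrasts a full power-map layer over F_p^t with the per-round cost of the quadratic local maps (one multiplication per F_p^2 Lai-Massey S-Box, three per F_p^3 S-Box); the exponent selection rule, smallest d ≥ 3 with gcd(d, p − 1) = 1, is the one stated for Poseidon later in the paper, and the function names are the example's own.

```python
# Added example (not from the paper): multiplication counts of the power map
# versus the quadratic local maps discussed in the text.
from math import gcd


def square_and_multiply(x, d, p):
    """Left-to-right square-and-multiply.
    Returns (x^d mod p, number of non-constant F_p-multiplications performed)."""
    bits = bin(d)[2:]            # most significant bit first
    acc, mults = x % p, 0        # leading bit is 1: start from x
    for b in bits[1:]:
        acc, mults = acc * acc % p, mults + 1        # one squaring per remaining bit
        if b == "1":
            acc, mults = acc * x % p, mults + 1      # one multiplication per further 1-bit
    return acc, mults


def power_map_cost(d):
    """Closed form quoted in the text: floor(log2 d) + hw(d) - 1."""
    return (d.bit_length() - 1) + bin(d).count("1") - 1


def smallest_poseidon_exponent(p):
    """Smallest d >= 3 with gcd(d, p - 1) = 1, so that x -> x^d permutes F_p."""
    d = 3
    while gcd(d, p - 1) != 1:
        d += 1
    return d


def per_round_costs(p, t):
    """F_p-multiplications of one non-linear layer over F_p^t for the three options."""
    d = smallest_poseidon_exponent(p)
    return {
        "d": d,
        "power_map_layer": t * power_map_cost(d),   # t independent power maps
        "lai_massey_F_p2_layer": t // 2,            # one multiplication per F_p^2 S-Box (t even)
        "quadratic_F_p3_layer": t,                  # three multiplications per F_p^3 S-Box (t multiple of 3)
    }


if __name__ == "__main__":
    for p in (7, 2 ** 31 - 1):
        print(p, per_round_costs(p, 12))
    print(square_and_multiply(2, 5, 7))  # 2^5 mod 7 with its multiplication count
```

For p = 2^31 − 1 the rule gives d = 5 (3 divides p − 1), so a full power-map layer costs 3·t multiplications against t/2 for the Lai-Massey layer.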
Non-Existence Results. As main results of this paper:
• in Theorem 3, we prove that there is no quadratic function F : F_p^2 → F_p such that the corresponding function S over F_p^n for n ≥ 3 defined as in Def. 1 is a permutation;
• in Theorem 4, we prove that there is no quadratic function F : F_p^3 → F_p such that the corresponding function S over F_p^n for n ≥ 5 defined as in Def. 1 is a permutation.
Both results are also supported by our practical experiments, as given in Sect. 5.3.2. Regarding the case m = n = 2, in Prop. 8 we prove that the only quadratic function F : F_p^2 → F_p for which S over F_p^2 defined as in Def. 1 is invertible is a Lai-Massey function of the form F(x_0, x_1) = α·x_0 + β·x_1 + γ·(x_0 − x_1)² with α ≠ ±β.
Focusing on the case m = 3, the result is somewhat surprising when comparing the binary case and the prime case. Indeed, while e.g. the function S over F_2^n defined as in Def. 1 instantiated via the local map χ defined as in (5) is known to be a permutation for each odd n ≥ 3, here we prove that there is no equivalent of the chi-function when working with a quadratic function F : F_p^3 → F_p for a prime integer p ≥ 3. As an open problem for future work, we conjecture that for each m ≥ 1 there exists a finite integer n_max(m) such that S over F_p^n defined as in Def. 1 via a quadratic function F : F_p^m → F_p is not invertible for each n ≥ n_max(m) (see Conjecture 1 for details). Our results and observations suggest that if this conjecture is true, then n_max(m) grows linearly with m (more specifically, n_max(m) = 2·m − 1).
Neptune as a Concrete Application. Estimating the impact of quadratic non-linear layers in the design of a generic MPC-/FHE-/ZK-friendly iterative symmetric scheme is in general very hard, since many factors play a crucial role in determining the performance of the scheme in the target applications (e.g., the number of rounds required for its security, and so the overall multiplicative complexity, does not depend only on the details of the non-linear layer, but also on the details of the linear layer, on the possible attack scenarios, on the security level, and so on). For this reason, we focus on Poseidon, a sponge hash function [BDPV07, BDPA08] recently proposed for ZK applications, and we show a possible way to modify it based on the non-linear layers presented in this paper in order to reduce its multiplicative complexity.
Poseidon is a sponge hash function whose internal permutation is based on the Hades design strategy [GLR+20], proposed at Eurocrypt 2020. Its main feature and novelty is the use of both rounds with a full S-Box layer and rounds with a partial S-Box layer, in order to achieve both security and good performance. Here, we take this concept to its extreme. Instead of limiting ourselves to an uneven distribution of the S-Boxes, we propose to use two different round functions, one for the internal part and one for the external one. In Sect. 7, we propose a new sponge hash function called Neptune over F_p^t, a variant of the hash function Poseidon in which
• the power maps x ↦ x^d in the external full rounds are replaced by a concatenation of independent S-Boxes defined over F_p^2 via the Lai-Massey construction;
• the power map x ↦ x^d in the internal partial rounds remains unchanged, but the matrix that instantiates the linear layer of the internal partial rounds is different from the one proposed for the external full rounds.
As we show there, these changes have the effect of (largely) reducing the multiplicative complexity of Poseidon in the case of large t ≫ 1.

Preliminaries
Notation. Let p be a prime number (unless specified otherwise, we always assume p ≥ 3). Let F_p denote the field of integers modulo p. We use small letters to denote either parameters/indexes or variables, and Greek letters to denote fixed elements in F_p. Given x ∈ F_p^n, we denote by x_i its i-th component for each i ∈ {0, 1, ..., n−1}, that is, x = (x_0, x_1, ..., x_{n−1}) or x = x_0 ‖ x_1 ‖ ... ‖ x_{n−1}, where ‖ denotes concatenation. We use capital letters to denote functions from F_p^m to F_p for m ≥ 1, e.g., F : F_p^m → F_p, and the calligraphic font to denote functions over F_p^n for n > 1, e.g., S : F_p^n → F_p^n. We use the fraktur font (e.g., X) to denote sets of elements, where |X| denotes the cardinality of the set X. We denote by e_i ∈ F_p^n the vector with 1 in the i-th component (for i ∈ {0, 1, ..., n−1}) and 0 in all others. We denote by circ(μ_0, μ_1, ..., μ_{n−1}) ∈ F_p^{n×n} the circulant matrix whose rows are the cyclic shifts of its first row (μ_0, μ_1, ..., μ_{n−1}).

Class of Equivalence
First, we introduce a relation for classifying functions with similar properties.
Definition 2 (Class of Equivalence). Let q = p^r where p ≥ 2 is a prime and r ≥ 1. Let F, F′ : F_q^m → F_q be two functions. F and F′ are similar, denoted as F ∼ F′, if F′(x) = ω·F(M × x + ν) + ψ for each x ∈ F_q^m, for a suitable matrix M ∈ F_q^{m×m}, a vector ν ∈ F_q^m, and
• ω ∈ F_q \ {0} and ψ ∈ F_q.
Proposition 1. Let F, F′ : F_q^m → F_q be two similar functions. Let S_F, S_{F′} : F_q^n → F_q^n be the two functions defined as in Def. 1 induced respectively by F and F′. Then, S_F is invertible if and only if S_{F′} is invertible.
Proof. By definition of F and S_F, we have that [S_F(x_0, x_1, ..., x_{n−1})]_i = F(x_i, x_{i+1}, ..., x_{i+m−1}), where the sub-indexes are taken modulo n. Since F′(x) = ω·F(M × x + ν) + ψ for each x ∈ F_q^m, it follows that S_{F′} can be expressed in terms of S_F, where diag(ω, ω, ..., ω) ∈ F_q^{n×n} is an invertible matrix and where ψ̄ = (ψ, ψ, ..., ψ) ∈ F_q^n. Since the two diagonal matrices are invertible, S_{F′} is equal to S_F pre-composed and post-composed with two invertible affine functions. This implies that S_F is invertible if and only if S_{F′} is invertible.
Note that this result is not true if one changes the equivalence class defined in Def. 2 by considering generic matrices M ∈ F_q^{m×m} and/or generic vectors ν ∈ F_q^m.

A Necessary Condition for Invertibility
As the next step, we recall a necessary condition that a function F has to satisfy for S to be invertible.
Definition 3 (Balanced Function). Let q = p^r where p ≥ 2 is a prime and r ≥ 1. Let F : F_q^m → F_q. We say that F is balanced if and only if the pre-image of every element in F_q has the same cardinality, i.e., |{x ∈ F_q^m | F(x) = y}| = q^{m−1} for each y ∈ F_q.
Proposition 2. Let q = p^r where p ≥ 2 is a prime and r ≥ 1. Given F : F_q^m → F_q, let S over F_q^n be defined as in Def. 1. If F is not balanced, then S is not invertible.
The proof of this well-known result is given in App. A. A concrete application of it is given in the following proposition:
Proposition 3. Let p ≥ 2 be a prime number. Let F : F_p^2 → F_p be defined as in (7). If α_{2,0} = α_{0,2} = 0, then F is not a balanced function.
Corollary 1. Let F : F_2^2 → F_2 be a quadratic function. Then, the function S over F_2^n for n ≥ 2 defined as in Def. 1 is not invertible.

Hermite's Criterion and Known Permutation Polynomials (PPs) over F_p
Given a non-linear function F ∈ F_q[x], a characterization of whether F is a permutation polynomial or not is given by Hermite's criterion.
Theorem 1 (Hermite's Criterion [MP13]). Let q = p^r, where p ≥ 2 is a prime and r is a positive integer. Then a polynomial F ∈ F_q[x] is a Permutation Polynomial (PP) of F_q if and only if the following two conditions hold:
1. the reduction of (F(x))^{q−1} mod (x^q − x) is a monic polynomial of degree q − 1;
2. for each integer t with 1 ≤ t ≤ q − 2 and t ≢ 0 mod p, the reduction of (F(x))^t mod (x^q − x) has degree ≤ q − 2.
Applying the previous criterion to a generic function over F_q in order to establish whether it is a PP or not is in general computationally demanding. However, for certain special classes of polynomials, including the power maps and the Dickson polynomials, this question is easy to answer.
Power Maps. As already mentioned in the introduction, the non-linear functions of many cryptographic schemes over F_p are power maps x ↦ x^d.
Theorem 2 ([MP13, Sect. 8]). Let q = p^r, where p ≥ 2 is a prime and r is a positive integer. The function x ↦ x^d is a permutation of F_q if and only if gcd(d, q − 1) = 1.
As is well known, this means that the choice of the exponent d depends on the prime field if one aims to guarantee invertibility. Obviously, this also implies that no quadratic function over F_p for p ≥ 3 is invertible. Indeed, consider the generic quadratic function F(x) = α·x² + β·x + γ with α ≠ 0. Via the change of variable y = x − β/(2α), we obtain a function of the form α·y² + γ′ for a suitable constant γ′, which is not invertible since it takes the same value at y and at −y for each y ∈ F_p.
Dickson Polynomials. Dickson polynomials generalize power maps. Let q = p^r, where p ≥ 3 is a prime and r is a positive integer. Let α ∈ F_q be fixed. The Dickson polynomial D_{d,α}(x) of degree d with parameter α over F_q is defined as usual (see [MP13]). Note that Dickson polynomials reduce to power maps for α = 0. As proved e.g. in [MP13], the Dickson polynomial D_{d,α}(x) is a PP of F_q if and only if gcd(d, q² − 1) = 1.
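Hermite's criterion and Theorem 2 can be exercised directly over a prime field. The following added example (not code from the paper) implements the criterion for q = p (r = 1) with polynomial arithmetic modulo x^p − x, cross-checks it against exhaustive evaluation, verifies that x ↦ x^d passes exactly when gcd(d, p − 1) = 1, and confirms that no quadratic α·x² + β·x + γ with α ≠ 0 is a PP; all function names are the example's own, and Dickson polynomials are left out because their definition is not given above.

```python
# Added example (not from the paper): Hermite's criterion over F_p, cross-checked
# against exhaustive evaluation. Polynomials are coefficient lists, index = exponent.
from itertools import product
from math import gcd


def reduce_exponent(e, q):
    """x^q = x on F_q, so x^e collapses to x^(((e-1) mod (q-1)) + 1) for e >= q."""
    return e if e < q else (e - 1) % (q - 1) + 1


def poly_mul_mod(a, b, p, q):
    """Product of a and b over F_p, reduced modulo x^q - x (result has length q)."""
    res = [0] * q
    for i, ai in enumerate(a):
        if ai % p == 0:
            continue
        for j, bj in enumerate(b):
            if bj % p == 0:
                continue
            e = reduce_exponent(i + j, q)
            res[e] = (res[e] + ai * bj) % p
    return res


def degree(poly):
    """Degree of a reduced coefficient list; -1 for the zero polynomial."""
    for e in range(len(poly) - 1, -1, -1):
        if poly[e] != 0:
            return e
    return -1


def is_pp_hermite(f, p):
    """Theorem 1 with q = p: F is a PP of F_p iff
    (1) F^(p-1) mod (x^p - x) is monic of degree p - 1, and
    (2) for 1 <= t <= p - 2 with t != 0 mod p, deg(F^t mod (x^p - x)) <= p - 2."""
    q = p
    f = [c % p for c in f]
    power = [1] + [0] * (q - 1)              # F^0
    for t in range(1, q - 1):                # t = 1, ..., q - 2
        power = poly_mul_mod(power, f, p, q)
        if t % p != 0 and degree(power) > q - 2:
            return False                     # condition (2) violated
    power = poly_mul_mod(power, f, p, q)     # F^(q-1)
    return degree(power) == q - 1 and power[q - 1] == 1   # condition (1)


def evaluate(f, x, p):
    return sum(c * pow(x, e, p) for e, c in enumerate(f)) % p


def is_pp_bruteforce(f, p):
    """Reference check: F permutes F_p iff its image has p distinct values."""
    return len({evaluate(f, x, p) for x in range(p)}) == p


def power_map(d):
    return [0] * d + [1]


def power_map_is_pp(d, p):
    """Theorem 2 for q = p: returns (Hermite verdict, gcd(d, p - 1) == 1)."""
    return is_pp_hermite(power_map(d), p), gcd(d, p - 1) == 1


def quadratic_is_pp(alpha, beta, gamma, p):
    """alpha*x^2 + beta*x + gamma; never a PP of F_p for alpha != 0 and p >= 3."""
    return is_pp_hermite([gamma, beta, alpha], p)


def hermite_matches_bruteforce_for_all_quadratics(p):
    """Compare both checks on every polynomial of degree <= 2 over F_p."""
    return all(is_pp_hermite(list(f), p) == is_pp_bruteforce(list(f), p)
               for f in product(range(p), repeat=3))


if __name__ == "__main__":
    for d in range(1, 12):
        print(f"x^{d} over F_11:", power_map_is_pp(d, 11))
    print("x^2 + x over F_7 is a PP:", quadratic_is_pp(1, 1, 0, 7))
```

The t ≢ 0 mod p clause is vacuous for q = p, but it is kept so that the function mirrors the statement of Theorem 1.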

Permutation Polynomials via the Legendre Symbol
Here we recall some properties of the Legendre symbol used in the following.
Definition 4. Let p ≥ 3 be a prime number. An integer α is a quadratic residue modulo p if it is congruent to a perfect square modulo p, and it is a quadratic non-residue modulo p otherwise.
Proposition 4 ([Nag51]) collects the properties and the particular identities of the Legendre symbol that are used in the following; in particular, for each prime p ≡ 1 mod 3, −3 is a quadratic residue modulo p. For completeness, we point out that some permutations based on the Legendre symbol have been proposed in the literature.
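The following added example (not code from the paper) computes the Legendre symbol via Euler's criterion, checks it against the set of squares and its multiplicativity, and verifies for all primes below a bound the fact used later in Prop. 10, namely that −3 is a quadratic residue modulo p exactly when p ≡ 1 mod 3 (for p > 3); the function names are the example's own.

```python
# Added example (not from the paper): Legendre symbol and the residuosity of -3.


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion:
    0 if p | a, 1 if a is a non-zero square mod p, -1 otherwise."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def quadratic_residues(p):
    """Non-zero squares modulo p, computed directly (reference for legendre)."""
    return {x * x % p for x in range(1, p)}


def legendre_matches_squares(p):
    """Euler's criterion agrees with direct squaring, and exactly (p-1)/2 residues exist."""
    qr = quadratic_residues(p)
    return (all((legendre(a, p) == 1) == (a in qr) for a in range(1, p))
            and len(qr) == (p - 1) // 2)


def is_multiplicative(p):
    """(ab/p) = (a/p)(b/p) for all a, b modulo p."""
    return all(legendre(a * b, p) == legendre(a, p) * legendre(b, p)
               for a in range(p) for b in range(p))


def odd_primes(limit):
    """Odd primes below limit by trial division (enough for a small check)."""
    return [n for n in range(3, limit) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def minus_three_rule_holds(limit):
    """For all primes 3 < p < limit: (-3/p) = 1 iff p ≡ 1 mod 3."""
    return all((legendre(-3, p) == 1) == (p % 3 == 1) for p in odd_primes(limit) if p > 3)


if __name__ == "__main__":
    for p in (5, 7, 11, 13, 17, 19):
        print(f"p = {p}: p mod 3 = {p % 3}, (-3/p) = {legendre(-3, p)}")
    print("rule holds below 1000:", minus_three_rule_holds(1000))
```

Euler's criterion costs one modular exponentiation, which is why it is the standard way to decide which of the two cases (p ≡ 1 or p ≡ 2 mod 3) a given field falls into.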

(Generalized) Lai-Massey Functions
Other classes of invertible functions over F_p^n include the generalization of the Lai-Massey construction (x_0, x_1) ↦ (y_0, y_1) = (x_0 + H(x_0 − x_1), x_1 + H(x_0 − x_1)) proposed in [LM90], whose invertibility relies on the fact that y_0 − y_1 = x_0 − x_1.
Proposition 5. Let p ≥ 2 be a prime integer. Let n = m ≥ 2 be such that either n is a multiple of p (i.e., n ≡ 0 mod p) or n is even (i.e., n = 2n′). Given F : F_p^n → F_p built from an even function H : F_p → F_p and an invertible circulant matrix M = circ(μ_0, μ_1, ..., μ_{n−1}) ∈ F_p^{n×n}, the function S : F_p^n → F_p^n defined as in Def. 1 is invertible.
Proof. Let y = S(x). By definition of S, and since H is an even function for n ≡ 0 mod 2, the components of y can be rewritten in terms of M × x, where μ := Σ_i μ_i ≠ 0 since M is invertible by assumption. Let z := M^{−1} × y ∈ F_p^n. From the relation between z and x, the overall construction is invertible.
The simplest example of a function that satisfies the previous assumptions is obtained by choosing H(x) = β·x² + γ for β, γ ∈ F_p and M = circ(1, 0, ..., 0) ∈ F_p^{n×n}. In such a case, computing S over F_p^n requires just one F_p-multiplication.
Proposition 6. Let p ≥ 2 be a prime integer. Let F be defined in terms of an even function H : F_p → F_p, an invertible matrix M = circ(μ_0, ..., μ_{n−1}) ∈ F_p^{n×n} and a constant γ ∈ F_p \ {0}. Then, the function S : F_p^n → F_p^n defined as in Def. 1 is invertible.
Proof. Let y = S(x). Working as before, and using that H is an even function, one obtains a relation in which μ := Σ_i μ_i ≠ 0 appears, since M is invertible. The overall construction is invertible by noting that x_i − x_{i+1} = z_i − z_{i+1}, where z := M^{−1} × y.
If n ≥ 3, then evaluating S costs n F_p-multiplications (and just one multiplication for the case n = 2).
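The inversion argument of Prop. 5 (for even n) can be made concrete. The following added example (not code from the paper) assumes the local map F(x_0, ..., x_{n−1}) = Σ_j μ_j·x_j + H(Σ_j (−1)^j·x_j) with H even and M = circ(μ) invertible; this is the example's reading of the proposition, since the explicit formula is not reproduced above. It builds S, implements the inverse along the lines of the proof (solve z = M^{−1}·y, recover the common H-term from the alternating sum of z, which equals that of x because n is even, and strip it off), and checks S^{−1}(S(x)) = x exhaustively for small p; the Gauss-Jordan solver and all names are the example's own.

```python
# Added example (not from the paper): generalized Lai-Massey S-Box of Prop. 5 for even n,
# in the assumed form F(x) = <mu, x> + H(alternating sum of x), and its inverse.
from itertools import product


def circulant(mu):
    """circ(mu_0, ..., mu_{n-1}): row i is the cyclic right shift of the first row by i."""
    n = len(mu)
    return [[mu[(j - i) % n] for j in range(n)] for i in range(n)]


def solve_mod_p(M, b, p):
    """Solve M x = b over F_p by Gauss-Jordan elimination; None if M is singular."""
    n = len(M)
    A = [[v % p for v in row] + [b[i] % p] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, p)
        A[col] = [v * inv % p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(vr - f * vc) % p for vr, vc in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def alternating_sum(v, p):
    return sum(vi if i % 2 == 0 else -vi for i, vi in enumerate(v)) % p


def lai_massey_sbox(mu, H, p):
    """S of Def. 1 with local map F(x) = <mu, x> + H(alternating sum of x), indices mod n."""
    n = len(mu)
    def S(x):
        y = []
        for i in range(n):
            rot = [x[(i + j) % n] for j in range(n)]      # (x_i, x_{i+1}, ..., x_{i+n-1})
            lin = sum(m * r for m, r in zip(mu, rot))
            y.append((lin + H(alternating_sum(rot, p))) % p)
        return tuple(y)
    return S


def lai_massey_inverse(mu, H, p):
    """Inverse following the proof: rotating x by i flips the sign of the alternating sum,
    and H is even, so every y_i carries the same h = H(a); hence y = M x + h*(1,...,1),
    z = M^{-1} y = x + (h/mu_sum)*(1,...,1), and the alternating sum of z equals that of x
    (n even), which lets us recompute h and strip it off."""
    n, M, mu_sum = len(mu), circulant(mu), sum(mu) % p
    def S_inv(y):
        z = solve_mod_p(M, list(y), p)
        h = H(alternating_sum(z, p)) % p
        c = h * pow(mu_sum, -1, p) % p                   # mu_sum != 0 since M is invertible
        return tuple((zi - c) % p for zi in z)
    return S_inv


def roundtrip_ok(mu, p, beta=3, gamma=1):
    """Exhaustively check S_inv(S(x)) = x for H(x) = beta*x^2 + gamma (an even function)."""
    if len(mu) % 2 or solve_mod_p(circulant(mu), [0] * len(mu), p) is None:
        return False                                       # need even n and invertible M
    H = lambda v: beta * v * v + gamma
    S, S_inv = lai_massey_sbox(mu, H, p), lai_massey_inverse(mu, H, p)
    return all(S_inv(S(x)) == x for x in product(range(p), repeat=len(mu)))


if __name__ == "__main__":
    print("circ(2,1,0,0) over F_7:", roundtrip_ok((2, 1, 0, 0), 7))
    print("circ(1,0,0,0) over F_5:", roundtrip_ok((1, 0, 0, 0), 5))
    print("circ(1,1,1,1) over F_7 (singular):", roundtrip_ok((1, 1, 1, 1), 7))
```

With M = circ(1, 0, ..., 0) the only non-constant multiplication in S is the single squaring inside H, matching the one-multiplication cost stated above.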

Conditions on the Local Function F
Here we present the conditions that the function F must satisfy in order to guarantee that S can be a permutation.
Proposition 7. Let p ≥ 3 be a prime integer. Let F : F_p^m → F_p be defined as in (7). Let α^(2), α^(1) ∈ F_p be the sums of the coefficients of the monomials of degree l, for each l ∈ {1, 2}. If α^(2) = α^(1) = 0 or α^(2) ≠ 0, the function S over F_p^n defined as in Def. 1 is not a permutation for each n ≥ m.

Analysis of the Case n = 2
Here we prove that the only quadratic function F : F_p^2 → F_p for which S is invertible over F_p^2 is of the form F(x_0, x_1) = γ_0·x_0 + γ_1·x_1 + γ·(x_0 − x_1)², where γ_0 ≠ ±γ_1.
Proposition 8. Let p ≥ 3 be a prime integer, and let F : F_p^2 → F_p be a quadratic function. The non-linear function S defined as in Def. 1 is invertible over F_p^2 if and only if F is of the form F(x_0, x_1) = γ_0·x_0 + γ_1·x_1 + γ·(x_0 − x_1)², where γ_0 ≠ ±γ_1.

Analysis of the Case n ≥ 3
As one of the main results of this paper, we prove that given any quadratic function F : F_p^2 → F_p, the function S over F_p^n defined as in Def. 1 is never invertible for each n ≥ 3.
Theorem 3. Let p ≥ 3 be a prime integer. Let F : F_p^2 → F_p be a function of degree 2. The function S over F_p^n defined as in Def. 1 is never a permutation for each n ≥ 3.
Proof. Due to the results given in Prop. 7, here we limit ourselves to consider the cases not excluded there. We first prove the result for the case n = 3. Our goal is to prove that for each function F : F_p^2 → F_p of degree 2 defined as in (7), it is possible to find a collision, that is, two different inputs x, y ∈ F_p^3 such that S(x) = S(y). In order to generalize this result to n ≥ 4, we assume x_0 = y_0 = ẑ. Once such a collision is found for n = 3, a collision for n ≥ 4 can easily be set up by working with x, y ∈ F_p^n where x_i = y_i = ẑ for each i ≥ 3. Indeed, this implies that F(x_i, x_{i+1}) = F(y_i, y_{i+1}) = 0 for each i ∈ {3, ..., n − 1}. Just for simplicity, we fix ẑ = 0.
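Both Prop. 8 and Theorem 3 can be checked exhaustively for a small prime, which is the m = 2 analogue of the practical verification reported in Sect. 5.3.2. The following added example (not code from the paper) enumerates every quadratic local map F : F_p^2 → F_p (all coefficient vectors with a non-zero degree-2 part), counts those whose S_F is a permutation of F_p^2 and of F_p^3, and checks that each survivor for n = 2 has the Lai-Massey shape γ_0·x_0 + γ_1·x_1 + γ·(x_0 − x_1)² + c with γ_0 ≠ ±γ_1; the coefficient ordering and function names are the example's own.

```python
# Added example (not from the paper): exhaustive search over quadratic F : F_p^2 -> F_p
# for permutations S_F over F_p^2 (Prop. 8) and F_p^3 (Theorem 3), small p only.
from itertools import product


def quadratic_2var(coeffs, p):
    """F(x0, x1) = a20 x0^2 + a11 x0 x1 + a02 x1^2 + a10 x0 + a01 x1 + a00 over F_p."""
    a20, a11, a02, a10, a01, a00 = coeffs
    return lambda x0, x1: (a20 * x0 * x0 + a11 * x0 * x1 + a02 * x1 * x1
                           + a10 * x0 + a01 * x1 + a00) % p


def induced_sbox_is_permutation(F, p, n, m=2):
    """S_F over F_p^n with y_i = F(x_i, ..., x_{i+m-1}) (indices mod n); exhaustive image count."""
    image = {tuple(F(*[x[(i + j) % n] for j in range(m)]) for i in range(n))
             for x in product(range(p), repeat=n)}
    return len(image) == p ** n


def search_quadratic_permutations(p, n):
    """Coefficient vectors of all degree-2 F (non-zero quadratic part) with S_F a permutation of F_p^n."""
    hits = []
    for coeffs in product(range(p), repeat=6):
        if coeffs[0] == coeffs[1] == coeffs[2] == 0:
            continue                                       # affine map, not degree 2
        if induced_sbox_is_permutation(quadratic_2var(coeffs, p), p, n):
            hits.append(coeffs)
    return hits


def is_lai_massey_shape(coeffs, p):
    """Prop. 8 shape: F = g0 x0 + g1 x1 + g (x0 - x1)^2 + c with g != 0 and g0 != ±g1.
    Expanding g (x0 - x1)^2 gives a20 = a02 = g and a11 = -2g."""
    a20, a11, a02, g0, g1, _ = coeffs
    return (a20 != 0 and a02 == a20 and a11 == (-2 * a20) % p
            and g0 != g1 and (g0 + g1) % p != 0)


def summarize(p):
    """Counts for n = 2 and n = 3 plus the Prop. 8 shape check on the n = 2 survivors."""
    n2 = search_quadratic_permutations(p, 2)
    n3 = search_quadratic_permutations(p, 3)
    return {"n2_count": len(n2),
            "n2_all_lai_massey": all(is_lai_massey_shape(c, p) for c in n2),
            "n3_count": len(n3)}


if __name__ == "__main__":
    print("p = 3:", summarize(3))
    hits5 = search_quadratic_permutations(5, 2)
    print("p = 5, n = 2:", len(hits5), "permutations, all Lai-Massey shape:",
          all(is_lai_massey_shape(c, 5) for c in hits5))
```

For n = 2 the expected count is (p − 1)·p·(p − 1)²: p − 1 choices of γ, p choices of the constant, and (p − 1)² pairs (γ_0, γ_1) with γ_0 ≠ ±γ_1. The n = 3 search over p = 5 already needs 15625 maps times 125 inputs, which shows why the paper relies on a proof rather than on enumeration for general p.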

Analysis of the Case n = 3
Here we present two non-trivial quadratic functions F : F_p^3 → F_p (one for p ≡ 2 mod 3 and one for p ≡ 1 mod 3) for which the corresponding function S over F_p^3 is a permutation.

Case: p ≡ 2 mod 3
First, we present a family of functions F : F_p^3 → F_p for which the corresponding function S over F_p^3 is a permutation if p ≡ 2 mod 3. Three F_p-multiplications are sufficient for computing S.

Case: p ≡ 1 mod 3
Next, we present a family of functions F : F_p^3 → F_p for which the corresponding function S over F_p^3 is a permutation if p ≡ 1 mod 3. Again, three F_p-multiplications are sufficient for computing S.
Proposition 10. Let p ≥ 7 be a prime integer such that p ≡ 1 mod 3. Let F : F_p^3 → F_p be the quadratic function depending on the constants α, β, γ, ε, ε′ chosen as described below. The function S defined as in Def. 1 over F_p^3 is invertible. Note that the case α = β = γ has already been analyzed in Prop. 6.
First of all, note that ω, τ, ψ ≠ 0 and that the following equations are always satisfied. In particular, focusing on the last one, the solutions of the corresponding equality in β are {β_+, β_−} as defined in (10), recalling that −3 is a quadratic residue modulo p for p ≡ 1 mod 3 (see Prop. 4).
In order to prove the result, we show how to invert S(x) = y. Given y_i = F(x_i, x_{i+1}, x_{i+2}) for each i ∈ {0, 1, 2} (where the sub-indexes are taken modulo 3), x_0 can be expressed in terms of the remaining variables and of y, where ω, ε ≠ 0 by assumption. By taking the difference between y_1 and y_2 and by substituting x_0, we obtain an equation in which the coefficient of (x_1 − x_2)² is equal to zero due to the assumption β = β_±. As a result, we have a linear equation in x_1 with ω²·ε ≠ 0 as coefficient, hence x_1 is determined. By substituting x_0, x_1 in e.g. the third equation, we get a linear equation in x_2. Since the coefficient ε + 3·ε′ of x_2 is different from zero by assumption, the system of equations has a unique solution for any given y_0, y_1, y_2, and S is invertible.

An Example for the Case n = 4
Here we limit ourselves to present an example of a quadratic function F : F_p^3 → F_p for which S over F_p^4 is invertible. Such a function is constructed based on the following result.
Proposition 11. Let q = p^r where p ≥ 2 is a prime and r is a positive integer. Given 2 ≤ g ≤ h, let G : F_q^g → F_q be a function for which S_G defined over F_q^h as in Def. 1 (where the sub-indexes are taken modulo h) is invertible.
Let m := (g − 1)·(z + 1) + 1 and n := h·(z + 1) for any integer z ≥ 0. Let F : F_q^m → F_q be defined as F(x_0, x_1, ..., x_{m−1}) := G(x_0, x_{z+1}, x_{2(z+1)}, ..., x_{(g−1)(z+1)}). (Note that F depends only on the variables x_i for which the sub-index i is a multiple of z + 1.) The function S_F defined over F_q^n as in Def. 1 is invertible.
Proof. The result is obviously true for z = 0 (for which m = g and n = h). So, let us assume z ≥ 1. Let y = S_F(x). The system of n equations y_i = F(x_i, x_{i+1}, ..., x_{i+m−1}) for each i ∈ {0, 1, ..., n − 1} can be split into z + 1 independent systems, each one consisting of the h equations whose indexes i lie in the same residue class modulo z + 1, each of the form y_i = G(x_i, x_{i+(z+1)}, ..., x_{i+(g−1)(z+1)}). The invertibility of each one of these sub-systems follows from the fact that S_G is invertible by assumption.
The following corollary follows immediately.
Corollary 2. Let p ≥ 3 be a prime integer, and let m ≥ 2. Let G : F_p^2 → F_p be a function for which S_G over F_p^2 defined as in Def. 1 is invertible. Let F : F_p^m → F_p be defined from G as in Prop. 11 with g = h = 2. Based on these results, given γ_0 ≠ ±γ_2, the function S_F defined over F_p^4 as in Def. 1 is invertible.
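The lifting of Prop. 11 and the n = 4 instance of Corollary 2 are easy to exercise. The following added example (not code from the paper) builds F(x_0, ..., x_{m−1}) = G(x_0, x_{z+1}, ..., x_{(g−1)(z+1)}) from a Lai-Massey G(a, b) = γ_0·a + γ_2·b + γ·(a − b)² with γ_0 ≠ ±γ_2, and checks exhaustively that S_F is a permutation of F_p^4 but not of F_p^5; the failure at n = 5 is consistent with Theorem 4 and, because this F ignores x_1, already with Theorem 3 (the first case listed in the roadmap below). The function names are the example's own.

```python
# Added example (not from the paper): the Prop. 11 lifting G -> F and the
# Corollary 2 instance over F_p^4, with the n = 5 failure for contrast.
from itertools import product


def lifted_local_map(G, g, z):
    """Prop. 11: F(x_0, ..., x_{m-1}) = G(x_0, x_{z+1}, ..., x_{(g-1)(z+1)}),
    with m = (g - 1)(z + 1) + 1. Returns (F, m)."""
    m = (g - 1) * (z + 1) + 1
    def F(*x):
        assert len(x) == m
        return G(*[x[k * (z + 1)] for k in range(g)])
    return F, m


def sbox(F, p, n, m):
    """S_F of Def. 1 over F_p^n: y_i = F(x_i, ..., x_{i+m-1}), indices mod n."""
    def S(x):
        return tuple(F(*[x[(i + j) % n] for j in range(m)]) % p for i in range(n))
    return S


def is_permutation(S, p, n):
    return len({S(x) for x in product(range(p), repeat=n)}) == p ** n


def lai_massey_G(g0, g2, g, p):
    """G(a, b) = g0*a + g2*b + g*(a - b)^2; S_G permutes F_p^2 iff g0 != ±g2 (Prop. 8)."""
    return lambda a, b: (g0 * a + g2 * b + g * (a - b) ** 2) % p


def corollary2_check(p, g0=1, g2=0, g=1):
    """Corollary 2 instance: g = h = 2, z = 1, so m = 3, F(x0, x1, x2) = G(x0, x2).
    Returns {n: is S_F a permutation of F_p^n} for n = 4 (expected True) and n = 5."""
    F, m = lifted_local_map(lai_massey_G(g0, g2, g, p), g=2, z=1)
    return {n: is_permutation(sbox(F, p, n, m), p, n) for n in (4, 5)}


def split_classes(n, z):
    """Index classes modulo z + 1 that the proof of Prop. 11 decouples (n = h (z + 1))."""
    return [[i for i in range(n) if i % (z + 1) == j] for j in range(z + 1)]


if __name__ == "__main__":
    print("classes for n = 4, z = 1:", split_classes(4, 1))   # [[0, 2], [1, 3]]
    for p in (5, 7):
        print(f"p = {p}:", corollary2_check(p))
```

For n = 4 the two classes {0, 2} and {1, 3} are exactly the two independent copies of S_G; for n = 5 the map i ↦ i + 2 cycles through all indices, so the system no longer decouples.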

Analysis of the Case n ≥ 5
As a main result of this work, we prove that given any quadratic function F : F_p^3 → F_p, S over F_p^n defined as in Def. 1 is never invertible for n ≥ 5.
Theorem 4. Let p ≥ 3 be a prime integer. Let F : F_p^3 → F_p be a function of degree 2. The function S over F_p^n defined as in Def. 1 is never a permutation for each n ≥ 5.
As highlighted in the introduction, this result is quite surprising if compared to the F_2 case, for which it is well known that the function S over F_2^n instantiated via the local map χ defined as in (5) is a permutation for each odd n ≥ 3.

The Roadmap for the Proof of Theorem 4
The detailed proof of Theorem 4 is given in Sect. 6. Here we limit ourselves to present the roadmap of that proof.
In order to prove Theorem 4, we consider separately the following cases:
1. the function F : F_p^3 → F_p depends on at most two input variables (equivalently, it is independent of at least one variable): due to the result given in Theorem 3, we know that the corresponding S is never invertible (note that the case F(x_0, x_1, x_2) = G(x_0, x_2) reduces to the one studied in Theorem 3);
2. the function F is of the form considered in Lemma 1;
3. the function F is of the form considered in Lemma 2, where the function G it is built from is a function of degree 2;
4. for each variable x_i, there is at least one monomial of degree two that depends on it.
The second case is studied in Lemma 1, the third case in Lemma 2, and the last case in Lemma 3. Since the proofs of these Lemmas are similar to the one given for Theorem 3, here we present a sketch of the proof of each of the cited Lemmas, and we refer to Sect. 6 for all the details.
Lemma 1. Let p ≥ 3 be a prime integer. Let F : F_p^3 → F_p be a function of degree 2 of the form of the second case above. The function S over F_p^n defined as in Def. 1 is never a permutation for each n ≥ 5.
We refer to Sect. 6.1 for the proof. The idea of the proof is the following. In order to find a collision, we study separately the cases (1st) α_{0,0,2}, α_{2,0,0} ≠ 0 and (2nd) α_{0,0,2} = 0 or α_{2,0,0} = 0 (note that at least two terms among α_{0,0,2}, α_{0,2,0}, α_{2,0,0} are different from zero, since α^(2) = 0):
• in the first case, we show that the result is true for n = 5 by finding two different inputs x, y ∈ F_p^5 such that x_0 = y_0 = x_1 = y_1 = ẑ ∈ F_p, S(x) = S(y) ∈ F_p^5 and x ≠ y. This is done by solving a system of (linear) equations. The collision over F_p^n for n ≥ 6 is obtained by working with x ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ and y ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ ∈ F_p^n;
• in the second case, we construct a collision directly over F_p^n. The condition for the collision corresponds to a system of linear equations in (x_i + y_i). By choosing the differences (x_i − y_i) in an appropriate way, it is possible to find a non-trivial solution of such a system of equations.
Lemma 2. Let p ≥ 3 be a prime integer. Let G : F_p^2 → F_p be a function of degree 2, and let F : F_p^3 → F_p be a function of degree 2 defined via G as in the third case of the list above. The function S over F_p^n defined as in Def. 1 is never a permutation for each n ≥ 5.
We refer to Sect. 6.2 for the proof. The idea of the proof is the following. First of all, a special case is treated separately. In the other cases, in order to find a collision, we study separately the cases (1st) n = 2n′ + 1 ≥ 5 odd and (2nd) n = 2n′ + 2 ≥ 6 even:
• in the first case, we consider two inputs x, y ∈ F_p^n such that x_i = y_i for each odd i and x_j ≠ y_j for each even j. The collision is found by solving a system of (linear) equations in x_i for odd i and in (x_j + y_j) for even j;
• the strategy for the second case is similar. The only difference regards the choice of the inputs x, y ∈ F_p^n, which are defined as x_i = y_i for each odd i ≠ n − 1 and x_j ≠ y_j for each even j and for j = n − 1.
Lemma 3. Let p ≥ 3 be a prime integer. Let F : F_p^3 → F_p be a function of degree 2 defined as in (7), such that either the relevant sub-function of F is quadratic or, for each of the variables x_0 and x_2, there is at least one monomial of degree two that depends on it. The function S_F over F_p^n defined as in Def. 1 is never a permutation for each n ≥ 5.
The idea of the proof (given in detail in Sect. 6.3) is the following. First of all, we show that the result is true for n = 5 by finding two different inputs x, y ∈ F_p^5 such that x_0 = y_0 = x_1 = y_1 = ẑ ∈ F_p, S(x) = S(y) ∈ F_p^5 and x ≠ y. In particular:
• if α_{1,0,1} ≠ 0, then it is sufficient that x and y differ in a single component in order to find a collision. In this case, the condition for the collision corresponds to a system of linear equations in ẑ and in the two variables that are equal in x and y;
• if α_{1,0,1} = 0, then at least two components of x and y should be different in order to find a collision. Again, the collision is found by solving a system of linear equations.
The collision over F_p^n for n ≥ 6 is obtained by working with x ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ and y ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ ∈ F_p^n.

Practical Verification
The theoretical results just given are supported by our practical verification, in which no quadratic function F that induces an invertible S was found. For our practical tests, we limit ourselves to consider balanced functions F : F_p^m → F_p under the class of equivalence defined in Def. 2. The practical results are reported in App. B, Table 3 for the case of quadratic functions F : F_p^m → F_p for m = 2, 3. Those include the number and the percentage of balanced functions, the maximum value of n ≥ 3 tested and the total runtime.

Proof of Theorem 4
As we already mentioned, we prove that the function S over F_p^n is not a permutation for any quadratic function F : F_p^3 → F_p and n ≥ 5 by constructing collisions, which means that we find two distinct n-tuples x, y ∈ F_p^n such that S(x) = S(y) and x ≠ y, or equivalently F(x_i, x_{i+1}, x_{i+2}) = F(y_i, y_{i+1}, y_{i+2}) for each i, where the sub-indexes are taken modulo n. For reaching this goal, we introduce new variables s, d ∈ F_p^n, respectively the sum s := x + y and the difference d := x − y. For the follow-up, note that 2·x_i = s_i + d_i and 2·y_i = s_i − d_i.

Proof of Lemma 1 (Case α_{0,0,2}, α_{2,0,0} ≠ 0)
First of all, we show that the result is true for n = 5 by finding two different inputs x, y ∈ F_p^5 such that S(x) = S(y) ∈ F_p^5 and x ≠ y. These inputs satisfy an additional condition, namely x_0 = y_0 = x_1 = y_1 = ẑ ∈ F_p. This allows us to generalize the found collision to each n ≥ 6. Indeed, exactly as in the case of Theorem 3, given x, y ∈ F_p^5 as before, the inputs x ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ and y ‖ ẑ ‖ ẑ ‖ ... ‖ ẑ ∈ F_p^n form a collision for S over F_p^n, since F is defined over F_p^3 and since x_0 = y_0 = x_1 = y_1 = ẑ. W.l.o.g., we fix ẑ = 0 in the following.
The condition S(x) = S(y) over F_p^5 is equivalent to a system of five equations in the variables s_i, d_i. Since α_{0,0,2} and α_{2,0,0} are different from zero, s_2 = −α_{0,0,1}/α_{0,0,2} and s_4 = −α_{1,0,0}/α_{2,0,0} follow from the first two equations. The sum of the last three equations gives a further relation (analogously for the coefficient of d_4). Since d_3 = 0, the third equation reduces to a simpler one, and substituting this value in the fourth equation we get the last condition; taking d_i and s_i as stated, the solution of the system corresponds to a collision for S.
Working under the class of equivalence defined in Def. 2, we also assume α_{0,2,0} = 1. The condition for the collision is given by a linear system, which is always the case since α^(1) = 1 + α_{0,1,0} + α_{0,0,1} = 0 (remember that we are assuming α_{1,0,0} = 1). In such a case, and by fixing s_0 = 0, the condition S(x) = S(y) becomes a matrix equation, where ·^T denotes the transpose. By simple computation, the determinant of the l.h.s. matrix is always different from zero by choosing d_i = d_{i+1} for each i = 3, ..., n − 2. As a result, given d_i as just defined and s_0 = 0, the solution of the previous system corresponds to two distinct x, y ∈ F_p^n such that S(x) = S(y).

Proof of Lemma 3
We first prove the result for the case n = 5. Our goal is to prove that for each function F : F_p^3 → F_p of degree 2 defined as in (7), it is possible to find two different inputs x, y ∈ F_p^5 such that S(x) = S(y), or equivalently, for all i ∈ {0, 1, 2, 3, 4}: F(x_i, x_{i+1}, x_{i+2}) = F(y_i, y_{i+1}, y_{i+2}), where the sub-indexes are taken modulo n. As before, we assume x_0 = y_0 = x_1 = y_1 = ẑ. Once such a collision is found, a collision for n ≥ 6 is trivially set up by working with x, y ∈ F_p^n where x_i = y_i = ẑ for all i ≥ 5, which implies that F(x_i, x_{i+1}, x_{i+2}) = F(y_i, y_{i+1}, y_{i+2}) = 0 for each i ∈ {5, ..., n − 1}.
Similarly, by fixing d_2 = d_3 = 0 and d_4 ≠ 0, the conditions for the collision form a system which has a non-trivial solution (hence, a collision) if α_{1,1,0} ≠ −α_{1,0,1} and α_{1,1,0}, α_{1,0,1} ≠ 0. Working in the same way and by fixing d_3 = d_4 = 0 and d_2 ≠ 0, the conditions for the collision form a system which always admits a non-trivial solution (hence, a collision) if α_{0,1,1} ≠ −α_{1,0,1} and α_{0,1,1}, α_{1,0,1} ≠ 0. In summary, if only a single difference d_i is non-zero, the cases in which it is not possible to find a collision by using the strategy just proposed are those listed in the corresponding system. Indeed, if α_{1,0,1} ≠ 0, it is sufficient that one of the three conditions given in the system is not fulfilled in order to find a collision using the previous results.
Let us analyze them in detail.
By isolating ẑ in the first equation and s_4 in the second, and by substituting ẑ in the last equation, we get a condition on (s_3, d_4). If α_{2,0,0} ≠ α_{0,0,2} or α_{1,0,0} ≠ α_{0,0,1}, there exists a pair (s_3, d_4) such that this equality holds and d_4 ≠ 0. In this case, choose x_2 such that the third equation holds; these conditions correspond to a collision.
If α_{0,1,1} = 0 and α_{0,0,2} ≠ 0, the determinant is non-zero and the system has a solution, hence there is a collision. Otherwise, if α_{0,0,2} = 0, the result follows from Lemma 2, because all the monomials of degree two with x_2 as a factor have coefficients equal to zero in F. The case α_{1,1,0} = 0 is analogous.
We assume α 2,0,0 = 0 (since α 2,0,0 = 0 would reduce this case to the previous one).Let's choose ẑ = 0, d 2 = d 4 = 0 and d 3 = 0.In such a case, the condition for having a collision becomes: The determinant of the matrix is , then the determinant is different from zero and a collision can be found (remember that we are working in the case α 1,1,0 , α 2,0,0 = 0).

Neptune: a Concrete Application
As a final step, we present Neptune, a sponge hash function [BDPV07, BDPA08] instantiated with the Neptune-$\pi$ permutation. Neptune-$\pi$ resembles the permutation Poseidon-$\pi$ [GKR+21] and takes into account the results proposed in this paper. In the following, after recalling Poseidon and presenting Neptune as its variant, we discuss its design rationale and its security. Next, we compare the multiplicative complexity of Neptune with that of Poseidon.

Poseidon and the Hades Design Strategy
Poseidon is a sponge hash function over $\mathbb{F}_p^t$. Its internal permutation is based on the Hades design strategy [GLR+20], recently proposed at Eurocrypt 2020. The main feature of Hades schemes is the use of two different non-linear layers, namely a full one (composed of $t$ power maps $x \mapsto x^d$ for odd $d \geq 3$) in the external rounds, and a partial one (composed of a single power map $x \mapsto x^d$ and $t-1$ identity functions) in the internal rounds. This particular structure makes it possible to provide security against both statistical and algebraic attacks, and at the same time to achieve a low multiplicative complexity. In particular, the external rounds aim to prevent statistical attacks such as classical and truncated differential attacks, linear attacks, rebound attacks and so on. The main goal of the partial rounds is to increase the overall degree of the permutation. Together with the external rounds, they provide security against Gröbner basis attacks.
Let $p > 2^{63}$ be a prime number and let $\kappa \in [80, 256]$ be the security level. Let $t \geq 2$ be such that $p^t \geq 2^{3 \cdot \kappa}$. Let $d \geq 3$ be the smallest integer such that $\gcd(d, p-1) = 1$. The Poseidon permutation $\mathcal{P} : \mathbb{F}_p^t \to \mathbb{F}_p^t$ is defined as where and where $c^{(F,j)}, c^{(P,j)}$ are (random) round constants, $M \in \mathbb{F}_p^{t \times t}$ is an MDS matrix and $S^{(F)}, S^{(P)} : \mathbb{F}_p^t \to \mathbb{F}_p^t$ are defined as In [BCD+20], distinguishers for this reduced-round permutation were presented, which lead to collision attacks on the sponge hash function instantiated with the reduced-round permutation $\mathcal{P}$. Moreover, in the same paper, the authors were able to set up preimage attacks on the sponge hash function instantiated with the full-round permutation $\mathcal{P}$ in the case of a weak MDS matrix $M$ such that $M^2$ is a multiple of the identity, and so for which an invariant subspace trail covering all the internal rounds with probability 1 exists (see also [KR21]). In [GRS21], Grassi et al. showed how to properly choose the MDS matrix $M$ in order to prevent this (and similar) attack(s).

Neptune
Let $\kappa \in [80, 256]$ be the security level, and let $p > 2^{63}$ be a prime number. Let $t = 2t' \in \{2, 4, \ldots, 24\}$ be an even integer. Since Neptune is intended to be used as the internal where and where $c^{(E,j)}, c^{(I,i)} \in \mathbb{F}_p^t$ are (random) round constants.
About the External Rounds $E$. The non-linear layer $S^{(E)} : \mathbb{F}_p^t \to \mathbb{F}_p^t$ is defined as where $S' : \mathbb{F}_p^2 \to \mathbb{F}_p^2$ is defined as $S'(x_{2i}, x_{2i+1}) = y_{2i} \| y_{2i+1}$ for $i \in \{0, 1, \ldots, t'-1\}$, where for fixed $\alpha, \gamma \in \mathbb{F}_p \setminus \{0\}$ (e.g., $\alpha = 1$ and $\gamma = 0$). Let $M', M'' \in \mathbb{F}_p^{t' \times t'}$ be two MDS matrices such that The matrix $M^{(E)} \in \mathbb{F}_p^{t \times t}$ is defined as About the Internal Round $I$. The internal round $I$ is defined via a Partial-SPN scheme as in Poseidon, where where $d \geq 3$ is the smallest integer such that $\gcd(d, p-1) = 1$, and where $M^{(I)} \in \mathbb{F}_p^{t \times t}$ is an invertible matrix that
1. must prevent arbitrarily long subspace trails for the Partial-SPN scheme;
2. can be computed via $O(t)$ affine operations.
A possible example of a matrix $M^{(I)}$ that satisfies such conditions is where the diagonal entries (indexed $i,i$) are elements of $\mathbb{F}_p \setminus \{0\}$ chosen in order to guarantee the previous requirements, for a cost of $t$ multiplications with constants.

Number of Rounds.
The numbers of rounds are $R_F = 6$ for the external ones (that is, 4 at the beginning and 2 at the end) and for the internal ones (where we add a 12.5% security margin, as in Poseidon).

Design Rationale
By a simple computation, the number of $\mathbb{F}_p$-multiplications required to evaluate Poseidon is $O(16 \cdot t)$ for $d = 3$ and $O(24 \cdot t)$ for $d = 5$ (where $d = 3, 5$ are the two most common values used in ZK protocols). In order to design Neptune, we decided to focus only on the external full rounds, since we noticed that the number of internal partial rounds is almost constant with respect to $t$. For this reason, we decided not to modify them. Regarding the external rounds, and in order to make use of the results proposed in this paper, the goals we tried to achieve were:
1. having a full round that does not cost more than $t$ $\mathbb{F}_p$-multiplications;
2. being able to guarantee security against statistical attacks via a small number of full external rounds.
As a result, instead of limiting ourselves to an uneven distribution of the S-Boxes, we propose two different round functions, one for the internal part and one for the external one.
Open Conjectures for Future Work. As we have already seen, given any quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$ for $m = 2, 3$, the corresponding function $S$ defined over $\mathbb{F}_p^n$ as in Def. 1 is not invertible for $n \geq 3$ and $n \geq 5$ respectively. We conjecture that the same occurs for bigger values of $m$. More formally:
Conjecture 1. Let $p \geq 3$ be a prime integer, and let $1 \leq m \leq n$. For each $m$, there exists a finite integer $n_{max}(m)$ such that, given any quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$, the corresponding function $S$ over $\mathbb{F}_p^n$ defined as in Def. 1 is not invertible for any $n \geq n_{max}(m)$.
E.g., if $m = 1$, then $n_{max} = 1$; if $m = 2$, then $n_{max} = 3$; if $m = 3$, then $n_{max} = 5$. Moreover, based on the result proposed in Sect. 3.3, $n_{max}(m) \geq m + 1$ for each $m \geq 2$. Indeed, given a quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$, the Lai-Massey functions defined over $\mathbb{F}_p^m$ as in Sect. 3.3 are invertible.
If the conjecture is true, it would be interesting to analyze how fast $n_{max}(m)$ grows. The current results for $m \in \{1, 2, 3\}$ suggest that $n_{max}(m) = 2 \cdot m - 1$. By applying Corollary 2 to a generic $m$, we can construct an invertible function $S_F$ over $\mathbb{F}_p^{2 \cdot (m-1)}$ via a quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$ (e.g., $F(x_0, x_1, \ldots, x_{m-1}) = x_0 + (x_0 - x_{m-1})^2$). Such a result is not in conflict with the value $n_{max}(m) = 2 \cdot m - 1$ just given. The same happens when applying Prop. 11 to the results proposed in this paper. E.g., in the case $g = h \geq 2$ (which includes both the Lai-Massey constructions proposed in Sect. 3.3 and the functions proposed in Prop. 10 and in Prop. 9 for $g = h = 3$), we get $m = g + (g-1) \cdot z$ and $n = g \cdot (z+1)$ for any $z \geq 0$. If the conjecture "$n_{max}(m) = 2 \cdot m - 1$" is true, this implies that, given a local quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$, it is not possible to set up an invertible function $S$ over $\mathbb{F}_p^n$ defined as in Def. 1 for $n \gg m$.
Concatenation of Independent S-Boxes. At the current state, we do not know any (non-trivial) quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$ for which it is possible to set up an invertible function $S$ over $\mathbb{F}_p^n$ as in Def. 1 for $n \gg m$. For this reason, we are "forced" to set up the non-linear layer of the external rounds as a concatenation of independent quadratic S-Boxes defined either over $\mathbb{F}_p^2$ or over $\mathbb{F}_p^3$. Based on our results, possible options for $F : \mathbb{F}_p^m \to \mathbb{F}_p$ include:
• the Lai-Massey constructions, as in Sect. 3.3;
• the functions as in Prop. 9.
We decided to discard the last two functions, since they would force us to consider separately the case $p = 1 \bmod 3$ from the case $p = 2 \bmod 3$. Regarding the first option, the two Lai-Massey functions admit invariant subspaces, that is, there exists a subspace $X \subset \mathbb{F}_p^m$ which is invariant through the non-linear function. E.g., $\langle [1, 1]^T \rangle$ is invariant for the case $m = 2$, while $[1, 1, 0]^T$, $[1, 0, 1]^T$, $[0, 1, 1]^T$ (and their linear combinations) are invariant for the case $m = 3$. We opted for the smallest $m$, since it also allows us to cover a larger range of values of $t$, besides the fact that it admits a smaller number of invariant subspaces.
Let $F(x_0, x_1) = \alpha \cdot x_0 + (x_0 - x_1)^2$ for $\alpha \in \mathbb{F}_p \setminus \{0\}$, and let $S_F$ over $\mathbb{F}_p^2$ be defined as in Def. 1. Due to the presence of the invariant subspace $\langle [1, 1]^T \rangle$, we do not use $S_F$ directly, but we consider $S'(x_i, x_{i+1})$ defined as The invertible matrix $[2, 1; 1, 3]$ and the vector $[\gamma; 0]$ (for $\gamma \neq 0$) have been chosen in order to destroy the invariant subspace $\langle [1, 1]^T \rangle$. Note that $S'$ over $\mathbb{F}_p^2$ costs 2 $\mathbb{F}_p$-multiplications, which implies that $S^{(E)}$ over $\mathbb{F}_p^t$ costs $t$ $\mathbb{F}_p$-multiplications.
The Linear Layer $M^{(E)}$. The S-Box $S'$ over $\mathbb{F}_p^2$ mixes two $\mathbb{F}_p$-words in a non-linear way. Hence, it is not necessary to instantiate the linear layer with e.g. a $t \times t$ MDS matrix in order to achieve both full diffusion and a high number of active S-Boxes over two consecutive rounds. Indeed, it is not hard to check that such a goal can be achieved by mixing only the first output components of the S-Boxes among themselves via an MDS matrix $M'$, and independently only the second output components of the S-Boxes among themselves via a different MDS matrix $M''$. This is exactly the definition of $M^{(E)}$, for which half of the components are equal to zero. Moreover, it is not hard to check that $M^{(E)}$ is invertible.
Low-Degree Inverse. By considering only the external rounds, a concrete drawback of the quadratic Lai-Massey function is that its degree is low both in the forward and in the backward direction. For this reason, the partial rounds instantiated with an invertible power map (which has low degree in e.g. the forward direction and high degree in the backward one) play a crucial role in stopping Meet-in-the-Middle (MitM) attacks. Indeed, we recall that the inverse $x \mapsto x^{d'}$ of $x \mapsto x^d$ satisfies $(d \cdot d' - 1) \bmod (p-1) = 0$ (due to Fermat's little theorem $x^p = x \bmod p$ for each $x \in \mathbb{F}_p \setminus \{0\}$), which implies that $d'$ is approximately of the same order as $p$ (for small values of $d$).

Initial Matrix Multiplication.
With respect to Poseidon, we emphasize that the input of Neptune-$\pi$ is multiplied by $M^{(E)}$ before the first S-Box layer is applied. This could make a difference in the case of algebraic attacks. Indeed, remember that the invertible S-Box layer is defined via the concatenation of independent non-linear functions. If no initial diffusion/matrix multiplication takes place, one can ignore the first S-Box layer (by replacing the initial value $IV$ with the corresponding output via the S-Box layer), with the result of making the attack independent of the first S-Box layer, and so of its degree. Once a solution is found at the output of the first S-Box layer, it is possible to invert it in order to find the corresponding solution at the input of the permutation and so of the hash function. A similar scenario could occur at the end of the permutation if no full diffusion takes place.

Security Analysis
Due to the similarities between Poseidon and Neptune, we emphasize that (almost) all the attacks work in the same way for the two schemes. This means that we are going to adapt the security analysis of Poseidon to Neptune.

(Invariant) Subspace Trails for the Internal Rounds
As already pointed out in [BCD+20, KR21], there exist several subspaces of $\mathbb{F}_p^t$ that are invariant through the internal rounds of Poseidon and so of Neptune. The matrix $M^{(I)}$ plays a crucial role in destroying them.
Definition 6 ((Invariant) Subspace Trail [LAAZ11, LMR15, GRR16]). Let $(U_0, \ldots, U_l)$ denote a set of $l+1$ subspaces of $\mathbb{F}_p^t$ with $\dim(U_i) \leq \dim(U_{i+1})$. $(U_0, \ldots, U_l)$ is a subspace trail of length $l$ with respect to the function $R$ defined over $\mathbb{F}_p^t$ if for each $i \in \{0, \ldots, l\}$ and for each $\alpha_i \in \mathbb{F}_p^t$ there exists $\alpha_{i+1} \in \mathbb{F}_p^t$ such that If $U_i = U_j$ for each $i, j = 0, \ldots, l$ (that is, the subspace is invariant), the trail is called an invariant subspace trail.
Following Poseidon, for each $i \geq 0$, let's define the subspace $X_i \subseteq \mathbb{F}_p^t$ as As shown in [GRS21, GSW+21], the matrix $M^{(I)}$ must be chosen in order to guarantee that no subspace $X_i$ is invariant for an arbitrary number of internal rounds and, more generally, that no subspace trail can cover an arbitrary number of internal rounds. We suggest using the tool presented in [GRS21] in order to properly choose the matrix $M^{(I)}$ for this goal. This implies that e.g. no more than $t-1$ internal rounds can be covered without activating any S-Box $x \mapsto x^d$.

Statistical Attacks
The external rounds aim to provide security against statistical attacks. Working as in HadesMiMC or as in Poseidon (see [GLR+20, Sect. 4.2] for details), the idea is that the permutation composed of the external rounds only (that is, with the internal rounds replaced by an invertible linear layer) resists statistical attacks. Here we focus on (truncated) differential and rebound attacks. As in Poseidon, security against these attacks implies security against other statistical attacks, such as linear cryptanalysis [Mat93], impossible differential [Knu98, BBS99], integral [DKR97], zero-correlation linear [BR11, BR14], multiple-of-n/mixture differential [GRR17, Gra18], and so on.
Differential Attacks. Given pairs of inputs with some fixed input differences, differential cryptanalysis [BS93] considers the probability distribution of the corresponding output differences produced by the cryptographic primitive. Let $\delta, \Delta \in \mathbb{F}_p^n$ be respectively the input and the output differences through a permutation $P$ over $\mathbb{F}_p^n$. The differential probability (DP) of having a certain output difference $\Delta$ given a particular input difference $\delta$ is equal to In the case of iterated schemes, a cryptanalyst searches for ordered sequences of differences over any number of rounds, called differential characteristics/trails. Assuming the independence of the rounds, the DP of a differential trail is the product of the DPs of its one-round differences.
Definition 7. Let $P$ be a permutation over $\mathbb{F}_{p^n} \equiv \mathbb{F}_p^n$. Its maximum differential probability is defined as $DP_{max} = \max_{\delta, \Delta \in \mathbb{F}_p^n \setminus \{0\}} \mathrm{Prob}_P(\delta \to \Delta)$.
Working over two consecutive rounds, the minimum number of active S-Boxes is $t' + 1$, due to the fact that (1st) both $M'$ and $M''$ are MDS matrices (with branch number equal to $t' + 1 = t/2 + 1$) and (2nd) they are "independent", in the sense that they work over independent $t'$ $\mathbb{F}_p$-words. This means that the overall probability of each differential trail over three repetitions of two consecutive rounds is at most since $t = 2t'$ and $p^t = p^c \cdot p^r \geq 2^{3\kappa}$. As a result, when targeting a security level of $\kappa$ bits, three repetitions of two consecutive rounds are sufficient for preventing classical differential attacks.
By considering the internal rounds as well (as suggested in e.g. [KR21]), we point out that the probability of every differential trail is even smaller; more precisely, it is at most (where $\lfloor R_I / t \rfloor \geq 1$), due to the fact that at least one S-Box $x \mapsto x^d$ is active every $t$ internal rounds.
Truncated Differential and Rebound Attacks. Truncated differential [Knu94] is a variant of the classical differential attack in which the attacker specifies only part of the difference between pairs of texts. In the particular case of a hash function, truncated differentials can be exploited in order to set up rebound attacks [MRST09]. The goal of this attack is to find two (input, output) pairs such that the two inputs satisfy a certain (truncated) input difference and the corresponding outputs satisfy a certain (truncated) output difference.
Due to the choice of the matrix $M^{(E)}$ and working as in Poseidon (see [GKR+21, Sect. 5.5.1] for details), no truncated differential (equivalently, subspace trail) with probability 1 can cover more than a single round. In particular, while the S-Box $S'$ is defined over $\mathbb{F}_{p^2} \equiv \mathbb{F}_p^2$, we point out that the matrix $M^{(E)}$ does not admit an equivalent representation over $\mathbb{F}_{p^2}^{t' \times t'}$. Indeed, consider the field $\mathbb{F}_{p^2} = GF(p)[x]/P(x)$, where $P$ is an irreducible polynomial of the form $P(x) = x^2 - \eta$ with $\mathcal{L}_p(\eta) = -1$. The product of two elements $a$ It is simple to observe that each $2 \times 2$ sub-matrix of $M^{(E)}$ is of the form Eq. (12) if and only if $M'_{i,j} = M''_{i,j}$, which can never hold due to the definition of $M'$, $M''$. Due to these facts and working as in Poseidon (for which both the S-Boxes and the matrix multiplications are defined over the same field $\mathbb{F}_p$), we conjecture that six external rounds are sufficient for preventing rebound attacks.

Algebraic Attacks
Interpolation Attacks. The interpolation attack [JK97] aims to construct an interpolation polynomial that describes the function. Such a polynomial can be used in order to set up a distinguisher and/or an attack on the symmetric scheme. The attack does not work if the number of unknown monomials is sufficiently large (e.g., larger than the data available for the attack). In the MitM scenario, the attacker constructs two polynomials, one involving the input(s) and one involving the output(s), which must match in the middle.
Due to the presence of the map $x \mapsto x^d$ in the internal rounds, the final two full rounds combined with three internal rounds ensure maximum degree in the backward direction (remember that $1/d \equiv d'$ such that $(d \cdot d' - 1) \bmod (p-1) = 0$, so $d'$ is of the same order as $p$). Working as in Poseidon (see [GKR+21, Sect. 5.5.2] for details) and in order to guarantee security against the interpolation attack, the number of internal rounds $R_I$ must satisfy where (1st) the two final rounds and 3 internal rounds are necessary for reaching maximum degree in the backward direction and (2nd) the first round is not taken into account, since no full diffusion is achieved. Finally, we add $t$ internal rounds due to the possibility of covering them with an invariant subspace trail (which would imply no degree growth), and $\log_d(t)$ additional internal rounds in order to ensure that the polynomial is dense.
Before going on, we recall that security against the interpolation attack implies security against the higher-order differential attack [Lai94, Knu94], due to the results presented in [BCD+20, Prop. 1].
Factorization and Gröbner Basis Attacks. Polynomial factorization can be used to solve a single univariate equation $F(x) = 0$ for a polynomial $F$ over $\mathbb{F}_p$. E.g., in the case $r \geq 1$, factorization can be used to find a pre-image of $h \in \mathbb{F}_p$ by solving , where $IV \in \mathbb{F}_p^c$ is the initial value that instantiates the inner part. In such a case, it is actually not necessary to find the full factorization of the polynomial, since one root is sufficient for setting up the attack. The cost of finding a root is proportional to the degree $\Delta$ of the polynomial $F$, more precisely as shown in [vzGG13]. It is easy to check that security against the interpolation attack implies security against this attack as well.
Gröbner basis [Buc76] generalizes factorization, and it allows to solve a system of non-linear equations that describe the function. As we explain in App. C.2, the cost of such an attack depends on the number and on the degree of the equations, on the number of variables, and also on whether the equations to solve are dense or not. In [GKR+21, Sect. 5.5.2], the authors showed that the security of Poseidon against the interpolation attack implies security against Gröbner basis attacks. As one may expect, in App. C.2 we show that the same conclusion holds for Neptune as well, due to the similarity between the internal rounds of Neptune and those of Poseidon.

Multiplicative Complexity: Poseidon versus Neptune
With these results in mind, we finally compare the multiplicative complexity of Poseidon and Neptune. By simple computation: Besides that, we point out that
• the matrix multiplication of each external round of Neptune costs $t^2/2$ multiplications with constants versus $t^2$ multiplications with constants in the case of Poseidon (besides the fact that Neptune has two external/full rounds less than Poseidon);
• in Poseidon, the same matrix $M$ is used for the full/external rounds and for the partial/internal ones. Since such a matrix must prevent arbitrarily long subspace trails with probability 1 for the partial/internal rounds, it cannot be instantiated with e.g. a circulant matrix. Vice versa, the MDS matrices $M', M''$ in the external rounds of Neptune do not have to satisfy such a requirement. Hence, they can be instantiated with e.g. $\mathrm{circ}(2, 1, 1)$ or $\mathrm{circ}(3, 2, 1, 1)$ for $t' \in \{3, 4\}$ respectively;
• both Neptune and Poseidon admit an equivalent representation in which the matrix multiplication of each internal/partial round costs $2 \cdot t$ multiplications with constants (for more details, we refer to [GLR+19, GLR+20, App. C]). However, in such a representation, the matrix of the internal/partial round is not fixed, that is, it changes at every round. Without using such an equivalent representation, the matrix multiplication of each internal round of Neptune can cost only $t$ multiplications with constants, besides being fixed.
These facts could represent an advantage of Neptune with respect to Poseidon from the plain-performance point of view.

B.2 Practical Results
In order to carry out the practical experiments, we implemented the brute-force collision-search algorithm described in Algorithm 1: for each quadratic function $F : \mathbb{F}_p^m \to \mathbb{F}_p$ we look for a collision in the domain of the corresponding function $S_F$ (as defined in Def. 1) over $\mathbb{F}_p^n$ for $n \geq m$. We aim to practically verify that no invertible function $S_F$ exists for the cases (1st) $m = 2$ and $n \geq 3$ (as proved in Theorem 3) and (2nd) $m = 3$ and $n \geq 5$ (as proved in Theorem 4). We verify it practically just for small values of $p$ and $n$, while the theoretical proofs confirm that the behavior that occurs for small values is also valid for all $p \geq 3$.
The tests have been done on an Intel 40-core Xeon E5-2698 v4 @ 2.20GHz. The results of the practical experiments are given in Table 3, describing for each $p \geq 3$:
• the number of balanced quadratic functions with respect to the total number of functions $F$;
• the maximum value of $n$ tested (denoted as "max $n$");
• the total runtime in hours/days.
We restrict the domain of functions $F$ by using the equivalence classes introduced in Sect. B.1 (that is, $\alpha_{0,0,0} = 0$, $\alpha_{2,0,0}, \alpha_{0,0,1} \in \{0, 1\}$). As described in Algorithm 1, tests are divided into two main phases: (1st) the balanced testing and (2nd) the collision search. The time each step requires depends on the case considered:
• $d = 2$ and $m = 2$: the balanced testing takes just 0.1% of the total runtime, while the collision search takes most of the time spent on the tests;
• $d = 2$ and $m = 3$: runtimes for balanced testing and collision search depend on $p$, e.g. for $p = 3$ the balanced testing takes 0.1% of the total runtime, while for $p = 11$ it takes 88%.
Anyway, the balanced-testing and collision-search runtimes depend strongly on the number of iterations that the program requires in order to establish whether a function is balanced or, respectively, invertible (i.e., to find the first collision), since the program works iteratively, testing for each value whether its image has already been evaluated as the image of another value.
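As an added illustration of the two phases of Algorithm 1 (this is not the authors' implementation), the following Python code enumerates every quadratic $F : \mathbb{F}_p^m \to \mathbb{F}_p$ with zero constant term for a toy prime, runs the balanced test and then the brute-force collision search on $S_F$ over $\mathbb{F}_p^n$; the further equivalence-class reductions of Sect. B.1 ($\alpha_{2,0,0}, \alpha_{0,0,1} \in \{0,1\}$) are not applied, so it visits more functions than the paper's search does.

```python
import itertools

def quadratic_monomials(m):
    """Exponent tuples of the non-constant monomials of degree <= 2 in x_0..x_{m-1}.
    Fixing alpha_{0,...,0} = 0 is the only reduction of Sect. B.1 applied here."""
    return [e for e in itertools.product(range(3), repeat=m) if 1 <= sum(e) <= 2]

def make_F(mons, coeffs, p):
    """F(x) = sum_e coeffs[e] * prod_i x_i^{e_i} mod p (coeffs play the role of the alpha_e)."""
    terms = [(a, e) for a, e in zip(coeffs, mons) if a]
    def F(x):
        acc = 0
        for a, e in terms:
            term = a
            for xi, ei in zip(x, e):
                if ei:
                    term = term * pow(xi, ei, p) % p
            acc += term
        return acc % p
    return F

def is_balanced(F, m, p):
    """Phase 1 of Algorithm 1: every value must be hit exactly p^(m-1) times.
    This is necessary (not sufficient) for S_F to be invertible."""
    counts = [0] * p
    for x in itertools.product(range(p), repeat=m):
        counts[F(x)] += 1
    return all(c == p ** (m - 1) for c in counts)

def find_collision(F, m, n, p):
    """Phase 2: brute-force collision search for S_F over F_p^n, where
    S_F(x)_i = F(x_i, ..., x_{i+m-1}) with indices taken mod n (Def. 1).
    Returns (x, y) with x != y and S_F(x) == S_F(y), or None if S_F is a permutation."""
    seen = {}
    for x in itertools.product(range(p), repeat=n):
        image = tuple(F(tuple(x[(i + j) % n] for j in range(m))) for i in range(n))
        if image in seen:
            return seen[image], x
        seen[image] = x
    return None

def survey(p, m, n):
    """Sweep over all F of degree exactly 2 with zero constant term.
    Returns (number of balanced F, number of F whose S_F over F_p^n is invertible)."""
    mons = quadratic_monomials(m)
    balanced = invertible = 0
    for coeffs in itertools.product(range(p), repeat=len(mons)):
        if all(a == 0 for a, e in zip(coeffs, mons) if sum(e) == 2):
            continue  # affine F (e.g. F = x_0 gives the identity): not a quadratic function
        F = make_F(mons, coeffs, p)
        if not is_balanced(F, m, p):
            continue
        balanced += 1
        if find_collision(F, m, n, p) is None:
            invertible += 1
    return balanced, invertible

if __name__ == "__main__":
    # Toy primes only (constructed for the demo); Table 3 of the paper covers larger p and n.
    for p, m, n in [(3, 2, 2), (3, 2, 3), (5, 2, 2), (5, 2, 3)]:
        bal, inv = survey(p, m, n)
        print(f"p={p} m={m} n={n}: balanced F = {bal}, invertible S_F = {inv}")
```

For $m = 2$ the sweep finds invertible $S_F$ only for $n = 2$ (the Lai-Massey case) and none for $n = 3$, matching Theorem 3.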

C.1 Maximum Differential Probability of S
Let $p \geq 3$ be a prime integer, and let $S' : \mathbb{F}_p^2 \to \mathbb{F}_p^2$ be defined as in (11). Here we prove that its maximum differential probability is $p^{-1}$.
In order to do this, we proceed in two steps:
• first, we compute the maximum differential probability of $S_F$ over $\mathbb{F}_p^2$ defined as in Def. 1 via $F(x_0, x_1) = \alpha \cdot x_0 + \beta \cdot (x_0 - x_1)^2$;
• based on this result, we compute the maximum differential probability of $S'$.
Maximum Differential Probability of $S'$. Given $(\delta_0, \delta_1), (\Delta_0, \Delta_1) \in \mathbb{F}_p^2 \setminus \{(0, 0)\}$, the maximum differential probability of $S'$ is given by In our case, condition (13) becomes: that is Hence, the probability given in (14) reduces to Such a probability is never bigger than $p^{-1}$, since:
• This implies that the first probability is equal to 1. If $\delta_0 \neq \delta_1$, then the first probability is $1/p$;
• This implies that the second probability is equal to 1. If $\Delta_0 \neq \Delta_1$, then the second probability is $1/p$;
• if $\delta_0 = \delta_1$ and $\Delta_0 = \Delta_1$, then In such a case, the overall probability is equal to zero, since we cannot have a zero difference in the middle when the input/output differences are non-zero (remember that the construction is invertible).
It follows that the probability is maximum when either $\delta_0 = \delta_1$ or $\Delta_0 = \Delta_1$, and in such a case it is equal to $1/p$.
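The S-Box $S'$ of the external rounds (Sect. Design Rationale) and the bound $DP_{max} = p^{-1}$ just derived can be checked exhaustively for a toy prime. The following Python code is an added example, not code from the paper; it assumes $\alpha = \beta = 1$ and reads Eq. (11) as $S'(x) = S_F(M \cdot S_F(x) + [\gamma; 0])$ with $M = [2, 1; 1, 3]$, which is the form consistent with the stated cost of two multiplications and with the two-step argument above (a "first" and a "second" probability with a difference "in the middle").

```python
import itertools

def lai_massey(x, p, alpha=1):
    """S_F over F_p^2 (Def. 1 with n = m = 2) for F(x0, x1) = alpha*x0 + (x0 - x1)^2:
    y0 = F(x0, x1), y1 = F(x1, x0).  One squaring, hence one F_p-multiplication."""
    x0, x1 = x
    sq = (x0 - x1) ** 2 % p
    return ((alpha * x0 + sq) % p, (alpha * x1 + sq) % p)

def lai_massey_inv(y, p, alpha=1):
    """Inverse: y0 - y1 = alpha*(x0 - x1) recovers u = x0 - x1 linearly, then x0 = (y0 - u^2)/alpha."""
    y0, y1 = y
    inv_a = pow(alpha, -1, p)
    u = (y0 - y1) * inv_a % p
    x0 = (y0 - u * u) * inv_a % p
    return (x0, (x0 - u) % p)

M = ((2, 1), (1, 3))   # the invertible matrix of the text; det M = 5, so the toy p must not be 5

def s_prime(x, p, alpha=1, gamma=1):
    """Assumed reading of Eq. (11): S'(x) = S_F( M * S_F(x) + [gamma, 0] ).
    Two Lai-Massey layers around the affine map that breaks the invariant line <[1,1]^T>."""
    y0, y1 = lai_massey(x, p, alpha)
    mid = ((M[0][0] * y0 + M[0][1] * y1 + gamma) % p,
           (M[1][0] * y0 + M[1][1] * y1) % p)
    return lai_massey(mid, p, alpha)

def s_prime_inv(y, p, alpha=1, gamma=1):
    """Undo the outer S_F, the constant, M (via its adjugate over det = 5) and the inner S_F."""
    z0, z1 = lai_massey_inv(y, p, alpha)
    z0 = (z0 - gamma) % p
    inv_det = pow(5, -1, p)
    mid = ((3 * z0 - z1) * inv_det % p, (-z0 + 2 * z1) * inv_det % p)
    return lai_massey_inv(mid, p, alpha)

def is_permutation(fn, p):
    return len({fn(x) for x in itertools.product(range(p), repeat=2)}) == p * p

def maps_diagonal_to_itself(fn, p):
    """True iff fn maps every (a, a) to some (b, b), i.e. <[1,1]^T> is an invariant subspace."""
    return all(fn((a, a))[0] == fn((a, a))[1] for a in range(p))

def max_differential_count(fn, p):
    """N_max = max over nonzero (delta, Delta) of #{x : fn(x + delta) - fn(x) = Delta};
    DP_max of Def. 7 equals N_max / p^2."""
    best = 0
    for delta in itertools.product(range(p), repeat=2):
        if delta == (0, 0):
            continue
        counts = {}
        for x in itertools.product(range(p), repeat=2):
            y = fn(x)
            yd = fn(((x[0] + delta[0]) % p, (x[1] + delta[1]) % p))
            out = ((yd[0] - y[0]) % p, (yd[1] - y[1]) % p)
            counts[out] = counts.get(out, 0) + 1
        best = max(best, max(counts.values()))
    return best

if __name__ == "__main__":
    p = 7   # constructed toy prime; Neptune itself uses p > 2^63
    f = lambda x: lai_massey(x, p)
    g = lambda x: s_prime(x, p)
    print("S_F: invariant diagonal =", maps_diagonal_to_itself(f, p),
          " N_max =", max_differential_count(f, p), "of", p * p)
    print("S' : invariant diagonal =", maps_diagonal_to_itself(g, p),
          " N_max =", max_differential_count(g, p), "of", p * p)
```

For $S_F$ alone the diagonal difference $(d, d)$ propagates with probability 1 (the invariant subspace), whereas for $S'$ the exhaustive count is exactly $p$ out of $p^2$, i.e. $DP_{max} = p^{-1}$.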

C.2 Gröbner Basis Attacks on Neptune
The cost of the Gröbner basis attack depends on the system of equations that describes Neptune. As usually done in the literature, instead of considering (collision and/or preimage) attacks on the sponge hash function, we focus on the CICO problem on the permutation that instantiates Neptune.
Definition 8. The invertible function $G : \mathbb{F}_p^t \to \mathbb{F}_p^t$ is $\kappa$-secure against the CICO $(t_1, t_2)$-problem (where $t_1, t_2 < t$) if there is no algorithm with expected complexity smaller than $2^\kappa$ that for given $i_1 \in \mathbb{F}_p^{t_1}$ and $o_1 \in \mathbb{F}_p^{t_2}$ finds $i_2, o_2$ such that $G(i_1 \| i_2) = o_1 \| o_2$.
We consider two approaches:
• working on the relation between the input and the output of the entire permutation;
• working at round level.
Preliminary. The Gröbner basis attack consists of three steps:
1. first, the attacker needs to set up the equation system and compute a Gröbner basis for it;
2. secondly, they perform a change of term ordering for the basis, usually going to a term order which makes it easier to eliminate variables and find the solutions;
3. finally, the attacker uses the system obtained in the second step in order to start solving for the variables.
As is usually done in the literature, here we focus on the complexity of the first step (i.e., computing a Gröbner basis), which can be estimated by $\binom{n_v + D_{reg}}{n_v}^{\omega}$ operations, where $D_{reg}$ is the degree of regularity, $n_v$ is the number of variables, and $2 \leq \omega < 3$ is a constant representing the complexity of a matrix multiplication. Let $n_e$ denote the number of equations in the polynomial system and $d_i$ the degree of the $i$-th equation. Directly computing $D_{reg}$ is hard in general, but an estimate for regular sequences (namely, in the case $n_e = n_v$) is given by $D_{reg} = 1 + \sum_{i=1}^{n_e} (d_i - 1)$.

C.2.1 Working on the Input and the Output
Let's first consider the input and the output of the permutation, focusing on the case in which the number of unknown input variables $x$ is equal to the number of known output variables. In such a case, we get $x$ equations of degree $4^6 \cdot d^{R_I} = 2^{12 + R_I \cdot \log_2(d)}$ (we assume that $R_F = 6$ is fixed) in $x$ variables. Hence, we have that which implies a cost of approximately $\binom{x + D_{reg}}{x}^{\omega}$ assuming a semi-regular system (as done for Poseidon). Since $\omega \geq 2$ (the best scenario for the attacker), we have that where $x! \leq x^x$ for each $x \geq 1$. In order to guarantee $\kappa$ bits of security: $(2^{12 + R_I \cdot \log_2(d)})^{2x} \geq \min\{2^\kappa, p^x\}$.
The maximum is obtained for $x = 1$, which implies which is always satisfied by the number of rounds required to prevent the interpolation attack.

C.2.2 Working at Round Level
Another possibility for setting up the Gröbner basis attack consists of working at round level. In such a case:
• every internal round can be described as a single equation of degree $d$;
• every external round can be described via $t$ equations of degree 2. Indeed, assuming for simplicity $\alpha = \beta = 1$, note that given $(y_0, y_1) = S'(x_0, x_1)$, we have
It follows that we have
• $R_I$ equations of degree $d$;
• $R_F \cdot t - c$ equations of degree 2 (note that the final $c$ $\mathbb{F}_p$-elements are truncated)
in $R_F \cdot t - c + R_I$ variables (note that the inner part is instantiated with a fixed initial value). Assuming a semi-regular system and $R_F = 6$, we have that As in the case of Poseidon, the number of rounds necessary for preventing the interpolation attack satisfies the inequality where $R'_I = R_I - t$ in order to take into account the fact that (up to) $t$ internal rounds can be skipped via an invariant subspace.

Figure 1: A sponge hash function instantiated with a permutation $\mathcal{P}$.

Table 1: Comparison between Poseidon and Neptune, both instantiated with $d = 3$, for the case $p \approx 2^{256}$, $\kappa = 128$ and several values of $t$.

Table 2: Comparison between Poseidon and Neptune, both instantiated with $d = 5$, for the case $p \approx 2^{256}$, $\kappa = 128$ and several values of $t$.

• Neptune requires $(6 + (\lfloor \log_2(d) \rfloor + hw(d) - 1)) \cdot t + (\lfloor \log_2(d) \rfloor + hw(d) - 1) \cdot (R_I - t)$ $\mathbb{F}_p$-multiplications, where $(R_I - t)$ is almost constant with respect to $t$;
• Poseidon requires $(\lfloor \log_2(d) \rfloor + hw(d) - 1) \cdot (8 \cdot t + R_P)$ $\mathbb{F}_p$-multiplications, where again $R_P$ is almost constant with respect to $t$. Note that $R_P \approx R_I - t$.
In the case of large $t \gg 1$ and for $d = 3$, Neptune requires $O(8 \cdot t)$ $\mathbb{F}_p$-multiplications versus the $O(16 \cdot t)$ $\mathbb{F}_p$-multiplications required by Poseidon. Similarly, in the case of large $t \gg 1$ and for $d = 5$, Neptune requires $O(9 \cdot t)$ $\mathbb{F}_p$-multiplications versus the $O(24 \cdot t)$ $\mathbb{F}_p$-multiplications required by Poseidon. More concretely, a comparison between the two schemes for small values of $t$ is proposed in Table 2 for the case $p \approx 2^{256}$. As it is possible to observe, Neptune always has a smaller multiplicative complexity than Poseidon.

Since the first step stops when one entry of $a \in \mathbb{N}^p$ is bigger than $p^{m-1}$, we need $\log_2(p^{m-1})$ bits for each entry of such an array. Regarding the computational cost, for each function $F : \mathbb{F}_p^m \to \mathbb{F}_p$:
• we have to test $p^m$ different inputs in order to check if $F$ is balanced;
• if the function $F$ is balanced, we have to test $p^n$ different inputs in order to check if $S$ is invertible.
This requires $O(p^m \cdot 2^2 \cdot p^{(m^2 + 3m - 4)/2} \cdot p^n)$ steps (namely, memory accesses, evaluations of the function $F$, etc.). Note that these are just rough estimates, since several functions $F$ are, e.g., discarded in the first step if they are not balanced.