Algebraic Attacks against Some Arithmetization-Oriented Primitives

. Recent advanced Zero-Knowledge protocols, along with other high-level constructions such as Multi-Party Computations (MPC), have highlighted the need for a new type of symmetric primitives that are not optimized for speed on the usual platforms (desktop computers, servers, microcontrollers, RFID tags...), but for their ability to be implemented using arithmetic circuits. Several primitives have already been proposed to satisfy this need. In order to enable an efficient arithmetization , they operate over large finite fields, and use round functions that can be modelled using low degree equations. The impact of these properties on their security remains to be completely assessed. In particular, algebraic attacks relying on polynomial root-finding become extremely relevant. Such attacks work by writing the cryptanalysis as systems of polynomial equations over the large field, and solving them with off-the-shelf tools ( SageMath , NTL, Magma , . . . ). The need for further analysis of these new designs has been recently highlighted by the Ethereum Foundation, as it issued bounties for successful attacks against round-reduced versions of several of them. In this paper, we show that the security analysis performed by the designers (or challenge authors) of four such primitives is too optimistic, and that it is possible to improve algebraic attacks using insights gathered from a careful study of the round function. First, we show that univariate polynomial root-finding can be of great relevance in practice, as it allows us to solve many of the Ethereum Foundation’s challenges on Feistel–MiMC. Second, we introduce a trick to essentially shave off two full rounds at little to no cost for Substitution-Permutation Networks (SPN). This can be combined with univariate (resp. multivariate) root-finding, which allowed to solve some challenges for Poseidon (resp. Rescue–Prime). Finally, we also find an alternative way to set up a system of equations to attack Ciminion, leading to much faster attacks than expected by the designers.


Introduction
Up until a few years ago, the vast majority of new symmetric primitives were optimized to run on the "usual" platforms, from high-end computers like desktops or servers with sophisticated processors handling e.g. vector and AES [AES01] instructions, all the way down to microcontrollers and RFID tags-the so-called lightweight cryptography. The design or the analysis of a primitive intended to run in such contexts will then be based on a vast literature, building upon decades of improvements of well-known techniques such as the differential attack [BS92,BS91].
Things are different in the arithmetization-oriented (AO) world. This term describes primitives that are not optimized for time and memory complexities on the usual platforms, but to yield an efficient representation as an arithmetic circuit, where the arithmetic operations considered are the addition and the multiplication in a large finite field F , where is typically at least equal to 2 63 , and is often a prime number. The subtleties of the arithmetization considered will impact the cost of each operation, and may in fact enable the use of more sophisticated operations (for example, Reinforced Concrete [GKL + 21] uses the ability of Plonk [GWC19] to evaluate lookup tables).
As a first approximation, AO designs must be such that there exists a low degree model of their round function. Suppose that such a primitive operates on F , for some ≥ 1, and that its round function is : F → F . Then there must exist a family of polynomials { } 0≤ < such that: • the multiplicative complexity of each is low (for efficiency purposes).
A direct approach to reach this goal is to use a low degree round function, as was done in Feistel-MiMC [AGR + 16], Poseidon [GKR + 21], and Ciminion [DGGK21]. A more sophisticated approach was introduced by the designers of Rescue [AAB + 20, SAD20], who remarked that such a low degree encoding was also possible if the inverse of the round function had a low degree. As a direct consequence of these design criteria, such primitives may be vulnerable to a specific form of cryptanalysis. Indeed, there exist off-the-shelf tools that are capable of finding the roots of a system of polynomials, and which are more efficient when the degree of the equations is lower. Such attacks have been lumped together and called algebraic attacks, but this simplification erases some important subtleties, as we will see.
Algebraic attacks are indeed a threat. For instance, Jarvis [AD18] was found to be vulnerable to some algebraic attacks [ACG + 19]: it turns out that the system of equations needed to model its round function envisioned by its designers could be greatly simplified in a systematic fashion. However, that is not to say that only such algebraic methods can be applied to such primitives. In fact, as shown in [BCD + 20], more classical distinguishers based on higher-order differentials and subspace trails can be applied to such primitives, namely the permutations GMiMC [AGP + 19], and Poseidon [GKR + 21]. Subspace-based attacks against the latter were substantially improved in [KR21]. The initial security margin of the AO block cipher MiMC [AGR + 16] against higher-order differentials was also re-assessed twice, first by Eichlseder et al. [EGL + 20], then by Bouvier et al. [BCP22].
The pressing need for a better understanding of the security of AO hash functions has pushed the Ethereum foundation to put forward a bounty 1 rewarding with thousands of dollars the best practical attacks against round-reduced versions of the permutations underlying several sponge-based AO hash functions, namely Reinforced Concrete [GKL + 21], Feistel-MiMC [AGR + 16], Poseidon [GKR + 21], and Rescue-Prime [AAB + 20, SAD20]. The specific parameter sets targeted at the time of publication of the bounties are specified in Appendix A, though some of the parameters have been updated since then as a consequence of our work.
Our Contributions. In this paper, we investigate the security offered by four different AO symmetric primitives, with a focus on attacks exploiting models of their round function as low degree polynomials. Indeed, the encoding of a primitive as a system of equations is not unique, and it is possible to find better ones than those considered by the authors in their original cryptanalysis. This in turn leads to attacks that can violate in practice the security claims made for round-reduced versions.
For round-reduced Feistel-MiMC, we mount an attack based on univariate root-finding that showcases a significant issue with the initial security claims put forward by the Ethereum Foundation, and which allowed us to find a practical attack against an instance initially thought of as "hard".
We also develop a general method to remove all the equations modelling the first 2 rounds of a Substitution-Permutation Network (SPN), provided that the first operation is the S-box layer rather than the linear layer, and that the S-box is a monomial-both of which usually hold. This has a significant impact on the complexity of solving the resulting system of equations, which allowed us to successfully apply a univariate rootfinding algorithm to round-reduced Poseidon, and a multivariate one to round-reduced Rescue-Prime.
Finally, we show an efficient way to build algebraic attacks against the Ciminion encryption scheme. In particular, the asymptotic complexity of our algebraic attack is (2 4 ), while the designers expected the best attack to have complexity (2 6 ), with the number of rounds, and the exponent of matrix multiplication. Since they added extra rounds as a security margin, we cannot break practical parameters, but in theory our attack breaks parameters targeting large security levels (e.g. = 1024). More importantly, it highlights the shortcomings of the initial security analysis of this algorithm.
Paper Outline. We start by introducing the necessary mathematical background and security definitions in Section 2. We then present general results on the resolution of polynomial systems in Section 3, both for multivariate and univariate techniques. We attack 3 out of 4 of the functions targeted by the Ethereum Foundation, namely Feistel-MiMC, Poseidon, and Rescue-Prime, in Section 4. Our cryptanalysis of the Ciminion encryption is in Section 5. We also present some detailed experimental results about the efficiency of our attacks in Section 6. Finally, Section 7 concludes the paper.

Notations
In what follows, we use F to denote the finite field with elements. might be a prime number (Feistel-MiMC, Poseidon, Rescue-Prime, Ciminion) or a power of 2 (Feistel-MiMC, Ciminion). In the challenges designed by the Ethereum fondation, = 2 64 − 59 is prime.
The set F is a vector space of F with canonical basis { 0 , ..., −1 }, where has only zero coordinates, except at position where it is equal to 1. We let : F → F be the projection mapping ( 0 , ..., −1 ) to .
The functions we consider operate over F , where ∈ {2, 3}. We then have that ( ) = ( 0 ( ), ..., −1 ( )), where each is of a coordinate of with = ∘ . Each can be uniquely written as and the degree of is the maximum degree of its coordinates.

Security Assessment
In this paper, we assess the security of several algorithms. Ciminion is an encryption scheme which uses a key of length to encrypt a given plaintext. In this case, the goal is simply to recover the key (or some subkeys) with a time complexity lower than 2 . While that case was simple to define, most of this work deals with the analysis of cryptographic permutations, which are intended for use in a sponge construction [BDPVA07] to build secure hash function. More precisely, we focus on Feistel-MiMC, Poseidon and Rescue-Prime. For such objects, the security requirement is a bit more subtle, but it is convincingly captured by the hardness of the following problem, nicknamed Constrained Input/Constrained Output (CICO).
Let < be an integer, and let be the vector space spanned by { 0 , ..., − −1 }. In other words, is the set of all the elements of F such that their last coordinates are equal to 0 (or, equivalently, such that ( ) = 0 for all − 1 − < < ).

Definition 1 (CICO Problem). Let
: F → F be a function, and let < be an integer. The CICO problem consists in finding ∈ F such that ∈ and ( ) ∈ .
A brute-force approach would solve this problem with a time complexity of about calls to the permutation: the idea would simply be to try random values of until one of them satisfies ( ) ∈ . The ability to solve this problem more efficiently than this brute-force search would potentially allow an attacker to find preimages for a given digest in a sponge mode, or could help with finding collisions, hence its relevance.
In what follows, we consider the case where = 1. In this case, we use the simpler notation = 1 .
The challenges described by the Ethereum Foundation are explicitly about solving the CICO problem for the permutations used by several AO hash functions, namely Feistel-MiMC, Poseidon, Rescue-Prime, and Reinforced Concrete. The details of the challenges are provided in Appendix A.

Systems of Polynomial Equations and their Resolution
Our attacks are based on modelling the cryptographic primitive using a system of polynomial equations, and then solving those using an off-the-shelf solver. The choice of the solving method has a significant impact on its performance. In general, in order to assess the security of a primitive against algebraic attacks, it is necessary to have some grip on the complexity of the various solving algorithms. In this section, we present some theoretical results on the resolution of univariate systems (Section 3.1), and then of multivariate systems (Section 3.2). Some experimental results on these attacks are presented in Section 6.
Overall, the univariate solving tends to be much more efficient. However, it cannot be applied to all algorithms as there are efficient methods to prevent its applicability, as was done by the designers of Rescue-Prime (see Section 4.4).
We assume that we can represent an attack against a cryptosystem with a well-defined system of variables 1 . . . in F , i.e composed of polynomial equations on variables: ( 1 , . . . We assume that the system is non-trivial and that there exists a solution (in F ) of this system that gives sufficient information to break the cryptosystem. This happens for example if a variable is a round key, if the variables describe a preimage under an algebraic hash function, or if we try to solve a CICO instance.

Solving Univariate Systems
In the univariate case, we have a system with a single equation and a single variable: ( ) = 0 .
Solving the system is equivalent to finding the roots of the polynomial ∈ F [ ] in a finite field of characteristic ; we denote the degree of as . We use fast arithmetic to multiply two polynomials of degree with (︀ log( ) log(log( )) )︀ field operations using an FFT algorithm. Using the following method, finding the roots requires only (︀ log( ) (︀ log( ) + log( ) )︀ log(log( )) )︀ field operations: 1. Compute = − mod . Computing mod requires ( log( ) log( ) log(log( )))) field operations using a double-and-add algorithm.
has the same roots as in the field F since = gcd( , − ), but its degree is much lower (it is exactly the number of roots). This requires ( log 2 ( ) log(log( ))) field operations.

Factor .
In general, is of degree one or two because has few roots in the field, and this step is of negligible complexity.
In particular, finding the roots inside the field is significantly easier than factoring the polynomial (it is quasi-linear in the degree).
For practical instances, we use the NTL library [Sho], a C++ library for number theory, and the computation is feasible for a degree up to roughly 2 32 (≈ 3 20 ) in a prime field F with ≈ 2 64 . We present some benchmarks in Section 6.1 for polynomials given by round-reduced version of Feistel-MiMC, of Poseidon and for random polynomials.

Solving a Multivariate System
In general, we have a system with polynomials in F [ 1 , . . . , ]. A system is said to be regular if for all , ∈ ⟨ 1 , . . . , −1 ⟩ ⇒ ∈ ⟨ 1 , . . . , −1 ⟩. The Fröberg conjecture states that this is the typical behaviour for random polynomial systems [Frö85]. However, recent studies have shown that polynomial systems representing algebraic cryptographic algorithms are often not regular [DG10,DY13,Sau22]. A thorough analysis of specific non regular systems is very complex for the designers, therefore a common practice is to estimate the complexity of the Gröbner basis attack for an equivalent regular system, and to add extra rounds to account for the non-regularity of the system. If the system is well-defined (as much equations as variables) and if the system can not be reduced to strictly less than equations (which holds for regular systems), then the number of solutions is finite in the algebraic closure of F . Let us denote the degree of the polynomial , the degree of the ideal ℐ = ⟨ 1 , . . . , ⟩, which is also the number of solutions in the algebraic closure of F , and reg the degree of regularity of ℐ, as defined by Dubois et al. in [DG10]. We have Moreover, the bounds are reached when the system is regular 2 . The main technique to solve the multivariate polynomial systems is to compute a Gröbner basis [Buc76] of the ideal ℐ. A Gröbner basis of ℐ, with respect to a total ordering on the set of monomials, is a particular generating set of ℐ. Gröbner basis become very interesting under the lexicographic order since they take the form Indeed, the solutions of this system are easy to recover iteratively by first computing the roots of 1 in F , then substituting 1 in polynomials 2, , then computing the roots of 2, , etc... Computing a Gröbner basis from a polynomial system can be done with Buchberger's algorithm [Buc76], or with more efficient algorithms such as F4 [Fau99] and F5 [Fau02] by Faugère. In practice, directly computing the Gröbner basis in lexicographic order is prohibitively expensive. Instead, Faugère et al. [FGLM93] proposed to first compute the Gröbner basis in another order, then to apply the FGLM algorithm to convert it into a Gröbner basis under the lexicographic order. To the best of our knowledge, the fastest algorithm to compute a Gröbner basis at the time of writing is Faugère's F5 algorithm [Fau02] in the grevlex (for graded reverse lexicographic) monomial order. In the end, the overall approach to solving a multivariate system of equations follows the following steps.
1. Compute a grevlex order Gröbner basis with the F5 algorithm.
2. Convert it into a lexicographic order Gröbner basis using the FGLM algorithm.
3. Find the roots in F of the Gröbner basis polynomials using univariate system resolution of subsection 3.1 and substitution.
Complexity. The complexity depends on the number of variables , the degree of the ideal and the degree of regularity reg . Below, we give estimates for the complexity of each step of the algorithm above.
1. Under the hypothesis that the polynomial system is regular, the complexity of the F5 algorithm is bounded by 3 where 2 ≤ ≤ 3 is the matrix multiplication exponent [BFS15, Proposition 1].
3. Since all the roots are computed in F , we can use the fast univariate system solving of subsection 3.1 with substitution. Experimentally, in most cases we have a small number of roots and ,1 ( ) is of degree 1 after substitution of 1 . . . −1 . This step is of complexity roughly ( log 2 ( )).
2 Note that the upper bound does not require the system to be regular. 3 In the security analysis of Ciminion, Rescue-Prime and Poseidon, another correct upper bound [BFS04] is used. For small , the bound that we give is sharper, but not necessarily for large . In particular, our bound is better to estimate the complexity of the Ciminion attack of Section 5.
When the polynomials have the same degree = and is small, the complexity of F5 is asymptotically smaller than the complexity of FGLM. With = and reg = × − +1, we obtain On the other hand, when the polynomials have small degrees = and is high, the complexity of F5 is asymptotically higher than the complexity of FGLM. Indeed, in this case we have = and reg = × − + 1, which implies Note that these two properties are only valid for regular systems. In the case of non-regular systems, these upper bounds are not tight and the complexity of F5 may be smaller than expected, as shown in Section 6.2.
Experimental results. In practice, we use the Magma system, and the computation is feasible up to roughly a degree = 3 9 in a prime field F with ≈ 2 64 . Our experimental results for round-reduced versions of Rescue-Prime, Ciminion and random systems are summarized in Section 6.2. In practice, FGLM (step 2) is the bottleneck; Magma uses the F4 algorithm for step 1, which is almost as fast as F5, but its implementation of FGLM seems to have a complexity that is cubic in .

CICO Cryptanalysis of Several Primitives
We now report our experimental results in solving the CICO problem for the challenges put forward by the Ethereum Foundation.
The complexities of some of our attacks are in line with designers' claims. However, we have found that, in practice, the exact claimed security level for a given number of rounds is not always clear. Furthermore, breaking challenges in practice gives a more concrete understanding of the security of reduced versions since we focus on upper bounds rather than lower bounds. Besides, some designers' security analysis rely on optimistic complexity assumptions (eg. ignoring log factors, or taking a small omega), so our attack may give more accurate security estimates. Attack description. In order to build a polynomial system representing the CICO problem, we consider an input state ( 0 , 0 ) = (X, 0). Then we evaluate the round function iteratively, as polynomials in F [X]:

Attacks Against Round-Reduced
The CICO problem becomes = 0: we just have to find the roots of = −1 . In practice, we use SageMath to generate the polynomial, and we compute the roots either directly from SageMath, or with an external program using NTL. The corresponding code is given in the Supplementary Material. Complexity Analysis. Since the round function has degree 3, we obtain a univariate polynomial −1 of degree = 3 −1 after − 1 rounds. We can estimate the complexity of finding the roots as: We give explicit values for the proposed challenges in Table 1. Parameters have changed while we were working on it, so "original" (Table 1a) and "new parameters" (Table 1b) are two sets of parameters proposed by the Ethereum Fondation, the first ones being less secure than the latter ones. We observe that the security claims from the Ethereum Foundation are close to 3 2 . This likely corresponds to an estimation of the complexity of a Gröbner base attack using equations of degree 3 in variables: the corresponding complexity would be 3 ≥ 3 2 . Besides, the original specification of Feistel-MiMC states that Lagrange interpolation attacks are espected to have a complexity of · 3 2 −3 , while GCDs attacks are espected to have a complexity of 2 · 3 /2−3 . As the latter leaves more freedom to the attacker, it does not apply in our context. However, we have chosen to put both in Table 1 for a fairer comparison.

Bypassing SPN Steps
Let = 0 ∘ 1 be a permutation of F , and be the vector space spanned by { 0 , . . . , −2 }. Suppose that there exists two vectors and in F such that for all X ∈ F . In this case, we write all the intermediate variables of 1 as polynomials in X, starting from the state X + , and evaluating round operations one by one as polynomials. Then we can find such that 1 ( + ) ∈ by finding a root of the polynomial corresponding to the last coordinate of the output. Finally, setting = ( 0 , 1 , . . . −1 ) = −1 0 ( + ) will yield a solution to the CICO problem, while the solver has to handle a polynomial based on 1 rather than the full . This approach is summarized in Figure 2, and we used it against both Poseidon (see Section 4.3) and Rescue-Prime (see Section 4.4).
Let us describe this trick in more detail. First, for the sake of consistency, we will use steps when referring to the constant addition, the S-box, and the linear part. Then one round of Poseidon consists of one step, and one round of Rescue-Prime of two steps: one using as S-box, the other using −1 .
Following Figure 4, the value 1 ( 0 −1 ) must satisfy It is the case provided for instance that: As a consequence, if we find a value X such that the image of ( 2 ( 0 )X, . . . , 2 ( −2 )X, ) through − 2 steps of the primitive is equal to (*, . . . , *, 0), then we will always be able to deduce an input ( 0 , 1 , . . . , −2 , 0) for steps of the primitive that is mapped to .

Application to Round-Reduced Poseidon
Design description. Poseidon [GKR + 21] is a family of hash functions, based on the HADES design strategy [GLR + 20]. The internal permutation is composed of = RF + RP rounds of two different types: full rounds have S-box functions, and partial rounds have only 1 S-box and − 1 identity functions. Each round function consists of adding the round constants 4 , applying partial or full S-box layers , and then multiplying the state by an MDS matrix (M). The permutation starts with Rf = RF/2 full rounds, followed by RP partial rounds, and finally Rf = RF/2 full rounds.
The challenges from the Ethereum Foundation use = 3, the S-Box is ↦ → 3 and RF = 8 is fixed, while RP varies according to the security level required. Attack description. A basic encoding of Poseidon into equations can be solved quickly for a small number of rounds. In fact, it was sufficient for us to be able to claim the first bounty offered by the Ethereum Foundation for this algorithm. However, targeting the next ones requires to use the technique described in Section 4.2. The idea is to decrease the degree and the complexity of the polynomial system by more carefully choosing its variables. Let = 3, and 1 , 2 such that 1 ( ) = 2 ( ) = 3 . Then, applying our trick for SPN rounds, we consider an input state after the S-box layer of the second round of the form ( 0 3 X, 1 3 X, ) (i.e. we use = ( 0 3 , 1 3 , 0) and = (0, 0, )). We obtain As previously mentioned, if we find a value X such that the image of ( 0 3 X, 1 3 X, ) through − 2 rounds of Poseidon (and a linear layer) is equal to (*, *, 0), then we will always be able to deduce an input ( , , 0) for -round of Poseidon that is mapped to .
Therefore, we evaluate the permutation as polynomials in F [X] starting from the state ( 3 X, 3 X, ) with , , satisfying System (2), and the CICO problem is equivalent to finding the root of the polynomial corresponding to the rightmost branch of the output.
In practice, we use SageMath to generate the polynomial, and we compute the roots either directly from SageMath, or with an external program using NTL. The corresponding code is given in the Supplementary Material. Complexity Analysis. Poseidon has = RF + RP rounds in total, but we skip the first two rounds using the trick. Therefore, we obtain a univariate polynomial of degree = 3 −2 , and we can estimate the complexity of finding the roots as: We give explicit values for the proposed challenges in Table 2, along with the corresponding security claims. For the challenges issued by the Ethereum foundation, the claim was that  an attack would require at least 2 37+ steps, where is a "security" level specified in bits, and is equal to 8, 16, 34, 32 and 40 when RP is equal to 3, 8, 13, 19 and 24 respectively. The original specification of Poseidon states that interpolation attacks are expected to have a complexity similar to the one of our attacks, namely about RP+RF [GKR + 21, Equation (3)]. However, the challenges of the Ethereum Foundation 5 appear to claim a higher security level.

Application to Round-Reduced Rescue-Prime
Design description. Rescue is a family of AO hash functions, that was first proposed as part of Marvellous designs [AAB + 19]. Rescue has the particularity of using both a low degree S-box and its inverse. Indeed, each round of Rescue, consists of two steps: while the first one involves an S-box , an MDS matrix , and the addition of the round constants, the second one is quite similar but replaces with its inverse −1 . The two steps of each round are described in Figure 6. For our study, we will use the specifications of Rescue-Prime [SAD20], which means in particular that in each round, we first apply and then −1 (rather than the contrary as described in the original paper [AAB + 19]).
The challenges from the Ethereum Foundation use = 3 or = 2, and the S-boxes are ↦ → 3 and its inverse ↦ → 1/3 .   Attack description. Rescue-Prime cannot be efficiently written as a univariate polynomial system, because it uses both the S-boxes ↦ → 3 and ↦ → 1/3 . Each S-box has a low univariate degree in one direction, but a high degree in the other direction. Therefore, we add intermediate variables so that each S-box can be described with a low-degree equation, and we build a multivariate system.
More precisely, let us consider Rescue-Prime with a -element state ( = 2 or = 3) and rounds. We use variables ( 0 , 0 , . . .) to represent the input and ( , , . . .) to represent the internal state after the -th round ( ( + 1) variables in total). As shown in Figure 6, we can write equations linking the variables at the input and output of round , using only the direct S-box ↦ → 3 . Therefore, we have degree-3 equations: If we add equations 0 = 0 and = 0, we obtain a system of polynomial equations representing the CICO problem. We observe that the input variables can be removed. Indeed, each ( 0 ), ( 0 ), . . . can be written as degree-3 polynomial of 1 , 1 , . . .. Given that ( 0 ) = 0, it follows that we can only keep the corresponding polynomial equal to 0, and then remove the input variables. We can also remove because it is fixed to zero, and we obtain a system of ( − 1) + 1 equations and − 1 variables. With = 2, we have the same number of equations and variables. However, with ≥ 3 we have more variables than equations, and we can use the trick of Section 4.2 to obtain a smaller system corresponding to a subset of the solutions with one solution on average.
It is the case provided for instance when: Recalling that one round corresponds to two steps, it follows that, if we find a value X such that the image of ( 0 1/3 X, 1 1/3 X, ) through − 1 rounds of Rescue-Prime (and a linear layer) is equal to (*, *, 0), then we will always be able to deduce an input ( , , 0) for -round Rescue-Prime that is mapped to . Then, for the remaining − 1 rounds, Figure 6 shows how we generate the following polynomial equations to avoid the inverse S-box.
Finally, this results in the following system of polynomial equations: This system has ( −1) variables and ( −1) equations. As before, we used SageMath to generate our system of equation. However, we used Magma to find the solutions of the corresponding multivariate system. Again, our code is given in the Supplementary Material. Complexity Analysis. With = 3 branches and rounds, we obtain a system of 3( − 1) degree-3 equations with the same number of variables. In our experiments, the system behaves like a generic system and has = 3 3( −1) solutions in the algebraic closure of the field. Therefore, the complexity of solving the system is approximately: With = 2 branches and rounds, we obtain a system of 2 − 1 degree-3 equations with the same number of variables. Therefore, = 3 2 −1 and the complexity of solving the system is approximately: Besides, the original paper of Rescue-Prime states that Gröbner basis attacks are expected to have the following complexity We give explicit values for the proposed challenges in Table 3.  light linear layer instead of an MDS matrix. Ciminion's encryption scheme is presented in Figure 8. For the sake of consistency with previous figures, we show it on F rather than F 2 as presented in the original paper. and are both permutations based on the same round function, presented in Figure 10. For a security level of , possesses + 6 rounds and max{⌈ +37 12 ⌉, 6} rounds. rol is a non-linear rolling function described in Figure 9.
Dobraunig et al. performed a thorough security analysis of Ciminion, exploring all cryptanalysis techniques, such as linear cryptanalysis, differential cryptanalysis, higherorder differentials, interpolation and Gröbner basis attacks. For the latter however, they studied a modified Ciminion that they conjectured to be weaker than the real Ciminion. In the modified Ciminion, they came up with a system of 6 equations of degrees {2 −1 , 2 , 2 , 2 +1 , 2 +1 , 2 +2 } over 6 variables, where is the number of rounds of .
The value of was chosen so that this attack has complexity at least 2 . More precisely, the authors estimated the complexity of the F5 algorithm with parameters Following [BFS04], they estimated the complexity 6 as The designers took = 2 as a lower bound, obtaining a minimum number of rounds ≥ ⌈ −21.8 12 ⌉, and added 5 rounds as a security margin.
A new polynomial system. Instead of looking at a system of equations resulting from a presumed weaker scheme, we study the real scheme and propose a better way to set up a system of equations. For a given nonce ℵ, we consider the first two output blocks. We denote = − and ′ = ′ − ′ , for = 1 . . . 4, and introduce two variables , ∈ F for the missing output words (not given as part of the ciphertext) after the first and second permutations (see Figure 11). The output of the first permutation is ( 1 , 2 , ), therefore, we can write the input as polynomials in : ( 1 , 2 0 ( ), 1, 2 1 ( ), 1, 2 2 ( )) = −1 ( 1 , 2 , ) Similarly, the output of the second permutation is ( 3 , 4 , ), and we can write the corresponding input as polynomials in : Finally, taking two nonces ℵ, ℵ ′ , we eliminate the keys 3 , 4 and obtain a system of four equations in the four variables ( , , ′ , ′ ), using two blocks of ciphertexts from each nonce: (5) Solving this system allows to recover the full internal state, and to deduce the keys 1 , 2 , 3 , 4 . In order to solve the system, we use the approach explained in Section 3.2.
Solving complexity. Let us denote the polynomial corresponding to the -th row of the system, such that we have for all = 1 . . . 4, ( , ′ , , ′ ) = 0. We notice that is a sum of univariate polynomials: ( , ′ , , Then, it is sufficient to determine max deg( ) for each . Given that deg( 0 ) = 2 −1 , deg( 1 ) = 2 −1 , and deg( 2 ) = 2 , the degree of the polynomials in , ′ , and ′ are: In particular, system (5) has 2 equations of degree 3 · 2 −1 , 1 of degree 2 , and 1 of degree 2 −1 . Therefore, we have the following parameters: We can deduce upper bounds on the cost of the steps required to solve the system. Computing a Gröbner basis with respect to the grevlex order using Faugère's F5 algorithm has asymptotic complexity reg × On the other hand, performing the change of order with a fast variant of FGLM has asymptotic complexity ≈ 2 (4 +0.2) .
FGLM is therefore the bottleneck.
For practical values of , the attack is not faster than 2 , but it shows that the design has much less security margin than anticipated by the designers. In particular, if we take an optimistic value = 2 as in the security analysis of the designers, we obtain an attack with complexity roughly 2 112.4 for the 128-bit security version recommended by the designers with 14 rounds.

Experimental Results
In order to better understand the behaviour of the root-finding tools we relied on in our attacks, we performed additional benchmarks on top of our attacks against the Ethereum challenges. We treat the cases of univariate and multivariate equations separately.

Univariate Solving
For root-finding of univariate polynomials, we investigated the FLINT [Har11] and NTL C libraries. Both support operations related to big polynomials in finite fields, but NTL was considerably faster for different sizes of toy polynomials, therefore we chose to benchmark only NTL. In order to work with high degree polynomials with NTL, we need to apply a small patch to the library source files to increase the value of NTL_FFTMaxRoot. Table 4 presents our experimental results, with = 18446744073709551557 ≈ 2 64 . Given a degree = 3 , we generate the polynomial modeling the CICO problem for Poseidon with (RP, RF) = ( − 6, 8) and for Feistel-MiMC with + 1 rounds , and random polynomials (each of the + 1 coefficients is taken randomly in F ). For each instance and degree, we launched min(32, 2 18− ) jobs, with varying random polynomials. For all instances, the standard deviation of the memory consumption is negligible (in average 10 −5 times the average value), and the standard deviation of time stays under 3 percent of the average value.
The data is represented in Figure 12, and we performed a linear regression of the time and memory usage of random polynomials root finding. We notice that the structure of the polynomials of Feistel-MiMC and Poseidon does not offer a significant speed up to the root finding compared to random polynomials.
Because the theoretical complexity is quasi-linear, the linear regression should be treated cautiously. In addition, the benchmarks apply only on 1 core and do not account for parallelization. We expect to speed up the univariate root finding with NTL parallelization (which, officially, is supported), but some tests showed that NTL CPU usage does not exceed 300%, even with more than 3 threads.

Multivariate Solving
For benchmarks of multivariate solving, we chose to use Magma [BCP97]. We compare the resources needed for the resolution of the Rescue-Prime and Ciminion polynomial systems to the resources needed for random equivalent systems. It should be noted that Magma implements the F4 algorithm [FGHR14] to find the grevlex Gröbner basis, and the FGLM algorithm [FGLM93] in cubic complexity for the change of ordering. Also, there seems to 10 5
be a fixed memory overhead of 32 MB when using Magma for Gröbner basis, therefore we did not take into account low-memory points in the linear regressions. Table 5 and Figure 13 present the results for the resolution of a -round Rescue-Prime instance, = 3, 4, with = 3 and = 18446744073709551557 ≈ 2 64 . These are compared to random equivalent systems of equations of degree 3 on variables, generated randomly by affecting a random coefficient of F to each possible monomial of degree ≤ 3. In order to give a better insight on the evolution of the resources consumption, we chose to additionnaly benchmark random systems with = 5, 7, 8, which do not correspond to any version of Rescue-Prime.

Rescue-Prime and Rescue-Prime-like systems
For systems of equations, we launched min(2 2(9− ) , 64) jobs. The standard deviation of time and memory consumption never exceeds 2% of the average value. The program was cut after 7 days for random systems with = 9. The F4 step finished, but the FGLM step did not finish (after approximately 44 hours). The linear regression of Rescue system FGLM time might be biased compared to Random FGLM time, because only Rescue possesses a data point with = 9, which demands heavy resources in memory, potentially causing some overhead.
The results highlight several properties: • We observe that the theoretical maximal ideal degree is reached, for all systems: 3 for equations of degree 3.
• The F4 run time varies considerably between the Rescue-Prime system and a random system. For 4-round Rescue-Prime ( = 9), there is almost a factor 50 between the run time of F4 on the Rescue-Prime system and on a random system.
• F4 dominates in time for random system, but FGLM heavily dominates for Rescue-Prime systems.
• The case with 6 equations is the only point of comparison between the Rescue-Prime system and the random system, but on this data point, FGLM is faster on Rescue-Prime than on a random system, despite having the same ideal degree (729).
• The memory consumption seems to essentially follow the same linear regression for both Rescue-Prime systems and Random systems.
Ciminion and Ciminion-like systems For rounds of Ciminion, in Section 5, we present a modelization of the cryptosystem with 4 equations on 4 variables, of degrees respectively 2 −1 , 2 , 3 · 2 −1 , and 3 · 2 −1 . For the sake of simplicity, we kept the same prime number = 18446744073709551557 = 2 64 − 59, although it is less than 2 64 (Ciminion normally requires a prime > 2 64 ). We chose to add the concept of half rounds to increase the number of data points: + 0.5 rounds of Ciminion is Ciminion where the first branch has undergone + 1 rounds while the second branch has only been through rounds. With the same technique as in Section 5, we can represent this instance of Ciminion with a system of 4 equations on 4 variables, of degrees 2 −1 , 2 −1 , 2 −1 , and 2 −1 . We compare the Ciminion systems to random systems of 4 equations on 4 variables with the same degrees, where a random coefficient of F is assigned to every possible monomial in each equation. The 4-round Ciminion was cut off due to memory insufficiency (≥ 192 GB). Table 6 and Figure 14 present the results. We did not take into account the memory points with = 2 in the linear regression, because it seems to be a fixed overhead when solving Gröbner bases with Magma (regardless of their sizes).
• The Ciminion system of equation does not reach the maximal ideal degree. We did not succeed to find a simple reduction of the system to explain this fact. This is surprising and not accounted for in the security analysis of the designer of Ciminion.
• The FGLM step heavily dominates the time complexity for Ciminion-like systems. For half rounds, the 4 equations all have the same degree, and this confirms the property showed in Section 3.2.
• We observe a factor 20 between the time complexity of the F4 step of the Ciminion system and random equivalent systems.
• We observe a factor at least 2.5 between the time complexity of the FGLM step of the Ciminion system and random equivalent systems. This is partially due to the suboptimal ideal degree of the Ciminion system.
• Extrapolating the results to = 64 and = 9 (since ≈ 2 64 it does not make sense to consider larger security levels), the expected time complexity of the FGLM step is 9 · 10 −8 · 2 10.52·9 = 2 60.8 seconds (and not operations), which gives a comfortable security margin: our modelization does not break Ciminion.
For Ciminion and for Rescue-Prime systems, the FGLM step is predominant. However, the implementation of FGLM in Magma is in cubic complexity on the ideal degree. With a more performant implementation of FGLM [FGHR14,FM17], we should reduce the time complexity for both systems.

Conclusion
Our results show that properly choosing the parameters for arithmetization-oriented primitives is still non-trivial. In particular, some of the parameters chosen for the Ethereum Foundation challenge were apparently erroneous.
More specifically, we suggest a few lessons that can be learnt from our findings:

Encodings.
There are many different ways to set up a system of equations corresponding to an attack against a primitive, but different encoding can result in different attack complexities. Designers should consider as many variants as possible when evaluating the complexity of algebraic attacks.
Univariate solving. When a primitive can be modelled as a univariate polynomial, this is usually the most efficient way to mount an algebraic attack. Indeed, finding the roots (in the field) of a random univariate polynomial has a complexity that is quasi-linear in the degree. Therefore, the number of rounds should be defined by the degree of the univariate polynomial, rather than by the complexity of computing a Gröbner basis.
First round. If the first round starts with a layer of S-boxes, this layer can be ignored when attacking the CICO problem. It is then better to start (and end) with a linear diffusion layer.
Clara Pernot for proof reading a first draft of this manuscript, and Magali Bardet and Pierre Briaud for helpful discussions about solving multivariate systems. Finally, we thank the Ethereum foundation for putting forward the challenges that kickstarted the research presented in this paper.