Gröbner Basis Cryptanalysis of Ciminion and Hydra

Abstract

Ciminion and Hydra are two recently introduced symmetric key Pseudo- Random Functions for Multi-Party Computation applications. For efficiency, both primitives utilize quadratic permutations at round level. Therefore, polynomial system solving-based attacks pose a serious threat to these primitives. For Ciminion, we construct a quadratic degree reverse lexicographic (DRL) Gröbner basis for the iterated polynomial model via linear transformations. With the Gröbner basis we can simplify cryptanalysis, as we no longer need to impose genericity assumptions to derive complexity estimates. For Hydra, with the help of a computer algebra program like SageMath we construct a DRL Gröbner basis for the iterated model via linear transformations and a linear change of coordinates. In the Hydra proposal it was claimed that r_H = 31 rounds are sufficient to provide 128 bits of security against Gröbner basis attacks for an ideal adversary with ω = 2. However, via our Hydra Gröbner basis standard term order conversion to a lexicographic (LEX) Gröbner basis requires just 126 bits with ω = 2. Moreover, using a dedicated polynomial system solving technique up to r_H = 33 rounds can be attacked below 128 bits for an ideal adversary.