@article{Bariant_Bouvier_Leurent_Perrin_2022, title={Algebraic Attacks against Some Arithmetization-Oriented Primitives}, volume={2022}, url={https://tosc.iacr.org/index.php/ToSC/article/view/9850}, DOI={10.46586/tosc.v2022.i3.73-101}, abstractNote={<p>Recent advanced Zero-Knowledge protocols, along with other high-level constructions such as Multi-Party Computations (MPC), have highlighted the need for a new type of symmetric primitives that are not optimized for speed on the usual platforms (desktop computers, servers, microcontrollers, RFID tags...), but for their ability to be implemented using arithmetic circuits.<br>Several primitives have already been proposed to satisfy this need. In order to enable an efficient <em>arithmetization</em>, they operate over large finite fields, and use round functions that can be modelled using low degree equations. The impact of these properties on their security remains to be completely assessed. In particular, algebraic attacks relying on polynomial root-finding become extremely relevant. Such attacks work by writing the cryptanalysis as systems of polynomial equations over the large field, and solving them with off-the-shelf tools (SageMath, NTL, Magma, . . . ).<br>The need for further analysis of these new designs has been recently highlighted by the Ethereum Foundation, as it issued bounties for successful attacks against round-reduced versions of several of them.<br>In this paper, we show that the security analysis performed by the designers (or challenge authors) of four such primitives is too optimistic, and that it is possible to improve algebraic attacks using insights gathered from a careful study of the round function.<br>First, we show that univariate polynomial root-finding can be of great relevance n practice, as it allows us to solve many of the Ethereum Foundation’s challenges on Feistel–MiMC. Second, we introduce a trick to essentially shave off two full rounds at little to no cost for Substitution-Permutation Networks (SPN). This can be combined with univariate (resp. multivariate) root-finding, which allowed to solve some challenges for Poseidon (resp. Rescue–Prime). Finally, we also find an alternative way to set up a system of equations to attack Ciminion, leading to much faster attacks than expected by the designers.</p>}, number={3}, journal={IACR Transactions on Symmetric Cryptology}, author={Bariant, Augustin and Bouvier, Clémence and Leurent, Gaëtan and Perrin, Léo}, year={2022}, month={Sep.}, pages={73–101} }