Lorenzo Grassi, Christian Rechberger, Arnab Roy, Tyge Tiessen. Our speaker is Arnab Roy. Welcome. Hello. So this work is about designing special-purpose block ciphers and hash functions which are tailor-made. Can you hear me if I speak like this, everybody? I'm not sure whether this will work all the time, so let me make sure. Is it OK? OK, great. So the block ciphers and hash functions we propose in this work are designed specially for particular applications, and their efficiency is tailored to those applications. The main motivation is that in recent years there has been a lot of progress in multi-party computation, zero knowledge, and fully homomorphic encryption. A lot of work that was merely theory has become practical now, and it is being turned into applications. In many cases these cryptographic protocols, which are based on homomorphic encryption or multi-party computation schemes, use a block cipher or a hash function. And not only that: sometimes they use them as pseudorandom functions or pseudorandom permutations. So the efficiency of these primitives is important not only from the block cipher and hash function point of view, but also from the PRF or PRP point of view. Examples are many. To name just a few: private set intersection, computations on sensitive data, outsourced databases. If you look at a system built on cryptography and cryptographic protocols, the primitives lie at the bottom of the pyramid: symmetric primitives like hash functions and block ciphers, upon which you build the protocols. Here we are looking at special-purpose protocols, say MPC or zero knowledge. And our motivation is that sometimes improving the performance of these symmetric primitives can actually improve the overall performance of the system at the top, and hence a user is happy to use a system that would otherwise be too slow. Now, our focus in this paper is particularly on something called SNARKs, which are used for zero knowledge. In particular, there is an interesting protocol called Zerocash, which is built on SNARKs; it is a kind of substitute for Bitcoin, and the anonymity is better there. And our motivation is that there is a performance bottleneck caused by the symmetric primitives. So can we actually design something which is, let's say, tailor-made for SNARKs? We will focus on the hash function, but while doing that we will also propose the design of a block cipher. To give a little background on what is being done inside a SNARK: suppose some function f is being computed, and a user who is not capable of computing that function is outsourcing it, making some other machine compute it. But the user is not completely convinced; he wants to verify the result. So there is a verifier and a prover. The prover is supposed to prove that the result he claims to have computed, by evaluating this function on a certain input, is actually correct. This is viewed as a circuit: f can be represented as a circuit. To this circuit you give some input, and some witnesses are generated during the computation. A witness can be thought of as, let's say, an intermediate variable that appears while computing the final output.
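To make the prover/verifier picture concrete, here is a toy sketch in Python. It is purely illustrative and not from the talk: the function f(x) = x^3 + x is computed over a small prime field, the intermediate values play the role of the witness, and the verifier's checks are exactly the kind of equations the circuit encodes. All names and parameters here are my own.

```python
# Toy illustration: outsourced computation of f(x) = x^3 + x over F_p.
# The intermediate values (t, u) are the "witness" the prover generates.
p = 101  # toy prime; real SNARK systems use large prime fields

def prove(x):
    t = (x * x) % p      # witness variable: t = x^2
    u = (t * x) % p      # witness variable: u = x^3
    y = (u + x) % p      # claimed output
    return y, (t, u)     # the prover holds (t, u) as the witness

def verify(x, y, witness):
    t, u = witness
    # each check has the shape (linear) * (linear) = (linear)
    return t == (x * x) % p and u == (t * x) % p and y == (u + x) % p

y, w = prove(5)
assert verify(5, y, w)
```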
So you can think of a set containing the input values and also these witness variables, and they will satisfy the circuit, which is represented by the function C, or the circuit C. The prover knows these witness variables, which might be some intermediate values, but the prover keeps them private. Mathematically this is described as an arithmetic circuit over some field, which may or may not be binary. Particularly important for our application is that the circuit is built from bilinear gates. The moment we have this condition, we can represent the entire circuit by a system of equations which look like this: some linear combination, times some linear combination, equals another linear combination. And this is the main point: there is one multiplication involved in each such equation. The number of such equations gives you the total number of multiplications needed to generate the witness variables as well as to generate the constraints. This particular set of constraints is called rank-1; the system is a rank-1 quadratic constraint system. Now, in order to measure or evaluate efficiency, we first have to decide on a computation model. The basic assumption is that whenever we do a multiplication, the cost is really high, while addition over the field, and over binary fields XOR, is completely free, or of negligible cost, compared to multiplication. And this model is actually not new. It is not only relevant for SNARKs; it is also very much used for side-channel protection, where you protect an implementation against side-channel attacks by something called masking. But there, I would say, the model is less extreme. To give an example, over a field of the form F_2^n, squaring is linear, and in masking such operations are indeed treated as linear, and advantage can be taken of this linearity. Whereas in a SNARK you cannot exploit that: x squared is still nonlinear. So the general idea is that linear and affine operations are free (not x squared, by the way, when it comes to SNARKs), and even multiplication by constants is free, while all other nonlinear operations are expensive. But one caution here: although XORs are free, a very large number of XORs can cause trouble. I will come back to this point at the end of the talk, where I will show from our experimental results what exactly I mean by a very large number of XORs. Now let's look at symmetric cryptography to see what kind of operations we find there. Block ciphers are pretty much built on small fields; AES, for example, is built over F_2^8. Sometimes we see two different types of structures mixed, for example in SHA-2. It is not uncommon for a symmetric design to mix two different structures, and this is a problem for SNARKs, because there you have to represent everything in terms of a single field. Whenever you are mixing F_2 and some other field, you have to embed everything into, let's say, some prime field, and there an XOR becomes expensive, because it involves one extra multiplication. So the embedding becomes costly. One design goal to keep in mind, then, is that we want all operations over a single field, preferably a prime field, which is what the SNARK libraries work over. Typical examples of linear operations are XOR, that is addition over the binary field F_2, field addition, and rotation; the typical nonlinear operations include modular addition.
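Here is a small sketch of the embedding cost just mentioned (my own illustration, assuming bits are encoded as 0/1 field elements): over F_2, XOR is plain addition and hence free, but once embedded into a prime field it becomes a + b - 2ab, and the product ab is the one extra multiplication, i.e. one extra rank-1 constraint per XOR.

```python
# Sketch: why an XOR embedded into a prime field costs a multiplication.
p = 2**61 - 1  # any large prime works for this illustration

def xor_in_Fp(a, b):
    # for a, b in {0, 1}: a XOR b = a + b - 2ab; the term a*b is the
    # one nonlinear operation (one rank-1 constraint) per XOR
    return (a + b - 2 * a * b) % p

for a in (0, 1):
    for b in (0, 1):
        assert xor_in_Fp(a, b) == (a ^ b)
```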
Now, some of the protocols we see actually involve computations over F_2. That is why the embedding, and the cost of the embedding, are important. All the operations over F_2, if your symmetric primitive uses them, have to be expressed in terms of operations over the larger field. That is the embedding, and it costs extra: an XOR no longer involves only an addition. It is not linear anymore once you embed it; it involves one nonlinear operation. So much for the cost model. Now, what kind of circuit do we pay for? If you look at fully homomorphic encryption, we pay for depth: a low-depth circuit makes it efficient. When it comes to MPC, it can be low depth or a low number of multiplications; it depends on the application and on the particular design of the protocol. For SNARKs, it is strictly a low number of multiplications that we will be looking at. And recently there have been many proposals keeping these particular applications in mind. There was, for example, a proposal targeting homomorphic encryption, which was broken later. LowMC was for MPC, but also for fully homomorphic encryption. And recently the Legendre-symbol PRF was proposed, which is very efficient for such protocols. So this is an example showing that not only the block cipher or hash function is important; the underlying PRF also becomes important for such applications. The things we keep in mind are these: we do not want to mix the field operations, because the embedding then makes things costly, so we avoid that. And also, if a design is over a field of, let's say, the form F_2^n, we would like to make it work over F_p as well. Can we actually take the same design and fit it over F_p? Then we do not have to design yet another proposal, another block cipher. This block cipher family and hash function family is called MiMC. It stands for minimal multiplicative complexity, although the total number of multiplications is still not literally the minimum. The block cipher family has block size n and key size n, and also, in a Feistel mode, block size 2n. And we use the fixed-key permutation to construct the hash function. Now, designing a cipher or a keyed permutation over a field is not a new idea. If you remember the block cipher proposed by Nyberg and Knudsen, it was designed specifically to be provably secure against differential and linear cryptanalysis. It used a simple APN function, the cube, over F_2^33; 33, because otherwise the cube operation is not a permutation. The way it was designed was something like this: you take a 64-bit block, use a Feistel mode of operation, take the 32-bit half and expand it to 33 bits, apply the APN function, and then chop one bit. But it was broken with something called the interpolation attack. After that, I think, this way of designing was either forgotten or abandoned, because what made it attractive, the provable security, was lost. But I think this type of design has perhaps found its place again. So this is our first proposal. It is a very simple design. We just use key addition together with round constants, which are independent and generated randomly, and for every round we propose to use the same APN function, the cube x^3. The reason is that it has optimal differential properties, and it is a permutation; for that we stick to odd block sizes n, so we cannot have even n.
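A minimal sketch of this round structure over a prime field, under my own toy parameters: r rounds of x -> (x + k + c_i)^3, with the round count ceil(n / log2(3)) that is proposed just below. The final key addition and the zero first constant follow my reading of the design; treat the details as illustrative rather than the paper's exact specification.

```python
# Minimal sketch of the SPN design just described: r rounds of
# x -> (x + k + c_i)^3 over F_p, plus a final key addition.
import math
import random

p = 65537  # toy prime: p - 1 = 2^16, so gcd(3, p - 1) = 1 and x^3 permutes F_p
R = math.ceil(p.bit_length() / math.log2(3))  # round count: ceil(n / log2(3))
CONSTANTS = [0] + [random.randrange(p) for _ in range(R - 1)]  # random round constants

def mimc_encrypt(x, k):
    for c in CONSTANTS:
        x = pow((x + k + c) % p, 3, p)  # key addition, round constant, cube
    return (x + k) % p                  # final key addition (illustrative)

ct = mimc_encrypt(42, 7)
```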
There are two key sizes proposed here. One is to use the same n-bit key in every round. The other: you take a 2n-bit key and use its two halves alternately, if you want a larger key. And this is the number of rounds we propose, which is roughly the block size divided by the logarithm of 3: r = ceil(n / log2(3)). The reason is very straightforward: we could not do fewer than that. And I think you can already imagine why, because you can just calculate the degree after r rounds. If you do that, you will immediately find an interpolation attack using about as many plaintexts as the degree. From there you can really figure out the number of rounds. And the good thing is that if you stick to this number of rounds, we can take the same design and apply it over a prime field as well. So that was the first variant. Now, if the block needs to be larger, we can switch to a Feistel design, like the KN cipher, where we have a 2n-bit block. We go with the same idea, but we do not use any expansion or any bit chopping: we use an odd size for each half of the block, so n is odd, and apply the cube there. And the number of rounds here, you can see, is twice as many. The reason lies in the Feistel structure. In the SPN design, when you go in one direction the degree increases, but if you come back from the other direction, calculating the degree from the end, it is not the same: the degree of the inverse is already very high. In a Feistel, by contrast, the degree grows slowly from the decryption side too, so a meet-in-the-middle interpolation attack is possible for the Feistel, while you cannot do it for the SPN. That is why for the Feistel we have to use twice the number of rounds. The round constants work the same way, and the same idea applies to the key: you can either use an n-bit key or a 2n-bit key. Now, the hash function: as I said, we set the key to a fixed value, get a permutation, and use it in a sponge. In the SNARK setting, for all our instantiations we used the SPN style, but it is also possible to use the Feistel mode. The difference is that you get double the number of rounds, but on the other hand you work over a smaller field, so there is a little trade-off. At least in our experiments we did not see any notable difference between the two; the exact field size there was 1025 bits.
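Here is a hedged sketch of that Feistel variant: the state is two field elements, the round function is the same cube map, and the round count is roughly doubled. The swap convention, parameters, and names are my illustrative assumptions, not the paper's exact specification.

```python
# Sketch of the Feistel variant (2n-bit block from two n-bit field elements).
import math
import random

p = 65537  # toy prime; p - 1 = 2^16, so x^3 is a permutation of F_p
N_ROUNDS = 2 * math.ceil(p.bit_length() / math.log2(3))  # twice the SPN count
CONSTANTS = [random.randrange(p) for _ in range(N_ROUNDS)]

def feistel_encrypt(xl, xr, k):
    for c in CONSTANTS:
        # cube round function on one half, added to the other, then swap
        xl, xr = xr, (xl + pow((xr + k + c) % p, 3, p)) % p
    return xl, xr

# Fixing the key (say k = 0) turns the cipher into an unkeyed permutation,
# which can then be used inside a sponge construction to hash.
digest_state = feistel_encrypt(1234, 5678, 0)
```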
Now, for security, we looked at the possible cryptanalytic attacks. The cube has optimal differential properties, so we could not do anything with differential attacks, and also not with linear attacks; the full-round cipher is certainly not attackable with differential cryptanalysis. If you look at the interpolation attack, then, as I said, I can calculate the degree and from there the required number of plaintexts; in fact the number of rounds was fixed exactly by taking this interpolation attack into account. Another attack we considered is this: imagine you have the polynomial which represents the cipher, where the key is the indeterminate, and you take two plaintext-ciphertext pairs, so you have x1, y1 and x2, y2. If you take the GCD of the two polynomials obtained from these pairs, with high probability that GCD will reveal the key. So basically, if I can construct this polynomial and compute the GCD, I can recover the key with two plaintext-ciphertext pairs. We know the complexity of computing a GCD, so from there we can get a bound on the number of rounds we need to protect against this. But this assumes something very powerful about the adversary: the adversary has to construct the polynomial in the first place, and that by itself might already be more expensive than the attack. Another attack is the higher-order differential attack, which the degree simply does not allow: the overall degree is too high for a feasible higher-order differential attack. Another one was the invariant subfield attack. This matters because we are working over a single field. Imagine you have a field of the form F_2^n and you keep iterating: if the state lies in a subfield, you can end up in the same subfield again and again, and in that way you can distinguish the construction from a pseudorandom permutation. This can happen only for fields of the type F_2^n, because a prime field has no such subfield, and for F_2^n the round constants can avoid it. Now, to come back to the SNARK setting, for which we actually designed this cipher: what does the circuit look like? We can actually forget the circuit and go directly to the equations. You compute each round like this: first the squaring, y = (x + k + c)^2, and then the next equation, x' = y * (x + k + c). Each of these has exactly the shape I started with, linear times linear equals linear, and each involves only one multiplication, which is the minimum you can get; per round it is not going to get better. So the total number of multiplications is determined exactly by the number of rounds. These are some experimental results. When we compare with SHA-2, we see that MiMC is 9 to 10 times better, and when we compare in the SNARK setting with SHA-3, it is almost the same story as with SHA-2. It is also still faster than LowMC, which we compared against as well, since a low number of multiplications was one of its design goals. And here is the summary of the results. Now, to come back to the point I made earlier, that a really large number of additions can make a difference: you can see what is happening here. When the number of additions explodes, it really makes things go crazy. It does not matter that the number of multiplications is low; the additions are clearly having an effect. But unfortunately we still cannot quantify this, and I would find it very interesting to figure out how. The implementation is available online. To conclude, two points: first, this type of design, or these design criteria, are useful not only for block cipher designs for protocols, but also for PRF or PRP designs. And then there are open questions. We do not know exactly how the XORs affect performance: in the computation model we say they are free, but they cannot be entirely free. Another thing is that we only used a monomial, the APN cube function. We tried other monomials as well, but it does not make things better; it does not reduce the number of multiplications. Whether we could do better with polynomials instead of monomials, we do not know. Do I have time for a question? So, when you chose the number of rounds, you said that the successive cubing has to bring you to the maximum possible degree; that is why you chose n over log 3. But the problem is that you are working over a finite field, and therefore, if you raise to a certain power of 3, you might actually get a low-degree polynomial by chance. So you have to be careful. It will happen with very low probability, but just saying that you are cubing and cubing and cubing and the degree will remain large is wrong for certain choices.
Because all those cubings can wrap around and get you back to a polynomial with low degree. It is a finite field, and therefore, when you raise to a high power, the exponent is reduced modulo the size of the multiplicative group. Yes. OK. OK, so you do not go beyond that. I thought this was only a lower bound and you could go a few extra steps, but if you add a few extra rounds, the degree can wrap around and you get a lower degree, right? Yes. OK, other questions? If not, let's thank the speaker.