 Welcome to this presentation. This will be about an algebraic attack on ciphers with low degree round functions, and the application will be to full memsie. This is joint work together with Maria, Lorenzo, Reinhardt, Morten, Christian and Genshu, and my name is Markus. So let's first start with a short background section here. We know from the recent years that algebraically simple designs are becoming more and more popular. And this is the case, for example, due to proof systems like snarks or starks. And in these proof systems or also in other similar use cases, some certain metrics are more important than others. So for example, plane efficiency or the plane encryption speed, so to say, is not so important. But what is important is, for example, the algebraic representation of the construction or also the total number of multiplications, which is then also very important in MPC scenarios. And memsie is a construction which has been a benchmark since 2016 in some of these settings. And it was also a basis for follow-up designs like, for example, GMC and Hades memsie. So these two constructions are not similar when it comes to the construction itself, but they borrow some ideas from memsie. And before I actually present our work, let me give you a very short summary of the attacks I will present. So first I will talk about the secret key distinguisher, which covers almost the full round number of memsie. Then I'll talk about the non-key distinguisher, which covers almost twice the number of rounds of memsie. And at the end I will then talk about the key recovery attack, which covers full memsie, and actually also a bit more than that. So what will be the outline, what will be the content of this presentation? Well, first I'll give the specification of the memsie block cipher, which is basically a way to build the block cipher of this memsie construction. I will then talk about the round function of this construction and about the number of rounds maybe shortly. And I will also give the degree of the round function. So this is one of the key properties we exploit here. And after giving some details about memsie, I will talk about the distinguishes for this construction and then also about the key recovery attack on memsie. And at the end, finally, I will talk about the summary, so give a short summary and maybe give some questions for future work also. So let us start with the specification of this construction memsie. Well, first it works over prime fields or binary fields. And it's important to say that this attack here works over binary fields only. It does not work over prime fields. And we have a simple construction here. If we want to build a block cipher, for example, we have an input x. We add some key k, we cube the result, we add a key again. We add the round constant, a random one. We cube the result again. And at the end, we have the output ciphertext. So the round function basically consists of a key addition, a round constant addition and the final cubing operation. And in memsie, every round key is the same. So there is no key schedule. Then we have that the round constants are chosen randomly from this finite field and n is odd to achieve a permutation in this basically for this cube function. So the state size or block size is odd. And the question now is, of course, how many rounds are secure and the approach by designers was the following. Well, we can just choose the best known non-random property as a reference and then add one more round on top of that. And then we arrive at the following red round number. And for example, we use 82 rounds for the 129-bit version. So this is the original round number of memsie. However, due to this new result, a few more rounds are actually needed. So I've promised you some details about the round function degree. Well, first we have this word-level degree, which now we know is 3. And then the upper bound for the degree of the whole construction is 3 to the r after r rounds. And this is important if we talk about the complex de-effectorization techniques and interpolation attacks. And indeed in the original paper, the number of rounds was chosen with respect to this analysis, similar analysis here. But besides the word-level degree, we also have the bit-level degree. So the algebraic degree of the round function. And in the case of memsie, it's 2 because the hamming weight of the word-level degree is 2. And then the upper bound for the degree of the whole construction is 2 to the r after r rounds. And for example, we would have 2 to the 82, which is much larger than 128 for the 129-bit version. So most likely, security is easily reached here. However, as we will see, this is not the case. So this brings me to the first couple of our results. So two distinguishes for memsie. But first, what do we actually use? What is the approach we use? We use something which is called higher-order dimensions. And this exploits the lower algebraic degree of the construction. And indeed, if the degree is sufficiently low, we can build distinguishes. For example, if we have a function which has an algebraic degree of delta, then we can use the vector space of dimension delta plus 1. And then we would have a distinguisher. So basically, in that case, a zero-sum distinguisher, because with some of the results of each evaluation, then the total result will be zero. So a question is, what do we need for protection? Well, we need to reach the maximum algebraic degree, which is n minus 1 for an n-bit permutation. And in that case, then the vector space would need dimension n, which is the full space, so it wouldn't be an attack anymore. And for key alternating ciphers, and MIMC actually is a key alternating cipher, we can then ask ourselves the question, what is the algebraic degree of such a cipher? And if we first consider such a cipher, so it's described above, and then we consider each round function having a degree of d, so the same degree in each round function, then what we want to have is we want to reach the algebraic degree of n minus 1. And what we can do, in order to estimate it, is we want to focus on the smallest word-level degree, which has the hamming weight n minus 1, and this would be 2 to the n minus 1 minus 1. And so the question we would need to answer is, when does a monomial of this degree actually appear in the univariate description? So it would be this polynomial x to the something below in the univariate description of MIMC. So when does it appear? Well, clearly to make it appear, what we need at least is that the word-level degree of the whole construction is what at least this degree we want to achieve. And if we don't structure it, this implies that r is greater or equal than this seeding here of the log. And if we now set d to 3, so we set the degree of the round function to 3, which is the case of MIMC, then the resulting number of rounds is very, very close to the total number of rounds of MIMC. And indeed, it's at most 2 of, which leads me to our first result, which basically is that the growth in these constructions, the degree growth is linear in the number of rounds. So for example, we can see here in the following graph here, that for example, according to the upper bound, who would already reach the maximum degree of the center rounds, but in the specific case of MIMC here, for example, we need almost the full round number in order to reach it. So this is this linear growth. And now how can we use this in order to build distinguishes? Well, first, we already have, according to this result, a higher order distinguisher on the number of rounds, which is CQ minus 1 rounds. And so this means that the number of rounds, which is not covered by a distinguisher in the case of MIMC, is then this number here, and I've marked 1 and 2 in red, just to emphasize that the number of rounds, which are not covered by a distinguisher in the case of MIMC, is either 1 or 2. So in 2 cases, all the remaining rounds are actually covered. And to give some examples here, the distinguisher covers R minus 1 rounds for the 33-bit version of MIMC, and it covers R minus 2 rounds, for example, for the 129-bit version. And there are no other cases. So either R minus 1 or R minus 2 rounds are covered, whereas R is the original round number of MIMC in both cases. And no distinguisher, this is also something we can build here. So in this setting, the attacker knows the key, and the goal is basically to discover some property which holds for the probability higher than that for an ideal permutation. And to do this, we exploit the inside out approach. So we try to find a set of inputs and outputs, whose sums are equal to 0. And now if we start in the middle of this construction, we know that we can cover almost the full number of rounds in the forward direction. So this comes from the previous higher order distinguisher. So the question is how many rounds can we cover in the backwards direction. And for this, there is this nice proposition from Burr et al. And basically, if F is a permutation, it's a permutation like MIMC, then the algebraic degree of the inverse of this permutation is N minus 1, even only if the algebraic degree of the forward direction is N minus 1. So what this means is that if we use a subspace of dimension N minus 1, then the number of rounds we can distinguish is the same for MIMC as well as for the inverse of MIMC. So we can cover almost full MIMC in the forward but also in the backward direction. And this means that our non-key zero sum distinguisher covers almost the double of the number of rounds of MIMC. And now having talked about these two distinguishers, I will now get to the actual key recovery attack on MIMC. So let me first summarize our impedance here. So we have a distinguisher with dimension N minus 1. We know that this distinguisher works in both directions and we also know that the distinguisher covers almost the full number of rounds. And usually, maybe besides of the high data complexity, but usually this is exactly what we need for an attack. However, in the specific case of MIMC, there are some major problems. The first one is obviously the high data complexity. It may be an issue, but it may not prevent the attack. But more importantly, the final subkey is the size of N bits, so basically the full keys as a full block size. And this means that in a traditional approach, we would need to guess basically the full last subkey. And this would already be like brute forcing, so this would then not work or not count as it would work, but it would not count as an attack. Another problem we have is that we have full diffusion bit level, both in the forwards and also in the backward direction, and we also have a high-degree inverse. So guessing individual bits and then evaluating if the distinguisher holds for these bits is also not an option here. But maybe we can try something like interpolation, which has been unfollowed in C for example, and there would be many anomalies here and we would need more data to be at the limit with the data complexity, so this is not possible either. So all these traditional or existing approaches would not work in the case of MIMSI because basically we have this large last subkey. So the question is how can we break the final round of MIMSI or if we need to cover two rounds by this key-solving approach, how can we break the final two rounds? And we know to do this that the encryption function reached the maximum algebraic degree only in the last one or the last two rounds. So the question is maybe we can build some efficient equation system which covers the remaining few rounds because we only have very few of them. And we also know that the encryption function has a much smaller degree. It's only a degree-3 function while the decryption function has a higher degree in larger fields. So the encryption function is basically cheaper to evaluate. This means that in such an attack or such a scenario we would essentially request plaintexts. So this would make it a chosen cybertext attack. Then we would fill in and sum over the values of the plaintext if we want to evaluate this forward polynomial for each of the received plaintexts. And finally we would set it to zero because of the zero sum and we would solve the remaining univariate polynomial in the single key variable. And this is exactly what we did for the case of Mimsi. So basically first generate this symbolic expression. We have this one-round encryption essentially. So again this is only the case if we want to cover one round. It's more than that if we want to cover two rounds but it's actually still possible. So the approach is the same. So in that case if we want to cover one round then we request the plaintexts. We compute the values for each of the received plaintexts and then we start solving. How does this work? Where we have a set of plaintexts. We basically sum over these plaintexts. This helps us to evaluate the final representation of this final polynomial which will have basically all constants except for the key variable. And then we set this polynomial to zero which we can do because we know that there's a higher odd distinguisher coming from the other side and then we solve this low degree equation. So the solving step itself is then quite fast. And now of course since the data complexity is high we also need to precisely estimate the complexity of the attack. So is it still an attack even? And to do so we focus on all the complexities involved where almost all the complexity is necessary for basically computing to compute this polynomial. So first if we take a look at this representation and if our data is 2 to the n minus 1 then we need 2 to the n minus 1 multiplications for x to the 3 where square n's are linear here. Then we need approximately also 2 to the n minus 1 square n's first for each of these evaluations but also for the final x2. So we can actually only use also one square n for the final x2 because it's linear and we can use the final x and just square that. And then we need approximately 2 to the n extra additions for x, x to the 3 which is also the final representation of this polynomial. And the complexity of solving this polynomial is then also of course part of the attack because this is also needed and we have this low degree polynomial which has a key variable and these sums p1, p2 and p3 and these sums actually the sums we have computed before so in this approach before and now we know that this polynomial has a degree of 2 only so it's a very low degree and so the complexity of actually solving it is negligible. So this is not of course this also plays a role and can be estimated but it's negligible compared to the other step. And actually it's also quite fast for higher degree polynomials so for instance if we not only want to cover one round bit attack but if we need to cover two rounds so this still works then. And then the advantage if we compare it with exhaustive search and if we compare it with the operations which are needed for exhaustive search actually then the advantage is approximately log of n and the memory cost is negligible why is that? Well because we only need to remember the intermediate sums and the intermediate representation of the polynomial isn't anything else we need to store so the memory cost is negligible. Well we have verified this attack practically on some toy versions of MIMC and what is interesting is that in the cases we tested in our experiments one round was actually sufficient to cover by the solving step so this means that r-1 rounds were always covered by the inverse distinguisher so this is not the case in the theory but it was the case in our practical tests but of course our analysis and also the implementation we give they cover the case also the case of two rounds so not only one but also the case of two rounds and there's no more than that that needs to be covered according to the theory and then there's this new recommendation for the number of rounds of MIMC we also give because we can break the full round number and this new recommendation is based on the number of multiplications which are necessary for the attack and also for MIMC and for example if we assume that a certain number of rounds can be covered by a zero sum what to try now is to try to find the extra number of rounds we need to add in order to basically raise the number of multiplications so that at the end the evaluation of this polynomial would be more expensive than brute force and this extra number of rounds is actually given below here so the condition test of the theory is given below and for example if we are talking about the 129 bit version of MIMC where we originally used 82 rounds so this was the original round number we used 87 rounds so basically plus 5 rounds here and finally we also give a generalization of the attack so we can generalize the attack from the univariate description to the multivariate one and in that case of course we need a Grubner-Basis step so in the last step we need the Grubner-Basis approach because we have a multivariate system of equations but this would be a possibility and a complete definition of this approach is also available in the full paper but also a complexity estimation so maybe this can be applied to other constructions which maybe also have a low degree but which are similar construction wise similar to MIMC as a summary, the first result was a new bound for the degree growth of key alternating ciphers where MIMC is one of these and we found out that it actually closed linearly not exponentially then we also give the first key recovery attack on full MIMC of a binary field so again the attack does not work over prime fields we don't know how to apply it because we don't know any for instance any non-trivial subspaces of the prime fields which is possible for a binary field then the complexity of the attack is quite high but it's strictly below exhaustive search it's a new attack approach so maybe it's applicable also to other loading constructions to some now but maybe also to some in the future and finally in the future maybe we are able to somehow better analyze the growth of the inverse degree not only the growth of the forward degree and this would maybe allow us to reduce the data complexity we need for the attack well thank you very much for your attention yeah, this was it