Welcome to the presentation of our work dedicated to the security of symmetric primitives optimized for integrity proof systems. My name is Anne Canteaut, and what I am presenting here is joint work with Tim Beyne, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, Léo Perrin, María Naya-Plasencia, Yu Sasaki, Yosuke Todo and Friedrich Wiemer. The details of this work are of course available in the proceedings of CRYPTO, but as you know, CRYPTO this year is a bit special. For instance, as far as I can see, the beach this year looks like this, this year's strawberries have a different taste, and even the sea lions look a bit different. Let's see. Anyway, let's now have a look at these symmetric primitives optimized for integrity proof systems.

The design of such primitives follows a line of research which has been quite active in the last few years, because there is a strong demand for symmetric primitives optimized for some specific advanced cryptographic protocols. This includes, for instance, the design of symmetric ciphers to be used within hybrid encryption schemes together with fully homomorphic encryption. Another very interesting example is the block cipher MiMC, which has been designed to be optimized for use with MPC. This MiMC block cipher has a very simple algebraic structure, because it iterates many times the cube mapping over a large finite field, and at each iteration this cube mapping is only followed by a round key addition. MiMC has inspired several other designs for other applications with quite similar requirements, and this includes for instance the hash functions used in the new integrity proof systems that have been proposed recently, like ZK-STARK protocols, SNARKs or Bulletproofs. Indeed, these hash functions should be specified as sequences of low-degree polynomials, or of low-degree rational maps, over a finite field.

Of course, this type of design based on simple algebraic transformations over finite fields is not a new idea, because it was already behind the design of some seminal block ciphers. If we consider these recently proposed integrity proof systems, then it is clear that their performance and security are conditioned by the properties of the underlying hash functions. In terms of performance, the cost metric for the hash function is determined by the size of the polynomial relations. These relations are expressed over a finite field, and for these applications it is suitable to use large finite fields, and also fields of odd characteristic, especially prime fields. This is then very different from usual symmetric primitives, which are defined over binary fields. And since they can be represented by simple algebraic relations, these primitives may be vulnerable to algebraic attacks based on Gröbner bases, as shown recently, for instance, at the last Asiacrypt. But of course we also need to guarantee that these primitives are resistant to other types of attacks, and this is the aim of this work.

To be concrete, we focus on some hash functions dedicated to ZK-STARK protocols, and especially on the hash functions involved in the public challenges launched by the StarkWare company. These hash functions are based on two different types of keyed permutations. The first one is called GMiMC; it is an unbalanced Feistel network, so it is a Feistel flavour of MiMC, and it uses the cube mapping of a prime field as expanding round function. The second type is an SPN flavour of MiMC; it is named HadesMiMC, and it is defined both over a finite field and over a prime field. These keyed permutations are used within the sponge construction, because what we need for those applications are hash functions.

This means that we are using this design here, and during the presentation I will always use a small t to denote the block size of the sponge construction, while c denotes the capacity of the sponge. This implies that we consider keyed permutations whose internal state consists of t words, where each word is an element of the field F_q. The parameters proposed in the StarkWare challenges are given here: the first ones are for 128 security bits and the second ones for 256 security bits. As you can see, for 128 security bits we have three different field sizes. The first one considers fields of size roughly 2^64, the second one fields of size around 2^128, and then fields of size around 2^256. For each field size we have two variants, one corresponding to prime fields and the other one to binary fields. We will analyse the security of all these functions, but with a particular focus on the variants given here in red, because they correspond to the parameters which provide the best performance for the STARK protocols. So we will mainly focus on permutations whose internal state consists of 12 elements of a field with roughly 2^64 elements.

What we did is that we presented several attacks on these functions. But what is important is that all these attacks rely on two key ideas. The first one is a generalization of some classical attacks to fields of any characteristic; for instance, we will see why the prime fields chosen in the challenges make the functions more vulnerable to some attacks like integral attacks. The second key idea is to combine algebraic techniques with classical attacks like differential attacks, to take advantage of the specific structure of the primitives in our context. I will then illustrate these two ideas with two examples, two attacks on GMiMC. The first one is an integral attack.
I will show how we can generalize integral attacks to fields of any characteristic, especially by using multiplicative subgroups of the field, and I will show how this can be applied to GMiMC. Then I will present another type of attack, which we call algebraically controlled differential attacks, because it combines differential cryptanalysis with some algebraic techniques. Again, I will show how this can be applied to GMiMC.

Let us start with integral attacks over F_q. Consider a function F from F_q into the same field F_q. When F_q is a binary field, integral attacks rely on the following well-known property: for any affine subspace V whose size exceeds the degree of F plus 1, the values of F(x) sum to 0 when x varies in the subspace V. This well-known property comes from the fact that the sum here is nothing else than the value of a derivative of the function, a derivative of order equal to the dimension of the subspace. So it is clear that this sum is always equal to 0 when this condition on the degree is satisfied. But the problem is that this last formula does not hold in odd characteristic. In odd characteristic, if we want to exhibit a zero sum, we need to consider a much more complicated formula. However, there is one case for which this zero-sum property can be generalized to any field: the case where the input x is saturated, which means that x takes all possible values in F_q. Indeed, for any field it is easy to prove that the values of F(x) sum to 0 when x varies in F_q, as soon as the degree of F is strictly less than q minus 1. This is a nice property, because it generalizes the usual integral property to any field. But what is not that nice is that this property is much more restrictive than what we had in the binary case.

Indeed, in the binary case we were able to compute a zero sum by summing the values of F(x) when x varies in a set whose size is much smaller than the size of the whole field, especially when the degree of F is small, while in the general case we are only able to compute the sum of all F(x) when x varies in the whole field. So of course we have fewer degrees of freedom in the general case than in the binary case. However, we can obtain a situation quite similar to the binary case in the general case by using multiplicative subgroups. Indeed, if the size of a multiplicative subgroup G exceeds the degree of F, then we also get that the values of F(x), when x varies in the subgroup G, sum to a constant which only depends on the value of F at zero and on the size of the subgroup. This means that, exactly as in the binary case, we now have a relation between the values of F when the input varies in a set whose size is close to the degree of F. So we have a sum over a much smaller set than the whole field when the degree of F is small, exactly as in the binary case.

Let us now see how this generalized version of integral attacks applies to GMiMC. GMiMC is a Feistel network with t branches, and it has an expanding round function which corresponds to the cube mapping over F_q. For the parameters we focus on, we have 12 branches, q is roughly 2^64, and for these parameters the round function is applied 101 times. What we will do now is exhibit an integral distinguisher for the GMiMC permutation. For that, we first start with a differential property over 2t minus 2 rounds of GMiMC. This is a very specific property: we consider some input states having a very specific form, which is this one.

The first t minus 2 branches are set to some constants, the last but one branch is equal to some x, and the last branch is equal to F(x), where F is a given function. I do not give the detailed formula for this F, but it is a polynomial in x of degree 3, and it depends on the constants alpha here and also on the round constants of the first rounds of GMiMC. Now, if we consider the first t minus 2 rounds of GMiMC, then it is clear that, because these first t minus 2 branches do not depend on x, the output of these first t minus 2 rounds is such that the last t minus 2 branches do not depend on x, and only the first two branches depend on x, with values corresponding to what we had here plus a constant. Now let us add one more round. Now the input of the round function, of the S-box, depends on x. This implies that we add to all other branches a value which also depends on x and which corresponds to the output of the S-box. If we now apply a second round, then again the input of the S-box depends on x and is defined by this F here, and so again the output of this second S-box is added to all other branches. But this function F has been chosen in such a way that the outputs of the two S-boxes in these two rounds cancel each other. This means that what we add to all other branches over these two rounds is equal to zero. In other words, at the end of these two additional rounds, what we get is an internal state which has this form: the first t minus 2 branches do not depend on x, and only the last two branches depend on x. The last branch is equal to x prime, which is x plus some constant, while the last but one branch is equal to a polynomial in x of degree 3.

Now we have a state which has exactly the same form as at the beginning, so again we can apply t minus 2 rounds, and we get another state at the end of these additional t minus 2 rounds which is such that the first two branches depend on x and the last t minus 2 branches are constants. This is a very important property, which we used in several attacks against GMiMC. What we have found is that if we consider input states of this specific form, then after 2t minus 2 rounds we get output states of this form, and what is nice in our context is that, if we look at each branch of the output state, each of these branches can be written as a polynomial in x, and these polynomials have degree at most 3. Now we can add some more rounds: if we add one more round, we get an output state where each branch is a polynomial in x of degree at most 9, because the degree is multiplied by at most a factor 3, which is the degree of the round function.
This implies that if we now add log_3(q minus 2) minus 1 rounds, then we guarantee that the degree of the polynomial corresponding to each output branch is strictly less than q minus 1, and so we can apply the zero-sum property: in other words, the outputs corresponding to the q inputs obtained when x varies in F_q sum to zero. We can also do something better: we can add t minus 1 more rounds. The reason is that if we look at this quantity, which is a linear combination of the output words of these t minus 1 rounds, it is not difficult to see that it is also a linear combination of the input words of these t minus 1 rounds, and because the input words correspond to polynomials of degree strictly less than q minus 1, the same property holds for this value. This implies that when x varies in F_q, this quantity sums to zero, and this provides us with an integral distinguisher on GMiMC which covers 3t minus 4 plus log_3(q minus 2) rounds. For instance, for the parameters we focus on, this distinguisher covers 70 rounds out of the 101 rounds of GMiMC. But what is not that nice is that the complexity of this distinguisher is exactly q, the size of the field, because x varies in F_q, and this implies that when the size of the field is higher than the security level, the distinguisher does not apply. However, even in that case we can exhibit a similar integral distinguisher by considering a multiplicative subgroup of the field, even if the field is quite large. In our case, the field size proposed for the challenges is this one, and this prime is very nice for the attacker because q minus 1 is divisible by a high power of two. This means for instance that we can consider a multiplicative subgroup of size 2^128, and with this we can exhibit an integral distinguisher which covers 85 rounds; the number of rounds covered by the distinguisher is exactly the same as before, except that the size of the multiplicative subgroup is used instead of q minus 1.

Also, because what we are considering here is not a block cipher but a permutation where the key is fixed and corresponds to the round constants, we are in a known-key setting, and so we can start the computation not only from the input of the permutation but from the middle. This means that we can use similar properties to construct not only integral distinguishers but what is called zero-sum distinguishers. We only have to use the same property, but computing in the backward direction now, and what we get like this is some quantity depending on the input words which sums to zero and, similarly as before, some quantity depending on the output words which sums to zero. With this we get a zero-sum distinguisher covering this number of rounds. For the parameters we focus on, if x varies in F_q, that is, if we saturate x, then we cover a number of rounds which is higher than the number of rounds recommended by the designers, and if we want to get a distinguisher which only covers the recommended number of rounds, then we can restrict ourselves to a multiplicative subgroup. For instance, for a subgroup of this size we get a distinguisher with a lower complexity: here the complexity is 2^48, which is smaller than the size of the field.

This was for integral distinguishers, and let me now move on to the second new type of attack that we introduced on GMiMC. We call this attack algebraically controlled differential attacks, and the idea here is to combine differential cryptanalysis with some algebraic properties. What we would like to do is to mount a collision attack on the hash function, that means on the sponge construction using GMiMC. For that, what we need is to find a pair of inputs which satisfies some differential characteristic, but in our setting, instead of the usual probabilistic method, which is too expensive here, we will use some algebraic techniques: we will try to solve some algebraic equations in order to find inputs which satisfy a given differential characteristic, and we are able to do this by representing the conditions on the differential transitions as algebraic equations. I will show how this applies to GMiMC: we will obtain a differential characteristic for GMiMC, but we will find valid inputs for this differential characteristic by an algorithm which is almost entirely algebraic and not probabilistic at all. I will show you how this works on 3t minus 2 rounds of the permutation, but actually we can extend this differential characteristic by t more rounds, and then we get a better differential characteristic that we can use for finding collisions. For instance, we applied this in practice for finding collisions on the version of the hash function with the parameters we focus on, reduced to 40 rounds, and this has been done in a few minutes on a PC.

Let us have a look at what happens in practice. What we want to find for this attack first is a differential characteristic for GMiMC. We start from an input difference which has this particular form: the first two branches have non-zero differences delta_0 and delta_0', and then we have t minus 2 branches with a zero input difference. Because the first input difference is not zero, the S-box at the first round is active, and we denote by delta_1 the output difference of this first S-box. This delta_1 is then added to all other branches, which means that at the output of this first round we get this difference, where delta_1 has been added to all branches except the last one. Now if we apply a second round, again we have an active S-box, so we have a transition; we denote by delta_1' the output difference of the S-box at the second round, and again this delta_1' is added to all branches except the last one, and we get this difference at the output of the second round. What is nice here is that we can observe that the difference we have in the first t minus 2 branches is the same: it equals delta_1 plus delta_1'. This implies that if delta_1 plus delta_1' is equal to zero, then we get zeros on the first t minus 2 branches, and so we have t minus 2 additional rounds for free, because the S-box is not active in the next t minus 2 rounds. What we get at the end, if this condition is satisfied, is a differential characteristic over t rounds, and moreover this differential characteristic is an iterative differential characteristic, because the output difference has exactly the same form as the input difference. This t-round differential characteristic is satisfied if this condition holds, and this condition occurs with probability 1 over q, where q is the size of the field. But the problem here is that we operate on very large fields, so this is extremely expensive, and we will not be able to use a classical probabilistic method for finding pairs of inputs which satisfy this differential. Instead, we will view this condition as an algebraic equation on the values of the inputs of the differential.

Let us see now how we can apply this to find longer differential characteristics on GMiMC. We can combine this new differential characteristic with the property we had and used in the integral distinguisher over 2t minus 2 rounds. Remember what we had: we considered some input states which had this specific form, with constants on the first t minus 2 input branches and then x and F(x), and we proved that after 2t minus 2 rounds we have an output of this form, where the last t minus 2 branches are now constant. If we consider two input states which have exactly this form, one defined by x and the other one defined by y, then after 2t minus 2 rounds we have two output states having this form, and in particular they are equal on the last t minus 2 branches, which means that the difference between these output states has exactly the same form as the input difference of our previous differential characteristic. So we can chain this with our t-round differential characteristic, which had this form, and with that we get a differential characteristic over 3t minus 2 rounds. This differential characteristic is satisfied if the two-round differential characteristic here is satisfied, that is, if the differences at the output of the S-boxes in the two rounds involved here cancel out. As I explained before, this condition can be written as an equation depending on the inputs here, x and y, and so we can find a pair of inputs, a pair of values x and y, such that these two inputs satisfy the differential characteristic if we are able to solve this equation. Of course this depends on the degree of the equation corresponding to this condition, so what is the degree of this equation? This is quite simple: we start from a polynomial G which has degree 3, then we apply a first round, so we multiply the degree by 3, and we have a second round, so we multiply it again by 3. This means that in total we get a degree which is at most 27. So what we have shown is that we are able to find input values which satisfy this differential characteristic over 3t minus 2 rounds if we are able to solve this equation, which is an equation in x and y of degree at most 27. How do we solve this? This is quite simple: we just set y equal to a constant, so we get a polynomial in x of degree at most 27, we just factor this polynomial, and this is very fast; then we can find an input which satisfies the differential characteristic. This was a small example, but we can also extend this differential characteristic by adding t more rounds at the beginning, and then we find a differential characteristic over 4t minus 2 rounds, and using this we have been able to find practical collisions on the hash function for a reduced version, reduced to 40 rounds.

Let me now conclude. Here is a summary of some of the attacks that we presented in the paper. The first part of the table corresponds to functions with a security level equal to 128 bits, the second part corresponds to a security level equal to 256 bits, and the red entries correspond to attacks, that means distinguishers on the permutation or attacks on the hash function, which cover all the rounds proposed by the designers. I would like to conclude with two more observations. The first one is that I did not say that the StarkWare challenges also include a third type of keyed permutation, which is the permutation corresponding to the block ciphers Vision for the binary case and Rescue for the prime field, and we were not able to apply similar attacks to this third type of permutation. This means that it seems that Vision and Rescue offer better security in these applications than GMiMC and HadesMiMC. The second observation is that it is quite difficult to make strong claims on the security of this new type of primitive, and one of the reasons is that these primitives operate over fields of odd characteristic, and as we have seen with our general version of integral attacks, we really need new tools for analysing these primitives, and there is still much work that needs to be done in order to find these new tools and to see how we can have very efficient cryptanalytic methods for primitives over fields of odd characteristic. So thank you very much for listening.
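The two ideas of the talk on a toy scale, as an added example that is not code from the paper, the talk or the StarkWare challenges: (1) the generalized integral property, checked by saturating one branch of a small GMiMC over the whole field and over a multiplicative subgroup, and (2) the t-round iterative differential characteristic, with the cancellation condition delta_1 + delta_1' = 0 solved algebraically rather than by trying random pairs. Everything is constructed: the prime P = 65537 (chosen so that P - 1 = 2^16, an analogue of the challenge prime's high power of two, with gcd(3, P - 1) = 1), t = 4 branches, the round constants and the fixed branch values. The integral part only saturates a single branch, so it covers fewer rounds than the talk's construction with the (x, F(x)) input form; the differential part fixes x_1 instead of y, which turns the condition into a quadratic in x_2 (an instance of the talk's "set one variable to a constant and solve the univariate polynomial"), so one modular square root replaces the factoring step.

```python
# Added example, not code from the paper or from the StarkWare challenges: a toy
# GMiMC_erf over a tiny prime field to check (1) the generalized integral property
# from the talk, over all of F_P and over a multiplicative subgroup, and (2) the
# t-round iterative differential characteristic, with the condition
# delta_1 + delta_1' = 0 solved algebraically. All parameters are constructed.
P = 65537      # toy prime: P - 1 = 2**16, so gcd(3, P - 1) = 1 and F_P^* has a
               # subgroup of every order 2**j, mirroring the challenge prime's high 2-power
T = 4          # branches (the challenge parameters use t = 12)
RC = [(0x5EED * (i + 1) ** 2 + 0x1234) % P for i in range(12)]  # constructed round constants
FIXED = (7, 11, 13)   # constants for branches 2..T in the integral experiments


def cube(v):
    return pow(v, 3, P)


def gmimc_erf(state, rounds):
    """Expanding round function: cube(first branch + round constant) is added to
    every other branch, then the branches rotate left."""
    x = list(state)
    for r in range(rounds):
        y = cube((x[0] + RC[r]) % P)
        x = [(v + y) % P for v in x[1:]] + [x[0]]
    return x


def branch_sums(xs, rounds):
    """Sum each output branch over the inputs (x, FIXED...) for x in xs."""
    acc = [0] * T
    for v in xs:
        acc = [(a + o) % P for a, o in zip(acc, gmimc_erf((v,) + FIXED, rounds))]
    return acc


def full_field_sums(rounds):
    """Saturated x: every branch is a polynomial in x of degree <= 3**rounds, so
    all sums are 0 whenever 3**rounds < P - 1 (true up to 10 rounds here)."""
    return branch_sums(range(P), rounds)


def subgroup_sums(rounds, order):
    """Over the subgroup G of F_P^* of the given order: returns (observed sums,
    |G| * output(x = 0) mod P), which agree whenever 3**rounds < |G|."""
    g, elems, v = pow(3, (P - 1) // order, P), [], 1   # 3 is a primitive root mod 65537
    for _ in range(order):
        elems.append(v)
        v = v * g % P
    expected = [order * o % P for o in gmimc_erf((0,) + FIXED, rounds)]
    return branch_sums(elems, rounds), expected


def mod_sqrt(n):
    """Tonelli-Shanks square root mod P (3 is a non-residue); None if none exists."""
    n %= P
    if n == 0:
        return 0
    if pow(n, (P - 1) // 2, P) != 1:
        return None
    q, s = P - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    m, c, t, r = s, pow(3, q, P), pow(n, q, P), pow(n, (q + 1) // 2, P)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % P, i + 1
        b = pow(c, 1 << (m - i - 1), P)
        m, c, t, r = i, b * b % P, t * b * b % P, r * b % P
    return r


def solve_second_branch(x1, d0, d0p):
    """x2 such that (x1, x2, c..) and (x1 + d0, x2 + d0p, c..) follow the t-round
    iterative characteristic: the round-1 and round-2 S-box output differences must
    cancel.  With x1 fixed, delta_1 is known and the condition is a quadratic in
    u = x2 + y1 + RC[1], solved with one square root instead of ~P trials."""
    y1 = cube((x1 + RC[0]) % P)
    d1 = (cube((x1 + d0 + RC[0]) % P) - y1) % P   # delta_1
    d = (d0p + d1) % P                             # input difference of the round-2 S-box
    if d == 0:
        return None
    # (u + d)^3 - u^3 + delta_1 = 3d u^2 + 3d^2 u + d^3 + delta_1 = 0
    A, B, C = 3 * d % P, 3 * d * d % P, (d ** 3 + d1) % P
    root = mod_sqrt(B * B - 4 * A * C)
    if root is None:                               # non-residue discriminant: pick another x1
        return None
    u = (root - B) * pow(2 * A, P - 2, P) % P
    return (u - y1 - RC[1]) % P


def find_pair(d0, d0p):
    """First x1 whose quadratic has a root (about half of them do) and its x2."""
    for x1 in range(P):
        x2 = solve_second_branch(x1, d0, d0p)
        if x2 is not None:
            return x1, x2


def characteristic_holds(x1, x2, d0, d0p):
    """After t rounds the difference must again be (*, *, 0, ..., 0)."""
    a = gmimc_erf((x1, x2) + FIXED[1:], T)
    b = gmimc_erf(((x1 + d0) % P, (x2 + d0p) % P) + FIXED[1:], T)
    return all(u == v for u, v in zip(a[2:], b[2:]))


if __name__ == "__main__":
    print("10 rounds, x saturated:", full_field_sums(10))                  # all zeros
    sums, exp = subgroup_sums(8, 1 << 13)
    print("8 rounds, subgroup of order 2^13 matches |G|*out(0):", sums == exp)
    x1, x2 = find_pair(1, 2)
    print("pair", (x1, x2), "follows t-round characteristic:", characteristic_holds(x1, x2, 1, 2))
```

Ten rounds is the limit of the saturated distinguisher here because 3^10 < P - 1 while 3^11 is not, mirroring the log_3(q - 2) term in the talk's round count; the subgroup variant trades rounds for cost in the same way (order 2^13 costs 8192 evaluations instead of 65537 and still covers 8 rounds). For the differential part, `find_pair` succeeds on the first x_1 whose discriminant is a square, which is the toy counterpart of the talk's "fix one variable and solve" step.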