 Yeah, so welcome. So this is a presentation which is a joint work with Abdel Rahman Ali Tomar Ashour Ali Ben-Sasson, myself, Simon Doga and Alan Ciprianiac. And this is a presentation on the design of symmetric key primitives for advanced cryptographic protocols. So this work is focused on these advanced cryptographic protocols like multi-party computation and zero-knowledge proofs and the use of symmetric key primitives in them. And there is a big focus here on what is efficient for these protocols, what kind of building blocks do we need in our symmetric key primitives, which are easy to evaluate for these protocols. And given those basic building blocks, that means S-boxes which are efficient and the use of linear layers, we found that the effect of this causes quite a shift in cryptanalysis. We shift from the cryptanalysis that we know and love like differential and linear cryptanalysis to a more of a focus on groupler-based analysis and algebraic cryptanalysis with bigger extension fields. And the result of our study ends in the creation of two primitives which we named vision and rescue, which in this presentation I will present to you. And we'll start by explaining what these advanced cryptographic protocols are. And we're going to give two examples. We're going to give the example of zero-knowledge proofs and of multi-party computation. So in zero-knowledge proofs, typically we have two parties. We have a prover and we have a verifier. And the prover has some, let's say, some information. And to put the link with symmetric key primitives, let's say that the prover has some pre-image. And once the show to the verifier via interaction with the verifier, knowledge of this pre-image without revealing what this pre-image is. Then another application is multi-party computation. So in multi-party computation, we typically consider two or more parties. Each party can have their own secret information or can have their information shared and interacts with each other in order to compute on this secret data. And the applications of multi-party computation are plenty. But one possible application is to calculate a thresholdized signature. And of course for these threshold signature schemes, we also need symmetric key primitives in the form of a hash function to make sure we sign shorter messages. So okay, to explain to you the rest of this presentation, it will be very interesting to quickly go over what I mean when I say multi-variate equations because these will be used for both Starks as for Gropner-based analysis. So we're going to take this very simple example. So this is a typical cypher, just uncubing. So this is a compositional inverse of the cubing map, the input adding a key, cubing that, and then adding another key. So we can express this simple function in many ways. We can say, well, okay, let's say si is our input. So we can say, well, we take si, we raise that to per 1 over 3, we add this key in, we cube that, we add this other key in, and that I'm going to call si plus 2. So this is the simple forward evaluation. The backward evaluation then of course is also quite simple. We can say, well, okay, I don't know where we're working on, let's say over a prime field. So then there is a minus. So we subtract our key. We do the compositional inverse of our cubing. We subtract our key once again, and then we cube that, and then we find si. So this is the backwards evaluation. And we see that in both the backwards as the forward evaluation, we have this uncubing map here. So we'll see that that will be of high degree. But we can express this also as a multivariate equation. And in a multivariate equation, we can say, well, okay, let's call this x. And then we can say, well, let's write this in two equations. And in two equations, we can find, well, let's do x. Let's do minus ki plus 1. Let's cube that, and let's call that si. And we also, let's say, let's cube x. Let's add ki plus 2 with it. And then we get si plus 2. And so we see this is a multivariate equation because each equation is in multiple variables, and each equation is also of low degree. So now we move on to our work. We're going to first compare the traditional model with our new model. So in the traditional model, this is the model we're used to, we're making symmetric key primitives over software or hardware. And these, we know these work invariably over bits. So depending on your platform architecture, they might work over bytes or 32 bits. So over small extension fields. But these extension fields would still be small. And as a result, our S-boxes are also quite small because the S-boxes are going to be the tougher operation to handle, and it is better if our S-boxes respect the platform's architecture. Then on the linear layers, we know we want these to be light as well, and that means light in extra costs. So we want to have good diffusion, but for the minimal number of extra costs that we can have. Compare this, this traditional model to the new model. In the new model, we're working with algebraic expressions. We want all of our operations to have some sort of simple algebraic expression, not over the base field, not over bits, but over an extension field. And that finite field is one that is either a prime field with a large prime number, let's say a 32-bit prime number at least, or we're working again with a binary extension field, but now that binary extension field can be quite large. So let's say 64 bits or something. Now what we see is we're working with larger S-boxes. Now just larger S-boxes, these S-boxes can then have simple algebraic expressions such as monomials, let's say the cubing function or the inversion function, but then over a large prime field or a large binary extension field. Our linear layers, typically, they can be heavy because when we express them as these multivariate equations, they still are just equations of degree one. That means that even though these linear layers might be heavy in extra costs, they are still of degree one and therefore very efficient to compute. And so we see that there is a huge difference between these two models. We go from small S-boxes to using large S-boxes while retaining efficiency and we can use heavier linear layers. All right, and that is a difference in design goals and that will also, as said later on, create a huge difference in cryptanalysis as well. So this is how my colleague Tomer Assure and I started on the development of the block cipher jarveys. We were contacted by this company Starquare to investigate block ciphers and general primitives which were efficient for their algorithmic design. And what we found was the AES block cipher was quite efficient simply because its S-boxes were quite large, working over bytes. So we saw that by increasing the size of the S-boxes we could gain a more efficient cipher. So we went for the more extreme option by taking the inversion over the entire state and also taking an affine polynomial over the entire state releasing the need for any diffusion layers. And while the inversion was really efficient for these Starks, the affine polynomial was the inefficient part. So in order to increase efficiency again we split up this affine polynomial in two parts, B inverse and C such that B and C are both of low degree. And what the protocol then basically does is it evaluates each of these blocks separately and each of these blocks is multivariately of low degree. So jarveys was quite efficient over these Starks and the reason was because it was very easy to express as multivariate equations. And it was the same expression that can be used to attack it via a Gropner-based attack. And the idea is as follows. So the inversion normally is an operation which is of high degree over any field that is worked over. But multivariately you can simply express it as saying well just do x times y, the input times the output and that should equal to one. And that is simply a quadratic multivariate equation. So that's simply a quadratic equation in other words and using Gropner bases you can split the affine polynomials again in two parts, a B part and a C part both being of low degree. So because jarveys was attacked and we basically saw that Gropner-based attacks were indeed a threat which was quite new to us because typically they don't form a threat to many symmetric primitives. So we started to rethink our design and to see well how do we actually take into account this new design area. So and this led to the design of vision. Now vision is quite like jarveys which also uses the inversion as a non-linear layer. It also uses affine polynomials but now we use B and B inverse interchangeably and B is again of low degree. We also use more than one cell in the states and we use a diffusion layer which is an MDS matrix and the reason why this changed is to fault the first reason is because of efficiency. We saw that there were not many applications out there which use a prime field or a binary extension field the size of the entire state. Typically it's much smaller. And secondly, we also included in our crypt analysis a Gropner-based analysis and we saw that when using just one cell the degree of regularity of that Gropner-based did not rise. So for better security arguments we had to use more than one cell. So jarveys and vision they both worked over binary extension fields. That was good but we saw that many applications actually need to work over prime fields instead. So what we did is we redesigned our idea that we designed principles that we used in vision and we made a cypher called rescue. So rescue exists of again a non-linear layer being a monomial, x to the power of alpha. But here we interchangeably use x to the power of alpha and it's compositional inverse x to the power of 1 over alpha. And again we use a kind of shark-like structure. Okay and so that brings us to our core design principles. So with these core design principles we want to show to you some interesting observations we had when designing vision and rescue. First of all as opposed to software and hardware implementations we needed quite a flexibility of state size and finite field. And for example we have the AES which exists there for 128-bit security and 256-bit security. Something restrictive as that we could not really make. Meaning that we found that many users they use all different prime fields to work over. So we could not make a design that works over a particular prime field because then no one would be able to use that particular design. So we want our design to be kind of independent of the chosen prime field. The same happens with the binary extension field case. This N here can be 8-bits long. It could also be 32-bits long. It could even be 64-bits long. We should allow for any of these parameters. In the state size and rounds we also found something that there are people that prefer a thin state let's say a 128-bit state but then let's say 20 rounds a larger number of rounds versus a bigger state let's say 512-bits but then needing only 10 rounds. So we still need the flexibility to allow users to say well I want to work with a bigger state with fewer rounds rather than a smaller state with more rounds. The second design principle we had is non-procedural computation. This is basically what you have seen in rescue and vision is we need our non-linear layers or a round function to be of high polynomial degrees. So our inversion or our x to the power alpha or x to the power 1 over alpha operations of high degree when evaluated forward or backward but they need to be of low multivariate degree and so what that kind of means is that if you have a round let's say you have an input in that round then you get an output that we wanted there to be some function g such that if it operates on the input and the output it is of low degree and that might sound a bit weird but the idea is that many of these advanced cryptographic protocols even though sometimes in zero-knowledge proofs y is already computed and you're just wanting to verify whether indeed y is the output of x after applying the round function even in protocols such as multi-party computation there are tricks to kind of implicitly evaluate this multivariate equation anyway. And so we saw earlier that from this change of models from the software hardware model to this new model we can use larger S-boxes we can use heavier linear layers and because of that change we also see a change in cryptanalysis so we found that the traditional cryptanalysis being differential and linear cryptanalysis we found it quite easy to provide resistance against these attacks because of using larger nonlinear layers because of using let's say a shark structure a full MDS diffusion but also using monomials as our nonlinear layers for which we know the differential and linear properties so we found it really easy to provide resistance against these attacks what was really difficult to provide resistance against was against interpolation and Gropner attacks and when I say to provide resistance against them I mean without harming efficiency so we can easily provide resistance against these attacks without harming efficiency whereas these attacks they quite inherently state difficult and the reason is of course because we are forced to create nonlinear layers of low algebraic degree even being of low multivariate algebraic degree and we want our round functions to be simple expressions over the extension fields rather than over base fields over bits for example we want them to be simple expressions over the extension fields and these attacks especially Gropner attacks they work over those representations so they remained our main focus of cryptanalysis in this work and so on the cryptanalysis using Gropner bases we'll give an example and so in the example I've plotted or given the graph of rescue with m equal to 2 that means 2 state cells and alpha equal to 3 meaning that the cubing function was used as the nonlinear layer and the blue curve what we see is let's say that these round functions that we use these multivariate equations they acted as if a regular system in that case we see in the number of rounds the degree of regularity going up following the blue curve but what we did was we also took our round functions from rescue we implemented those and we calculated a Gropner basis for them we see that this gives us our data points for rounds 2, 3 and 4 we see that these give a degree of regularity way fewer or way lower than that of a regular system and what we see is that well this degree of regularity this concrete degree of regularity is half the degree of regularity of a regular system so what we do is we plot the orange curve this is a concrete fit of our data points and from that curve we can estimate the complexity over or we extrapolate the complexity over multiple rounds how much effort it would take to compute a Gropner basis for more rounds of rescue so we've put our work already online some time before and in the meantime it has enjoyed quite a lot of practical use in this slide I've linked some links to github but there are also papers on eprint or submitted papers that you can find out there where mainly rescue has already seen practical use and with this I kind of want to state that although the field of arithmetization oriented cyphers is quite new Low MC and MIMC being I think the first ones it is gaining more and more traction so there is a lot of use and a lot of demand out there and so that's a bit opposed to the cryptanalysis so most of these primitives they are quite new we've been seeing lately more and more works on attacks against these algebraic primitives against MIMC for example against GMIMC and also in this slide I've listed already some cryptanalysis that has been done on vision and rescue already being the first two bullets but this is also a call for more cryptanalysis as I said the field is getting more traction and for that to be sure that these new primitives are secure or by optimizing their efficiency further more cryptanalysis is definitely wanted and if you are interested the third bullet point states a link to a challenge hosted by Starkware in which you can find some instances of the vision and rescue hash functions as well as some other competitors and there you need to find collisions of these instances and you will be rewarded some ethers also the last bullet point might be of interest this is a new ePrint report which is also in submission this is a systematization of knowledge paper in which we specify a standard specification for rescue mainly oriented for the implementer site of the community but definitely if you want to look at what are practical instances for you to cryptanalyze then this paper could be quite interesting to search for as well I want to end the presentation thank you all for your attention and I hope you have a very very nice FSE