Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC

Abstract

The block cipher Jarvis and the hash function Friday, both members of the MARVELlous family of cryptographic primitives, are among the first proposed solutions to the problem of designing symmetric-key algorithms suitable for transparent, post-quantum secure zero-knowledge proof systems such as ZK-STARKs. In this paper we describe an algebraic cryptanalysis of Jarvis and Friday and show that the proposed number of rounds is not sufficient to provide adequate security. In Jarvis, the round function is obtained by combining a finite field inversion, a full-degree affine permutation polynomial and a key addition. Yet we show that even though the high degree of the affine polynomial may prevent some algebraic attacks (as claimed by the designers), the particular algebraic properties of the round function make both Jarvis and Friday vulnerable to Gröbner basis attacks. We also consider MiMC, a block cipher similar in structure to Jarvis. However, this cipher proves to be resistant against our proposed attack strategy. Still, our successful cryptanalysis of Jarvis and Friday does illustrate that block cipher designs for “algebraic platforms” such as STARKs, FHE or MPC may be particularly vulnerable to algebraic attacks.

Appendices

A Polynomials of Section 4.2

In Sect. 4.2, we search for monic affine polynomials D, E such that the equality

$$\begin{aligned} D(B) = E(C) \end{aligned}$$

is satisfied, where B, C are monic affine polynomials of degree 4. In particular, given

$$ B(X) = X^4 + b_2 X^2 + b_1 X + b_0\quad \text {and}\quad C(X) = X^4 + c_2 X^2 + c_1 X + c_0 $$

the goal is to find

$$ D(X) = X^4 + d_2 X^2 + d_1 X^1 + d_0\quad \text {and}\quad E(X) = X^4 + e_2 X^2 + e_1 X + e_0 $$

such that \( D(B) = E(C). \)

By comparing the corresponding coefficients of D(B) and E(C), we obtain a system of 5 linear equations in the 6 variables \(d_0, d_1, d_2, e_0, e_1, e_2\):

$$\begin{aligned} d_2 + e_2&= b_2^4 + c_2^4, \\ d_1 + b_2^2\cdot d_2 + e_1 + c_2^2\cdot e_2&= b_1^4 + c_1^4, \\ b_2\cdot d_1 + b_1^2\cdot d_2 + c_2\cdot e_1 + c_1^2\cdot e_2&= 0, \\ b_1\cdot d_1 + c_1\cdot e_1&= 0, \\ d_0 + b_0\cdot d_1 + b_0^2\cdot d_2 + e_0 + c_0\cdot e_1 + c_0^2\cdot e_2&= b_0^4 + c_0^4. \end{aligned}$$

This system can be solved to recover D and E.

B Constants \(\alpha _i\), \(\beta _i\), \(\gamma _i\), and \(\delta _i\) for the Round Keys

Each round key \(k_{i+1} = \frac{1}{k_i} + c_{i}\) in Jarvis can be written as

$$\begin{aligned} k_{i+1} = \frac{\alpha _i \cdot k_0 + \beta _i}{\gamma _i \cdot k_0 + \delta _i}, \end{aligned}$$

where \(\alpha _i\), \(\beta _i\), \(\gamma _i\), and \(\delta _i\) are constants. By simple computation, note that:

• \(i = 0\):

  $$\begin{aligned} k_1 = \frac{1}{k_0} + c_{0} = \frac{c_{0} k_0 + 1}{k_0}, \end{aligned}$$

  and \(\alpha _0 = c_{0}, \beta _0 = 1, \gamma _0 = 1, \delta _0 = 0\);

• \(i = 1\):

  $$\begin{aligned} k_2 = \frac{1}{k_1} + c_{1} = \frac{(c_{0} c_{1} + 1) k_0 + c_{1}}{c_{0} k_0 + 1}, \end{aligned}$$

  and \(\alpha _1 = 1 + c_{0} c_{1}, \beta _1 = c_{1}, \gamma _1 = c_{0}, \delta _1 = 1\);

• \(i = 2\):

  $$\begin{aligned} k_3 = \frac{1}{k_2} + c_{2} = \frac{(c_{0} c_{1} c_{2} + c_{0} + c_{2}) k_0 + c_{1} c_{2} + 1}{(c_{0} c_{1} + 1) k_0 + c_{1}}, \end{aligned}$$

  and \(\alpha _2 = c_{0} c_{1} c_{2} + c_{0} + c_{2}, \beta _2 = c_{1} c_{2} + 1, \gamma _2 = c_{0} c_{1} + 1, \delta _2 = c_{1}\);

and so on. Thus, we can derive recursive formulas to calculate the remaining values for generic \(i \ge 0\):

$$\begin{aligned} \alpha _{i+1}&= \alpha _i \cdot c_{i+1} + \gamma _i, \\ \beta _{i+1}&= \beta _i \cdot c_{i+1} + \delta _i,\\ \gamma _{i+1}&= \alpha _i, \\ \delta _{i+1}&= \beta _i. \end{aligned}$$

C System of Equations from Section 7

The system of equations is constructed by symbolically computing \(A_{\textsc {AES}{}}^{-1}(\hat{C}(x))\), as described in Sect. 7, and setting all coefficients for degrees \(8, 16, 32, 64, 128\) to \(0\). These are five possible degrees and the following equations are the sum of all coefficients belonging to each of these degrees:

$$\begin{aligned} \texttt {0x5a} \cdot {\hat{c}_1}^8 + \texttt {0x7f} \cdot {\hat{c}_2}^4 + \texttt {0xfe} \cdot {\hat{c}_4}^2&= 0, \\ \texttt {0x78} \cdot {\hat{c}_1}^{16} + \texttt {0x5a} \cdot {\hat{c}_2}^8 + \texttt {0x7f} \cdot {\hat{c}_4}^4&= 0, \\ \texttt {0x59} \cdot {\hat{c}_1}^{32} + \texttt {0x78} \cdot {\hat{c}_2}^{16} + \texttt {0x5a} \cdot {\hat{c}_4}^8&= 0, \\ \texttt {0xdb} \cdot {\hat{c}_1}^{64} + \texttt {0x59} \cdot {\hat{c}_2}^{32} + \texttt {0x78} \cdot {\hat{c}_4}^{16}&= 0, \\ \texttt {0x6e} \cdot {\hat{c}_1}^{128} + \texttt {0xdb} \cdot {\hat{c}_2}^{64} + \texttt {0x59} \cdot {\hat{c}_4}^{32}&= 0. \end{aligned}$$

By practical tests we found that no (nontrivial) coefficients \(\hat{c}_1, \hat{c}_2, \hat{c}_4\) satisfy all previous equalities, which means that there are no polynomials \(\hat{B}\) and \(\hat{C}\) both of degree \(4\) that satisfy \(A_{\textsc {AES}{}}(X) = (\hat{C} \circ \hat{B}^{-1})(X)\).