Gr\"obner Basis Cryptanalysis of Ciminion and Hydra

TL;DR

This paper applies Gr"obner basis techniques to analyze the security of the Ciminion and Hydra symmetric key primitives, revealing that their resistance to polynomial system solving attacks is lower than previously claimed.

Contribution

It constructs explicit Gr"obner bases for both primitives' polynomial models, providing more accurate complexity estimates and challenging existing security claims.

Findings

Ciminion's polynomial model can be simplified using a constructed Gr"obner basis.

Hydra's security against Gr"obner basis attacks is lower than originally claimed, with attacks feasible at fewer rounds.

Explicit Gr"obner basis constructions improve the understanding of the primitives' algebraic vulnerabilities.

Abstract

Ciminion and Hydra are two recently introduced symmetric key Pseudo-Random Functions for Multi-Party Computation applications. For efficiency, both primitives utilize quadratic permutations at round level. Therefore, polynomial system solving-based attacks pose a serious threat to these primitives. For Ciminion, we construct a quadratic degree reverse lexicographic (DRL) Gr\"obner basis for the iterated polynomial model via linear transformations. With the Gr\"obner basis we can simplify cryptanalysis, as we no longer need to impose genericity assumptions to derive complexity estimates. For Hydra, with the help of a computer algebra program like SageMath we construct a DRL Gr\"obner basis for the iterated model via linear transformations and a linear change of coordinates. In the Hydra proposal it was claimed that $r_\mathcal{H} = 31$ rounds are sufficient to provide $128$ bits of security against Gr\"obner basis attacks for an ideal adversary with $\omega = 2$. However, via our Hydra Gr\"obner basis standard term order conversion to a lexicographic (LEX) Gr\"obner basis requires just $126$ bits with $\omega = 2$. Moreover, using a dedicated polynomial system solving technique up to $r_\mathcal{H} = 33$ rounds can be attacked below $128$ bits for an ideal adversary.