Keywords

1 Introduction

Modern cryptography developed many techniques that go well beyond solving traditional confidentiality and authenticity problems in two-party communication. Secure multi-party computation (MPC), zero-knowledge proofs (ZK), and fully homomorphic encryption (FHE) are some of the most striking examples. In various applications of these three technologies, part of the circuit or function that is being evaluated is in turn a cryptographic primitive such as a PRF, a symmetric encryption scheme, or a collision resistant function.

In this work, we focus on a large class of such applications where the total number of field multiplications in the underlying cryptographic primitive poses the largest performance bottleneck. Examples include MPC protocols based on Yao’s garbled circuit and all ZK-proof system that we are aware of, including recent developments around SNARKs [BSCG+13] which found practical applications, e.g., in Zerocash [BCG+14]. This motivates the following question addressed in this work: How does a construction for a secure block cipher or a secure cryptographic hash functions look like that minimizes the number of field multiplications?

Earlier work on specialized designs for such applications, like LowMC [ARS+15], Kreyvium [CCF+16], or the very recent FLIP [MJSC16] all consider the case of Boolean multiplications and mostly focus on the depth of the resulting circuit.

Surprisingly, albeit many MPC/FHE/ZK-protocols natively support operations in \(\text {GF}({p})\) for large p, very few candidates, even considering all of symmetric cryptography, exist which natively work in such fields. Our focus in this paper is hence on multiplications in the larger fields \(\text {GF}({2^m})\) and \(\text {GF}({p})\) which is motivated as follows: As many protocols support multiplications in larger fields natively, encoding of a description in \(\text {GF}({2})\) is cumbersome and inefficient. Whilst it is possible to do bit operations over \(\mathbb {F}_p\) using standard tricks (which turn XOR into a non-linear operation), such a conversion is expensive. Consider AES as an example: it allows for an efficient description in a variety of field sizes. This is also the reason why the bit-cased LowMC which has a lower number of AND gates can often barely, if at all, outperform AES in actual implementations of the GMW MPC protocols, despite being much better than AES in terms of \(\text {GF}({2})\) metrics. See [ARS+16a, Table 6] for details of the most striking example. This is also partly due to the very high number of XORs computed in LowMC, resulting them to be no longer negligible.

Contributions and Related Work. The design we propose is extremely simple: A function \(F(x) := x^3\) is iterated with subkey additions. This is described in detail in Sect. 2. In fact, our design is a simplified variant of a design by Nyberg and Knudsen [KN95] from the 1990s, which was aimed to demonstrate ways to achieve provable security against the then emerging differential and linear attacks, using a small number of rounds (smaller than, say, DES). However, not much later, [JK97] showed very efficient, even practical interpolation attacks on such proposals. Indeed, our proposal resembles \(\mathcal {PURE}\), a design introduced in [JK97] in order to present their attack. We pick up this work from almost 20 years ago and study in earnest if a much higher number of rounds can make this design secure in Sect. 4. It turns out, perhaps surprisingly, that the required much higher number of rounds (in the order of 100 s instead of 10 or less) is very competitive when it comes to the new application areas of symmetric cryptography that motivate this work.

We propose several variants of our design called MiMC: variants for \(\text {GF}({p})\) and \(\text {GF}({2^n})\) as well as variants that use the cube mapping directly or in a Feistel structure. MiMC can be used for encryption as well as for collision-resistant cryptographic hashing. See Sect. 2 for the basic variant in \(\text {GF}({2^n})\) and Sect. 5 for a discussion on the other variants. MiMC is distinguished from any of the many constructions that have been proposed in this field recently to the that it contradicts popular belief: A recent standard textbook [KR11, Sect. 8.4] explicitly considers such constructions as “not serious, for various reasons”.

Metrics. Given the wide variety of applications and protocols, no simple metric will be able to reliably predict application level performance. Issues of conversion between various field types (as the conversion between GF(2) and GF(p) mentioned above, which can be quite costly) add to the complication. Nevertheless, in order to give at least some hint towards expected performance, we will use the minimal number of multiplication to compute an output (minMULs), and the average number of multiplications needed per input bit (MULs/bit) on various designs. For the important special case of GF(2) we will use minANDs and ANDs/bit, respectively.

A discussion of various constructions in GF(p) and GF(2) can be found in Sect. 3. In the benchmarking part in Sect. 6.1, we will also come across the case of an extremely imbalanced LowMC-variant where this simple metric clearly fails to predict actual performance. The application performance is not independent of the size of the multiplier, but for the sizes relevant for MiMC this dependence is fairly weak. The experimental result supporting this is provided in the full version of this paper [AGR+16].

Implementation Results. The hashing mode for \(\text {GF}({p})\) may prove to be particularly useful as it is the first of its kind, despite various applications in verifiable computing [CFH+15] and applications of SNARKS like Zerocash [BCG+14] requiring such a function. Due to a lack of an alternative, authors implemented and optimized SHA-256, which leads to a bottleneck in efficiency. We demonstrate that MiMC compares very favorably in such an application. Based on our experiments and implementations, we report a factor 10 improvement in Sect. 6.1. We briefly mention more direct implementations in Sect. 6.2 and discuss the suitability of the design for cheap (generic) protection against higher-order side-channel attacks in Sect. 6.3.

In follow-up to this work [GRR+16], it was found that MiMC is also a very competitive candidate as an MPC-friendly PRF. Compared to AES, benchmark results showed that MiMC has a more than 10 times higher throughput in the online phase, and still about six times faster in the offline/precomputation phase in the LAN setting. Even the latency, which one could expect to be relatively high for MiMC due to its serial nature and the relatively high number of rounds, is better than the latency of AES. Note that for the AES case, this does not include conversion losses due to the application not using the AES field \(\text {GF}({2^8})\), and hence the difference in real-world application settings will likely be larger.

2 The MiMC Primitives

In the following, we describe a block cipher, a permutation, and a permutation-based cryptographic hash function with a low number of multiplications in a finite field \(\mathbb {F}_{q}\) (alternatively \(\text {GF}({q}) \)) where q is either a prime p or a power of 2.

2.1 The Block Cipher

In order to achieve an efficient implementation over a field \(\mathbb {F}_q\) (with q either prime or a power of 2), i.e., to minimize computationally expensive multiplications in the field, our design operates entirely over \(\mathbb {F}_q\), thereby avoiding S-boxes completely. More precisely, we use a permutation polynomial over \(\mathbb {F}_q\) as round function. In the following, we restrict ourselves to \(\mathbb {F}_{2^n}\) and we denote by MiMC-b/\(\kappa \) a keyed permutation with block size b and key size \(\kappa \). The concept however equally applies to \(\mathbb {F}_{p}\), which we will discuss briefly in Sect. 5.

MiMC- n/n . Our block cipher is constructed by iterating a round function r times where each round consists of a key addition with the key k, the addition of a round constant \(c_i\in \mathbb {F}_{2^n}\), and the application of a non-linear function defined as \(F(x) := x^3\) for \(x\in \mathbb {F}_{2^n}\). For a discussion of this particular choice of polynomial and alternatives, we refer to Sect. 5.3. The ciphertext is finally produced by adding the key k again to the output of the last round. Hence, the round function is described as \(F_i(x) = F(x\oplus k \oplus c_i)\) where \(c_0 = c_{r} = 0\) and the encryption process is defined as

$$ E_k(x) = (F_{r-1} \circ F_{r-2} \circ \ldots F_0)(x) \oplus k. $$

We choose n to be odd and the number of rounds as \(r = \Big \lceil \frac{n}{\log _2 3}\Big \rceil \). The \(r-1\) round constants are chosen as random elements from \(\mathbb {F}_{2^n}\).

Note that the random constants \(c_i\) do not need to be generated for every evaluation of MiMC. Instead the constants are fixed once and can be hard-coded into the implementation on either side. No extra communication is thus needed, just as with round constants in LowMC, AES, or in fact any other cipher.

Decryption for MiMC-n/n can be realized analogously to encryption by reversing the order of the round constants and using \(F^{-1}(x) := x^{s}\) with \(s = (2^{n+1} - 1)/3\) instead of \(F(x) := x^3\) (the complete derivation of s is given in Sect. 4, Lemma 1). Hence, encryption and decryption need to be implemented separately. Furthermore, decryption is much more expensive than encryption. Using modes where the inverse is not needed is thus advisable. We note that for our targeted applications, such as PRFs or cryptographic hash functions, computing the inverse is usually not required. We therefore provide benchmark results only for the encryption function. The fact that the inverse has a more complex algebraic description also has a beneficial effect on security as it limits cryptanalytic approaches that try to combine the encryption and decryption direction, such as inside-out approaches (Fig. 1).

Fig. 1.
figure 1

r rounds of MiMC-n/n

Full size image

MiMC-2 n/n (Feistel). By using the same non-linear permutation in a Feistel network, we can process larger blocks at the cost of increasing the number of rounds by a factor of two. The round function of MiMC-2n/n is defined as following

$$\begin{aligned} x_L \Vert x_R \longleftarrow x_R \oplus {(x_L \oplus k \oplus c_i)}^3 \Vert x_L. \end{aligned}$$

The round constants \(c_i\) are again random elements of \(\mathbb {F}_{2^n}\) except for the first and last round constants which are equal to 0. In the last round, the swap operation is not applied. The number of rounds for the Feistel version is \(r^\prime = 2\cdot r = 2\cdot \Big \lceil \frac{n}{\log _2 3}\Big \rceil \), where r is the number of rounds of MiMC-n/n.

Decryption for MiMC-2n/n can easily be realized by using the encryption function with reversed order of round constants, as usual for Feistel networks.

2.2 The Permutation

To construct the permutation MiMC\(^P\) from the cipher MiMC as described above, we simply set the key to the all-0 string.

2.3 The Hash Function

For the hash function MiMChash, we propose to instantiate the permutation MiMC\(^P\) in the sponge framework [BDPA08]. Given a permutation of size n, and a desired security level s, we can hash \(r=n-2s\) bits per call to the permutation. The MiMC permutation can be realized either in the SPN mode or Feistel mode by setting the key to \(0^\kappa \) where \(\kappa \) is the size of the key in bits. MiMCHash-\(\ell \) denotes the hash function with \(\ell \) bit output.

As usual, the message is first padded according to the sponge specification so that the number of message blocks is a multiple of r where r is the rate in sponge mode. For MiMCHash-t we use MiMC-n/n permutation where \(n = 4\cdot t + 1\) and \(s=2\cdot t\). For MiMCHash-256 we thus use a MiMC-n/n permutation with \(n = 1025\). The rate and the capacity are chosen as 512 and 513 respectively. This choice allows for processing the same amount of input bits as SHA-256 (512 bits) while at the same time offering collision security of 128-bits and preimage security of 256-bits, and in contrast to SHA-256 also full 256-bit 2nd-preimage security independent of the message length. We also propose MiMCHash-256b, which also offers collision resistance of 128 bits but only 128-bit security against preimage-style attacks, similar to SHAKE-256 as specified in the new SHA-3 standard. This construction makes use of a MiMC-n/n permutation where \(n = 769\). The rate and the capacity are chosen as 512 and 257 respectively. More generally for MiMCHash-tb, we use the MiMC-n/n permutation where \(n = 3\cdot t + 1\) and \(s=t+1\).

3 Related Designs and Comparison

In this section, we give an overview of related designs, i.e. symmetric primitives which are based on arithmetic operations in some ring.

3.1 Knudsen-Nyberg Cipher

As discussed above, our design can be seen as a resurrection of a design due to Knudsen and Nyberg in [KN95], who proposed a DES-like cipher using a similar idea for non-linear mappings in a finite field. The Feistel round function of the 64-bit KN-cipher uses an affine mapping \(e:\mathbb {F}_{2^{32}}\rightarrow \mathbb {F}_{2^{37}}\) to first transform the 32-bit input into a 37-bit value. After addition with a 37-bit round key, the resulting 37-bit value is then input to the non-linear permutation \(g:x \rightarrow x^3\) in \(\mathbb {F}_{2^{37}}\). Five bits of the output of g are then discarded to reduce the final output again to 32 bits. In summary, one application of the round function is given as

$$ x_L||x_R \rightarrow x_R||x_L \oplus f(e(x_R) \oplus k_i) $$

where f consists of application g followed by discarding one bit. The KN cipher is a six-round Feistel design with six 37-bit independent round keys and is provably secure against differential attacks. However, it is vulnerable to an interpolation attack (see below) because of the low algebraic degree of the polynomial corresponding to the encryption function. The Feistel variant of our design — MiMC-2n/n — can be easily recognized as a variant of the KN cipher, except for that we do not discard any bits (and hence always stay in the same field), add independent round constants and have a higher number of rounds. Indeed, our design more closely resembles \(\mathcal {PURE}\), the cipher used in [JK97] to demonstrate the vulnerability of the KN cipher to interpolation attacks, except for the higher number of rounds in our design. The performance of both designs essentially differs linearly in by how much we extend the number of rounds. We note that our GCD attack in Sect. 4.2 also extends to \(\mathcal {PURE}\) and allows to reduce the number of plaintext-ciphertext pairs required for a successful cryptanalysis.

3.2 The Pohlig-Hellman Cipher

The Pohlig-Hellman cipher was described in [PH78]. Choose a prime p. Pick \(1 \le k \le p-2\) with \(\gcd (k,p-1)=1\) and \(1 \le d \le p-2\) with \(d=k^{-1} \bmod p-1\), with p public and k and d private. To encrypt the message \(1 \le m \le p-1\) compute \(c = m^k \bmod p\). To decrypt compute \(m = c^d \bmod p\). Encryption and decryption take between \(\log _2p\) and \(2\log _2p\) multiplications depending on the Hamming weights of k and d. A key recovery attack solves the discrete logarithm problem in \(\mathbb {F}_p\). The General Number Field Sieve solves this problem in complexity \(\exp \left( \left( \root 3 \of {\frac{64}{9}} + o(1)\right) {(\ln p)}^{\frac{1}{3}}{(\ln \ln p)}^{\frac{2}{3}}\right) =L_p\left[ \frac{1}{3},\root 3 \of {\frac{64}{9}}\right] \). Thus for n-bit security, the number of multiplications required grows faster than O(n).

3.3 Naor-Reingold PRF

The Naor-Reingold PRF [NR97] is a pseudorandom function whose security can be reduced to the decisional Diffie-Hellman problem. For a given \(n\in \mathbb {N}\), primes p and q with q dividing \(p-1\), an element \(g\in \mathbb {F}_p^*\) of order q, and \(n+1\) elements \(a_0,\dots ,a_n\in \mathbb {Z}_q\), and an n-bit input \(x_1,\dots ,x_n\in \mathbb {F}_2\) define

$$\begin{aligned} f_{p,q,g,\varvec{a}}(x_1,\dots ,x_n) := g^{a_0\prod _{x_i=1}a_i} \end{aligned}$$

where \((g,\varvec{a})\) is the secret key. Evaluation of the function corresponds to one exponentiation in \(\mathbb {F}_p\) and n multiplications in \(\mathbb {Z}_q\). Thus it takes between p and 2p multiplications in \(\mathbb {F}_p\). As the security of this primitive can be reduced to the decisional Diffie-Hellman problem, just as with the Pohlig-Hellman cipher, for n bit security the number of multiplications grows faster than O(n).

3.4 Ajtai, SWIFFT, SWIFFTX

SWIFFT [LMPR08] is a hash function family related to hard problems in lattices. In can be seen in the tradition of the work of Ajtai [Ajt96] and was used as a building block for the SWIFFTX SHA-3 submission [ADL+08]. The hash function consists of an application of the Number Theoretic Transform (NTT) over \(\mathbb {Z}_{257}\) and in dimension 64 to \(m=16\) blocks of \(n=64\) bits. Each such transform costs \(\frac{1}{2}n \log _2 n = 3 \cdot n = 192\) multiplications by a constant per 64 bits. The output of the NTT is then pointwise multiplied with 64 random fixed elements in \(\mathbb {Z}_{257}\), costing another 64 multiplications. For \(m\cdot n\) bits of input the algorithm scales linearly in m, so require \(mn(1+\frac{1}{2}\log _2n)\) operations for \(m\cdot n\) bits of input. On modern microprocessors most of these multiplications can be avoided by using precomputed lookup tables and some specifically chosen constants. However, it is not clear that these techniques translate to our setting. Furthermore, we note that multiplication by small constants can be more efficient than general multiplications in, e.g. homomorphic encryption schemes. On the other hand, the constants in an NTT are not small a priori. Still, our analysis might be somewhat pessimistic. We note that SWIFFT itself does not fulfil standard requirements for general purpose hash functions and that SWIFFTX addresses these issues by running four SWIFFT instances (increasing the number of multiplications accordingly) and by introducing an S-box.

3.5 SPRING

SPRING [BBL+15] is a PRF proposal with security related to the Learning with Errors (LWE) problem. Similarly, to SWIFFT this construction employs an NTT over \(\mathbb {Z}_{257}\), but at dimension \(n=128\). This costs \(\frac{1}{2} n \log _2 n = 448\) multiplications in \(\mathbb {Z}_{257}\). Additional, k multiplications in \(\mathbb {Z}_{257}\) are required in a post-processing step for \(k \in \{64,128\}\) being the bit size of the input to the PRF. Hence, for \(k=128\) we expect 576 multiplications in \(\mathbb {Z}_{257}\). We note that these multiplications can be realized efficiently on modern CPUs, but not necessarily in the scenarios targeted in this work.

3.6 Comparison

In Table 1 we compare MiMC with various block cipher and PRF designs. In Table 2 we compare MiMC with various cryptographic hash function proposals. In both cases, we notice a big difference between MiMC instantiations, and other designs for the two metrics that interest us: (1) the minimal number of multiplications needed to encrypt a block or at least n bits (minMULs), and (2) the number of multiplications per encrypted bit. For the \(\text {GF}({p})\) version of MiMC, the number of multiplications has to be multiplied by 2.

Table 1. Comparison of ciphers in encryption mode (excluding key schedule). We list the size-optimized variants. Note that in most cases multiplication refers to the field \(\text {GF}({2})\) (minANDs and ANDs/bit) whereas in MiMC and others multiplication is in a larger field(minMULs and MULs/bit). For stream ciphers we give the minANDs needed to generate n bits of output.
Full size table
Table 2. Comparison of hash functions. We list the size-optimized variants. Note that in most cases multiplication refers to the field \(\text {GF}({2})\) (minANDs and ANDs/bit) whereas in MiMC multiplication is in a larger field (minMULs and MULs/bit).
Full size table

4 Design Rationale and Analysis of MiMC

In this section we explain the design rationale of the keyed permutation and argue its security. The monomial \(x^3\) serves as the non-linear layer of the block cipher. Note that we can use \(x^3\) to construct the cipher iff it is a permutation monomial in the field \(\mathbb {F}_{2^n}\). The following well known result governs the choice of the monomial and size of the field in the design of MiMC.

Proposition 1

Any monomial \(x^d\) is a permutation in the field \(\mathbb {F}_{2^n}\) iff \(\gcd (d, 2^n-1) = 1\).

Hence, \(x \rightarrow x^3\) is not a permutation in \(\mathbb {F}_{2^n}\) when n is even but only when n is odd. In particular, choosing thus \(n = 2^t+1\) ensures that \(x^3\) is a permutation in \(\mathbb {F}_{2^n}\).

Moreover, using the previous proposition, we can compute the inverse of the non-linear permutation \(x^3\) in \(\mathbb {F}_{2^n}\).

Lemma 1

Let n an odd integer. The inverse of the non-linear function \(x^3\) in \(\mathbb {F}_{2^n}\) is given by \(x^{s}\) with \(s:=(2^{n+1}-1)/3\).

Proof

Given \(y=x^3\), we are looking for an s such that \(x = y^s\) in \(GF(2^n)\), that is \(x^{3\cdot s} = x\). By Fermat’s little theorem, this is equivalent to look for an s such that \(3\cdot s = 1 \pmod {2^n-1}\). That is, there exists an integer t such that \(3\cdot s = 1 +t \cdot {2^n - 1}\). By Proposition 1, we have that \(\gcd (3, 2^x-1) = 1\) if and only if x is odd (i.e. \(\gcd (3, 2^x-1) = 3\) if and only if x is even). For \(t=1\), we obtain \(3\cdot s = 2^n\) which is a contradiction. If t is equal to 2, then \(3\cdot s = 2^{n+1}-1\). Since \(n+1\) is even (by hypothesis), then 3 divides \(2^{n+1}-1\). Finally, since \(x^3\) is a permutation in \(GF(2^n)\) for n odd (by previous proposition), then the inverse is unique and is given by \(s:=(2^{n+1}-1)/3\).    \(\square \)

4.1 Computation Cost Model

In most models of computation field multiplication is considered to be more computationally expensive than addition. However, note that squaring is a linear operation in a binary field \(\mathbb {F}_{2^{n}}\). Hence, if we consider the number of non-linear multiplications in a binary field then the number required to compute \(x^3\) is one. In the SNARK setting, each witness variable (and possibly each constraint) is generated from a field operation more specifically from a field multiplication. As a consequence, computing \(x^3\) generates two equations \(x \cdot x = y\) and \(y \cdot x = x^3\). Hence, in this setting we do not benefit from the linearity of squaring over the fields \(\mathbb {F}_{2^n}\) and computing \(x^3\) costs two multiplications. However, the cost of additions in these fields is still negligible compared to that of multiplication. Note that we can also disregard the cost of multiplication by a constant. Details on the form of equations involved in SNARK is given in Sect. 6.

We stress that although the cost of an addition is considered negligible compared to a multiplication, very large number of additions can reduce the efficiency of a design.

4.2 Security Analysis

Our designs resist a variety of cryptanalysis techniques. The algebraic design principle of MiMC causes a natural concern about the security of the keyed permutation against algebraic cryptanalytic techniques. We describe several possible algebraic attacks (incl. a new “GCD” attack) against the design and analyze the resistance of the block cipher against these attacks. We also consider statistical attacks.

To summarize the following results, the number of rounds for the case of MiMC-n/n is derived from an interpolation attack, while the number of rounds for the case of MiMC-2n/n is deduced from a Meet-in-the-Middle GCD attack.

We discuss the case in which some restrictions on the memory that the attacker can use to implement the attack hold in the full version of this paper [AGR+16]. We show that in this case it is possible to reduce the total number of rounds. We have also analysed the security when the adversary has a restriction on the number of plaintexts available in [AGR+16].

Interpolation Attack. Interpolation attacks, introduced by Jakobsen and Knudsen [JK97], construct a polynomial corresponding to the encryption function without knowledge of the secret key. If an adversary can construct such a polynomial then for any given plaintext the corresponding cipher-text can be produced without knowledge of the secret key.

Let \(E_k: \mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be an encryption function. For a randomly fixed key k, the polynomial P(x) representing \(E_k(x)\) can be constructed using Lagrange’s theorem, where x is the indeterminate corresponding to the plaintext. If the polynomial has degree d then we can find it using Lagrange’s formula

$$ P(x) = \sum _{i = 1}^{d} y_i \prod _{1 \le j \le d, i \ne j} \frac{x-x_j}{x_i-x_j} $$

where \(E_k(x_i) = y_i\) for \(i = 1,2, \ldots d\).

This method can be extended to a key recover attack. The attack proceeds by simply guessing the key of the final round, decrypting the cipher-texts and constructing the polynomial for \(r-1\) rounds. With one extra p/c pair, the attacker checks whether the polynomial is correct.

Observe that the number of unknown coefficients of the interpolation polynomial is \(d+1\) and that the complexity of constructing a Lagrangian interpolation polynomial is \(\mathcal {O}(d \log d)\) [Sto85]. Hence, setting \(d = 3^r\) with \(r = r_{max} \approx n/\log _2(3)\) thwarts this attack. Note that no function mapping from \(\text {GF}({2^n}) \) to \(\text {GF}({2^n}) \) has degree \(\ge 2^n\), since \(T^{2^n-1}\equiv 1\) for each \(T\in \mathbb {F}_{2^n}\) and the degree of the interpolation polynomial does not increase for \(r>r_{max}\).

By the same argument, a similar result holds for the case of the Feistel network MiMC-2n/n. Indeed, at each round the left/right hand part of the state can be described as a polynomial of the left and of the right hand part of the plaintext, with at most \(3^{2r-1} + 3^r+3^{r-1}+1\) unknown coefficients (observe that at round r, the degree of the polynomial is at most \(3^r\) in the left part of the plaintext and \(3^{r-1}\) in the right part). Thus, the complexity of constructing this Lagrangian interpolation polynomial is approximately \(\mathcal {O}(r\cdot 3^{2r})\), where a function mapping from \({\text {GF}({2^{n}})}^2\) to \(\text {GF}({2^n}) \) has degree at most \(2^{2n}\).

Note that in the chosen-plaintext scenario and in the case of MiMC-2n/n, an attacker can reduce the degree of the interpolation polynomial. For example, for chosen plaintexts of the form \(x||x^3\) the degree of the interpolation polynomial after r rounds is at most \({2\cdot 3^{r-1}}\) in the left part of the plaintext and \({2\cdot 3^{r-2}}\) in the right part, while for chosen plaintexts of the form 0||x the degree of the interpolation polynomial is at most \(3^{r-1}\) in the left part of the plaintext and \(3^{r-2}\) in the right part. Thus, for this second case, the interpolation polynomial of the right part of the text depends only by the right part of the plaintexts and has degree \(3^{r-2}\). In order to avoid the reduced degree of the polynomial, it is sufficient to add (at least) two rounds more to the number of rounds calculated for MiMC-n/n.

A meet-in-the-middle variant of the interpolation attack was also proposed in [JK97], constructing a polynomials \(g(x) = h(y)\) instead of one polynomial \(y = f(x)\). For MiMC-n/n, this approach does not produce an improvement due to the prohibitive degree of the inverse operation. In contrast, for MiMC-2n/n we have that g and h may have degree \(3^{r/2}\) in the left part of the plaintext and \(3^{r/2-1}\) in the right part only instead of degree \(3^{r}\) and \(3^{r-1}\) respectively. However, this lower degree comes at the price of increases computational cost. Indeed, constructing g and h requires solving a system of equation in \({n = 2\cdot (3^{r/2}+1)\cdot (3^{r/2-1}+1)}\) unknowns costing \(\mathcal {O}(n^\omega ) = \mathcal {O}(3^{r})\) operations, where the hidden constant is \(\ge 1\) and we conservatively set the linear algebra constant \(\omega =2\). The chosen plaintext variant of this attack is quite similar. As before, the idea is to choose plaintexts in which the left part is fixed. In this way, one of the two interpolation polynomial depends only on one variable, the right part of the plaintext. Thus, constructing g and h requires solving a system of equation in \({n = (3^{r/2-2}+1) + (3^{r/2}+1)\cdot (3^{r/2-1}+1)}\) unknowns costing \(\mathcal {O}(n^2) = \mathcal {O}(3^{r-1})\) operations where the hidden constant is \(\ge 1\).

We note that the complexity of an interpolation attack may decrease if the polynomial P(x) is sparse for a chosen key. However, because we are adding random round constants in each round and \(x^3\) is a permutation in \(\mathbb {F}_{2^n}\) by construction, our P(x) is not expected to be sparseFootnote 1.

Computing GCDs. From the description of MiMC, it is clear that factoring univariate polynomials recovers the key. However, if we are given more than one known plaintext-cipher-text pair, we can reduce the complexity further by computing a GCD of them. Denote by E(kx) the encryption of x under key k. For a pair \((x,y)\in \mathbb {F}_{q}^2\), \(E(K,x)-y\) denotes a univariate polynomial in \(\mathbb {F}_q[K]\) corresponding to (xy). Note that in general, given plaintext/cipher text pair (xy), it should be hard for a generic encryption scheme to compute the univariate polynomial \(E(K,x)-y\) explicitly in the variable K (i.e. the secret key). However, this is not the case of MiMC, for which the polynomial \(E(K,x)-y\) can be always computed explicitly, and it simply corresponds to the definition of encryption process (that is, the iterative application of the cubic function). Moreover, note that this attack may also be applied to \(\mathcal {PURE}\), the cipher used in [JK97] to demonstrate the vulnerability of the KN cipher to interpolation attacks, assuming round keys are not independent but linearly derived from k.

Consider now two such polynomials \(E(K,x_1) - y_1\) and \(E(K,x_2) - y_2\), with \(y_1 = E(k,x_1)\) and \(y_2=E(k,x_2)\) for the fixed but unknown key k. It is clear that these polynomials share \((K - k)\) as a factor. Indeed, with high probability the greatest common divisor will be \((K - k)\). Thus, by computing the GCD of the two polynomials, we can find the value of k.

MiMC-n/n for a known plain text x corresponds to a polynomial having degree \(3^r\), where the leading monomial always has non-zero coefficient. Hence, we can recover k with a GCD computation of two polynomials at degree \(3^r\) (indeed, considering differences of two polynomials \(G(K,x_i) - y_i\) reduces this degree to \(3^r-1\) by canceling the leading term). It is well-known that the complexity for finding the GCD of two polynomials of degree d is \(\mathcal {O}(d \log ^2 d)\). Hence, the complexity of this attack is \(\mathcal {O}(r^2 \cdot 3^r)\). For MiMC-n/n the time complexity of this attack is higher than that of the interpolation attack.

More care must be taken for MiMC-2n/n, since in this case the meet-in-the-middle variant of this attack can be performed. That is, instead of constructing polynomials expressing ciphertexts as polynomials in the plaintext and the key, we can construct two polynomials \(G'(K,x_i)\) and \(G''(K,y_i)\) expressing the state in round r/2 as a polynomial in the key and the plaintext or ciphertext respectively. Then, considering \(G'(K,x_1) - G''(K,y_1)\) and \(G'(K,x_2) - G''(K,y_2)\) we can apply a GCD attack on polynomials of degree \(3^{r/2}\), reducing the complexity to \({\mathcal {O}(r^2\cdot 3^{r/2})}\). Hence, to thwart this attack we must increase the number of rounds to \(r = 2\cdot r_{max} \approx 2 \cdot n/\log _2(3)\).

Invariant Subfields. The algebraic structure of MiMC allows to mount a invariant subfield attack on the block cipher under a poor choice of round constants. That is, if all the round constants \(c_i\) and the key k are in subfield \(\mathbb {F}_{2^{m}}\) of \(\mathbb {F}_{2^{n}}\) then by choosing a plaintext \(x \in \mathbb {F}_{2^{m}}\) an adversary can ensure that \(E_k(x) \in \mathbb {F}_{2^{m}}\). This attack is thwarted by picking n to be prime. The only subfield is then \(\mathbb {F}_2\) such that picking constants \(\ne 1\) will be enough to avoid the attack.

Differential Attacks. Differential cryptanalysis is one of the most widely used technique in symmetric-key cryptanalysis. The different types of cryptanalysis methods based on this technique depend on the propagation of an input difference through a given number of rounds of an iterative block cipher to yield a known output difference with high probability. The probability of the propagation often determines how many rounds can be attacked using this technique.

Given an input difference \(\delta \) and an output difference \(\delta '\), the differential probability of the round function is given as

$$\begin{aligned} \textsf {Pr}\left( {\delta \rightarrow \delta '}\right) = |\{x \in \mathbb {F}_{2^n}: F(x+\delta )+F(x) = \delta '\}|/2^n \end{aligned}$$
(1)

In our case the number of x satisfying \(F(x+\delta )+F(x) = \delta '\) is determined by the non-linear function \(x^3\). Hence it is enough to determine the size of the set

$$\begin{aligned} D = \{x \in \mathbb {F}_{2^n}: {(x+\delta )}^3+x^3 = \delta ', \delta \ne 0\}. \end{aligned}$$

As this is a quadratic equation in x for any, there are at most two solutions to the equation. This implies \(\textsf {Pr}\left( {\delta \rightarrow \delta '}\right) \le \frac{2}{2^n}\). This is sufficient to give any differential trail of at least two rounds a probability too low to be useful in an attack. A detailed analysis of the differential property of monomials of the form \(x^{2^t+1}\) in \(\mathbb {F}_{2^{n}}\) can be found in [Nyb94, Can97].

Linear Attacks. Similar to differential attacks, linear attacks pose no threat to MiMC. Indeed, the cubic function is an almost bent or an almost perfect nonlinear (APN) function, i.e., differential 2-uniform, where an APN permutation provides the best resistance against linear and differential cryptanalysis. Thus, since its maximum square correlation is limited to \(2^{-n+1}\) (cf. for example [AÅBL12] for details), any linear trail of the cubing function will have negligible potential after a few rounds.

Algebraic Degree and Higher-Order Differentials. As discussed above, the large number of rounds ensures that the algebraic degree of MiMC in its native field will be maximal or almost maximal. This naturally thwarts higher-order differential attacks when considering the difference as defined in the field (i.e., using the inverse of the field addition). But what happens to the degree when viewing the rounds as vectorial Boolean functions? As squaring is a linear operation in \(\mathbb {F}_{2^n}\), it is also linear when viewed as vectorial function over \(\mathbb {F}_2\). Cubing on the other hand introduces an additional multiplication which gives the round function an algebraic degree of 2 in every component when viewed as a vectorial Boolean function. Again, the large number of rounds should cause the degree to rise quickly and reach the limit of \(2^n\) which is sufficient to thwart any higher-order differential attacks also when viewing the round function as a vectorial Boolean function.

Hash-Specific Security Considerations. For usage in the MiMC permutation in the sponge mode as described in Sect. 2.3 we require the permutation to not show non-trivial non-random behavior for up to \(2^s\) input/output pairs. As specified in Sect. 2 the size of the permutation n determines the number of rounds (based on the GCD attack described above). As \(2s < n\) for both MiMCHash-256 and MiMCHash-256b, this choices leaves us with an additional security margin, even if an hypothetical inside-out approach could double the number of rounds in an attack.

5 Variants

In this section, we discuss two variants of MiMC. One for instantiating MiMC over prime fields and one for extending the key size to increase security.

5.1 MiMC over Prime Fields

The above descriptions of MiMC can also be used to operate over prime fields i.e. a field \(\mathbb {F}_p\) where p is prime. In that case, it needs to be assured that the cubing in the round function creates a permutation. For this, it is sufficient to require \(\gcd (3,p-1) = 1\).

Following the notation as above, we can consider MiMC-p/p where the permutation monomial \(x^3\) is defined over \(\mathbb {F}_p\). The number of rounds for constructing the keyed permutation is \(r = \Big \lceil \frac{\log p}{\log _2 3}\Big \rceil \). In the Feistel mode, we define MiMC-2p/p where the round function is defined over \(\mathbb {F}_p\) and where the number of rounds is double with respect to MiMC-p/p. In both the constructions the r round constants are chosen as random elements in \(\mathbb {F}_p\).

Our cryptanalysis from Sect. 4 transfers to this case except for the subfield attack which does not apply here.

5.2 Larger Keys

Instead of considering our simple iterative construction where we add the same key in each round, we may also consider the case where we have a key which is \(\kappa \)-times bigger than the block size n. In this case, we may consider an instance where we are cyclically adding \(\kappa \) independent keys to our rounds. Our i-th round function then becomes:

$$\begin{aligned} F_i(x) = {(x \oplus k_{i\,\bmod \,\kappa } \oplus c_i)}^3 \end{aligned}$$

It is clear that differential and linear cryptanalysis are not affected by this modification if we model MiMC as a Markov cipher. However, considering a larger key size does affect algebraic attacks. In particular, a simple GCD attack is not sufficient any more to recover the keys \(k_0, k_1,\ldots , k_{\kappa -1}\). Instead, we may consider Resultants or Gröbner bases.

We consider the case where \(\kappa =2\). It is well-known [BKW93] that the maximum degree reached during a Gröbner basis computation of a bivariate system of equations is \(\le 2\cdot \text {maxdeg}(P) + 1\), where \(\text {maxdeg}(P)\) is the maximum degree of our input system (i.e. \(3^r\) in our case). Hence, from e.g. [BFS14], the complexity of solving such a system of equations is

$$\begin{aligned} \mathcal {O}\left( 2\cdot 3^r \cdot \left( {\begin{array}{c}2\cdot 3^r + 3\\ 2 \cdot 3^r + 1\end{array}}\right) \right) . \end{aligned}$$

Applying resultants, from [LMS13] we expect a complexity of

$$\begin{aligned} \tilde{\mathcal {O}}\left( d^{4.69} \right) = \tilde{\mathcal {O}}\left( 3^{4.69\,r} \right) . \end{aligned}$$

Conservatively, we may anticipate a meet-in-the-middle attack which would reduce the cost of either of these attacks to a square root of the above estimates.

5.3 Different Round Functions

Considering the case \(\text {GF}({2^n}) \), we may consider a round function of the form

$$ F(x) = {(x \oplus k \oplus c)}^d $$

for generic exponents d. In particular, we have decided to limit our analysis to exponents of the form \(2^t + 1\) and \(2^t - 1\), for positive integer t (note that 3 is the only number that can be written in both ways). Remember that for MiMC-n/n, d has to satisfy the condition gcd\((d, 2^n-1)=1\) in order to be a permutation, while in the case of MiMC-2n/n (that is, for Feistel Networks) this condition is not necessary.

For further analysis, we recall the Lucas’s Theorem:

Theorem 1

For non-negative integers m and n and a prime p, the following congruence relation holds:

$$ \left( {\begin{array}{c}m\\ n\end{array}}\right) \equiv \prod _{i=0}^k\left( {\begin{array}{c}m_i\\ n_i\end{array}}\right) \pmod p, $$

where \(m=m_k p^k+m_{k-1}p^{k-1}+... +m_1p+m_0\) and \(n=n_k p^k+n_{k-1}p^{k-1}+... +n_1p+n_0\) are the base p expansions of m and n respectively, using the convention that \(\genfrac(){0.0pt}1{m}{n} = 0\) if \(m < n\).

Exponents of the form \(2^t+1\) (with \(t>1\)) have the nice property that the cost to compute \(x^{2^t+1}\) does not depend on t, i.e. it requires only one multiplication (in some applications). Moreover, the degree of the resulting r-round interpolation polynomial is \({(2^t+1)}^r\), which is significantly higher than \(3^r\) even for “small” t. The major problem of this kind of exponents is that the corresponding interpolation polynomials are in general sparse. For example, using Lucas’s Theorem, it is very easy to note that just after one round the polynomial has only 4 terms instead of \(2^t +2\):

$$\begin{aligned}&{(x \oplus k)}^{2^t+1} \equiv _2 {(x \oplus k)}^{2^t} \cdot {(x \oplus k)} \equiv _2 \\ \equiv _2&\, (x^{2^t} \oplus k^{2^t}) \cdot {(x \oplus k)} \, \equiv _2 \, x^{2^t+1} \oplus k \cdot x^{2^t} \oplus k^{2^t} \cdot x \oplus k^{2^t+1}. \end{aligned}$$

Using the same technique, after r rounds, the number of terms of the polynomial is upper bounded by \(3^r + 1\), which is (much) smaller than \((2^t+1)^r + 1\). Note that \(3^r + 1\) is exact the same upper bounded obtained for the exponent 3 (which corresponds to \(t=1\)). Thus, the number of rounds to guarantee the security against the algebraic attacks doesn’t change choosing exponent of the form \(2^t + 1\) for \(t>1\). That is, both from the security point of view and from the implementation one, there is no advantage to choose exponents of the form \(2^t+1\) greater than 3.

Similar considerations can be done also for exponents of the form \(2^t+2^s =2^s \cdot (2^{t-s} + 1)\), where \(s<t\).

For this reason, coefficients of the form \(2^t-1\) are more interesting. Indeed, in this case it is very easy to prove that the interpolation polynomial is not sparse:

$$ {(x \oplus k)}^{2^t-1} \equiv _2 \bigoplus _{i = 0}^{2^t-1} x^{i}\cdot k^{2^t-1-i}, $$

since

$$ \left( {\begin{array}{c}2^t-1\\ i\end{array}}\right) \equiv _2 1 \qquad \forall i \in \{0, 1, \dots , 2^t-1\}. $$

On the other hand, in order to compute \(x^{2^t-1}\), we need more multiplications and square operations. Thus, a natural question is if it is possible to minimize the total number of multiplications necessary to compute the ciphertext choosing an exponent of the form \(2^t-1\) different from 3.

There are different ways to compute \(g^e\) where \(g\in \mathbb {F}_{2^n}\) and \(e=2^t-1\) for some \(t\ge 2\), the classical algorithm being the square-and-multiply algorithm, cf. [MVO96, Sect. 14.6]. For this algorithm, the number of multiplications requested for this exponent is equal to the number of squares \(t - 1\). In Algorithm 1, we give a slight variation of the original algorithm.

figure a

By simple computation, the number of multiplications for the previous algorithm is \(\lceil t/2 \rceil \), while the number of squares is \(t-1\). Observe that with respect to the original algorithm, it requires precomputation and to store the quantity \(g^2 \cdot g\). Thus, for our purpose, this algorithm is better than the original one (for the case \(e=2^t-1\)). This algorithm can be improvedFootnote 2, but for our purpose it suffices.

Thus, using the previous analysis about the number of rounds, the total number of multiplications m and of squares s for MiMC-n/n (analogous for MiMC-2n/n) is

$$ m = \biggl \lceil \frac{t}{2} \biggl \rceil \cdot \biggl \lceil \frac{n}{\log _2(2^t-1)} \biggl \rceil \qquad s = (t-1)\cdot \biggl \lceil \frac{n}{\log _2(2^t-1)} \biggl \rceil . $$

For example, for \(n=129\), the best result is obtained for \(t=4\) (that is for the exponent 15)Footnote 3, for which the total number of multiplications is 66 (instead of 82 for the exponent 3), while the number of squares is 99 (instead of 82 for the exponent 3).

Note that the sum of the total number of multiplications m and of the total number of squares s is almost constant for each choice of t.

Finally, only for completeness, it is also possible to extend the previous analysis to the case GF(p). In this case, since the square operation is not linear, it counts as a multiplication. Thus, if we consider an exponent of the form \(2^t-1\), the total number of multiplications m for MiMC-p/p is

$$ m = \biggl ( \biggl \lceil \frac{t}{2} \biggl \rceil + t-1 \biggl ) \cdot \frac{\log (p-1)}{\log (2^t-1)}. $$

To conclude, if the cost of a square operation is negligible with respect to the cost of a multiplication (that is, if the square operation is linear), then it is possible to minimize the total number of multiplications choosing an exponent of the form \(2^t-1\) different from 3. Instead, when the number of square operations can not be ignored (as for example in the case of SNARK settings or in the GF(p) case), the choice of an exponent of the form \(2^t-1\) different from 3 does not offer any advantage due to the fact that the number \(m+s\) is almost constant.

6 Application and Implementation

We implemented the MiMC block cipher and hash function in C++ using NTL [Sho]. Note that we put no restriction on the irreducible polynomial to represent the finite field \(\mathbb {F}_{2^n}\) in our proposal.

6.1 Verifiable Computation and SNARK

Recently, several techniques have been proposed to achieve practical or nearly practical verifiable computation through constructions such as Pinocchio [PHGR16] and zk-SNARK. A special kind of Succinct Non-interactive Argument of Knowledge or SNARK was proposed in 2014 to build Zerocash [BCG+14] — a digital currency similar to Bitcoin but achieving anonymity. In [BSCG+13] an implementation of a publicly verifiable non-interactive argument system is given.

The main idea of the SNARK is to provide a circuit whose satisfiability enables a verifier to check correctness of an underlying computation. In this concrete implementation, we focus on the (zk)SNARK for arithmetic circuit satisfiability. The main target of our design proposals is to improve the efficiency of (zk)SNARK when they are used as cryptographic primitives in a SNARK setting.

An \(\mathbb {F}\)-arithmetic circuit takes input from the field \(\mathbb {F}\) and its gates produce output in \(\mathbb {F}\). Also the circuits considered here consist of bilinear gates only. Arithmetic circuit satisfiability (ACS) is defined as follows:

Definition 1

The ACS problem of an \(\mathbb {F}\)-arithmetic circuit \(\mathcal {C}:\mathbb {F}^n \times \mathbb {F}^h \rightarrow \mathbb {F}^l\) is depicted by the relation \(\mathcal {R} = \{(x,a) \in \mathbb {F}^n \times \mathbb {F}^h : \mathcal {C}(x, a) = 0^l\}\) such that its language is \(L = \{x \in \mathbb {F}^n : \exists a \in \mathbb {F}^h \, \mathrm {s.t} \; \mathcal {C}(x, a) = 0^l\}\).

Since the circuit consists of bilinear gates only, we aim to minimize the number of NLM or field multiplications in our design. The addition in the field, which is the same as bitwise XOR, is a comparatively less expensive operation. The SNARK algorithm generates the proof for satisfiability of a system of rank-1 quadratic constraints over a finite field. This system of constraints is defined as below.

Definition 2

A system of rank-1 quadratic equations over a field \(\mathbb {F}\) is a sequence of tuples \(((A_i, B_i, C_i), n)\) for \(i = 1, \ldots , N_c \) and \(A_i, B_i, C_i \in \mathbb {F}^{1+N'}\) such that \(n \le N'\). This system is satisfiable with an input \(x \in \mathbb {F}^n\) if there is a witness \(w \in \mathbb {F}^{N'}\) such that

$$ \langle A_i, w \rangle \cdot \langle B_i , w \rangle = \langle C_i , w \rangle \quad \forall i = 1, \ldots , N_c $$

Here \(N_c\) is the number of constraints and \(N'\) is the number of variables.

The number of such constraints contributes to the efficiency of the SNARK algorithm. From the above definition it is also clear that in a SNARK setting over \(\mathbb {F}_{2^m}\) we can not ignore the squaring as linear operation.

MiMC in the SNARK Setting. In MiMC, each round can be expressed with the following equations

$$\begin{aligned} X + \underbrace{k_i + C_i}_{\alpha } + U&= 0 \end{aligned}$$
(2)
$$\begin{aligned} U \cdot U&= Y \end{aligned}$$
(3)
$$\begin{aligned} Y \cdot U&= Z \end{aligned}$$
(4)

where \(k_i, C_i\) are the round key and constants respectively. Note that the above 3 equations can be combined to form one rank-1 quadratic constraint (as in Definition 2)

$$\begin{aligned} (X + \alpha )(X + \alpha + Y) = Y + Z \end{aligned}$$
(5)

For the MiMCHash the round key is fixed to a constant hence \(\alpha \) can be treated as a constant in this equation. Note that the number of witness per round of MiMC is 2. Therefore the total number of witness for the fixed key permutation is \(2 \cdot R\), where \(R \approx \frac{n}{\log 3}\) is the number of rounds and n is the block size. The witness generation requires one constant addition (XOR) and two multiplications in the corresponding field. The complexity of the prover algorithm of SNARK (Appendix E in [BSCG+13]) is dominated by \(O(N_c\log N_c)\) where \(N_c\) is the number of rank-1 constraints.

LowMC in the SNARK Setting. In LowMC, each round consists of Sbox (3-bit), matrix multiplication (over \(\mathbb {F}_2\)), round key and constant addition (XOR). Each 3-bit Sbox application can be written as

$$\begin{aligned} b \cdot c&= a + z_1 \end{aligned}$$
(6)
$$\begin{aligned} a \cdot (c + 1)&= b + z_2 \end{aligned}$$
(7)
$$\begin{aligned} a \cdot (b + 1)&= b + c + z_3 \end{aligned}$$
(8)

The above three equations can be combined to form 2 rank-1 constraints as following

$$\begin{aligned} b \cdot c&= a + z_1 \end{aligned}$$
(9)
$$\begin{aligned} a \cdot (b + c)&= c + z_2 + z_3 \end{aligned}$$
(10)

The witness generation for each Sbox requires 3 multiplications and 6 additions (out of which 2 are constant additions) over \(\mathbb {F}_2\). In each round there are m Sboxes. Hence per round the witness generation process will require 3 m multiplications and 6 m (2 m of them are constant addition) additions per round. Suppose \(N_b\) is the block size of the permutation. Then there will be approximately \((l-1)\cdot N_b\) additions over \(\mathbb {F}_2\) due to linear layer of LowMC in each round, where l is the average number of non-zero entries in each row of the random matrix of the linear layer. Also there will be \(N_b\) constant additions over \(\mathbb {F}_2\) which is due to round constant and key addition. The total number of rank-1 constraints for R rounds of LowMC will be \(R\cdot 2\,\text {m}\). Note that the number of additions is much higher in comparison with the number of multiplication over \(\mathbb {F}_2\).

Remark 1

For the MiMC permutation, the operations are performed over a larger field e.g. \(\mathbb {F}_{2^{1025}}\). Indeed the cost of a single multiplication is higher in the larger field compared to a multiplication over \(\mathbb {F}_2\). Moreover, the number of additions are significantly more than the number of multiplications (see Table 3). Although in the cost model the cost of addition is much less than the cost of multiplication, very large number of additions over \(\mathbb {F}_2\) brings down the efficiency of LowMC in SNARK setting in comparison to MiMC. On the other hand, in MiMC the number of additions per round is one.

Experimental Results. Following the libsnark [Lab] implementation we have implemented a prototype of SNARK for generating the circuit and witness for MiMC permutation for different block sizes and MiMCHash-256. One important target application of MiMC is SNARK or SNARK like algorithms. We have measured the time taken by MiMCHash for processing a single block and compared it with the time taken by SHA-256 using the libsnark implementation.

For processing a single block i.e. for hashing a single block message our MiMC implementation in the SNARK setting requires \(\approx 7.8\) milliseconds to generate the arithmetic circuit and witness while SHA-256 takes \(\approx 73\) milliseconds.

Since LowMC was designed for MPC/ZK applications we have also implemented it in the SNARK setting. A comparison of LowMC with MiMC is given in Table 3.

Table 3. Comparison of LowMC and MiMC with block size 1025 and the corresponding parameters for LowMC and Keccak permutation with specified parameters. For all implementations we have used the -O3 optimization option of the gcc compiler. For LowMC, the number of rounds and the number of Sboxes per round are denoted as R and m respectively.
Full size table

If we intend to use the LowMC permutation to construct a hash function using Sponge mode then the block size of LowMC should be 1025 bit for achieving the same security level as SHA-256 or MiMCHash-256. We have implemented LowMC with the updated parameter-set v2 from [ARS+16b] with this block size and two possible choices for the parameters (Rm), where R and m are number of rounds and number of Sbox per round respectively. One is minimizing the number of rounds for the given block size and security requirements, the other one is minimizing the number of ANDs/bit. Both are derived from the round formula given in [ARS+16b]. LowMC is a block cipher designed for MPC/FHE applications and the original proposal did not provide any suggestion to construct a secure hash function using the permutation. However if used in the sponge mode then the performance of the resulting hash function can be approximated by the performance of the LowMC permutation in SNARK setting.

We have also compared the performance of the Keccak-[1600, 24] [NIS14] permutation when used for the SHA-3 and SHAKE hash function in our SNARK setting. Note that the truncation after a Keccak permutation can be expressed as equality constraints. In fact the performance for the SHAKE128 or SHA3 are almost same as the Keccak-[1600, 24]. The performance comparison in the Table 3 shows that MiMC is significantly more efficient than LowMC and SHA-3 in SNARK setting.

All field operations are implemented using the NTL together with the gf2x library. All computations were carried out on an Intel Core i7 2.10 GHz processor with 16 GB memory and we took the average over \(\approx 2000\) repetitions. As a design with an unusual imbalance between ANDs and XORs, the comparison with LowMC variants is interesting as it gives an example where the number multiplications alone can no longer be used as a hint for the eventual performance. Where the round-minimized LowMC variant is more than 10 times slower with about 8 times more multiplications, reducing the number of ANDs in the other LowMC variant at the expense of many more rounds does not have the expected effect: The runtime grows again. The reason is the huge amount of XOR computations whose cost is clearly are no longer negligible. This shows the limits of a simplified metric that focuses on AND gates (or multiplication gates) also.

All implementations in C++ can be found on https://github.com/byt3bit/mimc_snark.git.

6.2 Direct Implementation

For the sake of completeness we provide a brief discussion of the complexity for the direct implementation MiMC, but stress that it has limited impact on the performance on our target platforms. Each round of MiMC-n/n performs one multiplication in the field \(\mathbb {F}_{2^{n}}\). For the considered values of n this computation of \(x^3\) becomes computationally expensive, since it is not feasible to use the efficient lookup table method even for \(n = 32, 64\).

The evaluation of \(x^3\) can be reduced to field multiplication. Since the problem is frequently encountered in many public-key cryptographic algorithms and protocols, efficient field multiplication is a well studied area in the literature. One strategy for efficient field multiplication is to use lookup tables. Indeed, several algorithms [GP97, DWBV+96, HMV93] are proposed in the literature which use precomputed lookup tables to improve the efficiency of finite field multiplication. We briefly describe the complexity for evaluating the monomial using several algorithms from the literature (Table 4).

Table 4. Complexities of different algorithms for implementing field multiplications
Full size table

In all lookup-table based multiplication algorithms above, b is the size of the internal data path of the processor. Any element in \(\mathbb {F}_{2^{n}}\) is partitioned as a collection into g groups each having b bits. If n is not a multiple of b then the most significant group will contain \(n \pmod {b}\) bits. Note that the algorithm in [HMV93] requires n to be multiple of b. Furthermore, d denotes the degree of the second highest monomial (with non-zero coefficient) in the irreducible polynomial that defines the field \(\mathbb {F}_{2^{n}}\) and w denotes the word size of processor. The resources of a processor are optimally utilized when \(b = w\). For example in a 32 bit processor two polynomials can be added using \(\lceil \frac{n}{32}\rceil \) XOR instructions. However choosing \(b=w\) in this case increases the size of the lookup table to \(2^5\) GB for the algorithms from [HMV93, GP97]. On the other hand choosing \(b < w\) may imply lower utilization of processor’s resources. The algorithm described in [Has00] proposes a better utilization of resources when a small value of b is chosen to keep the size of the lookup table sufficiently small. Also, this algorithm does not require n to be multiple of b.

6.3 Generic Masking Against Side-Channel Attack

Side-channel attacks exploit different types of physical leakage of information e.g. power consumption or EM emanations during the execution of cryptographic algorithms on a device for recovering sensitive variables (e.g. secret key). Masking is a well known technique to prevent implementations of cryptographic algorithms from such attacks. Most of the masking schemes usually protect an implementation against first-order attacks. Over the past years several higher-order side-channel attacks were proposed and demonstrated successfully against many well-known cryptographic algorithms. Higher order masking schemes are useful to protect a cryptographic algorithm against such attacks.

In a higher order masking scheme a sensitive variable (e.g. variables involving secret keys) is split into \(t+1\) shares where t is known as the order of masking. It has been shown that the complexity of side-channel attacks increases exponentially with the masking order.

In FSE 2012 a generic higher order masking scheme [CGP+12] was proposed by Carlet, Goubin, Prouff, Quisquater and Rivain. For masking an S-box using CGPQR scheme we need to consider the polynomial corresponding to the S-box, which can be easily computed from the S-box table using Lagrange’s theorem in a field \(\mathbb {F}_{2^{n}}\). In CGPQR masking scheme evaluation of this polynomial is protected against higher order attacks. For example, let x be a secret variable for which we evaluate a function f(x). Let \(x_0, x_1, \ldots , x_t\) are the \(t+1\) shares corresponding to this variable such that \(x = \bigoplus _{i=0}^t x_i\). Any linear function \(\ell (x)\) is easy to mask since \(\ell (x) = \ell (x_0) \oplus \ldots \oplus \ell (x_t)\). However masking a non-linear function is not as easy as linear or affine functions.

The operations necessary for evaluating a polynomial in \(\mathbb {F}_{2^{n}}\) are addition, multiplication by a scalar, squaring and regular multiplication. For tth order masking any affine and linear operation in \(\mathbb {F}_{2^{n}}\) requires \(\mathcal {O}{(t)}\) logical operations, whereas regular multiplication requires \(\mathcal {O}{(t^2)}\) logical operations. Hence regular multiplication is significant operation in CGPQR masking scheme and its efficiency can be increased by minimizing the number of regular multiplications in a field for a cryptographic algorithm.

MiMC is constructed using a monomial \(x^3\) in \(\mathbb {F}_{2^{n}}\). Evaluation of this monomial in each round requires only one multiplication and hence is optimized for CGPQR higher order masking scheme.

7 Conclusions

We have reconsidered a 20-year old cipher design idea, given a thorough security analysis, and demonstrated that it can be very competitive in emerging new applications of symmetric cryptography: SNARKs. It might seem that the usefulness of the design is limited to this setting, as the number of rounds is high compared to other more “traditional” designs for symmetric primitives. However there is evidence that the opposite is true, which was recently discovered in a follow-up work [GRR+16]. Due to its very simple design and despite the high number of rounds, it also turned out to be very competitive in a very different application setting: The currently fastest known MPC protocols with security against active adversaries. This clearly shows that there is a good use-case for designs which work natively in GF(p), and we hope that MiMC can inspire more design and cryptanalysis in this direction.