Abstract
Advanced cryptographic protocols such as Zero-knowledge (ZK) proofs of knowledge, widely used in cryptocurrency applications such as Zcash, Monero, Filecoin, Tezos, Topos, demand new cryptographic hash functions that are efficient not only over the binary field \(\mathbb {F}_2\), but also over large fields of prime characteristic \(\mathbb {F}_p\). This need has been acknowledged by the wider community and new so-called Arithmetization-Oriented (AO) hash functions have been proposed, e.g. MiMC-Hash, Rescue–Prime, Poseidon, Reinforced Concrete and Griffin to name a few.
In this paper we propose Anemoi: a new family of ZK-friendly permutations that can be used to construct efficient hash functions and compression functions. The main features of these algorithms are that 1) they are designed to be efficient within multiple proof systems (e.g. Groth16, Plonk, etc.), 2) they contain dedicated functions optimised for specific applications (namely Merkle tree hashing and general purpose hashing), 3) they have highly competitive performance, e.g. about a factor of 2 improvement over Poseidon and Rescue–Prime in terms of R1CS constraints, a 21%–35% Plonk constraint reduction over a highly optimized Poseidon implementation, as well as competitive native performance, running between two and three times faster than Rescue–Prime, depending on the field size.
On the theoretical side, Anemoi pushes further the frontier in understanding the design principles that are truly entailed by arithmetization-orientation. In particular, we identify and exploit a previously unknown relationship between CCZ-equivalence and arithmetization-orientation. In addition, we propose two new standalone components that can be easily reused in new designs. One is a new S-box called Flystel, based on the well-studied butterfly structure, and the second is \(\textsf{Jive}\), a new mode of operation inspired by the “Latin dance” symmetric algorithms (Salsa, ChaCha and derivatives). Our design is a conservative one: it uses a very classical Substitution-Permutation Network structure, and our detailed analysis of algebraic attacks may be of independent interest.
Notes
1. “Factory” is here used in the sense of the programming design pattern, i.e. it is an object returning functions.
2. Starting from a given function F, applying any affine permutation of \(\mathbb {F}_{q}^{2}\) to its graph is unlikely to yield the graph of another function G. Indeed, this would require that the left hand side of \(\mathcal {L}(x, F(x))\) takes all the values in \(\mathbb {F}_{q}\) as x goes through \(\mathbb {F}_{q}\), which is a priori not the case. A mapping \(\mathcal {L}\) that does yield the graph of another function is called “admissible”, a concept that was extensively studied in [18].
3. The result of Li et al. covers all generalized butterflies, not just those corresponding to Flystel structures. In a Flystel, the first parameter (which we will denote a) is set to 1. Their results for the differential uniformity and the linearity hold only when \(\beta \ne (1+a)^\alpha \), meaning that we simply need to make sure that \(\beta \ne 0\). For the algebraic degree, the condition they give in their Theorem 5 to have a degree equal to \(n+1\) degenerates into \(\beta ^{2^{i+1}} = \beta ^{2^{i}+1}\), which is never the case as \(i > 0\).
4. The field order must have a bitlength of at least 10 bits. The aim of this restriction is to ensure that e.g. MDS matrices can be found, as those might not exist for small field sizes.
5. Recall that the branching number of a linear permutation L is the minimum over \(x \ne 0\) of \(\textrm{hw}(x) + \textrm{hw}\left( L(x) \right) \), where \(\textrm{hw}(x)\) denotes the Hamming weight of x.
6. We would expect the value of \(\kappa _{\alpha }\) to keep increasing with \(\alpha \), but the computations needed to estimate it become too costly as \(\alpha \) increases.
7. For readability, the selector values have been omitted.
8. We refer here to original instantiations, as opposed to the common practice in industry of tweaking parameters (typically the MDS matrix layer). All instantiations here are the original, paper versions, for a fair comparison.
9. Liu et al. originally utilized an earlier version of this work specifying 12 rounds in this setting.
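As an added illustration of notes 4 and 5 (not code from the paper or its authors), the following exhaustively computes the branching number of a linear permutation over \(\mathbb {F}_{p}^{t}\) and checks whether the matrix is MDS (branching number \(t+1\)). The matrices are constructed for this example; the same integer matrix is MDS over one small prime field and not over another, which is the kind of small-field failure note 4 guards against.

```python
from itertools import product


def hw(v):
    """Hamming weight over F_p: the number of non-zero coordinates."""
    return sum(1 for c in v if c != 0)


def apply_matrix(M, x, p):
    """Compute M * x over F_p for a t x t matrix M given as a list of rows."""
    t = len(M)
    return tuple(sum(M[i][j] * x[j] for j in range(t)) % p for i in range(t))


def is_linear_permutation(M, p):
    """The branching number is defined for permutations, so check that
    x -> M*x is injective on F_p^t (feasible only for small p and t)."""
    t = len(M)
    images = {apply_matrix(M, x, p) for x in product(range(p), repeat=t)}
    return len(images) == p ** t


def branching_number(M, p):
    """min over x != 0 of hw(x) + hw(M*x), by exhaustive search over F_p^t."""
    if not is_linear_permutation(M, p):
        raise ValueError("matrix is not invertible over F_%d" % p)
    t = len(M)
    return min(
        hw(x) + hw(apply_matrix(M, x, p))
        for x in product(range(p), repeat=t)
        if any(x)
    )


def is_mds(M, p):
    """A t x t matrix is MDS exactly when its branching number is t + 1."""
    return branching_number(M, p) == len(M) + 1


# Constructed example matrices (not taken from the paper).
M2 = [[1, 1], [1, 2]]                      # MDS over F_3, but not over F_2
M3 = [[2, 1, 1], [1, 2, 1], [1, 1, 2]]     # circulant; MDS over F_5, not over F_3

if __name__ == "__main__":
    for M, p in ((M2, 2), (M2, 3), (M3, 3), (M3, 5)):
        print("p=%d t=%d branching=%d mds=%s"
              % (p, len(M), branching_number(M, p), is_mds(M, p)))
```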
References
Polygon Miden. Repository, September 2022. https://github.com/maticnetwork/miden
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symm. Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45
Ambrona, M., Schmitt, A.L., Toledo, R.R., Willems, D.: New optimization techniques for PlonK’s arithmetization. Cryptology ePrint Archive, Paper 2022/462 (2022). https://eprint.iacr.org/2022/462
Beierle, C., et al.: Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symm. Cryptol. 2020(S1), 208–261 (2020). https://doi.org/10.13154/tosc.v2020.iS1.208-261
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014. https://doi.org/10.1109/SP.2014.36
Ben-Sasson, E., Goldberg, L., Levit, D.: STARK friendly hash: survey and recommendation. Cryptology ePrint Archive, Report 2020/948 (2020). https://eprint.iacr.org/2020/948
Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_8
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, vol. 9. Citeseer (2007)
Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_37
Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Salen, R., Velichkov, V., Willems, D.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi permutations and Jive compression mode. Cryptology ePrint Archive, Paper 2022/840 (2022). https://eprint.iacr.org/2022/840
Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Velichkov, V.: Anemoi: exploiting the link between arithmetization-orientation and CCZ-equivalence. Cryptology ePrint Archive, Report 2022/840 (2022). https://eprint.iacr.org/2022/840
Budaghyan, L., Carlet, C., Pott, A.: New classes of almost bent and almost perfect nonlinear polynomials. IEEE Trans. Inf. Theor. 52(3), 1141–1152 (2006)
Canteaut, A., Duval, S., Perrin, L.: A generalisation of Dillon’s APN permutation with the best known differential and nonlinear properties for all fields of size \(2^{4k+2}\). IEEE Trans. Inf. Theor. 63(11), 7575–7591 (2017). https://doi.org/10.1109/TIT.2017.2676807
Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symm. Cryptol. 2020(S1), 160–207 (2020). https://doi.org/10.13154/tosc.v2020.iS1.160-207
Canteaut, A., Perrin, L.: On CCZ-equivalence, extended-affine equivalence, and function twisting. Finite Fields Appl. 56, 209–246 (2019). https://doi.org/10.1016/j.ffa.2018.11.008
Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Crypt. 15(2), 125–156 (1998)
Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_1
Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symm. Cryptol. 2018(2), 48–78 (2018). https://doi.org/10.13154/tosc.v2018.i2.48-78
Dworkin, M.: SHA-3 standard: permutation-based hash and extendable-output functions. NIST FIPS 202 (2015). https://doi.org/10.6028/NIST.FIPS.202
Faugère, J., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symbolic Comput. 16(4), 329–344 (1993). https://doi.org/10.1006/jsco.1993.1051
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999). https://doi.org/10.1016/S0022-4049(99)00005-5
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. Association for Computing Machinery, New York (2002). https://doi.org/10.1145/780506.780516
Gabizon, A., Williamson, Z.J.: plookup: a simplified polynomial protocol for lookup tables. Cryptology ePrint Archive, Report 2020/315 (2020). https://eprint.iacr.org/2020/315
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi.org/10.1137/0218012
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new Feistel approach meets fluid-SPN: Griffin for zero-knowledge applications. Cryptology ePrint Archive, Report 2022/403 (2022). https://eprint.iacr.org/2022/403
Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced concrete: a fast hash function for verifiable computation. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 1323–1335. Association for Computing Machinery (2022). https://doi.org/10.1145/3548606.3560686
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 519–535. USENIX Association, August 2021
Grassi, L., Øygarden, M., Schofnegger, M., Walch, R.: From farfalle to megafono via Ciminion: the PRF hydra for MPC applications. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 255–286. Springer, Heidelberg, April 2023. https://doi.org/10.1007/978-3-031-30634-1_9
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Hirose, S.: Sequential hashing with minimum padding. In: NIST Workshop on Lightweight Cryptography 2016. National Institute of Standards and Technology (NIST) (2016)
Li, Y., Tian, S., Yu, Y., Wang, M.: On the generalization of butterfly structure. IACR Trans. Symm. Cryptol. 2018(1), 160–179 (2018). https://doi.org/10.13154/tosc.v2018.i1.160-179
Liu, J., et al.: An efficient verifiable state for zk-EVM and beyond from the Anemoi hash function. Cryptology ePrint Archive, Paper 2022/1487 (2022). https://eprint.iacr.org/2022/1487
Loustaunau, W.: An Introduction to Gröbner Bases. American Mathematical Society (1994). https://books.google.is/books?id=Caoxi78WaIAC
McLoughlin, M.B.: addchain: cryptographic addition chain generation in go. Repository, October 2021. https://github.com/mmcloughlin/addchain. https://doi.org/10.5281/zenodo.5622943
Meckler, I., Rao, V., Ryan, M., Querol, A., Spadavecchia, J., Wong, D.: Mina book, kimchi specification. https://o1-labs.github.io/proof-systems/specs/kimchi.html#poseidon
Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_6
Perrin, L., Udovenko, A., Biryukov, A.: Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 93–122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_4
Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-prime: a standard specification (SoK). Cryptology ePrint Archive, Report 2020/1143 (2020). https://eprint.iacr.org/2020/1143
Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 hash function for recursive STARKs. Cryptology ePrint Archive, Paper 2023/107 (2023). https://eprint.iacr.org/2023/107
Polygon Zero: Plonky2. Repository, September 2022. https://github.com/mir-protocol/plonky2
Acknowledgements
We thank the reviewers of CRYPTO 2023 for providing insightful comments which helped improve the clarity of this paper. In particular, we would like to thank the shepherd for their assistance in finalizing the paper. We are also grateful to Markulf Kohlweiss, Antoine Rondelet and Duncan Tebbs for proofreading an earlier draft of this paper, and for providing insightful comments and suggestions. Additionally, we extend our thanks to Duncan Tebbs for providing an independent estimation of the Flystel circuit cost in terms of R1CS constraints. The work of Léo Perrin is supported by the European Research Council (ERC, grant agreement no. 101041545 “ReSCALE”). We thank Tomer Ashur for pointing out a mistake in Fig. 1 in a previous version of the paper. We also thank Miguel Ambrona and Raphaël Toledo for the idea of the quadratic custom gate and their contribution to the Plonk implementation.
© 2023 International Association for Cryptologic Research
Cite this paper
Bouvier, C. et al. (2023). New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: \(\texttt{Anemoi}\) Permutations and \(\texttt{Jive}\) Compression Mode. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_17
DOI: https://doi.org/10.1007/978-3-031-38548-3_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38547-6
Online ISBN: 978-3-031-38548-3