Candidates for in-circuit zkSNARK hash functions #36
The next step of analysis for these polynomial hash functions is to extend my basic tests, where we iterate across all … For each candidate we need to output the probabilities, compared to the field size, of each occurrence.
In retrospect, and after analysis of several of these, I think it's a bad idea for me to be creating new crypto, and I should limit myself to using other people's primitives in a way which relies on their known properties. For example, knowing the encryption key for the LongsightF cipher you can create any collision, but it's still target collision resistant: when the input must satisfy some other hard problem aside from just finding any collision, you end up with the hardness of the birthday problem where it must match your birthday. Say, for example, if the leaf is …

My only problem with LongsightF is that you can truncate all N levels of the Merkle tree authentication path in linear time, which is why we should use a different hash or cipher for the Merkle tree. Secondly, the MiMC function has a low polynomial degree, which makes it a candidate for higher-order differential analysis.

Either way, we have a candidate for a keyed one-way permutation function with round constants:

```python
def DoublevisionH_e(m, k, p, C, e=5):
    # m is the message, k the key, C the per-round constants,
    # e an exponent chosen so that x^e is a permutation of GF(p).
    Ck = (m + k) % p
    for C_i in C:
        m = pow((m + C_i) % p, e, p)
        k = pow((k + Ck) % p, e, p)
        Ck = (m + k) % p
    return Ck
```

For every … Is there a relation between …? I don't know what to call this property, but let's call it leftness and rightness: if an element is Left you add the round constant to it; if the element is Right you add the … When looking at the higher-order algebraic complexity of the … The circuit diagram for …
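As a sanity check, the round function can be exercised on a toy prime where `x^5` is a permutation (`gcd(5, p - 1) = 1`); the prime and round constants below are illustrative placeholders, not proposed parameters.

```python
# Toy-parameter demo of the DoublevisionH_e round function described above.
# p = 103 is chosen so that gcd(5, p - 1) = 1, making x^5 a permutation of
# GF(p); the round constants are arbitrary illustrative values.
def DoublevisionH_e(m, k, p, C, e=5):
    Ck = (m + k) % p
    for C_i in C:
        m = pow((m + C_i) % p, e, p)
        k = pow((k + Ck) % p, e, p)
        Ck = (m + k) % p
    return Ck

p = 103
C = [17, 42, 9]
h = DoublevisionH_e(3, 7, p, C)   # keyed digest of message m=3 under key k=7
```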
So, to recap, the … To use it as part of a compression function we can use it in a Davies-Meyer, Matyas-Meyer-Oseas or Miyaguchi-Preneel construction, respectively. Note that, when providing the key …
Which factors to:
So, the degree of the factored monomials for each round, assuming a known …

This shows that while the polynomial can be reduced, the degree can only be reduced by 20%, after which it is irreducible. A possible rule could be … Note that, because the reduced polynomial, for one round, is in the form of:

This resembles the polynomial from Shamir's secret-sharing scheme; however, for every subsequent evaluation the values of the sequence … If you look at the polynomial used in Hash127 by DJB:

Where … Further notes on interpolation probabilities:

From DJB's paper on stronger security bounds for WCS authenticators, which relates to the bijection tests for the doublevision function, on the last page under 'Interpolation probabilities, collision probabilities, differential probabilities'. We calculate the collision probability, where for each … We calculate a variant of the interpolation probability which shows that … Thirdly, the differential probability, for any fixed …
I think it's worth digging further into higher-order differential cryptanalysis for …
So, we can possibly say that the one-wayness of the problem for Doublevision relates to the discrete logarithm and quadratic residue problems, essentially factoring the sum of cubes. Interesting references:
The problem is that many of the security assumptions in the papers above rely on using a prime factor to generate a sub-group; furthermore, the exponents are fixed. The security assumption for the number of rounds for MiMC-p/p as a cipher comes from the computational hardness of determining the Lagrange form of a polynomial of a specific degree; at 160 rounds this is about …

For a more specific construction, e.g. the Merkle tree authentication path, can this be weakened? Let's say we use the Miyaguchi–Preneel construction:

```python
def compress_MiyaguchiPreneel(m_0, m_1, C, e, p):
    H_0 = LongsightL(IV, m_0, C, e, p)
    H_1 = LongsightL(H_0, m_1, C, e, p)
    return (H_0 + H_1 + m_0) % p
```

The Lagrange form becomes less of a concern at each step, as the key changes for every … Anyway, if we use a different IV and different round constants at every level, and make sure that the full path is of sufficiently high degree, the only remaining problem is that the LongsightL (and F variant) functions are invertible, in that you can truncate the whole Merkle authentication path with control over both arguments. For this reason the Miyaguchi–Preneel construct above is used, avoiding fixed points etc., so that only one argument can be controlled for each function call. Using this method, and using native field elements for the inputs instead of bits, we can keep the number of constraints for the whole Merkle tree authentication path to, say, under 1500. I will need to run some quick tests to verify that the LongsightL function is bijective etc.
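As a runnable sketch under assumed details: `LongsightL` below is modeled as a simple add-key/add-constant/exponentiate chain, and the `IV` and parameters are placeholders, not the thread's final definitions. For a fixed key, each round composes bijections when `gcd(e, p - 1) = 1`, so the toy version is a permutation of the message input, which is the property the construction relies on.

```python
# Hypothetical LongsightL round structure (illustrative only): add the key
# and a round constant, exponentiate, and finish with a final key addition.
def LongsightL(k, m, C, e, p):
    x = m
    for c in C:
        x = pow((x + k + c) % p, e, p)
    return (x + k) % p

# Miyaguchi-Preneel style compression as described above, with a toy IV.
IV = 1
def compress_MiyaguchiPreneel(m_0, m_1, C, e, p):
    H_0 = LongsightL(IV, m_0, C, e, p)
    H_1 = LongsightL(H_0, m_1, C, e, p)
    return (H_0 + H_1 + m_0) % p

# Toy parameters: gcd(5, 103 - 1) = 1, so x^5 permutes GF(103) and
# LongsightL with a fixed key is a bijection of the message input.
p, e, C = 103, 5, [17, 42, 9]
digests = {LongsightL(7, m, C, e, p) for m in range(p)}
```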
The criteria are:
Candidates from authenticated MACs:
Candidates from universal hashing:
Specifically for the Merkle tree, where all information is public, all that we're concerned about is collision resistance and malleability. Specifically, in this case the hash127 algorithm can be used with a fixed key (`r`) per tree level, where `s = (r^{n+1} + (r^n * m_0) + (r^{n-1} * m_1) + ... + (r * m_{n-1})) mod p`, `m` is split into 32-bit chunks and `m != 0`. The values of `r^n` etc. can be pre-computed.

Concerning malleability: where each message chunk is the size of a field element we can construct an input which resets the intermediate sum into a known state; the smaller the chunk size, the less malleable it becomes, at the cost of greater multiplicative complexity. For example, with field elements as message input we could just find something that, when multiplied by `r`, is the difference between the current sum and our target value to produce a collision, and the more message blocks you have control over, the easier this gets.

However, splitting into individual bits increases the complexity of the circuit, as we need to verify the bitness of every message input to prevent malleability. If the messages are 256 bits each and the Merkle tree is 29 deep, that requires 7424 constraints to verify all input bits. Where we compress two messages into one field element using 32-bit blocks, it requires an additional 16 constraints per level (464 for 29 levels). Then an additional 464 constraints to compute the polynomial for the 29 levels, which puts the total at 8355 constraints.
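To make the per-level polynomial concrete, here is a toy evaluation of `s` with the powers of `r` precomputed; the key and chunk values are illustrative placeholders (real hash127 uses the prime `2^127 - 1` and nonzero 32-bit chunks).

```python
# Toy evaluation of the per-level polynomial described above:
#   s = (r^{n+1} + r^n * m_0 + r^{n-1} * m_1 + ... + r * m_{n-1}) mod p
# with the powers of r precomputed once per tree level.
p = 2**127 - 1            # hash127's Mersenne prime modulus
r = 123456789             # fixed per-level key (illustrative)
chunks = [3, 1, 4, 1]     # message chunks m_0 .. m_{n-1}; each must be nonzero

n = len(chunks)
powers = [pow(r, i, p) for i in range(n + 2)]  # r^0 .. r^{n+1}, precomputed

s = powers[n + 1]
for i, m_i in enumerate(chunks):
    s = (s + powers[n - i] * m_i) % p
```

The same value can be computed with Horner's rule, which is how an in-circuit evaluation would avoid storing the power table.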
There is another approach for LongsightF where, when used as a cipher, it may still be usable as the Merkle path authenticator, where the number of rounds is less significant. In this case we know that for any given result we can walk backwards to find any number of colliding inputs with control over both input parameters; essentially, when used as a Merkle path authenticator, its construction is similar to a sponge construction in duplex mode.

However, the security of the whole authentication path comes down to finding a single colliding input, which is essentially the first item in the Merkle tree path. This means the complexity isn't improved by using the Merkle–Damgård construct: finding appropriate inputs for level 28 is linear after running level 29 in reverse. A good reference for different constructions is: https://www.emsec.rub.de/media/crypto/attachments/files/2011/03/bartkewitz.pdf
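The "walk backwards" observation can be made concrete: since `x -> x^e mod p` is a permutation whenever `gcd(e, p - 1) = 1`, it is undone by exponentiating with `d = e^{-1} mod (p - 1)`, so each round can be reversed at the cost of a single exponentiation. The toy prime and round constant below are illustrative.

```python
# Reversing an x^5 round over a toy prime p = 103, where gcd(5, p - 1) = 1.
p, e = 103, 5
d = pow(e, -1, p - 1)        # inverse exponent: e * d == 1 (mod p - 1); Python 3.8+

C = 17                       # illustrative round constant
m = 42
forward = pow((m + C) % p, e, p)          # one LongsightF-style round
backward = (pow(forward, d, p) - C) % p   # undo it with one exponentiation
```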
The clearest example I can think of which demonstrates this is the collision resistance of `LongsightL` where the key can be chosen: if you can choose the keys for each round it's very malleable. However, if the round keys are derived via squaring of a single input, then you've essentially eliminated the malleability, e.g.:

Even with only 2 values of `m` this intuitively becomes an intractable problem, where for N rounds the message is multiplied by the square of the key. This makes it very similar to the polynomial used by hash127 and Poly1305-AES, with the exception that the message blocks and round constants are derived from two initial values.

The problem we have is the parity of quadratic residues, where both `m` and `k` are squares after the first round; for example, there is a linear route backwards, and we know the round function isn't bijective. Interesting references: …

When used with the curve order of altBN, as used by the field of the zkSNARK circuit, we can ensure that for any fixed `k` and any `0 < m < p` the result will be a bijection, as exponentiating by 5 is also a bijection:

But we can't generalise this for any `k` and any `m`, as there will be overlap while still satisfying the pigeonhole principle. The best thing we can do is to use two bijective sequences, which in turn are also bijective where either `k` or `m` is fixed.

The problem with this, though, is that by controlling either `k` or `m` you can force `y` to be zero, which reduces the complexity to finding an initial `k` that when squared/exponentiated `r` times results in the desired `m`.

Another problem is that `m` and `k` can be switched and the result is the same; when used in a Merkle tree this is bad, as we need to be strictly order-enforcing. Whereas when `x` is squared at each iteration the order is enforced; likewise, if `k` is exponentiated in a bijective fashion, `m` can be squared and the result is still a bijection.

The `y` step can be either additive or multiplicative.

However, after further testing, the problem with either of these is that when `m` is fixed and `k` is variable it isn't a bijection. The function can be modified to satisfy this requirement, but then only the last value of `y` is used, which removes a layer of complexity.

Adding `y` to either `k` or `m` retains the quality of being a bijection where the same argument that's fixed is the one which `y` is added to, e.g. for all `k \in Z_p` and `k=(k+y)^5` where `m` is constant, and vice versa.

In my pigeonhole surjection test, which measures the distribution of pigeons in holes for all `N` and `M` for `H(N,M)`, e.g. `for N in range(0,p): for M in range(0,p): H(N,M)`, the standard deviation for LongsightF hovers at around 2 and the variance at 4, whereas with `DoublevisionH_e` the standard deviation hovers at around 1 and the variance at 1. If I add `y` to both `k` and `m` before exponentiating them, we get a similar standard deviation and variance to LongsightF.

So we have a measurable quality which indicates a bijection: the variance is ~1 and the stddev is ~1, whereas without a bijection the stddev is ~2 and the variance ~4. The bijective flavour is more consistently distributed, which indicates less randomness.
But is a more random distribution a good quality? Is there a relation between the bijective nature when one parameter is constant, versus something which isn't a bijection? My gut feeling is that, with a large enough `|p|`, the additional complexity of having both `m` and `k` be `x=(x+y)^5` computationally binds both parameters to the value from the previous round. It doesn't solve the "first round y is zero" problem, but I think that's unsolvable, in that you can always algebraically negate the first round with control over one parameter - but that doesn't give you control over the other one, which is the crux of the matter.

Which leaves us with one interesting candidate:
Where the exponent `5` is replaced with whatever is a bijection for that specific field. However, it still suffers the problem of the argument order being reversible, due to the commutative nature of the `y` step, and for a Merkle tree it's absolutely necessary to have ordering.

For the ordering property we can use two sequences of round constants for both `m` and `k`, which becomes:

This ensures that, for round 0, when `k` and `m` are equal, `y` will also be equal, but by round 1 the sequences `m` and `k` will have diverged and will be dependent upon their initial values.

Furthermore, by using multiplication in the step for `y`, the degree of the polynomial increases at each round; since `deg(f(x)g(x)) = deg(f(x)) + deg(g(x))` we can show that:

```
y = m * k              deg(y) = 0
m = (m + y + C_?)^5    deg(m) = 5
k = k + y + C_?        deg(k) = 5
y = m * k              deg(y) = deg(m) + deg(k) = 10
m = (m + y + C_?)^5    deg(m) = 10   (as the degree of y is 10)
k = k + y + C_?        deg(k) = 10
y = m * k              deg(y) = deg(m) + deg(k) = 20
```
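Under that doubling model (`deg(y) = 10` after the first full round, doubling every round thereafter), the round counts quoted below can be checked directly; this only verifies the arithmetic of the model, not whether the model itself is correct, which is exactly the open question.

```python
# Degree growth under the doubling model described above:
# deg(y) starts at 10 after round 1 and doubles every subsequent round.
def rounds_to_exceed(target, start=10):
    deg, rounds = start, 1
    while deg <= target:
        deg *= 2
        rounds += 1
    return rounds
```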
As such, the degree doubles at every round, such that after 127 rounds the degree exceeds 2^128, after 30 rounds the degree exceeds 2^31, etc. However, does that mean a collision could be found with `2^r` probability using higher-order differential cryptanalysis? And furthermore, is my statement about the degree of the polynomial correct, or is it limited to 5, as that's the outside exponent of the `k` and `m` equations?

An alternative which pushes the degree further up into the statement is:

Which makes it:

```
y = (m * k)
m = (m + C_?)^5 + (m * k)
k = (k + C_?)^5 + (m * k)

y = ((m+C_?)^5 * (k+C_?)^5)    deg(y) = 10
m = (m + C_?)^5 + y            deg(m) == 10 ?
```

In that case, if you were to multiply by `y` in the `m` and `k` stages, surely that would increase the rate of degree growth at every iteration, at the cost of multiplicative complexity, for example:

Where:
However, we've diverged far from my original proof of the bijective property, and gotten into very speculative musings about the degree of polynomials and its relation to security under higher-order differential analysis.
The following paper by Xuejia Lai investigates the security of multivariate hash functions: [1] https://eprint.iacr.org/2008/350.pdf - which references MQ-HASH: [2] 'On Building Hash Functions From Multivariate Quadratic Equations' - Billet, Robshaw & Peyrin - https://pdfs.semanticscholar.org/a258/904c3e021df8c2de621b7dfa4dc504c8f3b2.pdf - which is further supplemented by 'Interpreting Hash Function Security Proofs': [3] https://infoscience.epfl.ch/record/172008/files/Juraj-Provsec2010.pdf
In [1] Lai states the degree of MQ-HASH is four... where it's necessary to compute the `d`th derivative for `2^d` inputs, where `d` is the degree of the multivariate function; if the derivative is a constant, we can distinguish the function from one sampled from a uniform distribution. Although it's sometimes difficult to translate from mathlish, it implies that a higher-order differential attack requires computation equal to `2^d`, where `d` is the degree of the polynomial.

The reason I wanted to rely strongly on the property of a bijection for either `k` or `m` is to reduce the sparseness of the polynomial surjection for both `k` and `m`. In § 4.1 of [1] Lai describes the probability of trivial collisions; however, this is represented over `GF(2)` rather than `GF(p)`... *brain slowly melts* ... I think a better way of analysing this would be via calculus and its relation to quadratic residues over a field.
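The distinguisher idea can be illustrated over a prime field: the `d`th finite difference ("derivative") of a degree-`d` polynomial is a constant, while a random function's differences keep varying. The degree-3 polynomial below is an illustrative example, not taken from [1].

```python
# The d-th finite difference of a degree-d polynomial is constant, which is
# the property a higher-order differential distinguisher exploits.
p = 103

def f(x):
    # Toy degree-3 polynomial over GF(p).
    return (4 * x**3 + 2 * x + 7) % p

def diff(g):
    # Forward difference operator: (Dg)(x) = g(x + 1) - g(x) mod p.
    return lambda x: (g(x + 1) - g(x)) % p

d3 = diff(diff(diff(f)))          # third difference of a cubic
vals = {d3(x) for x in range(20)} # constant: 4 * 3! = 24 for every x
```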
Either way, we can break this down into the statement:
Compared to the MiMC round function:
Where the MiMC function uses two variables, denoted by `x[i-1]` and `x[i-2]`, our round function, when truncated to a single variable, doubles the polynomial degree. When expanded to account for two variables it becomes:

So, to summarise, we now have a compression function which:

- is a bijection for either `k` or `m` where the other element is a constant

I think this is good enough to be used as a compression function to form a Merkle tree.