In [1]:
from CompactFIPS202 import SHAKE256
from sage.functions.log import logb
import random

# prime=2**64-59=18446744073709551557
# output-length l=1; c=1
# alpha=3,m=3, security_level=32

#definition of the Grendel_permutation

def legendre_symbol(value,p):
    return value^((p-1)/2)

def get_mds_matrix(p,m):
    #get a primitive element
    Fp=FiniteField(p)
    g=Fp(2)
    while g.multiplicative_order()!=p-1:
        g=g+1
    V=matrix([[g^(i*j) for j in range(0,2*m)] for i in range(0,m)])
    V_ech=V.echelon_form()
    MDS=V_ech[:,m:].transpose()
    return MDS
    
def get_round_constants(p,m,security_level,N):
    bytes_per_int=1+ceil(logb(p,2)/8)
    num_bytes=m*N*bytes_per_int
    seed_string="grendel-%i-%i-%i"%(p,m,security_level)
    byte_string=SHAKE256(bytes(seed_string, "ascii"), num_bytes)
    round_constants=[]
    Fp=FiniteField(p)
    for i in range(m*N):
        acc=0
        for j in range(bytes_per_int):
            acc=256*acc+ZZ(byte_string[i*bytes_per_int+j])
        round_constants.append(Fp(acc %p))
    return round_constants

def Grendel_permutation(alpha,m,N,state,linear_layer,round_constants):
    new_state=state
    for i in range(0,N):
        for j in range(0,m):
            new_state[j]=(new_state[j])^alpha*(legendre_symbol(new_state[j]))
        new_state=linear_layer*vector(new_state)
        for j in range(0,m):
            new_state[j]=new_state[j]+round_constants[i*m+j]
    return new_state


# definition of extract_guesses
def extract_guesses(permutation_guess,number_single_guesses):
    single_guesses=[]
    for i in range(0,number_single_guesses):
        guess_intermediate=(permutation_guess>>i)&0b1
        guess_converted=(guess_intermediate*1)+((guess_intermediate-1)*1)
        single_guesses.append(guess_converted)
    return single_guesses

#Finding a preimage for a sponge hash function instantiated with N-round Grendel over F_p^m
p=18446744073709551557
Fp=GF(p)
security_level=32
alpha=3
m=3
N=6

M=get_mds_matrix(p,m)
M_inv=M.inverse()

round_constants=get_round_constants(p,m,security_level,N)


print("p,alpha,m,N",p,alpha,m,N)

p,alpha,m,N 18446744073709551557 3 3 6


In [2]:
#build the equation for each guess
L=m*(N-2)
guess_limit=2^L

a=M_inv[2][0]
b=M_inv[2][1]
c=M_inv[2][2]
c_1=c^(-1)

d=round_constants[0]
e=round_constants[1]
f=round_constants[2]


A1=b
A2=-a
g=legendre_symbol((a*d+b*e+c*f)*c_1,p)

s_1=legendre_symbol(A1,p)
s_2=legendre_symbol(A2,p)

R.<x>=PolynomialRing(Fp)

load("ntl_power_mod.spyx")
print("load: ntl_power_mod.spyx")

Compiling ./ntl_power_mod.spyx...


load: ntl_power_mod.spyx


In [3]:
num_success=0
for k in range(10000):
    a=random.randint(0,p-1)
    h=Fp(a)
    sum_verify=0
    success=[ ]
    for permutation_guess in range(0,guess_limit):
        state=[s_1*x,s_2*x,g]
        single_guesses=extract_guesses(permutation_guess,L)
        new_state=M*vector(state)
        for j in range(m):
            new_state[j]=new_state[j]+round_constants[m+j]
        for i in range(2,N):
            for j in range(m):
                new_state[j]=((new_state[j])^alpha)*single_guesses[(i-2)*m+j]
            new_state=M*vector(new_state)
            for j in range(m):
                new_state[j]=new_state[j]+round_constants[i*m+j]
        equation=new_state[0]-h
        Q=ntl_power_mod(x,Fp.order(),equation)
        R=equation.gcd(Q-x)
        for r in R.roots(multiplicities=False):
            flag=True
            state=[s_1*r,s_2*r,g]
            new_state=M*vector(state)
            for j in range(m):
                new_state[j]=new_state[j]+round_constants[m+j]
            for i in range(2,N):
                for j in range(m):
                    le=legendre_symbol(new_state[j],p)
                    sum_verify=sum_verify+1
                    if le!= single_guesses[(i-2)*m+j]:
                        flag=False
                        break
                    new_state[j]=((new_state[j])^alpha)*le   
                if flag==True:
                    new_state=M*vector(new_state)
                    for j in range(m):
                        new_state[j]=new_state[j]+round_constants[i*m+j]
                else:
                    break
            if flag==True:
                success.append(state)
    log_sum_verify=logb(sum_verify,2)
    print('out:',h)
    print('log_sum_verify:%f,L+1:%i' % (log_sum_verify,L+1))
    print(success)
    if len(success)>0:
        num_success=num_success+1
print(num_success)

out: 1986655580481054946
log_sum_verify:13.045930,L+1:13
[]
out: 1474998238083709239
log_sum_verify:13.025659,L+1:13
[]
out: 10149267486636889234
log_sum_verify:12.988152,L+1:13
[]
out: 14139440504144971436
log_sum_verify:13.054435,L+1:13
[]
out: 2989137239429619885
log_sum_verify:13.012101,L+1:13
[]
out: 13814783350306154231
log_sum_verify:13.036517,L+1:13
[[6199027495979495838, 12247716577730055719, 1]]
out: 15613825026244514385
log_sum_verify:13.020980,L+1:13
[[2339706696890560940, 16107037376818990617, 1], [15954624029082022569, 2492120044627528988, 1], [1719823792722386655, 16726920280987164902, 1]]
out: 1572789385117640421
log_sum_verify:13.009654,L+1:13
[[11490804484871477424, 6955939588838074133, 1], [8482979901806783878, 9963764171902767679, 1]]
out: 8306609089215818662
log_sum_verify:12.996120,L+1:13
[[15652737681532556822, 2794006392176994735, 1], [9817113481849752121, 8629630591859799436, 1]]
out: 6551215713463118154
log_sum_verify:12.998767,L+1:13
[]
out: 14638601503496801

out: 6530840394698360361
log_sum_verify:12.956558,L+1:13
[]
out: 6318982914976097819
log_sum_verify:12.980675,L+1:13
[]
out: 7271963576994957469
log_sum_verify:12.969207,L+1:13
[]
out: 5520675102149743555
log_sum_verify:12.981210,L+1:13
[[7229696463221817454, 11217047610487734103, 1], [5938222703182791397, 12508521370526760160, 1]]
out: 11535522868888263883
log_sum_verify:12.968307,L+1:13
[]
out: 11806004937120838804
log_sum_verify:13.019938,L+1:13
[]
out: 14514663753527349986
log_sum_verify:13.009479,L+1:13
[[14138643168599299845, 4308100905110251712, 1]]
out: 889916425477135949
log_sum_verify:12.965965,L+1:13
[[17583445563637007006, 863298510072544551, 1]]
out: 3176509725918121350
log_sum_verify:13.026696,L+1:13
[[17314178371364607100, 1132565702344944457, 1], [11415229204753198606, 7031514868956352951, 1], [12024790834975200807, 6421953238734350750, 1]]
out: 12093717104096522922
log_sum_verify:13.011577,L+1:13
[[9306744547010934814, 9139999526698616743, 1]]
out: 7133339777263818503


out: 17882400209606845282
log_sum_verify:12.978532,L+1:13
[[16428435167813323796, 2018308905896227761, 1]]
out: 18306263897103829605
log_sum_verify:13.015067,L+1:13
[[16816214494952507993, 1630529578757043564, 1]]
out: 12016893881805191236
log_sum_verify:12.977280,L+1:13
[[3158875073854722537, 15287868999854829020, 1], [619733430286821023, 17827010643422730534, 1]]
out: 6809921722885413583
log_sum_verify:13.034971,L+1:13
[]
out: 6854463276035165925
log_sum_verify:12.991345,L+1:13
[]
out: 13454584222559387917
log_sum_verify:13.011577,L+1:13
[[11339392647057120404, 7107351426652431153, 1], [17896005732012681998, 550738341696869559, 1], [12164443197567894775, 6282300876141656782, 1]]
out: 13517551721398781416
log_sum_verify:13.002991,L+1:13
[[2308201103951222444, 16138542969758329113, 1], [18049154237724216610, 397589835985334947, 1], [11245629742834035853, 7201114330875515704, 1]]
out: 6253019712284943268
log_sum_verify:12.991168,L+1:13
[]
out: 8791248837434267300
log_sum_verify:12.98067

out: 2776323620627763569
log_sum_verify:12.976743,L+1:13
[[15902985561759907880, 2543758511949643677, 1]]
out: 14162162190340485966
log_sum_verify:13.010878,L+1:13
[[3664485427733399124, 14782258645976152433, 1]]
out: 14209780564566150258
log_sum_verify:12.977638,L+1:13
[[585308008324582933, 17861436065384968624, 1]]
out: 12465755404523186428
log_sum_verify:13.001936,L+1:13
[[16255842989032534385, 2190901084677017172, 1]]
out: 3107636731442717139
log_sum_verify:12.974773,L+1:13
[]
out: 15471613704991857565
log_sum_verify:13.007027,L+1:13
[]
out: 14598634904063116859
log_sum_verify:12.999119,L+1:13
[]
out: 10361917557625203181
log_sum_verify:12.987619,L+1:13
[[4484841519739867042, 13961902553969684515, 1]]
out: 2618784848371418319
log_sum_verify:13.029977,L+1:13
[[10328853489481456437, 8117890584228095120, 1]]
out: 10911666252488700030
log_sum_verify:13.036174,L+1:13
[]
out: 15371700058778747238
log_sum_verify:12.949097,L+1:13
[[775061513201618775, 17671682560507932782, 1]]
out: 6958780

out: 9999060074787375534
log_sum_verify:12.963077,L+1:13
[[1936893916770416685, 16509850156939134872, 1]]
out: 4869318649838405033
log_sum_verify:13.003869,L+1:13
[]
out: 1081635031369570461
log_sum_verify:12.969926,L+1:13
[[4789252934780039398, 13657491138929512159, 1], [17501688174819931562, 945055898889619995, 1]]
out: 10189814902306152900
log_sum_verify:13.037204,L+1:13
[[18296650719376582963, 150093354332968594, 1]]
out: 14811455583151119987
log_sum_verify:13.000000,L+1:13
[[5510971482545694349, 12935772591163857208, 1], [5303111702874955642, 13143632370834595915, 1]]
out: 1488676946426715096
log_sum_verify:12.963077,L+1:13
[[5194271056963395855, 13252473016746155702, 1]]
out: 9881435039713107358
log_sum_verify:12.996827,L+1:13
[[2797047235597327772, 15649696838112223785, 1], [15822971695883461952, 2623772377826089605, 1], [4107735316638050621, 14339008757071500936, 1]]
out: 8756591529177105779
log_sum_verify:12.960002,L+1:13
[[14181953863670974827, 4264790210038576730, 1]]
out: 1

out: 17826860194452946119
log_sum_verify:12.986198,L+1:13
[[1055536927234287141, 17391207146475264416, 1]]
out: 9790118721576170359
log_sum_verify:12.984596,L+1:13
[]
out: 14794263151018872965
log_sum_verify:13.027215,L+1:13
[]
out: 3569676726383212134
log_sum_verify:13.011577,L+1:13
[[16926995231828407226, 1519748841881144331, 1]]
out: 3014129152140633325
log_sum_verify:13.016634,L+1:13
[[17976666185588964011, 470077888120587546, 1]]
out: 3817770352363603815
log_sum_verify:13.037719,L+1:13
[]
out: 4220427139491688733
log_sum_verify:12.996297,L+1:13
[]
out: 18247269475234426006
log_sum_verify:13.021153,L+1:13
[[16852997708695483103, 1593746365014068454, 1], [202029520738746019, 18244714552970805538, 1], [16533135457495667537, 1913608616213884020, 1]]
out: 5531232450460260833
log_sum_verify:12.969926,L+1:13
[[18295879956608334419, 150864117101217138, 1]]
out: 9820225750138673677
log_sum_verify:12.990281,L+1:13
[[7918729625175804604, 10528014448533746953, 1]]
out: 13936581458674320301
lo

KeyboardInterrupt: 