Algebraic Attacks against Grendel: An Arithmetization-Oriented Primitives with the Legendre Symbol

1. Introduction

Arithmetization-oriented primitives have recently been widely employed in advanced cryptographic protocols, including Fully Homomorphic Encryption (FHE) protocols, Multiparty Computation (MPC) protocols, and Zero-Knowledge (ZK) proofs. These advanced cryptographic protocols employ arithmetic to convert normal calculations into a sequence of finite field operations, such as addition and multiplication over a large finite field ${\mathbb{F}}_p$, where p is a big prime integer, at least greater than or equal to $2^{63}$. In order to characterize these finite field operations, arithmetization-oriented primitives are created. The design criterion for arithmetic primitives is to lessen the multiplication complexity of cryptographic algorithms because the multiplication operation primarily consumes resources in advanced cryptographic protocols. Using the low-degree round function is an easy approach to accomplishing this objective.

There are many such arithmetization-oriented primitives, such as MiMC[1], GMiMC[2], HadesMiMC/Poseidon[3,4], Masta[5], Pasta[6], Ciminion[7], Chaghri[8] and Neptune[9]. These primitives directly use a low-degree round function as power maps $x\mapsto x^d$. More complex ones like Rescue use the low-degree power map $x\mapsto x^3$ and its inverse $x\mapsto x^{1/3}$ as round functions. A new arithmetization-oriented primitive Grendel[10] is designed for zero-knowledge proof systems. Grendel uses the Legendre symbol to enhance their round functions in combination with the SHARK-like construction. Let ${\chi }_p(·):{\mathbb{F}}_p\mapsto \{-1,0,1\}$ is defined as ${\chi }_p\left(x\right):=x^{\frac{p-1}{2}}(modp)$ for the Legendre symbol. The application of the Legendre symbol in cryptography dates back to 1997. Mauduit and Sárközy introduced the Legendre symbol into the generation of pseudo-random bit sequences. Tóth [11] and Gyarmati et al.[12] introduce new measures of pseudorandomness (avalanche effect and cross-correlation) and assert that those values in the Legendre symbol sequence are high. Known as the Legendre symbol PRF, $x\mapsto {\chi }_p^k\left(x\right):={\chi }_p(x+k)$, k is the private key. In [13], Khovratovich developed a birthday-bound attack for the security analysis of the Legendre symbol PRF. This attack was later improved by Beullens et al. in [14] and Kaluderovic et al. in [15]. Key-recovery attacks against the Legendre symbol PRF may be converted into the solution of a certain set of multivariate quadratic equation systems over a prime field, according to more recent research by Seres et al. in [16].

In symmetric cryptographic schemes, to incorporate the Legendre symbol into a round function, it is necessary for the resulting non-linear layer to be invertible. In [17], it was first proposed to construct an invertible function using the Legendre symbol as follows: $x\mapsto x·({\chi }_p\left(x\right)+\alpha )$. This map is invertible when ${\chi }_p({\alpha }^2-1)=1$. By combining the Legendre symbol with the power map, the map $x\mapsto x^d·{\chi }_p\left(x\right)$ is obtained, which is invertible when $gcd(d+(p-1)/2,p-1)=1$. In [18], Grassi et al. further analyzed the generalization of $x\mapsto x·({\chi }_p\left(x\right)+\alpha )$ to $x\mapsto x^d·({\chi }_p\left(x\right)+\alpha )$, building upon the foundations of [10,17]. They proposed new invertible functions that combine the Legendre symbol and analyzed their statistical and algebraic properties.

When operating on large finite fields, arithmetization-oriented ciphers are less susceptible to statistical attacks such as differential [19] and linear [20] attacks. However, they are more vulnerable to algebraic attacks. For example, the cipher Jarvis[21] was found to be vulnerable to Gröbner basis attacks. The high-order differential attack is also an effective method, as demonstrated in [22] for the high-order differential attack on GMiMC, and in [23] where Eichlseder et al. first applied the high-order differential attack on MiMC. Subsequently, Bouvier et al. [24] and Cui et al. [25] analyzed the upper bounds on the algebraic degrees of MiMC, reevaluating its security margin against high-order differentials using different approaches. In [26], Liu et al. proposed an innovative technique called the coefficient grouping technique, which reduces the evaluation of algebraic degrees to a well-structured optimization problem. They applied this technique to launch a high-order differential attack on Chaghri, a fully homomorphic encryption scheme. Exploring further the application of algebraic methods to analyze arithmetization-oriented ciphers remains an interesting avenue for future investigation.

Related works. In the original security analysis of the Grendel proposed by the designers in [10], the utilization of S-boxes based on the Legendre symbol was highlighted as a notable advantage. This choice allowed for achieving a higher algebraic degree within a relatively small number of rounds, providing resilience against high-order differential and interpolation attacks. Consequently, the focus of the analysis shifted towards the Gröbner basis attack, which presented two distinct approaches for constructing equation systems.

• The first approach involves the attacker guessing all the Legendre symbols used in the scheme. Subsequently, they solve the resulting system of equations and verify the correctness of the guessed symbols based on the obtained solution. The complexity of this attack increases by approximately a factor of 2 for each correctly guessed symbol, considering the probability of accurate guessing is around $1/2$.
• On the other hand, the second approach avoids guessing the Legendre symbols and instead relies on the introduction of auxiliary variables to facilitate the establishment of the equation system. For more detailed information, please refer to [10].

Additionally, after guessing all Legendre symbols, the S-boxes in Grendel exhibit a low degree. As a result, it is not necessary to introduce intermediate variables in each round to mitigate the degree of growth. Instead, the attacker can directly solve a higher-degree system of equations. This alternative approach has already been used to attack the full hash function Grendel in [18]. In Section 3.1, we will provide a detailed description of their attack.

Our Contribution. In this paper, we further analyze the hash function Grendel on the basis of [10,18]. By introducing the Constrained Input/Constrained Output(CICO) problem and leveraging its solution to obtain preimages of the hash function Grendel, we can extend the previously proposed technique in [27] and enhance the preimage attack by bypassing two additional rounds of the SPN structure. By introducing the CICO problem, our attack is capable of attacking two additional rounds compared to the attack presented in [18], as shown in Table 1. Furthermore, we leverage the CICO problem to construct a system of multivariate equations for the hash function Grendel. By analyzing the introduction of intermediate variables and the main complexity of Gröbner basis attacks, we have further deepened our understanding of how to construct equation systems and conduct Gröbner basis attacks.

Table 1. For a security level of $s=128$ and a modulus $p=2^{256}$, the number of rounds that can be attacked using the univariate root-finding method in different instances of the hash function Grendel.

Instance $(\mathit{d},\mathit{n})$	Attacked Rounds in [10]	Attacked Rounds in [18]	Our result
(2,3)	28	25	27
(2,4)	21	20	22
(2,8)	11	12	14
(2,12)	7	8	10
(3,3)	22	22	24
(3,4)	16	18	20
(3,8)	8	11	13
(3,12)	6	8	10
(5,3)	16	19	21
(5,4)	12	16	18
(5,8)	6	10	12
(5,12)	4	7	9

Table 1. For a security level of $s=128$ and a modulus $p=2^{256}$, the number of rounds that can be attacked using the univariate root-finding method in different instances of the hash function Grendel.

Instance $(\mathit{d},\mathit{n})$	Attacked Rounds in [10]	Attacked Rounds in [18]	Our result
(2,3)	28	25	27
(2,4)	21	20	22
(2,8)	11	12	14
(2,12)	7	8	10
(3,3)	22	22	24
(3,4)	16	18	20
(3,8)	8	11	13
(3,12)	6	8	10
(5,3)	16	19	21
(5,4)	12	16	18
(5,8)	6	10	12
(5,12)	4	7	9

2. Preliminaries

2.1. Notations

In the following, let p be a prime number, and ${\mathbb{F}}_p$ be a finite field with p elements. Let ${\mathbb{F}}_p^n$ denote a vector space with n elements, and each element in ${\mathbb{F}}_p$. The notation ${\mathbf{0}}^u\in {\mathbb{F}}_p^u$ is defined as having all u components equal to zero.

Let ${\mathbb{F}}_p^n$ be a vector space with standard basis $\{e_0,e_1,\cdots ,e_{n-1}\}$. A vector subspace $V_u$ of ${\mathbb{F}}_p^n$ can be represented as the span of a subset of a standard basis $\{e_0,e_1,\cdots e_{u-1}\}$, where $0<u<n$.

Definition 1 

(The Legendre Symbol). The Legendre symbol ${\chi }_p(·)$ is a function ${\chi }_p:{\mathbb{F}}_p\mapsto \{-1,0,1\}$ defined as

$$\begin{array}{c}\hfill {\chi }_p\left(x\right)=\left\{\begin{array}{cc}1\hfill & \mathit{if}x\mathit{is}\mathrm{a}\mathit{nonzero}\mathit{quadratic}\mathit{residue}\mathit{modulo}p,\hfill \\ -1\hfill & \mathit{if}x\mathit{is}\mathrm{a}\mathit{quadratic}\mathit{non}-\mathit{residue}\mathit{modulo}p,\hfill \\ 0\hfill & x=0.\hfill \end{array}\right.\end{array}$$

2.2. CICO Problem

In the cryptanalysis of traditional symmetric schemes, the goal is to recover the key (or some subkeys) with complexity lower than $2^k$. However, the security of arithmetization-oriented hash functions such as the hash function Grendel is based on the infeasibility of solving the CICO problem.

Definition 2 

(CICO Problem.). Let $F:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ be a permutation, and let $0<u<n$ be an integer. For given $(a_0,\cdots a_{n-u-1}),(b_0,\cdots ,b_{n-u-1})\in {\mathbb{F}}_p^{n-u}$, the CICO problem aims to find $(X_0,\cdots ,X_{u-1}),(Y_0,\cdots ,Y_{u-1})\in {\mathbb{F}}_p^u$ such that

$$\begin{array}{c}\hfill F(X_0,\cdots ,X_{u-1},a_0,\cdots ,a_{n-u-1})=(Y_0,\cdots ,Y_{u-1},b_0,\cdots ,b_{n-u-1}).\end{array}$$

A simpler version of the CICO problem is as follows: let $n=2$ and $u=1$, then the CICO problem is to find $(X,Y)\in {\mathbb{F}}_p^2$ such that $F(X,0)=(Y,0)$. We observe that both the input and output of the permutation belong to the same vector subspace $V_u$. The CICO problem is highly relevant to the security of hash functions. Therefore, if the adversary has the ability to solve the problem with a complexity of less than $p^{n-u}$ permutation calls, it is possible to find a preimage or collision of the hash function under the sponge structure. The CICO problem can usually be modelled as a system of equations and solved algebraically.

2.3. Solve the Systems of Algebraic Equations

Our attack is based on modelling cryptographic primitives as a system of polynomial equations. In this section, we present the methods and complexities of solving some univariate and multivariate equations, which are then used to attack the hash function Grendel.

We assume that the cryptographic primitive is represented as a well-defined system, a system of m polynomial equations consisting of n variables $\mathit{X}=(x_0,\cdots ,x_{n-1})\in {\mathbb{F}}_p^n$,

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{F}_0(x_0,\cdots x_{n-1})=0\hfill \\ F_1(x_0,\cdots x_{n-1})=0\hfill \\ ⋮\hfill \\ F_{m-1}(x_0,\cdots x_{n-1})=0.\hfill \end{array}\right.\end{array}$$

Then our purpose is to get the ordinary solution of the equation; then, we hope to get the round key of the encryption schemes or the preimage of the hash function.

2.3.1. Solve a System of Univariate Equations

A univariate equation has only one variable and an equation of $F\left(x\right)=0$. Solving the given system is equivalent to find the roots of the univariate polynomial $F\in {\mathbb{F}}_p\left[x\right]$ with degree $\mathcal{D}$ of F. Since all operations are performed on the finite field ${\mathbb{F}}_p$, the computational complexity is measured in terms of field operations.

• Compute $G=x^p-x(modF)$.
  The computation of $x^p(modF)$ requires $\mathcal{O}\left(\mathcal{D}·log\left(p\right)·log\left(\mathcal{D}\right)·\log \left(log\left(\mathcal{D}\right)\right)\right)$ field operations with a double-and-add algorithm.
• Compute $H=gcd(F,G)$.
  H has the same roots as F in ${\mathbb{F}}_q$ since $H=gcd(F,x^q-x)$, but its degree is likely much lower. This step [28] requires $\mathcal{O}\left(\mathcal{D}·log{\left(\mathcal{D}\right)}^2\right)$ field operations.
• Factor H.
  In general, the polynomial H has only a few roots in ${\mathbb{F}}_p$. Thus, this step is negligible in complexity.

This root-finding approach using GCD computations is given in [28], and the final complexity of the algorithm is estimated by

$$\begin{array}{c}\hfill \mathcal{O}\left(\mathtt{M}\left(\mathcal{D}\right)log\left(\mathcal{D}\right)log(\mathcal{D}·p)\right),\end{array}$$

(1)

where $\mathtt{M}\left(\mathcal{D}\right):=63.43·\mathcal{D}log\left(\mathcal{D}\right)log(log(\mathcal{D}\left)\right)+\mathcal{O}(\mathcal{D}log(\mathcal{D}\left)\right)$ is the complexity of multiplication of two polynomials of degree at most $\mathcal{D}$ over ${\mathbb{F}}_p$.

2.3.2. Solve a System of Multivariate Equations

The Gröbner basis attack is a method to recover a secret from a system of polynomial equations. The first step is to convert the primitive into a system of multivariate equations. Then, a Gröbner basis is computed for the ideal generated by these polynomials. Finally, the Gröbner basis is utilized to compute the target variables in the given system. This attack method involves the following three phases.

• To launch a Gröbner basis attack, the first step is to construct a set of polynomial equations describing the primitive. After that, a Gröbner basis for the ideal generated by these equations is computed, usually concerning the degrevlex ordering for better efficiency. The algorithm used for the computation of the Gröbner basis could be Buchberger’s algorithm [29], F4 [30] and F5 [31].
• After computing the Gröbner basis for the given system of polynomial equations, the next step is to perform a change of term order to facilitate the computation of the elimination ideals and the elimination of variables. This is typically done by going from the degrevlex term order to the lex one, using an algorithm such as FGLM[32]. It is worth noting that in many applications, including those in cryptography, the systems of algebraic equations result in zero-dimensional ideals, meaning they have only finitely solutions.
• The final step of a Gröbner basis attack is to solve the univariate equation for the last variable using a polynomial factoring algorithm. This allows us to obtain the specific value of the last variable, which can then be substituted into the remaining equations to obtain the full solution of the system. This step can use the algorithm given above to find the univariate equation system. Once the polynomial has been factored, we can easily find its roots, which correspond to the possible values of the last variable. By substituting each root into the remaining equations, we can obtain all possible solutions to the system of equations.

Cost of Gröbner basis Computation. For a system of m polynomial equations and n variables, there is

$$F_0(x_0,...,x_{n-1})=F_1(x_0,...,x_{n-1})=\cdots =F_{m-1}(x_0,...,x_{n-1})=0,$$

where $F_i\in {\mathbb{F}}_p[x_0,...,x_{n-1}]$, $0\le i\le m$. The complexity of computing a Gröbner basis in degrevlex term order [33] is

$$\begin{array}{c}\hfill \mathcal{O}\left({\left(\genfrac{}{}{0pt}{}{n+D_{reg}}{D_{reg}}\right)}^{\omega }\right).\end{array}$$

(2)

In [34], another bound for the complexity of computing the Gröbner basis was provided as

$$\begin{array}{c}\hfill \mathcal{O}\left(n{D}_{reg}·{\left(\genfrac{}{}{0pt}{}{n+D_{reg}-1}{D_{reg}}\right)}^{\omega }\right),\end{array}$$

(3)

where $2\le \omega <2.3727$ is the linear algebra constant representing the complexity of matrix multiplication and $D_{reg}$ is the degree of regularity. By further comparing these two complexities and computing their ratio, we can observe that

$$\begin{array}{c}\hfill \frac{{\left(\genfrac{}{}{0pt}{}{n+D_{reg}}{D_{reg}}\right)}^{\omega }}{n{D}_{reg}·{\left(\genfrac{}{}{0pt}{}{n+D_{reg}-1}{D_{reg}}\right)}^{\omega }}=\frac{(n+D_{reg}^{\omega })}{n^{\omega +1}·D_{reg}}.\end{array}$$

When n is small and $D_{reg}$ is large, the complexity calculation of Formula 3 provides a tighter bound. However, the authors in [18] found that when n is small, the complexity of computing the Gröbner basis is asymptotically smaller than the complexity of the FGLM algorithm. Therefore, for small values of n, the complexity of the Gröbner basis attack depends on the complexity of the FGLM algorithm. On the other hand, the Formula 2 becomes more restrictive when n has a comparatively larger value..

Cost of FGLM algorithm. Using the FGLM[32] algorithm, the complexity of converting the degrevlex order to lex order is:

$$\begin{array}{c}\hfill \mathcal{O}(n·{\mathcal{D}}_{\mathcal{I}}^3),\end{array}$$

where n is the number of variables, ${\mathcal{D}}_{\mathcal{I}}$ is the degree of the zero-dimensional ideal.

If the polynomial system is a regular system, we assume that there are n polynomials with the same degree $d_i=\delta ,i\in [1,n]$ and n variables, then the $D_{reg}$ can be estimated by $1+{\sum }_{i=1}^n{d}_i-1$. If the polynomial system is not a regular system, then its $D_{reg}$ is less than $1+{\sum }_{i=1}^n{d}_i-1$, which is called Macaulay’s bound.

2.4. Description of Hash Function Grendel

The hash function Grendel is composed of the Grendel permutation combined with sponge structure. Let $p\ge 3$ be a prime number and $n\ge 2$ be an integral number. The Grendel permutation $\mathcal{P}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ is obtained by iterating R rounds of the Grendel round function $\mathcal{F}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$. The state size is n. Each round uses a different round constant. Each round function consists of three parts: a nonlinear layer, a linear layer, and adding round constants respectively denoted as $\mathcal{NL}$, $\mathcal{L}$, and $\mathcal{AC}$.

• The Nonlinear Layer: Let $X=(x_0,\cdots ,x_{n-1})\in {\mathbb{F}}_p^n$. $\mathcal{NL}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ consists of independent n identical S-boxes. $\mathcal{NL}\left(X\right)=(S\left(x_0\right),S\left(x_1\right),\cdots ,S\left(x_{n-1}\right))$, where

  $$\begin{array}{c}\hfill S\left(x\right)=x^d·{\chi }_p\left(x\right).\end{array}$$
  ${\chi }_p$ is the Legendre symbol, and $d\ge 2$ is an integer that satisfies $gcd(\frac{2d+p-1}{2},p-1)=1$.
• The Linear Layer: The $\mathcal{L}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ is a $n\times n$ MDS matrix $\mathcal{M}\in {\mathbb{F}}_p^{n\times n}$.
• Adding Round Constants: Round constant $c_j^i\in {\mathbb{F}}_p$, where $0\le i\le R-1,0\le j\le n-1$.

The Grendel round function $\mathcal{F}$ consists of three parts and can be described as $\mathcal{F}(·)=\mathcal{AC}\circ \mathcal{L}\circ \mathcal{NL}(·)$. The Grendel permutation $\mathcal{P}$ is iterated R rounds by the $\mathcal{F}$, which can be expressed as $\mathcal{P}(·)={\underbrace{\mathcal{F}\circ \cdots \circ \mathcal{F}(·)}}_R$. The pseudocode describing the Grendel permutation is shown in Algorithm 1.

Algorithm 1:The Grendel Permutation $\mathcal{P}$

Input:$\mathit{X}=(X_0,X_1,\cdots ,X_{n-1})\in {\mathbb{F}}_p^n$; Output:$\mathit{Y}=(Y_0,Y_1,\cdots ,Y_{n-1})\in {\mathbb{F}}_p^n$. 1: for$r=0$ to $R-1$ do 2:     for $i=0$ to $n-1$ do 3:         $X_i\leftarrow X^d·{\chi }_p\left(X_i\right)$; 4:     end for 5:     $\mathit{X}\leftarrow \mathcal{M}·\mathit{X}$; 6:     for $i=0$ to $n-1$ do 7:         $X_i\leftarrow X_i+c_i^r$; 8:     end for 9: end for 10: $\mathit{Y}\leftarrow \mathit{X}$; 11: return$\mathit{Y}$;

The sponge construction [35,36] is a cryptographic framework that utilizes an internal cryptographic permutation or function. It offers versatility in achieving different objectives, including encryption, authentication and hashing. The construction is based on the concept of a sponge, which consists of an internal permutation that operates on a fixed-sized state. By appropriately configuring the sponge, it can be adapted for various cryptographic applications, providing security and flexibility. In this paper, we slightly modify the original approach to operate on elements of ${\mathbb{F}}_p$ instead of ${\mathbb{F}}_2$. Both the input and the output may be of arbitrary size. The state size is $n=r+c$, where r denotes the rate and c denotes capacity. To process a message m, which consists of elements from the field ${\mathbb{F}}_p$, we utilize the following operations.

• Padding. If the length of the message is already a multiple of r, no padding is necessary. However, if the length is not a multiple of r, we first append a $1\in {\mathbb{F}}_p$ to the message. Then, we pad the message with 0 until its length becomes a multiple of r.
• Absorption. The message is divided into blocks of size r. Each block is added to the first r blocks of the state using the addition operation. Afterwards, the entire state is processed by applying the permutation function $\mathcal{P}$. Repeat the above operation until all the messages are absorbed.
• Squeezing.In each iteration of the squeezing phase, a block of length r is squeezed out. The permutation function $\mathcal{P}$ is applied to the entire state and the squeezed block is extracted. This process is repeated until the squeezing phase is completed.

Security.According to the proof presented in [36], when the inner permutation bears resemblance to a random permutation, the sponge construction is indistinguishable from a random oracle up to approximately $p^{c/2}$ queries. Equivalently, in order to provide s bits of security, we need $p^{c/2}\ge 2^s$.

Figure 1. The above is an example of a Grendel permutation with a state size of 2. The following is an instance of the hash function Grendel with a sponge structure, which is built upon the Grendel permutation.

Figure 1. The above is an example of a Grendel permutation with a state size of 2. The following is an instance of the hash function Grendel with a sponge structure, which is built upon the Grendel permutation.

3. Algebraic Cryptanalysis of Hash Function Grendel

In this section, we simply review the preimage attack proposed by [18] on a sponge hash function instantiated with the Grendel permutation in Section 3.1. Then we introduce the CICO problem, and further analyze the security of the hash function Grendel.

3.1. Preimage Attack on Hash Function Grendel in [18]

Let s denote the security level and p represent the prime that defines the field. The authors in [18] focus on the case where $p\ge 2^s$, allowing for $r\ge 1$, r defines the rate of the sponge hash function. In this scenario, the hash function can output a single element from ${\mathbb{F}}_p$, which aligns with common practice as p is typically chosen to be large.

Given a hash digest $h\in {\mathbb{F}}_p$, the objective is to find a preimage. For cases where $r\ge 2$,18] begin by fixing $r-1$ input elements. Contrary to the analysis in [10], they refrain from introducing intermediate variables. Instead, the work in [18] with fixed Legendre symbol and employ polynomials of degree $d^R$, where R denotes the number of attacked rounds. In essence, the attack on R-round construction involves the following steps:

• Iterating over all possible sets of Legendre symbols. The probability of a Legendre symbol being $\pm 1$ is approximately $\frac{1}{2}$, while the probability of it being 0 is $\frac{1}{p}$. Consequently, the probability that l Legendre symbols are different from zero can be calculated as ${(1-\frac{1}{p})}^l$. For a large number of rounds, if p is approximately $2^{32}$, this probability exceeds $99.99\%$. In their attack, $l=nR-(n-1)=n(R-1)+1$. In the first round, it is possible to compute $n-1$ Legendre symbols deterministically because there is no linear layer before the initial application of the S-boxes.
• Solving the resulting univariate equation to identify a preimage. They focus on the case in which the number of hash output elements is 1. By fixing all Legendre symbols, there are only a single unknown (the input variable) and a single equation of degree at most $d^R$ in the end. The equation system hence consists of only one univariate equation and can be solved by applying a root-finding algorithm to this equation.
• Verifying if the solution obtained is a valid preimage. Furthermore, once the roots are discovered, they proceed to verify the validity of the obtained solution. They do this by comparing the computed Legendre symbols to the fixed ones for the given instance. If any inconsistency is found between the computed symbol using their solution and the fixed symbol, they promptly terminate the verification process, indicating that the trial is invalid. Considering that we only need to compute the first Legendre symbol in each instance with a probability of $50\%$, the first two symbols with a probability of $25\%$, and so on, we can expect to compute an average of 3 Legendre symbols for each trial before encountering an inconsistency.

3.2. Techniques to Skip SPN Rounds

In this section, we introduce a trick proposed by [27], which can help us skip two rounds without additional consumption when analyzing the permutation based on the SPN structure using the CICO problem.

Let permutation $\mathcal{P}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ be s-secure against the CICO problem. We split it into two permutations ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$, i.e., $\mathcal{P}={\mathcal{F}}_1\circ {\mathcal{F}}_0(·)$. $V_u$ is a vector subspace spanned by $\{e_0,\cdots ,e_{u-1}\}$. We use

$$\begin{array}{cc}\hfill & \mathit{X}=(X_0,X_1,\cdots ,X_{u-1},A_0,\cdots ,A_{n-u-1})\in V_u,\hfill \\ \hfill & \mathit{Z}=(Z_0,Z_1,\cdots ,Z_{u-1},C_0,\cdots ,C_{n-u-1})\in V_u\hfill \end{array}$$

to be the input state and output state of $\mathcal{P}$ respectively, where $(A_0,\cdots ,A_{n-u-1})\in {\mathbb{F}}_p^{n-u}$ and $(C_0,\cdots ,C_{n-u-1})\in {\mathbb{F}}_p^{n-u}$ are fixed constants. According to the definition of CICO problem, if we can find $\mathit{X}$ and $\mathit{Z}$ such that $\mathcal{P}\left(\mathit{X}\right)=\mathit{Z}$ with a complexity smaller than $2^s$, then we may conclude that the permutation security margin is insufficient.

We denote $\mathit{Y}=(Y_0,Y_1,\cdots ,Y_{n-1})\in {\mathbb{F}}_p^n$ as the intermediate variable after ${\mathcal{F}}_0$. If we can find $\mathit{Y}$ so that it also belongs to the vector subspace $V_u$, then we can construct a polynomial system with $n-u$ outputs through ${\mathcal{F}}_1$. So we can find its root. Finally, we can get the value of $\mathit{X}$ according to the value of $\mathit{Y}$, which is enough to solve the CICO problem. Then, to solve the CICO problem of permutation $\mathcal{P}$, only the ${\mathcal{F}}_1$ part needs to be dealt with, not the whole permutation $\mathcal{P}$.

In order to describe this technique in more detail, we assume that the permutation $\mathcal{P}$ is the Grendel permutation. We let ${\mathcal{F}}_0$ consist of two nonlinear layers, one linear layer and one round key addition in the Grendel round function. ${\mathcal{F}}_0$ can be expressed as ${\mathcal{F}}_0(·)=\mathcal{NL}\circ \mathcal{AC}\circ \mathcal{L}\circ \mathcal{NL}(·)$, then ${\mathcal{F}}_1$ can be regarded as an $R-2$ round Grendel round function with a linear layer and a round key addition. S is denoted as the S-box, and $S^{-1}$ is the inverse of the S-box.

Figure 2. A detailed description of a specific trick with a state size of 4.

Figure 2. A detailed description of a specific trick with a state size of 4.

We need the S-box to satisfy the following property

$$\begin{array}{c}\hfill S(A·X)=S\left(A\right)·S\left(X\right),\end{array}$$

(4)

where $A,X\in {\mathbb{F}}_p$.

Let the linear layer MDS matrix $\mathcal{M}$ satisfy:

$$\begin{array}{c}\hfill {\mathcal{M}}^{-1}=\left[\begin{array}{ccccc}{m}_{0,0}& m_{0,1}& m_{0,2}& \cdots & m_{0,n-1}\\ m_{1,0}& m_{1,1}& m_{1,2}& \cdots & m_{1,n-1}\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ m_{n-1,0}& m_{n-1,1}& m_{n-1,2}& \cdots & m_{n-1,n-1}\end{array}\right].\end{array}$$

Here $c_j^i$ ($0\le i\le R-1,0\le j\le n-1$) denotes the round constant. Next, we show how to construct univariate equations with the CICO problem. We always set $u=n-1$ in the following.

When $n=3$. We set $u=n-1=2$, then $V_u$ is a vector subspace spanned by $\{e_0,e_1\}$. Let the input states of ${\mathcal{F}}_0$ be $\mathit{X}=(X_1,X_2,A_0)\in V_u$, where $A_0$ is a fixed constant. Let the states after ${\mathcal{F}}_0$ be $\mathit{Y}=(Y_0,Y_1,Y_2)\in {\mathbb{F}}_p^3$. When passing through the first nonlinear layer of ${\mathcal{F}}_0$, there is

$$\begin{array}{cc}\hfill S\left(A_0\right)& =m_{2,0}(S^{-1}\left(Y_0\right)-c_0^0)+m_{2,1}(S^{-1}\left(Y_1\right)-c_1^0)+m_{2,2}(S^{-1}\left(Y_2\right)-c_2^0)\hfill \\ \hfill & =m_{2,0}{S}^{-1}\left(Y_0\right)+m_{2,1}{S}^{-1}\left(Y_1\right)+m_{2,2}{S}^{-1}-(m_{2,0}{c}_0^0+m_{2,1}{c}_1^0+m_{2,2}{c}_2^0).\hfill \end{array}$$

(5)

We fix $Y_2$ to a constant value $B_0=S\left(m_{2,2}^{-1}(m_{2,0}{c}_0^0+m_{2,1}{c}_1^0+m_{2,2}{c}_2^0+S\left(A_0\right))\right)$. Then we can simplify the Equation 5 as

$$\begin{array}{cc}\hfill & m_{2,0}{S}^{-1}\left(Y_0\right)+m_{2,1}{S}^{-1}\left(Y_1\right)=0\hfill \\ \hfill ⟺& m_{2,0}{S}^{-1}\left(Y_0\right)=-m_{2,1}{S}^{-1}\left(Y_1\right)\hfill \\ \hfill ⟺& S\left(m_{2,0}{S}^{-1}\left(Y_0\right)\right)=S(-m_{2,1}{S}^{-1}\left(Y_1\right))\hfill \\ \hfill ⟺& S\left(m_{2,0}\right)Y_0=S\left(m_{2,1}\right)Y_1.\hfill \end{array}$$

(6)

The S-box must satisfy the Formula 4, and the above Equation 6 can be established successfully. We found that $A_0$ and $B_0$ are fixed, $Y_1$ can be represented by $Y_0$ as $Y1=\frac{S\left(m_{2,0}\right)}{S\left(m_{2,1}\right)}{Y}_0$. Then we have

$$\begin{array}{cc}\hfill & \mathit{X}=(X_0,X_1,A_0)\in V_2,\hfill \\ \hfill & \mathit{Y}=Y_0(1,\frac{S\left(m_{2,0}\right)}{S\left(m_{2,1}\right)},0)+(0,0,B_0)\in V_2.\hfill \end{array}$$

When $n=4$. We set $u=n-1=3$, then $V_u$ is a vector subspace spanned by $\{e_0,e_1,e_2\}$. Similar to $n=3$, we denote the input and output states of ${\mathcal{F}}_0$ as $\mathit{X}=(X_0,X_1,X_2,A_0)\in V_u$ and $\mathit{Y}=(Y_0,Y_1,Y_2,Y_3)\in {\mathbb{F}}_p^4$ respectively, where $A_0$ are fixed constants. When passing through the first nonlinear layer of ${\mathcal{F}}_0$, there is

$$\begin{array}{cc}\hfill S\left(A_0\right)& =m_{3,0}(S^{-1}\left(Y_0\right)-c_0^0)+m_{3,1}(S^{-1}\left(Y_1\right)-c_1^0)+m_{3,2}(S^{-1}\left(Y_2\right)-c_2^0)+m_{3,3}(S^{-1}\left(Y_3\right)-c_3^0)\hfill \\ \hfill & =m_{3,0}{S}^{-1}\left(Y_0\right)+m_{3,1}{S}^{-1}\left(Y_1\right)+m_{3,2}{S}^{-1}+m_{3,3}{S}^{-1}\left(Y_3\right)\hfill \\ & -(m_{3,0}{c}_0^0+m_{3,1}{c}_1^0+m_{3,2}{c}_2^0+m_{3,3}{c}_3^0)\hfill \\ \hfill & =\sum _{i=0}^3{m}_{3,i}{S}^{-1}\left(Y_i\right)-\sum _{i=0}^3{m}_{3,i}{c}_i^0.\hfill \end{array}$$

(7)

We fix $Y_3$ to a constant denoted as $B_0$; $Y_3$ satisfies

$$\begin{array}{c}\hfill m_{3,3}{S}^{-1}\left(Y_3\right)=\sum _{i=0}^3{m}_{3,i}{c}_i^0+S\left(A_0\right).\end{array}$$

Then we can obtain

$$\begin{array}{cc}\hfill & m_{3,0}{S}^{-1}\left(Y_0\right)+m_{3,1}{S}^{-1}\left(Y_1\right)+m_{3,2}{S}^{-1}\left(Y_2\right)=0.\hfill \end{array}$$

(8)

In order to simplify the equation, we set $(Y_1,Y_2)=(S\left(Q_1\right)Y_0,S\left(Q_2\right)Y_0)$, and bring $(Y_1,Y_2)$ into Equation 8, then we get

$$\begin{array}{c}\hfill S^{-1}\left(Y_0\right)(m_{3,0}+m_{3,1}{Q}_1+m_{3,2}{Q}_2)=0.\end{array}$$

Therefore, if $(Q_1,Q_2)$ and $Y_3$ satisfy

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\hfill & m_{3,0}+m_{3,1}{Q}_1+m_{3,2}{Q}_2=0\hfill \\ \hfill & Y_3=S\left(m_{3,3}^{-1}(\sum _{i=0}^3{m}_{3,i}{c}_i^0+S\left(A_0\right))\right),\hfill \end{array}\right.\end{array}$$

we will have

$$\begin{array}{cc}\hfill & \mathit{X}=(X_0,X_1,X_2,A_0)\in V_3,\hfill \\ \hfill & \mathit{Y}=Y_0(1,Q_1,Q_2,0)+(0,0,0,B_0)\in V_3.\hfill \end{array}$$

When $n\ge 4$. In general, we set $u=n-1$, $V_{n-1}$ is also a vector subspace spanned by $\{e_0,e_1,\cdots ,e_{n-2}\}$. Similarly, the input and output states of ${\mathcal{F}}_0$ are in the form of $\mathit{X}=(X_0,X_1,\cdots ,X_{n-2},A_0)$ and $\mathit{Y}=(Y_0,Y_1,\cdots ,Y_{n-1})\in {\mathbb{F}}_p^n$ respectively. Let $A_0\in {\mathbb{F}}_p$ be a fixed constant. When passing through the first nonlinear layer of ${\mathcal{F}}_0$, there is

$$\begin{array}{c}\hfill S\left(A_0\right)=\sum _{i=0}^{n-1}{m}_{n-1,i}(S^{-1}\left(Y_i\right)-c_i^0)=\sum _{i=0}^{n-1}{m}_{n-1,i}{S}^{-1}\left(Y_i\right)-\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0.\end{array}$$

(9)

We also fix $Y_{n-1}$ to a constant denoted as $B_0$, then $Y_{n-1}$ fulfills

$$\begin{array}{c}\hfill m_{n-1,n-1}{S}^{-1}\left(Y_{n-1}\right)=\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0+S\left(A_{n-1}\right).\end{array}$$

(10)

Just like $n=3$ and $n=4$, we set $(Y_1,Y_2,\cdots ,Y_{n-2})=(S\left(Q_1\right)Y_0,S\left(Q_2\right)Y_0,\cdots ,S\left(Q_{n-2}\right)Y_0)$. By bringing $(Y_1,Y_2,\cdots ,Y_{n-1})$ and the constant $Y_{n-1}$ back into the Equation 9, then we can obtain

$$\begin{array}{c}\hfill S^{-1}\left(Y_0\right)(m_{n-1,0}+\sum _{i=1}^{n-1}{m}_{n-1,i}{Q}_i)=0.\end{array}$$

Therefore, if $(Q_1,Q_2,\cdots ,Q_{n-1})$ and $Y_{n-1}$ satisfy

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\hfill & m_{n-1,0}+\sum _{i=1}^{n-1}{m}_{n-1,i}{Q}_i=0\hfill \\ \hfill & Y_{n-1}=S\left(m_{n-1,n-1}^{-1}(\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0+S\left(A_0\right))\right),\hfill \end{array}\right.\end{array}$$

we will have

$$\begin{array}{cc}\hfill & \mathit{X}=(X_0,X_1,\cdots ,X_{n-2},A_0)\in V_{n-1},\hfill \\ \hfill & \mathit{Y}=Y_0(1,Q_1,Q_2,\cdots ,Q_{n-2},0)+({\mathbf{0}}^{n-1},B_0)\in V_{n-1}.\hfill \end{array}$$

Let $\mathit{Y}$ be the input to ${\mathcal{F}}_1$, where only $Y_0$ is the unknown variable. We define the output of ${\mathcal{F}}_1$ as $Z=(Z_0,Z_1,\cdots ,Z_{n-2},C_0)\in V_{n-1}$, $C_0\in {\mathbb{F}}_p$ is a fixed constant. By considering the final position of the output from ${\mathcal{F}}_1$, we construct a univariate equation with $Y_0$ as its variable, which is in the form of

$$\begin{array}{c}\hfill F\left(Y_0\right)=C_0.\end{array}$$

(11)

Given a valid $Y_0$, we can invariably infer an input $\mathit{X}$ specifically tailored for the R-round permutation $\mathcal{P}$ that projects onto the vector subspace $V_{n-1}$.

3.3. Application to Hash Function Grendel

In this section, we build upon the full-round preimage attack on the hash function Grendel presented in [18] by employing the trick described in the previous section to decrease the degree and complexity of the polynomial system. Let s be the security level, and let p be the prime that defines the field. We limit ourselves to focus on the case in which $p\ge 2^s$. The following are the details of our attack.

• We first divide the Grendel permutation into two parts ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ as before. The Grendel permutation has R rounds. Consider the hash function Grendel with the following parameters: $n=r+c$. The Grendel S-box, denoted as $S\left(x\right):x\mapsto x^d·{\chi }_p\left(x\right)$ satisfies the Formula 4, which can be proven straightforwardly. Similarly, we set $u=n-1$, and the $V_u$ is a vector subspace. The Grendel permutation takes an input $\mathit{X}=(X_0,\cdots ,X_{r-1},{\mathbf{0}}^c)$ where $X_0,\cdots ,X_{r-1}$ represent the input messages, and it produces an output $\mathit{Z}=(Z_0,\cdots ,Z_{r-1},{\mathbf{0}}^c)$. The initial value IV of Grendel is set to all zeros, and the last c elements of the output $\mathit{Z}$ are also zeros. Consequently, after $\mathit{X}\in V_u$ passes through ${\mathcal{F}}_0$, it yields $\mathit{Y}=(Y_0,Y_1,\cdots ,Y_{n-1})\in V_u$. As indicated in the previous section, we have $Y_{n-1}$ and $(Q_1,\cdots ,Q_{n-1})$ satisfy

  $$\begin{array}{c}\hfill \left\{\begin{array}{c}{m}_{n-1,0}+\sum _{i=1}^{n-1}{m}_{n-1,i}{Q}_i=0\hfill \\ Y_{n-1}={\left(m_{n-1,n-1}^{-1}\left(\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0\right)\right)}^3·{\chi }_p\left(m_{n-1,n-1}^{-1}\left(\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0\right)\right).\hfill \end{array}\right.\end{array}$$
  Thus, for ${\mathcal{F}}_1$, there is only one unknown input variable $Y_0$. Then we can process it similarly as in [18].
• According to [18], it can be observed that when $p\ge 2^{32}$, the probability of the Legendre symbol being $\pm 1$ is greater than $99.99\%$. Therefore, we only consider guessing $\pm 1$. Based on the previous step, ${\mathcal{F}}_1$ has an input $\mathit{Y}$ with only one unknown variable $Y_0$. The ${\mathcal{F}}_1$ has $R-2$ rounds; we must guess the number of Legendre symbols, given by $l=n(R-3)+1=nR-3n+1$. Because only the Legendre symbol of $Y_0$ needs to be guessed in the first round of ${\mathcal{F}}_1$, and other values are constant, the Legendre symbol is known. Consequently, there are at most $2^l=2^{nR-3n+1}$ distinct sets of Legendre symbols to guess until the correct set of Legendre symbols is found.
• After fixing the Legendre symbols, we can construct a polynomial with $Y_0$ as an unknown variable. The polynomial equation, as defined in Formula 11, has a degree of $\mathcal{D}=d^{R-2}$. To determine the specific value of $Y_0$, we can employ the root-finding algorithm in Section 2.3.1. The complexity $T_1$ of the root-finding algorithm is

  $$\begin{array}{cc}\hfill & T_1=\mathcal{O}(\mathtt{M}\left(d^{R-2}\right)log\left(d^{R-2}\right)log(d^{R-2}·p)),\hfill \\ \hfill & \mathtt{M}\left(d^{R-2}\right)=63.43·d^{R-2}log\left(d^{R-2}\right)log(log\left(d^{R-2}\right))+\mathcal{O}(d^{R-2}log\left(d^{R-2}\right)).\hfill \end{array}$$
• Upon obtaining $Y_0$’s value, we need to verify its validity. This requires checking the correctness of each guessed Legendre symbol. According to [18], for each set of guessed Legendre symbols, we only need to verify three of them to exclude an invalid set. The complexity $T_2$ of computing a Legendre symbol [37] is evaluated as $\mathcal{O}(\sigma {(log\sigma )}^{2}log(log\left(\sigma \right)))$ for $\sigma =log\left(p\right)$. Therefore, the complexity of this step is $3·T_2$.

As a result, when we obtain a valid $Y_0$, according to the CICO definition, we can always deduce the $\mathit{X}$ such that they are mapped to the vector subspace $V_u$ through the Grendel permutation. The overall complexity T of this attack is

$$\begin{array}{c}\hfill T=(T_1+3·T_2)·2^{nR-3n+1}.\end{array}$$

Therefore, this particular instance is vulnerable to attack if $T\le 2^s$. As shown in Table 1, for the case of security level $s=128$, under different parameter settings, we can observe that we are able to perform two additional rounds of attack compared to the previous work [18]. However, we have not exceeded the new security margin set in [18].

In our investigation of the hash function Grendel, we ascertained that capitalizing on the CICO problem to devise a univariate equation is feasible solely under the conditions $u=r=n-1$. This premise holds because, in this specific scenario, it enables the generation of an intermediate variable intimately associated with the vector subspace $V_u$ and ensures that the hash output remains confined to this subspace.

3.4. The Gröbner Basis Attacks for Hash Function Grendel

In this section, we employ the CICO problem to construct a multivariate equation system for the hash function Grendel instantiation. Similarly, we consider the message absorption size to be r, resulting in r hash digests being squeezed out after a Grendel permutation. To further analyze the complexity, we utilize the Gröbner basis attack method described in Section 2.3.2 and incorporate insights gained from our experimental observations.

Building upon our previous assumption of guessing the Legendre symbols, we delve deeper into the analysis by considering the introduction of intermediate variables to reduce the degree of the polynomials. Based on the presence of intermediate variables, we categorize our attacks into two scenarios: one without the introduction of intermediate variables and the other with the introduction of intermediate variables in each round.

Considering the hash function Grendel with input messages $(X_1,X_2,\cdots ,X_{r-1})$ of size r and an IV set to all zeros, the Grendel permutation takes an input $\mathit{X}=(X_1,X_2,\cdots ,X_{r-1},{\mathbf{0}}^c)$, where ${\mathbf{0}}^c$ denotes a vector of zeros with length c. The resulting output $\mathit{Z}=(Z_0,\cdots ,Z_{n-1})$ is subject to the CICO problem, where the input $\mathit{X}$ belongs to the vector subspace $V_r$ spanned by $\{e_0,\cdots ,e_{r-1}\}$. To satisfy this condition, the last c positions of $\mathit{Z}$ denoted as $C_0,\cdots ,C_{c-1}$ are fixed constants. In the following attacks, we always set $r=c=\frac{2}{n}$. Consequently, we can formulate a system of multivariate equations.

Without Intermediate Variables. Let $\mathit{X}$ and $\mathit{Z}$ be the input and output of the permutation. We don’t introduce any additional intermediate variables like $\mathit{Y}$. We can build an equation system with c variables and c equations.

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\hfill & F_0(X_0,X_1,\cdots ,X_{c-1})=C_0\hfill \\ \hfill & F_1(X_0,X_1,\cdots ,X_{c-1})=C_1\hfill \\ \hfill & ⋮\hfill \\ \hfill & F_{c-1}(X_0,X_1,\cdots ,X_{c-1})=C_{c-1}.\hfill \end{array}\right.\end{array}$$

We obtain a system of equations with c equations and c variables, where each equation has a degree of ${\mathcal{D}}_i=d^R,0\le i\le c-1$. It is evident that the degree of the equations is much larger than the number of variables. Hence, we employ the Formula 3 to calculate the complexity of the Gröbner basis algorithm. In particular, by setting $d=2$, we compare the complexities of computing the Gröbner basis and the FGLM algorithm. For a system of c equations where each equation having a degree of $2^R$, we can compute the upper bound on the regularity degree ${\mathcal{D}}_{reg}$ of the equation system and the zero-dimensional ideal ${\mathcal{D}}_{\mathcal{I}}$ as follows:

$$\begin{array}{ccc}\hfill & {\mathcal{D}}_{reg}\le 1+\sum _{i=0}^{c-1}({\mathcal{D}}_i-1)=(2^R-1)·c+1,\hfill & \hfill {\mathcal{D}}_{\mathcal{I}}\le \prod _{i=0}^{c-1}{\mathcal{D}}_i=2^{Rc}.\end{array}$$

Computing the Gröbner basis with respect to the grevlex term order using the Formula 3 exhibits asymptotic complexity:

$$\begin{array}{c}\hfill T_G=n{D}_{reg}·{\left(\genfrac{}{}{0pt}{}{n+D_{reg}-1}{D_{reg}}\right)}^{\omega }\le c·((2^R-1)·c+1)·\left(\genfrac{}{}{0pt}{}{2^R·c}{2^R·c-c+1.}\right)\end{array}$$

Then, applying a fast variant of the FGLM algorithm to perform the change of term order exhibits asymptotic complexity:

$$\begin{array}{c}\hfill T_F={\left({\mathcal{D}}_{\mathcal{I}}\right)}^{\omega }=2^{Rc\omega }.\end{array}$$

By evaluating $T_G$ and $T_F$ for $c=2$, there is

$$\begin{array}{cc}\hfill & T_G=(2^{R+2}-2)\times \left(\genfrac{}{}{0pt}{}{2^{R+1}}{2^{R+1}-1}\right)={\left(2^{R+1}\right)}^{\omega }\times (2^{R+2}-2)\le 2^{Rw+w+r+2},\hfill \\ \hfill & T_F=2^{2Rw}.\hfill \end{array}$$

In this case, it is evident that $T_F$ is greater than $T_G$, which indicates that FGLM algorithm becomes the bottleneck in the Gröbner basis attack.

Intermediate Variables. Directly using the input and output of the Grendel permutation are probably infeasible due to the maximum degree and dense polynomials involved. To address this challenge, one possible strategy is to introduce intermediate variables. This approach reduces the degrees in the equation system (and consequently reduces the number of monomials) but at the expense of introducing additional variables. For the Grendel permutation, we introduce new variables in each round to prevent the growth of degrees. Let $\mathit{X}$ and ${\mathit{Y}}^0=(Y_0^0,\cdots ,Y_{n-1}^0)\in {\mathbb{F}}_p^n$ represent the input and output of the first round’s nonlinear layer. The relationship between $\mathit{X}$ and ${\mathit{Y}}^0$ can be expressed through r equations of degree d and c equations of degree 1. Specifically, $Y_0^0=X_0^d$, in accordance with the definition of the S-box (excluding the consideration of the Legendre symbol, as it is determined based on the conjecture). Hence, we add n variables in each round. And we simply use the output values $C_0,\cdots ,C_{c-1}$ to construct the system of equations except for the last one. Then, we have $r+Rn$ variables and the same number of equations. Among these equations, there are $Rn$ equations with a degree of d and r equations with a degree of 1.

Figure 3. Overview of the introduction of intermediate variables in the Grendel permutation.

Figure 3. Overview of the introduction of intermediate variables in the Grendel permutation.

When n is large, indicating the presence of a greater number of intermediate variables, then $D_{reg}$ becomes relatively small. Therefore, we utilize the Formula 2 to evaluate the complexity of the Gröbner basis attack.

In summary, the complexity of the Gröbner basis attack on the hash function Grendel can be divided into three parts. The first part is the complexity of guessing the Legendre symbols, denoted as $T_{guess}$. The second part is the complexity of the Gröbner basis attack, denoted as $T_{GB}$ (with specific calculations selected from the various scenarios mentioned earlier). The third part is the complexity of verifying the Legendre symbols, denoted as $T_{verify}$. There is

$$\begin{array}{cc}\hfill & T_{guess}=2^{(R-1)n+c},\hfill \\ \hfill & T_{verify}=3·\mathcal{O}(\sigma {(log\sigma )}^{2}log(log\left(\sigma \right)))\mathrm{for}\sigma =log\left(p\right).\hfill \end{array}$$

The complete complexity of the Gröbner basis attack for the hash function Grendel can be evaluated by

$$\begin{array}{c}\hfill (T_{GB}+T_{verify})·T_{guess}.\end{array}$$

Table 2. For a security margin of $s=128$ and a modulus $p=2^{256}$, by setting c = r = 2/n, we can evaluate the number of rounds that can be susceptible to Gröbner basis attacks with varying computational complexities.

Instance $(\mathit{d},\mathit{n})$	Attacked Rounds with ${\mathit{T}}_{\mathit{F}}$	Attacked Rounds with ${\mathit{T}}_{\mathit{G}}$
(2,4)	16	21
(2,8)	8	10
(2,12)	5	7
(3,4)	12	17
(3,8)	6	8
(3,12)	4	5
(5,4)	9	14
(5,8)	4	7
(5,12)	3	4

Table 2. For a security margin of $s=128$ and a modulus $p=2^{256}$, by setting c = r = 2/n, we can evaluate the number of rounds that can be susceptible to Gröbner basis attacks with varying computational complexities.

Instance $(\mathit{d},\mathit{n})$	Attacked Rounds with ${\mathit{T}}_{\mathit{F}}$	Attacked Rounds with ${\mathit{T}}_{\mathit{G}}$
(2,4)	16	21
(2,8)	8	10
(2,12)	5	7
(3,4)	12	17
(3,8)	6	8
(3,12)	4	5
(5,4)	9	14
(5,8)	4	7
(5,12)	3	4

4. Conclusion

In this paper, we propose a preimage attack on the sponge hash function implemented with full rounds of the Grendel permutation, utilizing algebraic approaches. By introducing the CICO problem, we address the construction of univariate and multivariate equation systems for the hash function Grendel and employ different algorithms to solve these equations, resulting in new analytical findings. This provides additional insights into the factors that designers should consider when developing arithmetization-oriented cryptographic primitives in response to the CICO problem. Moreover, We find that the choice of different algebraic methods for constructing equations can have an impact on the security analysis of cryptographic primitives. Therefore, it is worth exploring the possibility of combining different algebraic methods for the analysis of arithmetization-oriented cryptographic primitives.