International Association for Cryptologic Research

International Association
for Cryptologic Research


Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations

Fukang Liu , University of Hyogo
Santanu Sarkar , Indian Institute of Technology Madras
Willi Meier , FHNW
Takanori Isobe , University of Hyogo & NICT & PRESTO
DOI: 10.1007/978-3-030-92062-3_8
Search ePrint
Search Google
Presentation: Slides
Conference: ASIACRYPT 2021
Abstract: Rasta and Dasta are two fully homomorphic encryption friendly symmetric-key primitives proposed at CRYPTO 2018 and ToSC 2020, respectively. We point out that the designers of Rasta and Dasta neglected an important property of the $\chi$ operation. Combined with the special structure of Rasta and Dasta, this property directly leads to significantly improved algebraic cryptanalysis. Especially, it enables us to theoretically break 2 out of 3 instances of full Agrasta, which is the aggressive version of Rasta with the block size only slightly larger than the security level in bits. We further reveal that Dasta is more vulnerable against our attacks than Rasta for its usage of a linear layer composed of an ever-changing bit permutation and a deterministic linear transform. Based on our cryptanalysis, the security margins of Dasta and Rasta parameterized with $(n,\kappa,r)\in\{(327,80,4),(1877,128,4),(3545,256,5)\}$ are reduced to only 1 round, where $n$, $\kappa$ and $r$ denote the block size, the claimed security level and the number of rounds, respectively. These parameters are of particular interest as the corresponding ANDdepth is the lowest among those that can be implemented in reasonable time and target the same claimed security level.
Video from ASIACRYPT 2021
  title={Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations},
  author={Fukang Liu and Santanu Sarkar and Willi Meier and Takanori Isobe},