## CryptoDB

### Paper: Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations

Authors: Fukang Liu , University of Hyogo Santanu Sarkar , Indian Institute of Technology Madras Willi Meier , FHNW Takanori Isobe , University of Hyogo & NICT & PRESTO DOI: 10.1007/978-3-030-92062-3_8 Search ePrint Search Google Slides ASIACRYPT 2021 Rasta and Dasta are two fully homomorphic encryption friendly symmetric-key primitives proposed at CRYPTO 2018 and ToSC 2020, respectively. We point out that the designers of Rasta and Dasta neglected an important property of the $\chi$ operation. Combined with the special structure of Rasta and Dasta, this property directly leads to significantly improved algebraic cryptanalysis. Especially, it enables us to theoretically break 2 out of 3 instances of full Agrasta, which is the aggressive version of Rasta with the block size only slightly larger than the security level in bits. We further reveal that Dasta is more vulnerable against our attacks than Rasta for its usage of a linear layer composed of an ever-changing bit permutation and a deterministic linear transform. Based on our cryptanalysis, the security margins of Dasta and Rasta parameterized with $(n,\kappa,r)\in\{(327,80,4),(1877,128,4),(3545,256,5)\}$ are reduced to only 1 round, where $n$, $\kappa$ and $r$ denote the block size, the claimed security level and the number of rounds, respectively. These parameters are of particular interest as the corresponding ANDdepth is the lowest among those that can be implemented in reasonable time and target the same claimed security level.
##### BibTeX
@inproceedings{asiacrypt-2021-31341,
title={Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations},
publisher={Springer-Verlag},
doi={10.1007/978-3-030-92062-3_8},
author={Fukang Liu and Santanu Sarkar and Willi Meier and Takanori Isobe},
year=2021
}