2.1. Notations

2.2. CICO Problem

2.3. Solve the Systems of Algebraic Equations

2.4. Description of Hash Function Grendel

• The Nonlinear Layer: Let $X=(x_0,\cdots ,x_{n-1})\in {\mathbb{F}}_p^n$. $\mathcal{NL}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ consists of independent n identical S-boxes. $\mathcal{NL}\left(X\right)=(S\left(x_0\right),S\left(x_1\right),\cdots ,S\left(x_{n-1}\right))$, where

  $$\begin{array}{c}\hfill S\left(x\right)=x^d·{\chi }_p\left(x\right).\end{array}$$
  ${\chi }_p$ is the Legendre symbol, and $d\ge 2$ is an integer that satisfies $gcd(\frac{2d+p-1}{2},p-1)=1$.
• The Linear Layer: The $\mathcal{L}:{\mathbb{F}}_p^n\to {\mathbb{F}}_p^n$ is a $n\times n$ MDS matrix $\mathcal{M}\in {\mathbb{F}}_p^{n\times n}$.
• Adding Round Constants: Round constant $c_j^i\in {\mathbb{F}}_p$, where $0\le i\le R-1,0\le j\le n-1$.

• Padding. If the length of the message is already a multiple of r, no padding is necessary. However, if the length is not a multiple of r, we first append a $1\in {\mathbb{F}}_p$ to the message. Then, we pad the message with 0 until its length becomes a multiple of r.
• Absorption. The message is divided into blocks of size r. Each block is added to the first r blocks of the state using the addition operation. Afterwards, the entire state is processed by applying the permutation function $\mathcal{P}$. Repeat the above operation until all the messages are absorbed.
• Squeezing.In each iteration of the squeezing phase, a block of length r is squeezed out. The permutation function $\mathcal{P}$ is applied to the entire state and the squeezed block is extracted. This process is repeated until the squeezing phase is completed.

Security.According to the proof presented in [36], when the inner permutation bears resemblance to a random permutation, the sponge construction is indistinguishable from a random oracle up to approximately $p^{c/2}$ queries. Equivalently, in order to provide s bits of security, we need $p^{c/2}\ge 2^s$.

Figure 1. The above is an example of a Grendel permutation with a state size of 2. The following is an instance of the hash function Grendel with a sponge structure, which is built upon the Grendel permutation.

Figure 1. The above is an example of a Grendel permutation with a state size of 2. The following is an instance of the hash function Grendel with a sponge structure, which is built upon the Grendel permutation.

3.1. Preimage Attack on Hash Function Grendel in [18]

3.2. Techniques to Skip SPN Rounds

In order to describe this technique in more detail, we assume that the permutation $\mathcal{P}$ is the Grendel permutation. We let ${\mathcal{F}}_0$ consist of two nonlinear layers, one linear layer and one round key addition in the Grendel round function. ${\mathcal{F}}_0$ can be expressed as ${\mathcal{F}}_0(·)=\mathcal{NL}\circ \mathcal{AC}\circ \mathcal{L}\circ \mathcal{NL}(·)$, then ${\mathcal{F}}_1$ can be regarded as an $R-2$ round Grendel round function with a linear layer and a round key addition. S is denoted as the S-box, and $S^{-1}$ is the inverse of the S-box.

Figure 2. A detailed description of a specific trick with a state size of 4.

Figure 2. A detailed description of a specific trick with a state size of 4.

3.3. Application to Hash Function Grendel

• We first divide the Grendel permutation into two parts ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ as before. The Grendel permutation has R rounds. Consider the hash function Grendel with the following parameters: $n=r+c$. The Grendel S-box, denoted as $S\left(x\right):x\mapsto x^d·{\chi }_p\left(x\right)$ satisfies the Formula 4, which can be proven straightforwardly. Similarly, we set $u=n-1$, and the $V_u$ is a vector subspace. The Grendel permutation takes an input $\mathit{X}=(X_0,\cdots ,X_{r-1},{\mathbf{0}}^c)$ where $X_0,\cdots ,X_{r-1}$ represent the input messages, and it produces an output $\mathit{Z}=(Z_0,\cdots ,Z_{r-1},{\mathbf{0}}^c)$. The initial value IV of Grendel is set to all zeros, and the last c elements of the output $\mathit{Z}$ are also zeros. Consequently, after $\mathit{X}\in V_u$ passes through ${\mathcal{F}}_0$, it yields $\mathit{Y}=(Y_0,Y_1,\cdots ,Y_{n-1})\in V_u$. As indicated in the previous section, we have $Y_{n-1}$ and $(Q_1,\cdots ,Q_{n-1})$ satisfy

  $$\begin{array}{c}\hfill \left\{\begin{array}{c}{m}_{n-1,0}+\sum _{i=1}^{n-1}{m}_{n-1,i}{Q}_i=0\hfill \\ Y_{n-1}={\left(m_{n-1,n-1}^{-1}\left(\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0\right)\right)}^3·{\chi }_p\left(m_{n-1,n-1}^{-1}\left(\sum _{i=0}^{n-1}{m}_{n-1,i}{c}_i^0\right)\right).\hfill \end{array}\right.\end{array}$$
  Thus, for ${\mathcal{F}}_1$, there is only one unknown input variable $Y_0$. Then we can process it similarly as in [18].
• According to [18], it can be observed that when $p\ge 2^{32}$, the probability of the Legendre symbol being $\pm 1$ is greater than $99.99\%$. Therefore, we only consider guessing $\pm 1$. Based on the previous step, ${\mathcal{F}}_1$ has an input $\mathit{Y}$ with only one unknown variable $Y_0$. The ${\mathcal{F}}_1$ has $R-2$ rounds; we must guess the number of Legendre symbols, given by $l=n(R-3)+1=nR-3n+1$. Because only the Legendre symbol of $Y_0$ needs to be guessed in the first round of ${\mathcal{F}}_1$, and other values are constant, the Legendre symbol is known. Consequently, there are at most $2^l=2^{nR-3n+1}$ distinct sets of Legendre symbols to guess until the correct set of Legendre symbols is found.
• After fixing the Legendre symbols, we can construct a polynomial with $Y_0$ as an unknown variable. The polynomial equation, as defined in Formula 11, has a degree of $\mathcal{D}=d^{R-2}$. To determine the specific value of $Y_0$, we can employ the root-finding algorithm in Section 2.3.1. The complexity $T_1$ of the root-finding algorithm is

  $$\begin{array}{cc}\hfill & T_1=\mathcal{O}(\mathtt{M}\left(d^{R-2}\right)log\left(d^{R-2}\right)log(d^{R-2}·p)),\hfill \\ \hfill & \mathtt{M}\left(d^{R-2}\right)=63.43·d^{R-2}log\left(d^{R-2}\right)log(log\left(d^{R-2}\right))+\mathcal{O}(d^{R-2}log\left(d^{R-2}\right)).\hfill \end{array}$$
• Upon obtaining $Y_0$’s value, we need to verify its validity. This requires checking the correctness of each guessed Legendre symbol. According to [18], for each set of guessed Legendre symbols, we only need to verify three of them to exclude an invalid set. The complexity $T_2$ of computing a Legendre symbol [37] is evaluated as $\mathcal{O}(\sigma {(log\sigma )}^{2}log(log\left(\sigma \right)))$ for $\sigma =log\left(p\right)$. Therefore, the complexity of this step is $3·T_2$.

3.4. The Gröbner Basis Attacks for Hash Function Grendel

Intermediate Variables. Directly using the input and output of the Grendel permutation are probably infeasible due to the maximum degree and dense polynomials involved. To address this challenge, one possible strategy is to introduce intermediate variables. This approach reduces the degrees in the equation system (and consequently reduces the number of monomials) but at the expense of introducing additional variables. For the Grendel permutation, we introduce new variables in each round to prevent the growth of degrees. Let $\mathit{X}$ and ${\mathit{Y}}^0=(Y_0^0,\cdots ,Y_{n-1}^0)\in {\mathbb{F}}_p^n$ represent the input and output of the first round’s nonlinear layer. The relationship between $\mathit{X}$ and ${\mathit{Y}}^0$ can be expressed through r equations of degree d and c equations of degree 1. Specifically, $Y_0^0=X_0^d$, in accordance with the definition of the S-box (excluding the consideration of the Legendre symbol, as it is determined based on the conjecture). Hence, we add n variables in each round. And we simply use the output values $C_0,\cdots ,C_{c-1}$ to construct the system of equations except for the last one. Then, we have $r+Rn$ variables and the same number of equations. Among these equations, there are $Rn$ equations with a degree of d and r equations with a degree of 1.

Figure 3. Overview of the introduction of intermediate variables in the Grendel permutation.

Figure 3. Overview of the introduction of intermediate variables in the Grendel permutation.

In summary, the complexity of the Gröbner basis attack on the hash function Grendel can be divided into three parts. The first part is the complexity of guessing the Legendre symbols, denoted as $T_{guess}$. The second part is the complexity of the Gröbner basis attack, denoted as $T_{GB}$ (with specific calculations selected from the various scenarios mentioned earlier). The third part is the complexity of verifying the Legendre symbols, denoted as $T_{verify}$. There is

$$\begin{array}{cc}\hfill & T_{guess}=2^{(R-1)n+c},\hfill \\ \hfill & T_{verify}=3·\mathcal{O}(\sigma {(log\sigma )}^{2}log(log\left(\sigma \right)))\mathrm{for}\sigma =log\left(p\right).\hfill \end{array}$$

The complete complexity of the Gröbner basis attack for the hash function Grendel can be evaluated by

$$\begin{array}{c}\hfill (T_{GB}+T_{verify})·T_{guess}.\end{array}$$

Table 2. For a security margin of $s=128$ and a modulus $p=2^{256}$, by setting c = r = 2/n, we can evaluate the number of rounds that can be susceptible to Gröbner basis attacks with varying computational complexities.

Table 2. For a security margin of $s=128$ and a modulus $p=2^{256}$, by setting c = r = 2/n, we can evaluate the number of rounds that can be susceptible to Gröbner basis attacks with varying computational complexities.

Instance $(\mathit{d},\mathit{n})$	Attacked Rounds with ${\mathit{T}}_{\mathit{F}}$	Attacked Rounds with ${\mathit{T}}_{\mathit{G}}$
(2,4)	16	21
(2,8)	8	10
(2,12)	5	7
(3,4)	12	17
(3,8)	6	8
(3,12)	4	5
(5,4)	9	14
(5,8)	4	7
(5,12)	3	4