New Algebraic Attacks on Grendel with the Strategy of Bypassing SPN Steps

The rapid development of modern cryptographic applications such as zero-knowledge, secure multi-party computation, fully homomorphic encryption has motivated the design of new so-called arithmetization-oriented symmetric primitives. As designing ciphers in this domain is relatively new and not well-understood, the security of these new ciphers remains to be completely assessed. In this paper, we revisit the security analysis of arithmetization-oriented cipher Grendel. Grendel uses the Legendre symbol as a component, which is tailored specifically for the use in zero-knowledge and efficiently-varifiable proof systems. At FSE 2022, the first preimage attack on some original full GrendelHash instances was proposed. As a countermeasure, the designer adds this attack into the security analysis and updates the formula to derive the secure number of rounds. In our work, we present new algebraic attacks on GrendelHash. For the preimage attack, we can reduce the complexity or attack one more round than previous attacks for some instances. In addition, we present the first collision attack on some round-reduced instances by solving the constrained input/constrained output problem for the underlying permutations.