For Arithmetization-Oriented ciphers and hash functions, Gröbner basis attacks are generally considered the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata & Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and hence by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash, provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.
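The abstract says the Macaulay bound depends only on the degrees and the number of variables of the input polynomials, and that the solving degree is what designers turn into a cost estimate for linear-algebra Gröbner basis algorithms. The following Python is an added illustration of that workflow, not code from the paper: it computes the Macaulay bound in the form stated by Caminata & Gorla (d_1 + ... + d_l - l + 1 with d_1 ≥ ... ≥ d_m and l = min(n+1, m)), turns a solving degree into the standard binom(n+d, d)^ω Macaulay-matrix cost estimate, and applies both to a constructed toy iterated model (one polynomial of the round degree per round, one variable per round). The toy degree sequence and the choice ω = 2.81 are assumptions for the example; they are not the paper's derivation of its MiMC, Feistel-MiMC, Hades or GMiMC bounds.

```python
from math import comb, log2


def macaulay_bound(degrees, n_vars):
    """Macaulay (Lazard) bound d_1 + ... + d_l - l + 1, l = min(n_vars + 1, m),
    for m polynomials with degrees sorted in decreasing order.
    Only the degrees and the number of variables enter the bound."""
    if not degrees or n_vars < 1:
        raise ValueError("need at least one polynomial and one variable")
    ds = sorted(degrees, reverse=True)
    l = min(n_vars + 1, len(ds))
    return sum(ds[:l]) - l + 1


def iterated_system_degrees(rounds, round_degree):
    """Degree sequence of a constructed toy iterated model (assumption, not the
    paper's exact cipher models): one polynomial of degree `round_degree`
    per round, and one variable per round (intermediate states plus the
    unknown). Returns (degrees, n_vars)."""
    return [round_degree] * rounds, rounds


def macaulay_matrix_columns(n_vars, degree):
    """Number of monomials of degree <= `degree` in `n_vars` variables, i.e.
    the column count of the Macaulay matrix that a linear-algebra Groebner
    basis algorithm reduces at that degree."""
    return comb(n_vars + degree, degree)


def groebner_cost_bits(n_vars, solving_degree, omega=2.81):
    """log2 of the standard estimate binom(n + d, d)^omega for linear algebra
    on the degree-d Macaulay matrix; omega is the matrix-multiplication
    exponent (2.81 = Strassen, an assumption for this example)."""
    return omega * log2(macaulay_matrix_columns(n_vars, solving_degree))


def security_margin_table(round_degree, round_counts, target_bits):
    """For each round count: (rounds, n_vars, solving-degree bound,
    estimated attack cost in bits, whether the target security is met).
    The solving degree used is the Macaulay bound of the toy model."""
    rows = []
    for r in round_counts:
        degs, n = iterated_system_degrees(r, round_degree)
        sd = macaulay_bound(degs, n)
        bits = groebner_cost_bits(n, sd)
        rows.append((r, n, sd, round(bits, 1), bits >= target_bits))
    return rows


if __name__ == "__main__":
    # Cubic round function (as in MiMC-style designs) against a 128-bit target.
    print("rounds  vars  sd_bound  cost_bits  meets_128")
    for r, n, sd, bits, ok in security_margin_table(3, [4, 8, 16, 32, 64], 128):
        print(f"{r:>6}  {n:>4}  {sd:>8}  {bits:>9}  {ok}")
```

The table grows quickly because both the number of variables and the Macaulay bound scale linearly in the round count, so binom(n + sd, sd) grows super-polynomially; a designer uses exactly this kind of table to pick a round count with margin, and the paper's contribution is proving that the Macaulay bound is a valid solving-degree bound for such iterated systems rather than a hypothesis.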