For Arithmetization-Oriented ciphers and hash functions, Gröbner basis attacks are generally considered the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata & Gorla revealed that, under a certain genericity condition on a polynomial system, the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and hence by the Macaulay bound, which only takes the degrees and the number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash, provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.
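As an added illustration of the quantity the abstract refers to (this is example code written for this page, not the paper's own software or proofs), the script below evaluates the classical Macaulay bound, the sum of (d_i - 1) over all polynomials plus one, for a square system and applies it to an assumed key-recovery model of MiMC. The modelling assumptions are labelled in the code: one key variable, one intermediate state variable per round boundary, and one degree-d round polynomial per round, so r rounds give r polynomials in r variables. Whether the genericity condition that makes the bound apply actually holds for a cipher is precisely what the paper establishes; the script only shows how the bound is computed from degrees and variable counts, and how a solving degree translates into the column count of the corresponding Macaulay matrix.

```python
"""Macaulay-bound estimate for an iterated (MiMC-style) polynomial system.

Added example, not code from the paper.  Assumptions (labelled):
  * The classical Macaulay bound for a square system of n polynomials in
    n variables, sum_i (d_i - 1) + 1, is used as the bound on the solving
    degree.  It applies only under the genericity condition of Caminata &
    Gorla; this script evaluates the bound and does not check the condition.
  * The MiMC key-recovery model is assumed to be: one key variable k, one
    intermediate state variable per round boundary, and one degree-d round
    polynomial per round, i.e. r polynomials in r variables.
"""
from math import comb


def macaulay_bound(degrees, n_vars):
    """Classical Macaulay bound sum(d_i - 1) + 1 for a square system.

    Only the square case (as many polynomials as variables) is handled,
    which is the shape key-recovery systems on iterated ciphers take.
    """
    if len(degrees) != n_vars:
        raise ValueError("only square systems (m == n) are handled here")
    if any(d < 1 for d in degrees):
        raise ValueError("degrees must be positive")
    return sum(d - 1 for d in degrees) + 1


def mimc_system_shape(rounds, degree=3):
    """Return (n_vars, degrees) for the assumed MiMC key-recovery model.

    Round i computes x_{i+1} = (x_i + k + c_i)^degree.  The unknowns are
    k and the intermediate states x_1, ..., x_{r-1}; there is one
    polynomial per round (the last one equates to the known ciphertext).
    """
    if rounds < 1:
        raise ValueError("need at least one round")
    n_vars = 1 + (rounds - 1)          # key + intermediate state variables
    degrees = [degree] * rounds        # one degree-d polynomial per round
    return n_vars, degrees


def mimc_solving_degree_bound(rounds, degree=3):
    """Macaulay bound for the assumed MiMC model: r * (d - 1) + 1."""
    n_vars, degrees = mimc_system_shape(rounds, degree)
    return macaulay_bound(degrees, n_vars)


def macaulay_matrix_columns(n_vars, solving_degree):
    """Number of monomials of degree <= D in n variables, C(n + D, D).

    This is the column count of the Macaulay matrix a linear-algebra
    Groebner basis algorithm has to reduce at degree D, which is why the
    solving degree drives the cost estimate.
    """
    return comb(n_vars + solving_degree, solving_degree)


if __name__ == "__main__":
    for r in (2, 4, 8, 16):
        n_vars, _ = mimc_system_shape(r)
        d_bound = mimc_solving_degree_bound(r)
        cols = macaulay_matrix_columns(n_vars, d_bound)
        print(f"MiMC, {r:2d} rounds, cubic round function: "
              f"Macaulay bound = {d_bound}, matrix columns = {cols}")
```

The bound grows linearly in the number of rounds for this model, while the Macaulay matrix size grows combinatorially in both the variable count and the solving degree, which is what makes a proven upper bound on the solving degree a meaningful security statement and a proven lower bound on the regularity a reassurance that the estimate cannot be pushed below a threshold.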