High Exponents May Not Suffice to Patch AIM （On Attacks, Weak Parameters, and Patches for AIM2）

Yimeng Sun; Shiyao Chen; Guowei Liu; Meiqin Wang; Chao Niu

Paper 2025/2272

High Exponents May Not Suffice to Patch AIM （On Attacks, Weak Parameters, and Patches for AIM2）

Yimeng Sun, Shandong University

Shiyao Chen, Shandong University

Guowei Liu, Shandong University

Meiqin Wang, Shandong University

Chao Niu, [email protected]

Abstract

The growth of advanced cryptographic applications has driven the development of arithmetization-oriented (AO) ciphers over large finite fields, which are designed to minimize multiplicative complexity. However, this design advantage of AO ciphers could also serve as an attack vector. For instance, the \textsf{AIM} one-way function in the post-quantum signature \AIMer proposed at CCS 2023 has been broken by several works soon after its publication. The designers then promptly developed secure patches and proposed an enhanced version, \textsf{AIM2}, which was updated to the latest version of \AIMer that has been selected as one of the winners of the Korean PQC Competition in early 2025. In this paper, we focus on the algebraic security of AIM2 over $\mathbb{F}_{2^n}$. First, we introduce a resultant-minimized model that reduces eliminations by using a non-$k$ based substitution strategy and linearized-polynomial decomposition, achieving an attack time complexity of $2^{188.76}$ ($2^{195.05}$) primitive calls of \textsf{AIM2-III} when $\omega=2$ ($\omega=2.373$), indicating that the designers have been over-optimistic in the evaluation of their security margin; Second, we propose a subfield reduction technique for the case that exponents approach subfield extension sizes, equation degrees collapse sharply, \textit{e.g.,} the exponent $e_2=141\mapsto 13$ in \textsf{AIM2-V} when considering the subfield $\mathbb{F}_{2^{128}}$. This can lower the algebraic attack complexity to $2^{295.97}$ primitive calls at $\omega=2$, which improves upon designers' estimated bound of Gr\"{o}bner basis attack by about $2^{100}$. Besides, based on our attack methods, we have identified some weak parameter choices, which could provide concrete design guidance for \textsf{AIM2} construction, especially for the exponent of its Mersenne S-box. Finally, to address the potential vulnerabilities, we further propose \textsf{AIM2-patch} with a simple secure patch on \textsf{AIM2}, which can prevent key elimination, neutralize linearized-polynomial decomposition, and raise algebraic attack complexity, while incurring negligible overheads in \AIMer scheme.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: AIMer AIM2 Resultant Attack Resultant-minimized Modeling Subfield Reduction Linearized Polynomial Decomposition
Contact author(s): sunyimeng @ mail sdu edu cn
csyhash @ foxmail com
guoweiliu @ mail sdu edu cn
mqwang @ sdu edu cn
niuchao niu @ antgroup com
History: 2025-12-18: approved; 2025-12-18: received; See all versions
Short URL: https://ia.cr/2025/2272
License: CC BY

BibTeX

@misc{cryptoeprint:2025/2272,
      author = {Yimeng Sun and Shiyao Chen and Guowei Liu and Meiqin Wang and Chao Niu},
      title = {High Exponents May Not Suffice to Patch {AIM} （On Attacks, Weak Parameters, and Patches for {AIM2}）},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/2272},
      year = {2025},
      url = {https://eprint.iacr.org/2025/2272}
}