Quantum attacks without superposition queries: the offline Simon’s algorithm. (English) Zbl 1456.94052
Galbraith, Steven D. (ed.) et al., Advances in cryptology – ASIACRYPT 2019. 25th international conference on the theory and application of cryptology and information security, Kobe, Japan, December 8–12, 2019. Proceedings. Part I. Cham: Springer. Lect. Notes Comput. Sci. 11921, 552-583 (2019).
Summary: In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon’s period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive.
In this paper, we introduce a new quantum algorithm which uses Simon’s subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover’s algorithm. In particular, we are able to break the Even-Mansour construction in quantum time \(\tilde{O}(2^{n/3})\), with \(O(2^{n/3})\) classical queries and \(O(n^2)\) qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity.
Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover’s algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure.
We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.
For the entire collection see [Zbl 1428.94008].
In this paper, we introduce a new quantum algorithm which uses Simon’s subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover’s algorithm. In particular, we are able to break the Even-Mansour construction in quantum time \(\tilde{O}(2^{n/3})\), with \(O(2^{n/3})\) classical queries and \(O(n^2)\) qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity.
Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover’s algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure.
We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.
For the entire collection see [Zbl 1428.94008].
MSC:
| 94A60 | Cryptography |
| 68Q12 | Quantum algorithms and complexity in the theory of computing |
| 81P94 | Quantum cryptography (quantum-theoretic aspects) |
Keywords:
Simon’s algorithm; classical queries; symmetric cryptography; quantum cryptanalysis; Even-Mansour construction; FX constructionReferences:
| [1] | Albrecht, MR; Driessen, B.; Kavun, EB; Leander, G.; Paar, C.; Yalçın, T.; Garay, JA; Gennaro, R., Block ciphers – focus on the linear layer (feat. PRIDE), Advances in Cryptology - CRYPTO 2014, 57-76, 2014, Heidelberg: Springer, Heidelberg · Zbl 1317.94079 · doi:10.1007/978-3-662-44371-2_4 |
| [2] | Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1-38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801 |
| [3] | Biryukov, A.; Wagner, D.; Knudsen, L., Slide attacks, Fast Software Encryption, 245-259, 1999, Heidelberg: Springer, Heidelberg · Zbl 0942.94020 · doi:10.1007/3-540-48519-8_18 |
| [4] | Bonnetain, X.; Adams, C.; Camenisch, J., Quantum key-recovery on full AEZ, Selected Areas in Cryptography - SAC 2017, 394-406, 2018, Cham: Springer, Cham · Zbl 1384.94037 · doi:10.1007/978-3-319-72565-9_20 |
| [5] | Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Y., Schrottenloher, A.: Quantum attacks without superposition queries: the offline simon algorithm. IACR Cryptology ePrint Archive 2019, 614 (2019). https://eprint.iacr.org/2019/614 |
| [6] | Bonnetain, X.; Naya-Plasencia, M.; Peyrin, T.; Galbraith, S., Hidden shift quantum cryptanalysis and implications, Advances in Cryptology - ASIACRYPT 2018, 560-592, 2018, Cham: Springer, Cham · Zbl 1446.94106 · doi:10.1007/978-3-030-03326-2_19 |
| [7] | Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. In: Selected Areas in Cryptography - SAC 2019. Lecture Notes in Computer Science, Springer (2020) · Zbl 1453.94062 |
| [8] | Borghoff, J.; Wang, X.; Sako, K., PRINCE - a low-latency block cipher for pervasive computing applications, Advances in Cryptology - ASIACRYPT 2012, 208-225, 2012, Heidelberg: Springer, Heidelberg · Zbl 1292.94035 · doi:10.1007/978-3-642-34961-4_14 |
| [9] | Brassard, G.; HØyer, P.; Tapp, A.; Lucchesi, CL; Moura, AV, Quantum cryptanalysis of hash and claw-free functions, LATIN’98: Theoretical Informatics, 163-169, 1998, Heidelberg: Springer, Heidelberg · Zbl 1508.68118 · doi:10.1007/BFb0054319 |
| [10] | Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security (2019). https://project.inria.fr/saturnin/files/2019/05/SATURNIN-spec.pdf |
| [11] | Carlet, C.; Charpin, P.; Zinoviev, V., Codes, bent functions and permutations suitable for DES-like cryptosystems, Designs Codes Crypt., 15, 2, 125-156, 1998 · Zbl 0938.94011 · doi:10.1023/A:1008344232130 |
| [12] | Chailloux, A.; Naya-Plasencia, M.; Schrottenloher, A.; Takagi, T.; Peyrin, T., An efficient quantum collision search algorithm and implications on symmetric cryptography, Advances in Cryptology - ASIACRYPT 2017, 211-240, 2017, Cham: Springer, Cham · Zbl 1380.81085 · doi:10.1007/978-3-319-70697-9_8 |
| [13] | Chakraborti, A.; Datta, N.; Nandi, M.; Yasuda, K., Beetle family of lightweight and secure authenticated encryption ciphers, IACR Trans. Crypt. Hardw. Embed. Syst., 2018, 2, 218-241, 2018 · doi:10.13154/tches.v2018.i2.218-241 |
| [14] | Crowley, P.; Biggers, E., Adiantum: length-preserving encryption for entry-level processors, IACR Trans. Symmetric Cryptol., 2018, 4, 39-61, 2018 · doi:10.13154/tosc.v2018.i4.39-61 |
| [15] | Daemen, J.; Imai, H.; Rivest, RL; Matsumoto, T., Limitations of the Even-Mansour construction, Advances in Cryptology — ASIACRYPT ’91, 495-498, 1993, Heidelberg: Springer, Heidelberg · Zbl 0825.94187 · doi:10.1007/3-540-57332-1_46 |
| [16] | Daemen, J.; Hoffert, S.; Assche, GV; Keer, RV, The design of xoodoo and xoofff, IACR Trans. Symmetric Cryptol., 2018, 4, 1-38, 2018 · doi:10.13154/tosc.v2018.i4.1-38 |
| [17] | Dinur, I.; Oswald, E.; Fischlin, M., Cryptanalytic time-memory-data tradeoffs for FX-constructions with applications to PRINCE and PRIDE, Advances in Cryptology - EUROCRYPT 2015, 231-253, 2015, Heidelberg: Springer, Heidelberg · Zbl 1370.94504 · doi:10.1007/978-3-662-46800-5_10 |
| [18] | Dinur, I.; Dunkelman, O.; Keller, N.; Shamir, A.; Sarkar, P.; Iwata, T., Cryptanalysis of Iterated Even-Mansour schemes with two keys, Advances in Cryptology - ASIACRYPT 2014, 439-457, 2014, Heidelberg: Springer, Heidelberg · Zbl 1306.94048 · doi:10.1007/978-3-662-45611-8_23 |
| [19] | Even, S.; Mansour, Y., A construction of a cipher from a single pseudorandom permutation, J. Cryptol., 10, 3, 151-162, 1997 · Zbl 1053.94552 · doi:10.1007/s001459900025 |
| [20] | Gagliardoni, T.: Quantum Security of Cryptographic Primitives. Ph.D. thesis, Darmstadt University of Technology, Germany (2017). http://tuprints.ulb.tu-darmstadt.de/6019/ |
| [21] | Grassl, M.; Langenberg, B.; Roetteler, M.; Steinwandt, R.; Takagi, T., Applying Grover’s algorithm to AES: quantum resource estimates, Post-Quantum Cryptography, 29-43, 2016, Cham: Springer, Cham · Zbl 1405.81026 · doi:10.1007/978-3-319-29360-8_3 |
| [22] | Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22-24 May 1996, pp. 212-219. ACM (1996). doi:10.1145/237814.237866 · Zbl 0922.68044 |
| [23] | Hosoyamada, A.; Sasaki, Y.; Smart, NP, Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations, Topics in Cryptology - CT-RSA 2018, 198-218, 2018, Cham: Springer, Cham · Zbl 1507.94040 · doi:10.1007/978-3-319-76953-0_11 |
| [24] | Kaplan, M.; Leurent, G.; Leverrier, A.; Naya-Plasencia, M.; Robshaw, M.; Katz, J., Breaking symmetric cryptosystems using quantum period finding, Advances in Cryptology - CRYPTO 2016, 207-237, 2016, Heidelberg: Springer, Heidelberg · Zbl 1391.94766 · doi:10.1007/978-3-662-53008-5_8 |
| [25] | Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71-94 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/536 |
| [26] | Kilian, J.; Rogaway, P.; Koblitz, N., How to protect DES against exhaustive key search, Advances in Cryptology — CRYPTO ’96, 252-267, 1996, Heidelberg: Springer, Heidelberg · Zbl 1329.94067 · doi:10.1007/3-540-68697-5_20 |
| [27] | Kuperberg, G., A subexponential-time quantum algorithm for the dihedral hidden subgroup problem, SIAM J. Comput., 35, 1, 170-188, 2005 · Zbl 1084.81019 · doi:10.1137/S0097539703436345 |
| [28] | Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC 2013, LIPIcs, vol. 22, pp. 20-34. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2013) · Zbl 1356.68076 |
| [29] | Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, Proceedings, pp. 2682-2685. IEEE (2010) |
| [30] | Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and Its Applications, ISITA 2012, pp. 312-316. IEEE (2012) |
| [31] | Leander, G.; May, A.; Takagi, T.; Peyrin, T., Grover meets Simon – quantumly attacking the FX-construction, Advances in Cryptology - ASIACRYPT 2017, 161-178, 2017, Cham: Springer, Cham · Zbl 1380.94109 · doi:10.1007/978-3-319-70697-9_6 |
| [32] | Martin, L., XTS: a mode of AES for encrypting hard disks, IEEE Secur. Privacy, 8, 3, 68-69, 2010 · doi:10.1109/MSP.2010.111 |
| [33] | Mouha, N.; Mennink, B.; Van Herrewege, A.; Watanabe, D.; Preneel, B.; Verbauwhede, I.; Joux, A.; Youssef, A., Chaskey: an efficient MAC algorithm for 32-bit microcontrollers, Selected Areas in Cryptography - SAC 2014, 306-323, 2014, Cham: Springer, Cham · Zbl 1382.94145 · doi:10.1007/978-3-319-13051-4_19 |
| [34] | National Academies of Sciences, Engineering, and Medicine: Quantum Computing: Progress and Prospects. The National Academies Press, Washington, DC (2018). https://www.nap.edu/catalog/25196/quantum-computing-progress-and-prospects |
| [35] | National Institute of Standards and Technlology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf |
| [36] | Nielsen, M.A., Chuang, I.: Quantum Computation and Quantum Information. AAPT (2002) |
| [37] | Rötteler, M.; Steinwandt, R., A note on quantum related-key attacks, Inf. Process. Lett., 115, 1, 40-44, 2015 · Zbl 1358.94076 · doi:10.1016/j.ipl.2014.08.009 |
| [38] | Sasaki, Y., et al.: Minalpher v1.1. CAESAR competition (2015). https://competitions.cr.yp.to/round2/minalpherv11.pdf |
| [39] | Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124-134. IEEE Computer Society (1994) |
| [40] | Simon, D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, pp. 116-123 (1994) |
| [41] | Winternitz, RS; Hellman, ME, Chosen-key attacks on a block cipher, Cryptologia, 11, 1, 16-20, 1987 · Zbl 0654.94008 · doi:10.1080/0161-118791861749 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
