Advertisement

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm

  • Xavier BonnetainEmail author
  • Akinori Hosoyamada
  • María Naya-Plasencia
  • Yu Sasaki
  • André Schrottenloher
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)

Abstract

In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon’s period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive.

In this paper, we introduce a new quantum algorithm which uses Simon’s subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover’s algorithm. In particular, we are able to break the Even-Mansour construction in quantum time \(\tilde{O}(2^{n/3})\), with \(O(2^{n/3})\) classical queries and \(O(n^2)\) qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity.

Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover’s algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure.

We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.

Keywords

Simon’s algorithm Classical queries Symmetric cryptography Quantum cryptanalysis Even-Mansour construction FX construction 

Notes

Acknowledgements

The authors thank Léo Perrin for proofreading this article and Elena Kirshanova for helpful remarks. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement \(\text{n}^o\) 714294 - acronym QUASYModo).

References

  1. 1.
    Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block ciphers – focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_4CrossRefGoogle Scholar
  2. 2.
    Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801
  3. 3.
    Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48519-8_18CrossRefGoogle Scholar
  4. 4.
    Bonnetain, X.: Quantum key-recovery on full AEZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 394–406. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-72565-9_20CrossRefGoogle Scholar
  5. 5.
    Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Y., Schrottenloher, A.: Quantum attacks without superposition queries: the offline simon algorithm. IACR Cryptology ePrint Archive 2019, 614 (2019). https://eprint.iacr.org/2019/614
  6. 6.
    Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_19CrossRefGoogle Scholar
  7. 7.
    Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. In: Selected Areas in Cryptography - SAC 2019. Lecture Notes in Computer Science, Springer (2020)Google Scholar
  8. 8.
    Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34961-4_14CrossRefGoogle Scholar
  9. 9.
    Brassard, G., HØyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054319CrossRefGoogle Scholar
  10. 10.
    Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security (2019). https://project.inria.fr/saturnin/files/2019/05/SATURNIN-spec.pdf
  11. 11.
    Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs Codes Crypt. 15(2), 125–156 (1998)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_8CrossRefGoogle Scholar
  13. 13.
    Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR Trans. Crypt. Hardw. Embed. Syst. 2018(2), 218–241 (2018).  https://doi.org/10.13154/tches.v2018.i2.218-241CrossRefGoogle Scholar
  14. 14.
    Crowley, P., Biggers, E.: Adiantum: length-preserving encryption for entry-level processors. IACR Trans. Symmetric Cryptol. 2018(4), 39–61 (2018).  https://doi.org/10.13154/tosc.v2018.i4.39-61CrossRefGoogle Scholar
  15. 15.
    Daemen, J.: Limitations of the Even-Mansour construction. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 495–498. Springer, Heidelberg (1993).  https://doi.org/10.1007/3-540-57332-1_46CrossRefGoogle Scholar
  16. 16.
    Daemen, J., Hoffert, S., Assche, G.V., Keer, R.V.: The design of xoodoo and xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018).  https://doi.org/10.13154/tosc.v2018.i4.1-38CrossRefGoogle Scholar
  17. 17.
    Dinur, I.: Cryptanalytic time-memory-data tradeoffs for FX-constructions with applications to PRINCE and PRIDE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 231–253. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_10CrossRefGoogle Scholar
  18. 18.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Cryptanalysis of Iterated Even-Mansour schemes with two keys. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 439–457. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_23CrossRefGoogle Scholar
  19. 19.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997).  https://doi.org/10.1007/s001459900025MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Gagliardoni, T.: Quantum Security of Cryptographic Primitives. Ph.D. thesis, Darmstadt University of Technology, Germany (2017). http://tuprints.ulb.tu-darmstadt.de/6019/
  21. 21.
    Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying Grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-29360-8_3CrossRefzbMATHGoogle Scholar
  22. 22.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 212–219. ACM (1996). http://doi.acm.org/10.1145/237814.237866
  23. 23.
    Hosoyamada, A., Sasaki, Y.: Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 198–218. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76953-0_11CrossRefGoogle Scholar
  24. 24.
    Kaplan, M., Leurent, G., Leverrier, A.,  Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53008-5_8CrossRefGoogle Scholar
  25. 25.
    Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/536
  26. 26.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_20CrossRefGoogle Scholar
  27. 27.
    Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005).  https://doi.org/10.1137/S0097539703436345MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC 2013, LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2013)Google Scholar
  29. 29.
    Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, Proceedings, pp. 2682–2685. IEEE (2010)Google Scholar
  30. 30.
    Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and Its Applications, ISITA 2012, pp. 312–316. IEEE (2012)Google Scholar
  31. 31.
    Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_6CrossRefGoogle Scholar
  32. 32.
    Martin, L.: XTS: a mode of AES for encrypting hard disks. IEEE Secur. Privacy 8(3), 68–69 (2010).  https://doi.org/10.1109/MSP.2010.111CrossRefGoogle Scholar
  33. 33.
    Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-13051-4_19CrossRefGoogle Scholar
  34. 34.
    National Academies of Sciences, Engineering, and Medicine: Quantum Computing: Progress and Prospects. The National Academies Press, Washington, DC (2018). https://www.nap.edu/catalog/25196/quantum-computing-progress-and-prospects
  35. 35.
    National Institute of Standards and Technlology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
  36. 36.
    Nielsen, M.A., Chuang, I.: Quantum Computation and Quantum Information. AAPT (2002)Google Scholar
  37. 37.
    Rötteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015).  https://doi.org/10.1016/j.ipl.2014.08.009CrossRefzbMATHGoogle Scholar
  38. 38.
    Sasaki, Y., et al.: Minalpher v1.1. CAESAR competition (2015). https://competitions.cr.yp.to/round2/minalpherv11.pdf
  39. 39.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society (1994)Google Scholar
  40. 40.
    Simon, D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, pp. 116–123 (1994)Google Scholar
  41. 41.
    Winternitz, R.S., Hellman, M.E.: Chosen-key attacks on a block cipher. Cryptologia 11(1), 16–20 (1987).  https://doi.org/10.1080/0161-118791861749CrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Xavier Bonnetain
    • 1
    • 3
    Email author
  • Akinori Hosoyamada
    • 2
    • 4
  • María Naya-Plasencia
    • 1
  • Yu Sasaki
    • 2
  • André Schrottenloher
    • 1
  1. 1.InriaParisFrance
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan
  3. 3.Collège DoctoralSorbonne UniversitéParisFrance
  4. 4.Nagoya UniversityNagoyaJapan

Personalised recommendations