Selected Areas in Cryptography – SAC 2017, pp. 325–335
Low-Communication Parallel Quantum Multi-Target Preimage Search
Abstract
The most important pre-quantum threat to AES-128 is the 1994 van Oorschot–Wiener “parallel rho method”, a low-communication parallel pre-quantum multi-target preimage-search algorithm. This algorithm uses a mesh of p small processors, each running for approximately \(2^{128}\!/pt\) fast steps, to find one of t independent AES keys \(k_1,\dots ,k_t\), given the ciphertexts \(\mathrm{AES}_{k_1}(0),\dots ,\mathrm{AES}_{k_t}(0)\) for a shared plaintext 0.
NIST has claimed a high post-quantum security level for AES-128, starting from the following rationale: “Grover’s algorithm requires a long-running serial computation, which is difficult to implement in practice. In a realistic attack, one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic.” NIST has also stated that resistance to multi-key attacks is desirable; but, in a realistic parallel setting, a straightforward multi-key application of Grover’s algorithm costs more than targeting one key at a time.
This paper introduces a different quantum algorithm for multi-target preimage search. This algorithm shows, in the same realistic parallel setting, that quantum preimage search benefits asymptotically from having multiple targets. The new algorithm requires a revision of NIST’s AES-128, AES-192, and AES-256 security claims.
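As an added illustration of the classical baseline the abstract describes (this is not code from the paper), the following Python simulation runs the van Oorschot–Wiener parallel rho method against a toy 20-bit keyed function E standing in for k → AES_k(0): each of the t target ciphertexts is walked once to a distinguished point, p simulated processors walk from independent random starts and report only their distinguished endpoints, and a matching endpoint is re-walked to check whether the merge point is a target itself (a preimage) or a later chain point (a false alarm). N_BITS, D_BITS, the SHA-256-based E and the 64 constructed targets are assumptions of the toy, not values from the paper.

```python
import hashlib
import random

N_BITS, D_BITS = 20, 5                  # toy 2^20-key space; "distinguished" = low 5 bits zero
N, LIMIT = 1 << N_BITS, 32 << D_BITS    # LIMIT caps one walk (expected length is 2^5)

def E(k):
    """Toy stand-in for k -> AES_k(0): a 20-bit hash, so a ciphertext is reusable as the next key."""
    return int.from_bytes(hashlib.sha256(k.to_bytes(4, "big")).digest()[:4], "big") & (N - 1)

def distinguished(x):
    return x & ((1 << D_BITS) - 1) == 0

def walk(start):
    x = start                           # iterate x -> E(x) up to a distinguished point
    for steps in range(LIMIT):
        if distinguished(x):
            return x, steps
        x = E(x)
    return None, LIMIT                  # walk got stuck in a cycle without a distinguished point

def parallel_rho_preimage(targets, p, seed=1):
    """Return (k, i, total_steps) with E(k) == targets[i]; the p walkers share only endpoints."""
    rng, total, table = random.Random(seed), 0, {}
    for i, c in enumerate(targets):     # each target chain c_i -> dp_i is walked once
        dp, steps = walk(c)
        total += steps
        if dp is not None:
            table.setdefault(dp, []).append(i)
    starts = [rng.randrange(N) for _ in range(p)]
    while True:
        for j in range(p):
            dp, steps = walk(starts[j])
            total += steps
            for i in table.get(dp, ()):
                # Chain j merged into target chain i: rewalk to see whether the
                # merge point is c_i itself (a preimage) or later (a false alarm).
                x = starts[j]
                for _ in range(LIMIT):
                    y = E(x)
                    if y == targets[i]:
                        return x, i, total
                    if distinguished(y):
                        break
                    x = y
            starts[j] = rng.randrange(N)   # this processor restarts from a fresh point

# Constructed instance: t = 64 secret keys; the search is given only their ciphertexts.
TARGETS = [E(k) for k in random.Random(7).sample(range(N), 64)]
```

The total step count returned stays near N/t whatever p is; p only divides that work among the processors, which is the abstract's \(2^{128}\!/pt\) per-processor figure for AES-128.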
Keywords
Quantum cryptanalysis, Multi-target preimages, Parallel rho method, Grover’s algorithm
References
- 1. Batcher, K.E.: Sorting networks and their applications. In: Proceedings of the Spring Joint Computer Conference, AFIPS 1968 (Spring), 30 April–2 May 1968, pp. 307–314. ACM, New York (1968)
- 2. Beals, R., Brierley, S., Gray, O., Harrow, A.W., Kutin, S., Linden, N., Shepherd, D., Stather, M.: Efficient distributed quantum computing. Proc. R. Soc. Lond. Ser. A Math. Phys. Eng. Sci. 469(2153), 20120686, 20 (2013). ISSN 1364-5021
- 3. Bennett, C.H.: Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989)
- 4. Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009: Special-purpose Hardware for Attacking Cryptographic Systems, p. 105 (2009)
- 5. Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319
- 6. Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying Grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_3
- 7. Grover, L.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM (1996)
- 8. Grover, L., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms? arXiv preprint arXiv:quant-ph/0309123 (2003)
- 9. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
- 10. Knill, E.: An analysis of Bennett’s pebble game. CoRR, abs/math/9508218 (1995)
- 11. NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf
- 12. Schnorr, C.-P., Shamir, A.: An optimal sorting algorithm for mesh connected computers. In: Hartmanis, J. (ed.) Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 28–30 May 1986, Berkeley, California, USA, pp. 255–263. ACM (1986)
- 13. Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 210–218. ACM (1994)