Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

  • Akinori Hosoyamada
  • Yu Sasaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoffs between data complexity D and time complexity T against the problem of cardinality N are \(D^2 \cdot T^2 =N\) and \(D \cdot T^6 = N^3\) in the best and worst case scenarios to the adversary respectively, while the classic attack requires \(D\cdot T = N\). This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for T by limiting the maximum D to be below \(2^{n/2}\) according to the classical tradeoff \(D\cdot T = N\). Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H \(^2\)-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.


Post-quantum cryptography Classical query model Meet-in-the-middle Tradeoff Chaskey TDR Keyed sponge KMAC FX 


  1. [BB17]
    Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. Cryptology ePrint Archive, Report 2017/789 (2017). To appear at SAC 2017Google Scholar
  2. [BBG+13]
    Beals, R., Brierley, S., Gray, O., Harrow, A.W., Kutin, S., Linden, N., Shepherd, D., Stather, M.: Efficient distributed quantum computing. In: Proceedings of the Royal Society A, vol. 469, p. 20120686. The Royal Society (2013)Google Scholar
  3. [BBHT98]
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortsch. Phys. 46(4–5), 493–505 (1998). CrossRefGoogle Scholar
  4. [BDPA08]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  5. [Ber09]
    Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 (2009)Google Scholar
  6. [BHT97]
    Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. CoRR, quant-ph/9705002 (1997). Quantum Cryptanalysis of Hash and Claw-Free Functions. LATIN 1998, pp. 163–169Google Scholar
  7. [Bon17]
    Bonnetain, X.: Quantum key-recovery on full AEZ. Cryptology ePrint Archive, Report 2017/767 (2017). To appear at SAC 2017Google Scholar
  8. [CNPS17]
    Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. Cryptology ePrint Archive, Report 2017/847 (2017)Google Scholar
  9. [FFL12]
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). Cryptology ePrint Archive, Report 2011/644CrossRefGoogle Scholar
  10. [GR04]
    Lov, G., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms. Quantum Inf. Comput. 4(3), 201–206 (2004)MathSciNetzbMATHGoogle Scholar
  11. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219 (1996).
  12. [HA17]
    Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 3–18. Springer, Cham (2017). CrossRefGoogle Scholar
  13. [Kap14]
    Kaplan, M.: Quantum attacks against iterated block ciphers. arXiv preprint arXiv:1410.1434 (2014)
  14. [KLLN16a]
    Kaplan, M., Leurent, G., Leverrier, A.,  Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  15. [KLLN16b]
    Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016)zbMATHGoogle Scholar
  16. [KM10]
    Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682–2685. IEEE (2010)Google Scholar
  17. [KM12]
    Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012)Google Scholar
  18. [KR96]
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). Google Scholar
  19. [KR01]
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14, 17–35 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  20. [LL17a]
    Liu, F., Liu, F.: Universal forgery and key recovery attacks: application to FKS, FKD and Keyak. Cryptology ePrint Archive, Report 2017/691 (2017)Google Scholar
  21. [LL17b]
    Liu, F., Liu, F.: Universal forgery with birthday paradox: application to blockcipher-based message authentication codes and authenticated encryptions. Cryptology ePrint Archive, Report 2017/653 (2017)Google Scholar
  22. [LM17]
    Leander, G., May, A.: Grover meets Simon - quantumly attacking the FX-construction. Cryptology ePrint Archive, Report 2017/427 (2017). To appear at Asiacrypt 2017Google Scholar
  23. [LRW11]
    Liskov, M., Rivest, R.L., Wagner, D.A.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  24. [LXS11]
    Liu, F., Xie, T., Shen, C.: Breaking \(H^2\)-MAC using birthday paradox. Cryptology ePrint Archive, Report 2011/647 (2011)Google Scholar
  25. [MBTM17]
    McKay, K.A., Bassham, L., Turan, M.S., Mouha, N.: NISTIR 8114 report on lightweight cryptography. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017).
  26. [Min09]
    Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  27. [MMH+14]
    Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). CrossRefGoogle Scholar
  28. [MMRT12]
    Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  29. [Mou15]
    Mouha, N.: Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. Cryptology ePrint Archive, Report 2015/1182 (2015)Google Scholar
  30. [MS17]
    Mennink, B., Szepieniec, A.: XOR of PRPs in a quantum world. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 367–383. Springer, Cham (2017). CrossRefGoogle Scholar
  31. [NIS16]
    NIST: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology. NIST Special Publication (SP) 800–185 (2016)Google Scholar
  32. [Sas12]
    Sasaki, Y.: Cryptanalyses on a Merkle-Damgård based MAC—almost universal forgery and distinguishing-H attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 411–427. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  33. [Sim97]
    Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  34. [Tsu92]
    Tsudik, G.: Message authentication with one-way hash functions. In: ACM SIGCOMM Computer Communication Review, vol. 22, no. 5, pp. 29–38. ACM (1992)Google Scholar
  35. [VOW94]
    Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: CCS 1994, pp. 210–218. ACM (1994)Google Scholar
  36. [Yas09]
    Yasuda, K.: HMAC without the “Second” Key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009). CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.NTT Secure Platform LaboratoriesMusashino-shiJapan

Personalised recommendations