Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoffs between data complexity D and time complexity T against the problem of cardinality N are \(D^2 \cdot T^2 =N\) and \(D \cdot T^6 = N^3\) in the best and worst case scenarios to the adversary respectively, while the classic attack requires \(D\cdot T = N\). This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for T by limiting the maximum D to be below \(2^{n/2}\) according to the classical tradeoff \(D\cdot T = N\). Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H \(^2\)-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.


Post-quantum cryptography Classical query model Meet-in-the-middle Tradeoff Chaskey TDR Keyed sponge KMAC FX 


  1. [BB17]
    Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. Cryptology ePrint Archive, Report 2017/789 (2017). To appear at SAC 2017Google Scholar
  2. [BBG+13]
    Beals, R., Brierley, S., Gray, O., Harrow, A.W., Kutin, S., Linden, N., Shepherd, D., Stather, M.: Efficient distributed quantum computing. In: Proceedings of the Royal Society A, vol. 469, p. 20120686. The Royal Society (2013)Google Scholar
  3. [BBHT98]
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortsch. Phys. 46(4–5), 493–505 (1998). CrossRefGoogle Scholar
  4. [BDPA08]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  5. [Ber09]
    Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 (2009)Google Scholar
  6. [BHT97]
    Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. CoRR, quant-ph/9705002 (1997). Quantum Cryptanalysis of Hash and Claw-Free Functions. LATIN 1998, pp. 163–169Google Scholar
  7. [Bon17]
    Bonnetain, X.: Quantum key-recovery on full AEZ. Cryptology ePrint Archive, Report 2017/767 (2017). To appear at SAC 2017Google Scholar
  8. [CNPS17]
    Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. Cryptology ePrint Archive, Report 2017/847 (2017)Google Scholar
  9. [FFL12]
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). Cryptology ePrint Archive, Report 2011/644CrossRefGoogle Scholar
  10. [GR04]
    Lov, G., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms. Quantum Inf. Comput. 4(3), 201–206 (2004)MathSciNetMATHGoogle Scholar
  11. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219 (1996).
  12. [HA17]
    Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 3–18. Springer, Cham (2017). CrossRefGoogle Scholar
  13. [Kap14]
    Kaplan, M.: Quantum attacks against iterated block ciphers. arXiv preprint arXiv:1410.1434 (2014)
  14. [KLLN16a]
    Kaplan, M., Leurent, G., Leverrier, A.,  Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  15. [KLLN16b]
    Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016)MATHGoogle Scholar
  16. [KM10]
    Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682–2685. IEEE (2010)Google Scholar
  17. [KM12]
    Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012)Google Scholar
  18. [KR96]
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). Google Scholar
  19. [KR01]
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14, 17–35 (2001)MathSciNetCrossRefMATHGoogle Scholar
  20. [LL17a]
    Liu, F., Liu, F.: Universal forgery and key recovery attacks: application to FKS, FKD and Keyak. Cryptology ePrint Archive, Report 2017/691 (2017)Google Scholar
  21. [LL17b]
    Liu, F., Liu, F.: Universal forgery with birthday paradox: application to blockcipher-based message authentication codes and authenticated encryptions. Cryptology ePrint Archive, Report 2017/653 (2017)Google Scholar
  22. [LM17]
    Leander, G., May, A.: Grover meets Simon - quantumly attacking the FX-construction. Cryptology ePrint Archive, Report 2017/427 (2017). To appear at Asiacrypt 2017Google Scholar
  23. [LRW11]
    Liskov, M., Rivest, R.L., Wagner, D.A.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)MathSciNetCrossRefMATHGoogle Scholar
  24. [LXS11]
    Liu, F., Xie, T., Shen, C.: Breaking \(H^2\)-MAC using birthday paradox. Cryptology ePrint Archive, Report 2011/647 (2011)Google Scholar
  25. [MBTM17]
    McKay, K.A., Bassham, L., Turan, M.S., Mouha, N.: NISTIR 8114 report on lightweight cryptography. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017).
  26. [Min09]
    Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  27. [MMH+14]
    Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). CrossRefGoogle Scholar
  28. [MMRT12]
    Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  29. [Mou15]
    Mouha, N.: Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. Cryptology ePrint Archive, Report 2015/1182 (2015)Google Scholar
  30. [MS17]
    Mennink, B., Szepieniec, A.: XOR of PRPs in a quantum world. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 367–383. Springer, Cham (2017). CrossRefGoogle Scholar
  31. [NIS16]
    NIST: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology. NIST Special Publication (SP) 800–185 (2016)Google Scholar
  32. [Sas12]
    Sasaki, Y.: Cryptanalyses on a Merkle-Damgård based MAC—almost universal forgery and distinguishing-H attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 411–427. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  33. [Sim97]
    Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)MathSciNetCrossRefMATHGoogle Scholar
  34. [Tsu92]
    Tsudik, G.: Message authentication with one-way hash functions. In: ACM SIGCOMM Computer Communication Review, vol. 22, no. 5, pp. 29–38. ACM (1992)Google Scholar
  35. [VOW94]
    Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: CCS 1994, pp. 210–218. ACM (1994)Google Scholar
  36. [Yas09]
    Yasuda, K.: HMAC without the “Second” Key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009). CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.NTT Secure Platform LaboratoriesMusashino-shiJapan

Personalised recommendations