Skip to main content

Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 10808)

Abstract

In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoffs between data complexity D and time complexity T against the problem of cardinality N are \(D^2 \cdot T^2 =N\) and \(D \cdot T^6 = N^3\) in the best and worst case scenarios to the adversary respectively, while the classic attack requires \(D\cdot T = N\). This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for T by limiting the maximum D to be below \(2^{n/2}\) according to the classical tradeoff \(D\cdot T = N\). Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H \(^2\)-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.

Keywords

  • Post-quantum cryptography
  • Classical query model
  • Meet-in-the-middle
  • Tradeoff
  • Chaskey
  • TDR
  • Keyed sponge
  • KMAC
  • FX

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-76953-0_11
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-76953-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   107.00
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.

Notes

  1. 1.

    While several concerns have been pointed out recently [Ber09, BB17], those works surely took important roles to the progress of this research topic in an early stage.

  2. 2.

    Kaplan [Kap14] proposed another type of quantum MitM attack for multiple encryptions. It computes two independent parts offline, thus is different from ours.

References

  1. Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. Cryptology ePrint Archive, Report 2017/789 (2017). To appear at SAC 2017

    Google Scholar 

  2. Beals, R., Brierley, S., Gray, O., Harrow, A.W., Kutin, S., Linden, N., Shepherd, D., Stather, M.: Efficient distributed quantum computing. In: Proceedings of the Royal Society A, vol. 469, p. 20120686. The Royal Society (2013)

    Google Scholar 

  3. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortsch. Phys. 46(4–5), 493–505 (1998). https://arxiv.org/abs/quant-ph/9605034

    CrossRef  Google Scholar 

  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

    CrossRef  Google Scholar 

  5. Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 (2009)

    Google Scholar 

  6. Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. CoRR, quant-ph/9705002 (1997). Quantum Cryptanalysis of Hash and Claw-Free Functions. LATIN 1998, pp. 163–169

    Google Scholar 

  7. Bonnetain, X.: Quantum key-recovery on full AEZ. Cryptology ePrint Archive, Report 2017/767 (2017). To appear at SAC 2017

    Google Scholar 

  8. Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. Cryptology ePrint Archive, Report 2017/847 (2017)

    Google Scholar 

  9. Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_12. Cryptology ePrint Archive, Report 2011/644

    CrossRef  Google Scholar 

  10. Lov, G., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms. Quantum Inf. Comput. 4(3), 201–206 (2004)

    MathSciNet  MATH  Google Scholar 

  11. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219 (1996). https://arxiv.org/abs/quant-ph/9605043

  12. Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64200-0_1

    CrossRef  Google Scholar 

  13. Kaplan, M.: Quantum attacks against iterated block ciphers. arXiv preprint arXiv:1410.1434 (2014)

  14. Kaplan, M., Leurent, G., Leverrier, A.,  Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

    CrossRef  Google Scholar 

  15. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016)

    MATH  Google Scholar 

  16. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682–2685. IEEE (2010)

    Google Scholar 

  17. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012)

    Google Scholar 

  18. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_20

    Google Scholar 

  19. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14, 17–35 (2001)

    MathSciNet  CrossRef  MATH  Google Scholar 

  20. Liu, F., Liu, F.: Universal forgery and key recovery attacks: application to FKS, FKD and Keyak. Cryptology ePrint Archive, Report 2017/691 (2017)

    Google Scholar 

  21. Liu, F., Liu, F.: Universal forgery with birthday paradox: application to blockcipher-based message authentication codes and authenticated encryptions. Cryptology ePrint Archive, Report 2017/653 (2017)

    Google Scholar 

  22. Leander, G., May, A.: Grover meets Simon - quantumly attacking the FX-construction. Cryptology ePrint Archive, Report 2017/427 (2017). To appear at Asiacrypt 2017

    Google Scholar 

  23. Liskov, M., Rivest, R.L., Wagner, D.A.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)

    MathSciNet  CrossRef  MATH  Google Scholar 

  24. Liu, F., Xie, T., Shen, C.: Breaking \(H^2\)-MAC using birthday paradox. Cryptology ePrint Archive, Report 2011/647 (2011)

    Google Scholar 

  25. McKay, K.A., Bassham, L., Turan, M.S., Mouha, N.: NISTIR 8114 report on lightweight cryptography. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017). https://doi.org/10.6028/NIST.IR.8114

  26. Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_19

    CrossRef  Google Scholar 

  27. Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19

    CrossRef  Google Scholar 

  28. Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35404-5_3

    CrossRef  Google Scholar 

  29. Mouha, N.: Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. Cryptology ePrint Archive, Report 2015/1182 (2015)

    Google Scholar 

  30. Mennink, B., Szepieniec, A.: XOR of PRPs in a quantum world. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 367–383. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_21

    CrossRef  Google Scholar 

  31. NIST: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology. NIST Special Publication (SP) 800–185 (2016)

    Google Scholar 

  32. Sasaki, Y.: Cryptanalyses on a Merkle-Damgård based MAC—almost universal forgery and distinguishing-H attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 411–427. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_25

    CrossRef  Google Scholar 

  33. Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

    MathSciNet  CrossRef  MATH  Google Scholar 

  34. Tsudik, G.: Message authentication with one-way hash functions. In: ACM SIGCOMM Computer Communication Review, vol. 22, no. 5, pp. 29–38. ACM (1992)

    Google Scholar 

  35. Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: CCS 1994, pp. 210–218. ACM (1994)

    Google Scholar 

  36. Yasuda, K.: HMAC without the “Second” Key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_35

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Akinori Hosoyamada or Yu Sasaki .

Editor information

Editors and Affiliations

A Further Discussion on Quantum Computation Models

A Further Discussion on Quantum Computation Models

Regarding attack models for quantum computations, we received several comments from other researchers. Below we introduce two issues which are pointed out by them.

1.1 A.1 Flying Qubits

As discussed in [BBG+13], if each qubit (or each small quantum processor) in a quantum hardware of size \(O(2^n\)) can communicate with O(n) qubits (or small quantum processors), then the hardware can simulate a hardware in free communicational model with the time overhead \(O(n^2)\). Thus, if we can modify a quantum hardware in realistic communication model so that each qubit in the hardware can communicate with a little more qubits (which is called “flying qubits” in [BBG+13]), then the hardware can simulate free communication model with a small overhead. However, realization of “flying qubits” fully depends on future development of quantum hardware, and here we give no argument about realizability of it.

1.2 A.2 Feasibility of Q2 Model

Q1 model is more realistic than Q2 model, though Q2 model should not be regarded as “non-realistic model.” In the main body of this paper, we described that Q2 model assumes that all the users implement algorithms on quantum computers and the network is communicated in the form of superposition. However, if an adversary attacks some kind of cryptosystems like “disk encryption” which is implemented on a quantum computer, then the notion of network becomes abstract. In addition, if white-box encryption algorithm is implemented on a quantum computer, then network becomes irrelevant.

Q2 model is simple and non-trivial. It ensures security in any intermediate scenario including hybrid ones like classical machines with quantum modules, where Q1 model could not really apply. We do not know how fast technologies on quantum computation and communication will develop, and using primitives not known to be secure in Q2 model would be challenging in the future.

Rights and permissions

Reprints and Permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hosoyamada, A., Sasaki, Y. (2018). Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations. In: Smart, N. (eds) Topics in Cryptology – CT-RSA 2018. CT-RSA 2018. Lecture Notes in Computer Science(), vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-76953-0_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76952-3

  • Online ISBN: 978-3-319-76953-0

  • eBook Packages: Computer ScienceComputer Science (R0)