Using Bernstein-Vazirani Algorithm to Attack Block Ciphers

In this paper, we study applications of the Bernstein-Vazirani algorithm and present several new methods to attack block ciphers. Specifically, we first present a quantum algorithm for finding the linear structures of a function. Based on it, we propose new quantum distinguishers for the 3-round Feistel scheme and a new quantum algorithm to recover a partial key of the Even-Mansour construction. Afterwards, by observing that the linear structures of an encryption function are actually high-probability differentials of it, we apply our algorithm to differential analysis and impossible differential cryptanalysis respectively. We also propose a new kind of differential cryptanalysis, called quantum small probability differential cryptanalysis, based on the fact that the linear structures found by our algorithm are also linear structures of each component function. To our knowledge, no similar method was proposed before. The efficiency and success probability of all attacks are analyzed rigorously. Since our algorithm treats the encryption function as a whole, it avoids the disadvantage of traditional differential cryptanalysis that the differential path is difficult to extend.


Introduction
Over the last few years, there has been an increasing interest in quantum cryptography. On one hand, many cryptographic schemes based on quantum information have been proposed, among which the most well-known result is quantum key distribution (QKD) [1]. These schemes take full advantage of the novel properties of quantum information and aim to realize functionalities that do not exist using classical information alone. On the other hand, the development of quantum computing threatens many classical cryptosystems. The most representative example is Shor's algorithm [2]. By using Shor's algorithm, an adversary who owns a quantum computer can break the security of any scheme based on factorization or discrete logarithms, such as RSA. This has greatly motivated the development of post-quantum cryptography, i.e., classical cryptosystems that remain secure even when the adversary owns a quantum computer.
While currently used public-key cryptography suffers from a severe threat due to Shor's algorithm, the impact of quantum computers on symmetric-key cryptography is still less understood. Since Grover's algorithm provides a quadratic speed-up for general search problems, the key lengths of symmetric-key cryptosystems need to be doubled to maintain the same security level. In addition, Simon's algorithm [3] has also been applied to cryptanalysis. Kuwakado and Morii use it to construct a quantum distinguisher for the 3-round Feistel scheme [4] and to recover a partial key of the Even-Mansour construction [5]. Santoli and Schaffner extend their result and present a quantum forgery attack on the CBC-MAC scheme [6]. In [7], Kaplan et al. use Simon's algorithm to attack various symmetric cryptosystems, such as CBC-MAC, PMAC, CLOC and so on. They also study how differential and linear cryptanalysis behave in the post-quantum world [8]. In addition to Simon's algorithm, the Bernstein-Vazirani (BV) algorithm [9] has also been used for cryptanalysis. Li and Yang proposed two methods to execute quantum differential cryptanalysis based on the BV algorithm in [10], but in their attack it is implicitly assumed that the attacker can query the function which maps the plaintext to the input of the last round of the encryption algorithm.
In this paper, we study applications of the BV algorithm and use it to attack block ciphers. It has been found that running the BV algorithm on a Boolean function f without performing the final measurement gives a superposition of all states $|\omega\rangle$ ($\omega \in \{0,1\}^n$), in which the amplitude of each $|\omega\rangle$ is its Walsh spectrum value $S_f(\omega)$ [11,12]. In addition, there is a link between the linear structures of a Boolean function and its Walsh spectrum [13]. Based on these two facts, Li and Yang present a quantum algorithm to find the linear structures of a Boolean function in [14]. We modify their algorithm so that it can find the linear structures of a vector function. Our attack strategies are all built on this modified algorithm.
Attack model. In this paper, we only consider the quantum chosen-message attack that has been studied in [15,16,17]. In this attack model, the adversary is granted access to a quantum oracle which computes the encryption function in superposition. Specifically, if the encryption algorithm is described by a classical function $E_k : \{0,1\}^n \to \{0,1\}^n$, then the adversary can make quantum queries $\sum_{x,y} |x\rangle|y\rangle \to \sum_{x,y} |x\rangle|y \oplus E_k(x)\rangle$.
Our contributions. In this article, we present several methods to attack block ciphers. We first propose a quantum algorithm for finding the linear structures of a vector function, which takes the BV algorithm as a subroutine and is developed from the algorithm in [14]. Then we modify this original algorithm to get different versions and apply them in different attack strategies. In more detail, our main contributions are as follows:
• We construct new quantum distinguishers for the 3-round Feistel scheme and propose a new quantum algorithm to recover a partial key of the Even-Mansour construction. Our methods are similar to the ones proposed by Kuwakado and Morii [4,5], but we use the BV algorithm instead of Simon's algorithm. Although this modification causes a slight increase in complexity, it gives our methods more general applications. For example, by constructing functions that have different linear structures, we can obtain various distinguishers for the 3-round Feistel scheme. The essential reason is that the BV algorithm can find not only the periods of a function but also its other linear structures.
• Observing that the linear structures of an encryption function are actually high-probability differentials of it, we propose three ways to execute differential cryptanalysis, which we call quantum differential cryptanalysis, quantum small probability differential cryptanalysis and quantum impossible differential cryptanalysis respectively. To the best of our knowledge, no analogue of quantum small probability differential cryptanalysis has been proposed before. Afterwards, we analyze the efficiency and success probability of all attacks. The quantum algorithms used for these three kinds of differential cryptanalysis all have polynomial running time. As is well known, one of the main shortcomings of traditional differential cryptanalysis is the difficulty of extending the differential paths, which limits the number of rounds that can be attacked. Our approach avoids this problem since it treats the encryption function as a whole.

Preliminaries
In this section, we briefly recall a few notations and results about linear structures. Let n be a positive integer and $\mathbb{F}_2 = \{0,1\}$ be the finite field of characteristic 2. $\mathbb{F}_2^n = \{0,1\}^n$ is a vector space over $\mathbb{F}_2$. The set of all functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2$ is denoted by $B_n$.
where ⊕ denotes the bitwise exclusive-or.
For any $f \in B_n$, let $U_f$ be the set of all linear structures of f, and Obviously, For any $a \in \mathbb{F}_2^n$ and i = 0, 1, let Clearly, $0 \le |V^i_{f,a}|/2^n \le 1$, and $a \in U_f^i$ if and only if $|V^i_{f,a}|/2^n = 1$. For any $a \in \mathbb{F}_2^n$, $1 - |V^i_{f,a}|/2^n$ quantifies how close a is to being a linear structure of f. Naturally, we give the following definition: If a is a σ(n)-close linear structure of f for some negligible function σ(n), we call it a quasi linear structure of f. Definition 3. The relative differential uniformity of $f \in B_n$ is defined as This parameter quantifies how close the function is to having a nontrivial linear structure. For any $f \in B_n$, it is obvious that $1/2 \le \delta_f \le 1$, and $U_f = \{0\}$ if and only if $\delta_f = 1$. The linear structures of a Boolean function are closely related to its Walsh spectrum, which is defined as follows: The relation between the linear structure and the Walsh spectrum is captured by the following two lemmas, which are proved in [14].
Lemma 2 provides a method to find the linear structures. If we have a sufficiently large subset H of $N_f$, we can get $U_f^i$ by solving the equations $a \cdot H = i$. (Here $a \cdot H = i$ denotes the system of linear equations $\{a \cdot \omega = i \mid \omega \in H\}$.) Next we consider vector functions. Suppose m, n are positive integers. $C_{m,n}$ denotes the set of all functions from $\mathbb{F}_2^m$ to $\mathbb{F}_2^n$. The linear structure of a vector function in $C_{m,n}$ can be defined similarly: is called a linear structure of a vector function $F \in C_{m,n}$ if there exists a vector $\alpha \in \{0,1\}^n$ such that Suppose $F = (F_1, F_2, \cdots, F_n)$. A straightforward way to find the linear structures of F is to first search for the linear structures of each component function $F_j$ separately and then take the intersection. Let $U_F$ be the set of all linear structures of F, and $U_F^\alpha$ It is obvious that $U_F = \cup_\alpha U_F^\alpha$. The relative differential uniformity of F is defined as which quantifies how close F is to having a nontrivial linear structure.

Finding linear structure via Bernstein-Vazirani algorithm
In this section we briefly recall the BV algorithm [9] and introduce how to use it to find the linear structures of a Boolean function. The goal of the BV algorithm is to determine a secret string $a \in \{0,1\}^n$. Specifically, suppose The algorithm aims to determine a, given access to a quantum oracle which computes the function f. It works as follows:

1. Prepare the initial state $|\psi_0\rangle = |0\rangle^{\otimes n}|1\rangle$, then perform the Hadamard transform $H^{\otimes(n+1)}$ on it to obtain the quantum superposition
2. A quantum query to the oracle which computes f maps it to the state
3. Apply the Hadamard gates $H^{\otimes n}$ to the first n qubits again, yielding where we omit the last qubit for simplicity.

If f(x) = a · x, we have where $\delta_a(y) = 1$ if y = a and $\delta_a(y) = 0$ otherwise. Then by measuring $|\psi_3\rangle$ in the computational basis, we obtain a with probability 1.
If we run the BV algorithm on a general function $f \in B_n$, the output before the measurement can be expressed as where $S_f(\cdot)$ is the Walsh spectrum of f. When we measure the above state in the computational basis, we obtain y with probability $S_f(y)^2$. In other words, we always get $y \in N_f$ when we run the BV algorithm on f. This fact combined with Lemma 2 implies a way to find the linear structures. Now we state the quantum algorithm proposed in [14] for finding the linear structures of a Boolean function. Roughly speaking, the BV algorithm is treated as a subroutine. By repeating the subroutine until one gets a subset H of $N_f$, and then solving the equations $x \cdot H = i$ for both i = 0 and i = 1, one obtains candidate linear structures of f.

Algorithm 1
Let p(n) be an arbitrary polynomial function of n, and let ∅ denote the empty set. Initialize the set H := ∅.
1. For p = 1, 2, ···, p(n), do
2.   Run the BV algorithm with queries on the quantum oracle of f to get an n-bit output $\omega \in N_f$.
3.   Let H = H ∪ {ω}.
4. end
5. Solve the equations $x \cdot H = i$ to get the solution set $A_i$ for i = 0, 1 respectively.
6. If $A_0 \cup A_1 \subseteq \{0\}$, then output "No" and halt.
7. Else, output $A_0$ and $A_1$.
To justify the validity of the above algorithm, we present the following two theorems, where Theorem 1 is proved in [14] and Theorem 2 has not been proved before. Theorem 1. If running Algorithm 1 on a function $f \in B_n$ gives sets $A_0$ and $A_1$, then for all $a \in A_i$ (i = 0, 1) and all satisfying 0 < < 1, we have This theorem is proved in [14], and we present the proof in Appendix A to make the paper self-contained.
For an arbitrary function $f \in B_n$, we let It is obvious that $\delta_f < 1$. And if $\delta_f < 1$, it holds that $\delta_f = \delta_f$. By the definition of $\delta_f$, we can see that the smaller $\delta_f$ is, the easier it is to rule out the vectors which are not linear structures of f while executing Algorithm 1.
Theorem 2. Suppose $\delta_f \le p_0 < 1$ and Algorithm 1 makes quantum queries for p(n) = cn times. Then it holds that 1. If $\delta_f < 1$, that is, f has no nonzero linear structure, then Algorithm 1 returns "No" with probability greater than $1 - p_0^{cn}$; 2. If Algorithm 1 returns $A_0$ and $A_1$, then for any $a \notin$ Proof. We first prove the second conclusion. Without loss of generality, we suppose i = 0. The case i = 1 can be proved in a similar way. If $a \notin U_f^0$, then according to Lemma 2 there exists a vector $\omega \in N_f$ such that $\omega \cdot a = 1$. Let $K = \{\omega \in N_f \mid \omega \cdot a = 1\}$. If any of the cn runs of the BV algorithm gives a vector $\omega \in K$, then $a \notin A_0$. Let W denote the random variable obtained by running the BV algorithm; then The second formula holds due to Lemma 1. Therefore, which completes the proof of the second conclusion. By observing that $\delta_f < 1$ means there is no nonzero vector in $U_f$, the first conclusion can be naturally derived from the second one.
Suppose l(n) is an arbitrary polynomial of n. Theorem 1 implies that after $p(n) = O(l(n)^2 n)$ queries, all vectors in $A_0$ and $A_1$ will be $1/l(n)$-close linear structures of f except with negligible probability. In other words, Algorithm 1 is very likely to output the high-probability differentials of f. Theorem 2 shows that if f has no linear structure, Algorithm 1 with O(n) queries will output "No" except with negligible probability. In addition, if Algorithm 1 returns sets $A_0$ and $A_1$, then each vector in $A_i$ will be a linear structure of f with overwhelming probability. (The probability of an event happening is said to be overwhelming if the event fails to happen only with negligible probability.)

Linear Structure Attack
In this section, we first improve Algorithm 1 so that it can find the linear structures of a vector function. Afterwards, we use the new algorithm to construct quantum distinguishers for the 3-round Feistel scheme and to recover a partial key of the Even-Mansour construction respectively. Since our attack strategy is based on the linear structures of some constructed functions, we call it the linear structure attack. Suppose $F = (F_1, F_2, \cdots, F_n) \in C_{m,n}$. A straightforward way to find the linear structures of F is to apply Algorithm 1 to each component function $F_j$ separately and then choose a linear structure common to all of them. Specifically, we have the following algorithm:

Algorithm 2
Access to the quantum oracle of $F = (F_1, \cdots, F_n)$ is given. p(n) is an arbitrary polynomial function of n.
1. For j = 1, 2, ···, n, do
2.   Run Algorithm 1 with p(n) queries on $F_j$ to get $A_j^0$ and $A_j^1$.
3.   If Algorithm 1 outputs "No", then output "No" and halt.
   Then output "No" and halt.
6. Else choose an arbitrary nonzero vector $a \in A_1 \cap \cdots \cap A_n$ and output $(a, i_1, \cdots, i_n)$, where $i_1, \cdots, i_n$ are the superscripts such that $a \in A_1^{i_1}$

For any function $F = (F_1, \cdots, F_n)$, let $\delta_F = \max_{1 \le j \le n} \delta_{F_j}$. The following theorem justifies the validity of Algorithm 2.
Theorem 3. Suppose $F \in C_{m,n}$. Running Algorithm 2 with $cn^2$ queries (p(n) = cn) on F gives "No" or some vector. It holds that 1. If $\delta_F \le p_0 < 1$ and F has no linear structure, then Algorithm 2 returns "No" with probability greater than $1 - p_0^{cn}$.

2. If

Proof. By observing the fact that $a \in U$ if and only if for all j = 1, ···, n, $a \in U_{F_j}^{i_j}$, the first two conclusions can be naturally derived from Theorem 2. According to Theorem 1, we have holds with probability greater than (1 − e −2p(n) 2 ) n . If equation (3) holds, then the number of x satisfying for both j = 1 and j = 2 is at least . Similarly, the number of x satisfying equation (4) for all j = 1, 2, 3 is at least . By induction, the number of x satisfying (4) for all j = 1, ···, n is at least 2 m (1 − n ). Thus the probability that Thus the third conclusion holds.
Note that Algorithm 2 actually requires that the adversary has oracle access to each component function of F. As for efficiency, since Algorithm 2 needs to find the intersection of the sets $A_j$, its complexity depends on the size of these sets, which relies on the properties of the specific function F. However, we can prove that only polynomial computation is needed when Algorithm 2 is applied to the 3-round Feistel scheme or the Even-Mansour construction. In [7,4,5,6], the authors use Simon's algorithm to find the period of some constructed functions and then break the security of the 3-round Feistel scheme or the Even-Mansour construction. Compared with Simon's algorithm, the complexity of Algorithm 2 is slightly larger because it needs to search for the linear structures of each component function separately. However, Algorithm 2 has more general applications. It can find not only the periods of a function but also its other linear structures, which allows us to construct multiple distinguishers for the 3-round Feistel scheme. And in Section 5 we will see that finding linear structures by considering each component function separately may bring some unexpected advantages for differential cryptanalysis.

Application to a three-round Feistel scheme
A Feistel scheme is a classical construction to build block ciphers. A 3-round Feistel scheme with input $(x_L, x_R)$ and output $(y_L, y_R)$ is built from three random functions $P_1, P_2, P_3$ as shown in Figure 1, where $x_L, x_R, y_L, y_R \in \{0,1\}^n$. It has been proved that a 3-round Feistel scheme is a secure pseudorandom permutation as long as the internal functions are pseudorandom as well [18]. Our goal is to construct a quantum distinguisher which distinguishes a 3-round Feistel scheme from a random permutation on $\{0,1\}^{2n}$.
Suppose $s_0, s_1 \in \mathbb{F}_2^n$ are two arbitrary constants such that $s_0 \neq s_1$. We define the following function: Given oracle access to the 3-round Feistel function E, it is easy to construct the oracle $O_F$ which computes F on superpositions. Observing that the right part of the output $E(s_b, x)$ is $F(b, x) \oplus s_b$, we can construct the oracle $O_F$ by first querying the oracle which computes the right part of E, then applying . Therefore, by running Algorithm 2 on F one can get $(1\|s)$. On the other hand, the probability of a random function having a linear structure is negligible. Given access to a quantum oracle which computes the 3-round Feistel function E or a random permutation over $\{0,1\}^{2n}$, we can construct the distinguishing algorithm as below:
Proof. If $\delta_{F_j}(1\|s) > 2/3$, then there exists $(\tau, t) \notin \{0, (1\|s)\}$ such that Thus there exists some b such that P r 3 . Anyway, there exists $u \neq 0$ such that However, $P_{2j}$ is a random Boolean function since $P_2$ is a random function. Thus equation (6) holds only with negligible probability according to Hoeffding's inequality. This implies that $\delta_{F_j}(1\|s) > 2/3$ holds only with negligible probability.
About the validity of Algorithm 3, we have the following theorem: Theorem 4. Algorithm 3 successfully distinguishes the 3-round Feistel function from a random permutation except with negligible probability.
Proof. If the given oracle computes a random permutation, the string a obtained while executing Algorithm 3 is random if it exists. Hence the probability of F(u) being equal to F(u′) is approximately $1/2^n$. On the other hand, if the given oracle computes the 3-round Feistel function, then holds with overwhelming probability according to Lemma 3. Due to Theorem 2, the above equation indicates Thus the probability that F(u) = F(u′) is no more than $(2/3)^{n+1}$, which completes the proof.
Note that Algorithm 3 actually requires that the attacker can query each component function of the right part of E. Next we consider the efficiency of Algorithm 3. If the given oracle computes the 3-round Feistel function, then according to Lemma 3 and Theorem 2, for any $a \notin \{0, (1\|s)\}$ we have $\Pr[a \in A_j^0] \le (2/3)^{n+1}$. Thus with overwhelming probability, $A_j^0$ contains only 0 and $(1\|s)$. Therefore, finding the intersection of the sets $A_j^0$ needs almost no calculation. This is also true when the given oracle computes a random permutation. In addition, Algorithm 3 queries the quantum oracle n(n + 1) times and the classical oracle 2 times. Thus the complexity of Algorithm 3 is $O(n^2)$. The distinguishing algorithm used in [7,4,6] is based on Simon's algorithm and its complexity is only O(n), which is better than ours. But our algorithm provides a new and inspirational approach to attacking block ciphers. And by using our attack strategy, one can find more than one distinguisher. For example, we can also define $F(b, x) = P_2(x \oplus P_1(s_b)) \oplus (b, \cdots, b)$. Then F has the linear structure $(1\|P_1(s_0) \oplus P_1(s_1)) \in U_F^{(1,\cdots,1)}$, and we can use it to construct another quantum distinguisher in a similar way.

Application to the Even-Mansour construction
The Even-Mansour construction is a simple scheme which builds a block cipher from a public permutation [19]. Suppose $P : \{0,1\}^n \to \{0,1\}^n$ is a permutation; the encryption function is defined as where $k_1, k_2$ are the keys. Even and Mansour proved that this construction is secure in the random permutation model up to $2^{n/2}$ queries. However, Kuwakado and Morii proposed a quantum attack which recovers the key $k_1$ based on Simon's algorithm. Our attack strategy is similar to theirs, but we use the BV algorithm instead of Simon's algorithm.
In order to recover the key $k_1$, we first define the following function: Given oracle access to $E_{k_1 k_2}(\cdot)$, it is easy to construct the oracle $O_F$ which computes F on superpositions. Since $F(x) \oplus F(x \oplus k_1) = 0$ for all $x \in \mathbb{F}_2^n$, $k_1$ is a linear structure of F, or more precisely, $k_1 \in U_F^{(00\cdots0)}$. Therefore, by running Algorithm 2 on F with a minor modification we can obtain $k_1$. Specifically, the following algorithm recovers $k_1$ with overwhelming probability.
Theorem 5. Running Algorithm 4 with $n^2$ (p(n) = n) queries on F gives the key $k_1$ except with negligible probability.
Proof. By an argument similar to the proof of Lemma 3, we obtain that for j = 1, ···, n, δ F j (k 1 ) max holds except with negligible probability. This indicates that $\delta_F = \max_j \delta_{F_j} \le 2/3$ holds except with negligible probability. Then according to Theorem 3, the probability that Algorithm 4 outputs $k_1$ is greater than $1 - (2/3)^n$, which completes the proof.
About the complexity of Algorithm 4: according to equation (7) and Theorem 2, the probability of $A_j^0$ containing vectors other than $k_1$ and 0 is negligible. Thus finding the intersection of the sets $A_j^0$ needs almost no calculation. In addition, Algorithm 4 needs to query the quantum oracle $n^2$ times. Thus its complexity is $O(n^2)$.
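As an added worked example (not code from the paper), the following Python simulates Algorithm 1, the per-component intersection of Algorithm 2, and the Even-Mansour recovery of Algorithm 4 on a 4-bit toy instance, so that the claims of Theorems 2 and 5 can be checked against brute force. The quantum BV subroutine is replaced by classically sampling ω with probability $S_f(\omega)^2$ from the Walsh spectrum, which is exactly the measurement distribution stated in Section 3, so the remainder of each algorithm runs unchanged. The function F used for Even-Mansour is assumed to be $F(x) = E_{k_1 k_2}(x) \oplus P(x)$ (the paper's definition is not reproduced above; this choice is the one consistent with the stated property $F(x) \oplus F(x \oplus k_1) = 0$). The permutation P_TOY, the keys K1 and K2 and the sample Boolean functions are constructed for the demonstration; the linear system $x \cdot H = i$ is solved by enumeration because n = 4, whereas at real block sizes it is Gaussian elimination over GF(2).

```python
import random

def bit(x, k):
    """k-th bit of the integer x (bit 0 is x_0)."""
    return (x >> k) & 1

def walsh_spectrum(f, n):
    """S_f(w) = 2^-n * sum_x (-1)^(f(x) xor w.x) for every w, by the fast Walsh-Hadamard transform."""
    size = 1 << n
    vals = [1 - 2 * f(x) for x in range(size)]          # (-1)^f(x)
    h = 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                u, v = vals[j], vals[j + h]
                vals[j], vals[j + h] = u + v, u - v
        h *= 2
    return [v / size for v in vals]

def bv_sample(spectrum, rng, count):
    """Classical stand-in for `count` BV runs on f: each run yields w with probability S_f(w)^2,
    so every sample lies in N_f = {w : S_f(w) != 0}."""
    return rng.choices(range(len(spectrum)), weights=[s * s for s in spectrum], k=count)

def dot(a, w):
    """Inner product a . w over GF(2)."""
    return bin(a & w).count("1") & 1

def solve(H, i, n):
    """All a with a . w = i for every w in H (enumeration; Gaussian elimination over GF(2) for real n)."""
    return {a for a in range(1 << n) if all(dot(a, w) == i for w in H)}

def algorithm1(f, n, p, seed=1):
    """Algorithm 1: collect H from p BV runs, then solve x . H = i for i = 0, 1."""
    rng = random.Random(seed)
    H = set(bv_sample(walsh_spectrum(f, n), rng, p))
    A0, A1 = solve(H, 0, n), solve(H, 1, n)
    if (A0 | A1) <= {0}:
        return "No"
    return A0, A1

def algorithm2(components, n, p, seed=1):
    """Algorithm 2: run Algorithm 1 on each component F_j and keep the nonzero vectors common
    to all of them, each tagged with its superscripts (i_1, ..., i_n)."""
    cand = {a: () for a in range(1 << n)}
    for j, fj in enumerate(components):
        out = algorithm1(fj, n, p, seed + j)
        if out == "No":
            return "No"
        A0, A1 = out
        cand = {**{a: t + (0,) for a, t in cand.items() if a in A0},
                **{a: t + (1,) for a, t in cand.items() if a in A1}}
    cand.pop(0, None)
    return cand or "No"

def true_linear_structures(f, n, i):
    """Ground truth by definition: a is in U_f^i iff f(x) xor f(x xor a) == i for all x."""
    return {a for a in range(1 << n) if all(f(x) ^ f(x ^ a) == i for x in range(1 << n))}

# Constructed sample Boolean functions on 4 bits (not from the paper).
def f_example(x):   # x0*x1 + x2: U^0 = {0, e3}, U^1 = {e2, e2+e3}
    return (bit(x, 0) & bit(x, 1)) ^ bit(x, 2)

def f_bent(x):      # x0*x1 + x2*x3 is bent, so it has no nonzero linear structure
    return (bit(x, 0) & bit(x, 1)) ^ (bit(x, 2) & bit(x, 3))

# Constructed 4-bit Even-Mansour toy: public permutation P_TOY and keys K1, K2 (not from the paper).
N = 4
P_TOY = [0, 1, 2, 5, 7, 8, 9, 11, 6, 3, 4, 15, 12, 13, 10, 14]
K1, K2 = 0b1011, 0b0110

def em_encrypt(x):
    """E_{k1,k2}(x) = P(x xor k1) xor k2."""
    return P_TOY[x ^ K1] ^ K2

def em_F(x):
    """Assumed F(x) = E(x) xor P(x) = P(x xor k1) xor P(x) xor k2, hence F(x xor k1) = F(x)."""
    return em_encrypt(x) ^ P_TOY[x]

def em_candidates(p=2000):
    """Algorithm 4 as Algorithm 2 on the components of F, keeping vectors whose superscripts
    are all 0 (k1 lies in U_F^(00..0)). p is oversampled so H surely covers each N_{F_j}."""
    comps = [lambda x, j=j: bit(em_F(x), j) for j in range(N)]
    out = algorithm2(comps, N, p)
    return set() if out == "No" else {a for a, tags in out.items() if not any(tags)}

def em_truth():
    """Nonzero a with F(x) xor F(x xor a) = 0 for all x, computed directly from the definition."""
    return {a for a in range(1, 1 << N) if all(em_F(x) ^ em_F(x ^ a) == 0 for x in range(1 << N))}

if __name__ == "__main__":
    print(algorithm1(f_example, 4, 2000), algorithm1(f_bent, 4, 2000))
    print(em_candidates(), em_truth())
```

Running it shows the two regimes of Theorem 2 on the sample functions: for f_example the sets returned from the sampled H coincide with the true $U_f^0$ and $U_f^1$ once H covers $N_f$, and for the bent function the algorithm answers "No". For the toy Even-Mansour instance the all-zero-superscript candidates reduce to {K1}, matching the direct check, which is what Theorem 5 asserts with overwhelming probability for real n.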

Differential cryptanalysis
In this section, we look at linear structures from another point of view: the differentials of an encryption function. Based on this, we give three ways to execute differential cryptanalysis, which we call quantum differential cryptanalysis, quantum small probability differential cryptanalysis and quantum impossible differential cryptanalysis respectively. Unlike classical differential cryptanalysis, the success probability of the first two methods depends on the key used by the encryption algorithm. Specifically, suppose q(n) is an arbitrary polynomial. For the first two methods, we can execute the corresponding attack algorithms so that they work for at least (1 − 1/q(n)) of the keys in the key space. The third method works for all keys in the key space.

Quantum differential cryptanalysis
Differential cryptanalysis is a chosen-plaintext attack. Suppose $E : \{0,1\}^n \to \{0,1\}^n$ is the encryption function of an r-round block cipher. Let $F_k$ be the function which maps the plaintext x to the input y of the last round, where k denotes the key of the first r − 1 rounds. Let $F_k(x) = y$, $F_k(x') = y'$; then $\Delta x = x \oplus x'$ and $\Delta y = y \oplus y'$ are called the input difference and output difference respectively. The pair $(\Delta x, \Delta y)$ is called a differential. Differential cryptanalysis is composed of two phases. In the first phase, the attacker tries to find a high-probability differential of $F_k$. In the second phase, according to the high-probability differential that has been found, the attacker tests all possible candidate subkeys and then recovers the key of the last round. Our algorithm is applied in the first phase, while a quantum algorithm for the second phase is given in [20].
Intuitively, we can use Algorithm 2 to find the high-probability differentials of $F_k$. However, there is a problem: oracle access to $F_k$ is not available. The attacker can only query the whole encryption function E. In classical differential cryptanalysis, the attacker analyzes the properties of the encryption algorithm and searches for high-probability differentials that are independent of the key, i.e. differentials that always have high probability no matter what the key is. We try to apply the same idea to our attack. Unfortunately, we have not yet found a way to obtain the key-independent high-probability differentials of $F_k$ using the BV algorithm. However, we can modify Algorithm 2 to find the differentials that have high probability for most keys. To do this, we treat the key as part of the input of the encryption function and run Algorithm 2 on this new function. Specifically, suppose m is the length of the key in the first r − 1 rounds and $K = \{0,1\}^m$ is the corresponding key space. Define the following function G is deterministic and known to the attacker. Thus oracle access to G is available. (Actually, oracle access to each $G_j$ is available.) By executing Algorithm 2 on G, one is expected to obtain a high-probability differential of G with overwhelming probability. But in order to make it also a differential of $F_k$, the last m bits of the input difference, which correspond to the difference of the key, need to be zero. To do this, we modify Algorithm 2 slightly as below:
By running Algorithm 5, one can find a differential of $F_k$ that has high probability for most keys. Specifically, we have the following theorem: Theorem 6. Suppose q(n) is an arbitrary polynomial of n. If running Algorithm 5 with np(n) quantum queries on G gives a vector $(a, i_1, \cdots, i_n)$, then there exists a subset $K' \subseteq K$ such that $|K'|/|K| \ge 1 - 1/q(n)$ and for all $k \in K'$, it holds that Proof. Since $a \cdot (\omega_1, \cdots, \omega_n) = 0$ implies $(a\|0, \cdots, 0) \cdot (\omega_1, \cdots, \omega_{n+m}) = 0$, the vector $(a\|0, \cdots, 0)$ can be seen as an output of executing Algorithm 2 on G. According to Theorem 3, holds with probability greater than (1 − e −2p(n) 2 0 ) n . Let Equation (8) indicates $E_k(V(k)) > $ 1−n 0 , where $E_k(\cdot)$ denotes the expectation when the key k is chosen uniformly at random from K. Therefore, if equation (8) holds, then for any polynomial q(n) we have That is, for at least (1 − 1/q(n)) of the keys in K, it holds that V(k) > 1 − q(n)n 0 . Let $K'$ be the set of these keys; then $|K'|/|K| \ge 1 - 1/q(n)$, and for all $k \in K'$, it holds that The conclusion is obtained by letting = q(n)n 0 .
According to Theorem 6, if $p(n) = O(n^3 q(n)^2)$, then for any $k \in K_1$ and any constant c, V(k) > 1 − 1/c holds except with negligible probability. For any constants $c_1, c_2$, if $p(n) = \frac{1}{2} c_1^2 n^2 q(n)^2 \ln(c_2 n)$, then for any $k \in K_1$, we have When the attacker performs differential cryptanalysis, he or she first chooses constants $c_1, c_2$, then executes Algorithm 5 with $p(n) = \frac{1}{2} c_1^2 n^2 q(n)^2 \ln(c_2 n)$ to obtain a differential of $F_k$. The obtained differential has high probability for at least (1 − 1/q(n)) of the keys in K. Afterwards, the attacker determines the subkey of the last round according to this high-probability differential, which can be done as in classical differential cryptanalysis. To analyze the complexity of Algorithm 5, we divide it into two parts: running the BV algorithm to obtain the sets $A_j$, and finding the intersection of the sets $A_j$. In the first part, Algorithm 5 needs to run the BV algorithm $np(n) = O(n^2 q(n)^2 \ln n)$ times. Thus $O(n^2 q(n)^2 \ln n)$ quantum queries are needed. As for the second part, the corresponding complexity depends on the size of the sets $A_j$. Suppose $t = \max_j |A_j|$; then the complexity of finding the intersection by sorting is $O(nt \log t)$. The value of t depends on the properties of the encryption algorithm. Generally speaking, t will not be large, since a well-constructed encryption algorithm usually does not have many linear structures. In addition, one can also choose a larger p(n) to decrease the value of t. Therefore, the complexity of Algorithm 5 is $O(n^2 q(n)^2 \ln n)$.
One of the advantages of our algorithm is that it finds the high-probability differential directly. In the classical case, the attacker needs to analyze the partial structures of the encryption algorithm separately and then seek high-probability differential characteristics, which may become much more complicated as the number of rounds increases.

Quantum small probability differential cryptanalysis
In this subsection we present a new way to execute differential cryptanalysis, which we call quantum small probability differential cryptanalysis. To the best of our knowledge, no similar method has been proposed before. As shown in the previous sections, the way we find differentials of a vector function is to first search for the differentials of each component function separately, and then choose a common input difference and output the corresponding differential. Although this method slightly increases the complexity of the attack algorithm, it may bring advantages in some applications. Quantum small probability differential cryptanalysis is such an example. In classical differential analysis, the attacker often uses high-probability differentials or impossible differentials to sieve the subkey of the last round, while small-probability differentials have never been used. The point is that for a random permutation, every differential appears with small probability. Thus the property of "small probability" cannot be used to distinguish an encryption function from a random permutation. However, if we consider each component function of the encryption function separately, it becomes possible to execute cryptanalysis based on small-probability differentials. Specifically, let $F_k : \{0,1\}^n \to \{0,1\}^n$ be the function which maps the plaintext x to the input y of the last round of the encryption algorithm, and let $(\Delta x, \Delta y)$ be a differential of $F_k$ with small probability. For a random permutation $P = (P_1, \cdots, P_n)$, the differential $(\Delta x, \Delta y)$ appears with probability about $1/2^n$. But for the component function $P_j$, the probability of the differential $(\Delta x, \Delta y_j)$ appearing is 1/2, which is not small at all. Our attack strategy is based on this fact. The detailed procedure is as follows: I. Finding a small-probability differential: Let $G(x, k) = F_k(x)$ as defined previously and let K denote the key space of the first r − 1 rounds.
Oracle access to G is available. The attacker first chooses two polynomials q(n), l(n) of n, then runs Algorithm 5 with $np(n) = n^4 l(n)^2 q(n)^2$ ($p(n) = n^3 l(n)^2 q(n)^2$) queries on G to get an output $(a, i_1, \cdots, i_n)$. Let $b = (\bar{i}_1, \cdots, \bar{i}_n)$, where $\bar{i}_j = i_j \oplus 1$. Then (a, b) is a small-probability differential of $F_k$ for at least (1 − 1/q(n)) of the keys in K. II. Key recovery: Suppose S is the set of all possible subkeys of the last round. For each $s \in S$, we set the corresponding counter $C_s$ to zero and do as follows: fix the input difference a, and make $2l(n)^2$ classical queries to the whole encryption function to get $2l(n)^2$ ciphertexts. Then decrypt the last round to obtain $l(n)^2$ output differences $\Delta y^{(1)}, \cdots, \Delta y^{(l(n)^2)}$ of $F_k$.
To justify that the above attack procedure works for at least (1 − 1/q(n)) of the keys in K, we give the following theorem: Theorem 7. There exists a subset $K_1 \subseteq K$ such that: (2) If the key used for the first r − 1 rounds of the encryption algorithm is in $K_1$ and s is the right subkey of the last round, then the ratio $\lambda_s$ obtained by the above procedure satisfies Proof. According to Theorem 1 and the definition of G, for any j = 1, ···, n, |{z ∈ F m+n holds with probability greater than 1 − e −2p(n) 2 . Similar to the proof of Theorem 6, we let Equation (9) indicates $E_k(V_j(k)) \le$ , where $E_k(\cdot)$ denotes the expectation when the key k is chosen uniformly at random from K. Therefore, if equation (9) holds, we have $\Pr_k[V_j(k) \le$ nq(n) $] \ge 1 - 1/(nq(n))$. In other words, for each j ∈ {1, ···, n}, $V_j(k) \le$ nq(n) holds for at least (1 − 1/(nq(n))) of the keys in K. Then by an analysis similar to the proof of Theorem 3, for at least (1 − 1/q(n)) of the keys in K, it holds that ∀j ∈ {1, ···, n}.
Let $K_1$ be the set of these keys; then $|K_1|/|K| \ge 1 - \frac{1}{q(n)}$, and for all $k \in K_1$ it holds that That is, for all $j = 1, \cdots, n$, holds except with negligible probability. For $i = 1, 2, \cdots, l(n)^2$ and $j = 1, \cdots, n$, we define the random variable For every $i, j$, equation (11) indicates $E_x(Y(i, j)) \le \frac{1}{2l(n)}$ except with negligible probability. (Here $E_x$ denotes the expectation when the output difference is obtained by choosing the plaintext $x$ uniformly at random. $E_x(Y(i, j))$ is still a random variable since it is a function of the vector $a$, which is a random variable output by Algorithm 5.) According to Hoeffding's inequality and the fact that equation (11) holds except with probability $e^{-n/2}$, it holds that which completes the proof.
In the key recovery phase, the attacker computes $l(n)^2$ output differences to get the ratio $\lambda_s$ for every $s \in S$. If $s$ is not the right key of the last round, the $l(n)^2$ differentials $(a, \Delta y^{(i)})$ can be seen as differentials of a random permutation. Then the probability of $Y(i, j) = 1$ is approximately $\frac{1}{2}$ for every $i, j$. Therefore, the expectation of $\lambda_s$ is approximately $\frac{1}{2}$. On the other hand, if $s$ is the right key, the probability of $\lambda_s \ge \frac{1}{l(n)}$ is negligible according to Theorem 7. This notable difference makes our attack strategy feasible for at least $(1 - \frac{1}{q(n)})$ of the keys in $K$. As for the complexity of the attack procedure, $n^4 l(n)^2 q(n)^2$ quantum queries and $2l(n)^2$ classical queries are needed in total.
The basic idea of quantum small probability differential cryptanalysis is similar to that of quantum differential cryptanalysis, namely using some notable statistical difference to distinguish an encryption function from a random permutation. The main difference between the two methods lies in the key recovery phase. In quantum differential cryptanalysis, the attacker treats the differential as a whole and records the number of times it appears, while in quantum small probability differential cryptanalysis, the attacker considers every bit of the output differences separately and records the number of times each of them appears.

Quantum impossible differential cryptanalysis
Impossible differential cryptanalysis is also a chosen-plaintext attack. Suppose $F_k: \{0,1\}^n \to \{0,1\}^n$ and the key space $K$ are defined as before. A differential $(\Delta x, \Delta y)$ is called an impossible differential of $F_k$ if it satisfies $F_k(x \oplus \Delta x) \oplus F_k(x) \ne \Delta y$ for all $x \in \mathbb{F}_2^n$. Impossible differential cryptanalysis is composed of two phases. In the first phase, the attacker tries to find an impossible differential $(\Delta x, \Delta y)$ of $F_k$. In the second phase, the attacker uses the found impossible differential to sieve the subkey of the last round. Specifically, the attacker fixes the input difference $\Delta x$ and makes classical queries on the whole encryption function to get a certain number of ciphertexts. Then for any possible key $s$ of the last round, the attacker uses it to decrypt these ciphertexts and obtains the corresponding output differences of $F_k$. If $\Delta y$ appears among these output differences, then the attacker rules out $s$. Our algorithm is applied in the first phase.
Let $G(x, k) = F_k(x)$ as defined previously. The oracle access of $G$ is available. An algorithm to find the impossible differentials of $F_k$ is as follows:

Algorithm 6
The oracle access of $G = (G_1, \cdots, G_n)$ is given. Let $p(n)$ be an arbitrary polynomial function of $n$, and initialize the set $H := \emptyset$.
Proof. According to Theorem 2, we have $\Pr[a \in U^{\bar{i}_j}_{G_j}] > 1 - p_0^n$. Thus $\Pr[G_j(z) \oplus G_j(z \oplus (a\,0)) = i_j,\ \forall z \in \mathbb{F}_2^{m+n}] > 1 - p_0^n$. This indicates that for all $k \in K$, $\Pr[F_{kj}(x) \oplus F_{kj}(x \oplus a) = i_j,\ \forall x \in \mathbb{F}_2^n] > 1 - p_0^n$. Since the probability that equation (12) holds is no less than the above probability, the conclusion holds.
From Theorem 8, we can see that by running Algorithm 6 with $O(n^2)$ queries the attacker may find impossible differentials of $F_k$. Unlike the other two kinds of differential cryptanalysis proposed in the previous two subsections, the "impossibility" of the found differential holds for all keys in $K$. But Algorithm 6 can only find impossible differentials whose "impossibility" is concentrated on a certain bit. In other words, only when there exists some $j$ such that $F_{kj}$ has impossible differentials can Algorithm 6 find impossible differentials of $F_k$. Although our algorithm can only find such special impossible differentials, it still provides a new and inspirational approach to impossible differential cryptanalysis. In addition, one of the main shortcomings of traditional impossible differential cryptanalysis is the difficulty of extending the differential path, which limits the number of rounds that can be attacked. Our approach does not have this problem since it treats the first $r - 1$ rounds as a whole.
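As an added illustration (example code written for this page, not the paper's own), the following classical simulation runs the key-sieving phase of both quantum small probability differential cryptanalysis (step II of the previous subsection) and impossible differential cryptanalysis (the second phase described above) against a constructed 8-bit toy cipher. The quantum steps (Algorithm 5 and Algorithm 6) are not simulated: for the toy's $F_k(x) = x \oplus k$ every input difference $a$ is a linear structure of every component bit with $i = a$, so the pair $(a, i)$, and hence an impossible differential, is assumed to be known.

```python
# Constructed toy cipher (not the paper's): n = 8. F_k(x) = x ^ k plays the role of
# the first r-1 rounds; the last round applies the nonlinear bijection
# S(y) = y^3 mod 257 (with S(0) = 0) and XORs the last-round subkey s.
N = 8
MASK = (1 << N) - 1
SBOX = [0] + [pow(y, 3, 257) for y in range(1, 256)]   # bijection on {0..255}
INV_SBOX = [0] * 256
for _y, _c in enumerate(SBOX):
    INV_SBOX[_c] = _y

def encrypt(x, k, s):
    """Whole toy cipher: F_k(x) = x ^ k, then the keyed nonlinear last round."""
    return SBOX[x ^ k] ^ s

def undo_last_round(c, s_guess):
    """Decrypt the last round with a candidate subkey to get a guess for F_k(x)."""
    return INV_SBOX[c ^ s_guess]

def output_differences(oracle, a, s_guess, pairs):
    """Chosen plaintexts 0..pairs-1 (constructed) with input difference a; the
    last round is undone with s_guess. Returns the output differences of F_k."""
    return [undo_last_round(oracle(x), s_guess) ^ undo_last_round(oracle(x ^ a), s_guess)
            for x in range(pairs)]

def ratio_lambda(dys, b):
    """Fraction of (i, j) such that bit j of the i-th output difference equals b_j."""
    hits = sum(bin(~(dy ^ b) & MASK).count("1") for dy in dys)
    return hits / (len(dys) * N)

def small_probability_sieve(k, s, a, l=16):
    """Step II of quantum small probability differential cryptanalysis. For the
    toy F_k the linear structure found in step I is (a, i) = (a, a), so b = a ^ MASK
    and (a, b) never occurs for the right key (lambda_s = 0), while a wrong guess
    makes the last round look random (lambda_s near 1/2). Keep lambda_s < 1/l."""
    oracle = lambda x: encrypt(x, k, s)
    b = a ^ MASK
    lam = {g: ratio_lambda(output_differences(oracle, a, g, l * l), b)
           for g in range(1 << N)}
    return lam, sorted(g for g, v in lam.items() if v < 1 / l)

def impossible_differential_sieve(k, s, a, dy_impossible, pairs=256):
    """Second phase of impossible differential cryptanalysis: rule out every
    s_guess under which the impossible output difference is observed. For the
    toy F_k the only possible output difference is a, so any dy_impossible != a
    is impossible; a single impossible differential only thins the candidate set."""
    oracle = lambda x: encrypt(x, k, s)
    return [g for g in range(1 << N)
            if dy_impossible not in output_differences(oracle, a, g, pairs)]
```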

Discussion and Conclusion
In this paper, we construct new quantum distinguishers for the 3-round Feistel scheme and propose a new quantum algorithm to recover a partial key of the Even-Mansour construction. Afterwards, by observing that the linear structures of an encryption function are actually high probability differentials of it, we propose three ways to execute differential cryptanalysis. The quantum algorithms used for these three kinds of differential cryptanalysis all have polynomial running time. We believe our work provides some helpful and inspirational methods for quantum cryptanalysis.
There are many directions for future work. First, is it possible to modify the algorithms used for quantum differential analysis and quantum small probability differential cryptanalysis so that they work for all keys in the key space? Also, how to reduce the complexity of our attacks without affecting the success probability is worthy of further study. In addition, all algorithms proposed in this article find differentials of a vector function by first searching for the differentials of its component functions separately. There may exist other ways to find differentials of a vector function directly.

Appendix A. Proof of Theorem 1
In this appendix we present the proof of Theorem 1, which can be found in [14]. Theorem 1 is stated as follows:

Theorem 1. If running Algorithm 1 on a function $f \in B_n$ gives sets $A_0$ and $A_1$, then for all $a \in A_i$ ($i = 0, 1$) and all satisfying 0 < < 1, we have

Proof. For all $a \in A_i$ ($i = 0, 1$), let $p = |V^i_{f,a}|/2^n$ and $q = 1 - p$; then $p, q \in [0, 1]$. We define a random variable $Y$ as follows: ω · a = i.
According to Lemma 1, the expectation of $Y$ is $E(Y) = 1 \cdot q = 1 - p$. Running the BV algorithm $p(n)$ times produces $p(n)$ independent identically distributed random variables $Y_1, \cdots, Y_{p(n)}$. By Hoeffding's inequality, Note that since $a \in A_i$, $\sum_j Y_j$ must be $0$ (otherwise there exists some $Y_j = 1$, and then $a \notin A_i$). Thus P r[q ≥ ] ≤ e −2p(n) 2 . This indicates which completes the proof.