1 Introduction

The discovery of efficient quantum algorithms for algebraic problems with longstanding roles in cryptography, like factoring and discrete logarithm [30], has led to a systematic re-evaluation of cryptography in the presence of quantum attacks. Such attacks can, for example, recover private keys directly from public keys for many public-key cryptosystems of interest. A 2010 article of Kuwakado and Morii [18] identified a new family of quantum attacks on certain generic constructions of private-key cryptosystems. While the attacks rely on similar quantum algorithmic tools (that is, algorithms for the hidden subgroup problem), they qualitatively differ in several other respects. Perhaps most notably, they break reductions which are information-theoretically secure in the classical setting. On the other hand, these attacks require a powerful “quantum CPA” setting which permits the quantum adversary to make queries—in superposition—to the relevant cryptosystem.

These quantum chosen-plaintext attacks (qCPA) have been generalized and expanded to apply to a large family of classical symmetric-key constructions, including Feistel networks, Even-Mansour ciphers, Encrypted-CBC-MACs, tweakable block ciphers, and others [14, 18, 19, 29]. A unifying feature of all these new attacks, however, is an application of Simon’s algorithm for recovering “hidden shifts” in the group \((\mathbb {Z}/2)^n\). Specifically, the attacks exploit an internal application of addition \(({\text {mod}} 2)\) to construct an instance of a hidden shift problem—solving the hidden shift problem then breaks the cryptographic construction. As an illustrative example, consider two (independent) uniformly random permutations \(P, Q: \{0,1\}^n \rightarrow \{0,1\}^n\) and a uniformly random element z of \(\{0,1\}^n\). It is easy to see that no classical algorithm can distinguish the function \((x,y) \mapsto (P(x), Q(y))\) from the function \((x,y) \mapsto (P(x), P(y \oplus z))\) with a polynomial number of queries; this observation directly motivates the classical Even-Mansour block-cipher construction. On the other hand, an efficient quantum algorithm with oracle access to \((x,y) \mapsto (P(x), P(y \oplus z))\) can apply Simon’s algorithm to recover the “hidden shift” z efficiently; this clearly allows the algorithm to distinguish the two cases above.

While these attacks threaten many classical private-key constructions, they depend on an apparent peculiarity of the group \((\mathbb {Z}/2)^n\)—the Hidden Shift problem over \((\mathbb {Z}/2)^n\) admits an efficient quantum algorithm. In contrast, Hidden Shift problems in general have resisted over 20 years of persistent attention from the quantum algorithms community. Indeed, aside from Simon’s polynomial-time algorithm for hidden shifts over \((\mathbb {Z}/2)^n\), generalizations to certain groups of constant exponent [10], and Kuperberg’s \(2^{O(\sqrt{\log N})}\) algorithm for hidden shifts over \(\mathbb {Z}/N\) [16], very little is known. This dearth of progress is not for lack of motivation. In fact, it is well-known that efficient quantum algorithms for Hidden Shift over \(\mathbb {Z}/N\) would (via a well-known reduction from the Hidden Subgroup Problem on \(D_N\)) yield efficient quantum attacks on important public-key cryptosystems [26, 27], including prime candidates for quantum security and the eventual replacement of RSA in Internet cryptography [3]. Likewise, efficient algorithms for the symmetric group would yield polynomial-time quantum algorithms for Graph Isomorphism, a longstanding challenge in the area.

On the other hand, \((\mathbb {Z}/2)^n\) group structure is rather incidental to the security of typical symmetric-key constructions. For example, the classical Even-Mansour construction defines a block cipher \(E_{k_1, k_2}(m)\) by the rule

$$\begin{aligned} E_{k_1, k_2}(m) = P(m \oplus k_1) \oplus k_2, \end{aligned}$$

where P is a public random permutation and the secret key \((k_1, k_2)\) is given by a pair of independent elements drawn uniformly from \((\mathbb {Z}/2)^n\). The security proofs, however, make no particular assumptions about group structure, and apply if the \(\oplus \) operation is replaced with an alternative group operation, e.g., \(+\) modulo N or multiplication in \(\mathbb {F}_{2^n}\).
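To make the substitution concrete, here is an added Python example (not code from the paper) of the Even-Mansour rule above written over a pluggable group, so that the classical \((\mathbb {Z}/2)^n\) cipher and its \(\mathbb {Z}/2^n\) variant differ only in the group operation. The public permutation P is a seeded random table, the keys are constructed sample values, and the `shift_periods` check is included to exhibit the structural difference the paper is after: over XOR the map \(x \mapsto E(x) \oplus P(x)\) is invariant under the shift \(k_1\) (the period that the Simon-based attacks cited below rely on), whereas over addition modulo \(2^n\) the analogous map \(x \mapsto E(x) - P(x)\) has no nonzero period for a random P.

```python
# Added example (not the paper's own code): Even-Mansour over a pluggable group.
# P is a constructed public random permutation; the keys are constructed samples.
import random

N_BITS = 8                 # toy block size so exhaustive checks run instantly
MOD = 1 << N_BITS


def make_public_permutation(seed=2024):
    """Constructed stand-in for the public random permutation P, with its inverse."""
    rng = random.Random(seed)
    table = list(range(MOD))
    rng.shuffle(table)
    inverse = [0] * MOD
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


class XorGroup:
    """(Z/2)^n: the group used by the classical construction."""
    @staticmethod
    def op(a, b):
        return a ^ b

    @staticmethod
    def inv(a):
        return a               # every element is its own inverse


class CyclicGroup:
    """Z/2^n: the C_2 adaptation; addition modulo 2^n."""
    @staticmethod
    def op(a, b):
        return (a + b) % MOD

    @staticmethod
    def inv(a):
        return (-a) % MOD


def em_encrypt(group, P, k1, k2, m):
    """E_{k1,k2}(m) = P(m * k1) * k2, with * the group operation."""
    return group.op(P[group.op(m, k1)], k2)


def em_decrypt(group, P_inv, k1, k2, c):
    """m = P^{-1}(c * k2^{-1}) * k1^{-1}, undoing the two key mixings."""
    return group.op(P_inv[group.op(c, group.inv(k2))], group.inv(k1))


def shift_periods(group, P, k1, k2):
    """Nonzero s with F(s * x) = F(x) for all x, where F(x) = E(x) * P(x)^{-1}.
    Over (Z/2)^n this F always has period k1; over Z/2^n no period is expected
    for a random P, which is why the group swap removes the exploitable structure."""
    F = [group.op(em_encrypt(group, P, k1, k2, x), group.inv(P[x])) for x in range(MOD)]
    return [s for s in range(1, MOD)
            if all(F[group.op(s, x)] == F[x] for x in range(MOD))]


def roundtrip_ok(group, P, P_inv, k1, k2):
    """Exhaustively check that decryption inverts encryption for this group."""
    return all(em_decrypt(group, P_inv, k1, k2, em_encrypt(group, P, k1, k2, m)) == m
               for m in range(MOD))


P, P_INV = make_public_permutation()
K1, K2 = 0x5A, 0xC3            # constructed sample keys

if __name__ == "__main__":
    for G in (XorGroup, CyclicGroup):
        print(G.__name__, "roundtrip:", roundtrip_ok(G, P, P_INV, K1, K2),
              "periods of E*P^-1:", shift_periods(G, P, K1, K2))
```

The security proofs go through for either group because `em_encrypt` and `em_decrypt` only use the group law and inverses; what changes is the output of `shift_periods`, which lists \(k_1\) for `XorGroup` and is empty for `CyclicGroup`.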

This state of affairs suggests the possibility of ruling out quantum attacks by the simple expedient of adapting the underlying group in the construction. Moreover, the apparently singular features of \((\mathbb {Z}/2)^n\) in the quantum setting suggest that quite mild adaptations may be sufficient. As mentioned above, many classical security proofs are unaffected by this substitution; our primary goal is to add security against quantum adversaries. Our approach is to reduce well-studied Hidden Shift problems directly to the security of these symmetric-key cryptosystems. Thus, efficient quantum chosen-plaintext attacks on these systems would resolve long-standing open questions in quantum complexity theory.

1.1 Contributions

Hidden Shift as a Cryptographic Primitive. We propose the intractability of the Hidden Shift problem as a fundamental assumption for establishing quantum security of cryptographic schemes. In the general problem, we are given two functions on some finite group G, and a promise that one is a shift of the other; our task is to identify the shift. Our assumptions have the following form:

Assumption 1

(The \(\mathcal {G}\)-Hidden Shift Assumption, informal). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\). For all polynomial-time quantum algorithms \(\mathcal A\),

$$\begin{aligned} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{f} \Bigl [ \min _{\begin{array}{c} s \in G_i \end{array}} \Pr \bigl [\mathcal A^{f, f_s}(i) = s\bigr ]\Bigr ] \le {\text {negl}}(|i|), \end{aligned}$$

where \(f_s(x) = f(sx)\), the expectation is taken over random choice of the function f, the minimum is taken over all shifts \(s \in G_i\), and the probability is taken over internal randomness and measurements of \(\mathcal {A}\).

This assumption asserts that there is no quantum algorithm for Hidden Shift (over \(\mathcal G\)) in the worst-case over s, when function values are chosen randomly. Note that the typical formulation in the quantum computing literature is worst case over s and f; on the other hand, known algorithmic approaches are invariant under arbitrary relabeling of the value space of f. The “random-valued” case thus seems satisfactory for our cryptographic purposes. (In fact, our results can alternatively depend on the case where f is injective, rather than random.) See Sect. 3 below for further discussion and precise versions of Assumption 1. In general, formulating such an assumption requires attention to the encoding of the group. However, we will focus entirely on groups with conventional encodings which directly provide for efficient group operations, inversion, generation of random elements, etc. Specifically, we focus on the two following particular variants:

Assumption 2

(The \(2^n\)-Cyclic Hidden Shift Assumption). This is the Hidden Shift Assumption with the group family \(\mathcal {C}_2 = \{ \mathbb {Z}/2^n \mid n \ge 0\}\) where the index consists of the number n written in unary.

Assumption 3

(The Symmetric Hidden Shift Assumption). This is the Hidden Shift Assumption with the group family \(\mathcal {S} = \{ S_n \mid n \ge 0\}\) where \(S_n\) denotes the symmetric group on n symbols and the index consists of the number n written in unary.

In both cases the size of the group is exponential in the length of the index.

We remark that the Hidden Shift problem has polynomial quantum query complexity [7]—thus one cannot hope that Hidden-Shift-based schemes possess information-theoretic security in the quantum setting (as they do in the classical setting); this motivates introduction of Hidden Shift intractability assumptions.

To explore the hardness of Hidden Shift problems against quantum polynomial-time (QPT) algorithms, we describe several reductions. First, we prove that Hidden Shift is equivalent to a randomized version of the problem where the shift s is random (Random Hidden Shift), and provide an amplification theorem which is useful in establishing security of schemes based on Assumption 1.

Proposition

(Amplification, informal). Assume there exists a QPT algorithm which solves Random Hidden Shift for an inverse-polynomial fraction of inputs. Then there exists a QPT algorithm for solving both Hidden Shift and Random Hidden Shift for all but a negligible fraction of inputs.

We then show that, for many group families, Hidden Shift over the relevant groups is equivalent to a decisional version of the problem. In the decisional version, we are guaranteed that the two functions are either (i) both random and independent, or (ii) one is random and the other is a shift; the goal is to decide which is the case.

Theorem

(Search and decision are equivalent, informal). Let \(\mathcal G\) be the group family \(\mathcal {C}_2\) or the group family \(\mathcal S\) (or a group family with an efficient subgroup series). Then there exists a QPT algorithm for Random Hidden Shift (with at most inverse-poly error) over \(\mathcal G\) if and only if there exists a QPT algorithm for Decisional Random Hidden Shift (with at most inverse-poly error) over \(\mathcal G\).

Finally, we provide some evidence that Hidden Shift over the family \(\mathcal {C}_2\) is as hard as Hidden Shift over general cyclic groups. Specifically, we show that efficient algorithms for an approximate version of Hidden Shift over \(\mathcal {C}_2\) give rise to efficient algorithms for the same problem over \(\mathcal {C}\), the family of all cyclic groups.

We also briefly discuss the connections between Hidden Shift, the assumptions above, and assumptions underlying certain candidates for quantum-secure public-key cryptography [5, 26]. For completeness, we recall known connections to the Hidden Subgroup Problem. Both the Hidden Shift and Hidden Subgroup Problem families have received significant attention from the quantum algorithms community, and are believed to be quantumly hard with the exception of particular families of groups [5, 12, 21, 22, 26].

Quantum-Secure Symmetric-Key Cryptographic Schemes. With the above results in hand, we describe a generic method for using Assumption 1 to “adapt” classically-secure schemes in order to remove vulnerabilities to quantum chosen-plaintext attacks. The adaptation is simple: replace the underlying \((\mathbb {Z}/2)^n\) structure of the scheme with that of either \(\mathcal C_2\) or \(\mathcal S\). This amounts to replacing bitwise XOR with a new group operation. In the case of \(\mathcal C_2\), the adaptation is particularly simple and efficient.

While our basic approach presumably applies in broad generality, we focus on three emblematic examples: the Even-Mansour construction—both as a PRF and as a block cipher—and the CBC-MAC construction. We focus throughout on the group families \(\mathcal {C}_2\) and \(\mathcal {S}\), though we also discuss some potential advantages of other choices (see Sect. 3.2). Finally, we discuss related quantum attacks on cryptographic constructions, including the 3-round Feistel cipher and quantum slide attacks [14]. We remark that the Feistel cipher over groups other than \((\mathbb {Z}/2)^n\) has been considered before, in a purely classical setting [24].

Hidden Shift Even-Mansour. Following the prescription above, we define group variants of the Even-Mansour cipher. We give a reduction from the worst-case Hidden Shift problem to the natural distinguishability problem (i.e., distinguishing an Even-Mansour cipher from a random permutation). Thus, under the Hidden Shift Assumption, the Even-Mansour construction is a quantum-query-secure pseudorandom function (qPRF). In particular, key-recovery is computationally infeasible, even for a quantum adversary. We also provide (weaker) reductions between Hidden Shift and the problem of breaking Even-Mansour in the more challenging case where the adversary is provided access to both the public permutation and its inverse (and likewise for the encryption map). In any case, these adaptations frustrate the “Simon algorithm key recovery attack” [14, 19], as this would now require a subroutine for Hidden Shift in the relevant group family. Moreover, one can also apply standard results (see, e.g., [13]) to show that, over some groups, all bits of the key are as hard as the entire key (and hence, by our reductions, as hard as Hidden Shift). We remark that considering \(\mathbb {Z}/{2^n}\) structure to define an adaptation of Even-Mansour has been considered before in the context of classical slide attacks [6].

Hidden Shift CBC-MAC. Following our generic method for transforming schemes, we define group variants of the Encrypted-CBC-MAC. We establish that this primitive is collision-free against quantum adversaries. Specifically, we show that any efficient quantum algorithm which discovers collisions in the Hidden-Shift Encrypted-CBC-MAC with non-negligible probability would yield an efficient worst-case quantum algorithm for Hidden Shift over the relevant group family. As with Even-Mansour, this adaptation also immediately frustrates the Simon’s algorithm collision-finding attacks [14, 29].

Feistel Ciphers, Slide Attacks. We also define group variants of the well-known Feistel cipher for constructing pseudorandom permutations from pseudorandom functions. Our group variants frustrate Simon-style attacks [18]; a subroutine for the more general Hidden Shift problem is now required. Finally, we also address the exponential quantum speedup of certain classical slide attacks, as described in [14]. We show how one can once again use Hidden Shift to secure schemes vulnerable to these “quantum slide attacks.”

2 Preliminaries

Notation; Remarks on Finite Groups. For a finite group G and an element \(s \in G\), let \(L_s: G \rightarrow G\) denote the permutation given by left multiplication by s, so \(L_s: x \mapsto s \cdot x\). We discuss a number of constructions in the paper requiring computation in finite groups and assume, throughout, that elements of the group in question have an encoding that efficiently permits such natural operations as product, inverse, selection of uniformly random group elements, etc. As our discussion focuses either on specific groups—such as \((\mathbb {Z}/2)^n\) or \(\mathbb {Z}/N\)—where such encoding issues are straightforward or, alternatively, generic groups in which we assume such features by fiat, we routinely ignore these issues of encoding.

Classical and Quantum Algorithms. Throughout we use the abbreviation PPT for “probabilistic polynomial time,” referring to an efficient classical algorithm, and QPT for “quantum polynomial time,” referring to an efficient quantum algorithm. Our convention is to denote algorithms of either kind with calligraphic letters, e.g., \(\mathcal A\) will typically denote an algorithm which models an adversary. If f is a function, the notation \(\mathcal A^f\) stands for an algorithm (either classical or quantum) with oracle access to the function f. A classical oracle is simply the black-box gate \(x \mapsto f(x)\); a quantum oracle is the unitary black-box gate \({\left| {x}\right\rangle }{\left| {y}\right\rangle } \mapsto {\left| {x}\right\rangle }{\left| {y \oplus f(x)}\right\rangle }\). Unless stated otherwise, oracle QPT algorithms are assumed to have quantum oracle access.

Quantum-Secure Pseudorandomness. We now set down a way of quantifying the ability of a QPT adversary to distinguish between families of functions. Fix a function family \(\mathcal F \subset \{ h : \{0,1\}^m \rightarrow \{0,1\}^\ell \}\), a function \(f : \{0,1\}^n \times \{0,1\}^m \rightarrow \{0,1\}^\ell \), and define \(f_k := f(k, \cdot )\). We say that f is an indexed subfamily of \(\mathcal F\) if \(f_k \in \mathcal F\) for every \(k \in \{0,1\}^n\). We will generally assume that m and \(\ell \) are polynomial functions of n and treat n as the complexity (or security) parameter.

Definition 1

Let \(\mathcal F\) be a function family, f an indexed subfamily, and \(\mathcal D\) an oracle QPT algorithm. The distinguishing advantage of \(\mathcal D\) is the quantity

$$\begin{aligned} \mathbf{Adv } ^{\mathcal D}_{\mathcal F, f} := \left| \underset{k \in _R\{0,1\}^n}{\Pr }\Bigl [\mathcal D^{f_k}(1^n) = 1\Bigr ] - \underset{g \in _R\mathcal F}{\Pr }\Bigl [\mathcal D^g(1^n) = 1\Bigr ] \right| . \end{aligned}$$

Next, we define efficient indexed function families which are pseudorandom against QPT adversaries. We emphasize that these function families are computed by deterministic classical algorithms.

Definition 2

Let \(\mathcal {F}_n\) be the family of all functions from m(n) bits to \(\ell (n)\) bits, and f an efficiently computable, indexed subfamily of \(\bigcup _n \mathcal {F}_n\) (so that \(f_k \in \mathcal {F}_n\) for \(|k| = n\)). We say that f is a quantum-secure pseudorandom function (qPRF) if \(\mathbf{Adv } ^{\mathcal D}_{\mathcal {F}_n, f} \le {\text {negl}}(n)\) for all QPT \(\mathcal D\).

It is known how to construct qPRFs from standard assumptions (i.e., existence of quantum-secure one-way functions) [33].

The pseudorandom function property is not enough in certain applications, e.g., in constructing block ciphers. It is then often useful to add the property that each function in the family is a permutation, which can be inverted efficiently (provided the index is known).

Definition 3

Let \(\mathcal P\) be the family of all permutations, and f an efficiently computable, indexed subfamily of \(\mathcal P\). We say that f is a quantum-secure pseudorandom permutation (qPRP) if (i) f is a qPRF, (ii) each \(f_k\) is a permutation, and (iii) there is an efficient algorithm which, given k, computes the inverse \(f_k^{-1}\) of \(f_k\).

A recent result shows how to construct qPRPs from one-way functions [32]. Finding simpler constructions is an open problem. Two simple constructions which are known to work classically, Even-Mansour and the 3-round Feistel, are both broken by a simple attack based on Simon’s algorithm for Hidden Shift on \((\mathbb {Z}/2)^n\). As we discuss in detail later, we conjecture that the adaptations of these constructions to other group families are qPRPs.

We will also make frequent use of a result of Zhandry (Theorem 3.1 in [34]) which states that 2k-wise independent functions are indistinguishable from random to quantum adversaries making no more than k queries.

Theorem 1

Let \(\mathcal H\) be a 2k-wise independent family of functions with domain \(\mathcal X\) and range \(\mathcal Y\). Let \(\mathcal D\) be a quantum algorithm making no more than k oracle queries. Then

$$\begin{aligned} \underset{h \in _R\mathcal H}{\Pr }\Bigl [\mathcal D^{h}(1^n) = 1\Bigr ] = \underset{g \in _R\mathcal Y^\mathcal X}{\Pr }\Bigl [\mathcal D^g(1^n) = 1\Bigr ]. \end{aligned}$$

Collision-Freeness. We will also need a (standard) definition of collision-resistance against efficient quantum adversaries with oracle access.

Definition 4

Let \(f : \{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}^{*}\) be an efficiently-computable function family defined for all (k, x) for which \(|x| = m(|k|)\) (for a polynomial m). We say that f is collision-resistant if for all QPT \(\mathcal A\),

$$\begin{aligned} \mathop {\Pr }\limits _{k \in _R\{0,1\}^n} \Bigl [ \mathcal A^{f_k}(1^n) = (x, y) \wedge f_k(x) = f_k(y) \wedge x \ne y \Bigr ] \le {\text {negl}}(n). \end{aligned}$$

3 Hidden Shift as a Cryptographic Primitive

We begin by discussing a few versions of the basic oracle promise problem related to finding hidden shifts of functions on groups. In the problems below, the relevant functions are given to the algorithm via black-box oracle access and we are interested in the setting where the complexity of the algorithm (both number of queries and running time) scales in \({\text {poly}}(\log |G|)\).

3.1 Hidden Shift Problems

Basic Definitions. We begin with the Hidden Shift problem. As traditionally formulated in the quantum computing literature, the problem is the following:

Problem 1

(The traditional Hidden Shift problem). Let G be a group and V a set. Given oracle access to an injective function \(f: G \rightarrow V\) and an unknown shift \(g = f \circ L_s\) of f, find s.

It is convenient for us to parameterize this definition in terms of a specific group family and fix the range of the oracles f and g. This yields our basic asymptotic definition for the problem.

Problem 2

(\({ \textsc {Hidden Shift}}\) (HS)). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of groups with index set \(I \subset \{0,1\}^*\) and let \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a polynomial. Then the Hidden Shift problem over \(\mathcal {G}\) (with length parameter \(\ell \)) is the following: given an index i and oracle access to a pair of functions \(f, g: G_i \rightarrow \{0,1\}^{\ell (|i|)}\) where \(g(x) = f(sx)\), determine \(s \in G_i\). We assume, throughout, that \(2^{\ell (|i|)} \gg |G_i|\).

This generic formulation is more precise, but technically still awkward for cryptographic purposes as it permits oracle access to completely arbitrary functions f. To avoid this technical irritation, we focus on the performance of Hidden Shift algorithms over specific classes of functions f. Specifically, we either assume f is random or that it is injective. When a Hidden Shift algorithm is applied to solve problems in a typical computational setting, the actual functions f, g are injective and given by efficient computations. We remark that established algorithmic practice in this area ignores the actual function values altogether, merely relying on the structure of the level sets of the function

$$\begin{aligned} \varPhi (x,b) = {\left\{ \begin{array}{ll} f(x) &{} \text {if}\,\, b=0,\\ g(x) &{} \text {if}\,\, b=1. \end{array}\right. } \end{aligned}$$

In particular, such structural conditions of f appear to be irrelevant to the success of current quantum-algorithmic techniques for the problem. This motivates the following notion of “success” for an algorithm.

Definition 5

(Completeness). Let \(\mathcal A\) be an algorithm for the Hidden Shift problem on \(\mathcal {G}\) with length parameter \(\ell \). Let f be a function defined on all pairs (i, x) where \(x \in G_i\) so that \(f(i,x) \in \{0,1\}^{\ell (|i|)}\). Then we define the completeness of \(\mathcal A\) relative to f to be the quantity

$$\begin{aligned} 1 - \epsilon _f(i) \triangleq \min _{s \in G_i} \Pr [{\mathcal A}^{f,f_s}(i) = s]. \end{aligned}$$

The completeness of \(\mathcal A\) relative to random functions is the average

$$\begin{aligned} 1 - \epsilon _R(i) \triangleq \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{f}\left[ \min _{s \in G_i} \Pr [{\mathcal A}^{f,f_s}(i) = s]\right] = \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{f} [1 - \epsilon _f(i)], \end{aligned}$$

where f(i, x) is drawn uniformly at random. Note that these notions are worst-case in s, the shift.

Note that this definition does not specify how the algorithm should behave on instances that are not hidden shifts. For simplicity, we assume that the algorithm returns a value for s in any case, with no particular guarantee on s in the case when the functions are not shifts of each other.

Our basic hardness assumption is the following:

Assumption 4

(The \(\mathcal {G}\)-Hidden Shift Assumption; randomized). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\) and \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a length parameter. Then for all efficient algorithms \(\mathcal A\), \(1 - \epsilon _R(i) = {\text {negl}}(|i|)\).

For completeness, we also record a version of the assumption for injective f. In practice, our cryptographic constructions will rely only on the randomized version.

Assumption 5

(The \(\mathcal {G}\)-Hidden Shift Assumption; injective). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\) and \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a length parameter. Then for all efficient algorithms \(\mathcal A\) there exists an injective f (satisfying the criteria of Definition 5 above), so that \(1 - \epsilon _f(i) = {\text {negl}}(|i|)\).

In preparation for establishing results on security amplification, we define two additional variants of the Hidden Shift problem: a variant where both the function and the shift are randomized, and a decisional variant. Our general approach for constructing security proofs will be to reduce one of these variants to the problem of breaking the relevant cryptographic scheme. As we will later show, an efficient solution to either variant implies an efficient solution to both, which in turn results in a violation of Assumption 4 above.

Problem 3

(Random Hidden Shift (RHS)). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\) and \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a length parameter. Then the Random Hidden Shift problem over \(\mathcal G\) is the Hidden Shift problem where the input function f(i, x) is drawn uniformly and the shift s is drawn (independently and uniformly) from \(G_i\).

We define the completeness \(1 - \epsilon (i)\) for a Random Hidden Shift algorithm \(\mathcal A\) analogously to Definition 5. Observe that a small error is unavoidable for any algorithm, as there exist pairs of functions for which s is not uniquely defined. We will also need a decisional version of the problem, defined as follows.

Problem 4

(Decisional Random Hidden Shift (DRHS)). Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\) and \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a length parameter. The Decisional Random Hidden Shift problem is the following: Given i and oracle access to two functions \(f, g: G_i \rightarrow \{0,1\}^{\ell (|i|)}\) with the promise that either (i) both f and g are drawn independently at random, or (ii) f is random and \(g = f \circ L_s\) for some \(s \in G\), decide which is the case.

We say that an algorithm for DRHS has completeness \(1-\epsilon (i)\) and soundness \(\delta (i)\) if the algorithm errs with probability no more than \(\epsilon (i)\) in the case that the functions are shifts and errs with probability no more than \(\delta (i)\) in the case that the functions are drawn independently.

Next, we briefly recall the definition of the (closely-related) Hidden Subgroup Problem. The problem is primarily relevant in our context because of its historical significance (and relationship to Hidden Shift); we will not use it directly in any security reductions.

Problem 5

(Hidden Subgroup Problem (HSP)). Let G be a group and S a set. Given a function \(f : G \rightarrow S\), and a promise that there exists \(H \le G\) such that f is constant and distinct on the right cosets of H, output a complete set of generators for H.

Some further details, including explicit reductions between HS and HSP, are given in Appendix A.

Of interest are both classical and quantum algorithms for solving the various versions of HS and HSP. The relevant metrics for such algorithms are the query complexity (i.e., the number of times that the functions are queried, classically or quantumly) as well as their time and space complexity. An algorithm is said to be efficient if all three are polynomial in \(\log |G|\).

Hardness Results. Next, we establish several reductions between these problems. Roughly, these results show that the average-case and decisional versions of the problem are as hard as the worst-case version.

Self-reducibility and Amplification. First, we show that (i) both HS and RHS are random self-reducible, and (ii) an efficient solution to RHS implies an efficient solution to HS.

Proposition 1

Let \(\mathcal {G} = \{ G_i \mid i \in I\}\) be a family of finite groups indexed by a set \(I \subset \{0,1\}^*\) and \(\ell : \mathbb {N}\rightarrow \mathbb {N}\) be a length parameter. Assume there exists a QPT \(\mathcal A\) which solves Random Hidden Shift over \(\mathcal {G}\) (with parameter \(\ell (|i|)\)) with inverse-polynomial completeness. Then there exists a QPT \(\mathcal A'\) which satisfies all of the following:

1. \(\mathcal A'\) solves Hidden Shift with random f with completeness \(1 - {\text {negl}}(|i|)\);

2. \(\mathcal A'\) solves Hidden Shift for any injective f with completeness \(1 - {\text {negl}}(|i|)\);

3. \(\mathcal A'\) solves Random Hidden Shift with completeness \(1 - {\text {negl}}(|i|)\).

Proof

We are given oracles f, g and a promise that \(g = f \circ L_s\). For a particular choice of n, there is an explicit (polynomial-size) bound k on the running time of \(\mathcal A\). Let \(\mathcal H\) be a 2k-wise independent function family which maps the range of f to itself. The algorithm \(\mathcal A'\) will repeatedly execute the following subroutine. First, an element \(h \in \mathcal H\) and an element \(t \in G_i\) are selected independently and uniformly at random. Then \(\mathcal A\) is executed with oracles

$$\begin{aligned} f' := h \circ f \qquad \text {and} \qquad g' := h \circ g \circ L_t. \end{aligned}$$

It’s easy to see that \(g' = f' \circ L_{st}\). If \(\mathcal A\) outputs a group element r, \(\mathcal A'\) checks if \(g'(x) = f'(rx)\) at a polynomial number of random values x. If the check succeeds, \(\mathcal A'\) outputs \(rt^{-1}\) and terminates. If the check fails (or if \(\mathcal A\) outputs garbage), we say that the subroutine fails. The subroutine is repeated m times, each time with a fresh h and t.

Continuing with our fixed choice of f and g, we now argue that \(\mathcal A\) (when used as above) cannot distinguish between \((f', g')\) and the case where \(f'\) is uniformly random, and \(g'\) is a uniformly random shift of \(f'\). First, the fact that the shift is randomized is clear. Second, if f is injective, then \(f'\) is simply h with permuted inputs, and is thus indistinguishable from random (by the 2k-wise independence of h and Theorem 1). Third, if f is random, then it is indistinguishable from injective (by the collision bound of [35]), and we may thus apply the same argument as in the injective case.

It now follows that, with inverse-polynomial probability \(\epsilon \) (over the choice of h and t), the instance \((f', g')\) is indistinguishable from an instance \((\varphi , \varphi _{st})\) on which the subroutine succeeds with inverse-polynomial probability \(\delta \). After m repetitions of the subroutine, \(\mathcal A'\) will correctly compute the shift \(r = st\) with probability at least \((1 - \epsilon \delta )^m \approx e^{-\epsilon \delta m}\), as desired.   \(\square \)

Decision Versus Search. Next, we consider the relationship between searching for shifts (given the promise that one exists), and deciding if a shift exists or not. Roughly speaking, we establish that the two problems are equivalent for most group families of interest. We begin with a straightforward reduction from DRHS to RHS.

Proposition 2

If there exists a QPT algorithm for Random Hidden Shift on \(\mathcal {G}\) with completeness \(1 - \epsilon (i)\), then there exists a QPT algorithm for Decisional Random Hidden Shift on \(\mathcal {G}\) with completeness \(1 - \epsilon (i)\), and negligible soundness error.

Proof

Let \(\ell (\cdot )\) be the relevant length parameter. Consider an RHS algorithm for G with completeness \(1 - \epsilon \) and the following adaptation to DRHS.

  • Run the RHS algorithm.

  • When the algorithm returns a purported shift s, check s for veracity with a polynomial number of (classical) oracle queries to f and g (ensuring that \(g(x_i) = f(sx_i)\) for k(n) distinct samples \(x_1, \ldots , x_{k(n)}\)).

Observe that if f and g are indeed hidden shifts, this procedure accepts with probability at least \(1 - \epsilon \): whenever the RHS algorithm returns the correct shift, the check passes. When f and g are unrelated random functions, the RHS algorithm returns some \(s \in G\), and the “testing” portion of the algorithm erroneously accepts with probability no more than \(|G| \cdot 2^{-k \cdot \ell (|i|)}\) (a union bound over the \(|G|\) possible values of s, each of which passes the k independent checks with probability \(2^{-k \cdot \ell (|i|)}\)). Thus, under the assumption that \(|G| \ge k(n)\) (so that k distinct samples exist), the resulting DRHS algorithm has completeness \(1 - \epsilon \) and soundness error \(|G| \cdot 2^{-k \cdot \ell (|i|)}\). For any nontrivial length function \(\ell \), this soundness error can be driven exponentially close to zero by choosing \(k = \log |G| + k'\).   \(\square \)

On the other hand, we are only aware of reductions from RHS to DRHS under the additional assumption that G has a “dense” tower of subgroups. In that case, an algorithmic approach of Fenner and Zhang [9] can be adapted to provide a reduction. Both \(S_n\) and \(\mathbb {Z}/2^n\) have such towers.

Proposition 3

Let \(\mathcal G\) be either the group family \(\{\mathbb {Z}/{2^n}\}\), or the group family \(\{S_n\}\). If there exists a QPT algorithm for Decisional Random Hidden Shift on \(\mathcal G\) with negligible completeness and soundness errors, then there exists a QPT algorithm for Random Hidden Shift on \(\mathcal G\) with negligible completeness error.

Proof

The proof adapts techniques of [9] to our probabilistic setting, and relies on the fact that these group families have an efficient subgroup tower. Specifically, each \(G_i\) possesses a subgroup series \(\{1\} = G^{(0)}< G^{(1)}< G^{(2)}< \cdots < G^{(s)} = G_i\) for which (i) uniformly random sampling and membership in \(G^{(t)}\) can be performed efficiently for all t, and (ii) for all t, there is an efficient algorithm for producing a left transversal of \(G^{(t-1)}\) in \(G^{(t)}\). For \(\mathbb {Z}/{2^n}\), the subgroup series is \(\{1\}< \mathbb {Z}/2< \mathbb {Z}/{2^2}< \mathbb {Z}/{2^3} < \cdots \). For \(S_n\) (i.e., the group of permutations of n letters), the subgroup series is \(\{1\}< S_1< S_2< S_3 < \cdots \), where each step of the series adds a new letter. We remark that such series can be efficiently computed for general permutation groups using a strong generating set, which can be efficiently computed from a presentation of the group in terms of generating permutations [11].

We recursively define a RHS algorithm by considering the case of a group G with a subgroup H of polynomial index with a known left transversal \(A = \{a_1, \ldots , a_k\}\) (so that G is the disjoint union of the \(a_i H\)). Assume that the DRHS algorithm for H has soundness \(\delta _H\) and completeness \(1-\epsilon _H\). In this case, the algorithm (for G) may proceed as follows:

  1. For each \(\alpha \in A\), run the DRHS algorithm on the two functions f and \(\check{g}: x \mapsto g(\alpha x)\) restricted to the subgroup H.

  2. If exactly one of these recursive calls reports that the functions f and \(x \mapsto g(\alpha x)\) are hidden shifts, recursively apply the RHS algorithm (on H) to recover the hidden shift \(s'\) with \(f(x) = g(\alpha s' x)\) for \(x \in H\). Since f is random, this relation determines the shift on all of G except with negligible probability; return \(s = (\alpha s')^{-1}\), which satisfies \(g(x) = f(sx)\).

  3. Otherwise assert that the functions are unrelated random functions.

In the case that f and g are independent random functions, the algorithm above errs with probability no more than \([G:H] \delta _{H}\).

Consider instead the case that \(f: G \rightarrow S\) is a random function and \(g(x) = f(sx)\) for an element \(s \in G\). Observe that if \(s^{-1} \in \alpha _i H\), so that \(s^{-1} = \alpha _i h_s\) for an element \(h_s \in H\), we have \(g(\alpha _i h_s x) = f(x)\). It follows that f and \(\check{g}: x \mapsto g(\alpha _i x)\) are shifts of each other; in particular, this is true when restricted to the subgroup H. Moreover, the hidden shift s can be determined directly from the hidden shift between f and \(\check{g}\). Note that, as above, the probability that any of the recursive calls to DRHS are answered incorrectly is no more than \([G:H] \delta _{H} + \epsilon _{H}\).

It remains to analyze the completeness of the resulting recursive RHS algorithm. In the case of the subgroup chain above, let \(\gamma _t\) denote the completeness error of the resulting RHS algorithm on \(G^{(t)}\) (with \(\gamma _0 = 0\) on the trivial group) and note that

$$\begin{aligned} \gamma _{t+1} \le [G^{(t+1)}:G^{(t)}] \delta _{G^{(t)}} + \epsilon _{G^{(t)}} + \gamma _{t} \end{aligned}$$

and thus that the resulting error on G is no more than

$$\begin{aligned} \sum _t [G^{(t+1)}:G^{(t)}] \delta _{G^{(t)}} + \sum _t \epsilon _{G^{(t)}}. \end{aligned}$$
(3.1)

As mentioned above, both the group families \(\{\mathbb {Z}/2^n \mid n \ge 0\}\) and \(\{S_n \mid n \ge 0\}\) satisfy this subgroup chain property.    \(\square \)
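The recursion of Proposition 3 is small enough to run on a toy instance. The following Python code is an added illustration and not part of the paper: it carries out the search-from-decision descent over \(\mathbb {Z}/2^8\) along the tower \(2^{j}\mathbb {Z}/2^8\) (index-2 steps with left transversal \(\{0, 2^j\}\)), with the quantum DRHS subroutine replaced by a brute-force yes/no oracle whose calls are counted. The instance (f, g, s) is constructed with a fixed seed, the range is taken much larger than the group so that accidental collisions are negligible, and the recovered shift is confirmed with the classical check of Proposition 2.

```python
# Added example, not part of the paper: the search-from-decision descent of
# Proposition 3 over Z/2^n, using the tower H_0 = Z/2^n > H_1 = 2Z/2^n > ...
# > H_n = {0}, where H_{j+1} has index 2 in H_j with left transversal {0, 2^j}.
# The quantum DRHS subroutine is replaced by a brute-force yes/no oracle that
# the reduction treats as a black box; its calls are counted.
import random

N_BITS = 8
MOD = 1 << N_BITS
RANGE = 1 << 32          # |S| >> |G|, so accidental collisions are negligible


def make_instance(seed, shifted=True):
    """Constructed RHS instance: f random, and either g(x) = f(x + s) or g random."""
    rng = random.Random(seed)
    f_tab = [rng.randrange(RANGE) for _ in range(MOD)]
    if shifted:
        s = rng.randrange(MOD)
        g_tab = [f_tab[(x + s) % MOD] for x in range(MOD)]
    else:
        s = None
        g_tab = [rng.randrange(RANGE) for _ in range(MOD)]
    return f_tab.__getitem__, g_tab.__getitem__, s


class DecisionOracle:
    """Stand-in for DRHS on H_j: is v(x) = u(x + h) for some h in H_j and all x in H_j?

    Brute force here; in the reduction this is the (amplified) quantum algorithm.
    """
    def __init__(self):
        self.calls = 0

    def is_shift(self, u, v, j):
        self.calls += 1
        subgroup = range(0, MOD, 1 << j)          # H_j = multiples of 2^j
        return any(all(v(x) == u((x + h) % MOD) for x in subgroup) for h in subgroup)


def recover_shift(f, g, oracle, j=0):
    """Return s in H_j with g(x) = f(x + s) for all x in H_j, or None if unrelated.

    Write -s = alpha + h with alpha in {0, 2^j} and h in H_{j+1}.  Then for
    x in H_{j+1} we have f(x) = g(alpha + h + x), i.e. f is the shift by h of
    g_alpha(x) = g(alpha + x) on H_{j+1}; recurse to find h and return -(alpha + h).
    """
    if j == N_BITS:                               # H_n = {0}: the only shift is 0
        return 0 if f(0) == g(0) else None
    hits = []
    for alpha in (0, 1 << j):
        g_alpha = lambda x, a=alpha: g((a + x) % MOD)
        if oracle.is_shift(g_alpha, f, j + 1):    # DRHS call on (g_alpha, f) over H_{j+1}
            hits.append((alpha, g_alpha))
    if len(hits) != 1:                            # zero or two "yes" answers
        return None
    alpha, g_alpha = hits[0]
    h = recover_shift(g_alpha, f, oracle, j + 1)  # f(x) = g_alpha(x + h) on H_{j+1}
    return None if h is None else (-(alpha + h)) % MOD


def verify_shift(f, g, s, k, seed=0):
    """Proposition 2's classical check: g(x) = f(x + s) on k random samples."""
    rng = random.Random(seed)
    return all(g(x) == f((x + s) % MOD) for x in (rng.randrange(MOD) for _ in range(k)))
```

With an error-free decision oracle the descent makes exactly two DRHS calls per level, \(2n\) in total, which is the polynomial query overhead the proof pays; the brute-force oracle is only a placeholder for the quantum subroutine and is not itself the point.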

Remark. Note that the groups \(\mathbb {Z}/N\) for general N are not treated by the results above; indeed, when N is prime, there is no nontrivial tower of subgroups. (Such groups do have other relevant self-reducibility and amplification properties [13].) We remark, however, that a generalization of the Hidden Shift problem which permits approximate equality results in a tight relationship between Hidden Shift problems for different cyclic groups. In particular, consider the \(\delta \)-Approximate Hidden Shift problem given by two functions \(f, g: G \rightarrow S\) with the promise that there exists an element \(s \in G\) so that \(\Pr _x[g(x) = f(sx)] \ge 1 - \delta \) (where x is chosen uniformly in G); the problem is to identify an element \(s' \in G\) with this property. Note that \(s'\) may not be unique in this case.

In particular, consider an instance \(f, g: \mathbb {Z}/n \rightarrow V\) of a Hidden Shift problem on a cyclic group \(\mathbb {Z}/n\). We wish to “lift” this instance to a group \(\mathbb {Z}/m\) for \(m \gg n\) in such a way that a solution to the \(\mathbb {Z}/m\) instance yields a solution to the \(\mathbb {Z}/n\) instance. For a function \(\phi : \mathbb {Z}/n \rightarrow V\), define the function \(\hat{\phi }: \mathbb {Z}/m \rightarrow V\) by the rule \(\hat{\phi }(x) = \phi (x \bmod n)\). Note, then, that \(\Pr _x[\hat{f}(x) = \hat{g}(\hat{s} + x)] \ge 1 - n/m\) for the shift \(\hat{s} = s\); moreover, recovering any shift for the \(\mathbb {Z}/m\) problem which achieves equality with probability near \(1 - n/m\) yields a solution to the \(\mathbb {Z}/n\) problem (by taking the answer modulo n, perhaps after correcting for the \(m \bmod n\) overhang at the end of the \(\mathbb {Z}/m\) oracle). Note that the lifted function \(\hat{\phi }\) is not injective, even when \(\phi \) is.

We remark that the Hidden Shift problem for non-injective Boolean functions (i.e., with range \(\mathbb {Z}/2\)) sometimes admits efficient algorithms (see, e.g., [23, 28]). Whether these techniques can be extended to the general setting above is an interesting open problem.

3.2 Selecting Hard Groups

Efficiently Solvable Cases. For some choices of underlying group G, some of the above problems admit polynomial-time algorithms. A notable case is the Hidden Subgroup Problem on \(G = \mathbb {Z}\), which can be solved efficiently by Shor’s algorithm [30]. The HSP with arbitrary abelian G also admits a polynomial-time algorithm [15]. The earliest and simplest example was Simon’s algorithm [31], which efficiently solves the HSP in the case \(G = (\mathbb {Z}/2)^n\) and \(H = \{1, s\}\) for unknown s, with only O(n) queries to the oracle. Due to the fact that \((\mathbb {Z}/2)^n \rtimes \mathbb {Z}/2 \cong (\mathbb {Z}/2)^{n+1}\), Simon’s algorithm also solves the Hidden Shift problem on \((\mathbb {Z}/2)^n\). Additionally, Friedl et al. [10] have given efficient (or quasi-polynomial) algorithms for hidden shifts over solvable groups of constant exponent; for example, their techniques yield efficient algorithms for the groups \((\mathbb {Z}/p)^n\) (for constant p) and \((S_4)^n\).

Cyclic Groups. In contrast with the Hidden Subgroup Problem, the general abelian Hidden Shift is believed to be hard. The only nontrivial algorithm known is due to Kuperberg, who gave a subexponential-time algorithm for the HSP on dihedral groups [16]. He also gave a generalization to the abelian Hidden Shift problem, as follows.

Theorem 2

(Theorem 7.1 in [16]). The abelian Hidden Shift problem has a quantum algorithm with time and query complexity \(2^{O((\log |G|)^{1/2})}\), uniformly for all finitely-generated abelian groups.

Regev and Kuperberg later improved the above algorithm (so it uses polynomial quantum space, and gains various knobs for tuning complexity parameters), but the time and query complexity remains the same [17, 25].

There is also evidence connecting HSP on the dihedral group \(D_N\) (and hence also HS on \(\mathbb {Z}/N\)) to other hard problems. Regev showed that, if there exists an efficient quantum algorithm for the dihedral HSP which uses coset sampling (the only nontrivial technique known), then there’s an efficient quantum algorithm for \({\text {poly}}(n)\)-unique-SVP [26]. This problem, in turn, is the basis of several lattice-based cryptosystems. However, due to the costs incurred in the reduction, Kuperberg’s algorithm only yields exponential-time attacks. An efficient solution to HS on \(\mathbb {Z}/N\) could also be used to break a certain isogeny-based cryptosystem [4].

We will focus particularly on the case \(\mathbb {Z}/{2^n}\). This is the simplest group for which all of our constructions and results apply. Moreover, basic computational tasks (encoding/decoding group elements as bitstrings, sampling uniformly random group elements, performing basic group operations, etc.) all have straightforward and extremely efficient implementations over \(\mathbb {Z}/{2^n}\). The existence of a quantum attack with complexity \(2^{O(\sqrt{n})}\) in this case will only become practically relevant in the very long term, when the costs of quantum and classical computations become somewhat comparable. If such attacks are truly a concern, then there are other natural group choices, as we discuss below.

Permutation Groups. In the search for quantum algorithms for HSP and HS, arguably the most-studied group family is the family of symmetric groups \(S_n\). It is well-known that an algorithm for HSP over \(S_n \wr (\mathbb {Z}/2)\) would yield a polynomial-time quantum algorithm for Graph Isomorphism. As discussed in Appendix A, this is precisely the case of HSP relevant to the Hidden Shift problem over \(S_n\).

For these groups, the efforts of the quantum algorithms community have so far amounted only to negative results. First, it was shown that the standard Shor-type approach of computing with individual “coset states” cannot succeed [22]. In fact, entangled measurements over \(\Omega (n \log n)\) coset states are needed [12], matching the information-theoretic upper bound [7]. Finally, the only nontrivial technique for performing entangled measurements over multiple registers, the so-called Kuperberg sieve, is doomed to fail as well [21].

While encoding, decoding, and computing over the symmetric groups is more complicated and less efficient than the cyclic case, it is a well-understood subject (see, e.g., [11]). When discussing these groups below, we will assume (without explicit mention) an efficient solution to these problems.

Matrix Groups. Another relevant family of groups are the matrix groups \(\textsf {GL}_2(\mathbb {F}_q)\) and \(\textsf {SL}_2(\mathbb {F}_q)\) over finite fields. These nonabelian groups exhibit many structural features which are similar to the symmetric groups, such as high-dimensional irreducible representations. Many of the negative results concerning the symmetric groups also carry over to matrix groups [12, 21].

Efficient encoding, decoding, and computation over finite fields \(\mathbb {F}_q\) is standard. Given these ingredients, extending to matrix groups is not complicated. In the case of \(\textsf {GL}_2(\mathbb {F}_q)\), we can encode an arbitrary pair (not both zero) \((a, c) \in \mathbb {F}_q^2\) in the first column, and any pair \((b, d)\) which is not a multiple of \((a, c)\) in the second column. For \(\textsf {SL}_2(\mathbb {F}_q)\), we have the additional constraint \(ad - bc = 1\): when \(a \ne 0\), the entries a, b, c may be chosen freely and d is fixed to \(a^{-1}(1+bc)\); when \(a = 0\), the constraint instead forces \(bc = -1\), so \(b \ne 0\), \(c = -b^{-1}\), and d is free. (The two cases account for \((q-1)q^2 + (q-1)q = q(q^2 - 1) = |\textsf {SL}_2(\mathbb {F}_q)|\) elements.)
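As an added example (not from the paper), the following Python code makes the preceding encoding explicit for \(\textsf {SL}_2(\mathbb {F}_p)\) with p prime: it is a bijection between the group and the integers \(0, \ldots , p^3 - p - 1\), so uniform sampling is a single random index, and it treats the \(a = 0\) case separately. Field arithmetic is plain integer arithmetic mod p with Fermat inversion; the \(\textsf {GL}_2\) encoding is not implemented here.

```python
# Added example, not part of the paper: a bijective encoding of SL_2(F_p), p prime,
# onto the integers 0 .. p^3 - p - 1.  The encoding splits on whether the top-left
# entry a is zero, because d = a^{-1}(1 + bc) only makes sense for invertible a.
import random


def inv_mod(x, p):
    return pow(x, p - 2, p)          # Fermat inverse; requires x != 0 mod p


def order_sl2(p):
    return p ** 3 - p                # |SL_2(F_p)| = p (p^2 - 1)


def encode(m, p):
    """Index of m = ((a, b), (c, d)) in SL_2(F_p); raises if det != 1."""
    (a, b), (c, d) = m
    if (a * d - b * c) % p != 1:
        raise ValueError("not in SL_2(F_p)")
    if a != 0:                       # a in F_p^*, b and c free, d determined
        return ((a - 1) * p + b) * p + c
    # a == 0: bc = -1, so b in F_p^*, c = -b^{-1}, and d is free
    return (p - 1) * p * p + (b - 1) * p + d


def decode(i, p):
    """Inverse of encode: the i-th element of SL_2(F_p) as ((a, b), (c, d))."""
    if not 0 <= i < order_sl2(p):
        raise ValueError("index out of range")
    block = (p - 1) * p * p          # indices below this have a != 0
    if i < block:
        c = i % p
        i //= p
        b, a = i % p, i // p + 1
        d = inv_mod(a, p) * (1 + b * c) % p
    else:
        i -= block
        d, b = i % p, i // p + 1
        a, c = 0, (-inv_mod(b, p)) % p
    return ((a, b), (c, d))


def mul(m, n, p):
    (a, b), (c, d) = m
    (e, f), (g, h) = n
    return (((a * e + b * g) % p, (a * f + b * h) % p),
            ((c * e + d * g) % p, (c * f + d * h) % p))


def inverse(m, p):
    (a, b), (c, d) = m               # det = 1, so the adjugate is the inverse
    return ((d, (-b) % p), ((-c) % p, a))


def sample(p, rng):
    """Uniform element of SL_2(F_p): a uniform index, decoded."""
    return decode(rng.randrange(order_sl2(p)), p)


def check_bijection(p):
    """Decode every index, verify det 1 and the round trip; return distinct count."""
    seen = set()
    for i in range(order_sl2(p)):
        m = decode(i, p)
        (a, b), (c, d) = m
        if (a * d - b * c) % p != 1 or encode(m, p) != i:
            return -1
        seen.add(m)
    return len(seen)
```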

Product Groups. Arguably the simplest group family for which the negative results of [12] apply, are certain n-fold product groups. These are groups of the form \(G^n\) where G is a fixed, constant-size group (e.g., \(S_5\)). This opens up the possibility of simply replacing the XOR operation (i.e., \(\mathbb {Z}/2\) addition) with composition in some other constant-size group (e.g., \(S_5\)), and retaining the same n-fold product structure.

Some care is needed, however, because there do exist nontrivial algorithms in this case. When the base group G is solvable, then there are efficient algorithms for both HSP and Hidden Shift (see Theorem 4.17 in [10]). It is important to note that this efficient algorithm applies even to some groups (e.g., \((S_4)^n\)) for which the negative results of [12] also apply. Nevertheless, solvability seems crucial for [10], and choosing \(G = S_5\) for the base group gives a family for which no nontrivial Hidden Shift algorithms are known. We remark that there is however a \(2^{O(\sqrt{n \log n})}\)-time algorithm for order-2 Hidden Subgroup Problems on \(G^n\) based on Kuperberg’s sieve [1]; this suggests the possibility of subexponential (i.e., \(2^{O(n^\delta )}\) for \(\delta < 1\)) algorithms for Hidden Shift over these groups.

4 Hidden Shift Even-Mansour Ciphers

We now address the question of repairing classical symmetric-key schemes which are vulnerable to Simon’s algorithm. We begin with the simplest construction, the so-called Even-Mansour cipher [8].

4.1 Generalizing the Even-Mansour Scheme

The Standard Scheme. The Even-Mansour construction turns a publicly known, random permutation \(P : \{0,1\}^n \rightarrow \{0,1\}^n\) into a keyed, pseudorandom permutation

$$\begin{aligned} E^P_{k_1, k_2} : \{0,1\}^n&\longrightarrow \{0,1\}^n\\ x&\longmapsto P(x \oplus k_1) \oplus k_2 \end{aligned}$$

where \(k_1, k_2 \in \{0,1\}^n\), and \(\oplus \) denotes bitwise XOR. This scheme is relevant in two settings:

  1. simply as a source of pseudorandomness; in this setting, oracle access to P is provided to all parties.

  2. as a block cipher; now oracle access to both P and \(P^{-1}\) is provided to all parties. Access to \(P^{-1}\) is required for decryption. One can then ask if \(E^P\) is a PRP (adversary gets access to \(E^P\)), or a strong PRP (adversary gets access to both \(E^P\) and its inverse).

In all of these settings, Even-Mansour is known to be information-theoretically secure against classical adversaries making at most polynomially-many queries [8].

Quantum Chosen Plaintext Attacks on the Standard Scheme. The proofs of classical security of Even-Mansour carry over immediately to the setting of quantum adversaries with only classical access to the relevant oracles. However, if an adversary is granted quantum oracle access to the P and \(E^P\) oracles, but no access at all to the inverse oracles, then Even-Mansour is easily broken. This attack was first described in [19]; a complete analysis is given in [14]. The attack is simple: First, one uses the quantum oracles for P and \(E^P\) to create a quantum oracle for \(P \oplus E^P\), i.e., the function

$$\begin{aligned} f(x) = P(x) \oplus P(x \oplus k_1) \oplus k_2. \end{aligned}$$

One then runs Simon’s algorithm [31] on the function f. The claim is that, with high probability, Simon’s algorithm will output \(k_1\). To see this, note that f satisfies half of Simon’s promise, namely \(f(x \oplus k_1) = f(x)\). Moreover, if it is classically secure, then it almost satisfies the entire promise. More precisely, for any fixed P and random pair \((x, y)\), either the probability of a collision \(f(x) = f(y)\) is low enough for Simon’s algorithm to succeed, or there are so many collisions that there exists a classical attack [14]. Once we have recovered \(k_1\), we also immediately recover \(k_2\) with a classical query, since \(k_2 = E^P_{k_1, k_2}(x) \oplus P(x \oplus k_1)\) for any x.

Hidden Shift Even-Mansour. To address the above attack, we propose simple variants of the Even-Mansour scheme. The construction generalizes the standard Even-Mansour scheme in the manner described in Sect. 1. Each variant is parameterized by a family of exponentially-large finite groups G. The general construction is straightforward to describe. We begin with a public permutation \(P : G \rightarrow G\), and from it construct a family of keyed permutations

$$\begin{aligned} E^P_{k_1, k_2} (x) = P(x \cdot k_1) \cdot k_2, \end{aligned}$$

where \(k_1, k_2\) are now uniformly random elements of G, and \(\cdot \) denotes composition in G. The formal definition, as a block cipher, follows.

Scheme 1

(Hidden Shift Even-Mansour block cipher). Let \(\mathcal G\) be a family of finite, exponentially large groups, satisfying the efficient encoding conditions given in Sect. 3.2. The scheme consists of three polynomial-time algorithms, parameterized by a permutation P of the elements of a group G in \(\mathcal G\):

  • \(\mathsf {KeyGen}: \mathbb {N}\rightarrow G \times G\); on input |G|, outputs \((k_1, k_2) \in _R G \times G\);

  • \(\mathsf {Enc}_{k_1, k_2}^P : G \rightarrow G\); defined by \(m \mapsto P(m \cdot k_1) \cdot k_2\);

  • \(\mathsf {Dec}_{k_1, k_2}^P : G \rightarrow G\); defined by \(c \mapsto P^{-1}(c \cdot k_2^{-1}) \cdot k_1^{-1}\).

For simplicity of notation, we set \(E^P_{k_1, k_2} := \mathsf {Enc}_{k_1, k_2}^P\). Note that \(\mathsf {Dec}_{k_1, k_2}^P = \bigl (E^P_{k_1, k_2}\bigr )^{-1}\). Correctness of the scheme is immediate; in the next section, we present several arguments for its security in various settings. All of these arguments are based on the conjectured hardness of certain Hidden Shift problems over \(\mathcal G\).

4.2 Security Reductions

We consider two settings. In the first, the adversary is given oracle access to the permutation P, and then asked to distinguish the Even-Mansour cipher \(E^P_{k_1, k_2}\) from a random permutation unrelated to P. In the second setting, the adversary is given oracle access to P, \(P^{-1}\), as well as \(E^P_{k_1, k_2}\) and its inverse; the goal in this case is to recover the key \((k_1, k_2)\) (or some part thereof).

Distinguishability from Random. We begin with the first setting described above. We fix a group G, and let \(\mathcal P_G\) denote the family of all permutations of G. Select a uniformly random \(P \in \mathcal P_G\). The encryption map for the Hidden Shift Even-Mansour scheme over G can be written as

$$\begin{aligned} E^P_{k_1, k_2} = L_{k_2} \circ P \circ L_{k_1}. \end{aligned}$$

Here \(L_k\) denotes the translation \(x \mapsto kx\), so that a hidden shift \(g(x) = f(sx)\) reads \(g = f \circ L_s\). Scheme 1 places the keys on the right instead; the two conventions are interchangeable via the relabelling \(x \mapsto x^{-1}\), which turns left shifts into right shifts, and they coincide for the abelian family \(\mathbb {Z}/{2^n}\). If we have oracle access to P, then this is clearly an efficiently computable subfamily of \(\mathcal P_G\), indexed by key-pairs. For pseudorandomness, the relevant problem is then to distinguish \(E^P\) from a random permutation which is unrelated to the oracle P.

Problem 6

(Even-Mansour Distinguishability (EMD)). Given oracle access to permutations \(P, Q \in \mathcal P_G\) and a promise that either (i) both P and Q are random, or (ii) P is random and \(Q = E^P_{k_1, k_2}\) for random \(k_1, k_2\), decide which is the case.

It is straightforward to connect this problem to the decisional version of Random Hidden Shift, as follows.

Proposition 4

If there exists a QPT \(\mathcal D\) for EMD on \(\mathcal G\), then there exists a QPT algorithm for the DRHS problem on \(\mathcal G\), with soundness and completeness at most negligibly different from those of \(\mathcal D\).

Proof

Let f, g be the two oracle functions for the DRHS problem over G. We know that f is a random function from G to G, and we must decide if g is also random, or simply a shift of f. We sample \(t_1, t_2\) uniformly at random from G, and provide \(\mathcal D\) with oracles f (in place of P), and \(g' := L_{t_2} \circ g \circ L_{t_1}\) (in place of \(E^P\)). We then simply output what \(\mathcal D\) outputs. Note that (f, g) are uniformly random permutations if and only if \((f, g')\) are. In addition, \(g = f \circ L_s\) if and only if \(g' = L_{t_2} \circ f \circ L_{st_1}\). It follows that the input distribution to \(\mathcal D\) is as in EMD, modulo the fact that the oracles in DRHS are random functions rather than random permutations. The error resulting from this is at most negligible, by the collision-finding bound of Zhandry [35].    \(\square \)

Next, we want to amplify the DRHS distinguisher, and then apply the reduction from Hidden Shift given in Proposition 3. Combining this with Proposition 4, we arrive at a complete security reduction.

Theorem 3

Let \(\mathcal G\) be either the \(\mathbb {Z}/{2^n}\) group family or the \(S_n\) group family. Under Assumption 4, the Hidden Shift Even-Mansour cipher over \(\mathcal G\) is a quantum-secure pseudorandom permutation (qPRP), i.e., no QPT adversary with quantum oracle access to P and \(E^P_{k_1, k_2}\) can distinguish \(E^P_{k_1, k_2}\) from a random permutation unrelated to P with non-negligible advantage.

Proof

Let \(\mathcal G\) be either the \(\mathbb {Z}/{2^n}\) group family, or the \(S_n\) group family. If the Even-Mansour cipher over \(\mathcal G\) is not a qPRP, then by Definition 3, there exists an algorithm \(\mathcal D_\textsf {EMD}\) for the EMD problem with total (i.e., completeness plus soundness) error at most \(1 - 1/s(n)\) for some polynomial s. To give the adversary as much freedom as possible, we assume that the probability of selecting the public permutation P is taken into account here; that is, \(\mathcal D_\textsf {EMD}\) need only succeed with inverse-polynomial probability over the choices of permutation P, keys \(k_1, k_2\), and its internal randomness.

By Proposition 4, we then also have a DRHS algorithm \(\mathcal D_{{\textsf {DRHS}}}\) with error at most \(1 - 1/s(n)\) (up to negligible terms). We can amplify this algorithm by means of a 2k-wise independent hash function family \(\mathcal H\), where k is an upper bound on the running time of \(\mathcal D_{{\textsf {DRHS}}}\) (for the given input size n and required error bound 1 / s(n)). Given functions fg for the DRHS problem on G, we select a random function \(h \in \mathcal H\) and a random group element \(t \in G\). We then call \(\mathcal D_{{\textsf {DRHS}}}\) with oracles

$$\begin{aligned} f' := h \circ f \qquad \text {and} \qquad g'_t := h \circ g \circ L_t \end{aligned}$$

Note that, to any efficient quantum algorithm, (i) f and g are random if and only if \(f'\) and \(g'_{t}\) are, and (ii) \(g(x) = f(sx)\) if and only if \(g'_t(x) = f'(stx)\). We know that \(\mathcal D_{{\textsf {DRHS}}}\) distinguishes with advantage at least 1/s(n), except that the probability is now taken over the choice of t and h (rather than f and g). We repeat this process with fresh independent choices of h and t and apply a threshold rule to the outcomes. A standard Chernoff bound shows that \(O(s(n)^2 \cdot n)\) runs suffice to distinguish correctly with probability \(1 - {\text {negl}}(n)\).

Finally, we apply Proposition 3, to get an algorithm for Random Hidden Shift with negligible error; by Proposition 1, we get an equally strong algorithm for Hidden Shift.    \(\square \)

Key Recovery Attacks. We now consider partial or complete key recovery attacks, in the setting where the adversary also gets oracle access to the inverses of P and \(E^P_{k_1, k_2}\). Note that, for the Even-Mansour cipher on any group G, knowing the first key \(k_1\) suffices to produce the second key \(k_2\), since

$$\begin{aligned} k_2 = P(x \cdot k_1)^{-1} E^P_{k_1, k_2}(x) \end{aligned}$$

for every \(x \in G\).

We remark that giving security reductions is now complicated by the fact that Random Hidden Shift and its variants all become trivial if we are granted even a partial ability to invert f or g; querying \(f^{-1} \circ g\) on any input x produces \(x \cdot s^{-1}\), which immediately yields the shift s. However, we can still give a nontrivial reduction, as follows.

Theorem 4

Consider the Even-Mansour cipher over \(G \times G\), for any group G. Suppose there exists a QPT algorithm which, when granted oracle access to P, \(E^P_{k_1, k_2}\), and their inverses, outputs \(k_1, k_2\). Then there exists an efficient quantum algorithm for the Hidden Shift problem over G.

Proof

We are given oracle access to functions \(f, g : G \rightarrow G\) and a promise that there exists \(s \in G\) such that \(f(x) = g(x\cdot s)\) for all \(x \in G\). We define the following oracles, which can be constructed from access to f and g. First, we have permutations \(P_f, P_g : G \times G \rightarrow G \times G\) defined by

$$\begin{aligned} P_f (x, y) = (x, y \cdot f(x)) \qquad \text {and} \qquad P_g(x, y) = (x, y \cdot g(x)). \end{aligned}$$

Now we sample keys \(k_1 = (x_1, y_1), k_2 = (x_2, y_2)\) from \(G \times G\) and define the function \(E := E^{P_f}_{k_1, k_2}\). To the key-recovery adversary \(\mathcal A\) for Even-Mansour over \(G \times G\), we provide the oracles E and \(E^{-1}\) for the encryption/decryption oracles, and the oracles \(P_g\) and \(P_g^{-1}\) for the public permutation oracles.

To see that we can recover the shift s from the output of \(\mathcal A\), we rewrite E in terms of g, as follows:

$$\begin{aligned} E(x, y)&= P_f ( x x_1, y y_1) \cdot (x_2, y_2)\\&= (x x_1, y y_1 f(x x_1)) \cdot (x_2, y_2)\\&= (x x_1 s, y y_1 f(x x_1)) \cdot (s^{-1} x_2, y_2)\\&= (x x_1 s, y y_1 g(x x_1 s)) \cdot (s^{-1} x_2, y_2)\\&= P_g(x x_1 s, y y_1) \cdot (s^{-1} x_2, y_2). \end{aligned}$$

After complete key recovery, \(\mathcal A\) will output \((x_1 s, y_1)\) and \((s^{-1} x_2, y_2)\), from which we easily deduce s.   \(\square \)

Remark. The reduction above focuses on the problem of recovering the entire key. Note that for certain groups, e.g., \(\mathbb {Z}/p\) for prime p, predicting any bit of the key with inverse-polynomial advantage is sufficient to recover the entire key (see Håstad and Nåslund [13]). In such cases we may conclude that predicting individual bits of the key is difficult.

5 Hidden Shift CBC-MACs

5.1 Generalizing the Encrypted-CBC-MAC Scheme

The Standard Scheme. The standard Encrypted-CBC-MAC construction requires a pseudorandom permutation \(E_k : \{0,1\}^n \rightarrow \{0,1\}^n\). A message m is subdivided into blocks \(m = m_1 || m_2 || \cdots || m_l\), each of length n. The tag is then computed by repeatedly encrypting-and-XORing the message blocks, terminating with one additional round of encryption with a different key. Specifically, we set

$$\begin{aligned} \text {CBC-MAC}_{k, k'}(m) := E_{k'}( E_k ( m_l \oplus E_k ( \cdots E_k(m_2 \oplus E_k(m_1)) \cdots ))). \end{aligned}$$

This yields a secure MAC for variable-length messages.

Quantum Chosen Plaintext Attacks on the Standard Scheme. If we are granted quantum CPA access to CBC-MAC\(_{k, k'}\), then there is a \((\mathbb {Z}/2)^n\)-hidden-shift attack, described below. This attack was described in [14]; another version of the attack appears in [29]. Consider messages consisting of two blocks, and fix the first block to be one of two distinct values \(\alpha _0 \ne \alpha _1\). We use the oracle for \(\text {CBC-MAC}_{k, k'}\) to construct an oracle for the function

$$\begin{aligned} f(b, x) := \text {CBC-MAC}_{k, k'}(\alpha _b || x) = E_{k'}(E_k(x \oplus E_k(\alpha _b))). \end{aligned}$$

Note that f satisfies Simon’s promise, since

$$\begin{aligned} f(b \oplus 1, x \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)) = f(b, x) \end{aligned}$$

for all b, x. We can thus run Simon’s algorithm to recover the string \(s_k = E_k(\alpha _0) \oplus E_k(\alpha _1)\). Knowledge of \(s_k\) enables us to find an exponential number of collisions, since

$$\begin{aligned} \text {CBC-MAC}_{k, k'}(\alpha _0 || x) = \text {CBC-MAC}_{k, k'}(\alpha _1 || x \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)). \end{aligned}$$

In particular, this CBC-MAC does not satisfy the Boneh-Zhandry notion of a secure MAC in the quantum world [2].
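The attack on Encrypted-CBC-MAC above and the attack on the standard Even-Mansour cipher in Sect. 4.1 share one engine: Simon’s algorithm applied to a function with an XOR period. The following Python code is an added example, not part of the paper: it simulates the measurement statistics of Simon’s circuit exactly (at cost \(4^m\) for m input bits, hence 6-bit toy blocks), recovers the period by collecting samples until the candidate set is a single vector, and then runs both attacks end to end against constructed random permutations with fixed seeds. For Even-Mansour it outputs \((k_1, k_2)\); for the MAC it outputs \(s_k = E_k(\alpha _0) \oplus E_k(\alpha _1)\) together with a colliding pair of two-block messages.

```python
# Added example, not part of the paper: the Simon-based chosen-plaintext attacks
# of Sect. 4.1 (Even-Mansour) and Sect. 5.1 (Encrypted-CBC-MAC), with the quantum
# step replaced by an exact classical simulation of Simon's measurement statistics.
# For F: {0,1}^m -> S, one run of Simon's circuit yields y with probability
# proportional to sum_v |sum_{x: F(x)=v} (-1)^{x.y}|^2, and every such y satisfies
# y.s = 0 for every XOR period s of F.  The simulation costs 4^m, so block sizes
# are tiny.  P, E_k and E_{k'} are constructed random permutations.
import random


def rand_perm(n, rng):
    """Constructed random permutation of {0,1}^n as a lookup table."""
    tab = list(range(1 << n))
    rng.shuffle(tab)
    return tab


def parity(x):
    return bin(x).count("1") & 1


def simon_sample(F, m, rng):
    """Simulate one measurement of Simon's circuit on F: {0,1}^m -> S."""
    size = 1 << m
    weights = []
    for y in range(size):
        signed_counts = {}                     # value v -> sum over F^-1(v) of (-1)^{x.y}
        for x in range(size):
            v = F(x)
            signed_counts[v] = signed_counts.get(v, 0) + (1 - 2 * parity(x & y))
        weights.append(sum(a * a for a in signed_counts.values()))
    return rng.choices(range(size), weights=weights)[0]


def nonzero_kernel(rows, m):
    """All nonzero s with y.s = 0 (mod 2) for every sampled y (brute force over 2^m)."""
    return [s for s in range(1, 1 << m) if all(parity(y & s) == 0 for y in rows)]


def simon_period(F, m, rng, max_samples=None):
    """Sample until exactly one nonzero candidate period remains; None on failure."""
    max_samples = max_samples or 10 * m
    rows = []
    for _ in range(max_samples):
        rows.append(simon_sample(F, m, rng))
        cands = nonzero_kernel(rows, m)
        if len(cands) <= 1:
            return cands[0] if cands else None
    return None


def even_mansour_attack(P, E, n, rng):
    """Sect. 4.1: f = P xor E has XOR period k1; one classical query then gives k2."""
    f = lambda x: P[x] ^ E(x)                  # f(x ^ k1) == f(x) for all x
    k1 = simon_period(f, n, rng)
    if k1 is None:
        return None
    return k1, E(0) ^ P[k1]                    # k2 = E(x) xor P(x xor k1), with x = 0


def cbc_mac(Ek, Ekp, blocks):
    """Standard Encrypted-CBC-MAC on n-bit blocks, given PRP tables E_k and E_k'."""
    state = Ek[blocks[0]]
    for blk in blocks[1:]:
        state = Ek[blk ^ state]
    return Ekp[state]


def cbc_mac_attack(Ek, Ekp, n, rng, alpha0=0, alpha1=1):
    """Sect. 5.1: f(b, x) = MAC(alpha_b || x) has period (1, E_k(a0) xor E_k(a1))."""
    mask = (1 << n) - 1
    F = lambda bx: cbc_mac(Ek, Ekp, [alpha1 if bx >> n else alpha0, bx & mask])
    period = simon_period(F, n + 1, rng)       # input is the (n+1)-bit string b || x
    if period is None or period >> n != 1:
        return None
    s = period & mask
    x = rng.randrange(1 << n)
    return s, [alpha0, x], [alpha1, x ^ s]     # the two messages collide under the MAC
```

Every sampled y satisfies \(y \cdot s = 0\) for each exact period s, so the candidate set always contains the true period and can only shrink towards it; the `None` return covers the failure mode discussed in [14], where f has additional exact periods or the samples fail to span the orthogonal complement within the sample budget.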

Hidden Shift CBC-MAC. We propose generalizing the Encrypted-CBC-MAC construction above, by allowing the bitwise XOR operation to be replaced by composition in some exponentially-large family of finite groups G. Each message block is then identified with an element of G, and we view the pseudorandom permutation \(E_k\) as a permutation of the group elements of G. We then define

$$\begin{aligned} \text {CBC-MAC}^G_{k, k'} : G^*&\longrightarrow G \\ (m_1, \dots , m_l)&\longmapsto E_{k'}( E_k ( m_l \cdot E_k ( \cdots E_k(m_2 \cdot E_k(m_1)) \cdots ))), \end{aligned}$$

where \(\cdot \) denotes the group operation in G.

Scheme 2

(Hidden Shift Encrypted-CBC-MAC). Let G be a family of finite, exponentially large groups satisfying the efficient encoding conditions given in Sect. 3.2. Let \(E_k : G \rightarrow G\) be a quantum-secure pseudorandom permutation. The scheme consists of three polynomial-time algorithms:

  • \(\mathsf {KeyGen}\); on input |G|, outputs two keys \(k, k'\) using key generation for E;

  • \(\mathsf {Mac}_{k, k'} : m \longmapsto E_{k'}( E_k ( m_l \cdot E_k ( \cdots E_k(m_2 \cdot E_k(m_1)) \cdots )))\);

  • \(\mathsf {Ver}_{k, k'} : (m, t) \mapsto \textsf {accept}\) if \(\mathsf {Mac}_{k, k'}(m) = t\), and reject otherwise.

We consider the security of this scheme in the next section.
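For a runnable view of Schemes 1 and 2, the following Python code (an added example, not from the paper) implements both constructions against a minimal group interface and instantiates it with \(\mathbb {Z}/2^n\) and with \(S_n\) (permutations as tuples, composition as the group operation). The public permutation P and the pseudorandom permutations \(E_k, E_{k'}\) are constructed random bijections of the group’s elements with fixed seeds, standing in for the idealised objects in the text. The last function checks the precondition of the Sect. 4.1 attack, an exact XOR period of \(P(x) \oplus E(x)\): it is present for the standard scheme and absent for the \(\mathbb {Z}/2^n\) variant.

```python
# Added example, not part of the paper: Scheme 1 and Scheme 2 over an abstract
# group, instantiated with Z/2^n and with S_n.  P and E_k are constructed random
# bijections of the group's elements (seeded lookup tables); keys are uniform in G.
import itertools
import random


class CyclicGroup:
    """Z/2^n with addition mod 2^n; elements are the ints 0 .. 2^n - 1."""
    def __init__(self, n):
        self.mod = 1 << n
        self.elements = list(range(self.mod))

    def op(self, a, b):
        return (a + b) % self.mod

    def inv(self, a):
        return (-a) % self.mod


class SymmetricGroup:
    """S_n; an element is a tuple p with p[i] the image of i, op is composition."""
    def __init__(self, n):
        self.elements = list(itertools.permutations(range(n)))

    def op(self, a, b):                        # (a . b)(i) = a(b(i)); nonabelian for n >= 3
        return tuple(a[b[i]] for i in range(len(a)))

    def inv(self, a):
        out = [0] * len(a)
        for i, ai in enumerate(a):
            out[ai] = i
        return tuple(out)


def random_bijection(group, rng):
    """Constructed stand-in for P or E_k: a random permutation of G, with its inverse."""
    images = list(group.elements)
    rng.shuffle(images)
    fwd = dict(zip(group.elements, images))
    return fwd, {v: k for k, v in fwd.items()}


class HiddenShiftEvenMansour:
    """Scheme 1: Enc(m) = P(m . k1) . k2 and Dec(c) = P^-1(c . k2^-1) . k1^-1."""
    def __init__(self, group, P, k1, k2):
        self.G, (self.P, self.Pinv), self.k1, self.k2 = group, P, k1, k2

    def enc(self, m):
        return self.G.op(self.P[self.G.op(m, self.k1)], self.k2)

    def dec(self, c):
        G = self.G       # order matters in S_n: strip k2 on the right, invert P, strip k1
        return G.op(self.Pinv[G.op(c, G.inv(self.k2))], G.inv(self.k1))


def hidden_shift_cbc_mac(group, Ek, Ekp, blocks):
    """Scheme 2: E_k'( E_k( m_l . E_k( ... E_k(m_2 . E_k(m_1)) ... ) ) )."""
    state = Ek[blocks[0]]
    for blk in blocks[1:]:
        state = Ek[group.op(blk, state)]
    return Ekp[state]


def roundtrip_ok(group, rng, trials=50):
    """Dec(Enc(m)) == m for a random P and random keys over the given group."""
    em = HiddenShiftEvenMansour(group, random_bijection(group, rng),
                                rng.choice(group.elements), rng.choice(group.elements))
    return all(em.dec(em.enc(m)) == m
               for m in (rng.choice(group.elements) for _ in range(trials)))


def xor_periods(n, rng):
    """Exact XOR periods of f(x) = P(x) xor E(x): standard vs. Z/2^n Even-Mansour."""
    G = CyclicGroup(n)
    P, _ = random_bijection(G, rng)
    k1, k2 = rng.choice(G.elements[1:]), rng.choice(G.elements)   # k1 != 0
    E_xor = lambda x: P[x ^ k1] ^ k2                 # standard scheme: f(x ^ k1) = f(x)
    E_add = lambda x: G.op(P[G.op(x, k1)], k2)       # Scheme 1 over Z/2^n

    def periods(E):
        return {t for t in G.elements[1:]
                if all(P[x] ^ E(x) == P[x ^ t] ^ E(x ^ t) for x in G.elements)}
    return k1, periods(E_xor), periods(E_add)
```

The round trip over \(S_4\) is the check worth keeping: in a nonabelian group \(\mathsf {Dec}\) must strip \(k_2\) on the right before inverting P and strip \(k_1\) on the right afterwards, exactly as in Scheme 1, and any other order silently decrypts to garbage.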

5.2 Security Reduction

We now give a reduction from the Random Hidden Shift problem to collision-finding in the above CBC-MAC.

Theorem 5

Let \(\mathcal G\) be either the \(\mathbb {Z}/{2^n}\) group family or the \(S_n\) group family. Under Assumption 4, the Hidden-Shift CBC-MAC over \(\mathcal G\) is a collision-resistant function.

Proof

For simplicity, we assume that the collision-finding adversary finds collisions between equal-length messages. This is of course trivially true, for example, if the MAC is used only for messages of some a priori fixed length.

Suppose we are given an instance of the Hidden Shift problem, i.e., a pair of functions \(F_0, F_1\) with the promise that \(F_0\) is random and \(F_1\) is a shift of \(F_0\). We have at our disposal a QPT \(\mathcal A\) which finds collisions in the Hidden Shift Encrypted-CBC-MAC. We assume without loss of generality that, whenever \(\mathcal A\) outputs a collision \((c, c')\), there is no pair of prefixes of \((c, c')\) that also give a valid collision; indeed, we can easily build an \(\mathcal A'\) which, whenever such prefixes exist, simply outputs the prefix collision instead.

We assume for the moment that the number of message blocks in c and \(c'\) is the same number t. Since the number of blocks and the running time of \(\mathcal A\) are polynomial, we can simply guess t, and we will guess correctly with inverse-polynomial probability. We run \(\mathcal A\) with a modified oracle \(\mathcal O\) which “inserts” our hidden shift problem at stage t. This is defined as follows.

Let m be our input message, and l the number of blocks. If \(l < t\), we simply output the usual Encrypted-CBC-MAC of m. If \(l \ge t\), we first perform \(t-1\) rounds of the CBC procedure, computing a function

$$\begin{aligned} h (m) := E_k( m_{t-1} \cdot E_k(\cdots E_k(m_2 \cdot E_k(m_1)) \cdots )). \end{aligned}$$

Note that h only depends on the first \(t-1\) blocks of m. Next, we compute \(F_{b(m)}(m_t \cdot h(m))\), where \(b\) is a random function from messages to \(\{0,1\}\) that is fixed once for the whole execution, so that the oracle answers consistently when the same message is queried twice. We then finish the rest of the rounds of the CBC procedure, outputting

$$\begin{aligned} \mathcal O(m) := E_{k'} ( E_k ( m_l \cdot E_k(\cdots E_k(F_{b(m)}(m_t \cdot h(m))) \cdots ))). \end{aligned}$$

It’s not hard to see that the distribution that the adversary observes will be indistinguishable from the usual Encrypted-CBC-MAC. Suppose a collision \((m, m')\) is output. We set \(x_1 = m_1 || m_2 || \cdots || m_{t-1}\) and \(x_2 = m_1' || m_2' || \cdots || m_{t-1}'\) and \(y_1 = m_t\) and \(y_2 = m_t'\). The collision then means that

$$\begin{aligned} F_{b(m)}(y_1 \cdot h(x_1)) = F_{b(m')}(y_2 \cdot h(x_2)). \end{aligned}$$

Since \(m \ne m'\), with probability 1 / 2 we have \(b(m) \ne b(m')\). We repeat \(\mathcal A\) until we achieve inequality of these bits. We then have

$$\begin{aligned} F_0(y_1 \cdot h(x_1)) = F_1(y_2 \cdot h(x_2)) = F_0(y_2 \cdot h(x_2) \cdot s) \end{aligned}$$

and so the shift is simply \(s = y_2^{-1} h(x_2)^{-1} y_1 h(x_1)\).    \(\square \)

6 Thwarting the Simon Attack on Other Schemes

It is reasonable to conjecture that our transformation secures (classically secure) symmetric-key schemes against quantum CPA, generically. So far, we have only been able to give complete security reductions in the cases of the Even-Mansour cipher and the Encrypted-CBC-MAC. For the case of all other schemes vulnerable to the Simon algorithm attacks of [14, 18, 19], we can only say that the attack is thwarted by passing from \((\mathbb {Z}/2)^n\) to \(\mathbb {Z}/{2^n}\) or \(S_n\). We now briefly outline two cases of particular note. For further details, see Appendix B.

The first case is the Feistel network construction, which transforms random functions into pseudorandom permutations. While the three-round Feistel cipher is known to be classically secure [20], no security proof is known in the quantum CPA case, for any number of rounds. In [18], a quantum chosen-plaintext attack is given for the three-round Feistel cipher, again based on Simon’s algorithm. The attack is based on the observation that, if one fixes the first half of the input to one of two fixed values \(\alpha _0 \ne \alpha _1\), then the output contains one of two functions \(f_{\alpha _0}\), \(f_{\alpha _1}\), which are \((\mathbb {Z}/2)^n\)-shifts of each other. However, if we instead replace each bitwise XOR in the Feistel construction with addition in \(\mathbb {Z}/{2^n}\), the two functions become \(\mathbb {Z}/{2^n}\)-shifts, and the attack now requires a cyclic Hidden Shift subroutine.

The second case is what [14] refer to as the “quantum slide attack,” which uses Simon’s algorithm to give a linear-time quantum chosen-plaintext attack, an exponential speedup over classical slide attacks. The attack works against ciphers \(E_{k, t}(x) := k \oplus (R_k)^t(x)\) which consist of t rounds of a function \(R_k(x) := R(x \oplus k)\). In the attack, one simply observes that \(E_{k, t} (R(x))\) is a shift of \(R(E_{k, t} (x))\) by the key k, and then applies Simon’s algorithm. To defeat this attack, we simply work over \(\mathbb {Z}/{2^n}\), setting \(E_{k, t}(x) := k + (R_k)^t(x)\) and \(R_k(x) := R(x+k)\). It’s easy to see that the same attack now requires a Hidden Shift subroutine for \(\mathbb {Z}/{2^n}\).
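As an added illustration (not code from the paper), the following Python check makes the group change concrete for a toy 8-bit instance of the slide-attack setting above. It assumes a constructed random permutation R as the round function, and uses the pair \(f_0(x) = E_{k,t}(R(x)) - x\), \(f_1(x) = R(E_{k,t}(x)) - x\) in the style of [14], where \(-\) is taken in the group in question; the check confirms that the XOR cipher yields a \((\mathbb {Z}/2)^n\)-shift by k and the additive cipher a \(\mathbb {Z}/{2^n}\)-shift by k, and that neither is a shift in the other group.

```python
"""Exhaustive check of the slide-attack shift structure from Section 6.
Added example; R is a constructed random permutation, n = 8 so that
every identity below can be verified over all 2^n inputs."""
import random

N = 8
MASK = (1 << N) - 1


def make_round_function(seed: int):
    """Constructed: a fixed random n-bit permutation standing in for R."""
    rng = random.Random(seed)
    table = list(range(1 << N))
    rng.shuffle(table)
    return lambda x: table[x]


def self_similar_cipher(R, k: int, t: int, additive: bool):
    """E_{k,t}(x) = k * (R_k)^t(x) with R_k(x) = R(x * k), where '*' is
    XOR (group (Z/2)^n) or addition mod 2^n (group Z/2^n)."""
    op = (lambda a, b: (a + b) & MASK) if additive else (lambda a, b: a ^ b)

    def E(x: int) -> int:
        for _ in range(t):
            x = R(op(x, k))       # one round R_k
        return op(k, x)           # final key whitening
    return E


def slide_pair_is_hidden_shift(R, k: int, t: int,
                               additive_cipher: bool,
                               additive_shift: bool) -> bool:
    """True iff f0(x * k) == f1(x) for every x, with
    f0(x) = E(R(x)) - x and f1(x) = R(E(x)) - x, where '*' and '-' are
    taken in the group selected by additive_shift. A True result means
    (f0, f1) is a Hidden Shift instance over that group with shift k."""
    E = self_similar_cipher(R, k, t, additive_cipher)
    if additive_shift:
        add = lambda a, b: (a + b) & MASK
        sub = lambda a, b: (a - b) & MASK
    else:
        add = sub = lambda a, b: a ^ b
    f0 = lambda x: sub(E(R(x)), x)
    f1 = lambda x: sub(R(E(x)), x)
    return all(f0(add(x, k)) == f1(x) for x in range(1 << N))
```

The additive identity follows from \(E_{k,t}(R(x+k)) = R(E_{k,t}(x)) + k\), which is exactly the relation the text uses, with XOR replaced by addition.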
