Breaking Symmetric Cryptosystems Using Quantum Period Finding

Abstract

Due to Shor’s algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it.

We study applications of a quantum procedure called Simon’s algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon’s algorithm: finding a collision requires \(\varOmega (2^{n/2})\) queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only O(n) queries in the quantum model.

We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure with a quantum-secure PRF.

Second, we show that Simon’s algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.

1 Introduction

The goal of post-quantum cryptography is to prepare cryptographic primitives to resist quantum adversaries, i.e. adversaries with access to a quantum computer. Indeed, cryptography would be particularly affected by the development of large-scale quantum computers. While currently used asymmetric cryptographic primitives would suffer from devastating attacks due to Shor’s algorithm [43], the status of symmetric ones is not so clear: generic attacks, which define the security of ideal symmetric primitives, would get a quadratic speed-up thanks to Grover’s algorithm [24], hinting that doubling the key length could restore an equivalent ideal security in the post-quantum world. Even though the community seems to consider the issue settled with this solution [6], only very little is known about real world attacks, that determine the real security of used primitives. Very recently, this direction has started to draw attention, and interesting results have been obtained. New theoretical frameworks to take into account quantum adversaries have been developed [2, 11, 12, 15, 20, 23].

Simon’s algorithm [44] is central in quantum algorithm theory. Historically, it was an important milestone in the discovery by Shor of his celebrated quantum algorithm to solve integer factorization in polynomial time [43]. Interestingly, Simon’s algorithm has also been applied in the context of symmetric cryptography. It was first used to break the 3-round Feistel construction [31] and then to prove that the Even-Mansour construction [32] is insecure with superposition queries. While Simon’s problem (which is the problem solved with Simon’s algorithm) might seem artificial at first sight, it appears in certain constructions in symmetric cryptography, in which ciphers and modes typically involve a lot of structure.

These first results, although quite striking, are not sufficient for evaluating the security of actual ciphers. Indeed, the confidence we have on symmetric ciphers depends on the amount of cryptanalysis that was performed on the primitive. Only this effort allows researchers to define the security margin which measures how far the construction is from being broken. Thanks to the large and always updated cryptanalysis toolbox built over the years in the classical world, we have solid evaluations of the security of the primitives against classical adversaries. This is, however, no longer the case in the post-quantum world, i.e. when considering quantum adversaries.

We therefore need to build a complete cryptanalysis toolbox for quantum adversaries, similar to what has been done for the classical world. This is a fundamental step in order to correctly evaluate the post-quantum security of current ciphers and to design new secure ciphers for the post-quantum world.

Our Results. We make progresses in this direction, and open new surprising and important ranges of applications for Simon’s algorithm in symmetric cryptography:

1. 1.

   The original formulation of Simon’s algorithm is for functions whose collisions happen only at some hidden period. We extend it to functions that have more collisions. This leads to a better analysis of previous applications of Simon’s algorithm in symmetric cryptography.

2. 2.

   We then show an attack against the LRW construction, used to turn a block-cipher into a tweakable block cipher [33]. Like the results on 3-round Feistel and Even-Mansour, this is an example of construction with provable security in the classical setting that becomes insecure against a quantum adversary.

3. 3.

   Next, we study block cipher modes of operation. We show that some of the most common modes for message authentication and authenticated encryption are completely broken in this setting. We describe forgery attacks against standardized modes (CBC-MAC, PMAC, GMAC, GCM, and OCB), and against several CAESAR candidates, with complexity only O(n), where n is the size of the block. In particular, this partially answers an open question by Boneh and Zhandry [13]: “Do the CBC-MAC or NMAC constructions give quantum-secure PRFs?”.

   Those results are in stark contrast with a recent analysis of encryption modes in the same setting: Anand et al. show that some classical encryption modes are secure against a quantum adversary when using a quantum-secure PRF [3]. Our results imply that some authentication and authenticated encryption schemes remain insecure with any block cipher.

4. 4.

   The last application is a quantization of slide attacks, a popular family of cryptanalysis that is independent of the number of rounds of the attacked cipher. Our result is the first exponential speed-up obtained directly by a quantization of a classical cryptanalysis technique, with complexity dropping from \(O(2^{n/2})\) to O(n), where n is the size of the block.

These results imply that for the symmetric primitives we analyze, doubling the key length is not sufficient to restore security against quantum adversaries. A significant effort on quantum cryptanalysis of symmetric primitives is thus crucial for our long-term trust in these cryptosystems.

The Attack Model. We consider attacks against classical cryptosystems using quantum resources. This general setting broadly defines the field of post-quantum cryptography. But attacking specific cryptosystems requires a more precise definition of the operations the adversary is allowed to perform. The simplest setting allows the adversary to perform local quantum computation. For instance, this can be modeled by the quantum random oracle model, in which the adversary can query the oracle in an arbitrary superposition of the inputs [11, 14, 45, 49]. A more practical setting allows quantum queries to the hash function used to instantiate the oracle on a quantum computer.

We consider here a much stronger model in which, in addition to local quantum operations, an adversary is granted an access to a possibly remote cryptographic oracle in superposition of the inputs, and obtains the corresponding superposition of outputs. In more detail, if the encryption oracle is described by a classical function \(\mathcal {O}_k : \{0,1\}^n \rightarrow \{0,1\}^n\), then the adversary can make standard quantum queries \(|x\rangle |y\rangle \mapsto |x\rangle |\mathcal {O}_k(x) \oplus y\rangle \), where x and y are arbitrary n-bit strings and \(| x \rangle \), \(|y\rangle \) are the corresponding n-qubit states expressed in the computational basis. A circuit representing the oracle is given in Fig. 1. Moreover, any superposition \(\sum _{x,y} \lambda _{x,y} | x \rangle | y \rangle \) is a valid input to the quantum oracle, who then returns \(\sum _{x,y} \lambda _{x,y} | x \rangle | y\oplus O_k(x) \rangle \). In previous works, these attacks have been called superposition attacks [20], quantum chosen message attacks [13] or quantum security [48].

Simon’s algorithm requires the preparation of the uniform superposition of all n-bit strings, \(\frac{1}{\sqrt{2^n}} \sum _x |x\rangle |0\rangle \) ¹. For this input, the quantum encryption oracle returns \( \frac{1}{\sqrt{2^n}} \sum _x |x\rangle |\mathcal {O}_k(x)\rangle \), the superposition of all possible pairs of plaintext-ciphertext. It might seem at first that this model gives an overwhelming power to the adversary and is therefore uninteresting. Note, however, that the laws of quantum mechanics imply that the measurement of such a 2n-qubit state can only reveal 2n bits of information, making this model nontrivial.

Fig. 1.

The quantum cryptographic oracle.

The simplicity of this model, together with the fact that it encompasses any reasonable model of quantum attacks makes it very interesting. For instance, [12] gave constructions of message authenticated codes that remain secure against superposition attacks. A similar approach was initiated by [20], who showed how to construct secure multiparty protocols when an adversary can corrupt the parties in superposition. A protocol that is proven secure in this model may truthfully be used in a quantum world.

Our work shows that superposition attacks, although they are not trivial, allow new powerful strategies for the adversary. Modes of operation that are provably secure against classical attacks can then be broken. There exist a few options to prevent the attacks that we present here. A possibility is to forbid all kind of quantum access to a cryptographic oracle. In a world where quantum resources become available, this restriction requires a careful attention. This can be achieved for example by performing a quantum measurement of any incoming quantum query to the oracle. But this task involves meticulous engineering of quantum devices whose outcome remains uncertain. Even information theoretically secure quantum cryptography remains vulnerable to attacks on their implementations, as shown by attacks on quantum key distribution [35, 46, 50].

A more realistic approach is to develop a set of protocols that remains secure against superposition attacks. Another advantage of this approach is that it also covers more advanced scenarios, for example when an encryption device is given to the adversary as an obfuscated algorithm. Our work shows how important it is to develop protocols that remain secure against superposition attacks.

Regarding symmetric cryptanalysis, we have already mentioned the protocol of Boneh and Zhandry for MACs that remains secure against superposition attacks. In particular, we answer negatively to their question asking wether CBC-MAC is secure in their model. Generic quantum attacks against symmetric cryptosystems have also been considered. For instance, [28] studies the security of iterated block ciphers, and Anand et al. investigated the security of various modes of operations for encryption against superposition attacks [3]. They show that OFB and CTR remain secure, while CBC and CFB are not secure in general (with attacks involving Simon’s algorithm), but are secure if the underlying PRF is quantum secure. Recently, [29] considers symmetric families of cryptanalysis, describing quantum versions of differential and linear attacks.

Cryptographic notions like indistinguishability or semantic security are well understood in a classical world. However, they become difficult to formalize when considering quantum adversaries. The quantum chosen message model is a good framework to study these [2, 15, 23].

In this paper, we consider forgery attacks: the goal of the attacker is to forge a tag for some arbitrary message, without the knowledge of the secret key. In a quantum setting, we follow the EUF-qCMA security definition that was given by Boneh and Zhandry [12]. A message authentication code is broken by a quantum existential forgery attack if after q queries to the cryptographic oracle, the adversary can generate at least \(q+1\) valid messages with corresponding tags.

Organization. The paper is organized as follows. First, Sect. 2 introduces Simon’s algorithm and explains how to modify it in order to handle functions that only approximately satisfy Simon’s promise. This variant seems more appropriate for symmetric cryptography and may be of independent interest. Section 3 summarizes known quantum attacks against various constructions in symmetric cryptography. Section 4 presents the attack against the LRW constructions. In Sect. 5, we show how Simon’s algorithm can be used to obtain devastating attacks on several widely used modes of operations: CBC-MAC, PMAC, GMAC, GCM, OCB, as well as several CAESAR candidates. Section 6 shows the application of the algorithm to slide attacks, providing an exponential speed-up. The paper ends in Sect. 7 with a conclusion, pointing out possible new directions and applications.

2 Simon’s Algorithm and Attack Strategy

In this section, we present Simon’s problem [44] and the quantum algorithm for efficiently solving it. The simplest version of our attacks directly exploits this algorithm in order to recover some secret value of the encryption algorithm. Previous works have already considered such attacks against 3-round Feistel schemes and the Even-Mansour construction (see Sect. 3 for details).

Unfortunately, it is not always possible to recast an attack in terms of Simon’s problem. More precisely, Simon’s problem is a promise problem, and in many cases, the relevant promise (that only a structured class of collisions can occur) is not satisfied, far from it in fact. We show in Theorem 1 below that, however, these additional collisions do not lead to a significant increase of the complexity of our attacks.

2.1 Simon’s Problem and Algorithm

We first describe Simon’s problem, and then the quantum algorithm for solving it. We refer the reader to the recent review by Montanaro and de Wolf on quantum property testing for various applications of this algorithm [38]. We assume here a basic knowledge of the quantum circuit model. We denote the addition and multiplication in a field with \(2^n\) elements by “\(\oplus \)” and “\(\cdot \)”, respectively.

We consider that the access to the input of Simon’s problem, a function f, is made by querying it. A classical query oracle is a function \(x \mapsto f(x)\). To run Simon’s algorithm, it is required that the function f can be queried quantum-mechanically. More precisely, it is supposed that the algorithm can make arbitrary quantum superpositions of queries of the form \(| x \rangle | 0 \rangle \mapsto | x \rangle | f(x) \rangle \).

Simon’s problem is the following:

This problem can be solved classically by searching for collisions. The optimal time to solve it is therefore \(\varTheta (2^{n/2}).\) On the other hand, Simon’s algorithm solves this problem with quantum complexity O(n). Recall that the Hadamard transform \(H^{\otimes n}\) applied on an n-qubit state \(|x\rangle \) for some \(x \in \{0,1\}^n\) gives \(H^{\otimes n} |x\rangle = \frac{1}{\sqrt{2^n}} \sum _{y \in \{0,1\}^n} (-1)^{x\cdot y} |y\rangle ,\) where \(x \cdot y := x_1 y_1 \oplus \cdots \oplus x_n y_n\).

The algorithm repeats the following five quantum steps.

1. 1.

   Starting with a 2n-qubit state \(|0\rangle |0\rangle \), one applies a Hadamard transform \(H^{\otimes n}\) to the first register to obtain the quantum superposition

   $$\frac{1}{\sqrt{2^n}} \sum _{x \in \{0,1\}^n} |x\rangle |0\rangle .$$
2. 2.

   A quantum query to the function f maps this to the state

   $$\frac{1}{\sqrt{2^n}} \sum _{x \in \{0,1\}^n} |x\rangle |f(x)\rangle .$$
3. 3.

   Measuring the second register in the computational basis yields a value f(z) and collapses the first register to the state:

   $$ \frac{1}{\sqrt{2}} (|z\rangle + |z \oplus s\rangle ). $$
4. 4.

   Applying again the Hadamard transform \(H^{\otimes n}\) to the first register gives:

   $$ \frac{1}{\sqrt{2}} \frac{1}{\sqrt{2^n}} \sum _{y \in \{0,1\}^n} (-1)^{y\cdot z}\left( 1+ (-1)^{y\cdot s} \right) |y\rangle . $$
5. 5.

   The vectors y such that \(y\cdot s=1\) have amplitude 0. Therefore, measuring the state in the computational basis yields a random vector y such that \(y \cdot s = 0\).

By repeating this subroutine O(n) times, one obtains \(n-1\) independent vectors orthogonal to s with high probability, and s can be recovered using basic linear algebra. Theorem 1 gives the trade-off between the number of repetitions of the subroutine and the success probability of the algorithm.

2.2 Dealing with Unwanted Collisions

In our cryptanalysis scenario, it is not always the case that the promise of Simon’s problem is perfectly satisfied. More precisely, by construction, there will always exist an s such that \(f(x) = f(x \oplus s)\) for any input x, but there might be many more collisions than those of this form. If the number of such unwanted collisions is too large, one might not be able to obtain a full rank linear system of equations from Simon’s subroutine after O(n) queries. Theorem 1 rules this out provided that f does not have too many collisions of the form \(f(x) = f(x \oplus t)\) for some \(t \not \in \{0, s\}\).

For \(f: \{0,1\}^n \rightarrow \{0,1\}^n\) such that \(f(x \oplus s) = f(x)\) for all x, consider

$$\begin{aligned} \varepsilon (f,s) = \max _{t \in \{0,1\}^n \setminus \{0,s\}} \mathrm {Pr}_x[f(x) = f(x\oplus t)]. \end{aligned}$$

(1)

This parameter quantifies how far the function is from satisfying Simon’s promise. For a random function, one expects \(\varepsilon (f,s) = \varTheta (n 2^{-n})\), following the analysis of [19]. On the other hand, for a constant function, \(\varepsilon (f,s)= 1\) and it is impossible to recover s.

The following theorem, whose proof can be found in Appendix A, shows the effect of unwanted collisions on the success probability of Simon’s algorithm.

Theorem 1

(Simon’s algorithm with approximate promise). If \(\varepsilon (f,s) \le p_0 <1\), then Simon’s algorithm returns s with cn queries, with probability at least \(1-\big (2 \big (\frac{1+p_0}{2} \big )^{\! c}\big )^n\).

In particular, choosing \(c \ge 3/(1-p_0)\) ensures that the error decreases exponentially with n. To apply our results, it is therefore sufficient to prove that \(\varepsilon (f,s)\) is bounded away from 1.

Finally, if we apply Simon’s algorithm without any bound on \(\varepsilon (f,s)\), we can not always recover s unambiguously. Still if we select a random value t orthogonal to all vectors \(u_i\) returned by each step of the algorithm, t satisfy \(f(x \oplus t) = f(x)\) with high probability.

Theorem 2

(Simon’s algorithm without promise). After cn steps of Simon’s algorithm, if t is orthogonal to all vectors \(u_i\) returned by each step of the algorithm, then \( \Pr _x[f(x \oplus t) = f(t)] \ge p_0 \) with probability at least \(1-\big (2 \big (\frac{1+p_0}{2} \big )^{\! c}\big )^n\).

In particular, choosing \(c \ge 3/(1-p_0)\) ensures that the probability is exponentially close to 1.

2.3 Attack Strategy

The general strategy behind our attacks exploiting Simon’s algorithm is to start with the encryption oracle \(E_k: \{0,1\}^n \rightarrow \{0,1\}^n\) and exhibit a new function f that satisfies Simon’s promise with two additional properties: the adversary should be able to query f in superposition if he has quantum oracle access to \(E_k\), and the knowledge of the string s should be sufficient to break the cryptographic scheme. In the following, this function is called Simon’s function.

In most cases, our attacks correspond to a classical collision attack. In particular, the value s will usually be the difference in the internal state after processing a fixed pair of messages \((\alpha _0, \alpha _1)\), i.e. \(s = E(\alpha _0) \oplus E(\alpha _1)\). The input of f will be inserted into the state with the difference s so that \(f(x) = f(x \oplus s)\).

In our work, this function f is of the form:

$$\begin{aligned} f^1: x \quad&\mapsto P(\widetilde{E}(x) + \widetilde{E}(x\oplus s)) \quad \text {or,}\\ f^2: b,x \quad&\mapsto {\left\{ \begin{array}{ll} \widetilde{E}(x) &{} \text {if}\; b = 0,\\ \widetilde{E}(x \oplus s) &{} \text {if}\; b = 1, \end{array}\right. } \end{aligned}$$

where \(\widetilde{E}\) is a simple function obtained from \(E_k\) and P a permutation. It is immediate to see that \(f^1\) and \(f^2\) have periods s for \(f^1\) or 1 ||s for \(f^2\).

In most applications, Simon’s function satisfies \(f(x)=f(y)\) for \(y \oplus x \in \{0,s\}\), but also for additional inputs x, y. Theorem 1 extends Simon’s algorithm precisely to this case. In particular, if the additional collisions of f are random, then Simon’s algorithm is successful. When considering explicit constructions, we can not in general prove that the unwanted collisions are random, but rather that they look random enough. In practice, if the function \(\varepsilon (f,s)\) is not bounded, then some of the primitives used in the construction have are far from ideal. We can show that this happens with low probability, and would imply an classical attack against the system. Applying Theorem 1 is not trivial, but it stretches the range of application of Simon’s algorithm far beyond its original version.

Construction of Simon’s Functions. To make our attacks as clear as possible, we provide the diagrams of circuits computing the function f. These circuits use a little number of basic building blocks represented in Fig. 2.

In our attacks, we often use a pair of arbitrary constants \(\alpha _0\) and \(\alpha _1\). The choice of the constant is indexed by a bit b. We denote by \(U_\alpha \) the gate that maps b to \(\alpha _b\) (See Fig. 2). For simplicity, we ignore here the additional qubits required in practice to make the transform reversible through padding.

Although it is well known that arbitrary quantum states cannot be cloned, we use the CNOT gate to copy classical information. More precisely, a CNOT gate can copy states in the computational basis: \(CNOT: | x \rangle | 0 \rangle \rightarrow | x \rangle | x \rangle \). This transform is represented in Fig. 2.

Finally, any unitary transform U can be controlled by a bit b. This operation, denoted \(U^b\) maps x to U(x) if \(b=1\) and leaves x unchanged otherwise. In the quantum setting, the qubit \(| b \rangle \) can be in a superposition of 0 and 1, resulting in a superposition of \(| x \rangle \) and \(| U(x) \rangle \). The attacks that we present in the following sections only make use of this procedure when the attacker knows a classical description of the unitary to be controlled. In particular, we do not apply it to the cryptographic oracle.

When computing Simon’s function, i.e. the function f on which Simon’s algorithm is applied, the registers containing the value of f must be unentangled with any other working register. Otherwise, these registers, which might hinder the periodicity of the function, have to be taken into account in Simon’s algorithm and the whole procedure could fail.

Fig. 2.

Circuit representation of basic building blocks.

3 Previous Works

Previous works have used Simon’s algorithm to break the security of classical constructions in symmetric cryptography: the Even-Mansour construction and the 3-round Feistel scheme. We now explain how these attacks work with our terminology and extend two of the results. First, we show that the attack on the Feistel scheme can be extended to work with random functions, where the original analysis held only for random permutations. Second, using our analysis Simon’s algorithm with approximate promise, we make the number of queries required to attack the Even-Mansour construction more precise. These observations have been independently made by Santoli and Schaffner [41]. They use a slightly different approach, which consists in analyzing the run of Simon’s algorithm for these specific cases.

3.1 Applications to a Three-Round Feistel Scheme

The Feistel scheme is a classical construction to build a random permutation out of random functions or random permutations. In a seminal work, Luby and Rackoff proved that a three-round Feistel scheme is a secure pseudo-random permutation [34].

A three-round Feistel scheme with input \((x_L,x_R)\) and output \((y_L, y_R)= E(x_L, x_R)\) is built from three round functions \(R_1\), \(R_2\), \(R_3\) as (see Fig. 3):

$$\begin{aligned} (u_0, v_0)&= (x_L,x_R),&(u_{i}, v_{i})&= (v_{i-1} \oplus R_i(u_{i-1}), u_{i-1}),&(y_L, y_R)&= (u_3, v_3). \end{aligned}$$

Fig. 3.

Three-round Feistel scheme.

Fig. 4.

Simon’s function for Feistel.

In order to distinguish a Feistel scheme from a random permutation in a quantum setting, Kuwakado and Morii [31] consider the case were the \(R_i\) are permutations, and define the following function, with two arbitrary constants \(\alpha _0\) and \(\alpha _1\) such that \(\alpha _0 \ne \alpha _1\):

$$\begin{aligned} f: \{0,1\} \times \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ b,x \quad&\mapsto y_R \oplus \alpha _b, \quad \text {where }(y_R, y_L) = E(\alpha _b,x)\\ f(b,x)&= R_2(x \oplus R_1(\alpha _b)) \end{aligned}$$

In particular, this f satisfies \(f(b,x) = f(b \oplus 1, x \oplus R_1(\alpha _0) \oplus R_1(\alpha _1))\). Moreover,

$$\begin{aligned} f(b',x') = f(b,x)&\Leftrightarrow x' \oplus R_1(\alpha _{b'}) = x \oplus R_1(\alpha _b)\\&\Leftrightarrow {\left\{ \begin{array}{ll} x' \oplus x = 0 &{} \text {if }b' = b\\ x' \oplus x = R_1(\alpha _0)\oplus R_1(\alpha _1) &{} \text {if }b' \ne b \end{array}\right. } \end{aligned}$$

Therefore, the function satisfies Simon’s promise with \(s = 1\,\Vert \,R_1(\alpha _0) \oplus R_1(\alpha _1)\), and we can recover \(R_1(\alpha _0) \oplus R_1(\alpha _1)\) using Simon’s algorithm. This gives a distinguisher, because Simon’s algorithm applied to a random permutation returns zero with high probability. This can be seen from Theorem 2, using the fact that with overwhelming probability [19], there is no value \(t \ne 0\) such that \(\Pr _x[f(x \oplus t) = f(x)] > 1/2\) for a random permutation f (Fig. 4).

We can also verify that the value \(R_1(\alpha _0) \oplus R_1(\alpha _1)\) is correct with two additional classical queries \((y_L, y_R) = E(\alpha _0, x)\) and \((y'_L, y'_R) = E(\alpha _1, x \oplus R_1(\alpha _0) \oplus R_1(\alpha _1))\) for a random x. If the value is correct, we have \(y_R \oplus y'_R = \alpha _0 \oplus \alpha _1\).

Note that in their attack, Kuwakado and Morii implicitly assume that the adversary can query in superposition an oracle that returns solely the left part \(y_L\) of the encryption. If the adversary only has access to the complete encryption oracle E, then a query in superposition would return two entangled registers containing the left and right parts, respectively. In principle, Simon’s algorithm requires the register containing the input value to be completely disentangled from the others.

Feistel Scheme with Random Functions. Kuwakado and Morii [31] analyze only the case where the round functions \(R_i\) are permutations. We now extend this analysis to random functions \(R_i\). The function f defined above still satisfies \(f(b,x) = f(b \oplus 1, x \oplus R_1(\alpha _0) \oplus R_1(\alpha _1))\), but it doesn’t satisfy the exact promise of Simon’s algorithm: there are additional collisions in f, between inputs with random differences. However, the previous distinguisher is still valid: at the end of Simon’s algorithm, there exist at least one non-zero value orthogonal to all the values y measured at each step: s. This would not be the case with a random permutation.

Moreover, we can show that \(\varepsilon (f,1\,\Vert \,s)<1/2\) with overwhelming probability, so that Simon’s algorithm still recovers \(1\,\Vert \,s\) following Theorem 1. If \(\varepsilon (f,1\,\Vert \,s) > 1/2\), there exists \((\tau ,t)\) with \((\tau ,t) \not \in \{(0,0), (1,s)\}\) such that: \(\mathrm {Pr}[f(b,x) = f(b\oplus \tau , x\oplus t)] > 1/2\). Assume first that \(\tau = 0\), this implies:

$$\begin{aligned} \mathrm {Pr}[f(0,x) = f(0, x\oplus t)]> 1/2 \quad \text {or} \quad \mathrm {Pr}[f(1,x) = f(1, x\oplus t)] > 1/2. \end{aligned}$$

Therefore, for some b, \(\Pr [R_2(x \oplus R_1(\alpha _b)) = R_2(x \oplus t \oplus R_1(\alpha _b))] > 1/2\), i.e. \(\Pr [R_2(x) = R_2(x \oplus t)] > 1/2\). Similarly, if \(\tau = 1\), \(\Pr [R_2(x \oplus R_1(\alpha _0)) = R_2(x \oplus t \oplus R_1(\alpha _1))] > 1/2\), i.e. \( \Pr [R_2(x) = R_2(x \oplus t \oplus R_1(\alpha _0) \oplus R_1(\alpha _1))] > 1/2\).

To summarize, if \(\varepsilon (f,1\,\Vert \,s) > 1/2\), there exists \(u \ne 0\) such that \(\Pr [R_2(x) = R_2(x \oplus u)] > 1/2\). This only happens with negligible probability for a random choice of \(R_2\) as shown in [19].

3.2 Application to the Even-Mansour Construction

The Even-Mansour construction is a simple construction to build a block cipher from a public permutation [22]. For some permutation P, the cipher is:

$$\begin{aligned} E_{k_1,k_2}(x) = P(x \oplus k_1) \oplus k_2. \end{aligned}$$

Even and Mansour have shown that this construction is secure in the random permutation model, up to \(2^{n/2}\) queries, where n is the size of the input to P (Figs. 5 and 6).

Fig. 5.

Even-Mansour scheme.

Fig. 6.

Simon’s function for Even-Mansour.

However, Kuwakado and Morii [32] have shown that the security of this construction collapses if an adversary can query an encryption oracle with a superposition of states. More precisely, they define the following function:

$$\begin{aligned} f: \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ x \quad&\mapsto E_{k_1,k_2}(x) \oplus P(x)= P(x \oplus k_1) \oplus P(x) \oplus k_2. \end{aligned}$$

In particular, f satisfies \(f(x \oplus k_1) = f(x)\) (interestingly, the slide with a twist attack of Biryukov and Wagner [8] uses the same property). However, there are additional collisions in f between inputs with random differences. As in the attack against the Feistel scheme with random round functions, we use Theorem 1, to show that Simon’s algorithm recovers \(k_1\) ².

We show that \(\varepsilon (f,k_1)<1/2\) with overwhelming probability for a random permutation P, and if \(\varepsilon (f,k_1)>1/2\), then there exists a classical attack against the Even-Mansour scheme. Assume that \(\varepsilon (f,k_1) > 1/2\), that is, there exists t with \(t \not \in \{0, k_1\}\) such that \( \mathrm {Pr}[f(x) = f(x\oplus t)] > 1/2\), i.e.,

$$\begin{aligned} p=\mathrm {Pr}[P(x) \oplus P(x\oplus k_1) \oplus P(x\oplus t) \oplus P(x\oplus t\oplus k_1) = 0]&> 1/2. \end{aligned}$$

This correspond to higher order differential for P with probability 1/2, which only happens with negligible probability for a random choice of P. In addition, this would imply the existence of a simple classical attack against the scheme:

1. 1.

   Query \(y = E_{k_1,k_2}(x)\) and \(y' = E_{k_1,k_2}(x \oplus t)\)

2. 2.

   Then \(y \oplus y' = P(x) \oplus P(x \oplus t)\) with probability at least one half

Therefore, for any instantiation of the Even-Mansour scheme with a fixed P, either there exist a classical distinguishing attack (this only happens with negligible probability with a random P), or Simon’s algorithm successfully recovers \(k_1\). In the second case, the value of \(k_2\) can then be recovered from an additional classical query: \(k_2 = E(x) \oplus P(x \oplus k_1)\).

In the next sections, we give new applications of Simon’s algorithm, to break various symmetric cryptography schemes.

4 Application to the LRW Construction

We now show a new application of Simon’s algorithm to the LRW construction. The LRW construction, introduced by Liskov, Rivest and Wagner [33], turns a block cipher into a tweakable block cipher, i.e. a family of unrelated block ciphers. The tweakable block cipher is a very useful primitive to build modes for encryption, authentication, or authenticated encryption. In particular, tweakable block ciphers and the LRW construction were inspired by the first version of OCB, and later versions of OCB use the tweakable block ciphers formalism. The LRW construction uses a (almost) universal hash function h (which is part of the key), and is defined as (see also Fig. 7):

$$\begin{aligned} \widetilde{E}_{t,k}(x) = E_k(x \oplus h(t)) \oplus h(t). \end{aligned}$$

Fig. 7.

The LRW construction, and efficient instantiations XEX (CCA secure) and XE (only CPsecure).

We now show that the LRW construction is not secure in a quantum setting. We fix two arbitrary tweaks \(t_0, t_1\), with \(t_0 \ne t_1\), and we define the following function:

Given a superposition access to an oracle for an LRW tweakable block cipher, we can build a circuit implementing this function, using the construction given in Fig. 8. In the circuit, the cryptographic oracle \(\widetilde{E}_{t,k}\) takes two inputs: the block x to be encrypted and the tweak t. Since the tweak comes out of \(\widetilde{E}_{t,k}\) unentangled with the other register, we do not represent this output in the diagram. In practice, the output is forgotten by the attacker.

It is easy to see that this function satisfies \( f(x) = f(x \oplus s)\) with \(s = h(t_0) \oplus h(t_1)\). Furthermore, the quantity \(\varepsilon (f,s) = \max _{t \in \{0,1\}^n \setminus \{0,s\}} \mathrm {Pr}[f(x) = f(x\oplus t)]\) is bounded with overwhelming probability, assuming that \(E_k\) behaves as a random permutation. Indeed if \(\varepsilon (f,s) > 1/2\), there exists some t with \(t \not \in \{0, s\}\) such that \(\mathrm {Pr}[f(x) = f(x\oplus t)] > 1/2\), i.e.,

$$ \mathrm {Pr}[ E_k\big (x\big ) \oplus E_k\big (x \oplus s\big ) \oplus E_k\big (x \oplus t)\big ) \oplus E_k\big (x \oplus t \oplus s\big ) = 0] > 1/2 $$

This correspond to higher order differential for \(E_k\) with probability 1/2, which only happens with negligible probability for a random permutation. Therefore, if E is a pseudo-random permutation family, \(\varepsilon (f,s) \le 1/2\) with overwhelming probability, and running Simon’s algorithm with the function f returns \(h(t_0) \oplus h(t_1)\). The assumption that E behaves as a PRP family is required for the security proof of LRW, so it is reasonable to make the same assumption in an attack. More concretely, a block cipher with a higher order differential with probability 1/2 as seen above would probably be broken by classical attacks. The attack is not immediate because the differential can depend on the key, but it would seem to indicate a structural weakness. In the following sections, some attacks can also be mounted using Theorem 2 without any assumptions on E.

In any case, there exist at least one non-zero value orthogonal to all the values y measured during Simon’s algorithm: s. This would not be the case if f is a random function, which gives a distinguisher between the LRW construction and an ideal tweakable block cipher with O(n) quantum queries to \(\widetilde{E}\).

In practice, most instantiations of LRW use a finite field multiplication to define the universal hash function h, with a secret offset L (usually computed as \(L = E_k(0)\)). Two popular constructions are:

• \(h(t) = \gamma (t) \cdot L\), used in OCB1 [40], OCB3 [30] and PMAC [10], with a Gray encoding \(\gamma \) of t,

• \(h(t) = 2^t \cdot L\), the XEX construction, used in OCB2 [39].

In both cases, we can recover L from the value \(h(t_0) \oplus h(t_1)\) given by the attack.

This attack is important, because many recent modes of operation are inspired by the LRW construction, and the XE and XEX instantiations, such as CAESAR candidates AEZ [25], COPA [4], OCB [30], OTR [37], Minalpher [42], OMD [18], and POET [1]. We will see in the next section that variants of this attack can be applied to each of these modes.

Fig. 8.

Simon’s function for LRW.

5 Application to Block Cipher Modes of Operations

We now give new applications of Simon’s algorithm to the security of block cipher modes of operations. In particular, we show how to break the most popular and widely used block-cipher based MACs, and message authentication schemes: CBC-MAC (including variants such as XCBC [9], OMAC [26], and CMAC [21]), GMAC [36], PMAC [10], GCM [36] and OCB [30]. We also show attacks against several CAESAR candidates. In each case, the mode is proven secure up to \(2^{n/2}\) in the classical setting, but we show how, by a reduction to Simon’s problem, forgery attacks can be performed with superposition queries at a cost of O(n).

Notations and Preliminaries. We consider a block cipher \(E_k\), acting on blocks of length n, where the subscript k denotes the key. For simplicity, we only describe the modes with full-block messages, the attacks can trivially be extended to the more general modes with arbitrary inputs. In general, we consider a message M divided into \(\ell \) n-bits block: \(M=m_1 \,\Vert \, \ldots \,\Vert \, m_\ell \). We also assume that the MAC is not truncated, i.e. the output size is n bits. In most cases, the attacks can be adapted to truncated MACS.

5.1 Deterministic MACs: CBC-MAC and PMAC

We start with deterministic Message Authentication Codes, or MACs. A MAC is used to guarantee the authenticity of messages, and should be immune against forgery attacks. The standard security model is that it should be hard to forge a message with a valid tag, even given access to an oracle that computes the MAC of any chosen message (of course the forged message must not have been queried to the oracle).

To translate this security notion to the quantum setting, we assume that the adversary is given an oracle that takes a quantum superposition of messages as input, and computes the superposition of the corresponding MAC.

CBC-MAC. CBC-MAC is one of the first MAC constructions, inspired by the CBC encryption mode. Since the basic CBC-MAC is only secure when the queries are prefix-free, there are many variants of CBC-MAC to provide security for arbitrary messages. In the following we describe the Encrypted-CBC-MAC variant [5], using two keys k and \(k'\), but the attack can be easily adapted to other variants [9, 21, 26]. On a message \(M=m_1 \,\Vert \, \ldots \,\Vert \, m_\ell \), CBC-MAC is defined as (see Fig. 9):

$$\begin{aligned} x_0&= 0&x_i&= E_{k}(x_{i-1} \oplus m_i)&{{\mathrm{CBC\text {-}MAC}}}(M) = E_{k'}(x_{\ell }) \end{aligned}$$

Fig. 9.

Encrypt-last-block CBC-MAC.

CBC-MAC is standardized and widely used. It has been proved to be secure up to the birthday bound [5], assuming that the block cipher is indistinguishable from a random permutation.

Attack. We can build a powerful forgery attack on CBC-MAC with very low complexity using superposition queries. We fix two arbitrary message blocks \(\alpha _0, \alpha _1\), with \(\alpha _0 \ne \alpha _1\), and we define the following function:

The function f can be computed with a single call to the cryptographic oracle, and we can build a quantum circuit for f given a black box quantum circuit for \({{\mathrm{CBC\text {-}MAC}}}_k\). Moreover, f satisfies the promise of Simon’s problem with :

Therefore, an application of Simon’s algorithm returns \(E_k(\alpha _0) \oplus E_k(\alpha _1)\). This allows to forge messages easily:

1. 1.

   Query the tag of \(\alpha _0 \,\Vert \, m_1\) for an arbitrary block \(m_1\);

2. 2.

   The same tag is valid for \(\alpha _1 \,\Vert \, m_1 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)\).

In order to break the formal notion of EUF-qCMA security, we must produce \(q+1\) valid tags with only q queries to the oracle. Let \(q' = O(n)\) denote the number of of quantum queries made to learn \(E_k(\alpha _0)\oplus E_k(\alpha _1)\). The attacker will repeats the forgery step step \(q'+1\) times, in order to produce \(2(q'+1)\) messages with valid tags, after a total of \(2q'+1\) classical and quantum queries to the cryptographic oracle. Therefore, \({{\mathrm{CBC\text {-}MAC}}}\) is broken by a quantum existential forgery attack.

After some exchange at early stages of the work, an extension of this forgery attack has been found by Santoli and Schaffner [41]. Its main advantage is to handle oracles that accept input of fixed length, while our attack works for oracles accepting messages of variable length.

PMAC. PMAC is a parallelizable block-cipher based MAC designed by Rogway [39]. PMAC is based on the XE construction: the construction uses secret offsets \(\varDelta _i\) derived from the secret key to turn the block cipher into a tweakable block cipher. More precisely, the PMAC algorithm is defined as

$$\begin{aligned} c_i&= E_k(m_i \oplus \varDelta _i)&{{\mathrm{PMAC}}}(M) = E^*_k\big (m_{\ell } \oplus \sum c_i\big ) \end{aligned}$$

where \(E^*\) is a tweaked variant of E. We omit the generation of the secret offsets because they are irrelevant to our attack.

First Attack. When PMAC is used with two-block messages, it has the same structure as CBC-MAC: \({{\mathrm{PMAC}}}(m_1\,\Vert \,m_2) = E^*_k(m_2 \oplus E_k(m_1 \oplus \varDelta _0))\). Therefore we can use the attack of the previous section to recover \(E_k(\alpha _0) \oplus E_k(\alpha _1)\) for arbitrary values of \(\alpha _0\) and \(\alpha _1\). Again, this leads to a simple forgery attack. First, query the tag of \(\alpha _0 \,\Vert \, m_1 \,\Vert \, m_2\) for arbitrary blocks \(m_1\), \(m_2\). The same tag is valid for \(\alpha _1 \,\Vert \, m_1 \,\Vert \, m_2 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)\). As for \({{\mathrm{CBC\text {-}MAC}}}\), these two steps can be repeated \(t+1\) times, where t is the number of quantum queries issued. The adversary then produces \(2(t+1)\) messages after only \(2t+1\) queries to the cryptographic oracle.

Second Attack. We can also build another forgery attack on PMAC where we recover the difference between two offsets \(\varDelta _i\), following the attack against LRW given in Sect. 4. More precisely, we use the following function:

$$\begin{aligned} f: \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ m \quad&\mapsto {{\mathrm{PMAC}}}(m \,\Vert \, m \,\Vert \, 0^n) = E_k^*\left( E_k(m \oplus \varDelta _0) \oplus E_k(m \oplus \varDelta _1)\right) . \end{aligned}$$

In particular, it satisfies \(f(m \oplus s) = f(m)\) with \(s = \varDelta _0 \oplus \varDelta _1\). Furthermore, we can show that \(\varepsilon (f,s) \le 1/2\) when E is a good block cipher³, and we can apply Simon’s algorithm to recover \(\varDelta _0 \oplus \varDelta _1\). This allows to create forgeries as follows:

1. 1.

   Query the tag of \(m_1 \,\Vert \, m_1\) for an arbitrary block \(m_1\);

2. 2.

   The same tag is valid for \(m_1 \oplus \varDelta _0 \oplus \varDelta _1 \,\Vert \, m_1 \oplus \varDelta _0 \oplus \varDelta _1\).

As mentioned in Sect. 4, the offsets in PMAC are defined as \(\varDelta _i = \gamma (i) \cdot L\), with \(L = E_k(0)\) and \(\gamma \) a Gray encoding. This allows to recover L from \(\varDelta _0 \oplus \varDelta _1\), as \(L = (\varDelta _0 \oplus \varDelta _1) \cdot \left( \gamma (0) \oplus \gamma (1)\right) ^{-1}\). Then we can compute all the values \(\varDelta _i\), and forge arbitrary messages.

We can also mount an attack without any assumption on \(\varepsilon (f,s)\), using Theorem 2. Indeed, with a proper choice of parameters, Simon’s algorithm will return a value \(t \ne 0\) that satisfies \(\Pr _x[ f(x \oplus t) = f(x)] \ge 1/2\). This value is not necessarily equal to s, but it can also be used to create forgeries in the same way, with success probability at least 1/2.

Fig. 10.

Simon’s function for CBC-MAC.

Fig. 11.

Simon’s function for the second attack against PMAC.

5.2 Randomized MAC: GMAC

GMAC is the underlying MAC of the widely used GCM standard, designed by McGrew and Viega [36], and standardized by NIST. GMAC follows the Carter-Wegman construction [16]: it is built from a universal hash function, using polynomial evaluation in a Galois field. As opposed to the constructions of the previous sections, GMAC is a randomized MAC; it requires a second input N, which must be non-repeating (a nonce). GMAC is essentially defined as (Figs. 10 and 11):

$$\begin{aligned} {{\mathrm{GMAC}}}(N,M)&= \text {GHASH}(M\,\Vert \,\text {len}(M)) \oplus E_k(N\,\Vert \,1) \\ \text {GHASH}(M)&= \sum _{i=1}^{\text {len}(M)} m_i \cdot H^{\text {len}(M)-i+1} \quad \text {with}\; H = E_k(0), \end{aligned}$$

where \(\text {len}(M)\) is the length of M.

Fig. 12.

GMAC

Attack. When the polynomial is evaluated with Horner’s rule, the structure of GMAC is similar to that of CBC-MAC (see Fig. 12). For a two-block message, we have \({{\mathrm{GMAC}}}(m_1\,\Vert \,m_2) = \big ((m_1 \cdot H) \oplus m_2\big ) \cdot H \oplus E_k(N\,\Vert \,1)\). Therefore, we us the same f as in the CBC-MAC attack, with fixed blocks \(\alpha _0\) and \(\alpha _1\):

$$\begin{aligned} f_N: \{0,1\} \times \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ b, x \quad&\mapsto {{\mathrm{GMAC}}}(N, \alpha _b\,\Vert \,x)= \alpha _b \cdot H^2 \oplus x \cdot H \oplus E_k(N\,\Vert \,1). \end{aligned}$$

In particular, we have:

Therefore \(f_N\) satisfies the promise of Simon’s algorithm with \(s = 1\,\Vert \,(\alpha _0 \oplus \alpha _1) \cdot H\).

Role of the Nonce. There is an important caveat regarding the use of the nonce. In a classical setting, the nonce is chosen by the adversary under the constraint that it is non-repeating, i.e. the oracle computes \(N, M \mapsto {{\mathrm{GMAC}}}(N, M)\). However, in the quantum setting, we don’t have a clear definition of non-repeating if the nonce can be in superposition. To sidestep the issue, we use a weaker security notion where the nonce is chosen at random by the oracle, rather than by the adversary (following the IND-qCPA definition of [13]). The oracle is then \(M \mapsto (r, {{\mathrm{GMAC}}}(r,M))\). If we can break the scheme in this model, the attack will also be valid with any reasonable CPA security definition.

In this setting we can access the function \(f_N\) only for a random value of N. In particular, we cannot apply Simon’s algorithm as is, because this requires O(n) queries to the same function \(f_N\). However, a single step of Simon’s algorithm requires a single query to the \(f_N\) function, and returns a vector orthogonal to s, for any random choice of N. Therefore, we can recover \((\alpha _0 \oplus \alpha _1) \cdot H\) after O(n) steps, even if each step uses a different value of N. Then, we can recover H easily, and it is easy to generate forgeries when H is known:

1. 1.

   Query the tag of \(N, m_1\,\Vert \,m_2\) for arbitrary blocks \(m_1\), \(m_2\) (under a random nonce N).

2. 2.

   The same tag is valid for \(m_1 \oplus 1\,\Vert \,m_2 \oplus H\) (with the same nonce N).

As for \({{\mathrm{CBC\text {-}MAC}}}\), repeating these two steps leads to an existential forgery attack.

5.3 Classical Authenticated Encryption Schemes: GCM and OCB

We now give applications of Simon’s algorithm to break the security of standardized authenticated encryption modes. The attacks are similar to the attacks against authentication modes, but these authenticated encryption modes are nonce-based. Therefore we have to pay special attention to the nonce, as in the attack against GMAC. In the following, we assume that the nonce is randomly chosen by the MAC oracle, in order to avoid issues with the definition of non-repeating nonce in a quantum setting.

Extending MAC Attacks to Authenticated Encryption Schemes. We first present a generic way to apply MAC attacks in the context of an authenticated encryption scheme. More precisely, we assume that the tag of the authenticated encryption scheme is computed as f(g(A), h(M, N)), i.e. the authentication of the associated data A is independent of the nonce N. This is the case in many practical schemes (e.g. GCM, OCB) for efficiency reasons.

In this setting, we can use a technique similar to our attack against GMAC: we define a function \(M \mapsto f_N(M)\) for a fixed nonce N, such that for any nonce N, \(f_N(M) = f_N(M \oplus \varDelta )\) for some secret value \(\varDelta \). Next we use Simon’s algorithm to recover \(\varDelta \), where each step of Simon’s algorithm is run with a random nonce, and returns a vector orthogonal to \(\varDelta \). Finally, we can recover \(\varDelta \), and if \(f_N\) was carefully built, the knowledge of \(\varDelta \) is sufficient for a forgery attack.

The CCM mode is a notable exception, where all the computations depend on the nonce. In particular, there is no obvious way to apply our attacks to CCM.

Extending GMAC Attack to GCM. GCM is one of the most widely used authenticated encryption modes, designed by McGrew and Viega [36]. GMAC is the composition of the counter mode for encryption with GMAC (computed over the associated data and the ciphertext) for authentication.

In particular, when the message is empty, GCM is just GMAC, and we can use the attack of the previous section to recover the hash key H. This immediately allows a forgery attack.

OCB. OCB is another popular authenticated encryption mode, with a very high efficiency, designed by Rogaway et al. [30, 39, 40]. Indeed, OCB requires only \(\ell \) block cipher calls to process an \(\ell \)-block message, while GCM requires \(\ell \) block cipher calls, and \(\ell \) finite field operations. OCB is build from the LRW construction discussed in Sect. 4. OCB takes as input a nonce N, a message \(M = m_1\,\Vert \,\ldots \,\Vert \,m_\ell \), and associated data \(A = a_1\,\Vert \,\ldots a_{\text {@ }}\), and returns a ciphertext \(C = c_1\,\Vert \,\ldots \,\Vert \,c_\ell \) and a tag \(\tau \):

$$\begin{aligned} c_i = E_k(m_i \oplus \varDelta ^N_i) \oplus \varDelta ^N_i, \quad \tau = E_k\left( \varDelta '^N_\ell \oplus \sum m_i\right) \oplus \sum b_i, \quad b_i = E_k(a_i \oplus \varDelta _i). \end{aligned}$$

Extending PMAC Attack to OCB. In particular, when the message is empty, OCB reduces to a randomized variant of PMAC:

$$\begin{aligned} {{\mathrm{OCB}}}_k(N, \varepsilon , A)&= \phi _k(N) \oplus \sum b_i,&b_i&= E_k(a_i \oplus \varDelta _i). \end{aligned}$$

Note that the \(\varDelta _i\) values used for the associated data are independent of the nonce N. Therefore, we can apply the second PMAC attack previously given, using the following function:

$$\begin{aligned} f_N: \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ x \quad&\mapsto {{\mathrm{OCB}}}_k(N, \varepsilon , x\,\Vert \,x) \\ f_N(x)&=E_k(x \oplus \varDelta _0) \oplus E_k(x \oplus \varDelta _1) \oplus \phi _k(N) \end{aligned}$$

Again, this is a special case of the LRW attack of Sect. 4. The family of functions satisfies \(f_N(a \oplus \varDelta _0 \oplus \varDelta _1) = f_N(a)\), for any N, and \(\varepsilon (f_N,\varDelta _0 \oplus \varDelta _1) \le 1/2\) with overwhelming probability if E is a PRP. Therefore we can use the variant of Simon’s algorithm to recover \(\varDelta _0 \oplus \varDelta _1\). Two messages with valid tags can then be generated by a single classical queries:

1. 1.

   Query the authenticated encryption \(C,\tau \) of \(M, a\,\Vert \,a\) for an arbitrary message M, and an arbitrary block a (under a random nonce N).

2. 2.

   \(C,\tau \) is also a valid authenticated encryption of \(M, a \oplus \varDelta _0 \oplus \varDelta _1\,\Vert \,a \oplus \varDelta _0 \oplus \varDelta _1\), with the same nonce N.

Repeating these steps lead again to an existential forgery attack.

Alternative Attack Against OCB. For some versions of OCB, we can also mount a different attack targeting the encryption part rather than the authentication part. The goal of this attack is also to recover the secret offsets, but we target the \(\varDelta ^N_i\) used for the encryption of the message. More precisely, we use the following function:

This function satisfies \(f_N(m \oplus \varDelta ^N_1 \oplus \varDelta ^N_2) = f_N(m)\) and \(\varepsilon (f_N,\varDelta ^N_0 \oplus \varDelta ^N_1) \le 1/2\), with the same arguments as previously. Moreover, in OCB1 and OCB3, the offsets are derived as \(\varDelta ^N_i = \varPhi _k(N) \oplus \gamma (i) \cdot E_k(0)\) for some function \(\varPhi \) (based on the block cipher \(E_k\)). In particular, \(\varDelta ^N_1 \oplus \varDelta ^N_2\) is independent of N:

$$ \varDelta ^N_1 \oplus \varDelta ^N_2 = (\gamma (1) \oplus \gamma (2)) \cdot E_k(0). $$

Therefore, we can apply Simon’s algorithm to recover \(\varDelta ^N_1 \oplus \varDelta ^N_2\). Again, this leads to a forgery attack, by repeating the following two steps:

1. 1.

   Query the authenticated encryption \(c_1\,\Vert \,c_2,\tau \) of \(m\,\Vert \,m, A\) for an arbitrary block m, and arbitrary associated data A (under a random nonce N).

2. 2.

   \(c_2 \oplus \varDelta ^N_0 \oplus \varDelta ^N_1\,\Vert \,c_1 \oplus \varDelta ^N_0 \oplus \varDelta ^N_1, \tau \) is also a valid authenticated encryption of \(m \oplus \varDelta ^N_0 \oplus \varDelta ^N_1\,\Vert \,m \oplus \varDelta ^N_0 \oplus \varDelta ^N_1, A\) with the same nonce N.

The forgery is valid because we swap the inputs of the first and second block ciphers. In addition, we have \(\sum m_i = \sum m'_i\), so that the tag is still valid.

5.4 New Authenticated Encryption Schemes: CAESAR Candidates

In this section, we consider recent proposals for authenticated encryption, submitted to the ongoing CAESAR competition. Secret key cryptography has a long tradition of competitions: AES and SHA-3 for example, were chosen after the NIST competitions organized in 1997 and 2007, respectively. The CAESAR competition⁴ aims at stimulating research on authenticated encryption schemes, and to define a portfolio of new authenticated encryption schemes. The competition is currently in the second round, with 29 remaining algorithms.

First, we point out that the attacks of the previous sections can be used to break several CAESAR candidates:

• CLOC [27] uses CBC-MAC to authenticate the message, and the associated data is processed independently of the nonce. Therefore, the CBC-MAC attack can be extended to CLOC⁵.

• AEZ [25], COPA [4], OTR [37] and POET [1] use a variant of PMAC to authenticate the associated data. In both cases, the nonce is not used to process the associated data, so that we can extend the PMAC attack as we did against OCB⁶.

• The authentication of associated data in OMD [18] and Minalpher [42] are also variants of PMAC (with a PRF that is not block cipher), and the attack can be applied.

In the next section, we show how to adapt the PMAC attack to Minalpher and OMD, since the primitives are different.

Minalpher. Minalpher [42] is a permutation-based CAESAR candidate, where the permutation is used to build a tweakable block-cipher using the tweakable Even-Mansour construction. When the message is empty (or fixed), the authentication part of Minalpher is very similar to PMAC. With associated data \(A = a_1 \,\Vert \, \ldots a_{\text {@ }}\), the tag is computed as:

$$\begin{aligned} b_i&= P(a_i \oplus \varDelta _i) \oplus \varDelta _i&\tau&= \phi _k\left( N, M, a_{\text {@ }} \oplus \sum _{i=1}^{\text {@ }-1} b_i\right) \\ \varDelta _i&= y^i \cdot L'&L'&= P(k\,\Vert \,0) \oplus (k\,\Vert \,0) \end{aligned}$$

where \(\phi _k\) is a permutation (we omit the description of \(\phi _k\) because it is irrelevant for our attack). Since the tag is a function of \(a_{\text {@ }} \oplus \sum _{i=1}^{\text {@ }-1} b_i\), we can use the same attacks as against PMAC. For instance, we define the following function:

$$\begin{aligned} f_N: \{0,1\} \times \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ b, x \quad&\mapsto \text {Minalpher}(N, \varepsilon , \alpha _b\,\Vert \,x)= \phi _k(N, \varepsilon , P(\alpha _b \oplus \varDelta _1) \oplus \varDelta _1 \oplus x). \end{aligned}$$

In particular, we have:

$$\begin{aligned} f_N(b',x') = f_N(b,x)&\Leftrightarrow P(\alpha _{b'} \oplus \varDelta _1) \oplus x' = P(\alpha _b \oplus \varDelta _1) \oplus x \\&\Leftrightarrow {\left\{ \begin{array}{ll} x' \oplus x = 0 &{} \text {if }b' = b\\ x' \oplus x = P(\alpha _0\oplus \varDelta _1)\oplus P(\alpha _1\oplus \varDelta _1) &{} \text {if }b' \ne b\\ \end{array}\right. } \end{aligned}$$

Since \(s=P(\alpha _0\oplus \varDelta _1)\oplus P(\alpha _1\oplus \varDelta _1)\) is independent of N, we can easily apply Simon’s algorithm to recover s, and generate forgeries.

OMD. OMD [18] is a compression-function-based CAESAR candidate. The internal primitive is a keyed compression function denoted \(F_k\). Again, when the message is empty the authentication is very similar to PMAC. With associated data \(A = a_1\,\Vert \,\ldots a_{\text {@ }}\), the tag is computed as:

$$\begin{aligned} b_i&= F_k(a_i \oplus \varDelta _i)&\tau&= \phi _k(N, M) \oplus \sum b_i \end{aligned}$$

We note that the \(\varDelta _i\) used for the associated data do not depend on the nonce. Therefore we can use the second PMAC attack with the following function:

$$\begin{aligned} f_N: \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ x \quad&\mapsto {{\mathrm{OMD}}}(N, \varepsilon , x\,\Vert \,x)\\ f_N(x)&= \phi _k(N, \varepsilon ) \oplus F_k(x \oplus \varDelta _1) \oplus F_k(x \oplus \varDelta _2) \end{aligned}$$

This is the same form as seen when extending the PMAC attack to OCB, therefore we can apply the same attack to recover \(s= \varDelta _1 \oplus \varDelta _2\) and generate forgeries.

6 Simon’s Algorithm Applied to Slide Attacks

In this section we show how Simon’s algorithm can be applied to a cryptanalysis family: slide attacks. In this case, the complexity of the attack drops again exponentially, from \(O(2^{n/2})\) to O(n) and therefore becomes much more dangerous. To the best of our knowledge this is the first symmetric cryptanalytic technique that has an exponential speed-up in the post-quantum world.

The Principle of Slide Attacks. In 1999, Wagner and Biryukov introduced the technique called slide attack [7]. It can be applied to block ciphers made of r applications of an identical round function R, each one parametrized by the same key K. The attack works independently of the number of rounds, r. Intuitively, for the attack to work, R has to be vulnerable to known plaintext attacks.

The attacker collects \(2^{n/2}\) encryptions of plaintexts. Amongst these couples of plaintext-ciphertext, with large probability, he gets a “slid” pair, that is, a pair of couples \((P_0, C_0)\) and \((P_1, C_1)\) such that \(R(P_0)=P_1\). This immediately implies that \(R(C_0)=C_1\). For the attack to work, the function R needs to allow for an efficient recognition of such pairs, which in turns makes the key extraction from R easy. A trivial application of this attack is the key-alternate cipher with blocks of n bits, identical subkeys and no round constants. The complexity is then approximately \(2^{n/2}\). The speed-up over exhaustive search given by this attack is then quadratic, similar to the quantum attack based on Grover’s algorithm.

This attack is successful, for example, to break the TREYFER block cipher [47], with a data complexity of \(2^{32}\) and a time complexity of \(2^{32+12}=2^{44}\) (where \(2^{12}\) is the cost of identifying the slid pair by performing some key guesses). Comparatively, the cost for an exhaustive search of the key is \(2^{64}\).

Exponential Quantum Speed-Up of Slide Attacks. We consider the attack represented in Fig. 13. The unkeyed round function is denoted P and the whole encryption function \(E_k\).

Fig. 13.

Representation of a slid-pair used in a slide attack. 

We define the following function:

$$\begin{aligned} f: \{0,1\} \times \{0,1\}^{n}&\rightarrow \{0,1\}^{n} \\ b,x \quad&\mapsto {\left\{ \begin{array}{ll} P(E_k(x)) \oplus x &{} \text {if}\; b = 0,\\ E_k(P(x)) \oplus x &{} \text {if}\; b = 1. \end{array}\right. } \end{aligned}$$

The slide property shows that all x satisfy \(P(E_k(x)) \oplus k = E_k(P(x \oplus k))\). This implies that f satisfies the promise of Simon’s problem with \(s = 1\,\Vert \,k\):

$$\begin{aligned} f(0,x) = P(E_k(x)) \oplus x&= E_k(P(x \oplus k)) \oplus k \oplus x = f(1,x \oplus k). \end{aligned}$$

In order to apply Theorem 1, we bound \(\varepsilon (f,1\,\Vert \,k)\), assuming that both \(E_k \circ P\) and \(P \circ E_k\) are indistinguishable from random permutations. If \(\varepsilon (f,1\,\Vert \,k) > 1/2\), there exists \((\tau ,t)\) with \((\tau ,t) \not \in \{(0,0), (1,k)\}\) such that: \(\mathrm {Pr}[f(b,x) = f(b\oplus \tau , x\oplus t)] > 1/2\). Let us assume \(\tau = 0\). This implies

$$\begin{aligned} \mathrm {Pr}[f(0,x) = f(0, x\oplus t)]> 1/2 \quad \text {or} \quad \mathrm {Pr}[f(1,x) = f(1, x\oplus t)] > 1/2, \end{aligned}$$

which is equivalent to

$$\begin{aligned} \mathrm {Pr}[P(E_k(x)) = P(E_k(x \oplus t)) \oplus t]> 1/2 \quad \text {or} \quad \mathrm {Pr}[E_k(P(x)) = E_k(P(x \oplus t)) \oplus t] > 1/2. \end{aligned}$$

In particular, there is a differential in \(P \circ E_k\) or \(E_k \circ P\) with probability 1/2.

Otherwise, \(\tau = 1\). This implies

$$\begin{aligned}&\mathrm {Pr}[P(E_k(x)) \oplus x = E_k(P(x \oplus t)) \oplus x \oplus t]> 1/2\\ \text {i.e. } \quad&\mathrm {Pr}[E_k(P(x \oplus k)) \oplus k = E_k(P(x \oplus t)) \oplus t] > 1/2. \end{aligned}$$

Again, it means there is a differential in \(E_k \circ P\) with probability 1/2.

Finally we conclude that \(\varepsilon (f,1\,\Vert \,k) \le 1/2\), unless \(E_k \circ P\) or \(P \circ E_k\) have differentials with probability 1/2. If \(E_k\) behave as a random permutation, \(E_k \circ P\) and \(P \circ E_k\) also behave as random permutations, and these differential are only found with negligible probability. Therefore, we can apply Simon’s algorithm, following Theorem 1, and recover k (Fig. 14).

Fig. 14.

Simon’s function for slide attacks. The X gate is the quantum equivalent of the NOT gate that flips the qubit \(| 0 \rangle \) and \(| 1 \rangle \).

7 Conclusion

We have been able to show that symmetric cryptography is far from ready for the post quantum world. We have found exponential speed-ups on attacks on symmetric cryptosystems. In consequence, some cryptosystems that are believed to be safe in a classical world become vulnerable in a quantum world.

With the speed-up on slide attacks, we provided the first known exponential quantum speed-up of a classical attack. This attack now becomes very powerful. An interesting follow-up would be to seek other such speed-ups of generic techniques. For authenticated encryption, we have shown that many modes of operations that are believed to be solid and secure in the classical world, become completely broken in the post-quantum world. More constructions might be broken following the same ideas.

Appendices

A Proof of Theorem 1

The proof of Theorem 1 is based of the following lemma.

Lemma 1

For \(t \in \{0,1\}^n\), consider the function \(g(x) := 2^{-n} \sum _{y\in t^{\perp }} (-1)^{x \cdot y}\), where \(t^\perp = \{ y\in \{0,1\}^n \,\text {s.t.}\, y \cdot t = 0\}\). for any x, it satisfies

$$\begin{aligned} g(x)= \frac{1}{2}(\delta _{x,0} + \delta _{x,t}). \end{aligned}$$

(2)

Proof

If \(t=0\) then \(g(x) = \sum _{y \in \{0,1\}^n} (-1)^{x \cdot y} =\delta (x,0)\), which proves the claim. From now on, assume that \(t \ne 0\). It is straightforward to check that \(g(0) = g(t) = \frac{1}{2}\) because all the terms of the sum are equal to 1 and there are \(2^{n-1}\) vectors y orthogonal to t. Since \(\sum _{x \in \{0,1\}^n} g(x) = 1\), it is sufficient to prove that \(g(x) \ge 0\) to establish the claim in the case \(t\ne 0\). For this, decompose g(x) into two terms:

$$\begin{aligned} g(x) = \sum _{y \in E_0} (-1)^{x \cdot y} - \sum _{y \in E_1} (-1)^{x \cdot y} = | E_0| - | E_1|, \end{aligned}$$

where \( E_i := \{ y \in \{0,1\}^n \, \text {s.t.} \, y \cdot x= i \, \mathrm {and} \, y \cdot y = 0\}\) for \(i=0,1\). Simple counting shows that:

$$\begin{aligned} | E_0 | = \left\{ \begin{array}{cl} 2^{n-1} &{} \mathrm {if} \, x=0,\\ 2^{n-1} &{} \mathrm {if} \, x=t,\\ 2^{n-2} &{} \mathrm {otherwise}. \end{array} \right. \end{aligned}$$

In particular, \(|E_0| \ge |E_1|\) which implies that \(g(x) \ge 0\).

We are now ready to prove Theorem 1. Each call to the main subroutine of Simon’s algorithm will return a vector \(u_i\). If cn calls are made, one obtains cn vectors \(u_1, \ldots , u_{cn}\). By construction, f is such that \(f(x) = f(x \oplus s)\) and consequently, the cn vectors \(u_1, \ldots , u_{cn}\) are all orthogonal to s. The algorithm is successful provided one can recover the value of s unambiguously, which is the case if the cn vectors span the \((n-1)\)-dimensional space orthogonal to s. (Let us note that if the space is \((n-d)\)-dimensional for some constant d, one can still recover s efficiently by testing all the vectors orthogonal to the subspace.) In other words, the failure probability \(p_\text {fail}\) is

$$\begin{aligned} p_{\text {fail}}&= \mathrm {Pr}[\text {dim}\big (\text {Span}(u_1, \ldots , u_n)\big ) \le n-2]\\&\le \mathrm {Pr}[\exists t \in \{0,1\}^n\setminus \{0,s\} \,\text {s.t.} \, u_1 \cdot t = u_2 \cdot t = \cdots = u_{cn} \cdot t =0 ]\\&\le \sum _{t \in \{0,1\}^{n} \setminus \{0,s\} } \mathrm {Pr}[ u_1 \cdot t = u_2 \cdot t = \cdots = u_{cn} \cdot t =0 ]\\&\le \sum _{t \in \{0,1\}^{n} \setminus \{0,s\} } \big ( \mathrm {Pr}[ u_1 \cdot t =0]\big )^{cn} \\&\le \max _{t \in \{0,1\}^{n} \setminus \{0,s\} } \big (2 \mathrm {Pr}[ u_1 \cdot t =0]^c \big )^n \end{aligned}$$

where the second inequality results from the union bound and the third inequality follows from the fact that the results of the cn subroutines are independent.

In order to establish the theorem, it is now sufficient to show that \(\mathrm {Pr}[ u \cdot t =0]\) is bounded away from 1 for all t, where u is the vector corresponding to the output of Simon’s subroutine. We will prove that for all \(t\in \{0,1\}^{n} \setminus \{0,s\}\), the following inequality holds:

$$\begin{aligned} \mathrm {Pr}_u [ u \cdot t =0] = \frac{1}{2}\big (1 + \mathrm {Pr}_x[f(x) = f(x\oplus t)]\big ) \le \frac{1}{2}(1+\varepsilon (f,s)) \le \frac{1}{2} (1+p_0). \end{aligned}$$

(3)

In Simon’s algorithm, one can wait until the last step before measuring both registers. The final state before measurement can be decomposed as:

$$\begin{aligned} 2^{-n} \sum _{x \in \{0,1\}^n}\sum _{y \in \{0,1\}^n} (-1)^{x \cdot y} |y\rangle |f(x)\rangle =&2^{-n} \sum _{\begin{array}{c} y \in \{0,1\}^n\\ \text {s.t.}\, y\cdot t=0 \end{array} }\sum _{x \in \{0,1\}^n} (-1)^{x \cdot y} |y\rangle |f(x)\rangle \\&+ 2^{-n} \sum _{\begin{array}{c} y \in \{0,1\}^n\\ \text {s.t.}\, y\cdot t=1 \end{array} } \sum _{x \in \{0,1\}^n} (-1)^{x \cdot y} |y\rangle |f(x)\rangle . \end{aligned}$$

The probability of obtaining u such that \(u \cdot t = 0\) is given by

(4)

$$\begin{aligned}&= 2^{-(n+1)} \left[ \sum _{x \in \{0,1\}^n} \langle f(x)|f(x) \rangle + \sum _{x \in \{0,1\}^n} \langle f(x\oplus t)|f(x) \rangle \right] \end{aligned}$$

(5)

$$\begin{aligned}&= \frac{1}{2} \left[ 1 + \mathrm {Pr}_x [f(x) = f(x\oplus t) \right] \end{aligned}$$

(6)

where we used Lemma 1 proven in the appendix in Eq. 4, and \(\delta _{x,x'}=1\) if \(x=x'\) and 0 otherwise.

B Proof of Theorem 2

Let t be a fixed value and \(p_t = Pr_x[f(x \oplus t = f(t)]\). Following the previous analysis, the probability that the cn vectors \(u_i\) are orthogonal to t can be written as \(\Pr [ u_1 \cdot t = u_2 \cdot t = \cdots = u_{cn} \cdot t =0 ] = \left( \frac{1+p_t}{2}\right) ^{cn}\).

In particular, we can bound the probability that Simon’s algorithm returns a value t with \(p_t < p_0\):

$$ \Pr [p_t< p_0] = \sum _{t:\, p_t < p_0} \left( \frac{1+p_t}{2}\right) ^{cn} \le 2^n \times \left( \frac{1+p_0}{2}\right) ^{cn}. $$