Quantum Time/Memory/Data Tradeoff Attacks

One of the most celebrated and useful cryptanalytic algorithms is Hellman's time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions on N possible values with time and space complexities satisfying TM^2 = N^2. In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover's algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS'20 it was rigorously shown that for memory size bounded by M ≤ O(√N), even quantum advice cannot yield an attack which is better than Grover's algorithm. Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman's tradeoff curve to T^(4/3) M^2 = N^2. When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve T^(4/3) M^2 D^2 = N^2. A typical point on this curve is D = N^0.2, M = N^0.6, and T = N^0.3, whose time is strictly lower than both Grover's algorithm (which requires T = N^0.4 in this generalized search variant) and the classical Hellman algorithm (which requires T = N^0.4 for these D and M).

* The first author was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19.
** The second author was supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office.
*** The third author is partially supported by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik ICRC, and Robert Bosch Technologies Israel Ltd. He is a member of CPIIS.
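The following Python is an added worked example, not code from the paper or its authors. It builds a toy classical Hellman table (preprocessing: m chains of length t, storing only end points; online: walk forward from the target and verify each candidate) for a constructed 16-bit random-looking function f derived from truncated SHA-256, and it evaluates the three tradeoff curves quoted in the abstract as exponents of N: the classical time/memory/data curve T M^2 D^2 = N^2 (the Biryukov-Shamir generalization of Hellman's TM^2 = N^2, assumed here as the classical baseline), Grover's T = sqrt(N/D), and the quantum QACM curve T^(4/3) M^2 D^2 = N^2. The function f, the parameters m and t, and the helper names are all constructed for illustration; a single table without reduction functions is used, which is the simplest form of the classical attack and is enough to show why the memory stores only chain ends.

```python
import hashlib
import random

# Constructed toy instance (not from the paper): a random-looking function on
# N = 2^16 values, built from SHA-256 truncated to 16 bits.
N_BITS = 16
N = 1 << N_BITS


def f(x: int) -> int:
    """Random-looking function {0,...,N-1} -> {0,...,N-1}."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % N


def build_hellman_table(func, n, m, t, seed=0):
    """Classical Hellman preprocessing: m chains of length t (memory ~ m).

    Returns a dict mapping each chain's end point to its start point. When
    two chains merge into the same end point, the first start is kept.
    """
    rng = random.Random(seed)
    table = {}
    for _ in range(m):
        start = rng.randrange(n)
        x = start
        for _ in range(t):
            x = func(x)
        table.setdefault(x, start)
    return table


def hellman_invert(func, table, y, t):
    """Online phase (time ~ t): return x with func(x) == y, or None.

    Walk forward from y; if a stored end point is hit after i steps, y sits
    at position t - i in that chain, so its preimage is f^(t-1-i)(start).
    Every candidate is verified, which filters out false alarms caused by
    chain merges.
    """
    z = y
    for i in range(t):
        if z in table:
            x = table[z]
            for _ in range(t - 1 - i):
                x = func(x)
            if func(x) == y:
                return x
        z = func(z)
    return None


def time_exponents(m_exp, d_exp):
    """Exponent e with T = N^e for memory M = N^m_exp and data D = N^d_exp,
    for the three curves quoted in the abstract: classical Hellman
    T M^2 D^2 = N^2, Grover T = sqrt(N/D), and the quantum QACM curve
    T^(4/3) M^2 D^2 = N^2."""
    hellman = 2 - 2 * m_exp - 2 * d_exp
    return {
        "hellman": hellman,
        "grover": (1 - d_exp) / 2,
        "quantum_tmd": hellman * 3 / 4,
    }


def demo(m=256, t=64):
    """Build a table, invert a value known to be covered, report success."""
    table = build_hellman_table(f, N, m, t)
    start = next(iter(table.values()))       # start of the first chain
    x = start
    for _ in range(5):                       # x is 5 steps into that chain
        x = f(x)
    y = f(x)                                 # so y is covered by the table
    found = hellman_invert(f, table, y, t)
    return found is not None and f(found) == y


if __name__ == "__main__":
    print("toy Hellman inversion succeeded:", demo())
    print("T exponents at M=N^0.6, D=N^0.2:", time_exponents(0.6, 0.2))
```

At the abstract's typical point M = N^0.6, D = N^0.2, time_exponents returns 0.4 for both the classical curve and Grover, and 0.3 for the quantum curve, which is the comparison the abstract makes. The toy table stores only m end points but lets the online phase reach m·t function values, which is the memory/time exchange that all three curves quantify.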
