Grover Meets Simon - Quantumly Attacking the FX-construction

Using whitening keys is a well-understood means of increasing the key-length of any given cipher. Since it has been known ever since Grover's seminal work that a quantum adversary effectively halves the key-length, it seems tempting to use this simple and elegant way of extending a cipher's key-length to increase its resistance against quantum adversaries. However, as we show in this work, whitening keys do not significantly increase security in the quantum-CPA setting. To show this, we present a quantum algorithm that breaks the construction with whitening keys in essentially the same time complexity as Grover's original algorithm breaks the underlying block cipher. Technically, this result rests on combining the quantum algorithms of Grover and Simon, which is done here for the first time in the cryptographic setting.
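
As an added illustration (not the paper's own code), the following Python shows the FX construction and the structure the abstract alludes to: for a guess b of the inner key, the function f_b(x) = FX(x) XOR E_b(x) has the XOR-period k1 exactly when b equals the true inner key, which follows directly from the FX definition. The toy cipher, block size and sample keys are constructed; the loop over b is run classically where the paper would apply Grover, and the period test classically where it would apply Simon.

```python
import random
from functools import lru_cache

N = 6                 # constructed toy block/key size in bits, small enough to brute-force
SIZE = 1 << N

@lru_cache(maxsize=None)
def _perm(k):
    # One deterministic permutation of {0..SIZE-1} per key: a toy stand-in for E_k.
    table = list(range(SIZE))
    random.Random(k).shuffle(table)
    return tuple(table)

def E(k, x):
    """Toy block cipher E_k(x). Constructed and insecure; only its structure matters here."""
    return _perm(k)[x]

def fx_encrypt(k, k1, k2, x):
    """FX construction: pre-whitening key k1 and post-whitening key k2 around E_k."""
    return k2 ^ E(k, x ^ k1)

def find_period(f):
    """Classical stand-in for Simon's algorithm: the nonzero p with f(x) == f(x ^ p)
    for every x; 0 if f is constant (the k1 == 0 edge case); None if no period exists.
    Simon's algorithm answers the same question with O(N) quantum queries."""
    vals = [f(x) for x in range(SIZE)]
    if len(set(vals)) == 1:
        return 0
    for p in range(1, SIZE):
        if all(vals[x] == vals[x ^ p] for x in range(SIZE)):
            return p
    return None

def recover_fx_keys(oracle):
    """Grover-meets-Simon structure, run classically. Outer loop: guess the inner key b
    (Grover's search space). Inner step: test whether f_b(x) = oracle(x) ^ E_b(x) is
    periodic (Simon's task). For b == k, f_b(x ^ k1) == f_b(x), so the period is k1,
    and k2 = oracle(x) ^ E_b(x ^ k1) for any x. The candidate is verified before return."""
    for b in range(SIZE):
        p = find_period(lambda x: oracle(x) ^ E(b, x))
        if p is None:
            continue
        k2 = oracle(0) ^ E(b, p)
        if all(fx_encrypt(b, p, k2, x) == oracle(x) for x in range(SIZE)):
            return b, p, k2
    return None

if __name__ == "__main__":
    k, k1, k2 = 37, 0b101101, 0b011010       # constructed sample keys
    print(recover_fx_keys(lambda x: fx_encrypt(k, k1, k2, x)))   # prints (37, 45, 26)
```

The cost is governed by the loop over b (2^N guesses, which Grover reduces to about 2^(N/2)); the whitening keys add no further search, which is the abstract's point.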