Quantum Attacks without Superposition Queries: the Offline Simon Algorithm

In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon's period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon's subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while requiring only as much hardware (quantum and classical) as a standard exhaustive search with Grover's algorithm. In particular, we are able to break the Even-Mansour construction in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity. Our approach can be seen in two complementary ways: \emph{reusing} superposition queries during the iterations of a search using Grover's algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure. We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.
