4-Round Luby-Rackoff Construction is a qPRP: Tight Quantum Security Bound
The Luby-Rackoff construction, or the Feistel construction, is one of the most important approaches to constructing secure block ciphers from secure pseudorandom functions. The 3-round and 4-round Luby-Rackoff constructions are proven to be secure against chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs), respectively, in the classical setting. However, Kuwakado and Morii showed that a quantum superposed chosen-plaintext attack (qCPA) can distinguish the 3-round Luby-Rackoff construction from a random permutation in polynomial time. In addition, Ito et al. showed a quantum superposed chosen-ciphertext attack (qCCA) that distinguishes the 4-round Luby-Rackoff construction. Since Kuwakado and Morii showed this result, a problem of much interest has been how many rounds are sufficient to achieve provable security against quantum query attacks. This paper answers this fundamental question by showing that 4 rounds suffice against qCPAs. Concretely, we prove that the 4-round Luby-Rackoff construction is secure up to quantum queries. We also prove that the bound is tight by showing an attack that distinguishes the 4-round Luby-Rackoff construction from a random permutation with quantum queries. Our result is the first to demonstrate the tight security of a typical block-cipher construction against quantum query attacks, without any algebraic assumptions. To give security proofs, we use an alternative formalization of Zhandry's compressed oracle technique.
Towards compressed permutation oracles
Compressed oracles (Zhandry, Crypto 2019) are a powerful technique to reason about quantum random oracles, enabling a sort of lazy sampling in the presence of superposition queries. A long-standing open question is whether a similar technique can also be used to reason about random (efficiently invertible) permutations.
In this work, we make a step towards answering this question. We first define the compressed permutation oracle and illustrate its use. While the soundness of this technique (i.e., the indistinguishability from a random permutation) remains a conjecture, we show a curious 2-for-1 theorem: if we use the compressed permutation oracle methodology to show that some construction (e.g., Luby-Rackoff) implements a random permutation (or strong qPRP), then we get the fact that this methodology is actually sound for free.
Quantum Attacks on Lai-Massey Structure
Aaram Yun et al. considered that the Lai-Massey structure has the same security as the Feistel structure. However, Luo et al. showed that the 3-round Lai-Massey structure can resist quantum attacks based on Simon's algorithm, which differs from the Feistel structure. We give quantum attacks against a typical Lai-Massey structure. The result shows that there exists a quantum CPA distinguisher against the 3-round Lai-Massey structure and a quantum CCA distinguisher against the 4-round Lai-Massey structure, which is the same as for the Feistel structure. We extend the attack on the Lai-Massey structure to the quasi-Feistel structure. We show that if the combiner of the quasi-Feistel structure is linear, there exists a quantum CPA distinguisher against the 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against the 4-round balanced quasi-Feistel structure.
Block Cipher Doubling for a Post-Quantum World
In order to maintain a similar security level in a post-quantum setting, many symmetric primitives should have to double their keys and increase their state sizes. So far, no generic way for doing this is known that would provide convincing quantum security guarantees.
In this paper we propose a new generic construction, QuEME, that allows one to double both the key and the state size of a block cipher.
The QuEME design is inspired by the ECB-Mix-ECB (EME) construction, but uses a different choice of mixing function. This choice withstands our new quantum superposition attack, which exploits a periodic property found in collisions and breaks EME and a large class of its variants.
We prove that QuEME achieves -bit security in the classical setting, where is the block size of the underlying block cipher, and at least -bit security in the quantum setting. We propose a concrete instantiation of this construction, called Double-AES, that is built with variants of AES-128
Quantum Pseudoentanglement
Quantum pseudorandom states are efficiently constructable states which nevertheless masquerade as Haar-random states to poly-time observers. First defined by Ji, Liu and Song, such states have found a number of applications ranging from cryptography to the AdS/CFT correspondence. A fundamental question is exactly how much entanglement is required to create such states. Haar-random states, as well as -designs for , exhibit near-maximal entanglement. Here we provide the first construction of pseudorandom states with only polylogarithmic entanglement entropy across an equipartition of the qubits, which is the minimum possible. Our construction can be based on any one-way function secure against quantum attack. We additionally show that the entanglement in our construction is fully "tunable", in the sense that one can have pseudorandom states with entanglement for any desired function .
More fundamentally, our work calls into question to what extent entanglement is a "feelable" quantity of quantum systems. Inspired by recent work of Gheorghiu and Hoban, we define a new notion which we call "pseudoentanglement": ensembles of efficiently constructable quantum states which hide their entanglement entropy. We show such states exist in the strongest form possible while simultaneously being pseudorandom states. We also describe diverse applications of our result, from entanglement distillation to property testing to quantum gravity.
Provably Quantum-Secure Tweakable Block Ciphers
Recent results on quantum cryptanalysis show that some symmetric key schemes can be broken in polynomial time even if they are proven to be secure in the classical setting. Liskov, Rivest, and Wagner showed that secure tweakable block ciphers can be constructed from secure block ciphers in the classical setting. However, Kaplan et al. showed that their scheme can be broken by polynomial time quantum superposition attacks, even if the underlying block ciphers are quantum-secure. Since then, it has remained open whether there exists a mode of block ciphers to build quantum-secure tweakable block ciphers.
This paper settles the problem in the reduction-based provable security paradigm. We show the first design of quantum-secure tweakable block ciphers based on quantum-secure block ciphers, and present a provable security bound. Our construction is simple, and when instantiated with a quantum-secure -bit block cipher, it is secure against attacks that query arbitrary quantum superpositions of plaintexts and tweaks up to quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the technique introduced by Hosoyamada and Iwata.
Quantum Security of TNT
Many classically secure structures are broken by quantum attacks. Evaluating the quantum security of a structure and providing a tight security bound is a challenging research area. As a tweakable block cipher structure based on block ciphers, TNT was proven to have CPA and CCA security in the classical setting. We prove that TNT is a quantum-secure tweakable block cipher with a bound of . In addition, we show the tight quantum PRF security bound of when TNT is based on random functions, which is better than the bound given by Bhaumik et al. and solves their open problem. Our proof uses the recording standard oracle with errors technique of Hosoyamada and Iwata, based on Zhandry's compressed oracle technique.
Quantum Security of FOX Construction based on Lai-Massey Scheme
The Lai-Massey scheme is an important cryptographic approach to designing block ciphers from secure pseudorandom functions. It has been used in the designs of IDEA and IDEA-NXT. At ASIACRYPT'99, Vaudenay showed that the 3-round and 4-round Lai-Massey schemes are secure against chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs), respectively, in the classical setting. At SAC'04, Junod and Vaudenay proposed a new family of block ciphers based on the Lai-Massey scheme, namely FOX. In this work, we analyze the security of the FOX cipher in the quantum setting, where the attacker can make quantum superposed queries to the oracle. Our results are as follows:
The 3-round FOX construction is not a pseudorandom permutation against quantum chosen-plaintext attacks (qCPAs), and the 4-round FOX construction is not a strong pseudorandom permutation against quantum chosen-ciphertext attacks (qCCAs). Essentially, we build quantum distinguishers against the 3-round and 4-round FOX constructions using Simon's algorithm.
The 4-round FOX construction is a pseudorandom permutation against qCPAs. Concretely, we prove that the 4-round FOX construction is secure up to quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the compressed oracle technique introduced by Hosoyamada and Iwata.
Quantum algorithms for cryptanalysis and post-quantum symmetric cryptography
Modern cryptography relies on the notion of computational security. The level of security given by a cryptosystem is expressed as an amount of computational resources required to break it. The goal of cryptanalysis is to find attacks, that is, algorithms with lower complexities than the conjectural bounds. With the advent of quantum computing devices, these levels of security have to be updated to take a whole new notion of algorithms into account. At the same time, cryptography is becoming widely used in small devices (smart cards, sensors), with new cost constraints.
In this thesis, we study the security of secret-key cryptosystems against quantum adversaries. We first build new quantum algorithms for k-list (k-XOR or k-SUM) problems, by composing exhaustive search procedures. Next, we present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the lightweight algorithms Spook and Gimli and we perform the first quantum security analysis of the standard cipher AES. Finally, we specify Saturnin, a family of lightweight cryptosystems oriented towards post-quantum security. Thanks to a very similar structure, its security relies largely on the analysis of AES.