Grover Meets Simon - Quantumly Attacking the FX-construction
Using whitening keys is a well-understood means of increasing the key length of any given cipher. Especially since it has been known ever since Grover's seminal work that the effective key length is halved against quantum adversaries, it seems tempting to use this simple and elegant way of extending the key length of a given cipher to increase its resistance against quantum adversaries. However, as we show in this work, using whitening keys does not significantly increase security in the quantum-CPA setting. For this we present a quantum algorithm that breaks the construction with whitening keys in essentially the same time complexity as Grover's original algorithm breaks the underlying block cipher. Technically, this result is based on combining the quantum algorithms of Grover and Simon for the first time in the cryptographic setting.
Quantum Attacks without Superposition Queries: The Offline Simon's Algorithm
Quantum Period Finding is Compression Robust
We study quantum period finding algorithms such as Simon and Shor (and its variants Ekerå-Håstad and Mosca-Ekert). For a periodic function these algorithms produce -- via some quantum embedding of -- a quantum superposition , which requires a certain amount of output qubits that represent . We show that one can lower this amount to a single output qubit by hashing down to a single bit in an oracle setting.

Namely, we replace the embedding of in quantum period finding circuits by oracle access to several embeddings of hashed versions of . We show that in expectation this modification only doubles the required amount of quantum measurements, while significantly reducing the total number of qubits. For example, for Simon's algorithm that finds periods in our hashing technique reduces the required output qubits from down to , and therefore the total amount of qubits from to . We also show that Simon's algorithm admits real-world applications with only qubits by giving a concrete realization of a hashed version of the cryptographic Even-Mansour construction. Moreover, for a variant of Simon's algorithm on Even-Mansour that requires only classical queries to Even-Mansour we save a factor of (roughly) in the qubits.

Our oracle-based hashed version of the Ekerå-Håstad algorithm for factoring -bit RSA reduces the required qubits from down to . We also show a real-world (non-oracle) application in the discrete logarithm setting by giving a concrete realization of a hashed version of Mosca-Ekert for the Decisional Diffie-Hellman problem in , thereby reducing the number of qubits by even a linear factor from down to .
Quantum Key-recovery Attack on Feistel Structures
Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover's and Simon's quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate Feistel constructions using Grover's and Simon's algorithms to obtain new quantum key-recovery attacks on different numbers of rounds of Feistel constructions. Our attacks require quantum queries to break an -round Feistel construction. The time complexity of our attacks is less than that of quantum brute-force search by a factor of . When compared with the best classical attacks, i.e., Dinur et al.'s attacks at CRYPTO 2015, the time complexity is reduced by a factor of without incurring any memory cost.
Quantum Attacks on HCTR and its Variants
Recently, at Asiacrypt 2019, Bonnetain et al. showed attacks by quantum adversaries on the FX construction and the Even-Mansour cipher without using superposition queries to the encryption oracle. In this work, we use a similar approach to mount new attacks on the HCTR and HCH constructions. In addition, we mount attacks on HCTR, Tweakable-HCTR and HCH using superposition queries to the encryption oracle, following the strategies proposed by Leander and May at Asiacrypt 2017 and Kaplan et al. at Crypto 2016.
Quantum cryptanalysis on some Generalized Feistel Schemes
Post-quantum cryptography has attracted much attention from cryptologists worldwide. At ISIT 2010, Kuwakado and Morii gave a polynomial-time quantum distinguisher against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks.

In this paper, we study quantum distinguishers on some generalized Feistel schemes. For -branch Type-1 GFS (CAST256-like Feistel structure), we introduce ()-round polynomial-time quantum distinguishers. For -branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give ()-round polynomial-time quantum distinguishers. Classically, Moriai and Vaudenay proved that a 7-round -branch Type-1 GFS and a 5-round -branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in the quantum setting.

Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon's and Grover's algorithms recently proposed by Leander and May. We denote by the bit length of a branch. For -round Type-1 GFS with branches, the time complexity is , which is better than quantum brute-force search (Grover search) by a factor of . For -round Type-2 GFS with branches, the time complexity is , which is better than quantum brute-force search by a factor of .
Quantum Attacks on Type-1 Generalized Feistel Schemes
Generalized Feistel schemes (GFSs) are extremely important and extensively researched cryptographic schemes. In this paper, we investigate the security of Type-1 GFS in the quantum setting. On the one hand, in the qCCA setting, we give a new quantum polynomial-time distinguisher on -round Type-1 GFS with branches, which extends the previous results by rounds. This leads to a more efficient analysis of Type-1 GFS: the complexity of some previous key-recovery attacks is reduced by a factor of , where is the key length of the internal round function. On the other hand, for CAST-256, a block cipher based on Type-1 GFS, we give a 17-round quantum distinguisher in the qCPA setting. Based on this, we construct an -round quantum key-recovery attack with complexity .