Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. Besides providing plenty of inherent variability, such a design builds a tweakable block cipher from some lower level primitive. In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from a single n-bit permutation P and a function f(k, t) linear in k from some tweak space to {0, 1} n. Based on giant component theorem in random graph theory, we propose a collision-based multi-key attack on TEM-1 in the known-plaintext setting. Furthermore, inspired by the methodology of Fouque et al. presented at ASIACRYPT 2014, we devise a novel way of detecting collisions and eventually obtain a memory-efficient multi-key attack in the adaptive chosen-plaintext setting. As important applications, we utilize our techniques to analyze the authenticated encryption algorithms Minalpher (a second-round candidate of CAESAR) and OPP (proposed at EUROCRYPT 2016) in the multi-key setting. We describe knownplaintext attacks on Minalpher and OPP without nonce misuse, which enable us to recover almost all O(2n/3) independent masks by making O(2n/3) queries per key and costing O(22n/3) memory overall. After defining appropriate iterated functions and accordingly changing the mode of creating chains, we improve the basic blockwiseadaptive chosen-plaintext attack to make it also applicable for the nonce-respecting setting. While our attacks do not contradict the security proofs of Minalpher and OPP in the classical setting, nor pose an immediate threat to their uses, our results demonstrate their security margins in the multi-user setting should be carefully considered. We emphasize this is the very first third-party analysis on Minalpher and OPP

Quantum Query Lower Bounds for Key Recovery Attacks on the Even-Mansour Cipher

The Even-Mansour (EM) cipher is one of the famous constructions for a block cipher. Kuwakado and Morii demonstrated that a quantum adversary can recover its $n$-bit secret keys only with $O(n)$ nonadaptive quantum queries. While the security of the EM cipher and its variants is well-understood for classical adversaries, very little is currently known of their quantum security. Towards a better understanding of the quantum security, or the limits of quantum adversaries for the EM cipher, we study the quantum query complexity for the key recovery of the EM cipher and prove every quantum algorithm requires $\Omega(n)$ quantum queries for the key recovery even if it is allowed to make adaptive queries. Therefore, the quantum attack of Kuwakado and Morii has the optimal query complexity up to a constant factor, and we cannot asymptotically improve it even with adaptive quantum queries

Quantum Attacks on Some Feistel Block Ciphers

Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor\u27s attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with $2^{114.8}$ quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of $2^{13.2}$

Quantum Circuit Implementation and Resource Analysis of LBlock and LiCi

Due to Grover's algorithm, any exhaustive search attack of block ciphers can achieve a quadratic speed-up. To implement Grover,s exhaustive search and accurately estimate the required resources, one needs to implement the target ciphers as quantum circuits. Recently, there has been increasing interest in quantum circuits implementing lightweight ciphers. In this paper we present the quantum implementations and resource estimates of the lightweight ciphers LBlock and LiCi. We optimize the quantum circuit implementations in the number of gates, required qubits and the circuit depth, and simulate the quantum circuits on ProjectQ. Furthermore, based on the quantum implementations, we analyze the resources required for exhaustive key search attacks of LBlock and LiCi with Grover's algorithm. Finally, we compare the resources for implementing LBlock and LiCi with those of other lightweight ciphers.Comment: 29 pages,21 figure

Beyond quadratic speedups in quantum attacks on symmetric schemes

International audienceIn this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack. We study the 2XOR-Cascade construction of Gaži and Tessaro (EURO-CRYPT 2012). It is a key length extension technique which provides an n-bit block cipher with 5n 2 bits of security out of an n-bit block cipher with 2n bits of key, with a security proof in the ideal model. We show that the offline-Simon algorithm of Bonnetain et al. (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time O(2 n), providing a 2.5 quantum speedup over the best classical attack. Regarding post-quantum security of symmetric ciphers, it is commonly assumed that doubling the key sizes is a sufficient precaution. This is because Grover's quantum search algorithm, and its derivatives, can only reach a quadratic speedup at most. Our attack shows that the structure of some symmetric constructions can be exploited to overcome this limit. In particular, the 2XOR-Cascade cannot be used to generically strengthen block ciphers against quantum adversaries, as it would offer only the same security as the block cipher itself

Cryptanalysis against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoff between data complexity $D$ and time complexity $T$ against the problem of cardinality $N$ is $D^2 \cdot T^2 =N$ and $D \cdot T^6 = N^3$ in the best and worst case scenarios to the adversary respectively, while the classic attack requires $D\cdot T = N$. This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for $T$ by limiting the maximum $D$ to be below $2^{n/2}$ according to the classical tradeoff $D\cdot T = N$. Those schemes are broken if quantum offline computations are performed by adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H$^2$-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model

A Chaos-Based Authenticated Cipher with Associated Data

In recent years, there has been a rising interest in authenticated encryptionwith associated data (AEAD)which combines encryption and authentication into a unified scheme. AEAD schemes provide authentication for a message that is divided into two parts: associated data which is not encrypted and the plaintext which is encrypted. However, there is a lack of chaos-based AEAD schemes in recent literature. This paper introduces a new128-bit chaos-based AEAD scheme based on the single-key Even-Mansour and Type-II generalized Feistel structure. The proposed scheme provides both privacy and authentication in a single-pass using only one 128-bit secret key. The chaotic tent map is used to generate whitening keys for the Even-Mansour construction, round keys, and random s-boxes for the Feistel round function. In addition, the proposed AEAD scheme can be implemented with true randomnumber generators to map a message tomultiple possible ciphertexts in a nondeterministic manner. Security and statistical evaluation indicate that the proposed scheme is highly secure for both the ciphertext and the authentication tag. Furthermore, it has multiple advantages over AES-GCM which is the current standard for authenticated encryption