Quantum attacks against iterated block ciphers

We study the amplification of security against quantum attacks provided by iteration of block ciphers. In the classical case, the Meet-in-the-middle attack is a generic attack against those constructions. This attack reduces the time required to break double iterations to only twice the time it takes to attack a single block cipher, given that the attacker has access to a large amount of memory. More abstractly, it shows that security by composition does not achieve exact multiplicative amplification. We present a quantized version of this attack based on an optimal quantum algorithm for the Element Distinctness problem. We then use the generalized adversary method to prove the optimality of the attack. An interesting corollary is that the time-space tradeoff for quantum attacks is very different from what classical attacks allow. This first result seems to indicate that composition resists better to quantum attacks than to classical ones because it prevents the quadratic speedup achieved by quantizing an exhaustive search. We investigate security amplification by composition further by examining the case of four iterations. We quantize a recent technique called the dissection attack using the framework of quantum walks. Surprisingly, this leads to better gains over classical attacks than for double iterations, which seems to indicate that when the number of iterations grows, the resistance against quantum attacks decreases.Comment: 14 page

Quantum Cryptography Beyond Quantum Key Distribution

Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries---including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference

Random Oracles in a Quantum World

The interest in post-quantum cryptography - classical systems that remain secure in the presence of a quantum adversary - has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states. We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a related paper by Boneh and Zhandr

On the Security of Proofs of Sequential Work in a Post-Quantum World

A Proof of Sequential Work (PoSW) allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. PoSWs have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of a PoSW in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave an efficient PoSW construction that does not require expensive depth-robust graphs. In the classical parallel random oracle model, it is straightforward to argue that any successful PoSW attacker must produce a long $\mathcal{H}$-sequence and that any malicious party running in sequential time $T-1$ will fail to produce an $\mathcal{H}$-sequence of length $T$ except with negligible probability. In this paper, we prove that any quantum attacker running in sequential time $T-1$ will fail to produce an $\mathcal{H}$-sequence except with negligible probability -- even if the attacker submits a large batch of quantum queries in each round. The proof is substantially more challenging and highlights the power of Zhandry's recent compressed oracle technique (CRYPTO 2019). We further extend this result to establish post-quantum security of a non-interactive PoSW obtained by applying the Fiat-Shamir transform to Cohen and Pietrzak's efficient construction (EUROCRYPT 2018).Comment: 44 pages, 4 figure

Recherche de collisions et cryptanalyse symétrique quantique

National audienceDepuis la découverte décisive de l'algorithme de Shor ([Sho94]), le monde de la cryptographie s'est intéressé de près aux capacités d'un éventuel ordinateur quantique, dont l'émergence mettrait à bas la plupart des primitives asymétriques utilisées aujourd'hui. La situation en cryptographie symétrique est plus ambiguë : la croyance générale veut qu'un doublement de la taille des clés suffise à protéger les systèmes actuels. En effet, l'algorithme de Grover ([Gro96]) promet une accélération quadratique de tout type de recherche exhaustive. Cependant, de récents travaux ont appelé à discuter de cette affirmation péremptoire ([Kap+16a]). Mon stage s'inscrit dans la continuité de ces travaux

Hidden Shift Quantum Cryptanalysis and Implications

International audienceAt Eurocrypt 2017 a tweak to counter Simon's quantum attack was proposed: replace the common bitwise addition, with other operations, as a modular addition. The starting point of our paper is a follow up of these previous results: First, we have developed new algorithms that improve and generalize Kuperberg's algorithm for the hidden shift problem, which is the algorithm that applies instead of Simon when considering modular additions. Thanks to our improved algorithm, we have been able to build a quantum attack in the superposition model on Poly1305, proposed at FSE 2005, largely used and claimed to be quantumly secure. We also answer an open problem by analyzing the effect of the tweak to the FX construction. We have also generalized the algorithm. We propose for the first time a quantum algorithm for solving the problem with parallel modular additions , with a complexity that matches both Simon and Kuperberg in its extremes. We also propose a generic algorithm to solve the hidden shift problem in non-abelian groups. In order to verify the theoretical analysis we performed, and to get concrete estimates of the cost of the algorithms, we have simulated them, and were able to validate our estimated complexities. Finally, we analyze the security of some classical symmetric constructions with concrete parameters, to evaluate the impact and practicality of the proposed tweak, concluding that it does not seem to be efficient