Quantum Distinguishing Attacks against Type-1 Generalized Feistel Ciphers
A generalized Feistel cipher is one of the methods to construct block ciphers, and it has several variants. Dong, Li, and Wang showed quantum distinguishing attacks against the -round Type-1 generalized Feistel cipher with quantum chosen-plaintext attacks, where , and they also showed key recovery attacks [Dong, Li, Wang. Sci China Inf Sci, 2019, 62(2): 022501].
In this paper, we show a polynomial time quantum distinguishing attack against the -round version, i.e., we improve the number of rounds by . We also show a quantum distinguishing attack against the -round version in the quantum chosen-ciphertext setting. We apply these quantum distinguishing attacks to obtain key recovery attacks against Type-1 generalized Feistel ciphers.
Quantum All-Subkeys-Recovery Attacks on 6-round Feistel-2* Structure Based on Multi-Equations Quantum Claw Finding
Exploiting quantum mechanisms, quantum attacks have the potential to break cipher structures. Recently, Ito et al. proposed a quantum attack on the Feistel-2* structure (Ito et al.'s attack) in the Q2 model. However, it is not realistic, since the adversary needs quantum oracle access to the cipher and the data complexity is high. To address this, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw finding is proposed; it takes the more realistic Q1 model as its scenario and requires only 3 plaintext-ciphertext pairs to break the 6-round Feistel-2* structure. First, we propose a multi-equations quantum claw-finding algorithm to solve the claw problem for multiple equations. In addition, Grover's algorithm is used to speed up the recovery of the remaining subkeys. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time and memory complexities are also significantly reduced.
Comment: 18 pages, 4 figures
Improved quantum attack on Type-1 Generalized Feistel Schemes and Its application to CAST-256
Generalized Feistel Schemes (GFS) are important components of symmetric ciphers and have been extensively studied in the classical setting. However, security evaluations of GFS in the quantum setting are rather scanty.
In this paper, we give improved polynomial-time quantum distinguishers on Type-1 GFS in the quantum chosen-plaintext attack (qCPA) setting and the quantum chosen-ciphertext attack (qCCA) setting.
In the qCPA setting, we give new quantum polynomial-time distinguishers on -round Type-1 GFS with branches , which gain more rounds than the previous distinguishers. Hence, we obtain better key-recovery attacks, whose time complexities gain a factor of .
In the qCCA setting, we get -round quantum distinguishers on Type-1 GFS, which gain more rounds than the previous distinguishers.
In addition, we give some quantum attacks on the CAST-256 block cipher. We find 12-round and 13-round polynomial-time quantum distinguishers in the qCPA and qCCA settings, respectively, while the best previous one reaches only 7 rounds. Hence, we derive a quantum key-recovery attack on 19-round CAST-256, whereas the best previous quantum key-recovery attack covers 16 rounds. Compared with classical attacks, our result also reaches 16 rounds on CAST-256 with a 128-bit key under a competitive complexity.
Quantum Attacks on Some Feistel Block Ciphers
Post-quantum cryptography has attracted much attention from cryptologists worldwide. However, most research is related to public-key cryptosystems, due to Shor's attack on RSA and ECC. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems can be broken using a quantum period-finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers.
In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) into quantum ones, which gain an exponential speed-up in time complexity. Thus, we can break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, a Russian standard, with quantum queries to the encryption process, faster than a quantum brute-force search attack by a factor of
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
We present new connections between quantum information and the field of classical cryptography. In particular, we provide examples where Simon's algorithm can be used to show the insecurity of commonly used symmetric-key cryptographic primitives. Specifically, these examples consist of a quantum distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC which forges a tag for a chosen-prefix message while querying only other messages (of the same length). We assume that the adversary has quantum-oracle access to the respective classical primitives. Similar results have been achieved recently in independent work by Kaplan et al. Our findings shed new light on the post-quantum security of cryptographic schemes and underline that classical security proofs of cryptographic constructions need to be revisited in light of quantum attackers.
Comment: 14 pages, 2 figures. v3: final polished version, more formal definitions added
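The following is an added illustration, not code from the paper above, of what the 3-round Feistel distinguisher exploits. It builds the Kuwakado-Morii function f(b, x) = L3(x, alpha_b) XOR alpha_b from a toy 3-round Feistel and shows that it has a hidden period (1, F1(alpha0) XOR F1(alpha1)), which a random permutation does not have. Simon's algorithm would recover that period with O(n) quantum queries; here it is replaced by exhaustive classical period search on a 6-bit half block, so only the structural weakness is demonstrated, not the quantum speed-up. The key, the Feistel convention (L_i = R_{i-1}, R_i = L_{i-1} XOR F_i(R_{i-1})) and the SHA-256-derived round functions are assumptions of this demo and may differ from the paper's own formalisation.

```python
"""Classical simulation of the Kuwakado-Morii 3-round Feistel distinguisher (added example)."""
import hashlib
import random

N = 6                 # half-block width in bits; a constructed toy size so period search is cheap
MASK = (1 << N) - 1


def make_round_function(key: bytes, idx: int):
    """Random-looking n-bit -> n-bit function derived from a key (stand-in for a keyed PRF)."""
    def F(v: int) -> int:
        h = hashlib.sha256(key + bytes([idx]) + bytes([v])).digest()
        return h[0] & MASK
    return F


def feistel3_encrypt(rounds, L: int, R: int):
    """Balanced Feistel: L_i = R_{i-1}, R_i = L_{i-1} XOR F_i(R_{i-1})."""
    for F in rounds:
        L, R = R, L ^ F(R)
    return L, R


def random_permutation(seed: int):
    """A random permutation of the full 2n-bit block: the ideal object we compare against."""
    table = list(range(1 << (2 * N)))
    random.Random(seed).shuffle(table)

    def enc(L: int, R: int):
        out = table[(L << N) | R]
        return out >> N, out & MASK
    return enc


def build_periodic_function(encrypt, alpha0: int, alpha1: int):
    """f(b, x) = L3(x, alpha_b) XOR alpha_b.

    For a 3-round Feistel, L3 = alpha_b XOR F2(x XOR F1(alpha_b)), so f(b, x) = F2(x XOR F1(alpha_b))
    and f(b, x) == f(b XOR 1, x XOR s) for every (b, x), with s = F1(alpha0) XOR F1(alpha1).
    """
    alphas = (alpha0, alpha1)

    def f(b: int, x: int) -> int:
        L3, _ = encrypt(x, alphas[b])
        return L3 ^ alphas[b]
    return f


def find_periods(f):
    """List every nonzero (t, s) with f(b, x) == f(b ^ t, x ^ s) for all inputs.

    Exhaustive classical stand-in for Simon's algorithm, which finds such a period
    with a linear number of quantum queries instead of enumerating all candidates.
    """
    table = {(b, x): f(b, x) for b in (0, 1) for x in range(1 << N)}
    return [
        (t, s)
        for t in (0, 1)
        for s in range(1 << N)
        if (t, s) != (0, 0)
        and all(table[(b, x)] == table[(b ^ t, x ^ s)] for (b, x) in table)
    ]


def is_three_round_feistel(encrypt, alpha0: int = 0x01, alpha1: int = 0x02) -> bool:
    """Distinguisher verdict: a hidden period of the form (1, s) exists only for the Feistel."""
    periods = find_periods(build_periodic_function(encrypt, alpha0, alpha1))
    return any(t == 1 for t, _ in periods)


if __name__ == "__main__":
    key = b"constructed demo key"          # constructed for the demo, not from any real system
    rounds = [make_round_function(key, i) for i in range(3)]
    feistel = lambda L, R: feistel3_encrypt(rounds, L, R)
    expected = (1, rounds[0](0x01) ^ rounds[0](0x02))
    print("Feistel periods:", find_periods(build_periodic_function(feistel, 0x01, 0x02)), "expected", expected)
    print("3-round Feistel flagged:", is_three_round_feistel(feistel))
    print("random permutation flagged:", is_three_round_feistel(random_permutation(1)))
```

The practitioner's takeaway is that the attack never needs to know F1 or F2: it only needs the structural fact that the second branch of a 3-round Feistel is a function of x XOR F1(alpha_b), so toggling b can be compensated by a fixed XOR on x. Any construction whose output can be expressed as g(x XOR h(b)) for some secret h is exposed to the same period-finding step.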
Feistel Structures for MPC, and More
We study approaches to generalized Feistel constructions with low-degree round functions with a focus on x -> x^3. Besides known constructions, we also provide a new balanced Feistel construction with improved diffusion properties. This then allows us to propose more efficient generalizations of the MiMC design (Asiacrypt’16), which we in turn evaluate in three application areas. Whereas MiMC was not competitive at all in a recently proposed new class of PQ-secure signature schemes, our new construction leads to about 30 times smaller signatures than MiMC. In MPC use cases, where MiMC outperforms all other competitors, we observe improvements in throughput by a factor of more than 4 and simultaneously a 5-fold reduction of preprocessing effort, albeit at the cost of a higher latency. Another use case where MiMC already outperforms other designs, in the area of SNARKs, sees modest improvements. Additionally, this use case benefits from the flexibility to use smaller fields.
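As an added example (not the paper's own code or its new construction), here is the basic object the abstract above builds on: a balanced Feistel network over a prime field whose round function is the cube map x -> x^3. It makes two points concrete that matter in the MPC and SNARK cost models: each round costs exactly one cubing, i.e. two field multiplications (additions are essentially free), and the network is invertible regardless of whether the cube map is itself a permutation of F_p, which holds only when gcd(3, p-1) = 1. The field size, round count, key and constant derivation are constructed for the demo and carry no security claim.

```python
"""Balanced Feistel over F_p with the cube map as round function (added example)."""
import hashlib

P_DEMO = 2**61 - 1   # assumption: any prime works; this Mersenne prime is just a convenient demo field


def derive_round_constants(rounds: int, p: int, label: bytes = b"demo-constants"):
    """Nothing-up-my-sleeve style constants: hash a label and the round index, reduce mod p."""
    return [int.from_bytes(hashlib.sha256(label + bytes([i])).digest(), "big") % p
            for i in range(rounds)]


def cube(x: int, p: int) -> int:
    """x^3 mod p as two multiplications; this is the whole per-round multiplicative cost."""
    sq = (x * x) % p
    return (sq * x) % p


def feistel_cube_encrypt(xl: int, xr: int, key: int, consts, p: int):
    """Round i: (L, R) -> (R, L + (R + k + c_i)^3), all arithmetic mod p."""
    for c in consts:
        xl, xr = xr, (xl + cube((xr + key + c) % p, p)) % p
    return xl, xr


def feistel_cube_decrypt(xl: int, xr: int, key: int, consts, p: int):
    """Undo the rounds in reverse order; only evaluates the cube map, never inverts it."""
    for c in reversed(consts):
        xl, xr = (xr - cube((xl + key + c) % p, p)) % p, xl
    return xl, xr


def multiplications(rounds: int) -> int:
    """Field multiplications per encryption in the usual MPC/SNARK cost model."""
    return 2 * rounds


def is_permutation_on(p: int, key: int, consts) -> bool:
    """Exhaustively check on a tiny field that encryption is a bijection of F_p x F_p."""
    seen = set()
    for l in range(p):
        for r in range(p):
            seen.add(feistel_cube_encrypt(l, r, key, consts, p))
    return len(seen) == p * p


def cube_is_permutation(p: int) -> bool:
    """x -> x^3 permutes F_p iff gcd(3, p - 1) == 1; checked exhaustively for small p."""
    return sorted(pow(x, 3, p) for x in range(p)) == list(range(p))


if __name__ == "__main__":
    consts = derive_round_constants(8, P_DEMO)
    pt = (123456789, 987654321)
    ct = feistel_cube_encrypt(*pt, 42, consts, P_DEMO)
    print("ciphertext:", ct)
    print("round trip ok:", feistel_cube_decrypt(*ct, 42, consts, P_DEMO) == pt)
    print("multiplications for 8 rounds:", multiplications(8))
    # p = 7 has gcd(3, 6) = 3, so cubing is not a bijection of F_7, yet the Feistel still is.
    small = derive_round_constants(4, 7)
    print("cube permutes F_7:", cube_is_permutation(7))
    print("Feistel permutes F_7 x F_7:", is_permutation_on(7, 3, small))
```

Two design notes follow from running it. First, because the Feistel only ever evaluates the round function in the forward direction, a design can pick the cheapest low-degree map available in the target field without the gcd(3, p-1) = 1 restriction that an SPN-style cube layer needs to be invertible. Second, since the per-round cost is fixed at two multiplications, the only lever left for reducing MPC or SNARK cost is the round count needed for a given security margin, which is exactly where improved diffusion (the abstract's contribution) pays off; this demo does not implement that improved construction.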