305 research outputs found
Quantum-enhanced symmetric cryptanalysis for S-AES
Advanced Encryption Standard is one of the most widely used and important symmetric ciphers today. It is well known that it can be subjected to Grover's quantum attack, which halves its key strength. But a full AES attack requires hundreds of qubits and a circuit depth of thousands, which makes not only experimental research but also numerical simulation of this algorithm impossible. Here we present an algorithm for an optimized Grover's attack on the downscaled Simplified-AES cipher. Besides the full attack we present several approaches that allow reducing the number of required qubits if some nibbles of the key are known as a result of a side-channel attack. For 16-bit S-AES the proposed attack requires 23 qubits in the general case and 19, 15 or 11 if 4, 8 or 12 bits were leaked in a specific configuration. Compared to the previously known 32-qubit algorithm, this approach potentially allows running the attack on today's NISQ devices and performing numerical simulations on GPUs, which may be useful for further research on problem-specific error mitigation and error correction techniques.
Comment: 15 pages, 7 figures
Quantum Search for Scaled Hash Function Preimages
We present the implementation of Grover's algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation, and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, shifts of bits and the reuse of the initial state along the computation requires extra quantum resources as compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step along the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on Tensor Networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover's algorithm can only provide some marginal practical advantage in terms of error mitigation.
Comment: 24 pages, 14 figures
The Construction Of Quantum Block Cipher For Grover Algorithm
Asymmetric and symmetric cryptography are believed to be secure against any attack using classical computers. However, this view is no longer valid in the presence of quantum computing. Asymmetric cryptographic algorithms which are based on integer factorization or discrete logarithm problems are rendered insecure against quantum attacks. In contrast, the threats posed by quantum computing to symmetric cryptography are not clear compared with asymmetric cryptography. Similarly to classical computing, to conduct a quantum attack on a classical block cipher, the block cipher must be designed and implemented as a quantum reversible circuit on a quantum platform.
Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks
The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations.
In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.
Implementing Grover oracles for quantum key search on AES and LowMC
Grover's search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses calls to the cipher to search a key space of size . Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits.
In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST's post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography.
As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.
This is a revised version that corrects the estimates for AES to account for some issues in Q# that made the original estimates inaccurate. We did not revise the estimates for LowMC, so those resource counts are likely lower than possible.
Simplified MITM modeling for permutations: New (quantum) attacks
Meet-in-the-middle (MITM) is a general paradigm where internal states are computed along two independent paths ('forwards' and 'backwards') that are then matched. Over time, MITM attacks improved using more refined techniques and exploiting additional freedoms and structure, which makes it more involved to find and optimize such attacks. This has led to the use of detailed attack models for generic solvers to automatically search for improved attacks, notably a MILP model developed by Bao et al. at EUROCRYPT 2021.
In this paper, we study a simpler MILP modeling combining a greatly reduced attack representation as input to the generic solver, together with a theoretical analysis that, for any solution, proves the existence and complexity of a detailed attack. This modeling allows finding both classical and quantum attacks on a broad class of cryptographic permutations. First, Present-like constructions, with the permutations from the Spongent hash functions: we improve the MITM step in distinguishers by up to 3 rounds. Second, AES-like designs: despite being much simpler than Bao et al.'s, our model allows us to recover the best previous results. The only limitation is that we do not use degrees of freedom from the key schedule. Third, we show that the model can be extended to target more permutations, like Feistel networks. In this context we give new Guess-and-determine attacks on reduced Simpira v2 and Sparkle. Finally, using our model, we find several new quantum preimage and pseudo-preimage attacks (e.g. Haraka v2, Simpira v2 . . . ) targeting the same number of rounds as the classical attacks.