Quantum Key-recovery Attack on Feistel Structures

Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover\u27s and Simon\u27s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover\u27s and Simon\u27s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require $2^{nr/4~-~3n/4}$ quantum queries to break an $r$-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of $2^{0.75n}$. When compared with the best classical attacks, i.e., Dinur \emph{et al.}\u27s attacks at CRYPTO 2015, the time complexity is reduced by a factor of $2^{0.5n}$ without incurring any memory cost

Quantum All-Subkeys-Recovery Attacks on 6-round Feistel-2* Structure Based on Multi-Equations Quantum Claw Finding

Exploiting quantum mechanisms, quantum attacks have the potential ability to break the cipher structure. Recently, Ito et al. proposed a quantum attack on Feistel-2* structure (Ito et al.'s attack) based onthe Q2 model. However, it is not realistic since the quantum oracle needs to be accessed by the adversary, and the data complexityis high. To solve this problem, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw-finding is proposed, which takes a more realistic model, the Q1 model, as the scenario, and only requires 3 plain-ciphertext pairs to quickly crack the 6-round Feistel-2* structure. First, we proposed a multi-equations quantum claw-finding algorithm to solve the claw problem of finding multiple equations. In addition, Grover's algorithm is used to speedup the rest subkeys recovery. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time complexity and memory complexity are also significantly reduced.Comment: 18 pages, 4 figure

Quantum Circuit Implementation and Resource Analysis of LBlock and LiCi

Due to Grover's algorithm, any exhaustive search attack of block ciphers can achieve a quadratic speed-up. To implement Grover,s exhaustive search and accurately estimate the required resources, one needs to implement the target ciphers as quantum circuits. Recently, there has been increasing interest in quantum circuits implementing lightweight ciphers. In this paper we present the quantum implementations and resource estimates of the lightweight ciphers LBlock and LiCi. We optimize the quantum circuit implementations in the number of gates, required qubits and the circuit depth, and simulate the quantum circuits on ProjectQ. Furthermore, based on the quantum implementations, we analyze the resources required for exhaustive key search attacks of LBlock and LiCi with Grover's algorithm. Finally, we compare the resources for implementing LBlock and LiCi with those of other lightweight ciphers.Comment: 29 pages,21 figure

Quantum Cryptanalysis on Contracting Feistel Structures and Observation on Related-key Settings

In this paper we show several quantum chosen-plaintext attacks (qCPAs) on contracting Feistel structures. In the classical setting, a $d$-branch $r$-round contracting Feistel structure can be shown to be PRP-secure when $d$ is even and $r \geq 2d-1$, meaning it is secure against polynomial-time chosen-plaintext attacks. We propose a polynomial-time qCPA distinguisher on the $d$-branch $(2d-1)$-round contracting Feistel structure, which solves an open problem by Dong et al. In addition, we show a polynomial-time qCPA that recovers the keys of the $d$-branch $r$-round contracting Feistel structure when each round function $F^{(i)}_{k_i}$ has the form $F^{(i)}_{k_i}(x) = F_i(x \oplus k_i)$ for a public random function $F_i$. This is applicable to the Chinese block cipher standard {\texttt{SM4}}, which is a special case where $d=4$. Finally, in addition to quantum attacks under single-key setting, we also show related-key quantum attacks on balanced Feistel structures in the model that adversaries can only control part of the key difference in quantum superposition. Our related-key attacks on balanced Feistel structures can easily be extended to ones on contracting Feistel structures

Estimating the Cost of Superposition Attacks on Lightweight Cryptography on Fault-Tolerant Quantum Systems

Wir werden verschiedene Angriffe in Quantensuperposition auf sogenannte Lightweight-Kryptographie Primitive unter Verwendung von Simon’s-Algorithmus vorstellen. Drei unserer Angriffe richten sich gegen den Finalisten des NIST Lightweight Cryptography Standardization Process, Elephant. Die anderen Primitive sind LightMAC und ESTATE. Wir werden auch zeigen, dass das Kürzen der Ausgabe von periodischer 2-zu-1-Funktionen Simon’s Algorithmus nicht einschränkt. Dieses Ergebnis kann genutzt werden, um bestehende Angriffe zu beschleunigen. Die Ressourcenkosten aller vorgestellten Angriffe werden dann unter Berücksichtigung eines fehlertoleranten, auf surface-code basierenden Quantencomputers geschätzt. Wir werden die Unterschiede zwischen einem Angreifer, der in der Lage ist, das Elephant-Primitiv in Superposition anzufragen, und einem, der nur klassische Anfragen stellen kann, demonstrieren. Selbst wenn beide Zugang zum selben lokalen Quantencomputer haben, wird derjenige, der Zugang zu Superpositionen hat, den geheimen Schlüssel in etwa $10^{11}$ logischen Qubit-Zyklen und 21.2 Sekunden wiederherstellen, während der andere etwa $10^{20}$ logische Qubit-Zyklen und 209.9 Jahre benötigt

Improved quantum attack on Type-1 Generalized Feistel Schemes and Its application to CAST-256

Generalized Feistel Schemes (GFS) are important components of symmetric ciphers, which have been extensively researched in classical setting. However, the security evaluations of GFS in quantum setting are rather scanty. In this paper, we give more improved polynomial-time quantum distinguishers on Type-1 GFS in quantum chosen-plaintext attack (qCPA) setting and quantum chosen-ciphertext attack (qCCA) setting. In qCPA setting, we give new quantum polynomial-time distinguishers on $(3d-3)$-round Type-1 GFS with branches $d\geq3$, which gain $d-2$ more rounds than the previous distinguishers. Hence, we could get better key-recovery attacks, whose time complexities gain a factor of $2^{\frac{(d-2)n}{2}}$. In qCCA setting, we get $(3d-3)$-round quantum distinguishers on Type-1 GFS, which gain $d-1$ more rounds than the previous distinguishers. In addition, we give some quantum attacks on CAST-256 block cipher. We find 12-round and 13-round polynomial-time quantum distinguishers in qCPA and qCCA settings, respectively, while the best previous one is only 7 rounds. Hence, we could derive quantum key-recovery attack on 19-round CAST-256. While the best previous quantum key-recovery attack is on 16 rounds. When comparing our quantum attacks with classical attacks, our result also reaches 16 rounds on CAST-256 with 128-bit key under a competitive complexity

Quantum Attacks on Lai-Massey Structure

Aaram Yun et al. considered that Lai-Massey structure has the same security as Feistel structure. However, Luo et al. showed that 3-round Lai-Massey structure can resist quantum attacks of Simon\u27s algorithm, which is different from Feistel structure. We give quantum attacks against a typical Lai-Massey structure. The result shows that there exists a quantum CPA distinguisher against 3-round Lai-Massey structure and a quantum CCA distinguisher against 4-round Lai-Massey Structure, which is the same as Feistel structure. We extend the attack on Lai-Massey structure to quasi-Feistel structure. We show that if the combiner of quasi-Feistel structure is linear, there exists a quantum CPA distinguisher against 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against 4-round balanced quasi-Feistel Structure

Quantum cryptanalysis on some Generalized Feistel Schemes

Post-quantum cryptography has attracted much attention from worldwide cryptologists. In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For $d$-branch Type-1 GFS (CAST256-like Feistel structure), we introduce ($2d-1$)-round quantum distinguishers with polynomial time. For $2d$-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give ($2d+1$)-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round $4$-branch Type-1 GFS and 5-round $4$-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon\u27s and Grover\u27s algorithms recently proposed by Leander and May. We denote $n$ as the bit length of a branch. For $(d^2-d+2)$-round Type-1 GFS with $d$ branches, the time complexity is $2^{(\frac{1}{2}d^2-\frac{3}{2}d+2)\cdot \frac{n}{2}}$, which is better than the quantum brute force search (Grover search) by a factor $2^{(\frac{1}{4}d^2+\frac{1}{4}d)n}$. For $4d$-round Type-2 GFS with $2d$ branches, the time complexity is $2^{{\frac{d^2 n}{2}}}$, which is better than the quantum brute force search by a factor $2^{{\frac{3d^2 n}{2}}}$