Quantum Multicollision-Finding Algorithm

The current paper presents a new quantum algorithm for finding multicollisions, often denoted by $l$-collisions, where an $l$-collision for a function is a set of $l$ distinct inputs having the same output value. Although it is fundamental in cryptography, the problem of finding multicollisions has not received much attention \emph{in a quantum setting}. The tight bound of quantum query complexity for finding $2$-collisions of random functions has been revealed to be $\Theta(N^{1/3})$, where $N$ is the size of a codomain. However, neither the lower nor upper bound is known for $l$-collisions. The paper first integrates the results from existing research to derive several new observations, e.g.~$l$-collisions can be generated only with $O(N^{1/2})$ quantum queries for a small constant $l$. Then a new quantum algorithm is proposed, which finds an $l$-collision of any function that has a domain size $l$ times larger than the codomain size. A rigorous proof is given to guarantee that the expected number of quantum queries is $O\left( N^{(3^{l-1}-1)/(2 \cdot 3^{l-1})} \right)$ for a small constant $l$, which matches the tight bound of $\Theta(N^{1/3})$ for $l=2$ and improves the known bounds, say, the above simple bound of $O(N^{1/2})$

Improved Quantum Multicollision-Finding Algorithm

The current paper improves the number of queries of the previous quantum multi-collision finding algorithms presented by Hosoyamada et al. at Asiacrypt 2017. Let an $l$-collision be a tuple of $l$ distinct inputs that result in the same output of a target function. In cryptology, it is important to study how many queries are required to find $l$-collisions for random functions of which domains are larger than ranges. The previous algorithm finds an $l$-collision for a random function by recursively calling the algorithm for finding $(l-1)$-collisions, and it achieves the average quantum query complexity of $O(N^{(3^{l-1}-1) / (2 \cdot 3^{l-1})})$, where $N$ is the range size of target functions. The new algorithm removes the redundancy of the previous recursive algorithm so that different recursive calls can share a part of computations. The new algorithm finds an $l$-collision for random functions with the average quantum query complexity of $O(N^{(2^{l-1}-1) / (2^{l}-1)})$, which improves the previous bound for all $l\ge 3$ (the new and previous algorithms achieve the optimal bound for $l=2$). More generally, the new algorithm achieves the average quantum query complexity of $O\left(c^{3/2}_N N^{\frac{2^{l-1}-1}{ 2^{l}-1}}\right)$ for a random function $f\colon X\to Y$ such that $|X| \geq l \cdot |Y| / c_N$ for any $1\le c_N \in o(N^{\frac{1}{2^l - 1}})$. With the same query complexity, it also finds a multiclaw for random functions, which is harder to find than a multicollision

Quantum forgery attacks on COPA,AES-COPA and marble authenticated encryption algorithms

The classic forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms need to query about 2^(n/2) times, and their success probability is not high. To solve this problem, the corresponding quantum forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA, we use Simon's algorithm to find the period of the tag generation function in COPA and AES-COPA by querying in superposition, and then generate a forged tag for a new message. In the quantum forgery attack on Marble, Simon's algorithm is used to recover the secret parameter L, and the forged tag can be computed with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve success probability close to 100%.Comment: 21 pages, 11 figure

On Finding Quantum Multi-collisions

A $k$-collision for a compressing hash function $H$ is a set of $k$ distinct inputs that all map to the same output. In this work, we show that for any constant $k$, $\Theta\left(N^{\frac{1}{2}(1-\frac{1}{2^k-1})}\right)$ quantum queries are both necessary and sufficient to achieve a $k$-collision with constant probability. This improves on both the best prior upper bound (Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower bound, completely resolving the problem

Improved Straight-Line Extraction in the Random Oracle Model With Applications to Signature Aggregation

The goal of this paper is to improve the efficiency and applicability of straightline extraction techniques in the random oracle model. Straightline extraction in the random oracle model refers to the existence of an extractor, which given the random oracle queries made by a prover $P^*(x)$ on some theorem $x$, is able to produce a witness $w$ for $x$ with roughly the same probability that $P^*$ produces a verifying proof. This notion applies to both zero-knowledge protocols and verifiable computation where the goal is compressing a proof. Pass (CRYPTO \u2703) first showed how to achieve this property for NP using a cut-and-choose technique which incurred a $\lambda^2$-bit overhead in communication where $\lambda$ is a security parameter. Fischlin (CRYPTO \u2705) presented a more efficient technique based on ``proofs of work\u27\u27 that sheds this $\lambda^2$ cost, but only applies to a limited class of Sigma Protocols with a ``quasi-unique response\u27\u27 property, which for example, does not necessarily include the standard OR composition for Sigma protocols. With Schnorr/EdDSA signature aggregation as a motivating application, we develop new techniques to improve the computation cost of straight-line extractable proofs. Our improvements to the state of the art range from 70X--200X for the best compression parameters. This is due to a uniquely suited polynomial evaluation algorithm, and the insight that a proof-of-work that relies on multicollisions and the birthday paradox is faster to solve than inverting a fixed target. Our collision based proof-of-work more generally improves the Prover\u27s random oracle query complexity when applied in the NIZK setting as well. In addition to reducing the query complexity of Fischlin\u27s Prover, for a special class of Sigma protocols we can for the first time closely match a new lower bound we present. Finally we extend Fischlin\u27s technique so that it applies to a more general class of strongly-sound Sigma protocols, which includes the OR composition. We achieve this by carefully randomizing Fischlin\u27s technique---we show that its current deterministic nature prevents its application to certain multi-witness languages

New results on symmetric quantum cryptanalysis (Keynote speaker)

International audienceThe security of symmetric cryptography is completely based on cryptanalysis: we only gain confidence in the security of a symmetric primitive through extensive and continuous scrutiny. It is therefore not possible to determine whether a symmetric primitive might be secure or not in a post-quantum world without first understanding how a quantum adversary could attack it. In this talk I will provide an overview of the subject and present some recent results on symmetric quantum cryptanalysis: a new efficient quantum collision search algorithm (joint work with A. Chailloux and A. Schrottenloher), and new efficient quantum algorithms for solving the K-xor problem (joint work with L. Grassi and A. Schrottenloher). We will discuss some implications of these results in quantum-safe symmetric cryptography

Symmetric Cryptanalysis: the Foundation of Trust

International audienceThe security of asymmetric primitives typically relies on the hardness of a well-established mathematical problem and is then well accepted by the community. By contrast, the security of symmetric primitives is much less clearly established and the existing pseudo-security-proofs always rely on an ideal modelization that is far from realistic (for example, modeling a pseudo-random distribution by a truly random one). We are then often left with an empirical measure of the security, provided by a thorough, and even more importantly never-ending study of the symmetric primitives by cryptanalysts.That is why confidence in symmetric primitives is always based on the amount of cryptanalysis they have received, and on the security margin that they have left. To react as quickly as possible when required, it is important to analyze the security thoroughly with respect to all currently available cryptanalysis tools (including quantum ones); and then keep it up to date as the tools evolve

New Results on Quantum Symmetric Cryptanalysis

National audienceThe security of symmetric cryptography is completely based on cryptanalysis: we only gain confidence in the security of a symmetric primitive through extensive and continuous scrutiny. It is therefore not possible to determine whether a symmetric primitive might be secure or not in a post-quantum world without first understanding how a quantum adversary could attack it. In this talk I will provide an overview of the subject and present some recent results on symmetric quantum cryptanalysis: a new efficient quantum collision search algorithm (joint work with A. Chailloux and A. Schrottenloher) and an extensive analysis of the use of modular additions on symmetric primitives (joint work with X. Bonnetain). We will discuss some implications of these results in quantum-safe symmetric cryptography