26 research outputs found
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
We present new connections between quantum information and the field of
classical cryptography. In particular, we provide examples where Simon's
algorithm can be used to show insecurity of commonly used cryptographic
symmetric-key primitives. Specifically, these examples consist of a quantum
distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC
which forges a tag for a chosen-prefix message querying only other messages (of
the same length). We assume that an adversary has quantum-oracle access to the
respective classical primitives. Similar results have been achieved recently in
independent work by Kaplan et al. Our findings shed new light on the
post-quantum security of cryptographic schemes and underline that classical
security proofs of cryptographic constructions need to be revisited in light of
quantum attackers.Comment: 14 pages, 2 figures. v3: final polished version, more formal
definitions adde
Quantum Key-recovery Attack on Feistel Structures
Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover\u27s and Simon\u27s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover\u27s and Simon\u27s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks
require quantum queries to break an -round Feistel construction.
The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of . When compared with the best classical attacks, i.e., Dinur \emph{et al.}\u27s attacks at CRYPTO 2015, the time complexity is reduced by a factor of without incurring any memory cost
A failure in decryption process for bivariate polynomial reconstruction problem cryptosystem
In 1999, the Polynomial Reconstruction Problem (PRP) was put forward as a new hard mathematics problem. A univariate PRP scheme by Augot and Finiasz was introduced at Eurocrypt in 2003, and this cryptosystem was fully cryptanalyzed in 2004. In 2013, a bivariate PRP cryptosystem was developed, which is a modified version of Augot and Finiasz's original work. This study describes a decryption failure that can occur in both cryptosystems. We demonstrate that when the error has a weight greater than the number of monomials in a secret polynomial, p, decryption failure can occur. The result of this study also determines the upper bound that should be applied to avoid decryption failure
Quantum cryptanalysis on some Generalized Feistel Schemes
Post-quantum cryptography has attracted much attention from worldwide cryptologists.
In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks.
In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For -branch Type-1 GFS (CAST256-like Feistel structure), we introduce ()-round quantum distinguishers with polynomial time. For -branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give ()-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round -branch Type-1 GFS and 5-round -branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting.
Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon\u27s and Grover\u27s algorithms recently proposed by Leander and May. We denote as the bit length of a branch. For -round Type-1 GFS with branches, the time complexity is , which is better than the quantum brute force search (Grover search) by a factor . For -round Type-2 GFS with branches, the time complexity is , which is better than the quantum brute force search by a factor
On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP
The qINDqCPA security notion for public-key encryption schemes by Gagliardoni et al. (PQCrypto\u2721) models security against adversaries which are able to obtain ciphertexts in superposition. Defining this security notion requires a special type of quantum operator. Known constructions differ in which keys are necessary to construct this operator, depending on properties of the encryption scheme. We argue—for the typical setting of securing communication between Alice and Bob—that in order to apply the notion, the quantum operator should be realizable for challengers knowing only the public key. This is already known to be the case for a wide range of public-key encryption schemes, in particular, those exhibiting the so-called recoverability property which allows to recover the message from a ciphertext using the randomness instead of the secret key. The open question is whether there are real-world public-key encryption schemes for which the notion is not applicable, considering the aforementioned observation on the keys known by the challenger. We answer this question in the affirmative by showing that applying the qINDqCPA security notion to the OAEP construction requires the challenger to know the secret key. We conclude that the qINDqCPA security notion might need to be refined to eventually yield a universally applicable PKE notion of quantum security with a quantum indistinguishability phase
Quantum Attacks on Some Feistel Block Ciphers
Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor\u27s attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers.
In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of
Quantum-secure message authentication via blind-unforgeability
Formulating and designing unforgeable authentication of classical messages in
the presence of quantum adversaries has been a challenge, as the familiar
classical notions of unforgeability do not directly translate into meaningful
notions in the quantum setting. A particular difficulty is how to fairly
capture the notion of "predicting an unqueried value" when the adversary can
query in quantum superposition. In this work, we uncover serious shortcomings
in existing approaches, and propose a new definition. We then support its
viability by a number of constructions and characterizations. Specifically, we
demonstrate a function which is secure according to the existing definition by
Boneh and Zhandry, but is clearly vulnerable to a quantum forgery attack,
whereby a query supported only on inputs that start with 0 divulges the value
of the function on an input that starts with 1. We then propose a new
definition, which we call "blind-unforgeability" (or BU.) This notion matches
"intuitive unpredictability" in all examples studied thus far. It defines a
function to be predictable if there exists an adversary which can use
"partially blinded" oracle access to predict values in the blinded region. Our
definition (BU) coincides with standard unpredictability (EUF-CMA) in the
classical-query setting. We show that quantum-secure pseudorandom functions are
BU-secure MACs. In addition, we show that BU satisfies a composition property
(Hash-and-MAC) using "Bernoulli-preserving" hash functions, a new notion which
may be of independent interest. Finally, we show that BU is amenable to
security reductions by giving a precise bound on the extent to which quantum
algorithms can deviate from their usual behavior due to the blinding in the BU
security experiment.Comment: 23+9 pages, v3: published version, with one theorem statement in the
summary of results correcte
Semantic Security and Indistinguishability in the Quantum World
At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure
encryption. They proposed first indistinguishability definitions for the
quantum world where the actual indistinguishability only holds for classical
messages, and they provide arguments why it might be hard to achieve a stronger
notion. In this work, we show that stronger notions are achievable, where the
indistinguishability holds for quantum superpositions of messages. We
investigate exhaustively the possibilities and subtle differences in defining
such a quantum indistinguishability notion for symmetric-key encryption
schemes. We justify our stronger definition by showing its equivalence to novel
quantum semantic-security notions that we introduce. Furthermore, we show that
our new security definitions cannot be achieved by a large class of ciphers --
those which are quasi-preserving the message length. On the other hand, we
provide a secure construction based on quantum-resistant pseudorandom
permutations; this construction can be used as a generic transformation for
turning a large class of encryption schemes into quantum indistinguishable and
hence quantum semantically secure ones. Moreover, our construction is the first
completely classical encryption scheme shown to be secure against an even
stronger notion of indistinguishability, which was previously known to be
achievable only by using quantum messages and arbitrary quantum encryption
circuits.Comment: 37 pages, 2 figure