66 research outputs found
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
We present new connections between quantum information and the field of
classical cryptography. In particular, we provide examples where Simon's
algorithm can be used to show insecurity of commonly used cryptographic
symmetric-key primitives. Specifically, these examples consist of a quantum
distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC
which forges a tag for a chosen-prefix message querying only other messages (of
the same length). We assume that an adversary has quantum-oracle access to the
respective classical primitives. Similar results have been achieved recently in
independent work by Kaplan et al. Our findings shed new light on the
post-quantum security of cryptographic schemes and underline that classical
security proofs of cryptographic constructions need to be revisited in light of
quantum attackers.Comment: 14 pages, 2 figures. v3: final polished version, more formal
definitions adde
Quantum Period Finding is Compression Robust
We study quantum period finding algorithms such as Simon and Shor (and its
variants Eker{\aa}-H{\aa}stad and Mosca-Ekert). For a periodic function
these algorithms produce -- via some quantum embedding of -- a quantum
superposition , which requires a certain amount
of output qubits that represent . We show that one can lower this
amount to a single output qubit by hashing down to a single bit in an
oracle setting.
Namely, we replace the embedding of in quantum period finding circuits by
oracle access to several embeddings of hashed versions of . We show that on
expectation this modification only doubles the required amount of quantum
measurements, while significantly reducing the total number of qubits. For
example, for Simon's algorithm that finds periods in our hashing technique reduces the required output
qubits from down to , and therefore the total amount of qubits from
to . We also show that Simon's algorithm admits real world applications
with only qubits by giving a concrete realization of a hashed version of
the cryptographic Even-Mansour construction. Moreover, for a variant of Simon's
algorithm on Even-Mansour that requires only classical queries to Even-Mansour
we save a factor of (roughly) in the qubits.
Our oracle-based hashed version of the Eker{\aa}-H{\aa}stad algorithm for
factoring -bit RSA reduces the required qubits from
down to . We also show a real-world (non-oracle)
application in the discrete logarithm setting by giving a concrete realization
of a hashed version of Mosca-Ekert for the Decisional Diffie Hellman problem in
, thereby reducing the number of qubits by even a linear
factor from downto
Block encryption of quantum messages
In modern cryptography, block encryption is a fundamental cryptographic
primitive. However, it is impossible for block encryption to achieve the same
security as one-time pad. Quantum mechanics has changed the modern
cryptography, and lots of researches have shown that quantum cryptography can
outperform the limitation of traditional cryptography.
This article proposes a new constructive mode for private quantum encryption,
named , which is a very simple method to construct quantum
encryption from classical primitive. Based on mode, we
construct a quantum block encryption (QBE) scheme from pseudorandom functions.
If the pseudorandom functions are standard secure, our scheme is
indistinguishable encryption under chosen plaintext attack. If the pseudorandom
functions are permutation on the key space, our scheme can achieve perfect
security. In our scheme, the key can be reused and the randomness cannot, so a
-bit key can be used in an exponential number of encryptions, where the
randomness will be refreshed in each time of encryption. Thus -bit key can
perfectly encrypt qubits, and the perfect secrecy would not be broken
if the -bit key is reused for only exponential times.
Comparing with quantum one-time pad (QOTP), our scheme can be the same secure
as QOTP, and the secret key can be reused (no matter whether the eavesdropping
exists or not). Thus, the limitation of perfectly secure encryption (Shannon's
theory) is broken in the quantum setting. Moreover, our scheme can be viewed as
a positive answer to the open problem in quantum cryptography "how to
unconditionally reuse or recycle the whole key of private-key quantum
encryption". In order to physically implement the QBE scheme, we only need to
implement two kinds of single-qubit gates (Pauli gate and Hadamard gate),
so it is within reach of current quantum technology.Comment: 13 pages, 1 figure. Prior version appears in
eprint.iacr.org(iacr/2017/1247). This version adds some analysis about
multiple-message encryption, and modifies lots of contents. There are no
changes about the fundamental result
Quantum forgery attacks on COPA,AES-COPA and marble authenticated encryption algorithms
The classic forgery attacks on COPA, AES-COPA and Marble authenticated
encryption algorithms need to query about 2^(n/2) times, and their success
probability is not high. To solve this problem, the corresponding quantum
forgery attacks on COPA, AES-COPA and Marble authenticated encryption
algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA,
we use Simon's algorithm to find the period of the tag generation function in
COPA and AES-COPA by querying in superposition, and then generate a forged tag
for a new message. In the quantum forgery attack on Marble, Simon's algorithm
is used to recover the secret parameter L, and the forged tag can be computed
with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our
attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve
success probability close to 100%.Comment: 21 pages, 11 figure
Quantum Key-recovery Attack on Feistel Structures
Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover\u27s and Simon\u27s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover\u27s and Simon\u27s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks
require quantum queries to break an -round Feistel construction.
The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of . When compared with the best classical attacks, i.e., Dinur \emph{et al.}\u27s attacks at CRYPTO 2015, the time complexity is reduced by a factor of without incurring any memory cost
- …