Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives

We present new connections between quantum information and the field of classical cryptography. In particular, we provide examples where Simon's algorithm can be used to show insecurity of commonly used cryptographic symmetric-key primitives. Specifically, these examples consist of a quantum distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC which forges a tag for a chosen-prefix message querying only other messages (of the same length). We assume that an adversary has quantum-oracle access to the respective classical primitives. Similar results have been achieved recently in independent work by Kaplan et al. Our findings shed new light on the post-quantum security of cryptographic schemes and underline that classical security proofs of cryptographic constructions need to be revisited in light of quantum attackers.Comment: 14 pages, 2 figures. v3: final polished version, more formal definitions adde

Quantum Period Finding is Compression Robust

We study quantum period finding algorithms such as Simon and Shor (and its variants Eker{\aa}-H{\aa}stad and Mosca-Ekert). For a periodic function $f$ these algorithms produce -- via some quantum embedding of $f$ -- a quantum superposition $\sum_x |x\rangle|f(x)\rangle$, which requires a certain amount of output qubits that represent $|f(x)\rangle$. We show that one can lower this amount to a single output qubit by hashing $f$ down to a single bit in an oracle setting. Namely, we replace the embedding of $f$ in quantum period finding circuits by oracle access to several embeddings of hashed versions of $f$. We show that on expectation this modification only doubles the required amount of quantum measurements, while significantly reducing the total number of qubits. For example, for Simon's algorithm that finds periods in $f: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^n$ our hashing technique reduces the required output qubits from $n$ down to $1$, and therefore the total amount of qubits from $2n$ to $n+1$. We also show that Simon's algorithm admits real world applications with only $n+1$ qubits by giving a concrete realization of a hashed version of the cryptographic Even-Mansour construction. Moreover, for a variant of Simon's algorithm on Even-Mansour that requires only classical queries to Even-Mansour we save a factor of (roughly) $4$ in the qubits. Our oracle-based hashed version of the Eker{\aa}-H{\aa}stad algorithm for factoring $n$-bit RSA reduces the required qubits from $(\frac 3 2 + o(1))n$ down to $(\frac 1 2 + o(1))n$. We also show a real-world (non-oracle) application in the discrete logarithm setting by giving a concrete realization of a hashed version of Mosca-Ekert for the Decisional Diffie Hellman problem in $\mathbb{F}_{p^m}$, thereby reducing the number of qubits by even a linear factor from $m \log p$ downto $\log p$

Block encryption of quantum messages

In modern cryptography, block encryption is a fundamental cryptographic primitive. However, it is impossible for block encryption to achieve the same security as one-time pad. Quantum mechanics has changed the modern cryptography, and lots of researches have shown that quantum cryptography can outperform the limitation of traditional cryptography. This article proposes a new constructive mode for private quantum encryption, named $\mathcal{EHE}$, which is a very simple method to construct quantum encryption from classical primitive. Based on $\mathcal{EHE}$ mode, we construct a quantum block encryption (QBE) scheme from pseudorandom functions. If the pseudorandom functions are standard secure, our scheme is indistinguishable encryption under chosen plaintext attack. If the pseudorandom functions are permutation on the key space, our scheme can achieve perfect security. In our scheme, the key can be reused and the randomness cannot, so a $2n$-bit key can be used in an exponential number of encryptions, where the randomness will be refreshed in each time of encryption. Thus $2n$-bit key can perfectly encrypt $O(n2^n)$ qubits, and the perfect secrecy would not be broken if the $2n$-bit key is reused for only exponential times. Comparing with quantum one-time pad (QOTP), our scheme can be the same secure as QOTP, and the secret key can be reused (no matter whether the eavesdropping exists or not). Thus, the limitation of perfectly secure encryption (Shannon's theory) is broken in the quantum setting. Moreover, our scheme can be viewed as a positive answer to the open problem in quantum cryptography "how to unconditionally reuse or recycle the whole key of private-key quantum encryption". In order to physically implement the QBE scheme, we only need to implement two kinds of single-qubit gates (Pauli $X$ gate and Hadamard gate), so it is within reach of current quantum technology.Comment: 13 pages, 1 figure. Prior version appears in eprint.iacr.org(iacr/2017/1247). This version adds some analysis about multiple-message encryption, and modifies lots of contents. There are no changes about the fundamental result

Quantum forgery attacks on COPA,AES-COPA and marble authenticated encryption algorithms

The classic forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms need to query about 2^(n/2) times, and their success probability is not high. To solve this problem, the corresponding quantum forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA, we use Simon's algorithm to find the period of the tag generation function in COPA and AES-COPA by querying in superposition, and then generate a forged tag for a new message. In the quantum forgery attack on Marble, Simon's algorithm is used to recover the secret parameter L, and the forged tag can be computed with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve success probability close to 100%.Comment: 21 pages, 11 figure

Quantum Key-recovery Attack on Feistel Structures

Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover\u27s and Simon\u27s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover\u27s and Simon\u27s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require $2^{nr/4~-~3n/4}$ quantum queries to break an $r$-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of $2^{0.75n}$. When compared with the best classical attacks, i.e., Dinur \emph{et al.}\u27s attacks at CRYPTO 2015, the time complexity is reduced by a factor of $2^{0.5n}$ without incurring any memory cost