Improved quantum circuits for elliptic curve discrete logarithms
We present improved quantum circuits for elliptic curve scalar
multiplication, the most costly component in Shor's algorithm to compute
discrete logarithms in elliptic curve groups. We optimize low-level components
such as reversible integer and modular arithmetic through windowing techniques
and more adaptive placement of uncomputing steps, and improve over previous
quantum circuits for modular inversion by reformulating the binary Euclidean
algorithm. Overall, we obtain an affine Weierstrass point addition circuit that
has lower depth and uses fewer gates than previous circuits. While previous
work mostly focuses on minimizing the total number of qubits, we present
various trade-offs between different cost metrics including the number of
qubits, circuit depth and -gate count. Finally, we provide a full
implementation of point addition in the Q# quantum programming language that
allows unit tests and automatic quantum resource estimation for all components.
Comment: 22 pages, to appear in: Int'l Conf. on Post-Quantum Cryptography
(PQCrypto 2020)
Quantum resource estimates for computing elliptic curve discrete logarithms
We give precise quantum resource estimates for Shor's algorithm to compute
discrete logarithms on elliptic curves over prime fields. The estimates are
derived from a simulation of a Toffoli gate network for controlled elliptic
curve point addition, implemented within the framework of the quantum computing
software tool suite LIQUi|⟩. We determine circuit implementations for
reversible modular arithmetic, including modular addition, multiplication and
inversion, as well as reversible elliptic curve point addition. We conclude
that elliptic curve discrete logarithms on an elliptic curve defined over an
-bit prime field can be computed on a quantum computer with at most qubits using a quantum circuit of at most Toffoli gates. We are able to classically simulate the
Toffoli networks corresponding to the controlled elliptic curve point addition
as the core piece of Shor's algorithm for the NIST standard curves P-192,
P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to
recent resource estimates for Shor's factoring algorithm. The results also
support estimates given earlier by Proos and Zalka and indicate that, for
current parameters at comparable classical security levels, the number of
qubits required to tackle elliptic curves is less than for attacking RSA,
suggesting that indeed ECC is an easier target than RSA.
Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added.
ASIACRYPT 201
Generalized Matsui Algorithm 1 with application for the full DES
In this paper we introduce the strictly zero-correlation attack. We extend the work of Ashur and Posteuca in BalkanCryptSec 2018 and build 0-correlation key-dependent linear trails covering the full DES. We show how this approximation can be used for a key recovery attack and empirically verify our claims through a series of experiments. To the best of our knowledge, this paper is the first to use this kind of property to leverage a meaningful attack against a symmetric-key algorithm.
A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations
The log-likelihood ratio (LLR) and the chi-squared distribution based test statistics have been proposed in the literature for
performing statistical analysis of key recovery attacks on block ciphers. A limitation of the LLR test statistic is that its
application requires the full knowledge of the corresponding distribution. Previous work using the chi-squared approach required
approximating the distribution of the relevant test statistic by chi-squared and normal distributions. Problematic issues
regarding such approximations have been reported in the literature.
Perhaps more importantly, both the LLR and the chi-squared based methods are applicable only if the success probability is
greater than 0.5. On the other hand, an attack with success probability less than 0.5 is also of considerable interest.
This work proposes a new test statistic for key recovery attacks which has the following features.
Its application does not require the full knowledge of the underlying distribution; it is possible to carry out an analysis using this
test statistic without using any approximations; the method applies for all values of the success probability.
The statistical analysis of the new test statistic follows the hypothesis testing framework and uses Hoeffding's inequalities to
bound the probabilities of Type-I and Type-II errors.
A General Framework for the Related-key Linear Attack against Block Ciphers with Linear Key Schedules
We present a general framework for the related-key linear attack that can be applied to iterative block ciphers with linear key schedules.
The attack utilizes a newly introduced related-key linear approximation that is obtained directly from a linear trail.
The attack makes use of known related-key data consisting of triplets of a plaintext, a ciphertext, and a key difference such that the ciphertext is the encrypted value of the plaintext under the key that is the xor of the key to be recovered and the specified key difference.
If such a block cipher has a linear trail with linear correlation ε, it admits attacks with related-key data of size ε^{-2}, just as in the case of classical Matsui's Algorithms.
But since the attack makes use of related-key data, the attacker can use a linear trail with squared correlation less than 2^{-n}, n being the block size, in case the key size is larger than n.
Moreover, the standard key hypotheses seem to be appropriate even when the trail is not dominant as validated by experiments.
The attack can be applied in two ways.
First, using a linear trail with squared correlation smaller than 2^{-n}, one can get an effective attack covering more rounds than existing attacks against some ciphers, such as Simon48/96, Simon64/128 and Simon128/256.
Secondly, using a trail with large squared correlation, one can use related-key data for key recovery even when the data is not suitable for existing linear attacks.