61 research outputs found

    Improved Quantum Algorithms for the k-XOR Problem

    Get PDF
    The k-XOR problem can be generically formulated as the following: given many n-bit strings generated uniformly at random, find k distinct of them which XOR to zero. This generalizes collision search (two equal elements) to a k-tuple of inputs. This problem has become ubiquitous in cryptanalytic algorithms, including variants in which the XOR operation is replaced by a modular addition (kk-SUM) or other non-commutative operations (e.g., the composition of permutations). The case where a single solution exists on average is of special importance. At EUROCRYPT 2020, Naya-Plasencia and Schrottenloher defined a class of ``quantum merging algorithms\u27\u27 for the k-XOR problem, obtained by combining quantum search. They represented these algorithms by a set of ``merging trees\u27\u27 and obtained the best ones through linear optimization of their parameters. In this paper, we give a simplified representation of merging trees that makes their analysis easier. We give better quantum algorithms for the Single-solution k-XOR problem by relaxing one of the previous constraints, and making use of quantum walks. Our algorithms subsume or improve over all previous quantum algorithms for Single-solution k-XOR. For example, we give an algorithm for 4-XOR (or 4-SUM) in quantum time O~(27n/24)\widetilde{\mathcal{O}}(2^{7n/24})

    Recherche de collisions et cryptanalyse symétrique quantique

    Get PDF
    National audienceDepuis la découverte décisive de l'algorithme de Shor ([Sho94]), le monde de la cryptographie s'est intéressé de prÚs aux capacités d'un éventuel ordinateur quantique, dont l'émergence mettrait à bas la plupart des primitives asymétriques utilisées aujourd'hui. La situation en cryptographie symétrique est plus ambiguë : la croyance générale veut qu'un doublement de la taille des clés suffise à protéger les systÚmes actuels. En effet, l'algorithme de Grover ([Gro96]) promet une accélération quadratique de tout type de recherche exhaustive. Cependant, de récents travaux ont appelé à discuter de cette affirmation péremptoire ([Kap+16a]). Mon stage s'inscrit dans la continuité de ces travaux

    Algorithmes quantiques pour la cryptanalyse et cryptographie symétrique post-quantique

    Get PDF
    Modern cryptography relies on the notion of computational security. The level of security given by a cryptosystem is expressed as an amount of computational resources required to break it. The goal of cryptanalysis is to find attacks, that is, algorithms with lower complexities than the conjectural bounds.With the advent of quantum computing devices, these levels of security have to be updated to take a whole new notion of algorithms into account. At the same time, cryptography is becoming widely used in small devices (smart cards, sensors), with new cost constraints.In this thesis, we study the security of secret-key cryptosystems against quantum adversaries.We first build new quantum algorithms for k-list (k-XOR or k-SUM) problems, by composing exhaustive search procedures. Next, we present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the lightweight algorithms Spook and Gimli and we perform the first quantum security analysis of the standard cipher AES.Finally, we specify Saturnin, a family of lightweight cryptosystems oriented towards post-quantum security. Thanks to a very similar structure, its security relies largely on the analysis of AES.La cryptographie moderne est fondĂ©e sur la notion de sĂ©curitĂ© computationnelle. Les niveaux de sĂ©curitĂ© attendus des cryptosystĂšmes sont exprimĂ©s en nombre d'opĂ©rations ; une attaque est un algorithme d'une complexitĂ© infĂ©rieure Ă  la borne attendue. Mais ces niveaux de sĂ©curitĂ© doivent aujourd'hui prendre en compte une nouvelle notion d'algorithme : le paradigme du calcul quantique. Dans le mĂȘme temps,la dĂ©lĂ©gation grandissante du chiffrement Ă  des puces RFID, objets connectĂ©s ou matĂ©riels embarquĂ©s pose de nouvelles contraintes de coĂ»t.Dans cette thĂšse, nous Ă©tudions la sĂ©curitĂ© des cryptosystĂšmes Ă  clĂ© secrĂšte face Ă  un adversaire quantique.Nous introduisons tout d'abord de nouveaux algorithmes quantiques pour les problĂšmes gĂ©nĂ©riques de k-listes (k-XOR ou k-SUM), construits en composant des procĂ©dures de recherche exhaustive.Nous prĂ©sentons ensuite des rĂ©sultats de cryptanalyse dĂ©diĂ©e, en commençant par un nouvel outil de cryptanalyse quantique, l'algorithme de Simon hors-ligne. Nous dĂ©crivons de nouvelles attaques contre les algorithmes Spook et Gimli et nous effectuons la premiĂšre Ă©tude de sĂ©curitĂ© quantique du chiffrement AES. Dans un troisiĂšme temps, nous spĂ©cifions Saturnin, une famille de cryptosystĂšmes Ă  bas coĂ»t orientĂ©s vers la sĂ©curitĂ© post-quantique. La structure de Saturnin est proche de celle de l'AES et sa sĂ©curitĂ© en tire largement parti

    Universal Horn Sentences and the Joint Embedding Property

    Get PDF
    The finite models of a universal sentence Ί\Phi in a finite relational signature are the age of a structure if and only if Ί\Phi has the joint embedding property. We prove that the computational problem whether a given universal sentence Ί\Phi has the joint embedding property is undecidable, even if Ί\Phi is additionally Horn and the signature of Ί\Phi only contains relation symbols of arity at most two.Comment: 16 page

    Quantum Linear Key-recovery Attacks Using the QFT

    Get PDF
    The Quantum Fourier Transform is a fundamental tool in quantum cryptanalysis. In symmetric cryptanalysis, hidden shift algorithms such as Simon\u27s (FOCS 1994), which rely on the QFT, have been used to obtain structural attacks on some very specific block ciphers. The Fourier Transform is also used in classical cryptanalysis, for example in FFT-based linear key-recovery attacks introduced by Collard et al. (ICISC 2007). Whether such techniques can be adapted to the quantum setting has remained so far an open question. In this paper, we introduce a new framework for quantum linear key-recovery attacks using the QFT. These attacks loosely follow the classical method of Collard et al., in that they rely on the fast computation of a ``correlation state\u27\u27 in which experimental correlations, rather than being directly accessible, are encoded in the amplitudes of a quantum state. The experimental correlation is a statistic that is expected to be higher for the good key, and on some conditions, the increased amplitude creates a speedup with respect to an exhaustive search of the key. The same method also yields a new family of structural attacks, and new examples of quantum speedups beyond quadratic using classical known-plaintext queries

    Cryptanalyse quantique de CSIDH

    Get PDF
    National audienc

    Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

    Get PDF
    The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations. In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash

    Quantum Security of the Legendre PRF

    Get PDF
    International audienceIn this paper, we study the security of the Legendre PRF against quantum attackers, given classical queries only, and without quantum random-access memories. We give two algorithms that recover the key of a shifted Legendre symbol with unknown shift, with a complexity smaller than the exhaustive search of the key. The first one is a quantum variant of the table-based collision algorithm. The second one is an offline variant of Kuperberg's abelian hidden shift algorithm. We note that the latter, although asymptotically promising, is not currently the most efficient against practical parameters

    Improved Classical and Quantum Algorithms for Subset-Sum

    Get PDF
    We present new classical and quantum algorithms for solving random subset-sum instances. First, we improve over the Becker-Coron-Joux algorithm (EUROCRYPT 2011) from O~(20.291n)\tilde{\mathcal{O}}(2^{0.291 n}) downto O~(20.283n)\tilde{\mathcal{O}}(2^{0.283 n}), using more general representations with values in {−1,0,1,2}\{-1,0,1,2\}. Next, we improve the state of the art of quantum algorithms for this problem in several directions. By combining the Howgrave-Graham-Joux algorithm (EUROCRYPT 2010) and quantum search, we devise an algorithm with asymptotic cost O~(20.236n)\tilde{\mathcal{O}}(2^{0.236 n}), lower than the cost of the quantum walk based on the same classical algorithm proposed by Bernstein, Jeffery, Lange and Meurer (PQCRYPTO 2013). This algorithm has the advantage of using \emph{classical} memory with quantum random access, while the previously known algorithms used the quantum walk framework, and required \emph{quantum} memory with quantum random access. We also propose new quantum walks for subset-sum, performing better than the previous best time complexity of O~(20.226n)\tilde{\mathcal{O}}(2^{0.226 n}) given by Helm and May (TQC 2018). We combine our new techniques to reach a time O~(20.216n)\tilde{\mathcal{O}}(2^{0.216 n}). This time is dependent on a heuristic on quantum walk updates, formalized by Helm and May, that is also required by the previous algorithms. We show how to partially overcome this heuristic, and we obtain an algorithm with quantum time O~(20.218n)\tilde{\mathcal{O}}(2^{0.218 n}) requiring only the standard classical subset-sum heuristics

    Improved quantum algorithms for the k-XOR problem

    Get PDF
    The k-XOR problem can be generically formulated as the following: given many n-bit strings generated uniformly at random, find k distinct of them which XOR to zero. This generalizes collision search (two equal elements) to a k-tuple of inputs. This problem has become ubiquitous in cryptanalytic algorithms, including variants in which the XOR operation is replaced by a modular addition (k-SUM) or other non-commutative operations (e.g., the composition of permutations). The case where a single solution exists on average is of special importance. At EUROCRYPT 2020, Naya-Plasencia and Schrottenloher defined a class of quantum merging algorithms for the k-XOR problem, obtained by combining quantum search. They represented these algorithms by a set of merging trees and obtained the best ones through linear optimization of their parameters. In this paper, we give a simplified representation of merging trees that makes their analysis easier. We give better quantum algorithms for the Single-solution k-XOR problem by relaxing one of the previous constraints, and making use of quantum walks. Our algorithms subsume or improve over all previous quantum algorithms for Single-solution k-XOR. For example, we give an algorithm for 4-XOR (or 4-SUM) in quantum time O~ (2 7n/24)
    • 

    corecore