Sahiba Suryawanshi,Shibam Ghosh,Dhiman Saha,Prathamesh Ram

DOI: https://doi.org/10.1007/s10623-024-01502-x

IF: 1.4

2024-11-03

Designs Codes and Cryptography

Abstract:Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3 , constituting one of the best distinguishers on the latest cryptographic hash standard. exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in AFRICACRYPT 2020, Suryawanshi et al. extended using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak . However, a major limitation of is the maximum attainable derivative ( MAD ) of the polynomial representation, which is less than half of the widely studied ZeroSum distinguisher. This is attributed to being dependent on k -fold vectorial derivatives while ZeroSum relies on k -fold simple derivatives. In this work we overcome this limitation of by developing and validating the theory of computing with simple derivatives. This gives us a close to improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid and also furnishes an algebraic fix at the cost of some additional constraints. Combining all the results we report , a new variant of the distinguisher based on k -fold simple derivatives that outperforms ZeroSum by a factor of for round SHA3-384 and 9-round SHA3-512 respectively while enjoying the same MAD as ZeroSum . For every other SHA-3 variant, maintains an advantage of factor 2 over the ZeroSum . Combined with 1/2-round linearization, improves upon all existing ZeroSum and distinguishers on both SHA-3 and Xoodyak . As regards Keccak , the internal permutation of SHA-3 , we report the best 15-round distinguisher with a complexity of and the first better than birthday-bound 16-round distinguisher with a complexity of (improving upon the 15/16-round results by Guo et al. in ASIACRYPT 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of and furnish the first third-party distinguishers on the Belarushian-standard hash function Bash . All distinguishers presented in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomnes -Abstract Truncated-

mathematics, applied,computer science, theory & methods

Senyang Huang,Xiaoyun Wang,Guangwu Xu,Meiqin Wang,Jingyuan Zhao

DOI: https://doi.org/10.1587/transfun.e102.a.242

2018-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to distinguishing Keccak sponge function from random permutation. In EUROCRYPT'17, Huang et al. proposed conditional cube tester to recover the key of Keccak-MAC and Keyak and to construct practical distinguishing attacks on Keccak sponge function up to 7 rounds. In this paper, we improve the conditional cube tester model by refining the formulation of cube variables. By classifying cube variables into three different types and working the candidates of these types of cube variable carefully, we are able to establish a new theoretical distinguisher on 8-round Keccak sponge function. Our result is more efficient and greatly improves the existing results. Finally we remark that our distinguishing attack on the the reduced-round Keccak will not threat the security margin of the Keccak sponge function.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/s00145-021-09383-2

2021-01-01

Journal of Cryptology

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 842-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack mounting to 893 rounds.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-45721-1_17

2020-01-01

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e97.a.177

2013-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper presents differential-based distinguishers against double-branch compression functions and applies them to ISO standard hash functions RIPEMD-128 and RIPEMD-160. A double-branch compression function computes two branch functions to update a chaining variable and then merges their outputs. For such a compression function, we observe that second-order differential paths will be constructed by finding a sub-path in each branch independently. This leads to 4-sum attacks on 47 steps (out of 64 steps) of RIPEMD-128 and 40 steps (out of 80 steps) of RIPEMD-160. Then new properties called a (partial) 2-dimension sum and a q-multi-second-order collision are considered. The partial 2-dimension sum is generated on 48 steps of RIPEMD-128 and 42 steps of RIPEMD-160, with complexities of 2(35) and 2(36), respectively. Theoretically, the 2-dimension sum is generated faster than the brute force attack up to 52 steps of RIPEMD-128 and 51 steps of RIPEMD-160, with complexities of 2101 and 2(158), respectively. The results on RIPEMD-128 can also be viewed as q-multi-second-order collision attacks. The practical attacks have been implemented and examples are presented. We stress that our results do not impact to the security of full RIPEMD-128 and RIPEMD-160 hash functions.

Senyang Huang,Xiaoyun Wang,Guangwu Xu,Meiqin Wang,Jingyuan Zhao

DOI: https://doi.org/10.1007/978-3-319-56614-6_9

2017-01-01

Abstract:The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT'15 where cube attacks and cube-attack-like cryptanalysis have been applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known attacks in key recovery in terms of the number of rounds or the complexity. Moreover, our new model can also be applied to keyless setting to distinguish Keccak sponge function from random permutation. We provide a searching algorithm to produce the most efficient conditional cube tester by modeling it as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on Keccak sponge function significantly. Most of our attacks have been implemented and verified by desktop computers. Finally we remark that our attacks on the reduced-round Keccak will not threat the security margin of Keccak sponge function.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-31284-7_17

2012-01-01

Abstract:This paper presents differential-based distinguishers against ISO standard hash functions RIPEMD-128 and RIPEMD-160. Second-order differential paths are constructed on reduced steps of their compression functions. These lead to 4-sum attacks on 47 steps (out of 64 steps) of RIPEMD-128 and 40 steps (out of 80 steps) of RIPEMD-160. Then new properties called a (partial) 2-dimension sum and q-multi-second-order collision are considered. The partial 2-dimension sum is generated on 48 steps of RIPEMD-128 and 42 steps of RIPEMD-160, with a complexity of 235 and 236, respectively. Theoretically, 2-dimension sums are generated faster than the brute force attack up to 52 steps of RIPEMD-128 and 51 steps of RIPEMD-160, with a complexity of 2101 and 2158, respectively. The attacks on RIPEMD-128 can also be regarded as q-multi-second-order collision attacks. The practical attacks are implemented and generated examples are presented. We stress that our results do not impact to the security of full RIPEMD-128 and RIPEMD-160 hash functions.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).

Zejun Xiang,Wentao Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-44524-3_9

2016-01-01

Abstract:SIMON is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. Due to its novel and bit-based design, integral cryptanalysis on SIMON seems a tough job. At EUROCRYPT 2015 Todo proposed division property which is a generalized integral property, and he applied this technique to searching integral distinguishers of SIMON block ciphers by considering the left and right halves of SIMON independently. As a result, he found 11-round integral distinguishers for both SIMON48 and SIMON64. Recently, at FSE 2016 Todo et al. proposed bit-based division property that considered each bit independently. This technique can find more accurate distinguishers, however, as pointed out by Todo et al. the time and memory complexity is bounded by 2(n) for an n-bit block cipher. Thus, bit-based division property is only applicable to SIMON32.In this paper we propose a new technique that achieves a trade-off between considering each bit independently and considering left and right halves as a whole, which is actually a trade-off between time-memory and the accuracy of the distinguishers. We proceed by splitting the state of SIMON into small pieces and study the division property propagations of circular shift and bitwise AND operations under the state partition. Moreover, we propose two different state partitions and study the influences of different partitions on the propagation of division property. We find that different partitions greatly impact the division property propagation of circular shift which will finally result in a big difference on the length of integral distinguishers. By using a tailored search algorithm for SIMON, we find 12-round integral distinguishers for Simon48 and Simon64 respectively, which improve Todo's results by one round for both variants.

Huan Zhou,Xiaoni Du,Xingbin Qiao,Wenping Yuan

2024-09-19

Abstract:Feistel Boomerang Connectivity Table (FBCT) is an important cryptanalytic technique on analysing the resistance of the Feistel network-based ciphers to power attacks such as differential and boomerang attacks. Moreover, the coefficients of FBCT are closely related to the second-order zero differential spectra of the function $F(x)$ over the finite fields with even characteristic and the Feistel boomerang uniformity is the second-order zero differential uniformity of $F(x)$. In this paper, by computing the number of solutions of specific equations over finite fields, we determine explicitly the second-order zero differential spectra of power functions $x^{2^m+3}$ and $x^{2^m+5}$ with $m>2$ being a positive integer over finite field with even characteristic, and $x^{p^k+1}$ with integer $k\geq1$ over finite field with odd characteristic $p$. It is worth noting that $x^{2^m+3}$ is a permutation over $\mathbb{F}_{2^n}$ and only when $m$ is odd, $x^{2^m+5}$ is a permutation over $\mathbb{F}_{2^n}$, where integer $n=2m$. As a byproduct, we find $F(x)=x^4$ is a PN and second-order zero differentially $0$-uniform function over $\mathbb{F}_{3^n}$ with odd $n$. The computation of these entries and the cardinalities in each table aimed to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.

Cryptography and Security,Information Theory

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Guangqiu Lv,Chenhui Jin,Zhen Shi,Ting Cui

DOI: https://doi.org/10.1007/s11227-024-06375-4

IF: 3.3

2024-10-05

The Journal of Supercomputing

Abstract:At CRYPTO 2019, Gohr first proposed neural distinguishers (NDs) on SPECK32, which are superior to the distinguishers based on the differential distribution table (DDT). Benamira et al. noted that NDs rely on the differential distribution of the last three rounds, and Bao et al. pointed out that NDs depend on the strong correlations between the bit values of ciphertext pairs satisfying the expected differential. Hence, one may guess that there exist deep relations between NDs and the differential-linear imbalances. To approximate NDs under a single ciphertext pair, we utilize differential-linear imbalances to construct simplified distinguishers. These newly constructed distinguishers offer comparable distinguishing advantages to that of NDs but with reduced time complexities. For instance, one such simplified distinguisher has only of the original time complexity of NDs. Our experiments demonstrate that these new distinguishers achieve a matching rate of 98.2% for 5-round SPECK32 under a single ciphertext pair. Furthermore, we achieve the highest accuracies for 7-round and 8-round SPECK32 up to date by using a maximum of 512 ciphertext pairs. Finally, by replacing NDs with simplified distinguishers, we significantly reduce the time complexities of differential-neural attacks on 11–14 rounds of SPECK32.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Guozhen Liu,Weidong Qiu,Yi Tu

DOI: https://doi.org/10.13154/tosc.v2019.i4.407-437

2020-01-01

Abstract:Keccak-f is the permutation used in the NIST SHA-3 hash function standard. Inspired by the previous exhaustive differential trail search methods by Mella et al. at ToSC 2017, we introduce in this paper new algorithms to cover 3-round trail cores with propagation weight at least 53, up from the previous best weight 45. To achieve the goal, the concept of ideal improvement assumption is proposed to construct theoretical representative of subspaces so as to efficiently cover the search space of 3-round trail cores with at least one out-Kernel α state. Of particular note is that the exhaustiveness in 3-round trail core search of at least one out-Kernel α is only experimentally verified. With the knowledge of all 3-round trail cores of weight up to 53, lower bounds on 4/5/6-round trails are tightened to 56/58/108, from the previous 48/50/92, respectively.

Kai Hu,Siwei Sun,Meiqin Wang,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_15

2020-01-01

Abstract:Since it was proposed in 2015 as a generalization of integral properties, the division property has evolved into a powerful tool for probing the structures of Boolean functions whose algebraic normal forms are not available. We capture the most essential elements for the detection of division properties from a pure algebraic perspective, proposing a technique named as monomial prediction , which can be employed to determine the presence or absence of a monomial in any product of the coordinate functions of a vectorial Boolean function f by counting the number of the so-called monomial trails across a sequence of simpler functions whose composition is f . Under the framework of the monomial prediction, we formally prove that most algorithms for detecting division properties in literature raise no false alarms but may miss. We also establish the equivalence between the monomial prediction and the three-subset bit-based division property without unknown subset presented at EUROCRYPT 2020, and show that these two techniques are perfectly accurate. The monomial prediction technique can be regarded as a purification of the definitions of the division properties without resorting to external multisets. This algebraic formulation gives more insights into division properties and inspires new search strategies. With the monomial prediction, we obtain the exact algebraic degrees of Trivium up to 834 rounds for the first time. In the context of cube attacks, we are able to explore a larger search space in limited time and recover the exact algebraic normal forms of complex superpolies with the help of a divide-and-conquer strategy. As a result, we identify more cubes with smaller dimensions, leading to improvements of some near-optimal attacks against 840-, 841- and 842-round Trivium.

Celine Blondeau,Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-47989-6_22

2015-01-01

Abstract:In this article, we analyse the known-key security of the standardized PRESENT lightweight block cipher. Namely, we propose a known-key distinguisher on the full PRESENT, both 80- and 128-bit key versions. We first leverage the very latest advances in differential cryptanalysis on PRESENT, which are as strong as the best linear cryptanalysis in terms of number of attacked rounds. Differential properties are much easier to handle for a known-key distinguisher than linear properties, and we use a bias on the number of collisions on some predetermined input/output bits as distinguishing property. In order to reach the full PRESENT, we eventually introduce a new meet-in-the-middle layer to propagate the differential properties as far as possible. Our techniques have been implemented and verified on the small scale variant of PRESENT. While the known-key security model is very generous with the attacker, it makes sense in practice since PRESENT has been proposed as basic building block to design lightweight hash functions, where no secret is manipulated. Our distinguisher can for example apply to the compression function obtained by placing PRESENT in a Davies-Meyer mode. We emphasize that this is the very first attack that can reach the full number of rounds of the PRESENT block cipher.

Huiqin Xie,Li Yang

DOI: https://doi.org/10.48550/arXiv.1712.06997

2018-07-23

Abstract:Traditional cryptography is suffering a huge threat from the development of quantum computing. While many currently used public-key cryptosystems would be broken by Shor's algorithm, the effect of quantum computing on symmetric ones is still unclear. The security of symmetric ciphers relies heavily on the development of cryptanalytic tools. Thus, in order to accurately evaluate the security of symmetric primitives in the post-quantum world, it is significant to improve classical cryptanalytic methods using quantum algorithms. In this paper, we focus on two variants of differential cryptanalysis: truncated differential cryptanalysis and impossible differential cryptanalysis. Based on the fact that Bernstein-Vazirani algorithm can be used to find the linear structures of Boolean functions, we propose two quantum algorithms that can be used to find high-probability truncated differentials and impossible differentials of block ciphers, respectively. We rigorously prove the validity of the algorithms and analyze their complexity. Our algorithms treat all rounds of the reduced cipher as a whole and only concerns the input and output differences at its both ends, instead of specific differential characteristics. Therefore, to a certain extent, they alleviate the weakness of conventional differential cryptanalysis, namely the difficulties in finding differential characteristics as the number of rounds increases.

Quantum Physics,Cryptography and Security

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Huiqin Xie,Li Yang

DOI: https://doi.org/10.3390/sym16091124

2024-09-03

Symmetry

Abstract:In order to design quantum-safe block ciphers, it is crucial to investigate the application of quantum algorithms to cryptographic analysis tools. In this study, we use the Bernstein–Vazirani algorithm to enhance truncated differential cryptanalysis and boomerang cryptanalysis. We first propose a quantum algorithm for finding truncated differentials, then rigorously prove that the output truncated differentials must have high differential probability for the vast majority of keys in the key space. Subsequently, based on this algorithm, we design a quantum algorithm for finding boomerang distinguishers. The quantum circuits of the two proposed quantum algorithms contain only polynomial quantum gates and qubits. Compared with classical tools for searching truncated differentials or boomerang distinguishers, the proposed algorithms can maintain the polynomial complexity while fully considering the impact of S-boxes and key scheduling.

multidisciplinary sciences