Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9468-y

2018-08-31

Science China Information Sciences

Abstract:Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover’s and Simon’s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover’s and Simon’s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require 20.25nr−0.75n quantum queries to break an r-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of 20.75n. When compared with the best classical attacks, i.e., Dinur et al.’s attacks at CRYPTO 2015, the time complexity is reduced by a factor of 20.5n without incurring any memory cost.

computer science, information systems,engineering, electrical & electronic

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Qiqing Xia,Qianru Zhu,Huiqin Xie,Li Yang

2024-05-11

Abstract:Many quantum algorithms for attacking symmetric cryptography involve the rank problem of quantum linear equations. In this paper, we first propose two quantum algorithms for solving quantum linear systems of equations with coherent superposition and construct their specific quantum circuits. Unlike previous related works, our quantum algorithms are universal. Specifically, the two quantum algorithms can both compute the rank and general solution by one measurement. The difference between them is whether the data register containing the quantum coefficient matrix can be disentangled with other registers and keep the data qubits unchanged. On this basis, we apply the two quantum algorithms as a subroutine to parallel Simon's algorithm (with multiple periods), Grover Meets Simon algorithm, and Alg-PolyQ2 algorithm, respectively. Afterwards, we construct a quantum classifier within Grover Meets Simon algorithm and the test oracle within Alg-PolyQ2 algorithm in detail, including their respective quantum circuits. To our knowledge, no such specific analysis has been done before. We rigorously analyze the success probability of those algorithms to ensure that the success probability based on the proposed quantum algorithms will not be lower than that of those original algorithms. Finally, we discuss the lower bound of the number of CNOT gates for solving quantum linear systems of equations with coherent superposition, and our quantum algorithms reach the optimum in terms of minimizing the number of CNOT gates. Furthermore, our analysis indicates that the proposed algorithms are mainly suitable for conducting attacks against lightweight symmetric ciphers, within the effective working time of an ion trap quantum computer.

Quantum Physics

DOI: https://doi.org/10.1007/s11128-024-04424-8

IF: 1.965

2024-06-15

Quantum Information Processing

Abstract:Quantum computing has made many important achievements in the field of cryptanalysis. However, due to the limitations of current physical system and technology, the realization of large-scale universal quantum computers is a long way off. Currently, small-scale quantum computers are easier to implement than large-scale universal quantum computers. Distributed quantum computing proposes an implementation architecture, which attempts to break down large-scale tasks into many sub-tasks distributed across multiple small-scale quantum computers. How to use small-scale quantum computers with fewer qubits and shallower quantum depths to complete large-scale tasks and improve the success rate of attacking symmetric cryptosystems is our concern. In this paper, we propose a distributed exact Simon's algorithm, apply it to achieve quantum key recovery attacks on single-permutation-based pseudorandom cryptographic schemes with classical birthday bound security, and estimate the quantum resources of quantum circuits. Furthermore, we combine distributed exact Grover's algorithm and distributed exact Simon's algorithm to achieve quantum key recovery attacks on two-permutation-based pseudorandom cryptographic schemes with classical beyond birthday bound security and estimate the corresponding quantum resources. Our results show that (1) our algorithms are exact which means that the theoretical success probability of attacking pseudorandom cryptographic schemes is 100%; (2) the depth of circuit is in polynomial time which means that the theoretical depth of attacking symmetric cryptosystems is exponentially accelerated relative to the previous results; (3) the qubits of circuit don't increase significantly. Our work is of great importance. It could lead to the rapid realization of effective quantum attacks against symmetric cryptosystems on small-scale quantum computers.

physics, multidisciplinary,quantum science & technology, mathematical

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1007/s11128-023-03877-7

2023-09-24

Abstract:Exploiting quantum mechanisms, quantum attacks have the potential ability to break the cipher structure. Recently, Ito et al. proposed a quantum attack on Feistel-2* structure (Ito et al.'s attack) based onthe Q2 model. However, it is not realistic since the quantum oracle needs to be accessed by the adversary, and the data complexityis high. To solve this problem, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw-finding is proposed, which takes a more realistic model, the Q1 model, as the scenario, and only requires 3 plain-ciphertext pairs to quickly crack the 6-round Feistel-2* structure. First, we proposed a multi-equations quantum claw-finding algorithm to solve the claw problem of finding multiple equations. In addition, Grover's algorithm is used to speedup the rest subkeys recovery. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time complexity and memory complexity are also significantly reduced.

Quantum Physics,Cryptography and Security,Emerging Technologies

Qianru Zhu,Huiqin Xie,Qiqing Xia,Li Yang

DOI: https://doi.org/10.48550/arXiv.2301.06706

2023-01-17

Quantum Physics

Abstract:Quantum algorithm is a key tool for cryptanalysis. At present, people are committed to building powerful quantum algorithms and tapping the potential of quantum algorithms, so as to further analyze the security of cryptographic algorithms under quantum computing. Recombining classical quantum algorithms is one of the current ideas to construct quantum algorithms. However, they cannot be easily combined, the feasibility of quantum algorithms needs further analysis in quantum environment. This paper reanalyzes the existing combined algorithm Grover-meets-Simon algorithm in terms of the principle of deferred measurement. First of all, due to the collapse problem caused by the measurement, we negate the measurement process of Simon's algorithm during the process of the Grover-meets-Simon algorithm. Second, since the output of the unmeasured Simon algorithm is quantum linear systems of equations, we discuss the solution of quantum linear systems of equations and find it feasible to consider the deferred measurement of the parallel Simon algorithm alone. Finally, since the Grover-meets-Simon algorithm involves an iterative problem, we reconsider the feasibility of the algorithm when placing multiple measurements at the end. According to the maximum probability of success and query times, we get that the Grover-meets-Simon algorithm is not an effective attack algorithm when putting the measurement process of the Simon algorithm in the iterative process at the end of Grover-meets-Simon algorithm.

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Tairong Shi,Wenling Wu,Bin Hu,Jie Guan,Han Sui,Senpeng Wang,Mengyuan Zhang

DOI: https://doi.org/10.1109/tifs.2024.3402970

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:A lot of work in the field of quantum cryptanalysis is currently devoted to finding applications of Grover-meets-Simon algorithm and its complexity is given in the form of , but research on how to implement the attack efficiently is still insufficient. After all, it is crucial to study quantum attacks in resource-limited situations, according to NIST's guidance on circuit depth. This work first evaluates the parallelization of Grover-meets-Simon by drawing on the Grover's parallel approach and shows that as the width increases by , the depth decreases by a factor of . Further, the first dedicated quantum attack on a class of functions that appear in cryptographic scheme applications (so-called XOR-type function) is proposed. The depth, width, and the number of gates required for the attack are greatly reduced compared to the general parallelization. Then we apply the attack to various Beyond-Birthday-Bound (BBB) MACs, where the XOR function can be constructed, including SUM-ECBC and its variants (2K-SUM-ECBC, 2K-ECBC_Plus), and GCM-SIV2. In the typical case where SUM-ECBC is based on AES-128, our attack saves at least 62.3% in depth, 19.5% in width and 22.2% in gate count simultaneously. The impact on some lightweight ciphers is further explored, and it is interesting to note that the lighter the quantum circuit implementation of the cipher is, the greater the possible impact of an attack will be. This observation may provide new insights into quantum cryptanalysis.

computer science, theory & methods,engineering, electrical & electronic

Bin-Bin Cai,Yusen Wu,Jing Dong,Su-Juan Qin,Fei Gao,Qiao-Yan Wen

DOI: https://doi.org/10.1093/comjnl/bxab216

2022-02-01

The Computer Journal

Abstract:Abstract By introducing the BHT algorithm into the slide attack on 1K-AES and the related-key attack on PRINCE, we present the corresponding quantum attacks in this paper. In the proposed quantum attacks, we generalize the BHT algorithm to the situation where the number of marked items is unknown ahead of time. Moreover, we give an implementation scheme of classifier oracle based on Quantum Phase Estimation algorithm in presented quantum attacks. The complexity analysis shows that the query complexity, time complexity and memory complexity of the presented quantum attacks are all $\mathcal{O}(2^{n/3})$ when the success probability is about $63\%$, where $n$ is the block size. Compared with the corresponding classical attacks, the proposed quantum attacks can achieve subquadratic speed-up under the same success probability no matter on query complexity, time complexity or memory complexity. Furthermore, the query complexity of the proposed quantum slide attack on 1K-AES is less than Grover search on 1K-AES by a factor of $2^{n/6}.$ When compared with the Grover search on PRINCE, the query complexity of the presented quantum attack on PRINCE is reduced from $\mathcal{O}(2^{n})$ to $\mathcal{O}(2^{n/2}).$ When compared with the combination of Grover and Simon’s algorithms on PRINCE, the query complexity of our quantum attack on PRINCE is reduced from $\mathcal{O}(n\cdot 2^{n/2})$ to $\mathcal{O}(2^{n/2}).$ Besides, the proposed quantum slide attack on 1K-AES indicates that the quantum slide attack could also be applied on Substitution-Permutation Network construction, apart from the iterated Even-Mansour cipher and Feistel constructions.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yinsong Xu,Wenjie Liu,Wenbin Yu

DOI: https://doi.org/10.1007/s11128-021-03036-w

2023-09-23

Abstract:The classic forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms need to query about 2^(n/2) times, and their success probability is not high. To solve this problem, the corresponding quantum forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA, we use Simon's algorithm to find the period of the tag generation function in COPA and AES-COPA by querying in superposition, and then generate a forged tag for a new message. In the quantum forgery attack on Marble, Simon's algorithm is used to recover the secret parameter L, and the forged tag can be computed with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve success probability close to 100%.

Quantum Physics,Cryptography and Security,Emerging Technologies

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Ying Xu,Xiaoni Du,Meichun Jia,Xiangyu Wang,Jian Zou

DOI: https://doi.org/10.1007/s11128-023-04135-6

IF: 1.965

2023-10-16

Quantum Information Processing

Abstract:Generalized Feistel networks are important components of symmetric ciphers, and detailed security evaluations in the quantum setting remain to be explored. In this paper, based on the strong–weak separability of certain branch output function, we present polynomial-time quantum distinguishers for 4F-function and 2F-function structures in quantum chosen-plaintext attack setting for the first time, and then quantum key-recovery attacks are achieved through Grover-meet-Simon algorithm, respectively. Under the condition of the semi-strong separability, firstly, we give a quantum distinguisher on 8-round 4F-function structure, from which we carry out a 12-round quantum key-recovery attack to guess 10 n -bit subkey, whose time complexities gain a factor of . When attacking rounds, we can recover -bit subkey in time . Secondly, we show a quantum distinguisher on 5-round 2F-function structure, and a 7-round quantum key-recovery attack is performed on it, which can recover 3 n -bit subkey in time . When , -bit subkey can be recovered with time complexities by a factor of . Furthermore, based on the weak separability, a 6-round quantum distinguisher for 2F-function structure is constructed, and an 8-round quantum key-recovery attack is achieved, and the time complexity is when . The results show that the time complexity of each attack scheme we proposed is much better than that of Grover's brute force search.

physics, multidisciplinary,quantum science & technology, mathematical

Yu-Ao Chen,Xiao-Shan Gao,Chun-Ming Yuan

DOI: https://doi.org/10.48550/arXiv.1802.03856

2018-10-07

Abstract:In this paper, we give quantum algorithms for two fundamental computation problems: solving polynomial systems over finite fields and optimization where the arguments of the objective function and constraints take values from a finite field or a bounded interval of integers. The quantum algorithms can solve these problems with any given success probability and have polynomial runtime complexities in the size of the input, the degree of the inequality constraints, and the condition number of certain matrices derived from the problem. So, we achieved exponential speedup for these problems when their condition numbers are small. As applications, quantum algorithms are given to three basic computational problems in cryptography: the polynomial system with noise problem, the short integer solution problem, the shortest vector problem, as well as the cryptanalysis for the lattice based NTRU cryptosystem. It is shown that these problems and NTRU can against quantum computer attacks only if their condition numbers are large, so the condition number could be used as a new criterion for the lattice based post-quantum cryptosystems.

Symbolic Computation,Computational Complexity,Cryptography and Security,Quantum Physics

P. Singkanipa,V. Kasatkin,Z. Zhou,G. Quiroz,D.A. Lidar

2024-08-24

Abstract:Simon's problem is to find a hidden period (a bitstring) encoded into an unknown $2$-to-$1$ function. It is one of the earliest problems for which an exponential quantum speedup was proven for ideal, noiseless quantum computers, albeit in the oracle model. Here, using two different $127$-qubit IBM Quantum superconducting processors, we demonstrate an algorithmic quantum speedup for a variant of Simon's problem where the hidden period has a restricted Hamming weight $w$. For sufficiently small values of $w$ and for circuits involving up to $58$ qubits, we demonstrate an exponential speedup, albeit of a lower quality than the speedup predicted for the noiseless algorithm. The speedup exponent and the range of $w$ values for which an exponential speedup exists are significantly enhanced when the computation is protected by dynamical decoupling. Further enhancement is achieved with measurement error mitigation. This constitutes a demonstration of a bona fide quantum advantage for an Abelian hidden subgroup problem.

Quantum Physics

Gorjan Alagic,Cristopher Moore,Alexander Russell

DOI: https://doi.org/10.48550/arXiv.quant-ph/0603251

2007-01-26

Abstract:Daniel Simon's 1994 discovery of an efficient quantum algorithm for solving the hidden subgroup problem (HSP) over Z_2^n provided one of the first algebraic problems for which quantum computers are exponentially faster than their classical counterparts. In this paper, we study the generalization of Simon's problem to arbitrary groups. Fixing a finite group G, this is the problem of recovering an involution m = (m_1, ..., m_n) in G^n from an oracle f with the property that f(x) = f(xy) iff y equals m or the identity. In the current parlance, this is the hidden subgroup problem (HSP) over groups of the form G^n, where G is a nonabelian group of constant size, and where the hidden subgroup is either trivial or has order two. Although groups of the form G^n have a simple product structure, they share important representation-theoretic properties with the symmetric groups S_n, where a solution to the HSP would yield a quantum algorithm for Graph Isomorphism. In particular, solving their HSP with the so-called ``standard method'' requires highly entangled measurements on the tensor product of many coset states. Here we give quantum algorithms with time complexity 2^O(sqrt(n log n)) that recover hidden involutions m = (m_1, ..., m_n) in G^n where, as in Simon's problem, each m_i is either the identity or the conjugate of a known element k, and there is a character X of G for which X(k) = -X(1)$. Our approach combines the general idea behind Kuperberg's sieve for dihedral groups with the ``missing harmonic'' approach of Moore and Russell. These are the first nontrivial hidden subgroup algorithms for group families that require highly entangled multiregister Fourier sampling.

Quantum Physics

Xiaoyang Dong,Zheng Li,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9436-7

2019-01-02

Science China Information Sciences

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For d-branch Type-1 GFS (CAST256-like Feistel structure), we introduce (2d - 1)-round quantum distinguishers with polynomial time. For 2d-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give (2d + 1)-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round 4-branch Type-1 GFS and 5-round 4-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon’s and Grover’s algorithms recently proposed by Leander and May. We denote n as the bit length of a branch. For (d2-d+2)-round Type-1 GFS with d branches, the time complexity is 2(12d2−32d+2)⋅n2$${2^{\left( {\frac{1}{2}{d^2} - \frac{3}{2}d + 2} \right) \cdot \frac{n}{2}}}$$, which is better than the quantum brute force search (Grover search) by a factor 2(14d2+14d)n$${2^{\left( {\frac{1}{4}{d^2} + \frac{1}{4}d} \right)n}}$$. For 4d-round Type-2 GFS with 2d branches, the time complexity is 2d2n2$${2^{\frac{{{d^2}n}}{2}}}$$, which is better than the quantum brute force search by a factor 23d2n2$${2^{\frac{{3{d^2}n}}{2}}}$$.

computer science, information systems,engineering, electrical & electronic

Sahay Harshvardhan,Sanil Jain,James E. McClure,Caleb McIrvin,Ngoc Quy Tran

2023-06-03

Abstract:The emergence of noisy intermediate-scale quantum (NISQ) computers has important consequences for cryptographic algorithms. It is theoretically well-established that key algorithms used in cybersecurity are vulnerable to quantum computers due to the fact that theoretical security guarantees, designed based on algorithmic complexity for classical computers, are not sufficient for quantum circuits. Many different quantum algorithms have been developed, which have potentially broad applications on future computing systems. However, this potential depends on the continued maturation of quantum hardware, which remains an area of active research and development. Theoretical limits provide an upper bound on the performance for algorithms. In practice, threats to encryption can only be accurately be assessed in the context of the rapidly evolving hardware and software landscape. Software co-design refers to the concurrent design of software and hardware as a way to understand the limitations of current capabilities and develop effective strategies to advance the state of the art. Since the capabilities for classical computation currently exceed quantum capabilities, quantum emulation techniques can play an important role in the co-design process. In this paper, we describe how the {\em cuQuantum} environment can support quantum algorithm co-design activities using widely-available commodity hardware. We describe how emulation techniques can be used to assess the impact of noise on algorithms of interest, and identify limitations associated with current hardware. We present our analysis in the context of areas of priority for cybersecurity and cryptography in particular since these algorithms are extraordinarily consequential for securing information in the digital world.

Cryptography and Security,Quantum Physics

Gregory D. Kahanamoku-Meyer

DOI: https://doi.org/10.22331/q-2023-09-11-1107

2023-09-06

Abstract:Recently, quantum computing experiments have for the first time exceeded the capability of classical computers to perform certain computations -- a milestone termed "quantum computational advantage." However, verifying the output of the quantum device in these experiments required extremely large classical computations. An exciting next step for demonstrating quantum capability would be to implement tests of quantum computational advantage with efficient classical verification, such that larger system sizes can be tested and verified. One of the first proposals for an efficiently-verifiable test of quantumness consists of hiding a secret classical bitstring inside a circuit of the class IQP, in such a way that samples from the circuit's output distribution are correlated with the secret (<a class="link-https" data-arxiv-id="0809.0847" href="https://arxiv.org/abs/0809.0847">arXiv:0809.0847</a>). The classical hardness of this protocol has been supported by evidence that directly simulating IQP circuits is hard, but the security of the protocol against other (non-simulating) classical attacks has remained an open question. In this work we demonstrate that the protocol is not secure against classical forgery. We describe a classical algorithm that can not only convince the verifier that the (classical) prover is quantum, but can in fact can extract the secret key underlying a given protocol instance. Furthermore, we show that the key extraction algorithm is efficient in practice for problem sizes of hundreds of qubits. Finally, we provide an implementation of the algorithm, and give the secret vector underlying the "$25 challenge" posted online by the authors of the original paper.

Quantum Physics,Cryptography and Security

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1142/s021773232350092x

2023-10-01

Abstract:Classical forgery attacks against Offset Two-round (OTR) structures require some harsh conditions, such as some plaintext and ciphertext pairs need to be known, and the success probability is not too high. To solve these problems, a quantum forgery attack on OTR structure using Simon's algorithm is proposed. The attacker intercept the ciphertext-tag pair $(C,T)$ between the sender and receiver, while Simon's algorithm is used to find the period of the tag generation function in OTR, then we can successfully forge new ciphertext $C'$ ($C'\ne C$) for intercepted tag $T$. For a variant of OTR structure (Pr{/o}st-OTR-Even-Mansour structure), a universal forgery attack, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it, is proposed. It first obtains the secret parameter L using Simon's algorithm, then the secret parameter L is used to find the keys $k_1$ and $k_2$, so that an attacker can forge the changed messages. It only needs several plaintext blocks to help obtain the keys to forge any messages. Performance analysis shows that the query complexity of our attack is $O(n)$, and its success probability is very close to 1.

Quantum Physics,Cryptography and Security,Emerging Technologies