Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1007/s11128-023-03877-7

2023-09-24

Abstract:Exploiting quantum mechanisms, quantum attacks have the potential ability to break the cipher structure. Recently, Ito et al. proposed a quantum attack on Feistel-2* structure (Ito et al.'s attack) based onthe Q2 model. However, it is not realistic since the quantum oracle needs to be accessed by the adversary, and the data complexityis high. To solve this problem, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw-finding is proposed, which takes a more realistic model, the Q1 model, as the scenario, and only requires 3 plain-ciphertext pairs to quickly crack the 6-round Feistel-2* structure. First, we proposed a multi-equations quantum claw-finding algorithm to solve the claw problem of finding multiple equations. In addition, Grover's algorithm is used to speedup the rest subkeys recovery. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time complexity and memory complexity are also significantly reduced.

Quantum Physics,Cryptography and Security,Emerging Technologies

Ying Xu,Xiaoni Du,Meichun Jia,Xiangyu Wang,Jian Zou

DOI: https://doi.org/10.1007/s11128-023-04135-6

IF: 1.965

2023-10-16

Quantum Information Processing

Abstract:Generalized Feistel networks are important components of symmetric ciphers, and detailed security evaluations in the quantum setting remain to be explored. In this paper, based on the strong–weak separability of certain branch output function, we present polynomial-time quantum distinguishers for 4F-function and 2F-function structures in quantum chosen-plaintext attack setting for the first time, and then quantum key-recovery attacks are achieved through Grover-meet-Simon algorithm, respectively. Under the condition of the semi-strong separability, firstly, we give a quantum distinguisher on 8-round 4F-function structure, from which we carry out a 12-round quantum key-recovery attack to guess 10 n -bit subkey, whose time complexities gain a factor of . When attacking rounds, we can recover -bit subkey in time . Secondly, we show a quantum distinguisher on 5-round 2F-function structure, and a 7-round quantum key-recovery attack is performed on it, which can recover 3 n -bit subkey in time . When , -bit subkey can be recovered with time complexities by a factor of . Furthermore, based on the weak separability, a 6-round quantum distinguisher for 2F-function structure is constructed, and an 8-round quantum key-recovery attack is achieved, and the time complexity is when . The results show that the time complexity of each attack scheme we proposed is much better than that of Grover's brute force search.

physics, multidisciplinary,quantum science & technology, mathematical

Xiaoyang Dong,Zheng Li,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9436-7

2019-01-02

Science China Information Sciences

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For d-branch Type-1 GFS (CAST256-like Feistel structure), we introduce (2d - 1)-round quantum distinguishers with polynomial time. For 2d-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give (2d + 1)-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round 4-branch Type-1 GFS and 5-round 4-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon’s and Grover’s algorithms recently proposed by Leander and May. We denote n as the bit length of a branch. For (d2-d+2)-round Type-1 GFS with d branches, the time complexity is 2(12d2−32d+2)⋅n2$${2^{\left( {\frac{1}{2}{d^2} - \frac{3}{2}d + 2} \right) \cdot \frac{n}{2}}}$$, which is better than the quantum brute force search (Grover search) by a factor 2(14d2+14d)n$${2^{\left( {\frac{1}{4}{d^2} + \frac{1}{4}d} \right)n}}$$. For 4d-round Type-2 GFS with 2d branches, the time complexity is 2d2n2$${2^{\frac{{{d^2}n}}{2}}}$$, which is better than the quantum brute force search by a factor 23d2n2$${2^{\frac{{3{d^2}n}}{2}}}$$.

computer science, information systems,engineering, electrical & electronic

Bo Yu,Tairong Shi,Xiaoyang Dong,Xuan Shen,Yiyuan Luo,Bing Sun

DOI: https://doi.org/10.1007/978-981-97-0945-8_19

2024-01-01

Abstract:Simon's algorithm has shown a threat to block ciphers in the quantum setting, especially accelerating attacks with superposition queries. Sometimes it is difficult for attackers to make superposition queries, while an easier way is to use classical data then process them on quantum computers. At ASIACRYPT 2019, Bonnetain et al. proposed the offline Simon's algorithm. But there is a gap between the classical queries and a quantum database in their work. In this paper, we propose an algorithm involving polynomial qubits that can transform a classical database into a quantum superposition state without using QRAM. What's more, we analyze the influence of two approaches called pre- and post-distinguisher methods for Simon's algorithm attack. Then we run a quantum key recovery attack on Feistel structure in the Q1 model. For attacking r-round Feistel structure with n-bit block size and n/2-bit subkey, the time complexity of our attack is O(l center dot 2(n/2+2) + 2((r-3)n/4)) (where l is a constant), and the classical data complexity is always O(2(n/2+1)), which is much better than the classical attacks especially for r > 5.

Zou, Jian

DOI: https://doi.org/10.1007/s11128-024-04349-2

IF: 1.965

2024-04-03

Quantum Information Processing

Abstract:In this paper, we present some new key-recovery attacks on Misty L-KF, Misty R-KF, and generalized Feistel schemes. Firstly, we propose a new 5-round distinguisher on Misty L-KF structure. Based on our new distinguisher attack, we propose a new 6-round Demiric–Selçuk meet-in-the-middle attack (DS-MITM attack) against Misty L-KF structure. Secondly, we extend our classical DS-MITM attack to a new quantum DS-MITM attack on Misty L-KF structure by using the quantum claw finding algorithm. In addition, we apply the above method to attack Misty R-KF and generalized Feistel schemes. To sum up, we construct our classical key-recovery attacks on the 6-round Misty L-KF structure and Misty R-KF structure with time and memory cost. By using a quantum computer, our new quantum key-recovery attacks on the 6-round Misty L-KF structures and Misty R-KF structures can be constructed with time and memory cost. Furthermore, we can construct our new quantum -round key-recovery attacks on the d -branch contracting Feistels with time and memory cost. In the end, we can construct our new quantum -round and -round key-recovery attacks on the two types of d -branch expanding Feistels with time and memory cost.

physics, multidisciplinary,quantum science & technology, mathematical

Joseph Jaeger,Fang Song,Stefano Tessaro

DOI: https://doi.org/10.48550/arXiv.2105.01242

2021-10-23

Abstract:Should quantum computers become available, they will reduce the effective key length of basic secret-key primitives, such as blockciphers. To address this we will either need to use blockciphers which inherently have longer keys or use key-length extension techniques which employ a blockcipher to construct a more secure blockcipher that uses longer keys. We consider the latter approach and revisit the FX and double encryption constructions. Classically, FX is known to be secure, while double encryption is no more secure than single encryption due to a meet-in-the-middle attack. We provide positive results, with concrete and tight bounds, for both of these constructions against quantum attackers in ideal models. For FX, we consider a partially-quantum model, where the attacker has quantum access to the ideal primitive, but only classic access to FX. We provide two results for FX in this model. The first establishes the security of FX against non-adaptive attackers. The second establishes security against general adaptive attacks for a variant of FX using a random oracle in place of an ideal cipher. This result relies on the techniques of Zhandry (CRYPTO '19) for lazily sampling a quantum random oracle. An extension to perfectly lazily sampling a quantum random permutation, which would help resolve the adaptive security of standard FX, is an important but challenging open question. We introduce techniques for partially-quantum proofs without relying on analyzing the classical and quantum oracles separately, which is common in existing work. This may be of broader interest. For double encryption we apply a technique of Tessaro and Thiruvengadam (TCC '18) to establish that security reduces to the difficulty of solving the list disjointness problem, which we are able to reduce through a chain of results to the known quantum difficulty of the element distinctness problem.

Quantum Physics,Cryptography and Security

Xuexuan Hao,Fengrong Zhang,Yongzhuang Wei,Yong Zhou

DOI: https://doi.org/10.26421/qic20.1-2-4

2020-01-01

Quantum Information and Computation

Abstract:Quantum period finding algorithms have been used to analyze symmetric cryptography. For instance, the 3-round Feistel construction and the Even-Mansour construction could be broken in polynomial time by using quantum period finding algorithms. In this paper, we firstly provide a new algorithm for finding the nonzero period of a vectorial function with O(n) quantum queries, which uses the Bernstein-Vazirani algorithm as one step of the subroutine. Afterwards, we compare our algorithm with Simon's algorithm. In some scenarios, such as the Even-Mansour construction and the function satisfying Simon's promise, etc, our algorithm is more efficient than Simon's algorithm with respect to the tradeoff between quantum memory and time. On the other hand, we combine our algorithm with Grover's algorithm for the key-recovery attack on the FX construction. Compared with the Grover-Meets-Simon algorithm proposed by Leander and May at Asiacrypt 2017, the new algorithm could save the quantum memory.

Yingjie Zhang,Lijun Lyu,Kexin Qiao,Zhiyu Zhang,Siwei Sun,Lei Hu

DOI: https://doi.org/10.1007/978-3-030-93206-0_10

2021-01-01

Abstract:Linear cryptanalysis is one of the most effective statistical analysis methods on symmetric-key ciphers. It has benefited from many improvements since being proposed. Among these works, Antonio et al. proposed a fast arbitrary-round key recovery method based on Fast Walsh-Hadamard Transform (FWHT) in EUROCRYPT 2020. However, they did not promote their method on the Feistel structure, which is used widely. In addition, there are very few automatic methods for the key recovery phase. This paper extends Antonio et al.'s method to the Feistel structure and builds a Mixed-Integer Linear Programming (MILP) model to determine the guessed subkeys automatically. Due to this, we can automatically optimize the time complexity of linear cryptanalysis. Afterward, we apply our method to SIMON and SIMECK and increase the attackable rounds of SIMON64/96, SIMON64/128, SIMON96/96, SIMON96/144, SIMECK48/96, and SIMECK64/128 by one round to 31, 32, 38, 39, 31, and 38, respectively.

Boyu Ni,Gembu Ito,Xiaoyang Dong,Tetsu Iwata

DOI: https://doi.org/10.1007/978-3-030-35423-7_22

2020-01-01

Abstract:Generalized Feistel Schemes (GFSs) are important components of symmetric ciphers, which have been extensively studied in the classical setting. However, detailed security evaluations of GFS in the quantum setting still remain to be explored.

Hongkai Zou,Jian Zou,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-023-03921-6

IF: 1.965

2023-04-11

Quantum Information Processing

Abstract:At SAC 2021, Frixons et al. proposed quantum boomerang attacks that can effectively recover the keys of block ciphers in the quantum setting. Based on their work, we further consider how to quantize the generic boomerang attacks proposed by Biham et al. at FSE 2002, so as to obtain more generic quantum boomerang attacks. Similar to Frixons et al.'s work, we only consider quantum key recovery attacks in the single-key setting. With the help of some famous quantum algorithms, this paper presents two methods to convert the attacks of Biham et al. into some new quantum key recovery attacks. In order to proof our methods, we apply our new ideas to attack Serpent-256 and ARIA-196. To sum up, for Serpent-256, we give valid 9-round and 10-round quantum key recovery attacks respectively. The quantum time complexity of 9-round and 10-round of Serpent-256 is and respectively. Furthermore, we show a valid quantum key attack on 6-round ARIA-196 which has a time complexity of with negligible memory. The time complexity of the above quantum attacks are better than the corresponding classical attacks and quantum generic key recovery attack via Grover's algorithm.

physics, multidisciplinary,quantum science & technology, mathematical

Qianru Zhu,Huiqin Xie,Qiqing Xia,Li Yang

DOI: https://doi.org/10.48550/arXiv.2301.06706

2023-01-17

Quantum Physics

Abstract:Quantum algorithm is a key tool for cryptanalysis. At present, people are committed to building powerful quantum algorithms and tapping the potential of quantum algorithms, so as to further analyze the security of cryptographic algorithms under quantum computing. Recombining classical quantum algorithms is one of the current ideas to construct quantum algorithms. However, they cannot be easily combined, the feasibility of quantum algorithms needs further analysis in quantum environment. This paper reanalyzes the existing combined algorithm Grover-meets-Simon algorithm in terms of the principle of deferred measurement. First of all, due to the collapse problem caused by the measurement, we negate the measurement process of Simon's algorithm during the process of the Grover-meets-Simon algorithm. Second, since the output of the unmeasured Simon algorithm is quantum linear systems of equations, we discuss the solution of quantum linear systems of equations and find it feasible to consider the deferred measurement of the parallel Simon algorithm alone. Finally, since the Grover-meets-Simon algorithm involves an iterative problem, we reconsider the feasibility of the algorithm when placing multiple measurements at the end. According to the maximum probability of success and query times, we get that the Grover-meets-Simon algorithm is not an effective attack algorithm when putting the measurement process of the Simon algorithm in the iterative process at the end of Grover-meets-Simon algorithm.

Ruilin Li,Bing Sun,Chao Li,Longjiang Qu

2009-01-01

Abstract:This paper reevaluates the security of GF-NLFSR, a new kind of generalized unbalanced Feistel network structure that was proposed at ACISP 2009. We show that GF-NLFSR itself reveals a very slow diffusion rate, which could lead to several distinguishing attacks. For GF-NLFSR containing n sub-blocks, we find an n2-round integral distinguisher by algebraic methods and further use this integral to construct an (n2 + n - 2)-round impossible differential distinguisher. Compared with the original (3n - 1)-round integral and (2n - 1)-round impossible differential, ours are significantly better. Another contribution of this paper is to introduce a kind of nonsurjective attack by analyzing a variant structure of GF-NLFSR, whose provable security against differential and linear cryptanalysis can also be provided. The advantage of the proposed non-surjective attack is that traditional non-surjective attack is only applicable to Feistel ciphers with non-surjective (non-uniform) round functions, while ours could be applied to block ciphers with bijective ones. Moreover, its data complexity is O(l) with l the block length.

Jiajie Liu,Bing Sun,Guoqiang Liu,Xinfeng Dong,Li Liu,Hua Zhang,Chao Li

DOI: https://doi.org/10.1109/tit.2022.3223139

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:This paper mainly investigates the iterative structures whose decryption is similar to the encryption. Firstly, we unify many well-known structures which share similar procedures between the decryption and the encryption, and give a sufficient and necessary condition for this structure to be bijective, which reveals many new insights into the Feistel structure as well as the Lai-Massey structure. Secondly, we analyze the security of the unified structure against the known cryptanalysis. By extending the dual structure from a Feistel structure to the unified structure, we prove that a differential of the unified structure is impossible if and only if it is a zero-correlation linear hull of its dual structure, which presents a generalized link between the impossible differential and zero-correlation linear cryptanalysis shown in CRYPTO 2015. Significantly, several constraints on the linear components of the cipher and the permutation on the branches of the cipher are specified to make the structure resilient to differential and linear cryptanalysis. Furthermore, in the case that the order of the permutation equals the number of the branches $n$ , we prove that there always exist a $(3n-1)$ -round impossible differential and a $(3n-1)$ -round zero-correlation linear hull of the structure, and also present an algorithm to construct these distinguishers. Finally, we propose some novel structures which might be used in future block cipher designs.

Jiajie Liu,Bing Sun,Chao Li

DOI: https://doi.org/10.1049/ise2.12098

2022-01-01

IET Information Security

Abstract:This study proposes a new iterative structure called the L‐Feistel structure, which shares similar procedures between encryption and decryption and could unify the Feistel structure and the Lai‐Massey structure. This paper evaluates the security of the L‐Feistel structure from the perspective of provable security and classical analysis, respectively. Firstly, it is proved that the 4‐round Key‐Alternating L‐Feistel cipher with independent round keys and independent round functions is secure against 2 n /2 queries that is, birthday‐bound security. Then by presenting the dual structure of the L‐Feistel structure with SP‐type round functions, it is proven that a differential of the L‐Feistel structure is impossible when and only when it is a zero‐correlation linear hull of its dual structure. Finally, the paper constructs impossible differentials, zero‐correlation linear hulls and integral distinguishers of the L‐Feistel structure with SP‐type round functions which cover six and seven rounds, respectively, under different conditions.

Alexey Moiseevskiy

2023-04-12

Abstract:Advanced Encryption Standard is one of the most widely used and important symmetric ciphers for today. It well known, that it can be subjected to the quantum Grover's attack that twice reduces its key strength. But full AES attack requires hundreds of qubits and circuit depth of thousands, that makes impossible not only experimental research but also numerical simulations of this algorithm. Here we present an algorithm for optimized Grover's attack on downscaled Simplifed-AES cipher. Besides full attack we present several approaches that allows to reduce number of required qubits if some nibbles of the key are known as a result of side-channel attack. For 16-bit S-AES the proposed attack requires 23 qubits in general case and 19, 15 or 11 if 4, 8 or 12 bits were leaked in specifc confguration. Comparing to previously known 32-qubits algorithm this approach potentially allows to run the attack on today's NISQ-devices and perform numerical simulations with GPU, that may be useful for further research of problem-specifc error mitigation and error correction techniques.

Quantum Physics

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security

Gustavo Banegas,Ricardo Villanueva-Polanco

DOI: https://doi.org/10.1007/s12095-022-00625-z

2023-02-16

Cryptography and Communications

Abstract:This paper presents a general strategy to recover a block cipher secret key in the cold boot attack setting. More precisely, we propose a key-recovery method that combines key enumeration algorithms and Grover's quantum algorithm to recover a block cipher secret key after an attacker has procured a noisy version of it via a cold boot attack. We also show how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT, and LowMC. Additionally, since evaluating the third-round post-quantum candidates of the National Institute of Standards and Technology (NIST) post-quantum standardization process against different attack vectors is of great importance for their overall assessment, we show the feasibility of performing our hybrid attack on Picnic, a post-quantum signature algorithm being an alternate candidate in the NIST post-quantum standardization competition. According to our results, our method may recover the Picnic private key for all Picnic parameter sets, tolerating up to 40 % of noise for some of the parameter sets. Furthermore, we provide a detailed analysis of our method by giving the cost of its resources, its running time, and its success rate for various enumerations.

computer science, theory & methods,mathematics, applied

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.

Tairong Shi,Wenling Wu,Bin Hu,Jie Guan,Han Sui,Senpeng Wang,Mengyuan Zhang

DOI: https://doi.org/10.1109/tifs.2024.3402970

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:A lot of work in the field of quantum cryptanalysis is currently devoted to finding applications of Grover-meets-Simon algorithm and its complexity is given in the form of , but research on how to implement the attack efficiently is still insufficient. After all, it is crucial to study quantum attacks in resource-limited situations, according to NIST's guidance on circuit depth. This work first evaluates the parallelization of Grover-meets-Simon by drawing on the Grover's parallel approach and shows that as the width increases by , the depth decreases by a factor of . Further, the first dedicated quantum attack on a class of functions that appear in cryptographic scheme applications (so-called XOR-type function) is proposed. The depth, width, and the number of gates required for the attack are greatly reduced compared to the general parallelization. Then we apply the attack to various Beyond-Birthday-Bound (BBB) MACs, where the XOR function can be constructed, including SUM-ECBC and its variants (2K-SUM-ECBC, 2K-ECBC_Plus), and GCM-SIV2. In the typical case where SUM-ECBC is based on AES-128, our attack saves at least 62.3% in depth, 19.5% in width and 22.2% in gate count simultaneously. The impact on some lightweight ciphers is further explored, and it is interesting to note that the lighter the quantum circuit implementation of the cipher is, the greater the possible impact of an attack will be. This observation may provide new insights into quantum cryptanalysis.

computer science, theory & methods,engineering, electrical & electronic