Abstract
At Crypto 2016, Kaplan et al. proposed the first quantum exponential acceleration of a classical symmetric cryptanalysis technique: they showed that, in the superposition query model, Simon’s algorithm could be applied to accelerate the slide attack on the alternate-key cipher. This allows one to recover an n-bit key with \(\mathcal{O}(n)\) queries.
In this paper we propose many other types of quantum slide attacks, inspired by classical techniques including sliding with a twist, complementation slide and mirror slidex. We also propose four-round self-similarity attacks for Feistel ciphers when using XOR operations. Some of these variants combined with whitening keys (FX construction) can also be successfully attacked. We present a surprising new result on the composition of quantum algorithms, which allows some quantum slide attacks to be combined with a quantum attack on the round function, giving an efficient key recovery even if this function is strong classically.
Finally, we analyze the case of quantum slide attacks exploiting cycle-finding, whose possibility was mentioned in a paper by Bar-On et al. in 2015, where these attacks were introduced. We show that the speed-up is smaller than expected and less impressive than the above variants, but that these attacks nevertheless provide improved complexities over the previously known quantum attacks in the superposition model for some self-similar SPN and Feistel constructions.
References
Alagic, G., Russell, A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 65–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_3
Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018). https://doi.org/10.1007/s00145-017-9266-8
Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18
Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_41
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Bonnetain, X.: Quantum key-recovery on full AEZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 394–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_20
Bonnetain, X.: Improved low-qubit hidden shift algorithms. CoRR (2019). http://arxiv.org/abs/1901.11428
Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_19
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8
Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014). https://doi.org/10.1515/jmc-2012-0016
Damgård, I., Funder, J., Nielsen, J.B., Salvail, L.: Superposition attacks on cryptographic protocols. In: Padró, C. (ed.) ICITS 2013. LNCS, vol. 8317, pp. 142–161. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04268-8_9
Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Reflections on slide with a twist attacks. Des. Codes Crypt. 77(2–3), 633–651 (2015). https://doi.org/10.1007/s10623-015-0098-y
Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. Cryptol. ePrint Arch. Rep. 2018, 504 (2018). https://eprint.iacr.org/2018/504
Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61(10), 102501:1–102501:7 (2018). https://doi.org/10.1007/s11432-017-9468-y
Dunkelman, O., Keller, N., Shamir, A.: Slidex attacks on the Even-Mansour encryption scheme. J. Cryptol. 28(1), 1–28 (2015). https://doi.org/10.1007/s00145-013-9164-7
Gagliardoni, T.: Quantum security of cryptographic primitives. Ph.D. thesis, Darmstadt University of Technology, Germany (2017). http://tuprints.ulb.tu-darmstadt.de/6019/
Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3
Hosoyamada, A., Iwata, T.: Tight quantum security bound of the 4-round Luby-Rackoff construction. IACR Cryptol. ePrint Arch. 2019, 243 (2019). https://eprint.iacr.org/2019/243
Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 386–403. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_21
Hosoyamada, A., Sasaki, Y., Xagawa, K.: Quantum multicollision-finding algorithm. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 179–210. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_7
Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_20
Kaplan, M.: Quantum attacks against iterated block ciphers. CoRR (2014). http://arxiv.org/abs/1410.1434
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/536
Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005). https://doi.org/10.1137/S0097539703436345
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandão, F.G.S.L. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2013, May 21–23, 2013, Guelph, Canada. LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2013). https://doi.org/10.4230/LIPIcs.TQC.2013.20
Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: 2010 IEEE International Symposium on Information Theory Proceedings (ISIT), pp. 2682–2685 (June 2010)
Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: 2012 International Symposium on Information Theory and its Applications (ISITA), pp. 312–316 (October 2012)
Leander, G., May, A.: Grover Meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6
Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. CoRR (2004). http://arxiv.org/abs/quant-ph/0406151
Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1&2), 65–78 (2017). http://www.rintonpress.com/xxqic17/qic-17-12/0065-0078.pdf
Simon, D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 116–123. IEEE Computer Society (1994). https://doi.org/10.1109/SFCS.1994.365701
Takagi, T., Peyrin, T. (eds.): ASIACRYPT 2017. LNCS, vol. 10625. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9
Zhandry, M.: How to construct quantum random functions. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, October 20–23, 2012, pp. 679–687 (2012)
Acknowledgments
We thank Xiaoyang Dong for communicating some independent work on the 4-round Feistel quantum slide attack to us. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294, acronym QUASYModo).
Appendices
A Summary of Classical Slide Attacks
We provide in Tables 3 and 4 a (certainly non-exhaustive) list of classical slide attacks that we studied for quantum improvements. They are not ordered by efficiency. We refer to the corresponding source for a presentation of each attack’s principle. Table 3 contains attacks on specific constructions, while Table 4 contains attacks on generic constructions (n is the block size of the attacked cipher; for a Feistel network, round keys have size n/2). Note that memory usage and the need for access to a decryption device also play a role in the usefulness of these slide attacks.
B Quantum Cycle-Based Slide Attacks
We are inspired by [2] and its attacks against the SA construction and weak variants of AES. In the classical as in the quantum versions, most of the computation time is spent finding the actual slide pairs (via the cycle).
Two Keys and Two Permutations. Consider a cipher with alternating keys \(k_0, k_1\), XORed or modularly added, and two permutations \(\varPi_1, \varPi_2\) (Fig. 5). In the case of an SPN, \(\varPi_1 = \varPi_2 = \varPi\) are the same.
This scheme resists the basic slide attack, but we can write \(E_k \circ \varPi_2 = f_k^r\) where \(f_k(x) = \varPi_2(k_1 \oplus \varPi_1(k_0 \oplus x))\), and apply the cycle-finding technique. In \(\mathcal{O}(2^{n/2})\) superposition queries to \(E_k\) and computations, we can recover a small number of slide pairs, say two, from small cycles of \(E_k \circ \varPi_2\). Recall that n is the block size here; the key length is 2n. Therefore we obtain two equations:
Since the permutations can be inverted, we find:
Solving this equation for \(k_0\), if \(\varPi_1\) has no specific property, can be done in \(\mathcal{O}(2^{n/2})\) time using Grover’s algorithm, the same complexity as the first stage. This improves on the Grover-meets-Simon technique of [29], which would require \(\mathcal{O}(n 2^{n/2})\) queries and more time (the Grover oracle requires solving linear systems in superposition).
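The two-key cycle-finding attack just described, as an added toy example (this is not code from the paper): the 12-bit block size, the seeded public permutations \(\varPi_1, \varPi_2\), the value r = 7 and the key values are all constructed assumptions. To keep the example short, the cipher is defined directly as \(E_k = f_k^r\) with \(f_k(x) = \varPi_2(k_1 \oplus \varPi_1(k_0 \oplus x))\), so the iterated function is \(E_k\) itself rather than \(E_k \circ \varPi_2\). The quantum steps are replaced by their classical counterparts: the cycle stage walks the \(E_k\)-cycle through a random point (if the \(f_k\)-cycle through x has length \(\ell\) coprime to r, the \(E_k\)-cycle has the same length and \(E_k^a = f_k^{ra} = f_k\) on it for \(a = r^{-1} \bmod \ell\), which yields a slide pair from encryption queries only), and the Grover search over \(k_0\) becomes an exhaustive search.

```python
# Added toy example (not the paper's code): cycle-based slide attack on the
# two-key / two-permutation self-similar cipher E_k = f_k^r of Appendix B.
# Block size, permutations, round count and keys are constructed for
# illustration only.
import random
from math import gcd

N_BITS = 12            # toy block size n (assumption; the paper's n is generic)
N = 1 << N_BITS
ROUNDS = 7             # number r of iterations of f_k (assumption)


def random_permutation(seed):
    """A public permutation of {0..N-1} and its inverse, from a fixed seed."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    inv = [0] * N
    for i, v in enumerate(perm):
        inv[v] = i
    return perm, inv


PI1, PI1_INV = random_permutation(1)   # Pi_1 (constructed, public)
PI2, PI2_INV = random_permutation(2)   # Pi_2 (constructed, public)


def f_k(x, k0, k1):
    """One slide unit f_k(x) = Pi_2(k1 xor Pi_1(k0 xor x))."""
    return PI2[k1 ^ PI1[k0 ^ x]]


def encrypt(x, k0, k1):
    """The self-similar cipher: E_k = f_k^r (r iterations of f_k)."""
    for _ in range(ROUNDS):
        x = f_k(x, k0, k1)
    return x


def cycle_slide_pair(oracle, start):
    """Cycle stage, done classically with encryption queries only.

    Walk the E_k-cycle through `start` to learn its length l.  When the
    f_k-cycle through `start` has length coprime to r, the E_k-cycle has that
    same length l, and because E_k = f_k^r we get E_k^a = f_k^(r*a) = f_k on
    it for a = r^{-1} mod l, so (start, E_k^a(start)) is a slide pair.
    If the f_k-cycle length shares a factor with r, the visible l is a proper
    divisor of it and the pair returned here is wrong; recover_keys catches
    that case by checking the derived key against the oracle.
    Returns None when gcd(l, r) != 1, since r has no inverse mod l then.
    """
    length, y = 1, oracle(start)
    while y != start:
        y = oracle(y)
        length += 1
    if gcd(length, ROUNDS) != 1:
        return None
    a = pow(ROUNDS, -1, length) if length > 1 else 0
    y = start
    for _ in range(a):
        y = oracle(y)
    return start, y


def recover_keys(oracle, seed=0):
    """Recover (k0, k1) from a candidate slide pair (x, y), y = f_k(x).

    A second pair comes for free, (E_k(x), E_k(y)), because E_k commutes
    with f_k.  Inverting Pi_2 turns each pair into
    k1 = Pi_2^{-1}(y) xor Pi_1(k0 xor x); XORing the two equations
    eliminates k1 and leaves an equation in k0 alone, solved here by
    exhaustive search (the Grover step of the paper).  Every surviving
    (k0, k1) is confirmed on fresh oracle queries before being returned.
    """
    rng = random.Random(seed)
    while True:
        cand = cycle_slide_pair(oracle, rng.randrange(N))
        if cand is None:
            continue
        x, y = cand
        x2, y2 = oracle(x), oracle(y)
        target = PI2_INV[y] ^ PI2_INV[y2]
        for k0 in range(N):
            if PI1[k0 ^ x] ^ PI1[k0 ^ x2] != target:
                continue
            k1 = PI2_INV[y] ^ PI1[k0 ^ x]
            probes = [rng.randrange(N) for _ in range(3)]
            if all(encrypt(p, k0, k1) == oracle(p) for p in probes):
                return k0, k1


if __name__ == "__main__":
    K0, K1 = 0x5A3, 0x1C7                      # secret key (constructed)

    def oracle(x):                             # black-box encryption access
        return encrypt(x, K0, K1)

    print(recover_keys(oracle))                # expected: (1443, 455)
```

The verification step is what makes the attack robust to the failure mode of the cycle stage: about one start point in r lands on an \(f_k\)-cycle whose length is a multiple of r, and the candidate pair from such a cycle is not a slide pair, so the exhaustive search either finds no consistent \(k_0\) or finds one that the fresh probes reject. Note also where the cost lies: walking a cycle costs \(\ell\) encryption queries, and for a random start in a random permutation of \(2^n\) points \(\ell\) is about \(2^{n-1}\) on average, which is why the quantum cycle-finding stage at \(\mathcal{O}(2^{n/2})\) queries is the interesting part of the paper's analysis.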
Attacking 3k-SPN. Cycle-finding can further be applied to a 3k-SPN construction, where there is a unique permutation \(\varPi = A \circ S\), with A a linear layer and S a non-linear layer of S-Boxes. Still using \(\mathcal{O}(2^{n/2})\) queries, we now write the slide equations as:
To solve this equation in \(k_0\) and \(k_1\) efficiently, we first guess \(k_0\) using Grover’s algorithm. The equation on \(k_1\) becomes:
Furthermore, we may consider each S-Box separately and solve the equation on \(k_1\) S-Box by S-Box. If s is the bit size of an S-Box, the final complexity of this attack is \(\mathcal{O}(2^{(n+s)/2})\) computations, with \(\mathcal{O}(2^{n/2})\) oracle queries.
Attacking 4k-AES. In the case of AES, we can add one more round. Suppose that, from the cycle, we obtain four equations of the form:
We use the fact that a column of \(\varPi(x)\) depends only on a diagonal of x. Since we only need to guess \(k_2\) byte by byte, we also only need to guess \(k_1\) column by column, assuming that the full \(k_0\) is guessed. The cycle step has a complexity of approximately \(2^{64}\) queries (usually, queries to an AES-like black box should cost a non-negligible quantum time). The equation step has a complexity of approximately \(2^{64} \times \left( 2^{16} (2^4 \times 4) \times 4 \right) \simeq 2^{84}\) calls to \(\varPi\): each guess of \(k_0\) is tested by searching for the right \(k_1\) (column by column) and \(k_2\) (byte by byte).
Against 3k-Feistel. A Feistel scheme with a mixing function f, alternating three keys \(k_0, k_1, k_2\), XORed or modularly added, is immune to the complementation slide and sliding-with-a-twist techniques. It seems difficult to write a slide-shift property for this cipher. Let us write the round function g as:
and suppose that we can invert f. In \(\mathcal{O}(2^{n/2})\) queries, we can find two slide equations \(g(L,R) = (L',R')\), which imply \(f( k_1 + L + f(k_0 + R)) = L' - R\). Regardless of the function f, we can invert it in time \(\mathcal{O}(2^{n/4})\) using Grover and recover two equations \(k_1 + L + f(k_0 + R) = X\). We take the difference (or the sum if we replace \(+\) by \(\oplus\)) to eliminate \(k_1\), and we can solve the remaining equation on \(k_0\) using Grover in \(\mathcal{O}(2^{n/4})\) time. Once this is done, \(k_1\) can be found via the relation \(k_1 = f^{-1}(L' - R) - L - f(k_0 + R)\) and \(k_2\) via \(L + f(k_0 + R) + f(k_2 + f( k_1 + L + f(k_0 + R))) = R'\).
The whole attack requires \(\mathcal{O}(2^{n/2})\) time and queries due to the cycle finding, with any function f.
Against 4k-Feistel. If we append one more round key \(k_3\), the round function g becomes:
Again, we can find some slide equations \(g(L,R) = (L',R')\) from a cycle in \(\mathcal{O}(2^{n/2})\) queries. We guess the subkey \(k_0\). For each guess, we can rewrite the equations as if there were only 3 subkeys, and solve them in time \(\mathcal{O}(2^{n/4})\) using multiple Grover instances, as seen above, regardless of the properties of f. The whole attack requires \(\mathcal{O}(2^{n/2})\) time and queries; the two steps (cycle finding and solving equations) are now balanced. The time complexity is higher than that of the other 4k-Feistel attacks seen above, but there is no restriction on the function f or the operations used; furthermore, we only use encryption queries, not decryption queries (which the twist attack needs).
C Slide Attack on a Four-Round Self-similar Feistel
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A. (2020). On Quantum Slide Attacks. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_20
DOI: https://doi.org/10.1007/978-3-030-38471-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5
eBook Packages: Computer Science (R0)