Abstract
In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoffs between data complexity D and time complexity T against the problem of cardinality N are \(D^2 \cdot T^2 =N\) and \(D \cdot T^6 = N^3\) in the best and worst case scenarios to the adversary respectively, while the classic attack requires \(D\cdot T = N\). This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for T by limiting the maximum D to be below \(2^{n/2}\) according to the classical tradeoff \(D\cdot T = N\). Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H \(^2\)-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
Kaplan [Kap14] proposed another type of quantum MitM attack for multiple encryptions. It computes two independent parts offline, thus is different from ours.
References
Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. Cryptology ePrint Archive, Report 2017/789 (2017). To appear at SAC 2017
Beals, R., Brierley, S., Gray, O., Harrow, A.W., Kutin, S., Linden, N., Shepherd, D., Stather, M.: Efficient distributed quantum computing. In: Proceedings of the Royal Society A, vol. 469, p. 20120686. The Royal Society (2013)
Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortsch. Phys. 46(4–5), 493–505 (1998). https://arxiv.org/abs/quant-ph/9605034
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 (2009)
Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. CoRR, quant-ph/9705002 (1997). Quantum Cryptanalysis of Hash and Claw-Free Functions. LATIN 1998, pp. 163–169
Bonnetain, X.: Quantum key-recovery on full AEZ. Cryptology ePrint Archive, Report 2017/767 (2017). To appear at SAC 2017
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. Cryptology ePrint Archive, Report 2017/847 (2017)
Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_12. Cryptology ePrint Archive, Report 2011/644
Lov, G., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms. Quantum Inf. Comput. 4(3), 201–206 (2004)
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219 (1996). https://arxiv.org/abs/quant-ph/9605043
Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64200-0_1
Kaplan, M.: Quantum attacks against iterated block ciphers. arXiv preprint arXiv:1410.1434 (2014)
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016)
Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682–2685. IEEE (2010)
Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012)
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_20
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14, 17–35 (2001)
Liu, F., Liu, F.: Universal forgery and key recovery attacks: application to FKS, FKD and Keyak. Cryptology ePrint Archive, Report 2017/691 (2017)
Liu, F., Liu, F.: Universal forgery with birthday paradox: application to blockcipher-based message authentication codes and authenticated encryptions. Cryptology ePrint Archive, Report 2017/653 (2017)
Leander, G., May, A.: Grover meets Simon - quantumly attacking the FX-construction. Cryptology ePrint Archive, Report 2017/427 (2017). To appear at Asiacrypt 2017
Liskov, M., Rivest, R.L., Wagner, D.A.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)
Liu, F., Xie, T., Shen, C.: Breaking \(H^2\)-MAC using birthday paradox. Cryptology ePrint Archive, Report 2011/647 (2011)
McKay, K.A., Bassham, L., Turan, M.S., Mouha, N.: NISTIR 8114 report on lightweight cryptography. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017). https://doi.org/10.6028/NIST.IR.8114
Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_19
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19
Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35404-5_3
Mouha, N.: Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. Cryptology ePrint Archive, Report 2015/1182 (2015)
Mennink, B., Szepieniec, A.: XOR of PRPs in a quantum world. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 367–383. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_21
NIST: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology. NIST Special Publication (SP) 800–185 (2016)
Sasaki, Y.: Cryptanalyses on a Merkle-Damgård based MAC—almost universal forgery and distinguishing-H attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 411–427. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_25
Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)
Tsudik, G.: Message authentication with one-way hash functions. In: ACM SIGCOMM Computer Communication Review, vol. 22, no. 5, pp. 29–38. ACM (1992)
Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: CCS 1994, pp. 210–218. ACM (1994)
Yasuda, K.: HMAC without the “Second” Key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_35
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
A Further Discussion on Quantum Computation Models
A Further Discussion on Quantum Computation Models
Regarding attack models for quantum computations, we received several comments from other researchers. Below we introduce two issues which are pointed out by them.
1.1 A.1 Flying Qubits
As discussed in [BBG+13], if each qubit (or each small quantum processor) in a quantum hardware of size \(O(2^n\)) can communicate with O(n) qubits (or small quantum processors), then the hardware can simulate a hardware in free communicational model with the time overhead \(O(n^2)\). Thus, if we can modify a quantum hardware in realistic communication model so that each qubit in the hardware can communicate with a little more qubits (which is called “flying qubits” in [BBG+13]), then the hardware can simulate free communication model with a small overhead. However, realization of “flying qubits” fully depends on future development of quantum hardware, and here we give no argument about realizability of it.
1.2 A.2 Feasibility of Q2 Model
Q1 model is more realistic than Q2 model, though Q2 model should not be regarded as “non-realistic model.” In the main body of this paper, we described that Q2 model assumes that all the users implement algorithms on quantum computers and the network is communicated in the form of superposition. However, if an adversary attacks some kind of cryptosystems like “disk encryption” which is implemented on a quantum computer, then the notion of network becomes abstract. In addition, if white-box encryption algorithm is implemented on a quantum computer, then network becomes irrelevant.
Q2 model is simple and non-trivial. It ensures security in any intermediate scenario including hybrid ones like classical machines with quantum modules, where Q1 model could not really apply. We do not know how fast technologies on quantum computation and communication will develop, and using primitives not known to be secure in Q2 model would be challenging in the future.
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Hosoyamada, A., Sasaki, Y. (2018). Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations. In: Smart, N. (eds) Topics in Cryptology – CT-RSA 2018. CT-RSA 2018. Lecture Notes in Computer Science(), vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-76953-0_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76952-3
Online ISBN: 978-3-319-76953-0
eBook Packages: Computer ScienceComputer Science (R0)