Low-Gate Quantum Golden Collision Finding

Jaques, Samuel; Schrottenloher, André

doi:10.1007/978-3-030-81652-0_13

Cited by 11 publications

(10 citation statements)

References 31 publications

(75 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It has already been remarked that Kuperberg algorithm doesn't appear to work when the oracle is only used to evaluate the action for a small fraction of the group elements [14], and thus wouldn't apply to this variant of OSIDH. The next best quantum against OSIDH would be, again, a meet-in-the-middle strategy, possibly applying some Grover-style accelerations [29], which has exponential complexity, putting OSIDH in a much better place than CSIDH regarding quantum security.…”

Section: Osidh and Cryptographic Group Actionsmentioning

confidence: 99%

On the Security of OSIDH

Dartois

Feo

2022

Public-Key Cryptography – PKC 2022

View full text Add to dashboard Cite

The Oriented Supersingular Isogeny Diffie-Hellman is a postquantum key exchange scheme recently introduced by Colò and Kohel. It is based on the group action of an ideal class group of a quadratic imaginary order on a subset of supersingular elliptic curves, and in this sense it can be viewed as a generalization of the popular isogeny based key exchange CSIDH. From an algorithmic standpoint, however, OSIDH is quite different from CSIDH. In a sense, OSIDH uses class groups which are more structured than in CSIDH, creating a potential weakness that was already recognized by Colò and Kohel. To circumvent the weakness, they proposed an ingenious way to realize a key exchange by exchanging partial information on how the class group acts in the neighborhood of the public curves, and conjectured that this additional information would not impact security. In this work we revisit the security of OSIDH by presenting a new attack, building upon previous work of Onuki. Our attack has exponential complexity, but it practically breaks Colò and Kohel's parameters unlike Onuki's attack. We also discuss countermeasures to our attack, and analyze their impact on OSIDH, both from an efficiency and a functionality point of view.

show abstract

Section: Osidh and Cryptographic Group Actionsmentioning

confidence: 99%

On the Security of OSIDH

Dartois

Feo

2022

Public-Key Cryptography – PKC 2022

View full text Add to dashboard Cite

show abstract

“…Another interesting question is whether one can get rid of quantum random access, and use only plain quantum circuits. In this setting, the best algorithm for Single-solution 2-XOR runs in time O 2 3n/7 using O 2 n/7 qubits [20]. We can propose an improved complexity for 4-XOR with the following: we use Schroeppel and Shamir's merging tree.…”

Section: Theorem 3 (New Trees For Single-solution K-xor)mentioning

confidence: 99%

Improved Quantum Algorithms for the k-XOR Problem

Schrottenloher

2022

Selected Areas in Cryptography

View full text Add to dashboard Cite

The k-XOR problem can be generically formulated as the following: given many n-bit strings generated uniformly at random, find k distinct of them which XOR to zero. This generalizes collision search (two equal elements) to a k-tuple of inputs. This problem has become ubiquitous in cryptanalytic algorithms, including variants in which the XOR operation is replaced by a modular addition (k-SUM) or other non-commutative operations (e.g., the composition of permutations). The case where a single solution exists on average is of special importance. At EUROCRYPT 2020, Naya-Plasencia and Schrottenloher defined a class of quantum merging algorithms for the k-XOR problem, obtained by combining quantum search. They represented these algorithms by a set of merging trees and obtained the best ones through linear optimization of their parameters. In this paper, we give a simplified representation of merging trees that makes their analysis easier. We give better quantum algorithms for the Single-solution k-XOR problem by relaxing one of the previous constraints, and making use of quantum walks. Our algorithms subsume or improve over all previous quantum algorithms for Single-solution k-XOR. For example, we give an algorithm for 4-XOR (or 4-SUM) in quantum time O(2 7n/24 ).

show abstract

“…For m = n, the complexity rises from O 2 m/3 to O 2 2m/5 [9]. For m = 2n, the complexity rises to O 2 3m/7 [17]. These algorithms can also be adapted for multiple collision finding, where they will outperform the classical ones for some parameter ranges (but not all).…”

Section: Quantum Algorithmsmentioning

confidence: 99%

Finding many Collisions via Reusable Quantum Walks

Bonnetain¹,

Chailloux²,

Schrottenloher³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Given a random function f with domain [2 n ] and codomain [2 m ], with m ≥ n, a collision of f is a pair of distinct inputs with the same image. Collision finding is an ubiquitous problem in cryptanalysis, and it has been well studied using both classical and quantum algorithms. Indeed, the quantum query complexity of the problem is well known to be Θ(2 m/3 ), and matching algorithms are known for any value of m. The situation becomes different when one is looking for multiple collision pairs. Here, for 2 k collisions, a query lower bound of Θ(2 (2k+m)/3 ) was shown by Liu and Zhandry (EUROCRYPT 2019). A matching algorithm is known, but only for relatively small values of m, when many collisions exist. In this paper, we improve the algorithms for this problem and, in particular, extend the range of admissible parameters where the lower bound is met. Our new method relies on a chained quantum walk algorithm, which might be of independent interest. It allows to extract multiple solutions of an MNRS-style quantum walk, without having to recompute it entirely: after finding and outputting a solution, the current state is reused as the initial state of another walk. As an application, we improve the quantum sieving algorithms for the shortest vector problem (SVP), with a complexity of 2 0.2563d+o(d) instead of the previous 2 0.2570d+o(d) .

show abstract

Low-Gate Quantum Golden Collision Finding

Cited by 11 publications

References 31 publications

On the Security of OSIDH

On the Security of OSIDH

Improved Quantum Algorithms for the k-XOR Problem

Finding many Collisions via Reusable Quantum Walks

Contact Info

Product

Resources

About