Quantum Differential and Linear Cryptanalysis

Leurent, Gaëtan; Kaplan, Marc; Leverrier, Anthony; Naya-Plasencia, Maŕıa

doi:10.46586/tosc.v2016.i1.71-94

Cited by 89 publications

(41 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is a strange tendency especially considering the fact that there are many attempts to speed up dedicated cryptanalysis against block ciphers e.g. differential and linear cryptanalysis [ 25 ], impossible differential cryptanalysis [ 44 ], meet-in-the-middle attacks [ 8 , 20 ], slide attacks [ 7 ], and so on. In this paper, we explore dedicated collision attacks against hash functions to find collisions faster than generic quantum attacks.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Finding Hash Collisions with Quantum Computers by Using Differential Trails with Smaller Probability than Birthday Bound

Hosoyamada

Sasaki

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this paper we spot light on dedicated quantum collision attacks on concrete hash functions, which has not received much attention so far. In the classical setting, the generic complexity to find collisions of an n -bit hash function is , thus classical collision attacks based on differential cryptanalysis such as rebound attacks build differential trails with probability higher than . By the same analogy, generic quantum algorithms such as the BHT algorithm find collisions with complexity . With quantum algorithms, a pair of messages satisfying a differential trail with probability p can be generated with complexity . Hence, in the quantum setting, some differential trails with probability up to that cannot be exploited in the classical setting may be exploited to mount a collision attack in the quantum setting. In particular, the number of attacked rounds may increase. In this paper, we attack two international hash function standards: AES-MMO and Whirlpool. For AES-MMO, we present a 7-round differential trail with probability and use it to find collisions with a quantum version of the rebound attack, while only 6 rounds can be attacked in the classical setting. For Whirlpool, we mount a collision attack based on a 6-round differential trail from a classical rebound distinguisher with a complexity higher than the birthday bound. This improves the best classical attack on 5 rounds by 1. We also show that those trails are optimal in our approach. Our results have two important implications. First, there seems to exist a common belief that classically secure hash functions will remain secure against quantum adversaries. Indeed, several second-round candidates in the NIST post-quantum competition use existing hash functions, say SHA-3, as quantum secure ones. Our results disprove this common belief. Second, our observation suggests that differential trail search should not stop with probability but should consider up to . Hence it deserves to revisit the previous differential trail search activities.

show abstract

Section: Introductionmentioning

confidence: 99%

“…Thus, the trail cannot be used to find hash collisions if . On the other hand, in the quantum setting, Kaplan et al [ 25 ] showed that we can find a message pair that satisfies the differential in time around . Thus, if we have a differential trail with probability p , we can mount a collision attack in time around .…”

Section: Introductionmentioning

confidence: 99%

Finding Hash Collisions with Quantum Computers by Using Differential Trails with Smaller Probability than Birthday Bound

Hosoyamada

Sasaki

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Generic quantum cryptanalysis has also been proposed in the last years focusing on different constructions [16,31,33]. Besides quantum acceleration on exhaustive search, new lines of research emerged, focusing on dedicated cryptanalysis of block ciphers [13], hash functions [25], and on the several attacks relying on Simon's algorithm ( [9][10][11][12]32,35,37]).…”

Section: Related Workmentioning

confidence: 99%

Quantum search for scaled hash function preimages

Ramos-Calderer

Bellini

Latorre

et al. 2021

Quantum Inf Process

View full text Add to dashboard Cite

We present the implementation of Grover’s algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, shifts of bits and the reuse of the initial state along the computation require extra quantum resources as compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step along the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on tensor networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover’s algorithm can only provide some marginal practical advantage in terms of error mitigation.

show abstract

“…If the underlying BC is an n-bit BC with k-bit keys, then LRWQ becomes an n-bit TBC with 3k-bit keys and n-bit tweaks. We show that LRWQ is indistinguishable from tweakable random permutations up to O(2 n/6 ) quantum queries 5 in the setting that adversaries can query arbitrary superpositions of 1 The security model that adversaries with quantum computers have access to only classical keyed oracles is called Q1 model, and the model that they have access to quantum keyed oracles is called Q2 model [KLLN16b].…”

Section: Our Contributionsmentioning

confidence: 99%

“…Post-quantum security attracts significant attention not only in the context of public key cryptography but also in the context of symmetric key cryptography, from the view point of both cryptanalysis [BN18, BNS19a, BNS19b, CNS17, GNS18, HSX17, KLLN16b,KLLN16a] and provable security for modes of operations [BZ13, CHS19, HI19, HY18, SY17, Zha19]. Recent results on symmetric key schemes show that some of the schemes that are proven to be secure in the classical setting are completely broken by adversaries with quantum computers in some specific situations [KM10, KM12,KLLN16a], which implies that simple remedies such as "doubling the length of secret keys" would not be sufficient to prepare for the threat of quantum computers, especially if it needs to be run on a quantum computer.…”

Section: Introductionmentioning

confidence: 99%

Provably Quantum-Secure Tweakable Block Ciphers

Hosoyamada

Iwata

2021

ToSC

View full text Add to dashboard Cite

Recent results on quantum cryptanalysis show that some symmetric key schemes can be broken in polynomial time even if they are proven to be secure in the classical setting. Liskov, Rivest, and Wagner showed that secure tweakable block ciphers can be constructed from secure block ciphers in the classical setting. However, Kaplan et al. showed that their scheme can be broken by polynomial time quantum superposition attacks, even if underlying block ciphers are quantum-secure. Since then, it remains open if there exists a mode of block ciphers to build quantum-secure tweakable block ciphers. This paper settles the problem in the reduction-based provable security paradigm. We show the first design of quantum-secure tweakable block ciphers based on quantum-secure block ciphers, and present a provable security bound. Our construction is simple, and when instantiated with a quantum-secure n-bit block cipher, it is secure against attacks that query arbitrary quantum superpositions of plaintexts and tweaks up to O(2n/6) quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the technique introduced by Hosoyamada and Iwata.

show abstract

Quantum Differential and Linear Cryptanalysis

Cited by 89 publications

References 22 publications

Finding Hash Collisions with Quantum Computers by Using Differential Trails with Smaller Probability than Birthday Bound

Finding Hash Collisions with Quantum Computers by Using Differential Trails with Smaller Probability than Birthday Bound

Quantum search for scaled hash function preimages

Provably Quantum-Secure Tweakable Block Ciphers

Contact Info

Product

Resources

About