Quantum Period Finding against Symmetric Primitives in Practice

Bonnetain, Xavier; Jaques, Samuel

doi:10.46586/tches.v2022.i1.1-27

Cited by 9 publications

(3 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…GMS uses a Grover search of the right k, which calls Simon's algorithm as a test. Its quantum complexity has been analyzed in detail in [Bon21,BJ22]. As for Simon's algorithm, the constant in the O(n) is close to 1 if we assume the functions to be random, and the gate count in O n 3 is usually smaller than the cost of n function computations.…”

Section: Grover-meet-simon As a Pmitm Attackmentioning

confidence: 99%

Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

Schrottenloher,

Stevens

2023

ToSC

View full text Add to dashboard Cite

The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations.In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.

show abstract

Section: Grover-meet-simon As a Pmitm Attackmentioning

confidence: 99%

Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

Schrottenloher,

Stevens

2023

ToSC

View full text Add to dashboard Cite

show abstract

“…The presentation of offline-Simon in [12,11,13], which we followed in the previous section, constructs an exact starting database, that is, a superposition of tuples (x, f (x)) with all xes forming an affine space. Note that to construct such a vector space, there are some constraints on the queries.…”

Section: Attack With Known-plaintext Queriesmentioning

confidence: 99%

Beyond quadratic speedups in quantum attacks on symmetric schemes

Bonnetain¹,

Schrottenloher²,

Sibleyras³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

In this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack. We study the 2XOR-Cascade construction of Gaži and Tessaro (EURO-CRYPT 2012). It is a key length extension technique which provides an n-bit block cipher with 5n 2 bits of security out of an n-bit block cipher with 2n bits of key, with a security proof in the ideal model. We show that the offline-Simon algorithm of Bonnetain et al. (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time O(2 n ), providing a 2.5 quantum speedup over the best classical attack. Regarding post-quantum security of symmetric ciphers, it is commonly assumed that doubling the key sizes is a sufficient precaution. This is because Grover's quantum search algorithm, and its derivatives, can only reach a quadratic speedup at most. Our attack shows that the structure of some symmetric constructions can be exploited to overcome this limit. In particular, the 2XOR-Cascade cannot be used to generically strengthen block ciphers against quantum adversaries, as it would offer only the same security as the block cipher itself.

show abstract

“…The quantum security of symmetric primitives has attracted an increasing interest in the last few years. Some works have targeted the security of generic constructions, for example [21,22,20], while others have studied the security of actual designs [7,19,5]. Many have proposed quantum versions of popular classical attacks, like for instance [20,6].…”

Section: Introductionmentioning

confidence: 99%

Quantum Boomerang Attacks and Some Applications

Frixons

Naya-Plasencia

Schrottenloher

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this paper, we study quantum key-recovery attacks on block ciphers. While it is well known that a quantum adversary can generically speed up an exhaustive search of the key, much less is known on how to use specific vulnerabilities of the cipher to accelerate this procedure. In this context, we show how to convert classical boomerang and mixing boomerang attacks into efficient quantum key-recovery attacks.In some cases, we can even obtain a quadratic speedup, the same as simple differential attacks. We apply this technique to a 5-round attack on SAFER++.

show abstract

Quantum Period Finding against Symmetric Primitives in Practice

Cited by 9 publications

References 20 publications

Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

Beyond quadratic speedups in quantum attacks on symmetric schemes

Quantum Boomerang Attacks and Some Applications

Contact Info

Product

Resources

About