-
Quantum Attacks without Superposition Queries: the Offline Simon's Algorithm
Authors:
Xavier Bonnetain,
Akinori Hosoyamada,
María Naya-Plasencia,
Yu Sasaki,
André Schrottenloher
Abstract:
In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon's period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon's subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while requiring only as much hardware (quantum and classical) as a standard exhaustive search with Grover's algorithm. In particular, we are able to break the Even-Mansour construction in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity. Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover's algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure. We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.
Submitted 27 February, 2020;
originally announced February 2020.
-
Quantum Algorithm for the Multicollision Problem
Authors:
Akinori Hosoyamada,
Yu Sasaki,
Seiichiro Tani,
Keita Xagawa
Abstract:
The current paper presents a new quantum algorithm for finding multicollisions, often denoted by $\ell$-collisions, where an $\ell$-collision for a function is a set of $\ell$ distinct inputs that are mapped by the function to the same value. The tight bound of quantum query complexity for finding a $2$-collision of a random function has been revealed to be $\Theta(N^{1/3})$, where $N$ is the size of the range of the function, but neither lower nor upper bounds are known for general $\ell$-collisions. The paper first integrates the results from existing research to derive several new observations, e.g., $\ell$-collisions can be generated with only $O(N^{1/2})$ quantum queries for any integer constant $\ell$. It then provides a quantum algorithm that finds an $\ell$-collision for a random function with the average quantum query complexity of $O(N^{(2^{\ell-1}-1) / (2^{\ell}-1)})$, which matches the tight bound of $\Theta(N^{1/3})$ for $\ell=2$ and improves upon the known bounds, including the above simple bound of $O(N^{1/2})$. More generally, the algorithm achieves the average quantum query complexity of $O\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ and runs over $\tilde{O}\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ qubits in $\tilde{O}\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ expected time for a random function $F\colon X\to Y$ such that $|X| \geq \ell \cdot |Y| / c_N$ for any $1\le c_N \in o(N^{{1}/({2^\ell - 1})})$. With the same complexities, it is actually able to find a multiclaw for random functions, which is harder to find than a multicollision.
Submitted 7 November, 2019;
originally announced November 2019.
-
Improved Quantum Multicollision-Finding Algorithm
Authors:
Akinori Hosoyamada,
Yu Sasaki,
Seiichiro Tani,
Keita Xagawa
Abstract:
The current paper improves the number of queries of the previous quantum multicollision-finding algorithms presented by Hosoyamada et al. at Asiacrypt 2017. Let an $l$-collision be a tuple of $l$ distinct inputs that result in the same output of a target function. In cryptology, it is important to study how many queries are required to find $l$-collisions for random functions whose domains are larger than their ranges. The previous algorithm finds an $l$-collision for a random function by recursively calling the algorithm for finding $(l-1)$-collisions, and it achieves the average quantum query complexity of $O(N^{(3^{l-1}-1) / (2 \cdot 3^{l-1})})$, where $N$ is the range size of target functions. The new algorithm removes the redundancy of the previous recursive algorithm so that different recursive calls can share a part of the computation. The new algorithm finds an $l$-collision for random functions with the average quantum query complexity of $O(N^{(2^{l-1}-1) / (2^{l}-1)})$, which improves the previous bound for all $l\ge 3$ (the new and previous algorithms achieve the optimal bound for $l=2$). More generally, the new algorithm achieves the average quantum query complexity of $O\left(c^{3/2}_N N^{\frac{2^{l-1}-1}{ 2^{l}-1}}\right)$ for a random function $f\colon X\to Y$ such that $|X| \geq l \cdot |Y| / c_N$ for any $1\le c_N \in o(N^{\frac{1}{2^l - 1}})$. With the same query complexity, it also finds a multiclaw for random functions, which is harder to find than a multicollision.
Submitted 28 January, 2019; v1 submitted 20 November, 2018;
originally announced November 2018.