nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography

verfasst von : André Chailloux, María Naya-Plasencia, André Schrottenloher

Erschienen in: Advances in Cryptology – ASIACRYPT 2017

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The cryptographic community has widely acknowledged that the emergence of large quantum computers will pose a threat to most current public-key cryptography. Primitives that rely on order-finding problems, such as factoring and computing Discrete Logarithms, can be broken by Shor’s algorithm ([49]).

Symmetric primitives, at first sight, seem less impacted by the arrival of quantum computers: Grover’s algorithm [31] for searching in an unstructured database finds a marked element among \(2^{n}\) in time \(\widetilde{O}(2^{n / 2})\), providing a quadratic speedup compared to the classical exhaustive search, essentially optimal. Cryptographers then commonly consider that doubling the length of the keys used will be enough to maintain the same level of security.

From similar techniques, quantum collision search is known to attain \(\widetilde{O}(2^{n / 3})\) query complexity [20], compared to the classical \(O(2^{n / 2})\). However this quantum speedup is illusory: the actual quantum computation performed is actually more expensive than in the classical algorithm.

In this paper, we investigate quantum collision and multi-target preimage search and present a new algorithm, that uses the amplitude amplification technique. As such, it relies on the same principle as Grover’s search. Our algorithm is the first to propose a time complexity that improves upon \(O(2^{n/2})\), in a simple setting with a single processor. This time complexity is \(\widetilde{O}(2^{2n/5})\) (equal to its query complexity), with a polynomial quantum memory needed (O(n)), and a small classical memory complexity of \(\widetilde{O}(2^{n/5})\). For multi-target preimage attacks, these complexities become \(\widetilde{O}(2^{3n/7})\), O(n) and \(\widetilde{O}(2^{n/7})\) respectively. To the best of our knowledge, this is the first proof of an actual quantum time speedup for collision search. We also propose a parallelization of these algorithms. This result has an impact on several symmetric cryptography scenarios: we detail how to improve upon previous attacks for hash function collisions and multi-target preimages, how to perform an improved key recovery in the multi-user setting, how to improve the collision attacks on operation modes, and point out that these improved algorithms can serve as basic tools for some families of cryptanalytic techniques.

In the end, we discuss the implications of these new attacks on post-quantum security.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Quantum Multicollision-Finding Algorithm

Nächstes Kapitel Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms

Computing f makes use of ancillary (additional) qubits. Properly initialized to \(\left| 0 \right\rangle \), those end up in a state \(\left| g(x) \right\rangle \) that cannot be simply dismissed: instead, by uncomputing, we can restore these qubits to their initial state \(\left| 0 \right\rangle \) and make sure that the oracle has no side-effects.

For single pipe constructions this is reduced by the blocks of length of the message M.

Some blocks fixed to a random value can be considered previously for randomization.

See Sect. 2.2 for a justification of the Q2 model.

A structure is a set of plaintexts of size \(2^{|\varDelta _{in}|}\) belonging to the same truncated difference \(\varDelta _{in}\), which means that they allow to build \(2^{2|\varDelta _{in}|-1}\) pairs.

Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM 51(4), 595–605 (2004)MathSciNetCrossRefMATH

Ambainis, A.: Polynomial degree and lower bounds in quantum complexity: collision and element distinctness with small range. Theor. Comput. 1(1), 37–46 (2005). http://dx.doi.org/10.4086/toc.2005.v001a003 MathSciNetCrossRefMATH

Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007). http://dx.doi.org/10.1137/S0097539705447311 MathSciNetCrossRefMATH

Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.M.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: IACR Cryptology ePrint Archive, p. 992 (2016)

Anand, M.V., Targhi, E.E., Tabia, G.N., Unruh, D.: Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 44–63. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_4 CrossRef

Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_16 CrossRef

Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. In: SAC 2017 (2017)

Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS, pp. 394–403. IEEE Computer Society (1997)

Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 Special-Purpose Hardware for Attacking Cryptographic Systems, p. 105 (2009)

10.

Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_15

11.

Bhargavan, K., Leurent, G.: On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN. IACR Cryptology ePrint Archive 2016, 798 (2016). http://eprint.iacr.org/2016/798

12.

Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2 CrossRef

13.

Biham, E.: How to decrypt or even substitute des-encrypted messages in 2\(^{\text{28 }}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002). http://dx.doi.org/10.1016/S0020-0190(02)00269-7 MathSciNetCrossRefMATH

14.

Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_8 CrossRef

15.

Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3 CrossRef

16.

Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21 CrossRef

17.

Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14 CrossRef

18.

Brassard, G., Høyer, P., Kalach, K., Kaplan, M., Laplante, S., Salvail, L.: Merkle puzzles in a quantum world. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 391–410. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_22 CrossRef

19.

Brassard, G., Hoyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemp. Math. 305, 53–74 (2002)MathSciNetCrossRefMATH

20.

Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319 CrossRef

21.

Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography. IACR Cryptology ePrint Archive 2017, 847 (2017). http://eprint.iacr.org/2017/847

22.

Chatterjee, S., Menezes, A., Sarkar, P.: Another look at tightness. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 293–319. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_18 CrossRef

23.

Damgård, I., Funder, J., Nielsen, J.B., Salvail, L.: Superposition attacks on cryptographic protocols. In: Padró, C. (ed.) ICITS 2013. LNCS, vol. 8317, pp. 142–161. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04268-8_9 CrossRef

24.

Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. In: IETF RFC 5246 (2008)

25.

Diffie, W., Hellman, M.: Privacy and authentication: an introduction to cryptography. In: Proceedings of the IEEE, vol. 67, pp. 397–427 (1979)

26.

Ehrsam, W.R., Meyer, C.H., Smith, J.L., Tuchman, W.L.: Message verification and transmission error detection by block chaining. US Patent 4074066 (1976)

27.

Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997). http://dx.doi.org/10.1007/s001459900025 MathSciNetCrossRefMATH

28.

Fouque, P.-A., Joux, A., Mavromati, C.: Multi-user collisions: applications to discrete logarithm, even-mansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_22

29.

Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3 CrossRef

30.

Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying Grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_3 CrossRef

31.

Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 212–219. ACM (1996). http://doi.acm.org/10.1145/237814.237866

32.

Grover, L.K.: Trade-offs in the quantum search algorithm. In: Physical Review A, vol. 66 (2002)

33.

Grover, L.K., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms? Quantum Inf. Comput. 4(3), 201–206 (2004). http://portal.acm.org/citation.cfm?id=2011622 MathSciNetMATH

34.

Kaplan, M.: Quantum attacks against iterated block ciphers. CoRR abs/1410.1434 (2014). http://arxiv.org/abs/1410.1434

35.

Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8 CrossRef

36.

Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/536 MATH

37.

Knudsen, L.R.: DEAL - A \(128\)-bit cipher. Technical Report, Department of Informatics, University of Bergen, Norway (1998)

38.

Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16 CrossRef

39.

Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_18 CrossRef

40.

Kutin, S.: Quantum lower bound for the collision problem with small range. Theor. Comput. 1(2), 29–36 (2005). http://www.theoryofcomputing.org/articles/v001a002 MathSciNetCrossRefMATH

41.

Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685. IEEE, 13–18 June 2010. http://dx.doi.org/10.1109/ISIT.2010.5513654

42.

Kuwakado, H., Morii, M.: Security on the quantum-type even-mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, pp. 312–316. IEEE, 28–31 October 2012. http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6400943

43.

Lipmaa, H., Rogaway, P., Wagner, D.: Comments to nist concerning aes modes of operations: Ctr-mode encryption (2000). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ctr/ctr-spec.pdf

44.

McGrew, D.A.: Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes. IACR Cryptology ePrint Archive 2012, 623 (2012). http://eprint.iacr.org/2012/623

45.

Menezes, A.: Another look at provable security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, p. 8. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_2 CrossRef

46.

Nielsen, M.A., Chuang, I.: Quantum Computation and Quantum Information. Cambridge University Press, New York (2002)MATH

47.

van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: CCS 1994, Proceedings of the 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, pp. 210–218. ACM, 2–4 November 1994

48.

Pollard, J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975). http://dx.doi.org/10.1007/BF01933667 MathSciNetCrossRefMATH

49.

Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, pp. 124–134. IEEE Computer Society, 20–22 November 1994. http://dx.doi.org/10.1109/SFCS.1994.365700

50.

Simon, D.R.: On the power of quantum cryptography. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, pp. 116–123. IEEE Computer Society, 20–22 November 1994. http://dx.doi.org/10.1109/SFCS.1994.365701

51.

Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25. Preprint on IACR ePrint 2014/587

52.

Yuval, G.: How to swindle rabin. Cryptologia 3(3), 187–191 (1979). http://dx.doi.org/10.1080/0161-117991854025 CrossRef

53.

Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Info. Comput. 15(7–8), 557–567 (2015). http://dl.acm.org/citation.cfm?id=2871411.2871413 MathSciNet

54.

Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. Int. J. Quantum Inf. 13(04), 1550014 (2015)MathSciNetCrossRefMATH

Titel: An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography
verfasst von: André Chailloux
María Naya-Plasencia
André Schrottenloher
Verlag: Springer International Publishing
Buch: Advances in Cryptology – ASIACRYPT 2017
Print ISBN: 978-3-319-70696-2

Electronic ISBN: 978-3-319-70697-9

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-70697-9_8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"