nach oben

Designs, Codes and Cryptography

Erschienen in:

30.04.2021

Breaking LWC candidates: sESTATE and Elephant in quantum setting

verfasst von: Tairong Shi, Wenling Wu, Bin Hu, Jie Guan, Sengpeng Wang

Erschienen in: Designs, Codes and Cryptography | Ausgabe 7/2021

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The competition for lightweight cryptography (LWC) launched by the National Institute of Standards and Technology (NIST) is an ongoing project calling for the standardization of lightweight cryptographic algorithms. The Report on Lightweight Cryptography specifically asks that submissions be quantum safe when long-term security is needed. However, this was not included in the “Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process.” Consequently, most candidates, including sESTATE and Elephant, make no claim regarding security with respect to quantum attacks. We propose quantum key recovery attacks on those second-round candidates. sESTATE is an authenticated encryption mode inspired by SUNDAE, as proposed in ToSC 2018. It claims that the adversary can get no information regarding the simplified tweakable block cipher. However, we show that quantum adversaries could extract the internal values, leading to a key-recovery attack on the only recommended scheme, sESTATE_TweAES-128-6, with \(2^{42.3}\) Q2 queries and a time equivalent to \(2^{52}\) AES encryptions. Technically, the attack is based on the combination of a quantum extracting method and quantum square attack. For Elephant mode, which internally uses a permutation masked by linear feedback shift registers (LFSRs) similar to the masked Even-Mansour construction proposed in EUROCRYPT 2016, we launch the attack based on the quantum attack proposed by Bonnetain et al., which depends on Simon’s algorithm without superposition queries and Grover’s algorithm. Our attack is generic and independent of internal permutation; hence, we obtain the quantum attacks on all instances with a tradeoff of classical and quantum queries. Remarkably, the attack complexities of both recommended instances are lower than that of the generic quantum attack on key, i.e., in time \({\mathcal {O}}({2}^{|K|/{2}})\) with \({\mathcal {O}}(1)\) queries.

Vorheriger Artikel The dual of an evaluation code

Nächster Artikel Construction of matrices from generalized Feistel structures

Nur mit Berechtigung zugänglich

Alagic G., Russell A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part III, pp. 65–93 (2017). https://doi.org/10.1007/978-3-319-56617-7_3.

Anand M.V., Targhi E.E., Tabia G.N., Unruh D.: Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation. In: Post-Quantum Cryptography—7th International Workshop, PQCrypto 2016, Fukuoka, Japan, 24–26 February 2016, Proceedings, pp. 44–63 (2016). https://doi.org/10.1007/978-3-319-29360-8_4.

Andreeva E., Bogdanov A., Luykx A., Mennink B., Mouha N., Yasuda K.: How to securely release unverified plaintext in authenticated encryption. In: Advances in Cryptology - ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., 7–11 December 2014. Proceedings, Part I, pp. 105–125 (2014). https://doi.org/10.1007/978-3-662-45611-8_6.

Banik S., Bogdanov A., Luykx A., Tischhauser E.: SUNDAE: small universal deterministic authenticated encryption for the Internet of Things. IACR Trans. Symmetric Cryptol. 2018(3), 1–35 (2018). https://doi.org/10.13154/tosc.v2018.i3.1-35.

Bellare M., Namprempre C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x.MathSciNetCrossRefMATH

Bernstein D.J.: Stronger security bounds for Wegman–Carter–Shoup authenticators. In: Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005, Proceedings, pp. 164–180 (2005). https://doi.org/10.1007/11426639_10.

Bertoni G., Daemen J., Peeters M., Assche G.V.: keccak. Cryptology ePrint Archive. Report 2015/389 (2015). http://eprint.iacr.org/2015/389.

Beyne T., Chen Y.L., DobraunigC., Mennink B.: Elephant v1.1. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/elephant-spec-round2.pdf.

Black J., Rogaway P.: CBC macs for arbitrary-length messages: the three-key constructions. J. Cryptol. 18(2), 111–131 (2005). https://doi.org/10.1007/s00145-004-0016-3.MathSciNetCrossRefMATH

10.

Bogdanov A., Knezevic M., Leander G., Toz D., Varici K., Verbauwhede I.: spongent: a lightweight hash function. In: Cryptographic Hardware and Embedded Systems - CHES 2011—13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings, pp. 312–325 (2011). https://doi.org/10.1007/978-3-642-23951-9_21.

11.

Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pp. 361–379 (2013). https://doi.org/10.1007/978-3-642-40084-1_21.

12.

Bonnetain, X.: Quantum key-recovery on full AEZ. In: Selected Areas in Cryptography-SAC 2017-24th International Conference, Ottawa, ON, Canada, August 16–18, 2017, Revised Selected Papers, pp. 394–406 (2017). https://doi.org/10.1007/978-3-319-72565-9_20.

13.

Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Y., Schrottenloher, A.: Quantum attacks without superposition queries: The offline simon’s algorithm. In: Advances in Cryptology-ASIACRYPT 2019-25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part I, pp. 552–583 (2019). https://doi.org/10.1007/978-3-030-34578-5_20.

14.

Bonnetain X., Jaques S.: Quantum period finding against symmetric primitives in practice. IACR Cryptol. ePrint Arch. 2020, 1418. (2020). https://eprint.iacr.org/2020/1418.

15.

Bonnetain X., Naya-Plasencia M., Schrottenloher A.: Quantum security analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), 55–93 (2019). https://doi.org/10.13154/tosc.v2019.i2.55-93.

16.

Brassard G., Hoyer P., Mosca M., Tapp A.: Quantum amplitude amplification and estimation. AMS Contemp. Math. Ser. (2000). https://doi.org/10.1090/conm/305/05215.

17.

Canteaut A., Duval S., Leurent G., Naya-Plasencia M., Perrin L., Pornin T., Schrottenloher A.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/saturnin-spec-round2.pdf.

18.

Chakraborti A., Datta N., Jha A., Lopez C.M., Nandi M., Sasaki Y.: Estate. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/estate-spec-round2.pdf.

19.

Daemen J., Rijmen V.: AES proposal: rijndael (1998)

20.

Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Information Security and Cryptography. Springer. (2002). https://doi.org/10.1007/978-3-662-04722-4.

21.

Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D.A., Whiting D.: Improved cryptanalysis of rijndael. In: Fast Software Encryption, 7th International Workshop, FSE 2000, New York, NY, USA, April 10-12, 2000, Proceedings, pp. 213–230. (2000). https://doi.org/10.1007/3-540-44706-7_15.

22.

Granger R., Jovanovic P., Mennink B., Neves S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Advances in Cryptology-EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part I, pp. 263–293 (2016). https://doi.org/10.1007/978-3-662-49890-3_11.

23.

Grassl M., Langenberg B., Roetteler M., Steinwandt R.: Applying grover’s algorithm to AES: quantum resource estimates. In: Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24–26, 2016, Proceedings, pp. 29–43 (2016). https://doi.org/10.1007/978-3-319-29360-8_3.

24.

Grover L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996, pp. 212–219. (1996). https://doi.org/10.1145/237814.237866.

25.

Hosoyamada A., Sasaki Y.: Quantum demiric-selçuk meet-in-the-middle attacks: Applications to 6-round generic feistel constructions. In: Security and Cryptography for Networks - 11th International Conference, SCN 2018, Amalfi, Italy, September 5–7, 2018, Proceedings, pp. 386–403 (2018). https://doi.org/10.1007/978-3-319-98113-0_21.

26.

Kaplan M., Leurent G., Leverrier A., Naya-Plasencia M.: Breaking symmetric cryptosystems using quantum period finding. In: Advances in Cryptology-CRYPTO 2016-36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II, pp. 207–237 (2016). https://doi.org/10.1007/978-3-662-53008-5_8.

27.

Kaplan M., Leurent G., Leverrier A., Naya-Plasencia M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016). https://doi.org/10.13154/tosc.v2016.i1.71-94.

28.

Kuwakado H., Morii M.: Quantum distinguisher between the 3-round feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, June 13-18, 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685. (2010). https://doi.org/10.1109/ISIT.2010.5513654.

29.

Kuwakado H., Morii M.: Security on the quantum-type even-mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 28–31, 2012, pp. 312–316. (2012). http://ieeexplore.ieee.org/document/6400943/

30.

Leander G., May A.: Grover meets simon - quantumly attacking the fx-construction. In: Advances in Cryptology-ASIACRYPT 2017-23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II, pp. 161–178 (2017). https://doi.org/10.1007/978-3-319-70697-9_6.

31.

McKay K.A., Bassham L., Turan M.S., Mouha N.: Nistir 8114 report on lightweight cryptography. In: Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017)

32.

NIST: Recommendation for block cipher modes of operation: Methods and techniques. NIST Special Publication 800-38A (2001)

33.

NIST: Post-quantum cryptography. Post-Quantum Cryptography Standardization (2016). https://csrc.nist.gov/Projects/post-quantum-cryptography

34.

NIST: Lightweight cryptography. Submission to the Lightweight Cryptography competition (2017). https://www.nist.gov/programs-projects/lightweight-cryptography

35.

Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Advances in Cryptology-EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings, pp. 373–390. (2006). https://doi.org/10.1007/11761679_23.

36.

Shor P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700.

37.

Shoup V.: On fast and provably secure message authentication based on universal hashing. In: Advances in Cryptology-CRYPTO ’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996, Proceedings, pp. 313–328 (1996). https://doi.org/10.1007/3-540-68697-5_24.

38.

Simon D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 116–123 (1994). https://doi.org/10.1109/SFCS.1994.365701.

39.

Wegman M.N., Carter L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981). https://doi.org/10.1016/0022-0000(81)90033-7.MathSciNetCrossRefMATH

Titel: Breaking LWC candidates: sESTATE and Elephant in quantum setting
verfasst von: Tairong Shi
Wenling Wu
Bin Hu
Jie Guan
Sengpeng Wang
Publikationsdatum: 30.04.2021
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 7/2021
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-021-00875-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 7/2021

Good polynomials for optimal LRC of low locality

Composite matrices from group rings, composite G-codes and constructions of self-dual codes

Wide minimal binary linear codes from the general Maiorana–McFarland class

Privacy-preserving data splitting: a combinatorial approach

Equivalence classes of Niho bent functions

On the properties of generalized cyclotomic binary sequences of period