Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations [chapter]

Akinori Hosoyamada, Yu Sasaki
2018 Lecture Notes in Computer Science  
In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, but they use a realistic model and overwhelmingly improve on the classical attacks. Our attacks convert a type of classical meet-in-the-middle attack into a quantum one. The attack cost depends on the number of available qubits and on the way the quantum hardware is realized. The tradeoffs between data complexity $D$ and time complexity $T$ against a problem of cardinality $N$ are $D^2 \cdot T^2 = N$ and $D \cdot T^6 = N^3$ in the best and worst case scenarios for the adversary respectively, while the classical attack requires $D \cdot T = N$. This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for $T$ by limiting the maximum $D$ to be below $2^{n/2}$ according to the classical tradeoff $D \cdot T = N$. Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as the tweakable blockcipher construction TDR, the dedicated MAC scheme Chaskey, the on-line authenticated encryption scheme McOE-X, the hash-function-based MAC $H^2$-MAC and the permutation-based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.

keywords: post-quantum cryptography, classical query model, meet-in-the-middle, tradeoff, Chaskey, TDR, keyed sponge, KMAC, FX

Excerpt from the body of the paper:

… communication model, where $O(Q) \ge D$. Banegas and Bernstein [BB17] showed that the computational cost $T$ of the multi-target preimage search in the free communication model is $T = \tilde{O}\big(\sqrt{N/(Q \cdot D)}\big)$. By setting $Q = D$, the tradeoff for Case 1a becomes $D^2 \cdot T^2 = N$, where $D$ and $T$ are balanced when $D = T = N^{1/4}$. $Q$ and $M$ are also $N^{1/4}$.

Tradeoff for Case 1b. It assumes that $Q$ qubits are available in the realistic communication model, where $O(Q) \ge D$. Banegas and Bernstein [BB17] showed that the computational cost $T$ of the multi-target preimage search in the realistic communication model is T = Õ N Q·D 1/2. By setting $Q = D$, the tradeoff for Case 1b becomes
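As an added worked illustration, not part of the paper's abstract or text: evaluate the three tradeoffs quoted above for a block size $n$, $N = 2^n$, and a data limit $D = 2^d$ with $d \le n/2$, the cap that the schemes mentioned rely on.

\[
\begin{aligned}
\text{classical:}\quad & D \cdot T = N &&\Rightarrow\; T = 2^{\,n-d} \;\ge\; 2^{n/2}, \\
\text{quantum, best case:}\quad & D^2 \cdot T^2 = N &&\Rightarrow\; T = 2^{\,n/2-d}, \\
\text{quantum, worst case:}\quad & D \cdot T^6 = N^3 &&\Rightarrow\; T = 2^{\,(3n-d)/6}.
\end{aligned}
\]

Balancing $D = T$ gives $N^{1/2}$, $N^{1/4}$ and $N^{3/7}$ respectively. At the cap $d = n/2$ the classical attack costs exactly $T = 2^{n/2}$, so any smaller cap pushes $T$ beyond the birthday bound, which is the argument those schemes make. The worst-case quantum attack at the same cap costs $T = 2^{(3n - n/2)/6} = 2^{5n/12} < 2^{n/2}$, so the beyond-birthday claim already fails for the least favourable quantum hardware; in the best case the balanced point $D = T = N^{1/4}$ lies well below the cap. For $n = 128$ these are $T = 2^{64}$ (classical, $d = 64$), $T \approx 2^{53.3}$ (worst quantum case, $d = 64$) and $T = 2^{32}$ (best quantum case, $d = 32$).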
doi:10.1007/978-3-319-76953-0_11 fatcat:5zpkumcntzdkxnnbep6in5sr6m