# Cryptanalysis against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

@inproceedings{Hosoyamada2017CryptanalysisAS, title={Cryptanalysis against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations}, author={Akinori Hosoyamada and Yu Sasaki}, booktitle={IACR Cryptol. ePrint Arch.}, year={2017} }

In this paper, we present quantum attacks against symmetric-key schemes in which the adversary makes only classical queries to the target but uses a quantum computer for the offline computations. Our attacks are not as efficient as the polynomial-time attacks that require quantum superposition queries, but they work in a realistic model and still improve overwhelmingly on the classical attacks. Our attacks convert a type of classical meet-in-the-middle attack into a quantum one. The attack cost depends on the number of…
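The attack model in the abstract (a few classical queries online, all of the expensive search offline) is easiest to see on the classical meet-in-the-middle attack that the paper's quantum attacks start from. The following is an added example, not code from the paper: it runs a classical meet-in-the-middle key recovery against a constructed toy double encryption (a three-round 16-bit add-rotate-xor cipher with 12-bit per-layer keys, defined here purely for illustration) and keeps an explicit count of online oracle queries versus offline cipher evaluations. The offline phase is the part a quantum computer would accelerate; this example runs the classical version only and implements no quantum subroutine.

```python
"""Classical meet-in-the-middle (MITM) against a constructed toy double
encryption, instrumented to separate the online phase (classical queries
to the keyed oracle) from the offline phase (search with no oracle access).
Toy cipher and parameters are assumptions for illustration, not a real
cipher and not the construction analysed in the paper."""

MASK16 = 0xFFFF
KEY_BITS = 12          # per-layer key size of the toy cipher (constructed)
ROUNDS = 3
ROT = 5


def round_keys(key):
    """Toy key schedule: XOR the key with a round constant (constructed)."""
    return [(key ^ (0x5A3 * (i + 1))) & MASK16 for i in range(ROUNDS)]


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16


def enc(key, x):
    """Single-layer toy encryption: add round key, rotate, xor round key."""
    for rk in round_keys(key):
        x = (x + rk) & MASK16
        x = rotl16(x, ROT)
        x ^= rk
    return x


def dec(key, y):
    """Exact inverse of enc (xor, rotate back, subtract), rounds reversed."""
    for rk in reversed(round_keys(key)):
        y ^= rk
        y = rotr16(y, ROT)
        y = (y - rk) & MASK16
    return y


def double_enc(k1, k2, x):
    """Target construction: two independent layers, 2*KEY_BITS key bits."""
    return enc(k2, enc(k1, x))


class Oracle:
    """Holds the secret keys and counts every classical (online) query."""

    def __init__(self, k1, k2):
        self._k1, self._k2 = k1, k2
        self.queries = 0

    def encrypt(self, x):
        self.queries += 1
        return double_enc(self._k1, self._k2, x)


def mitm_attack(oracle, plaintexts):
    """Return (candidate key pairs, number of offline cipher evaluations).

    Online phase: one classical chosen-plaintext query per plaintext.
    Offline phase: 2 * 2**KEY_BITS single-layer evaluations instead of the
    2**(2*KEY_BITS) double evaluations that exhaustive search would need.
    """
    # --- online phase: the only interaction with the target ---
    pairs = [(p, oracle.encrypt(p)) for p in plaintexts]
    p0, c0 = pairs[0]

    # --- offline phase: no oracle access from here on ---
    offline_evals = 0
    forward = {}                       # enc(k1, p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(enc(k1, p0), []).append(k1)
        offline_evals += 1

    candidates = []
    for k2 in range(1 << KEY_BITS):
        mid = dec(k2, c0)
        offline_evals += 1
        for k1 in forward.get(mid, []):
            # A match on one pair is necessary; the remaining pairs filter
            # out false positives without any further online queries.
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, offline_evals


if __name__ == "__main__":
    oracle = Oracle(0x3A7, 0xC15)                 # secret keys (constructed)
    found, work = mitm_attack(oracle, [0x1234, 0xBEEF, 0x0042])
    print("online queries:", oracle.queries)      # 3
    print("offline evaluations:", work)           # 8192
    print("candidate keys:", [(hex(a), hex(b)) for a, b in found])
```

The point of the instrumentation is the asymmetry the abstract is about: the data complexity is three classical queries, while all 2 * 2^12 cipher evaluations happen offline with no access to the keyed oracle. In the paper's setting that offline loop is what a quantum computer is assumed to speed up; the online side stays classical.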

## 24 Citations

Quantum Attacks without Superposition Queries: the Offline Simon Algorithm

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

A new quantum algorithm which uses Simon's subroutines in a novel way to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations is introduced.

Quantum Meet-in-the-Middle Attacks: Applications to Generic Feistel Constructions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2017

This paper shows that quantum computers can significantly speed up a type of meet-in-the-middle attack initiated by Demirci and Selçuk (DS-MITM attacks), which is currently one of the most powerful…

Quantum Demiric-Selçuk Meet-in-the-Middle Attacks: Applications to 6-Round Generic Feistel Constructions

- Computer Science, Mathematics
- SCN
- 2018

This paper shows that quantum computers can significantly speed up a type of meet-in-the-middle attack initiated by Demirci and Selçuk (DS-MITM attacks), which is currently one of the most powerful…

Beyond quadratic speedups in quantum attacks on symmetric schemes

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

In this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best…

Post-Quantum Security of the Even-Mansour Cipher

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work resolves the question of whether the Even-Mansour cipher can still be proven secure in this natural "post-quantum" setting (classical queries to the keyed cipher, quantum queries to the public permutation), showing that any attack in that setting requires \(q_E \cdot q_P^2 + q_P \cdot q_E^{1/2} \approx 2^n\), where \(n\) is the block length of the permutation.

Quantum Period Finding against Symmetric Primitives in Practice

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

An optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis are proposed.

Quantum attacks on some feistel block ciphers

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

This paper converts classical advanced slide attacks into quantum ones, gaining an exponential speed-up in time complexity, and gives a new quantum key-recovery attack on full-round GOST, a Russian standard block cipher.

Quantum Collision Attacks on AES-like Hashing with Low Quantum Random Access Memories

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This work reduces or even avoids the use of qRAMs by performing a quantum rebound attack based on differentials with non-full-active super S-boxes; this improves attacks on AES-MMO and AES-MP and gives the first classical collision attacks on 4- and 5-round Grøstl-512.

Automatic Classical and Quantum Rebound Attacks on AES-like Hashing by Exploiting Related-key Differentials

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work automates the search for rebound-attack configurations by taking related-key differentials of the underlying block cipher into account in an MILP-based approach, and guides the search towards characteristics that minimize the resources and complexities of the resulting rebound attacks.

Quantum Key-length Extension

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

Positive results are provided, with concrete and tight bounds, for the security of FX and double encryption against quantum attackers in ideal models and techniques for partially-quantum proofs without relying on analyzing the classical and quantum oracles separately are introduced.

## References

SHOWING 1-10 OF 45 REFERENCES

Breaking Symmetric Cryptosystems Using Quantum Period Finding

- Computer Science, Mathematics
- CRYPTO
- 2016

This paper considers attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states, and shows that the most widely used modes of operation for authentication and authenticated encryption are completely broken in this security model.

Quantum Differential and Linear Cryptanalysis

- Computer Science, Mathematics
- IACR Trans. Symmetric Cryptol.
- 2016

This work examines more closely the security of symmetric ciphers against quantum attacks, and investigates quantum versions of differential and linear cryptanalysis techniques, showing that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced.

Quantum attacks against iterated block ciphers

- Computer Science, Mathematics
- arXiv
- 2014

This work quantizes a recent technique called the dissection attack using the framework of quantum walks; the result seems to indicate that composition resists quantum attacks better than classical ones, because it prevents the quadratic speedup obtained by quantizing exhaustive search.

On Quantum Related-Key Attacks on Iterated Even-Mansour Ciphers

- Mathematics
- IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2019

XOR of PRPs in a Quantum World

- Computer Science, Mathematics
- PQCrypto
- 2017

This work presents a key recovery attack in \(|K|^{r/(r+1)}\) complexity, performs a quantum security analysis of the construction, and proves that it achieves security up to \(\min \{|K |^{1/2}/r,|X|\}\) queries.

Grover Meets Simon - Quantumly Attacking the FX-construction

- Computer Science, Mathematics
- ASIACRYPT
- 2017

A quantum algorithm is presented that breaks the construction with whitening keys in essentially the same time complexity as Grover’s original algorithm breaks the underlying block cipher.

Cryptanalyses on a Merkle-Damgård Based MAC - Almost Universal Forgery and Distinguishing-H Attacks

- Computer Science, Mathematics
- EUROCRYPT
- 2012

Two types of cryptanalysis are presented on a Merkle-Damgård hash based MAC that computes the MAC of a message M as Hash(K||l||M), with a shared key K and the message length l, and it is shown that the length-prepending scheme is not enough to achieve a secure MAC.

Universal Forgery with Birthday Paradox: Application to Blockcipher-based Message Authentication Codes and Authenticated Encryptions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2017

This paper launches a general universal forgery attack on some blockcipher-based MACs and authenticated encryptions (AEs) using the birthday attack, whose complexity is about \(O(2^{n/2})\) queries in the classical setting, and shows that such MACs and AEs are totally insecure.

Security on the quantum-type Even-Mansour cipher

- Computer Science, Mathematics
- 2012 International Symposium on Information Theory and its Applications
- 2012

It is shown that the quantum version of the Even-Mansour cipher is insecure, that is, the key can be found in time polynomial in the key length; this is an example of the quantum version of a secure classical cipher not being secure.

Quantum distinguisher between the 3-round Feistel cipher and the random permutation

- Computer Science, Mathematics
- 2010 IEEE International Symposium on Information Theory
- 2010

The 3-round Feistel cipher with internal permutations may be insecure against a chosen-plaintext attack on a quantum computer, because there exists a polynomial-time quantum algorithm that distinguishes it from a random permutation.