Shor’ algorithm Sho94 indicates that once scalable quantum computers are available, many widely used asymmetric cryptosystems, such as RSA, will be broken. This has sparked a upsurge of research on post-quantum cryptography, which studies classical systems that are secure against quantum adversaries. In response to the threat of quantum computing, NIST has initiated the process of standardizing post-quantum public-key algorithms NIST .
On the other hand, although less attention is paid than public-key cryptography, symmetric cryptosystems are also suffering the threat from quantum attacks. For example, due to Grover’s algorithm Gro96 general exhaustive search attacks can obtain a quadratic speedup. More strikingly, some symmetric systems that have been proved to be secure against classical adversaries have been broken by polynomial-time quantum algorithms. Kuwakado and Morii made use of Simon’s algorithm Sim97 to distinguish the three-round Feistel construction KM10 and recover the key in Even-Mansour cipher KM12 . Santoli et al. SS17 and Kaplan et al. KLLNP16 subsequently extended their results independently and applied Simon’s algorithm to other symmetric primitives. All these attacks are executed in the model of quantum chosen-plaintext attack DOM11 ; BZ13 ; GHS16 , where the attacker can query the encryption oracle with superpositions.
When quantum chosen-plaintext attack has been widely studied, quantum related-key attack has also started to draw attention. Classical related-key attacks were first introduced by Biham Bih94 , and has been applied to Rijndael NJS00 , KASUMI JBD96 and other schemes. In such attacks, the attacker can query the encryptions or decryptions of messages under the keys that have some known mathematical relation with the target key. Roetteler and Steinwandt first study related-key model in the quantum setting MR15 . They showed that, under the assumption that the key of the block cipher can be uniquely determined by a small amount of accessible plaintext-ciphertext pairs, a quantum attacker can efficiently extract the key by using a quantum related-key attack. Afterwards, Hosoyamada and Aoki proposed a polynomial-time quantum algorithm that recovers the key of two-round iterated Even-Mansour scheme with only two queries to the related-key oracle AK17 . These two results show that related-key attack is powerful for quantum attackers.
In this paper, we further study the applications of quantum related-key attack to block ciphers. Based on Bernstein-Vazirani (BV) algorithm BV97 , we propose a quantum attack for recovering the key of general block ciphers. We prove that, if not requiring the time complexity to be polynomial, our attack can find out the key of an arbitrary unrestricted block cipher. Afterwards, we give two specific conditions, and demonstrate that, as long as the block cipher satisfies one of them, then our attack can effectively extract the secret key in polynomial time. Like the attack model of MR15 , we allow the attacker to query the encryption oracle with superpositions of keys. This makes the attack less practical because the ability to query with superpositions of keys is a strong requirement even for quantum adversaries. However, from the perspective of constructing ciphers, our results helps to establish criterions that a secure block cipher should meet in the post-quantum world.
Throughout this paper, we let , representing the finite field with characteristic 2. denotes an arbitrary block cipher with blocksize and key length . When fix a secret key , is a permutation from to . We assume that can be efficiently implemented by a quantum circuit. That is, there exists a polynomial-time quantum circuit that takes as input a secret key along with a plaintext and output the corresponding ciphertext. The quantum circuit implements the following unitary operator:
For the block ciphers used in practice, this assumption holds undoubtedly. Since the quantum circuit of does not involve the secret key , the attacker can perform the unitary operator by himself.
Because the unitary quantum gates form a universal gate set NC00 , we can assume that the quantum circuit implementing is composed of gates in this set. Here, is the Hadamard gate, is the controlled-NOT gate, is the phase gate and is the gate (Fig.1). Let be the number of universal gates in the quantum circuit implementing . is a polynomial of and . The attacker can integrate into his circuits as in Fig.2
2.1 Related-key attack
We first recall the related-key attack model proposed in RM87 , where the key relation is restricted to bit-flips. In this model, after a secret key is determined, the attacker can query following two oracles:
: On input a plaintext and a bitmask , returns the encryption .
: On input a ciphertext and a bitmask , returns the decryption .
After querying these oracles, the attacker needs to output a vectoras a guess of . He succeeds if and only if .
The attacks presented in this paper do not require the access to the decryption oracle , but the attacker is allowed to query the encryption oracle with superpositions of keys. That is, the attacker can query the quantum oracle which operates as follows:
The attacker can integrate the oracle into his circuits as in Fig.3. Furthermore, we allow the attacker to query the oracle that returns solely a bit of the cipher with superpositions of keys. That is, supposing , for each , the attacker can query the quantum oracle
The scenario where quantum attackers can query cryptographic primitives with quantum superpositions has been considered in a significant amount research DOM11 ; BZ13 ; GHS16 ; IJB13 ; Unr12 ; Zha12 ; Wat09 . The access to the oracle implies that the attacker can query the encryption oracle equipped the target key . That is, the attacker can query the following oracle:
To do this, he only needs to query with the state and discard the first register. Therefore, quantum related-key attack model can be viewed as an extension of the quantum chosen-plaintext attack model.
2.2 Linear structure
Let denote the set of maps from to . The notion of linear structure is defined as following:
Definition 1 (Ok94 )
. A vector is said to be a linear structure of if there exist such that
Let denote the set of all linear structures of , and , then .
. A vector is said to be a -close linear structure of if there exist such that
Suppose , then obviously, is a linear structure of if and only if it is a linear structure of for each . To find a linear structure of , we only need to find linear structures of every first, and then select a common linear structure. Therefore, in order to find linear structures of functions in for a general parameter , we only need to focus on the case of .
Linear structures of the functions in are determined by their Walsh spectrum, which is defined as following:
Suppose is a function in . The Walsh spectrum of is defined as
which is also a function in .
Let be the set of the linear structures of , and for . We have . Following lemma shows how to determine the linear structures by Walsh spectrum:
Lemma 1 (Dub01 )
For any , let . Then for , it holds that
According to the above lemma, if one has a large enough subset of , he can solve the linear equation group to obtain the linear structures of . As discussed previously, by applying this method to find each ’s linear structures, one is expected to get the linear structures of . (Here solving the linear equation group means seeking vectors such that for .)
2.3 Bernstein-Vazirani algorithm
Given the quantum oracle access of a function , where is a secret string, BV algorithm’s BV97 original goal is to find . However, Li and Yang observed that, when BV algorithm is applied to a general Boolean function in , it will always return a vector in LY18 . BV algorithm is executed as following:
Perform Hadamard operator on the initial state to get
Query the oracle of , obtaining
When applying BV algorithm to a function , it always returns a vector in . In light of this fact and Lemma 1, one can use BV algorithm to find linear structures of an arbitrary function in . Executing BV algorithm needs a total of Hadamard gates and one quantum query. The number of qubits required is . The quantum circuit of BV algorithm is presented in Fig.4.
3 Quantum algorithm for finding linear structures
A quantum algorithm for finding nonzero linear structures of functions in was proposed by Xie and Yang XY17 . Suppose . For each , their algorithm first calls BV algorithm to get a subset of , then uses the subset to compute linear structures of according to Lemma 1. Afterwards, the algorithm selects an nonzero common linear structure of and outputs it. The output vector has a high probability of being a linear structure of . We make a minor modification to the algorithm in XY17 so that it outputs a set containing all linear structures of , instead of only a random linear structure. The modified algorithm is as following:
In the above algorithm, when the attacker computes in Step 2, he actually needs to attach a tag to each vector in . Specifically, if , then a tag is attached to when it is put into the set ; if , then a tag is attached to when it is put into the set . Subsequently, when the attacker computes the intersection , for each , he attaches the corresponding tags to when puts it into . Therefore, when calculating the set , the attacker can easily obtain corresponding of each by tracking these tags. Using these tags is for avoiding the attacker needing to compute the intersection of sets for exponential times. With these tags, the attacker only need to compute the intersection once to obtain the set . If without these tags, then the attacker needs to compute the intersections to obtain the linear structures in for each , so he needs to compute intersection for times.
The following three theorems demonstrate the feasibility of the algorithm FindStruct. Theorems 2 and 3 have been proved in XY17 and we therefore omit the proofs.
Suppose and is an arbitrary linear structure of . Let be the vector such that . If running the algorithm FindStruct on returns a set , then must be in the set .
Proof. Suppose . Since , we have that for each . According to Lemma 1, for any vector , it holds that . By the properties of BV algorithm, we know that the set , so is a solution of the linear equation group for each . Therefore, we have that and are the superscripts such that , which means .
Theorem 2 (Xy17 )
If running the algorithm FindStruct on returns a set , then for any , any , it holds that
Moreover, for any , any and any vector , it holds that
Before stating Theorem 3, we need to define a parameter. For any function , let
For any function , we define , where is defined as Eq.(1). Obviously . The larger is, the more difficult for excluding the vectors that are not linear structure of when applying the algorithm FindStruct on .
Theorem 3 (Xy17 )
Suppose and for some constant . If running the algorithm FindStruct on returns a set , then for any , it holds that
That is, except for a probability of , the vectors in must be the linear structures of .
Theorem 1 indicates that all linear structures of must be in the output set . Noting that the vector is a trivial linear structure of , the set is always nonempty. Theorem 2 states that every vector in has a high probability of being an approximate linear structure of . Theorem 3 shows that, except for a negligible probability, the vectors in the set output by the algoithm FindStruct with must be linear structures of , under the condition that for some constant .
By regarding each itself as a vector function that has only one component and applying Theorem 3 to , we have following corollary:
Suppose and for some constant . The sets (), generated during running the algorithm FindStruct on , satisfy that for any ,
That is, except for a probability of , the vectors in must be the linear structures of .
4 Attack strategy
In this section, we present a strategy for attacking general block ciphers using BV algorithm in the context of quantum related-key attack. We first describe the attack, then analyze under what conditions the attack will work and corresponding complexity of it.
4.1 Description of the attack
A general way to attack a symmetric cryptosystem using BV algorithm includes the following two steps:
1. Construct a new function based on the cipher so that satisfies two conditions: (I) the attacker has quantum oracle access to ; (II) has a nontrivial linear structure that reveals the information of the secret key. Sometimes the linear structure itself is just the secret key.
2. Apply the algorithm FindStruct to obtain the linear structure of , and use it to recover the secret key.
We now confine to the Electronic Codebook mode and give a specific attack strategy for block ciphers. Suppose is a block cipher with a secret key . Let be an arbitrary plaintext in the plaintext space. Define the function
Then for any , we have . Therefore, the key is a nonzero linear structure of . More precisely, . Thus, we can find by applying the algorithm FindStruct to . Since we have already know that is in , when running FindStruct, we only need to solve the linear equation group for in Step 2. The attack algorithm based on the simplified FindStruct algorithm is as follows:
The algorithm RecoverKey requires the quantum oracle access of . The attacker can obtain this oracle by first querying the oracle to compute , then implementing the unitary operator by himself. The quantum circuit to implement is presented in Fig.5. Note that RecoverKey actually requires the quantum oracle access of for each . Since we have assumed the attacker can query that returns solely - bit of , this requirement can be satisfied.
4.2 Analysis of the attack
We now analyze the performance of the algorithm RecoverKey, including the conditions under which the attack will work and the complexity. We first consider the case where RecoverKey is applied to a general block cipher without any restrictions. According to Theorem 1, the secret key , as a linear structure of , must be in the set . Therefore, by verifying all vectors in the set , the attacker must be able to find the target key . However, since there is no restriction on the block cipher , the complexity of the algorithm RecoverKey may exceed the attacker’s computational power.
To accurately compute the complexity of the algorithm RecoverKey, we separate it into three parts:
(1) executing BV algorithm for times;
(2) solving linear equation groups;
(3) finding the intersection of , and .
For the first part, running BV algorithm once needs to execute Hadamard gates, one unitary operator and one quantum query on . Thus, a total of universal gates and quantum queries are needed. We assume a query requires one unit of time, then the complexity of this part is . For the second part, the attacker needs to solve linear equation groups, and each one has variables and equations. Solving a linear equation group with variables and equations via Gaussian elimination method needs calculations. Thus, the complexity of this part is , which is a polynomial of and . For the third part, the attacker needs to compute the intersection . Let . Finding the intersection of these sets using sort method requires calculations. The value of relies on the properties of and the value of . Since is the solution of a linear system with equations, the size of should decrease rapidly as increases. The larger the attacker chooses, the smaller will be, so the attacker can choose a larger to reduce . (Even though this will increase the amount of unitary gates and queries required in the other two parts, the complexity of these two parts is still polynomial as long as is still a polynomial.)
To sum up, the complexity of RecoverKey is . It may be possible to choose a large so that the parameter is a polynomial, but in the most general case we cannot guarantee that the algorithm RecoverKey can be efficiently executed.
Since we cannot bound the computational complexity of the algorithm RecoverKey when it is applied to a general block cipher, we consider the block ciphers with some restrictions. Specifically, we give two conditions. As long as satisfies one of them, then the algorithm RecoverKey can be executed efficiently with a high probability.
Condition 1: for some constant .
Suppose for some constant . By Corollary 1, if running the algorithm RecoverKey on with , the set , except for a negligible probability, will only contain the linear structures of . In this situation, the complexity of RecoverKey is and the value of is small. So as long as Condition 1 holds, the attack is valid and efficient with a high probability.
Condition 1 is a little abstract. To understand its cryptographic meaning, we compute the parameter .
Thus, Condition 1 means that there exist a constant such that, for any , any and any , it holds that
Since , Eq.(3) is equivalent to
where is the -th component of . Because , we have that and , so , , and are always four different keys. Eq.(4) means that when averaging over all possible values of , the exclusive value of the ciphertexts of under these four keys is not too biased. Generally speaking, a well constructed block cipher will not have obvious linearity, so Condition 1 is likely to be satisfied.
Condition 2: For each , does not have many approximate linear structures.
More formally, Condition 2 requires that: there exists a sufficiently large polynomial such that the amount of -close linear structures of each is small (at least smaller than some polynomial of ). Suppose Condition 2 holds. There exists such a polynomial . According to Theorem 2, any vector in the set , which is generated during the execution of algorithm RecoverKey, satisfies that
Let , , we have
That is, except for a negligible probability, is a -close linear structure of . Therefore, if we run the algorithm RecoverKey with , then except for a negligible probability, the size of the set will not be greater than the amount of -close linear structures of . According to Condition 2, this amount is small, so the value of the parameter is small. Therefore, if Condition 2 holds, the complexity of RecoverKey with is , where the parameter is a small number. This demonstrates that the algorithm RecoverKey is valid and efficient under Condition 2.
In fact, we can also analyze Condition 2 from the perspective of differential. If a vector is a -close linear structure of , then is a differential of whose differential probability is greater than . If Condition 2 does not hold, it means has many high-probability differentials. . We can treat as a new cipher, and make chosen-plaintext query to by making related-key query to the original block cipher . Thus, one can attack the original cipher by using to attack . Based on above analysis, for a general well-constructed block cipher , the amount of -close linear structures of each should be small, so Condition 2 is a reasonable requirement.
The above two conditions are mild and should be satisfied by an well constructed block cipher. As long as the block cipher satisfies one of them, the algorithm RecoverKey can efficiently recover its key with a high probability.
There remains many directions worth further studying. For example, there may exist other ways to construct a function that has a linear structure associated with the key based on the block cipher . For the function constructed in this paper, the key is actually a special linear structure, i.e. a period. It may be possible to construct other functions that have a more general linear structure. For instance, consider the case , namely, the case where the key length is equal to the blocksize. We can define the function . Then for each , we have . Therefore, is a linear structure of and . Follow the usual attack strategy, the attacker can run the algorithm FindStruct on . The vector must be in the output set . Moreover, when the attacker compute the set in the step 2 of FindStruct, for any , if the -th bit of is not equal to , the attacker can discard it directly. This helps determine the target key faster. Whether there exists a construction of the function that can be proved to be optimal is also an interesting question. In addition, how to apply the algorithms proposed in this paper to specific practical block cipher worth investigating, too.
We apply Bernstein-Vazirani algorithm to related-key attack and propose a quantum attack for recovering the key of general block ciphers. We analyze under what conditions the attack will work, and rigorously compute its computational complexity. Our works show the power of relate-key attack in the quantum setting, and provides guidance for designing quantum-secure block ciphers.
This work was supported by National Natural Science Foundation of China (Grant No.61672517), National Cryptography Development Fund (Grant No. MMJJ201 70108) and the Fundamental theory and cutting edge technology Research Program of Institute of Information Engineering, CAS (Grant No. Y7Z0301103).
- (1) Shor P W. Algorithms for quantum computation: Discrete logarithms and factoring. In: Proceedings of Foundations of Computer Science, Santa Fe, NM, 1994. 124-134
- (2) NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, 2016.
Grover L K. A fast quantum mechanical algorithm for database search. In: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, Philadelphia, PA, 1996. 212-219
- (4) Simon D R. On the power of quantum computation. SIAM journal on computing, 1997, 26(5): 1474-1483
- (5) Kuwakado H, Morii M. Quantum distinguisher between the 3-round feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, Austin, TX, 2010. 41 (3): 2682-2685
- (6) Kuwakado H, Morii M. Security on the quantum-type even-mansour cipher. In: IEEE International Symposium on Information Theory and its Applications (ISITA), Honolulu, HI, 2012. 312-316
- (7) Santoli T, Schaffner C. Using simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information Computation, 2017, 17(12): 65-78
- (8) Kaplan M, Leurent G, Leverrier A, et al. Breaking symmetric cryptosystems using quantum period finding. In: Advances in Cryptology CCRYPTO 2016, Santa Barbara, CA, 2016. 207-237
- (9) Boneh D, Dagdelen , Fischlin M, et al. Random oracles in a quantum world. In: ASIACRYPT 2011, Seoul, South Korea, 2011. 41-69
- (10) Boneh D, Zhandry M. Secure signatures and chosen ciphertext security in a quantum computing world. In: Advances in Cryptology–CRYPTO 2013, Santa Barbara, California, 2013. 361-379
- (11) Gagliardoni T, Hlsing A, Schaffner C. Semantic security and indistinguishability in the quantum world. In: Advances in Cryptology–CRYPTO 2016, Santa Barbara, CA, 2016. 60-89
- (12) Biham E. New types of cryptanalytic attacks using related keys. Journal of Cryptology, 1994, 7(4): 229-246
- (13) Ferguson N, Kelsey J, Lucks S, et al. Improved cryptanalysis of Rijndael. In: Fast Software Encryption–FSE 2000, New York, NY, USA, 2001. 213-230
- (14) Kelsey J, Schneier B, Wagner D. Key-schedule cryptanalysis of idea, g-des, gost, safer, and triple-des. In: Advances in Cryptology–CRYPTO 1996, Santa Barbara, California, 1996. 237-251
- (15) Roetteler M, Steinwandt R. A note on quantum related-key attacks. Information Processing Letters, 2015, 115(1): 40-44
- (16) Hosoyamada A, Aoki K. On quantum related-key attacks on iterated Even-Mansour ciphers. In: International Workshop on Security, Hiroshima, Japan, 2017. 3-18
- (17) Bernstein E, Vazirani U. Quantum complexity theory. SIAM Journal on Computing, 1997, 26(5): 1411-1473
- (18) Nielsen M, Chuang I. Quantum Computation and Quantum Information. Cambridg: Cambridge University Press, 2000
- (19) Winternitz R, Hellman M. Chosen-key attacks on a block cipher. Cryptologia, 1987, 11(1): 16-20
- (20) Damgård I, Funder J, Nielsen J B, et al. Superposition attacks on cryptographic protocols. In: International Conference on Information Theoretic Security, Springer, 2013. 142-161
- (21) Unruh D. Quantum Proofs of Knowledge. In: EUROCRYPT 2012, Cambridge, United Kingdom, 2012. 135-152
- (22) Zhandry M. How to Construct Quantum Random Functions. In: FOCS 2012, New Brunswick, NJ, USA,, 2012. 679-687
- (23) Watrous J. Zero-Knowledge against Quantum Attacks. SIAM Journal on Computing, 2009, 39(1): 25-58
- (24) O’connor L, Klapper A. Algebraic nonlinearity and its applications to cryptography. Journal of Cryptology, 1994, 7(4): 213-227
- (25) Dubuc S. Characterization of linear structures. Designs, Codes and Cryptography, 2001, 22(1): 33-45
- (26) Li H, Yang L. A quantum algorithm to approximate the linear structures of Boolean functions. Math. Struct. Comput, 2018, 28: 1-13
- (27) Xie H, Yang L. Using Bernstein-Vazirani algorithm to attack block ciphers. Designs, Codes and Cryptography, 2018. doi:10.1007/s10623-018-0510-5.