An Economic Model for Quantum Key-Recovery Attacks against Ideal Ciphers

by   Benjamin Harsha, et al.

It has been established that quantum algorithms can solve several key cryptographic problems more efficiently than classical computers. As progress continues in the field of quantum computing it is important to understand the risks they pose to deployed cryptographic systems. Here we focus on one of these risks - quantum key-recovery attacks against ideal ciphers. Specifically, we seek to model the risk posed by an economically motivated quantum attacker who will choose to run a quantum key-recovery attack against an ideal cipher if the cost to recover the secret key is less than the value of the information at the time when the key-recovery attack is complete. In our analysis we introduce the concept of a quantum cipher circuit year to measure the cost of a quantum attack. This concept can be used to model the inherent tradeoff between the total time to run a quantum key recovery attack and the total work required to run said attack. Our model incorporates the time value of the encrypted information to predict whether any time/work tradeoff results in a key-recovery attack with positive utility for the attacker. We make these predictions under various projections of advances in quantum computing. We use these predictions to make recommendations for the future use and deployment of symmetric key ciphers to secure information against these quantum key-recovery attacks. We argue that, even with optimistic predictions for advances in quantum computing, 128 bit keys (as used in common cipher implementations like AES-128) provide adequate security against quantum attacks in almost all use cases.


HybridRAM: The first quantum approach for key recovery attacks on Rainbow

A rectangular MinRank attack, proposed by Ward Beullens in 2021, reduced...

A quantum related-key attack based on Bernstein-Vazirani algorithm

Due to the powerful computing capability of quantum computers, cryptogra...

Machine-Learning Side-Channel Attacks on the GALACTICS Constant-Time Implementation of BLISS

Due to the advancing development of quantum computers, practical attacks...

Quantum Query Lower Bounds for Key Recovery Attacks on the Even-Mansour Cipher

The Even-Mansour (EM) cipher is one of the famous constructions for a bl...

Analysis of Y00 Protocol under Quantum Generalization of a Fast Correlation Attack: Toward Information-Theoretic Security

In our previous work, it was demonstrated that the attacker could not pi...

Quantum Period Finding against Symmetric Primitives in Practice

We present the first complete implementation of the offline Simon's algo...

Parallel Quantum Pebbling: Analyzing the Post-Quantum Security of iMHFs

The classical (parallel) black pebbling game is a useful abstraction whi...

Please sign up or login with your details

Forgot password? Click here to reset