Beyond quadratic speedups in quantum attacks on symmetric schemes

by Xavier Bonnetain et al.

In this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack. We study the 2XOR-Cascade construction of Gaži and Tessaro (EUROCRYPT 2012). It is a key-length extension technique which provides an n-bit block cipher with 5n/2 bits of security out of an n-bit block cipher with a 2n-bit key, with a security proof in the ideal model. We show that the offline-Simon algorithm of Bonnetain et al. (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time Õ(2^n), a speedup of 2.5 in the exponent over the best classical attack (from 2^{5n/2} down to Õ(2^n)).

Regarding post-quantum security of symmetric ciphers, it is commonly assumed that doubling the key sizes is a sufficient precaution. This is because Grover's quantum search algorithm, and its derivatives, can reach at most a quadratic speedup. Our attack shows that the structure of some symmetric constructions can be exploited to overcome this limit. In particular, the 2XOR-Cascade cannot be used to generically strengthen block ciphers against quantum adversaries, as it would offer only the same security as the underlying block cipher itself.
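The abstract names the 2XOR-Cascade but does not spell out how it is built. The following is an added reference implementation, not code from the paper or its authors: the construction 2XOR[E](k, z, x) = E_{π(k)}(E_k(x ⊕ z) ⊕ z), with π a fixed permutation of the key space without fixed points, is taken from Gaži and Tessaro's definition, and it is instantiated here with an 8-bit toy Feistel cipher carrying a 2n = 16-bit key (our own toy, not a real cipher) so that the construction can be exhaustively checked to be an invertible permutation. Function names, the toy cipher and the choice π(k) = k ⊕ 1 are our assumptions.

```python
"""Added example: the 2XOR-Cascade key-length extension of Gazi and Tessaro
(EUROCRYPT 2012) on top of a toy block cipher.  Not code from the paper.

    2XOR[E](k, z, x) = E_{pi(k)}( E_k(x XOR z) XOR z )

E is an n-bit block cipher with a kappa-bit key; z is an n-bit whitening key
used twice; pi is a fixed fixed-point-free permutation of the key space.
The toy cipher below (n = 8, kappa = 2n = 16) is ours and only serves to
make the cascade concrete and exhaustively testable.
"""

N = 8                   # toy block size in bits (the paper's n)
KAPPA = 2 * N           # toy key size of the underlying cipher (2n bits)
ROUNDS = 4              # toy Feistel rounds


def _f(half: int, rk: int) -> int:
    """Toy 4-bit round function (assumption; any function works in a Feistel)."""
    x = (half + rk) & 0xF
    rot = ((x << 1) | (x >> 3)) & 0xF
    return rot ^ ((x * 7) & 0xF)


def _round_keys(k: int) -> list:
    """Toy key schedule: ROUNDS 4-bit round keys derived from the 16-bit key."""
    return [((k >> (4 * (i % 4))) ^ (k >> 3) ^ i) & 0xF for i in range(ROUNDS)]


def toy_encrypt(k: int, x: int) -> int:
    """E_k: a toy 8-bit Feistel permutation, 16-bit key k, 8-bit block x."""
    l, r = x >> 4, x & 0xF
    for rk in _round_keys(k):
        l, r = r, l ^ _f(r, rk)
    return (l << 4) | r


def toy_decrypt(k: int, y: int) -> int:
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    l, r = y >> 4, y & 0xF
    for rk in reversed(_round_keys(k)):
        l, r = r ^ _f(l, rk), l
    return (l << 4) | r


def pi(k: int) -> int:
    """Fixed permutation of the key space with no fixed point (assumption: flip bit 0)."""
    return k ^ 1


def xor2_encrypt(k: int, z: int, x: int) -> int:
    """2XOR-Cascade encryption: E_{pi(k)}( E_k(x XOR z) XOR z )."""
    return toy_encrypt(pi(k), toy_encrypt(k, x ^ z) ^ z)


def xor2_decrypt(k: int, z: int, y: int) -> int:
    """2XOR-Cascade decryption: peel the layers in reverse."""
    return toy_decrypt(k, toy_decrypt(pi(k), y) ^ z) ^ z


def is_permutation(k: int, z: int) -> bool:
    """Exhaustively check that the cascade is a bijection on the 8-bit block space."""
    return len({xor2_encrypt(k, z, x) for x in range(1 << N)}) == (1 << N)


def total_key_bits() -> int:
    """Key material of the cascade: the kappa-bit k plus the n-bit whitening key z."""
    return KAPPA + N


if __name__ == "__main__":
    k, z = 0x1234, 0x5C            # constructed sample keys
    for x in (0x00, 0xAB, 0xFF):
        c = xor2_encrypt(k, z, x)
        assert xor2_decrypt(k, z, c) == x
        print(f"x={x:02x} -> 2XOR={c:02x}")
    print("bijective:", is_permutation(k, z), "key bits:", total_key_bits())
```

The cascade adds only n bits of key on top of the underlying cipher's key, and the whitening key z is the same at both positions; that reuse is the structural feature the paper exploits, since the quantum attack brings the cost down to the Õ(2^n) a Grover search on the underlying 2n-bit key would already achieve.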
