Quantum cryptanalysis of Farfalle and (generalised) key-alternating Feistel networks. (English) Zbl 1536.94023
Summary: Farfalle is a permutation-based construction for building a pseudorandom function which has been proposed by G. Bertoni et al. [IACR Trans. Symmetric Cryptol., 2017, No. 4, 1–38 (2017; doi.org/10.13154/tosc.v2017.i4.1-38 )]. In this work, we show that by observing suitable inputs to Farfalle, one can derive various constructions of a periodic function with a period that involves a secret key. As this admits the application of Simon’s algorithm in the so-called \(\mathcal{Q}2\) attack model, we further show that in the case when internal rolling function is linear, then the secret key can be extracted under feasible assumptions. Furthermore, using the provided constructions of periodic functions for Farfalle, we show that one can mount forgery attacks on the session-supporting mode for authenticated encryption (Farfalle-SAE) and the synthetic initial value AE mode (Farfalle-SIV). In addition, as the wide block cipher mode Farfalle-WBC is a 4-round Feistel scheme, a quantum distinguisher is constructed in the case when input branches are containing at last two blocks, where length of one block corresponds to the size of a permutation employed in Farfalle (a similar attack can be mounted to Farfalle-WBC-AE). And finally, we consider the problem of extracting a secret round key out of different periods obtained from a (Generalized) Feistel scheme (GFN), which has not been addressed in any of the previous works which consider the application of Simon’s (or Simon-Grover) algorithm to round reduced versions of GFNs. In this part, we assume that the key is added to an input of an inner function utilized in the round function of a given GFN. By applying two different interpolation formulas, we show that one can extract the round key by utilizing amount of different periods which is closely related to the polynomial/algebraic degree of underlying inner function. Our methods can be seen as an extension of existing quantum attacks on key-alternating GFNs based on Simon’s or Simon-Grover algorithms.
MSC:
| 94A60 | Cryptography |
| 94D10 | Boolean functions |
| 68Q12 | Quantum algorithms and complexity in the theory of computing |
| 81P94 | Quantum cryptography (quantum-theoretic aspects) |
References:
| [1] | Bernstein D.J.: Some challenges in heavyweight cipher design. Presented at Dagstuhl seminar on Symmetric Cryptography, Schloss Dagstuhl (2016). |
| [2] | Bertoni G., Daemen J., Peeters M., Van Assche G.: The Keccak reference. http://keccak.noekeon.org/ , Available at: https://keccak.team/files/Keccak-reference-3.0.pdf. |
| [3] | Bertoni, G.; Daemen, J.; Hoffert, S.; Peeters, M.; Van Assche, G.; Keer, RV, Farfalle: parallel permutation-based cryptography, IACR Trans. Symmetric Cryptol., 2017, 4, 1-38, 2017 · doi:10.46586/tosc.v2017.i4.1-38 |
| [4] | Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: An ultra-lightweight block cipher. Cryptographic Hardware and Embedded Systems—CHES, LNSC, Vol. 4727, pp. 450-466 (2007). · Zbl 1142.94334 |
| [5] | Bonnetain X., Hosoyamada A., Plasencia M.N., Sasaki Y., Schrottenloher A.: Quantum Attacks without superposition queries: The offline Simon algorithm. In: Advances in Cryptology—ASIACRYPT 2019, LNCS, Vol. 11921, pp. 552-583 (2019). · Zbl 1456.94052 |
| [6] | Bonnetain X., Leurent G., Plasencia M.N., Schrottenloher A.: Quantum linearization attacks. Advances in Cryptology—ASIACRYPT 2021, LNCS, Vol. 13090, pp. 422-452 (2021). · Zbl 1522.81069 |
| [7] | Bonnetain X.: Quantum key-recovery on full AEZ. Security and Cryptology, Selected Areas in Cryptography—SAC,: 24th International Conference. Ottawa, ON, Canada 2017, (2017). doi:10.1007/978-3-319-72565-9, 16-18, pp. 3941-406. |
| [8] | Carlet C.: Boolean functions for cryptography and coding theory. Cambridge University Press, New York (2020). doi:10.1017/9781108606806. · Zbl 1512.94001 |
| [9] | Carlet, C.; Charpin, P.; Zinoviev, V., Codes, bent functions and permutations suitable for DES-like cryptosystems, Des. Codes Cryptogr., 15, 125-156, 1998 · Zbl 0938.94011 · doi:10.1023/A:1008344232130 |
| [10] | Childs A.M., van Dam W., Hung S.-H., Shparlinski I.E.: Optimal quantum algorithm for polynomial interpolation. In: 43rd International Colloquium on Automata, Languages, and Programming, ICALP 2016—Rome, Italy, LIPIcs Vol. 55, pp. 1-13 (2016). · Zbl 1388.68065 |
| [11] | Cid C., Hosoyamada A., Liu Y., Sim S.M.: Quantum cryptanalysis on contracting Feistel structures and observation on related-key settings. In: Progress in Cryptology—INDOCRYPT 2020: 21st International Conference on Cryptology in India, Bangalore, India, December 13-16, pp. 373-394 (2020). · Zbl 1500.81022 |
| [12] | Daemen J., Hoffert S., Assche G.V., Keer R.V.: Xoodoo cookbook. In: IACR Cryptology ePrint Archive (2018). https://eprint.iacr.org/2018/767. |
| [13] | Daemen, J.; Hoffert, S.; Assche, GV; Keer, RV, The design of Xoodoo and Xoofff, IACR Trans. Symmetric Cryptol., 2018, 4, 1-38, 2018 · doi:10.46586/tosc.v2018.i4.1-38 |
| [14] | Dong, X.; Li, Z.; Wang, X., Quantum cryptanalysis on some generalized Feistel schemes, Sci. China Inf. Sci., 62, 22501, 2019 · doi:10.1007/s11432-017-9436-7 |
| [15] | Dong, X.; Dong, B.; Wang, X., Quantum attacks on some Feistel block ciphers, Des. Codes Cryptogr., 88, 6, 1179-1203, 2020 · Zbl 1448.94195 · doi:10.1007/s10623-020-00741-y |
| [16] | Feistel, H.; Notz, WA; Smith, JL, Some cryptographic techniques for machine-to-machine data communications, Proc. IEEE, 63, 11, 1545-1554, 1975 · doi:10.1109/PROC.1975.10005 |
| [17] | Ghosh, S.; Sarkar, P., Breaking tweakable enciphering schemes using Simon’s algorithm, Des. Codes Cryptogr., 89, 1907-1926, 2021 · Zbl 1469.94097 · doi:10.1007/s10623-021-00893-5 |
| [18] | Grover L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, pp. 212-219 (1996). · Zbl 0922.68044 |
| [19] | Hodžić S., Knudsen L.R., Kidmose A.B.: On quantum distinguishers for Type-3 Generalized Feistel Network based on separability. In: International Conference on Post-Quantum Cryptography, PQCrypto 2020, LNCS vol. 12100, pp. 461-480 (2020). · Zbl 1513.81032 |
| [20] | Hodžić, S.; Knudsen, LR, A quantum distinguisher for 7/8-round SMS4 block cipher, Quant. Inf. Process., 19, 11, 411, 2020 · Zbl 1509.81375 · doi:10.1007/s11128-020-02929-6 |
| [21] | Ito G., Hosoyamada A., Matsumoto R., Sasaki Y., Iwata T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Cryptographers’ Track at the RSA Conference, CT-RSA 2019: Topics in Cryptology—CT-RSA 2019, LNCS vol. 11405, pp. 391-411 (2019). · Zbl 1453.94091 |
| [22] | Jérémy Jean TikZ for Cryptographers https://www.iacr.org/authors/tikz/. |
| [23] | Kaplan M., Leurent G., Leverrier A., -Plasencia M.N.: Breaking symmetric cryptosystems using quantum period finding. In: CRYPTO 2016: Advances in Cryptology—CRYPTO 2016, Springer, Berlin, Heidelberg, LNCS Vol. 9815, pp. 207-237 (2016). · Zbl 1391.94766 |
| [24] | Kuwakado H., Morii M.: Security on the quantum-type Even-Mansour cipher. In: International Symposium on Information Theory and its Applications, October 28-31, Honolulu, HI, USA (2012). |
| [25] | Kuwakado, H.; Morii, M., Quantum distinguisher between the 3-round Feistel cipher and the random permutation, IEEE Int. Symp. Inf. Theory, 2010 · doi:10.1109/ISIT.2010.5513654 |
| [26] | Lai, X., Higher order derivatives and differential cryptanalysis, Commun. Cryptogr. SECS, 276, 227-233, 1994 · Zbl 0840.94017 · doi:10.1007/978-1-4615-2694-0_23 |
| [27] | Leander G., May A.: Grover meets Simon—quantumly attacking the FX-construction. In: Advances in Cryptology—ASIACRYPT 2017, International Conference on the Theory and Application of Cryptology and Information Security, LNCS, Vol. 10625, pp. 161-178 (2017). · Zbl 1380.94109 |
| [28] | Liskov, M.; Rivest, RL; Wagner, D., Tweakable block ciphers, J. Cryptol., 24, 3, 588-613, 2011 · Zbl 1258.94040 · doi:10.1007/s00145-010-9073-y |
| [29] | Miller, KS, On the inverse of the sum of matrices, Math. Mag., 54, 2, 67-72, 1981 · Zbl 0462.15004 · doi:10.1080/0025570X.1981.11976898 |
| [30] | Mullen G.L., Panario, D.: Handbook of finite fields. Published by Chapman and Hall/CRC, ISBN 9781439873786, July 18 (2013). |
| [31] | National Institute of Standards and Technology (NIST).: SHA-3 Standard: Permutation-based hash and extendable-output functions. In: Federal Information Processing Standards Publication 202. doi:10.6028/NIST.FIPS.202. |
| [32] | Simon, DR, On the power of quantum computation, SIAM J. Comput., 26, 5, 1474-1483, 1997 · Zbl 0883.03024 · doi:10.1137/S0097539796298637 |
| [33] | Stoss, HJ, The complexity of evaluating interpolation polynomials, Theor. Comput. Sci., 41, 319-323, 1985 · Zbl 0601.65006 · doi:10.1016/0304-3975(85)90078-7 |
| [34] | Wu C.-K., Feng D.: Boolean functions and their applications in cryptography. In: Advances in Computer Science and Technology. Springer, Berlin (2016). · Zbl 1364.94010 |
| [35] | Xu, L.; Guo, J.; Cui, J.; Li, M., Key-recovery attacks on LED-like block ciphers, Tsinghua Sci. Technol., 24, 5, 585-595, 2019 · doi:10.26599/TST.2018.9010130 |
| [36] | Xu, Y.; Liu, W.; Yu, W., Quantum forgery attacks on COPA, AES-COPA and marble authenticated encryption algorithms, Quant. Inf. Process., 20, 4, 1-21, 2021 · Zbl 1509.81434 · doi:10.1007/s11128-021-03036-w |
| [37] | Youssef A.M., Gong G.: On the interpolation attacks on block ciphers. In: Proceedings of the 7th International Workshop on Fast Software Encryption, pp. 109-120 (2000). · Zbl 0999.94546 |
| [38] | Zhongya, Z.; Wenling, W.; Han, S.; Bolin, W., Quantum attacks on Type-3 generalized Feistel scheme and unbalanced Feistel scheme with expanding functions, Chin. J. Electron., 31, 4, 1-9, 2022 |
| [39] | Zhou, B-M; Yuan, Z., Quantum key-recovery attack on Feistel constructions: Bernstein-Vazirani meet Grover algorithm, Quant. Inf. Process., 20, 330, 1-14, 2021 · Zbl 1509.81454 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
