Quantum Attacks on Lai-Massey Structure

Abstract

Aaram Yun et al. considered that Lai-Massey structure has the same security as Feistel structure. However, Luo et al. showed that 3-round Lai-Massey structure can resist quantum attacks of Simon’s algorithm, which is different from Feistel structure. We give quantum attacks against a typical Lai-Massey structure. The result shows that there exists a quantum CPA distinguisher against 3-round Lai-Massey structure and a quantum CCA distinguisher against 4-round Lai-Massey Structure, which is the same as Feistel structure. We extend the attack on Lai-Massey structure to quasi-Feistel structure. We show that if the combiner of quasi-Feistel structure is linear, there exists a quantum CPA distinguisher against 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against 4-round balanced quasi-Feistel Structure.

Supported by the NSFC of China (61732021) and the National Key R &D Program of China (2018YFB0803801 and 2018YFA0704704).

Appendices

A A Intermediate Parameters in the Decryption Process of 4-round Lai-Massey Structure in Sect. 3.2

For the decryption process of 4-round Lai-Massey structure shown in the Fig. 3, we write the inputs as \([z_{1},z_{2}], [z_{3},z_{4}]\) and the outputs as \([x'_{1},x'_{2}], [x'_{3},x'_{4}]\). Intermediate parameters are as follows.

$$\begin{aligned} a'_{4} =\,&[z_{1},z_{2}],b'_{4} = [z_{3},z_{4}],\\ a'_{3} =\,&[z_{1} \oplus f_{4L}(\varDelta '_{4}),z_{2} \oplus f_{4R}(\varDelta '_{4})], b'_{3} = [z_{3} \oplus f_{4L}(\varDelta '_{4}),z_{4} \oplus f_{4R}(\varDelta '_{4})],\\ a'_{2} =\,&[z_{1} \oplus z_{2} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}),z_{1} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4})],\\ b'_{2} =\,&[z_{3} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}),z_{4} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4})],\\ a'_{1} =\,&[z_{2} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}),\\&z_{1} \oplus z_{2} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4})],\\ b'_{1} =\,&[z_{3} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}), z_{4} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4})], \end{aligned}$$

where

$$\begin{aligned} \varDelta '_{4} =\,&[z_{1} \oplus z_{3},z_{2} \oplus z_{4}],\\ \varDelta '_{3} =\,&[z_{1} \oplus z_{2} \oplus z_{3} \oplus f_{4R}(\varDelta '_{4}),z_{1} \oplus z_{4} \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4})],\\ \varDelta '_{2} =\,&[z_{2} \oplus z_{3} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}),\\&z_{1} \oplus z_{2} \oplus z_{4} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4})],\\ \varDelta '_{1} =\,&[z_{1} \oplus z_{3} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}),\\&z_{2} \oplus z_{4} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3})]. \end{aligned}$$

Proof

Let \(a'_{4} = [z_{1},z_{2}],b'_{4} = [z_{3},z_{4}]\). Intermediate parameters \(a_i,b_i,\varDelta _j,i=1,2,3,4\) are the same as Sect. 3.1 and Sect. 3.2.

Fig. 10.

The fourth round of the decryption progress of 4-round Lai-Massey structure

Lemma 8

For the fourth round of the decryption progress of 4-round Lai-Massey structure (Fig. 10), intermediate parameters \(\varDelta '_{4},a'_{3},b'_3 \) can be expressed as:

$$\begin{aligned} \varDelta '_{4} =\,&[z_{1} \oplus z_{3},z_{2} \oplus z_{4}], \\ a'_{3}=\,&[z_{1} \oplus f_{4L}(\varDelta '_{4}),z_{2} \oplus f_{4R}(\varDelta '_{4})], \\ b'_{3}=\,&[z_{3} \oplus f_{4L}(\varDelta '_{4}),z_{4} \oplus f_{4R}(\varDelta '_{4})]. \end{aligned}$$

Proof

According to the decryption progress of 4-round Lai-Massey structure, we can get the following system of equations

$$\begin{aligned} {\left\{ \begin{array}{ll} \varDelta '_{4} = a'_{3} \oplus b'_{3}, \\ a'_{3} \oplus f_{4}(\varDelta '_{4}) = a'_{4} ,\\ b'_{3} \oplus f_{4}(\varDelta '_{4}) = b'_{4}. \end{array}\right. } \end{aligned}$$

Solving the system of equations gives the result.

Fig. 11.

The third round of the decryption progress of 4-round Lai-Massey structure

Lemma 9

For the third round of the decryption progress of 4-round Lai-Massey structure (Fig. 11), intermediate parameters \(\varDelta '_{3},a'_{2},b'_2 \) can be expressed as:

$$\begin{aligned} \varDelta '_{3}&= a'_{2} \oplus b'_{2} = [z_{1} \oplus z_{2} \oplus z_{3} \oplus f_{4R}(\varDelta '_{4}),z_{1} \oplus z_{4} \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4})],\\ a'_{2}&= [z_{1} \oplus z_{2} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}),z_{1} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4})],\\ b'_{2}&= [z_{3} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}),z_{4} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4})]. \end{aligned}$$

Proof

According to the decryption progress of 4-round Lai-Massey structure, we can get the following system of equations

$$\begin{aligned} {\left\{ \begin{array}{ll} \varDelta '_{3} = a'_{2} \oplus b'_{2}, \\ a'_{3} = [a'_{2R} \oplus f_{3R}(\varDelta '_{3}),a'_{2L} \oplus a'_{2R} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3})],\\ b'_{3} = [b'_{2L} \oplus f_{3L}(\varDelta '_{3}),b'_{2R} \oplus f_{3R}(\varDelta '_{3})]. \end{array}\right. } \end{aligned}$$

From Lemma 8 we can get:

$$\begin{aligned} {\left\{ \begin{array}{ll} a'_{2R} \oplus f_{3R}(\varDelta '_{3}) = z_{1} \oplus f_{4L}(\varDelta '_{4}), \\ a'_{2L} \oplus a'_{2R} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) = z_{2} \oplus f_{4R}(\varDelta '_{4}), \\ b'_{2L} \oplus f_{3L}(\varDelta '_{3}) = z_{3} \oplus f_{4L}(\varDelta '_{4}), \\ b'_{2R} \oplus f_{3R}(\varDelta '_{3}) = z_{4} \oplus f_{4R}(\varDelta '_{4}). \\ \end{array}\right. } \end{aligned}$$

Solving the system of equations gives the result.

Lemma 10

For the second round of the decryption progress of 4-round Lai-Massey structure, intermediate parameters \(\varDelta '_{2},a'_{1},b'_1 \) can be expressed as:

$$\begin{aligned} \varDelta '_{2} =\,&[z_{2} \oplus z_{3} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}),\\&z_{1} \oplus z_{2} \oplus z_{4} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4})],\\ a'_{1} =\,&[z_{2} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}),\\&z_{1} \oplus z_{2} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4})],\\ b'_{1} =\,&[z_{3} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}),z_{4} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4})]. \end{aligned}$$

Proof

According to the decryption progress of 4-round Lai-Massey structure, we can get the following system of equations

$$\begin{aligned} {\left\{ \begin{array}{ll} \varDelta '_{2} = a'_{1} \oplus b'_{1}, \\ a'_{2} = [a'_{1R} \oplus f_{2R}(\varDelta '_{2}),a'_{1L} \oplus a'_{1R} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{2R}(\varDelta '_{2})], \\ b'_{2} = [b'_{1L} \oplus f_{2L}(\varDelta '_{2}),b_{1R} \oplus f_{2R}(\varDelta '_{2})]. \\ \end{array}\right. } \end{aligned}$$

From Lemma 9 we have:

$$\begin{aligned} {\left\{ \begin{array}{ll} a'_{1R} \oplus f_{2R}(\varDelta '_{2}) = z_{1} \oplus z_{2} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}), \\ a'_{1L} \oplus a'_{1R} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{2R}(\varDelta '_{2}) = z_{1} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}), \\ b'_{1L} \oplus f_{2L}(\varDelta '_{2}) = z_{3} \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}), \\ b'_{1R} \oplus f_{2R}(\varDelta '_{2}) = z_{4} \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}). \\ \end{array}\right. } \end{aligned}$$

Solving the system of equations gives the result.

Lemma 11

For the first round of the decryption progress of 4-round Lai-Massey structure, intermediate parameters \(\varDelta '_{1},[x'_{1},x'_{2}],[x'_{3},x'_{4}]\) can be expressed as:

$$\begin{aligned} \varDelta '_{1} =\,&[z_{1} \oplus z_{3} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}),\\&z_{2} \oplus z_{4} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3})],\\ [x'_{1},x'_{2}]=\,&[z_{1} \oplus f_{1L}(\varDelta '_{1}) \oplus f_{2L}(\varDelta '_{2}) \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}),\\&z_{2} \oplus f_{1R}(\varDelta '_{1}) \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}),\\ [x'_{3},x'_{4}]=\,&[z_{3} \oplus f_{1L}(\varDelta '_{1}) \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}),\\&z_{4} \oplus f_{1R}(\varDelta '_{1}) \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4})]. \end{aligned}$$

Proof

According to the decryption progress of 4-round Lai-Massey structure, we can get the following system of equations

$$\begin{aligned} {\left\{ \begin{array}{ll} \varDelta '_{1} = [x'_{1},x'_{2}]\oplus [x'_{3},x'_{4}], \\ a'_{1} = [x'_{2} \oplus f_{1R}(\varDelta '_{1}),x'_{1} \oplus x'_{2} \oplus f_{1L}(\varDelta '_{1}) \oplus f_{1R}(\varDelta '_{1})], \\ b'_{1} = b'_{0} \oplus f_{1}(\varDelta '_{1}) = [x'_{3} \oplus f_{1L}(\varDelta '_{1}),x'_{4} \oplus f_{1R}(\varDelta '_{1})]. \end{array}\right. } \end{aligned}$$

From Lemma 11 we have

$$\begin{aligned} {\left\{ \begin{array}{ll} x'_{2} \oplus f_{1R}(\varDelta '_{1}) = z_{2} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}), \\ x'_{1} \oplus x'_{2} \oplus f_{1L}(\varDelta '_{1}) \oplus f_{1R}(\varDelta '_{1}) = z_{1} \oplus z_{2} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}) \oplus f_{4R}(\varDelta '_{4}), \\ x'_{3} \oplus f_{1L}(\varDelta '_{1}) = z_{3} \oplus f_{2L}(\varDelta '_{2}) \oplus f_{3L}(\varDelta '_{3}) \oplus f_{4L}(\varDelta '_{4}), \\ x'_{4} \oplus f_{1R}(\varDelta '_{1}) = z_{4} \oplus f_{2R}(\varDelta '_{2}) \oplus f_{3R}(\varDelta '_{3}) \oplus f_{4R}(\varDelta '_{4}). \\ \end{array}\right. } \end{aligned}$$

Solving the system of equations gives the result.

B B Proof of Theorem 4

Proof

First, we introduce a Theorem and a Lemma for subsequent proofs.

Theorem 8

 [6] (Brassard, Hoyer, Mosca and Tapp). Let \(\mathcal A\) be any quantum algorithm on q qubits that uses no measurement. Let \(\mathcal B: \mathbb F^q_2\rightarrow \{0,1\}\) be a function that classifies outcomes of \(\mathcal A\) as good or bad. Let \(p > 0\) be the initial success probability that a measurement of \(\mathcal A|0\rangle \) is good. Set \(t =\lceil \frac{\pi }{4\theta }\rceil \), where \(\theta \) is defined via \(sin^2(\theta )= p\). Moreover, define the unitary operator \(Q = -\mathcal AS_0\mathcal A^{-1}S_{\mathcal B}\), where the operator \(S_{\mathcal B}\) changes the sign of the good state:

$$ |x\rangle \mapsto \left\{ \begin{array}{rcl} -|x\rangle &{} \text{ if }&{}\mathcal B(x)=1 \\ |x\rangle &{} \text{ if }&{}\mathcal B(x)=0 \end{array}\right. $$

while \(S_0\) changes the sign of the amplitude only for the zero state \(|0\rangle \). Then after the computation of \(Q^t\mathcal A|0\rangle \), a measurement yields well with probability a least \(\max \{1-p,p\}\).

Lemma 12

 [24]. Any state \(| z_i\rangle =(-1)^{\langle u_i,x_i\rangle }| u_i\rangle \) is proper with probability at least \(\frac{1}{2}\). Any set of \(\ell = 2(n+\sqrt{n})\) states contains at least \(n-1\) proper states with probability greater than \(\frac{4}{5}\).

Let \(U_h\) be a quantum oracle as \(|x_1,...,x_l,0\rangle \mapsto |x_1,...,x_l,h(x_1,...,x_l)\rangle \). If \(k_4\) guessed right, then \(g_{3}(k_4,[x,x']) = g_{3}(k_4,[x,x'] \oplus s)\). Let \(h: \mathbb F^{m}_2 \times \mathbb F^{n^l}_2\rightarrow \mathbb F^{(n/2)^l}_2\) with: \((k,[x_1,x'_1],...,[x_l,x'_l])\mapsto g_{3}(k,[x_1,x'_1])||...||g_{3}(k,[x_l,x'_l])\). Then we can construct the following quantum algorithm \(\mathcal A\) :

1. 1.

   Initializing a \(m+nl+nl/2\)-qubit register \(|0\rangle ^{\otimes m+nl+nl/2}\).

2. 2.

   Apply Hadamard transformation \( H ^ {\otimes (m+nl)} \) to the first \(m+nl \) qubits to obtain quantum superposition

   $$\begin{aligned} H ^ {\otimes (m+nl)}|0\rangle =\frac{1}{\sqrt{2^{m+nl}}} \sum _{k \in \mathbb F^m_2,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k \rangle | [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle | 0,...,0\rangle . \end{aligned}$$
3. 3.

   Applying \(U_h\):

   $$\begin{aligned} \frac{1}{\sqrt{2^{m+nl}}} \sum _{k \in \mathbb F^m_2,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k\rangle | [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle | h(k,[x_1,x'_1],...,[x_l,x'_l])\rangle . \end{aligned}$$
4. 4.

   Apply Hadamard transformation to the qubits \(| [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle \):

   $$\begin{aligned} |\varphi \rangle =\,&\frac{1}{\sqrt{2^{m+2nl}}} \sum _{k \in \mathbb F^m_2,u_1,...,u_l,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k \rangle (-1)^{\langle u_1,[x_1,x'_1]\rangle }| u_1\rangle \cdot \cdot \cdot (-1)^{\langle u_1,[x_l,x'_l]\rangle }\\&| u_l \rangle | h(k,[x_1,x'_1],...,[x_l,x'_l])\rangle . \end{aligned}$$

If \(k_4\) is guessed right, the period s will orthogonal to all the \(u_i,i=1...l\). From Lemma 12, we choose \(l=2(n+\sqrt{n})\). Then we can construct a classifier \(\mathcal B:\mathbb F^{m+nl}_2\rightarrow \{0,1\}\) with a good subspace \(|\varphi _1\rangle \) and a bad subspace \(|\varphi _0\rangle \) as Definition 5. \(|x\rangle \) in the good subspace if \(\mathcal B(x)=1\). Let \(|\varphi \rangle =|\varphi _1\rangle +|\varphi _0\rangle \). \(|\varphi _1\rangle \) is the sum of basis states for which the right \(k_4\). We can check it by whether \(g_{3}(k,[x,x'])=g_{3}(k,[x,x']\oplus s)\):

Definition 5

Let \(\tilde{U}=\langle u_1,...,u_l\rangle \) be the linear span of all \(u_i \). We define Classifier \(\mathcal B:\mathbb F^{m+nl}_2\mapsto \{0,1\}\) which maps \((k,u_1,...,u_l)\mapsto \{0,1\}\).

1. 1.

   If \(\dim (\tilde{U}) \ne n-1\), output 0. Otherwise compute the unique period s by using Lemma 2 in [24].

2. 2.

   For random \([x,x']\), if \(g_{3}(k,[x,x'])=g_{3}(k,[x,x']\oplus s)\), then output 1, otherwise output 0.

Mearsure \(|\varphi \rangle \) and the initial probability of the good state is:

$$\begin{aligned} p=\Pr [|k\rangle |u_1\rangle ...|u_l\rangle \text { is good}] =\Pr [k=k_4]\cdot \Pr [\mathcal B(k,u_1,...,u_l)=1|k=k_4]\approx \frac{1}{2^m}. \end{aligned}$$

Set \(t =\lceil \frac{\pi }{4\theta }\rceil \), where \(\theta \) is defined via \(sin^2(\theta )= p\). Then \(\theta \approx \arcsin ({2^{-m/2}})\approx {2^{-m/2}}\), \(t \approx \lceil \frac{\pi }{4\times {2^{-m/2}}}\rceil \approx 2^{m/2} \). We define the unitary operator \(Q = -\mathcal AS_0\mathcal A^{-1}S_{\mathcal B}\), where the operator \(S_{\mathcal B}\) changes the sign of the good state:

$$ |k\rangle |u_1\rangle ...|u_l\rangle \mapsto \left\{ \begin{array}{rcl} -|k\rangle |u_1\rangle ...|u_l\rangle &{}\text { if }&{}B(k,u_1,...,u_l)=1 \\ |k\rangle |u_1\rangle ...|u_l\rangle &{}\text { if }&{}B(k,u_1,...,u_l)=0. \end{array}\right. $$

\(S_0\) changes the sign of the amplitude only for the zero state \(|0\rangle \). Then after the computation of \(Q^t\mathcal A|0\rangle \), according to the Theorem 8, a measurement yields good with probability a least \(\max \{1-p,p\}\approx 1-\frac{1}{2^m}\).