Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations

Abstract

In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoffs between data complexity D and time complexity T against the problem of cardinality N are \(D^2 \cdot T^2 =N\) and \(D \cdot T^6 = N^3\) in the best and worst case scenarios to the adversary respectively, while the classic attack requires \(D\cdot T = N\). This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for T by limiting the maximum D to be below \(2^{n/2}\) according to the classical tradeoff \(D\cdot T = N\). Those schemes are broken when quantum computations are available to the adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H \(^2\)-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.

A Further Discussion on Quantum Computation Models

Regarding attack models for quantum computations, we received several comments from other researchers. Below we introduce two issues which are pointed out by them.

1.1 A.1 Flying Qubits

As discussed in [BBG+13], if each qubit (or each small quantum processor) in a quantum hardware of size \(O(2^n\)) can communicate with O(n) qubits (or small quantum processors), then the hardware can simulate a hardware in free communicational model with the time overhead \(O(n^2)\). Thus, if we can modify a quantum hardware in realistic communication model so that each qubit in the hardware can communicate with a little more qubits (which is called “flying qubits” in [BBG+13]), then the hardware can simulate free communication model with a small overhead. However, realization of “flying qubits” fully depends on future development of quantum hardware, and here we give no argument about realizability of it.

1.2 A.2 Feasibility of Q2 Model

Q1 model is more realistic than Q2 model, though Q2 model should not be regarded as “non-realistic model.” In the main body of this paper, we described that Q2 model assumes that all the users implement algorithms on quantum computers and the network is communicated in the form of superposition. However, if an adversary attacks some kind of cryptosystems like “disk encryption” which is implemented on a quantum computer, then the notion of network becomes abstract. In addition, if white-box encryption algorithm is implemented on a quantum computer, then network becomes irrelevant.

Q2 model is simple and non-trivial. It ensures security in any intermediate scenario including hybrid ones like classical machines with quantum modules, where Q1 model could not really apply. We do not know how fast technologies on quantum computation and communication will develop, and using primitives not known to be secure in Q2 model would be challenging in the future.