Abstract
We present the first complete descriptions of quantum circuits for the offline Simon’s algorithm, and estimate their cost to attack the MAC Chaskey, the block cipher PRINCE and the NIST lightweight finalist AEAD scheme Elephant. These attacks require a reasonable amount of qubits, comparable to the number of qubits required to break RSA-2048. They are faster than other collision algorithms, and the attacks against PRINCE and Chaskey are the most efficient known to date. As Elephant has a key smaller than its state size, the algorithm is less efficient and its cost ends up very close to or above the cost of exhaustive search. We also propose an optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis. We stress that our attacks could be applied in the future against today’s communications, and recommend caution when choosing symmetric constructions for cases where long-term security is expected.
Highlights
Due to Shor’s algorithm [Sho94], quantum computing has significantly changed cryptography, despite its currently theoretical nature. In public-key cryptography, this has led to the thriving field of quantum-safe cryptography and an ongoing competition organized by the NIST [Nat16] will propose new standards for key exchange and signatures
We find that PRINCE and Chaskey are especially vulnerable to this attack, requiring only 2^65 qubit operations to recover the key
Since Grover-like algorithms parallelize badly [Zal99], attacks that finish quickly cost much more than attacks that are allowed to take a long time. While this affects our attack, our goal is to demonstrate another aspect of post-quantum security, rather than to compare to post-quantum asymmetric cryptography, so we do not account for depth limits
Summary
Due to Shor’s algorithm [Sho94], quantum computing has significantly changed cryptography, despite its currently theoretical nature. In public-key cryptography, this has led to the thriving field of quantum-safe cryptography and an ongoing competition organized by the NIST [Nat16] will propose new standards for key exchange and signatures. It has long been thought that the only threat was the quantum acceleration on exhaustive search. This has changed with works on dedicated cryptanalysis of block ciphers [BNS19b], hash functions [HS20], and the many cryptanalyses that rely on Simon’s algorithm [KM10, KLLN16, Bon, LM17, BNS19a, BHN+19]. Work on quantum circuits focuses mainly on exhaustive key search, and on AES key search [JNRV20, DP21, LPS20, ASAM18, GLRS16]. Many quantum attacks in symmetric cryptography are either only known asymptotically, or only with rough estimates
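The Simon-based cryptanalyses cited above all share the same skeleton: a quantum subroutine that outputs vectors y orthogonal (over GF(2)) to a hidden period s, followed by boolean linear algebra that solves for s. The following is an added example, not code from the paper, that simulates both pieces classically on a toy Even-Mansour cipher (a constructed 8-bit block size and a random permutation), where the period of f(x) = E(x) XOR P(x) is the first key. The quantum measurement is replaced by its known outcome distribution (uniform over y with y·s = 0), so the example cannot be run against a real cipher; its purpose is to show what the linear-algebra circuit in the paper has to compute and why a construction with a hidden XOR period leaks its key.

```python
import random

# Added example (not the paper's code): classical simulation of the two
# halves of Simon's algorithm on a toy Even-Mansour cipher.

N = 8  # constructed toy block size in bits; real ciphers use 64 or 128


def make_even_mansour(n, k1, k2, rng):
    """Toy Even-Mansour cipher E(x) = P(x ^ k1) ^ k2 with a random public
    permutation P on n bits (constructed for this example)."""
    perm = list(range(1 << n))
    rng.shuffle(perm)
    P = lambda x: perm[x]
    E = lambda x: P(x ^ k1) ^ k2
    return P, E


def simon_function(P, E):
    """f(x) = E(x) ^ P(x) satisfies f(x) = f(x ^ k1): its hidden period is k1."""
    return lambda x: E(x) ^ P(x)


def has_period(f, n, s):
    """Exhaustive check (only feasible at toy size) that s is a period of f."""
    return all(f(x) == f(x ^ s) for x in range(1 << n))


def simon_measurement(s, n, rng):
    """One outcome of Simon's quantum subroutine, simulated classically: for a
    2-to-1 function with period s the measured y is uniform over {y : y.s = 0}."""
    while True:
        y = rng.getrandbits(n)
        if bin(y & s).count("1") % 2 == 0:
            return y


def gf2_nullspace(rows, n):
    """Basis (as ints) of {s : y.s = 0 for every y in rows}, by Gaussian
    elimination over GF(2) on n-bit vectors. This is the boolean linear
    algebra step that Simon-based attacks need after sampling."""
    pivots = []  # list of (pivot bit, row) kept in reduced row echelon form
    for y in rows:
        for p, r in pivots:  # clear this row's bits in existing pivot columns
            if (y >> p) & 1:
                y ^= r
        if y == 0:
            continue  # linearly dependent on what we already have
        p = y.bit_length() - 1
        # keep RREF: clear the new pivot column in all existing rows
        pivots = [(q, r ^ y if (r >> p) & 1 else r) for q, r in pivots] + [(p, y)]
    pivot_bits = {p for p, _ in pivots}
    basis = []
    for f in (i for i in range(n) if i not in pivot_bits):  # free variables
        s = 1 << f
        for p, r in pivots:  # each pivot variable is fixed by its row
            if (r >> f) & 1:
                s |= 1 << p
        basis.append(s)
    return basis


def recover_period(s, n, rng):
    """Collect measurement outcomes until the GF(2) system has rank n-1; the
    unique nonzero solution is then the period. Returns (period, samples)."""
    rows = []
    while True:
        rows.append(simon_measurement(s, n, rng))
        basis = gf2_nullspace(rows, n)
        if len(basis) == 1:
            return basis[0], len(rows)


def demo(seed=1):
    """Recover both toy keys: k1 from the period, then k2 = E(0) ^ P(k1)."""
    rng = random.Random(seed)
    k1 = rng.getrandbits(N) or 1  # period must be nonzero
    k2 = rng.getrandbits(N)
    P, E = make_even_mansour(N, k1, k2, rng)
    f = simon_function(P, E)
    assert has_period(f, N, k1)
    found, used = recover_period(k1, N, rng)
    k2_found = E(0) ^ P(found)
    return found == k1 and k2_found == k2


if __name__ == "__main__":
    print("toy Even-Mansour keys recovered:", demo())
```

The elimination keeps the system in reduced row echelon form incrementally, so each new sample costs one pass over the existing pivots; the paper's reversible circuit has to do the same work in-place on qubits, which is why an optimized boolean linear algebra circuit matters for the overall cost.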
More From: IACR Transactions on Cryptographic Hardware and Embedded Systems