Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Transcription

1 Quantum Chosen-Ciphertext Attacks against eistel Ciphers Gembu Ito 1, Akinori Hosoyamada 1,2, Ryutaroh Matsumoto 1,3, Yu Sasaki 2, and Tetsu Iwata 1 1 Nagoya University, Nagoya, Japan g itou@echo.nuee.nagoya-u.ac.jp, ryutaroh.matsumoto@nagoya-u.jp, tetsu.iwata@nagoya-u.jp 2 NTT Secure Platorm Laboratories, Tokyo, Japan hosoyamada.akinori@lab.ntt.co.jp, sasaki.yu@lab.ntt.co.jp 3 Aalborg University, Aalborg, Denmark Abstract. Seminal results by Luby and Racko show that the 3-round eistel cipher is secure against chosen-plaintext attacks (CPAs), and the 4-round version is secure against chosen-ciphertext attacks (CCAs). However, the security signiicantly changes when we consider attacks in the quantum setting, where the adversary can make superposition queries. By using Simon s algorithm that detects a secret cycle-period in polynomial-time, Kuwakado and Morii showed that the 3-round version is insecure against quantum CPA by presenting a polynomial-time distinguisher. Since then, Simon s algorithm has been heavily used against various symmetric-key constructions. However, its applications are still not ully explored. In this paper, based on Simon s algorithm, we irst ormalize a suicient condition o a quantum distinguisher against block ciphers so that it works even i there are multiple collisions other than the real period. This distinguisher is similar to the one proposed by Santoli and Schaner, and it does not recover the period. Instead, we ocus on the dimension o the space obtained rom Simon s quantum circuit. This eliminates the need to evaluate the probability o collisions, which was needed in the work by Kaplan et al. at CRYPTO Based on this, we continue the investigation o the security o eistel ciphers in the quantum setting. We show a quantum CCA distinguisher against the 4-round eistel cipher. This extends the result o Kuwakado and Morii by one round, and ollows the intuition o the result by Luby and Racko where the CCA setting can extend the number o rounds by one. We also consider more practical cases where the round unctions are composed o a public unction and XORing the subkeys. We show the results o both distinguishing and key recovery attacks against these constructions. Keywords: eistel cipher Quantum chosen-ciphertext attacks Simon s algorithm This is the ull version o the paper that appears in the proceedings o CT-RSA 2019.

2 1 Introduction A block cipher is an important cryptographic primitive that is widely adopted in various secure communication protocols and security products. A block cipher is a pseudo-random permutation (PRP), i.e. it takes a key as input and provides distinct permutations that cannot be distinguished rom a random permutation or distinct key inputs. Designing an eicient block cipher is a long-term challenge in symmetric-key cryptography. One o the most popular approaches is to use the eistel network, in which an n-bit state is divided into n/2-bit halves denoted by a i and b i, and the state is updated by iteratively applying the ollowing two operations; b i+1 a i Ki (b i ), a i+1 b i, where Ki is a keyed unction taking a subkey K i as input. The construction is known as the Luby-Racko construction. In this paper, we call it eistel- to make the name consistent with other constructions. The diagram o the construction is drawn in the let o ig. 1. Luby and Racko [18] proved that when Ki is a pseudo-random unction (PR), 3-round and 4-round eistel ciphers are PRPs up to O(2 n/4 ) queries against chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs), respectively. Luby and Racko also showed the tightness o the number o rounds by demonstrating eicient attacks against 2 and 3 rounds in the corresponding attack models. While the provable security bounds derived by Luby and Racko are attractive, using a PR or Ki requires signiicant implementation costs, and this is oten practically ineasible. To design a block cipher or practical usage, the subkey space is oten limited to {0, 1} n/2, and Ki (b i ) is deined as b i+1 a i (K i b i ), a i+1 b i, where is a public unction. In this paper, we call this construction eistel-k. See the middle igure o ig. 1. eistel-k includes a lot o practical designs, e.g. DES [19] and Camellia [1], where the unction x (K i x) is not a PR, and generic attacks on this construction have been widely studied, e.g. impossible dierential attacks [14], meet-in-the-middle attacks [12,10], dissection attacks [5] and division property [23]. It is also possible to inject a subkey K i {0, 1} n/2 outside the unction as b i+1 a i (b i ) K i, a i+1 b i. We call this construction eistel-k, which is illustrated on the right o ig. 1. This construction provides implementation advantages and can be seen in several lightweight designs e.g. Piccolo [21], Simon [2] and Simeck [24]. The discussion so ar is about the classical computation setting, while the security o symmetric-key schemes against quantum computers has become active recently. Owing to less mathematical structure in symmetric-key schemes than public-key schemes, there was a belie that simply doubling the key size in order 2

3 b i b i+1 b i+1 b i b i+1 b i K i K i a i a i+1 a i a i+1 a i a i+1 eistel- eistel-k eistel-k ig. 1. Our target constructions. K i to resist the exhaustive key search by Grover s algorithm [9] is suicient to protect symmetric-key schemes rom quantum computers. However, Kuwakado and Morii [15] demonstrated that, by exploiting Simon s algorithm [22], the eistel ciphers can be distinguished rom a random permutation only in polynomial-time o the output size under the assumption that the adversary can make quantum superposition queries. Since then, many polynomial-time attacks using Simon s algorithm have been proposed e.g. key recovery against Even-Mansour construction [16], orgery on various CBC-like MACs [13], and cryptanalysis o AEZ [3]. Moreover, Leander and May [17] showed a clever method to combine Grover s and Simon s algorithms to recover the key against the X construction. See also [20]. The attack model that adversaries can make quantum queries is worth investigating. This model is a natural extension o the classical attack models, and theoretically interesting. Any symmetric scheme broken in this model should not be implemented on a quantum computer. Moreover, the threat o this attack model becomes signiicant i an adversary has access to its white-box implementation. Because arbitrary classical circuit can be converted into quantum one, the adversary can construct a quantum circuit rom the classical source code given by the white-box implementation. There are several attacks on eistel ciphers in the quantum setting. Besides the irst work in [15], a meet-in-the-middle attack in the quantum setting was discussed in [11] and appending key-recovery rounds by applying the algorithm by Leander and May [17] was discussed in [11,8,7]. However, the ollowing important issues have not been discussed by the previous work. Security analysis o eistel ciphers against chosen-ciphertext adversaries is missing. In the classical setting, the tight bound o the number o rounds is known or the eistel- construction, and clariying the number o rounds that can be attacked in the quantum setting leads us a deeper understanding o the eistel- construction. urthermore, the quantum setting assumes strong power o adversaries, hence considering CCAs is more reasonable. We note that there are results in a CCA setting on eistel ciphers with a speciic key scheduling unction called 2 key- or 4 key-alternation eistel ciphers and their variants [6,4], however, we are considering more general constructions. 3

4 Discussion on practical constructions is missing. Although the Luby-Racko construction is a good object to study theoretical aspects o the eistel ciphers, in general, it cannot be implemented eiciently in practice. Thereore, the analyses o practical constructions like eistel-k and eistel-k are needed. Again, we are interested in general constructions that do not rely on a speciic key scheduling unction. Our Contributions. In this paper, we urther investigate the security o the eistel ciphers against quantum adversaries. In particular, we show CCA distinguishers that can distinguish more rounds than the previous CPA distinguishers. In addition, we extend the distinguishers to key recovery attacks or the practical constructions, i.e. eistel-k and eistel-k. We start with several undamental observations about Simon s algorithm that detects a secret cycle-period in polynomial-time. The usage o Simon s algorithm in the previous work can be classiied into two types; the irst type uses Simon s algorithm or key recovery attacks, namely, the recovered secret cycle-period corresponds to the key o the construction such as [16] and [13], whereas the second type uses Simon s algorithm or distinguishers, e.g. to distinguish the construction rom an ideal one [15,20] or to distinguish the right key guess rom wrong key guesses [17,11,8,7]. We observe that, or the second type, recovering the secret cycle-period is not necessary as long as a non-ideal behavior is detected. I we ollow [13] to recover the secret cycle-period by using Simon s algorithm, one has to derive the upper bound on the probability o a collision other than the period. However, there are cases where obtaining the upper bound is non-obvious, and it may be diicult to prove it in attacks on complicated constructions. This motivates us to relax the requirement o recovering the period in Simon s algorithm. Technically, we ocus on the property that the dimension o the space spanned by the vectors in Simon s algorithm, instead o the exact period s. Namely, the dimension o the space is at most l 1 i the target unction has a period s, where {0, 1} l is the domain o the unction evaluated by Simon s algorithm. This modiication eliminates the need to derive the upper bound on the probability o a collision other than the period s. Note that Santoli and Schaner pointed out a similar observation [20], and we are dealing with a general class o block ciphers, and we also ormalize a suicient condition so that the distinguisher works. We then apply the above observations to attack several eistel ciphers. or the eistel- construction, we show that a cycle-period can be ormed or 4 rounds in the CCA setting. This leads to a 4-round polynomial-time CCA distinguisher, which is 1-round longer than the CPA distinguisher by Kuwakado and Morii [15]. The attack is then extended to the practical constructions; eistel-k and eistel-k. or eistel-k, although the distinguisher is the same as the one or eistel-, we can now discuss the key recovery attack owing to the practical size o the secret key. We obtain 7-round key recovery attacks that recover 7n/2-bit key with O(2 3n/4 ) complexity. or eistel-k, the CCA distinguisher is extended to 6 rounds and we obtain 9-round key recovery attacks that recover 4

5 Table 1. Comparison o the number o attacked rounds in various settings. Dist. and KR denote distinguisher and key recovery attack, respectively. Superscript P denotes that the attack complexity is only a polynomial o the unction s output size, while the others require exponential complexity. Construction Classic-CPA Classic-CCA Quantum-CPA Quantum-CCA Dist. KR Dist. KR Dist. KR Dist. KR eistel- 2 [18] - 3 [18] - 3 P [15] - 4 P Ours - 5 [11] eistel-k 5 [10] 6 [10] 5 [10] 6 [10] 6 [11] 4 P Ours 7 Ours 3 P [15] eistel-k P Ours 8 Ours 6 P Ours 9 Ours 9n/2-bit key with O(2 3n/4 ) complexity. In addition, the CPA distinguisher is extended to 5 rounds and we obtain 8-round key recovery attacks that recover 8n/2-bit key with O(2 3n/4 ) complexity. A comparison o the number o attacked rounds is given in Table 1. Note that Table 1 ocuses on attacks with complexity at most O(2 n ), and it does not include attacks with higher complexities. Also, we consider only general constructions, so it does not include attacks against constructions with a particular key scheduling unction such as [6,4]. Paper Outline. This paper is organized as ollows. Section 2 describes preliminaries. Section 3 introduces previous works. Section 4 explains the ormalization o a distinguishing technique that relaxes Simon s algorithm. Section 5 presents our CCA distinguisher against the 4-round eistel- constructions. The attack is then applied to chosen-ciphertext key-recovery attacks on eistel-k constructions in Sect. 6. Section 7 explains distinguishing and key-recovery attacks against eistel-k constructions in both CCA and CPA settings. We conclude the paper in Sect Preliminaries 2.1 Notation or a positive integer n, let {0, 1} n be the set o all n-bit strings. Let Perm(n) be the set o all permutations on {0, 1} n, and let unc(n) be the set o all unctions rom {0, 1} n to {0, 1} n. or bit strings a and b, a b denotes their concatenation. We also regard a and b as binary vectors, and let a be the dimension o the vector a. When a = b, we denote their inner product as a b. In this paper, e denotes Napier s number. or a inite set X, we write X $ X or the process o sampling an element uniormly rom X and assigning the result to X. 2.2 Simon s Algorithm In this section, we describe Simon s algorithm [22] that is used in our quantum algorithms. Throughout this paper, we assume that readers have basic knowledge 5

6 about quantum computation. Simon s algorithm can solve the ollowing problem. Problem 1. Given a unction : {0, 1} n {0, 1} n, assume that there exists a period s {0, 1} n \{0 n } such that or any distinct x, x {0, 1} n, it holds that (x) = (x ) x = x s. The goal is to ind the period s. We assume that Simon s algorithm has access to the quantum oracle U, which is deined as U x z = x z (x). We use the Hadamard transorm H n that is applied on n-qubit state x and gives H n x = 1 2 n y {0,1} n( 1)x y y. Simon proposed a circuit S that computes vectors that are orthogonal to s by using the quantum oracle U. S is described as (H n I n ) U (H n I n ) and works as ollows: 1. We irst apply the Hadamard transorm H n on the irst n qubits o 2n-qubit state 0 n 0 n 1 to obtain the state 2 n x x 0n. 2. Then, we apply the unitary operator U to obtain the state 1 2 n x x (x). 3. inally, we apply the Hadamard transorm H n on the irst n qubits to obtain the state 1 2 n ( 1) x y y (x). (1) x,y As we assume that satisies (x) = (x ) x = x s, we have y (x) = y (x s) or each y and x. Thereore, equation (1) is described as 1 ( ( 1) x y 2 n + ( 1) (x s) y) y (x), x V,y where V is a linear subspace o {0, 1} n o dimension n 1 that partitions {0, 1} n into cosets V and V + s. The vector y such that y s 1 (mod 2) will satisy ( 1) x y + ( 1) (x s) y = 0. Thus, we will obtain a random vector y such that y s 0 (mod 2) by measuring the irst n qubits. By repeating this routine that obtains a random vector y or O(n) times, with a high probability, we obtain n 1 linearly independent such vectors, and then the period s can be recovered by solving the system o linear equations. We note that, in Simon s algorithm, we assume that the unction has a period s. In latter sections, we will use the circuit S to a unction that may not have any period, or may have multiple periods. 2.3 Kaplan et al. s Observation To apply Simon s algorithm, the unction has to satisy (x) = (x ) x = x s. We call this property Simon s promise. I does not satisy this property and has other collisions in addition to s, then there is no guarantee that Simon s algorithm works. However, Kaplan et al. showed that Simon s algorithm can ind 6

7 s even i has partial periods, where the partial period is deined as t s such that (x) = (x t) holds or some x [13]. More precisely, suppose that a unction : {0, 1} l {0, 1} m satisies only the condition that (x) = (x ) x = x s or any distinct x, x {0, 1} l. Since now the counter condition (x) = (x ) x = x s does not always hold, there may exist partial periods o. Intuitively, i there exist many partial periods t 1, t 2,... which are very close to complete periods (i.e., Pr x [(x) = (x t j )] is close to 1 or each j), then it becomes hard to recover s. To describe this intuition ormally, Kaplan et al. introduced the parameter ɛ(, s) deined as ɛ(, s) = max Pr [(x) = (x t)]. (2) t {0,1} l \{0 l,s} x This shows the maximum probability o partial periods o. Notice that i is a constant unction, then ɛ(, s) = 1 and s cannot be recovered. On the other hand, i satisies Simon s promise, then ɛ(, s) = 0. The ollowing theorem about the success probability o Kaplan et al. s observation was proved. Theorem 1 ([13]). I ɛ(, s) p 0 or some positive number p 0 < 1, the probability that Simon s algorithm returns s ater cl queries is at least 1 (2( 1+p0 2 ) c ) l. This theorem shows that we still obtain s with O(l) quantum queries and the complexity does not increase signiicantly. 3 Previous Works 3.1 Quantum Distinguisher against the 3-Round eistel Cipher Here we review the distinguishing algorithm o the 3-round eistel cipher by Kuwakado and Morii [15]. Kuwakado and Morii considered the case where Ki in ig. 1 is a random permutation, and we write P i or Ki. Let P 3 denote the encryption algorithm o the 3-round eistel cipher, where $ random permutations P 1, P 2, P 3 Perm(n/2) are used as internal unctions. P 3 takes a plaintext (a, b) ({0, 1} n/2 ) 2 as input and outputs a ciphertext (c, d) ({0, 1} n/2 ) 2, where c = b P 2 (a P 1 (b)), d = a P 1 (b) P 3 (b P 2 (a P 1 (b))). igure 2 illustrates P 3. Kuwakado and Morii considered the ollowing problem. Problem 2. Let O : {0, 1} n {0, 1} n be either P 3 or a random permutation Π $ Perm(n). Given access to the quantum oracle U O : x y x y O(x), where x, y {0, 1} n, the goal is to distinguish the two cases. 7

8 $ ig. 2. The 3-round eistel cipher with P i Perm(n/2) being used as the internal unction. α 0 /α 1 α 0 /α 1 x ig. 3. P 3(x, α β ) and the lower hal c o the ciphertext. x ig. 4. P 2(x P 1(α β )). Let α 0, α 1 {0, 1} n/2 be arbitrary distinct constants. or β {0, 1} and x {0, 1} n, Kuwakado and Morii used (x, α β ) as the plaintext (a, b). When O is P 3, the lower hal c o the ciphertext is described as c = α β P 2 (x P 1 (α β )). igure 3 illustrates c. Then, we see that c α β = P 2 (x P 1 (α β )) holds, which is illustrated in ig. 4. I we change the value o β, i.e., i we let β to β 1, we see that the input value o P 2 remains the same value by changing x to x P 1 (α 0 ) P 1 (α 1 ). Thus, we can construct a unction O (β x) that has the period 1 P 1 (α 0 ) P 1 (α 1 ) by deining O as O : {0, 1} {0, 1} n/2 {0, 1} n/2 (β x) c α β, where (c, d) = O(x, α β ). (3) Note that O can also be evaluated in quantum superpositions. We can realize the unitary operator U O : x y x y O (x) which makes O(1) quantum queries to U O. I O is P 3, then the unction O is described as and the ollowing lemma holds. O (β x) = α β P 2 (x P 1 (α β )) α β = P 2 (x P 1 (α β )), Lemma 1. I O is P 3, the unction O satisies O (β x) = O (β x ) β x = (β x) (1 P 1 (α 0 ) P 1 (α 1 )) or any x, x {0, 1} n/2 such that x x. That is, O has the period s = 1 (P 1 (α 0 ) P 1 (α 1 )). or completeness, we present a proo in Appendix A. 8

9 Lemma 1 guarantees that the unction O deined in equation (3) satisies Simon s promise i O is P 3, and we can recover the period s by applying Simon s algorithm to O. Deine a unitary operator S O by S O = (H n/2+1 I n/2 ) U O (H n/2+1 I n/2 ). The quantum distinguisher by Kuwakado and Morii works as ollows. 1. Measure the irst n/2 + 1 qubits o S O 0 n+1 to obtain the vector y {0, 1} n/ Repeat Step 1 until we obtain n/2 linearly independent vectors. I obtained, compute s by solving the system o linear equations. 3. Choose β {0, 1} and z {0, 1} n/2 randomly, and compute O (β z) and O ((β z) s). I O (β z) = O ((β z) s), then output O is P 3, otherwise output O is Π. I O is P 3, we obtain the period s in Step 2 with a high probability and it passes the test in Step 3. On the other hand, according to [15], i O is Π, with a high probability, Simon s algorithm returns a random string s, and the probability that O (β z) = O ((β z) s ) is about 2 n/2. Thereore, the distinguisher above returns a correct answer by making O(n) quantum queries. Remark 1. We need to truncate outputs o O or constructing the unction O, since we use only the lower n/2 bits o the output o O. However, the oracle may return outputs o which the lower and upper parts are entangled, and it is not trivial to truncate such outputs without destroying the entanglement, as pointed out by Kaplan et al. [13]. To solve this problem, Hosoyamada and Sasaki showed how to simulate truncation o outputs o the oracles without destroying quantum entanglements [11], and the same technique can be used in our case. 3.2 Key Recovery Attacks against the eistel-k Construction Next, we introduce the idea o the key recovery attacks against the eistel-k construction by Hosoyamada and Sasaki [11], and Dong and Wang [8]. They combined the quantum distinguisher against the 3-round eistel cipher (see Sect. 3.1) with the Grover search. The attack is a quantum chosen-plaintext attack, and recovers the keys o the r-round eistel cipher in time Õ(2(r 3)n/4 ). Attack Idea. Given the quantum encryption oracle o the r-round eistel-k construction, run the ollowing procedures (on a quantum circuit). 1. Implement a quantum circuit which takes the intermediate state value ater the irst (r 3) rounds and the subkeys or the irst (r 3) rounds as input, computes the plaintext by decrypting the irst (r 3) rounds, makes a quantum query o the computed plaintext to the oracle, and returns the oracle output. The input and output o this circuit correspond to those o the last 3 rounds. We denote this circuit by E, which is depicted in ig. 5. 9

10 plaintext K 1 (guess) K r 3 (guess) α β corresponds to the last 3 rounds apply the 3-round distinguisher x decrypt with (r 3)-round subkeys guess query encryption oracle K 1 K r 3 K r 2 K r 1 K r ciphertext ig. 5. Construction o E in the key recovery attack against the r-round eistel-k construction. The ciphertext corresponds to the output o the 3-round eistel-k construction which takes (K r 2, K r 1, K r) as subkeys and (x, α β ) as input. 2. Guess the subkeys o the irst (r 3) rounds. 3. or each guess, check its correctness with the ollowing procedure. (a) Apply the 3-round distinguisher to E. (b) I the distinguisher returns that this is a random permutation, then judge that the guess is wrong. Otherwise judge that the guess is correct. Attack Complexity. The total length o the subkeys o the irst (r 3) rounds is ((r 3)n/2) bits. Thus the exhaustive search o the irst (r 3) rounds can be done in time O( 2 (r 3)n/2 ) by using the Grover search. Moreover, the 3-round distinguisher in the third step runs in time O(n) or each subkeys guess. The running time o the attack is O( 2 (r 3)n/2 ) O(poly(n)) = Õ(2(r 3)n/4 ). Although how to ormally combine the Grover search and the 3-round distinguisher is non-trivial, the technique developed by Leander and May [17] guarantees that those can be combined. See the previous papers [11,8] or details. 4 Relaxing Simon s Algorithm This section presents quantum distinguishers that are based on the relaxed version o Simon s algorithm [22]. In a nutshell, we discuss that it is enough to obtain several vectors that are orthogonal to the period, and thus we eliminate the need to recover the actual period. This is similar to the one by Santoli and Schaner [20], while we are dealing with a general class o block ciphers, and we also ormalize a suicient condition so that the distinguisher works. In more detail, instead o using the period or the basis o the distinguisher, we ocus on the dimension o the space spanned by the vectors y 1, y 2,... that are obtained by using S (recall that S is deined in Sect. 2.2). I has the non-zero period s, then the dimension is at most s 1, since the vectors y 1, y 2,... are all 10

11 orthogonal to the period s. On the other hand, as we prove in Theorem 2 below, i the unction does not have any period, the dimension o the space spanned by the vectors y 1, y 2,... can reach s with a high probability. In other words, we can distinguish by checking the dimension o the space spanned by the vectors y 1, y 2,... without computing the actual period s. Thus, there will not be a problem i there are several partial periods or periods other than s because our distinguisher does not need the period s. Note that this technique works only i we do not need the value o s. This technique cannot be applied to the key recovery attacks on Even-Mansour construction and orgery attacks on authentication and authenticated encryption schemes since the goal o these attacks needs s [13]. Below we ormally explain how our distinguisher works. Let O : {0, 1} n {0, 1} n be either an encryption scheme E K or a random permutation Π $ Perm(n), and suppose that the quantum oracles o O and O 1 are given. Our goal is to distinguish whether O = E K or O = Π. In what ollows, when we use the symbol π or a permutation, we consider that π is a ixed (or constant) permutation. Settings. Our distinguisher can be applied when there is a unction amily { π : {0, 1} l {0, 1} m } π Perm(n) that satisies the ollowing conditions: 1. There is a (classical) algorithm A that makes black-box access to π, π 1, and computes π. That is, or each permutation π, A π,π 1 computes π (x) i x is given as input. We assume that A makes O(1) queries and runs in time O(poly(l, m)). 2. or the encryption scheme E and any key K, E K has a period, i.e., there exists s {0, 1} l such that E K (x s) = E K (x) holds or all x (note that s depends on K). Moreover, inormally we expect that Π has no period with a high probability when Π is a random permutation. Note that the irst condition implies that we can make a quantum circuit that realizes the unitary operator U O : x z x z O (x) by making O(1) quantum queries to O and O 1, since any classical deterministic algorithm can be converted to a corresponding quantum algorithm. Description o the Distinguisher. Let S O be the unitary operator that is deined as in Sect. 2. Recall that S O = (H l I m ) U O (H l I m ). Our distinguisher is described in Algorithm 1. Analysis o the Distinguisher. Our distinguisher always returns the correct answer i O = E K, since by assumption, E K has a period or any K, and thus the dimension o the space spanned by Y becomes strictly less than l. Our distinguisher ails only i O = Π and the dimension o the space spanned by Y becomes less than l. Below we analyze the ailure probability, assuming that η (the number o iterations in Step 2) is suiciently large. 11

12 Algorithm 1 Distinguisher without recovering the period 1. Prepare an empty set Y. 2. or 1 i η, do: 3. Measure the irst l qubits o S O 0 l+m and add the obtained vector y to Y. 4. End or 5. Calculate the dimension d o the vector space spanned by Y. 6. I d = l, then output O is Π. I d < l, output O is E K. The ailure probability increases i the distribution o y in Step 3 is highly biased. Moreover, we obtain a vector y which is orthogonal [ to a partial period t o Π with a high probability in Step 3 i Pr x Π (x) = Π (x t) ] is large (i.e., t is close to a complete period) by deinition o S O. To capture how much the distribution o y is biased under the condition that random permutation Π matches a ixed permutation π, we introduce a parameter ɛ π deined as ɛ π = max Pr [ π (x) = π (x t)]. (4) t {0,1} l \{0 l } x We expect that, i π is chosen uniormly at random, this parameter ɛ π is small on average. Now take a small constant 0 δ < 1 arbitrarily and say that a permutation π is irregular i ɛ π > 1 δ, i.e., ɛπ is relatively large. In addition, deine the set o irregular permutations irr δ as irr δ = {π Perm(n) ɛ π > 1 δ}. (5) Our intuition is that the ailure probability becomes small i Pr Π [Π irr δ ] is suiciently small, and actually the ollowing theorem holds. Theorem 2. Let l and m be positive integers that are O(n). Assume that we have a quantum circuit with O(poly(l, m)) qubits which computes O by making O(1) queries to O, and runs in time T = T (l, m). Then, our distinguisher makes O(η) quantum queries, runs in time O(ηT + l 3 ), and distinguishes E K rom Π with probability at least 1 2 l /e δη/2 Pr Π [Π irrδ ]. (6) A proo is presented in Appendix B. This theorem guarantees that we can distinguish E K rom Π i 2 l /e δη/2 and Pr Π [Π irr δ ] are small. In later sections, we apply the above theorem with η = 2l/δ, in which case we have 2 l /e δη/2 = (2/e) l. I we use the technique by Kaplan et al. (Theorem 1) to analyze a success probability o a distinguisher, we have to upper bound the parameter ɛ( E K, s) that depends on the real construction E K, which may become hard i E K has a complex structure. On the other hand, our technique (Theorem 2) requires only upper bounds o the terms that are not related to the real construction. Thus our technique makes analysis o a distinguisher easier than the technique by Kaplan et al. We remark that the probability evaluation in the ideal case that is similar to the last term o equation (6) is needed in the previous works [15,13,7] as well. 12

13 ig. 6. The 4-round eistel- construction. i unc(n/2). 5 Quantum Distinguishing Attacks against eistel- In this section, we present our distinguisher against the 4-round eistel- construction with quantum chosen-ciphertext attacks. Based on this, we present in Sect. 6 quantum distinguishing attacks and key recovery attacks against the eistel-k construction. We write Ki as i. Note that i is still a keyed unction and the absence o K i does not imply that it is a keyless unction. Let 4 denote the encryption algorithm o the 4-round eistel- construction, and 1 4 denote its decryption algorithm. igure 6 illustrates 4. Let 1,..., 4 unc(n/2) be the round unctions o eistel-. 4 takes a plaintext (a, b) ({0, 1} n/2 ) 2 as input and outputs a ciphertext (c, d) ({0, 1} n/2 ) 2, where 4 : (a, b) (c, d) is c = a 1 (b) 3 (b 2 (a 1 (b))), ) d = b 2 (a 1 (b)) 4 (a 1 (b) 3 (b 2 (a 1 (b))). The decryption 1 4 : (c, d) (a, b) is deined as ) a = c 3 (d 4 (c)) 1 (d 4 (c) 2 (c 3 (d 4 (c))), b = d 4 (c) 2 (c 3 (d 4 (c))). Let Π $ Perm(n) be a random permutation and Π 1 be the inverse permutation o Π. Π takes a plaintext (a, b) ({0, 1} n/2 ) 2 as input and outputs a ciphertext (c, d) ({0, 1} n/2 ) 2, and Π 1 takes a ciphertext (c, d) as input and outputs a plaintext (a, b). Given the quantum oracles o O and O 1, where O is either the 4-round eistel- 4 or a random permutation Π $ Perm(n), our goal is to distinguish the two cases. We now construct the unction O to use Algorithm 1. We irst ix two arbitrary distinct constants α 0, α 1 {0, 1} n/2, and we deine the unction O as O : {0, 1} {0, 1} n/2 {0, 1} n/2 (β x) b α β, where (c, d) = O(x, α β ), (a, b) = O 1 (c, d α 0 α 1 ). That is, O is obtained by irst encrypting (x, α β ) to obtain the ciphertext (c, d), then decrypting (c, d α 0 α 1 ) to obtain the plaintext (a, b), and we deine O as b α β. 13

14 O (β x) ig. 7. The unction O with 4 and 1 4, where O is 4. Z β x O (β x) ig. 8. A circuit that is equivalent to O. I O is 4, then by connecting 4 and 1 4, our unction O can be illustrated as in ig. 7. We observe that 4 has no eect on the computation o O, and 1 in 1 4 does not contribute to O. They are shown in gray in ig. 7. We see that ig. 7 is equivalent to ig. 8, and the unction O is described as O (β x) = α 0 α 1 2 (x 1 (α β )) 2 (x 1 (α β ) 3 (α β 2 (x 1 (α β ))) ) 3 (α β α 0 α 1 2 (x 1 (α β ))). (7) Our main observation is the ollowing lemma. Lemma 2. I O = 4, O satisies O (β x) = O (β 1 x 1 (α 0 ) 1 (α 1 )). That is, O has the period s = 1 1 (α 0 ) 1 (α 1 ). Proo. Let Z β x = x 1 (α β ) (See ig. 8). We prove the lemma based on two claims. The irst claim is that Z β x already has the period s = 1 1 (α 0 ) 1 (α 1 ), and the second claim is that the subsequent computation o O does not depend on β nor x. irst, Z β x has the period s, since Z (β x) s = x 1 (α 0 ) 1 (α 1 ) 1 (α β 1 ) = x 1 (α β ) = Z β x. We next show that the subsequent computation o O does not depend on β nor x. I we describe O in equation (7) by using Z β x, then we obtain O (β x) = α 0 α 1 2 (Z β x ) 14

15 Now this is equivalent to ) 2 (Z β x 3 (α β 2 (Z β x )) 3 (α β α 0 α 1 2 (Z β x )). O (β x) = α 0 α 1 2 (Z β x ) ) 2 (Z β x 3 (α 0 2 (Z β x )) 3 (α 1 2 (Z β x )) (8) since {α β, α β α 0 α 1 } = {α 0, α 1 }. We see that O depends on Z β x that has the period s = 1 1 (α 0 ) 1 (α 1 ), and hence the lemma ollows. Thereore, we can construct a distinguisher against the 4-round eistel- construction by using the unction O. rom Theorem 2, the success probability o the distinguisher with measuring (2n + 4) times is 1 (2/e) n/2+1 Pr Π [Π irr 1/2 ], where we use δ = 1/2 and η = 2n + 4. It is clear that Pr Π [Π irr 1/2 ] is a small value, since it is highly unlikely that O obtained rom a random permutation has periods. In Appendix C, we present experimental results or small values o n to show that Pr Π [Π irr 1/2 ] is indeed a small value. 6 Quantum Attacks against eistel-k The distinguisher in the previous section can obviously be applied to the 4-round eistel-k construction, and we can distinguish it rom random permutations in polynomial time. Similarly to the previous key recovery attacks against the eistel-k [11,8] construction (see Sect. 3.2), our 4-round distinguisher can be combined with the Grover search to develop key recovery attacks. Our new key recovery attack recovers the keys o the r-round eistel-k construction in time Õ(2 (r 4)n/4 ) in the quantum CCA setting. Attack Idea. Our attack idea is almost the same as that o the previous attacks [11,8], except that our attack uses not only the encryption oracle but also the decryption oracle. Given the quantum encryption and decryption oracles o the r-round eistel-k construction, run the ollowing procedures (on a quantum circuit). 1. Implement a quantum circuit E that takes the intermediate state value ater the irst (r 4) rounds and the subkeys or the irst (r 4) rounds as input, and computes the last 4 rounds, in the same way as the irst step o the attack idea in Sect Implement a quantum circuit D that computes the inverse o E. That is, implement a quantum circuit which takes the ciphertext and the subkeys or the irst (r 4) rounds as input, makes a quantum decryption query o the ciphertext to the oracle to obtain the plaintext, 15

16 computes the intermediate state value ater the irst (r 4) rounds rom the plaintext and the subkeys or the irst (r 4) rounds, and returns the intermediate state. 3. Guess the subkeys o the irst (r 4) rounds. 4. or each guess, check its correctness with the ollowing procedure. (a) Apply the 4-round distinguisher to E and D. (b) I the distinguisher returns that this is a random permutation, then judge that the guess is wrong. Otherwise judge that the guess is correct. Attack Complexity. The length o the irst (r 4)-round subkeys is ((r 4)n/2) bits in total. Thus the exhaustive search on the irst (r 4) rounds can be done in time O( 2 (r 4)n/2 ) by using the Grover search. Moreover, the 4-round distinguisher in the ourth step runs in time O(n) or each candidate subkeys. Thereore the running time o the attack becomes O( 2 (r 4)n/2 ) O(poly(n)) = Õ(2 (r 4)n/4 ). Our new attack reduces the time complexity Õ(2(r 3)n/4 ) o the previous attacks to Õ(2(r 4)n/4 ), by using our new CCA 4-round distinguisher instead o the previous CPA 3-round distinguisher by Kuwakado and Morii. Our attack is a chosen-ciphertext attack unlike that the previous attacks are chosen-plaintext attacks, since our 4-round distinguisher is a CCA distinguisher. 7 Quantum Attacks against eistel-k In Sect. 7.1, we show a quantum distinguishing attack against eistel-k. Based on this, we present in Sect. 7.2 a key recovery attack. The main dierence rom the previous sections is that the number o the distinguishable rounds increases. In Sect. 7.3, we present a quantum chosen-plaintext attack. 7.1 Distinguishers against eistel-k We present our distinguisher against the 6-round eistel-k construction with quantum chosen-ciphertext attacks. This attack is based on the distinguisher against the 4-round eistel- construction described in Sect. 5. We increase the number o rounds by adding the irst and last rounds, and this is possible because we can compute the output o the irst unction and the last unction in encryption (or decryption) without knowing the subkeys. Let (a, b) ({1, 0} n/2 ) 2 denote a plaintext and (c, d) ({1, 0} n/2 ) 2 denote a ciphertext. Let K 6 : (a, b) (c, d) denote the encryption algorithm o the 6- round eistel-k construction, and K 1 6 : (c, d) (a, b) denote its decryption algorithm. igure 9 illustrates the 6-round eistel-k construction. Given the quantum oracles o O and O 1, we deine the unction O as O : {0, 1} {0, 1} n/2 {0, 1} n/2 (β x) a (b) α β where (c, d) = O(α β (x), x), 16

17 b a K 1 K 2 K 3 K 4 K 5 K 6 ig. 9. The 6-round eistel-k construction. α β K 1 d (c) α β (x) K 1 K 2 K 3 K 4 K 5 K 6 b d (c) O (β x) K 6 K 5 K 4 K 3 K 2 K 1 a ig. 10. The unction O with K 6 and K 1 6, where O is K6. c = c α 0 α 1 and d = d (c) (c α 0 α 1). (a, b) = O 1 (c α 0 α 1, d (c) (c α 0 α 1 )). I O is K 6, then our unction O can be illustrated as in ig. 10. We observe that the unctions shown in gray in ig. 10 and the subkeys K 6 have no eect on the computation o O. By connecting K 6 and K 1 6, we obtain ig. 11 that is equivalent to ig. 10. I we replace α β with α β K 1 and i (x) with (x) K i+1 in ig. 7, we see that ig. 7 is equivalent to ig. 11. Thereore, rom equation (7) and equation (8), the unction O is described as O (β x) = α 0 α 1 (x (α β K 1 ) K 2 ) (x (α β K 1 ) K 2 ( ) α 0 (x (α β K 1 ) K 2 ) K 3 ( ) ) α 1 (x (α β K 1 ) K 2 ) K 3 and it has the period s = 1 (α 0 K 1 ) (α 1 K 1 ). Thereore, we can construct a distinguisher against the 6-round eistel-k construction by using the unction O. rom Theorem 2, the success probability 17

18 K 1 O (β x) K 1 b K 2 K 3 K 4 K 5 K 5 K 4 K 3 K 2 ig. 11. A circuit that is equivalent to ig. 10. o the distinguisher with measuring (2n + 4) times is 1 (2/e) n/2+1 Pr Π [Π irr 1/2 ], where we set δ = 1/2 and η = 2n + 4. Note that Pr Π [Π irr 1/2 ] is a small value, as it is unlikely that O obtained rom a random permutation has periods. 7.2 Key Recovery Attacks against eistel-k Similarly to the key recovery attacks against the eistel-k construction in Sect. 6, the distinguisher introduced above can be combined with the Grover search to develop key recovery attacks. We can recover keys o the r-round eistel-k construction in time Õ(2(r 6)n/4 ) in the quantum CCA setting. Our attack idea ollows the attack against the eistel-k construction in Sect. 6. Recall that the attack in Sect. 6 guesses the irst (r 4)-round subkeys since a 4-round distinguisher is available. On the other hand, as or the eistel- K construction, we can use the 6-round distinguisher in Sect. 7.1 instead o the 4-round distinguisher. Hence it is suicient to guess only the irst (r 6)-round subkeys (instead o the irst (r 4)-round subkeys) when we attack the eistel- K construction. The time complexity o our attack becomes Õ(2(r 6)n/4 ), since the Grover search on the irst (r 6)-round subkeys ( (r 6)n 2 bits in total) requires O( 2 (r 6)n/2 ) = O(2 (r 6)n/4 ) evaluations. 7.3 Quantum CPA Attacks against eistel-k We can also construct a distinguisher and recover the key o the eistel-k construction in the quantum CPA setting. As in Sect. 7.1, we can construct a 5-round distinguisher by ollowing the 3-round distinguisher in Sect. 3.1 and by computing the output o the irst unction and the last unction in encryption. Speciically, we use (α β (x), x) as the input o the oracle O and use d (c) α β as the output o the unction O (β x), where (c, d) = O (α β (x), x). This unction has the period s = 1 (α 0 K 1 ) (α 1 K 1 ). Combined with the 5-round distinguisher, we can recover the subkeys o the r-round eistel-k construction as in Sect. 6. The time complexity o our key recovery attack is Õ(2(r 5)n/4 ), since the Grover search on the irst (r 5)-round subkeys ( (r 5)n 2 bits in total) requires O( 2 (r 5)n/2 ) = O(2 (r 5)n/4 ) evaluations. 18

19 8 Concluding Remarks In this paper, we irst ormalized a distinguishing algorithm against block ciphers that does not recover the period. We then considered quantum chosenciphertext attacks against eistel ciphers. We gave a new quantum CCA distinguisher against eistel ciphers that can distinguish more rounds than the previous CPA distinguishers. Our quantum CCA distinguishers can distinguish the 4-round eistel- and eistel-k constructions, and the 6-round eistel- K construction, rom random permutations in polynomial-time o the output size. Moreover, we extended the distinguishers to key recovery attacks or the eistel-k and eistel-k constructions. Our quantum CCA key recovery attacks against the r-round eistel-k and eistel-k constructions recover keys in time Õ(2(r 4)n/4 ) and Õ(2(r 6)n/4 ), and quantum CPA key recovery attacks against the r-round eistel-k constructions recover keys in time Õ(2(r 5)n/4 ), respectively. There are interesting open questions. irst, we still do not know the tight bound on the number o rounds that we can distinguish the eistel- construction. rom the result o Kuwakado and Morii, we know that the 3-round construction can be distinguished with quantum CPA, and this paper shows that the 4-round construction can be distinguished with quantum CCA. However, there is a possibility that these rounds can be extended, and deriving the tight number o rounds remains as a challenging question. Improving the complexity or extending the number o rounds o the attacks against eistel-k and eistel-k constructions is also an interesting question. Acknowledgments. The authors would like to thank participants o Dagstuhl seminar 18021, Symmetric Cryptography, or insightul eedback. We also would like to thank the anonymous reviewers o CT-RSA 2019 or helpul comments. Reerences 1. Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-bit block cipher suitable or multiple platorms - design and analysis. In: Stinson, D.R., Tavares, S.E. (eds.) SAC LNCS, vol. 2012, pp Springer (2000), 2. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK lightweight block ciphers. In: Proceedings o the 52nd Annual Design Automation Conerence. pp. 175:1 175:6. ACM (2015), doi.acm.org/ / Bonnetain, X.: Quantum Key-Recovery on ull AEZ. In: Adams, C., Camenisch, J. (eds.) SAC LNCS, vol , pp Springer (2017), org/ / _20 4. Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On Quantum Slide Attacks. IACR Cryptology eprint Archive 2018, 1067 (2018), /

20 5. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on eistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp Springer (2015), https: //doi.org/ / _21 6. Dong, X., Dong, B., Wang, X.: Quantum attacks on some eistel block ciphers. IACR Cryptology eprint Archive 2018, 504 (2018), / Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized eistel schemes. IACR Cryptology eprint Archive 2017, 1249 (2017), iacr.org/2017/ Dong, X., Wang, X.: Quantum key-recovery attack on eistel structures. IACR Cryptology eprint Archive 2017, 1199 (2017), Grover, L.K.: A ast quantum mechanical algorithm or database search. In: Miller, G.L. (ed.) STOC pp ACM (1996), Guo, J., Jean, J., Nikolic, I., Sasaki, Y.: Meet-in-the-middle attacks on generic eistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp Springer (2014), _ Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: Applications to 6-round generic eistel constructions. In: Catalano, D., Prisco, R.D. (eds.) SCN LNCS, vol , pp Springer (2018), https: //doi.org/ / _ Isobe, T., Shibutani, K.: Generic key recovery attack on eistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp Springer (2013), Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period inding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp Springer (2016), https: //doi.org/ / _8 14. Knudsen, L.R.: The security o eistel ciphers with six rounds or less. J. Cryptology 15(3), (2002), Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round eistel cipher and the random permutation. In: ISIT pp IEEE (2010), Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA pp IEEE (2012), / 17. Leander, G., May, A.: Grover meets Simon - Quantumly attacking the Xconstruction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol , pp Springer (2017), _6 18. Luby, M., Racko, C.: How to construct pseudorandom permutations rom pseudorandom unctions. SIAM J. Comput. 17(2), (1988), / National Bureau o Standards: Data encryption standard. IPS 46 (January 1977) 20. Santoli, T., Schaner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Inormation & Computation 17(1&2), (2017), 20

21 21. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: An ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES LNCS, vol. 6917, pp Springer (2011), _ Simon, D.R.: On the power o quantum computation. SIAM J. Comput. 26(5), (1997), Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., ischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp Springer (2015), Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The Simeck amily o lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES LNCS, vol. 9293, pp Springer (2015), _16 A Proo o Lemma 1 Proo. Suppose that β = β. Then we have O (β x) = O (β x ) P 2 (x P 1 (α β )) = P 2 (x P 1 (α β )) x = x since P 2 is a permutation. That is, in this case, we have β x = β x. Next, suppose that β = β 1. We have O (β x) = O (β x ) P 2 (x P 1 (α β )) = P 2 (x P 1 (α β 1 )) x = x P 1 (α β ) P 1 (α β 1 ) x = x P 1 (α 0 ) P 1 (α 1 ), where the last equivalence ollows rom {α β, α β α 0 α 1 } = {α 0, α 1 }. That is, β x = (β x) s. The other direction easily ollows as we have O ((β x) (1 P 1 (α 0 ) P 1 (α 1 ))) = P 2 (x P 1 (α 0 ) P 1 (α 1 ) P 1 (α β 1 )) = P 2 (x P 1 (α β )) = O (β x). Thereore, the lemma ollows. B Proo o Theorem 2 Proo. Remember that our distinguisher ails i and only i O = Π and the dimension o the space spanned by Y is less than l. Thus the ailure probability equals to [ Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] dim(span(y 1,..., y η )) l 1 21

22 [ = Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] dim(span(y 1,..., y η )) l 1 Π / irr δ [ + Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] dim(span(y 1,..., y η )) l 1 Π irr δ [ Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] dim(span(y 1,..., y η )) l 1 Π / irr δ [ ] + Pr Π $ Perm(n) : Π irr δ (9) The irst term o the right hand side o equation (9) is upper bounded as [ Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] dim(span(y 1,..., y η )) l 1 Π / irr δ [ Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : ] t {0, 1} l \{0 l Π } s.t. t y 1 t y η / irr δ [ Pr Π $ Perm(n), (y i, w i ) (measure S Π 0 l+m ) or 1 i η : t {0,1} l \{0 l } t {0,1} l \{0 l } 2 l max t {0,1} l \{0 l } t y 1 t y η Π / irr δ ] ( [ Pr Π $ Perm(n), (y, w) (measure S Π 0 l+m ) : ]) η t y Π / irr δ ( [ Pr Π $ Perm(n), (y, w) (measure S Π 0 l+m ) : ]) η t y Π / irr δ. Now we introduce the ollowing lemma, which is proven as a subordinate result in the proo o Theorem 1 in [13]. Lemma 3 (Kaplan et al. [13]). Let : {0, 1} l {0, 1} m be a ixed unction, and U : x y x y (x) be the corresponding unitary operator. Then, Pr [ (x, y) (measure S 0 l+m ) : x t ] = 1 2 holds or any t {0, 1} l. ( 1 + Pr [ x $ {0, 1} l : (x t) = (x) ]) 22

23 rom the above lemma it ollows that ( Pr 2 l max t {0,1} l \{0 l } [ Π $ Perm(n), (y, w) (measure S Π 0 l+m ) : ]) η t y Π / irr δ ( 1 ( [ = 2 l max 1 + Pr Π $ Perm(n), x $ {0, 1} l : t {0,1} l \{0 l } 2 ]) Π (x t) = Π ) η (x) Π / irr δ. (10) In addition, by assumption, or any ixed permutation π / irr δ it holds that [ ] Pr x $ {0, 1} l : π (x t) = π (x) = ɛ π 1 δ. Hence the right hand side o equation (10) is upper bounded by 2 l ( 1 2 (1 + (1 δ))) η = 2 l η (2 δ) η. Moreover, rom the act that (1 x) 1/x e holds or 0 < x < 1, we have 2 l η (2 δ) η 2 l ( (1 δ/2) 2/δ) δη/2 2l e δη/2. (11) Thereore, rom equations (9) and (11), the ailure probability o our algorithm is upper bounded by which completes the proo. 2 l + Pr e [Π δη/2 Π irrδ ], (12) C Experimental Results on Pr Π [Π irr 1/2 ] We present our experimental results about Pr Π [Π irr 1/2 ] where we use that is described in Sect. 5. or n = 4, 6, 8, we are interested in the number o permutations that belong to irr 1/2. or n = 4, there are (2 4 )! permutations, and it is possible to precisely derive the value o Pr Π [Π irr 1/2 ]. or n 6, it is not possible to exhaustively evaluate all the permutations. We thus generated permutations randomly and see i they belong to irr 1/2 or not. Our results are represented in Table 2 and Table 3. The exponent o the ratio is rounded o to the second decimal place. We see that Pr Π [Π irr 1/2 ] is already suiciently small or n = 4, and as n becomes larger, the ratio becomes even smaller. Note that or instance Pr Π [Π irr 1/2 ] = 0.8 is suiciently small or our distinguishing attack to practically succeed. In act, in this case, the success probability o our distinguisher is at least 0.2 (2/e) n/2+1 with δ = 1/2 and η = 2n + 4, which is suiciently large. 23