Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Transcription

1 SESSION ID: CRYP-R09 Quantum Chosen-Ciphertext Attacks against Feistel Ciphers Gembu Ito Nagoya University Joint work with Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki and Tetsu Iwata

2 Overview 3-round Feistel construction is a PRP, 4-round is an SPRP [LR88] Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation [LR88] Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput /49

3 Overview 3-round Feistel construction is not secure against quantum CPAs [KM10] Rounds Classic Quantum CPA insecure CPA secure [LR88] CCA insecure QCPA insecure [KM10] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation CCA secure [LR88] [KM10] Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. ISIT /49

4 Overview 4-round Feistel construction is not secure against quantum CCAs Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure 3/49

5 Overview 4-round Feistel construction is not secure against quantum CCAs Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Extend to practical designs of Feistel ciphers (including key recovery attacks) 4/49

6 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

7 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

8 Feistel Ciphers Feistel-F Construction nn-bit state is divided into nn/2-bit halves aa ii and bb ii, then bb ii+1 aa ii FF KKii bb ii, aa ii+1 bb ii FF KKii is a keyed function taking a subkey KK ii as input 7/49

9 Practical Designs of Feistel Ciphers Feistel-KF Construction DES, Camellia Feistel-FK Construction Piccolo, SIMON, Simeck Feistel-KF 8/49 Feistel-FK

10 Main Tool: Simon s algorithm [Sim97] Problem Given ff: {0,1} nn {0,1} nn such that there exists a non-zero period ss with ff xx = ff xx xx = xx ss for any distinct xx, xx {0,1} nn, the goal is to find ss OO 2 nn/2 queries in the classical setting Simon s algorithm [Sim97] can find ss with OO nn quantum queries [Sim97] Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), (1997) 9/49

11 Main Tool: Simon s algorithm [Sim97] Many polynomial-time attacks using Simon s algorithm 3-round Feistel construction [KM10] Even-Mansour [KM12] LRW, various MACs, and CAESAR candidates [KLL+16] AEZ [Bon17] [KM12] H. Kuwakado and M. Morii. Security on the Quantum-Type Even-Mansour Cipher. ISITA [KLL+16] M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia. Breaking Symmetric Cryptosystems using Quantum Period Finding. CRYPTO [Bon17] Bonnetain, X.: Quantum Key-Recovery on Full AEZ. SAC /49

12 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

13 Overview of the Distinguisher Given an oracle OO which is OO = EE KK or a random permutation Π Perm(nn), distinguish the two cases The adversary can make superposition queries to OO Distinguisher 1. Construct a function ff OO that has a period ss when OO is EE KK, and does not have any period when OO is Π 2. Check if ff OO has a period or not by using Simon s algorithm 12/49

14 Quantum Distinguisher against 3-round Feistel-F [KM10] αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx cc αα ββ 13/49

15 Quantum Distinguisher against 3-round Feistel-F [KM10] FF 3 does not contribute to ff OO Orange line and αα ββ cancel each other 14/49

16 Quantum Distinguisher against 3-round Feistel-F [KM10] 15/49

17 Quantum Distinguisher against 3-round Feistel-F [KM10] ff OO has a period ss = 11 FF 11 αα 00 FF 11 αα 11 ff OO ββ xx = FF 2 xx FF 1 αα ββ = FF 2 xx FF 1 αα 0 FF 1 αα 1 FF 1 αα ββ 1 = ff OO ββ 1 xx FF 1 αα 0 FF 1 αα 1 16/49

18 Key Recovery Attacks Distinguisher can be extended to key recovery attacks Key recovery attacks against Feistel-KF [HS18,DW17] Combining Grover search [Gro96] and the distinguisher Leander and May developed this technique [LM17] [HS18] Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: Applications to 6-round generic Feistel constructions. SCN [DW17] Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. IACR Cryptology eprint Archive [Gro96] Grover, L.K.: A fast quantum mechanical algorithm for database search. STOC [LM17] Leander, G., May, A.: Grover meets Simon - Quantumly attacking the FX-construction. ASIACRYPT /49

19 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

20 Quantum Distinguisher against 4-round Feistel-F αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx bb αα ββ 19/49

21 Quantum Distinguisher against 4-round Feistel-F FF 4 has no effect Last FF 1 does not contribute to ff OO 20/49

22 Quantum Distinguisher against 4-round Feistel-F 21/49

23 Quantum Distinguisher against 4-round Feistel-F 22/49

24 Quantum Distinguisher against 4-round Feistel-F 23/49

25 Quantum Distinguisher against 4-round Feistel-F Computation after ZZ ββ xx does not depend on ββ, xx ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 24/49

26 Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } 25/49

27 Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } Computation after ZZ ββ xx does not depend on ββ, xx 26/49

28 Quantum Distinguisher against 4-round Feistel-F ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 since ZZ 0 xx ss = xx FF 1 αα 0 FF 1 αα 1 FF 1 αα 1 = xx FF 1 αα 0 = ZZ 0 xx 27/49

29 Relaxing Simon s Algorithm We know that ff(xx) = ff(xx ) xx = xx ss ff(xx) = ff(xx ) xx = xx ss may or may not hold We formalize a sufficient condition to eliminate the need to prove it 28/49

30 Relaxing Simon s Algorithm Simon s Algorithm uses the circuit SS ff that returns a vector yy ii that is orthogonal to all periods ss 1, ss 2, To recover ss from yy 1, yy 2,, ff has to satisfy ff xx = ff xx xx = xx ss 29/49

31 Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49

32 Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn Checking the dimension of the space spanned by yy 1, yy 2, Similar observation is pointed out in [SS17] We formalized a sufficient condition [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49

33 Relaxing Simon s Algorithm εε ff ππ = max Pr tt 0,1 ll {0 ll } xx [ffππ xx = ff ππ (xx xx)] (ππ is a fixed permutation) irr ff δδ = ππ Perm nn εε ff ππ > 1 δδ (δδ is a small constant 0 δδ < 1) Checking the dimension of the space spanned by yy 1, yy 2,, yy ηη Success probability is at least 1 2ll Pr eeδδδδ/2 [Π irr Π ff δδ ] [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49

34 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

35 Quantum Attacks against Practical Designs The same distinguishing attack against Feistel-F can be used against Feistel-KF Extend to quantum distinguishing attacks against 6-round Feistel-FK Key recovery attacks against 7-round Feistel-KF and 9-round Feistel-FK 34/49

36 Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 35/49

37 Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 36/49

38 Quantum Distinguisher against 6-round Feistel-FK FF in gray and KK 6 has no effect 37/49

39 Quantum Distinguisher against 6-round Feistel-FK Connect 2 figures 38/49

40 Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher 39/49

41 Quantum Distinguisher against 6-round Feistel-FK 40/49

42 Quantum Distinguisher against 6-round Feistel-FK 41/49

43 Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher Replace αα ββ with αα ββ KK 1 Replace FF ii xx with FF xx KK ii+1 ss = 1 FF αα 0 KK 1 FF αα 1 KK 1 42/49

44 Key Recovery Attacks 1. Implement a quantum circuit E that takes the subkey for the first (rr 3) round and the value after the first (rr 3) round as input, and returns the oracle output 43/49

45 Key Recovery Attacks If the guess is correct = 44/49

46 Key Recovery Attacks 2. For each guess, apply the distinguisher to E 3. If the distinguisher returns that this is a random permutation, then judge the guess is wrong, otherwise the guess is correct. If the guess is correct = 45/49

47 Key Recovery Attacks Exhaustive search of the first (rr 3) round : OO by Grover search 2 rr 3 nn/2 3-round distinguisher : OO nn for each subkeys guess If the guess is correct = 46/49

48 Key Recovery Attacks Combining Grover search and the distinguisher 7-round Feistel-KF Construction Recover 7nn/2-bit key with OO 2 9-round Feistel-FK Construction Recover 9nn/2-bit key with OO 2 8-round Feistel-FK Construction Recover 8nn/2-bit key with OO 2 rr 4 nn/4 = rr 6 nn/4 = rr 5 nn/4 = OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CPAs) 47/49

49 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

50 Concluding Remarks Rounds 3 4 Classic CPA secure [LR88] CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Construction Feistel-KF Feistel-FK Distinguish 4-round 6-round Key Recovery 7-round 9-round (and 8-round QCPA) Open Questions Tight bound on the number of rounds that we can attack Feistel-F Improving the complexity or extending the number of rounds of the attacks against Feistel-KF and Feistel-FK 49/49