Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Similar documents
Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Breaking Symmetric Cryptosystems Using Quantum Algorithms

arxiv: v3 [quant-ph] 31 Jan 2017

Quantum Differential and Linear Cryptanalysis

Grover s algorithm. We want to find aa. Search in an unordered database. QC oracle (as usual) Usual trick

DD2448 Foundations of Cryptography Lecture 3

Quantum-secure symmetric-key cryptography based on Hidden Shifts

The Random Oracle Model and the Ideal Cipher Model are Equivalent

CPA-Security. Definition: A private-key encryption scheme

Building Secure Block Ciphers on Generic Attacks Assumptions

Table Of Contents. ! 1. Introduction to AES

A survey on quantum-secure cryptographic systems

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

On the Round Security of Symmetric-Key Cryptographic Primitives

Modern Cryptography Lecture 4

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

A Domain Extender for the Ideal Cipher

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

The Pseudorandomness of Elastic Block Ciphers

Block Ciphers/Pseudorandom Permutations

Locality in Coding Theory

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

General Strong Polarization

ECS 189A Final Cryptography Spring 2011

A Brief Comparison of Simon and Simeck

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

Benes and Butterfly schemes revisited

BEYOND POST QUANTUM CRYPTOGRAPHY

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Security of Random Feistel Schemes with 5 or more Rounds

Chapter 2 Balanced Feistel Ciphers, First Properties

Characterization of EME with Linear Mixing

On Quantum Indifferentiability

Computational security & Private key encryption

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

On Post-Quantum Cryptography

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Enhancing the Signal to Noise Ratio

Cryptanalysis of block EnRUPT

III. Pseudorandom functions & encryption

Symmetric Encryption

Invariant Subspace Attack Against Full Midori64

CTR mode of operation

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Public Key Cryptography

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Lectures 2+3: Provable Security

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Lecture 14: Cryptographic Hash Functions

On Stream Ciphers with Small State

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

General Strong Polarization

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

1 Cryptographic hash functions

Known and Chosen Key Differential Distinguishers for Block Ciphers

Modern symmetric-key Encryption

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Chosen Ciphertext Security with Optimal Ciphertext Overhead

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Indistinguishability of the XOR of k permutations

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Towards Understanding the Known-Key Security of Block Ciphers

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Algebraic Techniques in Differential Cryptanalysis

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

On the Counter Collision Probability of GCM*

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

Symmetric key cryptography over non-binary algebraic structures

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

Private-Key Encryption

Provable Security in Symmetric Key Cryptography

10.4 The Cross Product

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

Efficient Identity-based Encryption Without Random Oracles

1 Number Theory Basics

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Block encryption of quantum messages

EME : extending EME to handle arbitrary-length messages with associated data

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Similarities between encryption and decryption: how far can we go?

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Public Key Cryptography

Cryptanalysis of the SIMON Family of Block Ciphers

Block ciphers And modes of operation. Table of contents

A Note on Quantum-Secure PRPs

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

1 Cryptographic hash functions

Modes of Operations for Wide-Block Encryption

Transcription:

SESSION ID: CRYP-R09 Quantum Chosen-Ciphertext Attacks against Feistel Ciphers Gembu Ito Nagoya University Joint work with Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki and Tetsu Iwata

Overview 3-round Feistel construction is a PRP, 4-round is an SPRP [LR88] Rounds 2 3 4 Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation [LR88] Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 1988. 1/49

Overview 3-round Feistel construction is not secure against quantum CPAs [KM10] Rounds 2 3 4 Classic Quantum CPA insecure CPA secure [LR88] CCA insecure QCPA insecure [KM10] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation CCA secure [LR88] [KM10] Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. ISIT 2010. 2/49

Overview 4-round Feistel construction is not secure against quantum CCAs Rounds 2 3 4 Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure 3/49

Overview 4-round Feistel construction is not secure against quantum CCAs Rounds 2 3 4 Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Extend to practical designs of Feistel ciphers (including key recovery attacks) 4/49

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Feistel Ciphers Feistel-F Construction nn-bit state is divided into nn/2-bit halves aa ii and bb ii, then bb ii+1 aa ii FF KKii bb ii, aa ii+1 bb ii FF KKii is a keyed function taking a subkey KK ii as input 7/49

Practical Designs of Feistel Ciphers Feistel-KF Construction DES, Camellia Feistel-FK Construction Piccolo, SIMON, Simeck Feistel-KF 8/49 Feistel-FK

Main Tool: Simon s algorithm [Sim97] Problem Given ff: {0,1} nn {0,1} nn such that there exists a non-zero period ss with ff xx = ff xx xx = xx ss for any distinct xx, xx {0,1} nn, the goal is to find ss OO 2 nn/2 queries in the classical setting Simon s algorithm [Sim97] can find ss with OO nn quantum queries [Sim97] Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5),1474 1483 (1997) 9/49

Main Tool: Simon s algorithm [Sim97] Many polynomial-time attacks using Simon s algorithm 3-round Feistel construction [KM10] Even-Mansour [KM12] LRW, various MACs, and CAESAR candidates [KLL+16] AEZ [Bon17] [KM12] H. Kuwakado and M. Morii. Security on the Quantum-Type Even-Mansour Cipher. ISITA 2012. [KLL+16] M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia. Breaking Symmetric Cryptosystems using Quantum Period Finding. CRYPTO 2016. [Bon17] Bonnetain, X.: Quantum Key-Recovery on Full AEZ. SAC 2017. 10/49

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Overview of the Distinguisher Given an oracle OO which is OO = EE KK or a random permutation Π Perm(nn), distinguish the two cases The adversary can make superposition queries to OO Distinguisher 1. Construct a function ff OO that has a period ss when OO is EE KK, and does not have any period when OO is Π 2. Check if ff OO has a period or not by using Simon s algorithm 12/49

Quantum Distinguisher against 3-round Feistel-F [KM10] αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx cc αα ββ 13/49

Quantum Distinguisher against 3-round Feistel-F [KM10] FF 3 does not contribute to ff OO Orange line and αα ββ cancel each other 14/49

Quantum Distinguisher against 3-round Feistel-F [KM10] 15/49

Quantum Distinguisher against 3-round Feistel-F [KM10] ff OO has a period ss = 11 FF 11 αα 00 FF 11 αα 11 ff OO ββ xx = FF 2 xx FF 1 αα ββ = FF 2 xx FF 1 αα 0 FF 1 αα 1 FF 1 αα ββ 1 = ff OO ββ 1 xx FF 1 αα 0 FF 1 αα 1 16/49

Key Recovery Attacks Distinguisher can be extended to key recovery attacks Key recovery attacks against Feistel-KF [HS18,DW17] Combining Grover search [Gro96] and the distinguisher Leander and May developed this technique [LM17] [HS18] Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: Applications to 6-round generic Feistel constructions. SCN 2018. [DW17] Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. IACR Cryptology eprint Archive 2017. [Gro96] Grover, L.K.: A fast quantum mechanical algorithm for database search. STOC 1996. [LM17] Leander, G., May, A.: Grover meets Simon - Quantumly attacking the FX-construction. ASIACRYPT 2017. 17/49

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Quantum Distinguisher against 4-round Feistel-F αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx bb αα ββ 19/49

Quantum Distinguisher against 4-round Feistel-F FF 4 has no effect Last FF 1 does not contribute to ff OO 20/49

Quantum Distinguisher against 4-round Feistel-F 21/49

Quantum Distinguisher against 4-round Feistel-F 22/49

Quantum Distinguisher against 4-round Feistel-F 23/49

Quantum Distinguisher against 4-round Feistel-F Computation after ZZ ββ xx does not depend on ββ, xx ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 24/49

Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } 25/49

Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } Computation after ZZ ββ xx does not depend on ββ, xx 26/49

Quantum Distinguisher against 4-round Feistel-F ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 since ZZ 0 xx ss = xx FF 1 αα 0 FF 1 αα 1 FF 1 αα 1 = xx FF 1 αα 0 = ZZ 0 xx 27/49

Relaxing Simon s Algorithm We know that ff(xx) = ff(xx ) xx = xx ss ff(xx) = ff(xx ) xx = xx ss may or may not hold We formalize a sufficient condition to eliminate the need to prove it 28/49

Relaxing Simon s Algorithm Simon s Algorithm uses the circuit SS ff that returns a vector yy ii that is orthogonal to all periods ss 1, ss 2, To recover ss from yy 1, yy 2,, ff has to satisfy ff xx = ff xx xx = xx ss 29/49

Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation 2017. 30/49

Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn Checking the dimension of the space spanned by yy 1, yy 2, Similar observation is pointed out in [SS17] We formalized a sufficient condition [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation 2017. 31/49

Relaxing Simon s Algorithm εε ff ππ = max Pr tt 0,1 ll {0 ll } xx [ffππ xx = ff ππ (xx xx)] (ππ is a fixed permutation) irr ff δδ = ππ Perm nn εε ff ππ > 1 δδ (δδ is a small constant 0 δδ < 1) Checking the dimension of the space spanned by yy 1, yy 2,, yy ηη Success probability is at least 1 2ll Pr eeδδδδ/2 [Π irr Π ff δδ ] [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation 2017. 32/49

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Quantum Attacks against Practical Designs The same distinguishing attack against Feistel-F can be used against Feistel-KF Extend to quantum distinguishing attacks against 6-round Feistel-FK Key recovery attacks against 7-round Feistel-KF and 9-round Feistel-FK 34/49

Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 35/49

Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 36/49

Quantum Distinguisher against 6-round Feistel-FK FF in gray and KK 6 has no effect 37/49

Quantum Distinguisher against 6-round Feistel-FK Connect 2 figures 38/49

Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher 39/49

Quantum Distinguisher against 6-round Feistel-FK 40/49

Quantum Distinguisher against 6-round Feistel-FK 41/49

Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher Replace αα ββ with αα ββ KK 1 Replace FF ii xx with FF xx KK ii+1 ss = 1 FF αα 0 KK 1 FF αα 1 KK 1 42/49

Key Recovery Attacks 1. Implement a quantum circuit E that takes the subkey for the first (rr 3) round and the value after the first (rr 3) round as input, and returns the oracle output 43/49

Key Recovery Attacks If the guess is correct = 44/49

Key Recovery Attacks 2. For each guess, apply the distinguisher to E 3. If the distinguisher returns that this is a random permutation, then judge the guess is wrong, otherwise the guess is correct. If the guess is correct = 45/49

Key Recovery Attacks Exhaustive search of the first (rr 3) round : OO by Grover search 2 rr 3 nn/2 3-round distinguisher : OO nn for each subkeys guess If the guess is correct = 46/49

Key Recovery Attacks Combining Grover search and the distinguisher 7-round Feistel-KF Construction Recover 7nn/2-bit key with OO 2 9-round Feistel-FK Construction Recover 9nn/2-bit key with OO 2 8-round Feistel-FK Construction Recover 8nn/2-bit key with OO 2 rr 4 nn/4 = rr 6 nn/4 = rr 5 nn/4 = OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CPAs) 47/49

Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks

Concluding Remarks Rounds 3 4 Classic CPA secure [LR88] CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Construction Feistel-KF Feistel-FK Distinguish 4-round 6-round Key Recovery 7-round 9-round (and 8-round QCPA) Open Questions Tight bound on the number of rounds that we can attack Feistel-F Improving the complexity or extending the number of rounds of the attacks against Feistel-KF and Feistel-FK 49/49

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback