Breaking Symmetric Cryptosystems using Quantum Period Finding (1602.05973v3)

Published 18 Feb 2016 in quant-ph and cs.CR

Abstract: Due to Shor's algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it. We study applications of a quantum procedure called Simon's algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon's algorithm: finding a collision requires $\Omega(2^{n/2})$ queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only $O(n)$ queries in the quantum model. We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure with a quantum-secure PRF. Second, we show that Simon's algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.

Citations (290)

Summary

  • The paper demonstrates a breakthrough by applying Simon's algorithm to achieve an exponential quantum speed-up, reducing attack complexity from O(2^(n/2)) to O(n).
  • The paper uncovers weaknesses in popular cryptographic modes like CBC-MAC, PMAC, GMAC, GCM, and OCB when exposed to quantum superposition queries.
  • The findings stress that merely expanding key lengths is insufficient against quantum attacks, urging the development of truly quantum-resistant cryptographic designs.

Quantum Period Finding in Symmetric Cryptosystems

Introduction

This paper explores the impact of quantum computing on symmetric cryptosystems, particularly through the lens of Simon's algorithm, a quantum algorithm pivotal in period finding. While Shor's algorithm's devastating effect on public key cryptography is well-documented, the quantum threat landscape for symmetric key cryptography remains underexplored. This research paper investigates how Simon's algorithm can be leveraged to break symmetric cryptographic primitives, create attacks with exponential speed improvements over classical approaches, and uncover vulnerabilities in widely deployed cryptographic modes.

Key Contributions

The paper makes several critical contributions to the field of post-quantum cryptography by extending classical cryptanalysis techniques into the quantum domain:

  1. Quantum Attacks on Cryptographic Constructions: The authors systematically analyze how Simon's algorithm, initially proposed for quantum period finding, can be applied to attack symmetric cryptographic systems. This extends previous work on the Even-Mansour construction and three-round Feistel networks, showing that classical collision-based attacks can become more potent with quantum resources.
  2. Mode of Operation Vulnerabilities: The paper reveals profound weaknesses in some of the most widely used modes of operation for message authentication and authenticated encryption when faced with quantum adversaries. It asserts that modes like CBC-MAC, PMAC, GMAC, GCM, and OCB are completely broken in this model. The paper explicitly demonstrates that these classical modes, when exposed to attacks that allow superposition queries to the cryptographic oracle, succumb with a drastically reduced query complexity: from $\Omega(2^{n/2})$ in the classical setting down to $O(n)$ in the quantum setting.
  3. Implications for Symmetric Cryptanalysis: One significant theoretical advancement in this work involves demonstrating that not only are classical primitives insufficient against quantum attacks, but that the rapid acquisition of information about secret keys via quantum methods undermines the assumption that simply expanding key lengths will offer security.
  4. Slide Attacks with Quantum Speed-up: The research gives the first exponential quantum speed-up of a classical symmetric cryptanalysis technique, slide attacks, by reducing their complexity from $O(2^{n/2})$ to $O(n)$. This marks a new class of cryptographic vulnerabilities that opens further avenues for quantum-based analyses.
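To make the "hidden periodicity" of contribution 2 concrete, here is an added illustration (not code from the paper) of the two-block CBC-MAC case: the attacker fixes two first blocks alpha_0 and alpha_1, so the function f(b || x) = CBC-MAC(alpha_b || x) has the secret period s = 1 || (E_k(alpha_0) xor E_k(alpha_1)), and Simon's algorithm recovers s from O(n) samples of vectors y with y.s = 0 over GF(2). Assumptions of my own: an 8-bit random permutation stands in for the block cipher E_k, the two alpha blocks are 0x00 and 0x01, and the quantum step is replaced by a classical simulation of one Simon query's output distribution (the exponential classical cost of that step is exactly what the quantum computer removes).

```python
import random

N = 8                                  # toy block size in bits (the paper's targets use n = 128)
rng = random.Random(1)
PERM = rng.sample(range(1 << N), 1 << N)
E = PERM.__getitem__                   # toy "block cipher" E_k: a fixed random permutation of N-bit blocks

def cbc_mac(blocks):                   # plain CBC-MAC: zero IV, no final transform (the variant attacked)
    state = 0
    for m in blocks:
        state = E(state ^ m)
    return state

ALPHA = (0x00, 0x01)                   # two distinct attacker-chosen first blocks (constructed values)

def f(z):
    """f(b||x) = CBC-MAC(alpha_b || x) = E(x ^ E(alpha_b)); z packs b in bit N and x in the low N bits.
    Hidden period s = 1 || (E(alpha_0) ^ E(alpha_1)): f(z) == f(z ^ s) for every z."""
    return cbc_mac([ALPHA[z >> N], z & ((1 << N) - 1)])

def expected_period():
    return (1 << N) | (E(ALPHA[0]) ^ E(ALPHA[1]))

def simon_sample(func, n):
    """Classical stand-in for ONE Simon query (2^n work here; a single superposition query on a quantum machine).
    Output y has nonzero amplitude only if sum over the preimage {z0, z0^s} of (-1)^{y.z} != 0, i.e. iff y.s = 0."""
    z0 = rng.getrandbits(n)
    preimage = [z for z in range(1 << n) if func(z) == func(z0)]
    while True:
        y = rng.getrandbits(n)
        if sum((-1) ** (bin(y & z).count("1") & 1) for z in preimage) != 0:
            return y

def recover_period(func, n):
    """Simon post-processing: collect y's until y.s = 0 has rank n-1 over GF(2), then solve; returns (s, queries)."""
    piv, queries = {}, 0               # reduced row-echelon basis: pivot column -> row (bits as int)
    while len(piv) < n - 1:
        r, queries = simon_sample(func, n), queries + 1
        for c, row in piv.items():     # eliminate existing pivot columns from the new row
            if r >> c & 1:
                r ^= row
        if r:                          # new independent equation: make it a pivot, keep others reduced
            c = r.bit_length() - 1
            piv = {k: row ^ r if row >> c & 1 else row for k, row in piv.items()}
            piv[c] = r
    free = next(c for c in range(n) if c not in piv)
    s = 1 << free                      # one free variable: set it to 1, each pivot bit follows from it
    for c, row in piv.items():
        s |= ((row >> free) & 1) << c
    return s, queries
```

`recover_period(f, N + 1)` returns the period together with the number of simulated queries, which stays close to n = N + 1 rather than 2^{N/2}; with the period in hand, the paper's forgery follows because any two messages differing by s collide under the MAC.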

Theoretical and Practical Implications

The consequences of this research are multifaceted, influencing both theoretical and practical domains in post-quantum cryptography:

  • Theoretical Frameworks: By extending Simon's algorithm to handle approximate promise, the paper expands our understanding of potential quantum cryptanalysis applications. It establishes that the existing cryptographic notions must be reevaluated to accommodate quantum computational models, creating a rich area for developing quantum-resistant algorithmic strategies.
  • Practical Cryptography: On a practical note, the findings stress the urgency for the cryptographic community to pivot towards designs that inherently resist quantum attacks, as existing systems fall apart under quantum scrutiny.

Future Directions

The insights provided by this research prompt several directions for future work:

  • Developing Robust Quantum-Resistant Cryptosystems: The findings call for frameworks that are resilient to both classical and quantum attacks. This necessitates designing new schemes that remain secure even when general-purpose quantum computers are realized.
  • Further Exploration of Quantum Speed-ups: The exploration of additional classical cryptanalysis techniques for potential quantum speed-ups could uncover further vulnerabilities in existing systems.
  • Secure Implementation Considerations: Beyond theoretical vulnerability, ensuring that cryptosystems can be securely implemented in real-world quantum contexts poses another layer of complexity that must be investigated, particularly given the high sensitivity of quantum operations to environmental noise.

In conclusion, this paper strongly articulates the urgent need for revised cryptographic strategies in the face of quantum advancements, fundamentally challenging the current assumptions and necessitating a leap toward secure cryptographic protocols within the field of quantum computing. Dissecting and understanding the nuances of these quantum attacks will be essential as we approach a future intertwined with quantum technologies.