new algorithms for quantum symmetric cryptanalysis
play

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara - PowerPoint PPT Presentation

Jan 16, 2023 •970 likes •1.63k views

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

  1. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis María Naya-Plasencia 2 , André Schrottenloher 2 Joint work with André Chailloux 2 and Lorenzo Grassi 1 1 IAIK, Graz University of Technology, Austria 2 Inria, France May 19, 2019 M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 1/59

  2. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Outline Quantum-safe (Symmetric) Cryptography 1 Quantum Collision Search 2 Quantum k-xor Algorithms 3 M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 2/59

  3. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Quantum-safe (Symmetric) Cryptography M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 3/59

  4. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms (Pre-quantum) cryptography Enable secure communications even in the presence of malicious adversaries. Asymmetric (e.g. RSA) No shared secret / computationally costly Security based on well-known hard mathematical problems (e.g. factorization) Symmetric (e.g. AES) Shared secret / computationally efficient Ideal security defined by generic attacks (e.g. 2 | K | ) Need of continuous security evaluation (cryptanalysis) M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 4/59

  5. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms A typical symmetric primitive Ideal block cipher E K is a family of permutations of { 0 , 1 } n parameterized by K . Real block cipher: Typically built by iterating a round function Select a key K Decompose the message into n -bit blocks and use E K with a mode of operation M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 5/59

  6. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Generic attacks on ciphers The security provided by an ideal block cipher is defined by the best generic attack: exhaustive search for the key in 2 | K | Recovering the key from a secure cipher must be infeasible. Typical key sizes range from | K | = 128 to 256 bits. M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 6/59

  7. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Symmetric cryptanalysis The ideal security is defined by generic attacks (2 | K | ) Does real security meet this ideal security? We won’t know . . . without a continuous security evaluation. Any attack better than the generic one is considered a “break”. Cryptanalysis is an empirical measure of security. M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 7/59

  8. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms The security margin The security of a cipher is not a 1-bit information: e.g. round-reduced attacks. ⇒ determine and adapt the security margin. The best attacks find the highest number of rounds reached (regardless of the complexity) Allows to compare primitives M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 8/59

  9. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Quantum-safe (Symmetric) Cryptography M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 9/59

  10. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Post-quantum cryptography Asymmetric (e.g. RSA) Shor’s algorithm factorizes in polynomial time: this is not secure anymore. Actively looking for replacements (NIST call) Symmetric (e.g. AES) Exhaustive search in 2 | K | / 2 with Grover’s algorithm. Double the key length for equivalent ideal security. In both cases, lots of work regarding quantum attacks. M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 10/59

  11. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Many new results Breaking some classically secure constructions in some quantum adversary models Extending cryptanalysis studies to quantum adversaries Solving recurrent generic problems M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 11/59

  12. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Quantum search Find in S (of size 2 n ) an element x (2 t solutions) such that x satisfies some condition. � � 2 ( n − t ) / 2 Sampling + Checking � �� � � �� � � �� � 2 t solutions Produce the Test a among 2 n superposition of search space S in superposition x ∈ S M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 12/59

  13. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Two settings “Low-qubits” Only O ( n ) qubits, no qRAM access. ⇒ A quantum adversary from tomorrow. Exponential qRAM Read and write access in quantum superposition: � � | i � | 0 � → | i � | a i � i i M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 13/59

  14. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Quantum Collision Search with A. Chailloux, M. Naya-Plasencia M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 14/59

  15. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms The birthday problem Collision search Let H : { 0 , 1 } n → { 0 , 1 } n be a random function, find a collision of H , i.e. a pair x 1 , x 2 ∈ { 0 , 1 } n such that H ( x 1 ) = H ( x 2 ) . Numerous applications, e.g. generic attacks on hash functions. Classical time and queries: Θ( 2 n / 2 ) With 2 n / 2 queries, we can form 2 n pairs, an n -bit collision occurs w.h.p. We can do this in O ( n ) memory (Pollard’s rho) M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 15/59

  16. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Quantum algorithms for collisions Time Queries Qubits / Classical qRAM memory 2 n / 2 2 n / 2 Pollard 0 O ( n ) 2 n / 2 2 n / 2 Grover O ( n ) 0 2 n / 3 2 n / 3 2 n / 3 2 n / 3 Brassard, Høyer, Tapp 2 2 n / 3 2 n / 3 2 n / 3 BHT (*) O ( n ) M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 16/59

  17. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Collision search in a low-qubits setting Single-processor Only O ( n ) qubits No qRAM lookups M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 17/59

  18. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms A naive collision algorithm Perform ℓ arbitrary classical queries to H : H ( x 1 ) , . . . , H ( x ℓ ) . Search x ∈ { 0 , 1 } n such that: H ( x ) ∈ { H ( x 1 ) , . . . , H ( x ℓ ) } Optimal ℓ = 2 n / 2 : 2 n / 2 + 2 n 2 n / 2 M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 18/59

  19. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms A quantum collision algorithm Naive classical: Quantum (BHT): Perform ℓ arbitrary Perform ℓ arbitrary classical classical queries to H : queries to H : H ( x 1 ) , . . . , H ( x ℓ ) . H ( x 1 ) , . . . , H ( x ℓ ) . With Grover , search Search x ∈ { 0 , 1 } n such x ∈ { 0 , 1 } n such that that: H ( x ) ∈ { H ( x 1 ) , . . . , H ( x ℓ ) } . Optimal ℓ = 2 n / 3 : H ( x ) ∈ { H ( x 1 ) , . . . , H ( x ℓ ) } � � � 2 n Optimal ℓ = 2 n / 2 : n 2 + 1 + 1 3 ���� ���� 2 n / 3 � �� � 2 n / 2 + 2 n List qRAM Iterations lookup 2 n / 2 M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 19/59

  20. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms Removing qRAM We have a list L = { H ( x 1 ) , . . . , H ( x ℓ ) } , known classically, and want to compute: | y � | 0 � �→ | y � | y ∈ L � . With qRAM: build a data structure for L , compute membership in O ( log ℓ ) qRAM gates; Without qRAM: compare sequentially against elements of L . We compute: | y � | 0 � �→ | y � | ( y = H ( x 1 )) ∨ ( y = H ( x 2 )) . . . ∨ ( y = H ( x ℓ )) � in time � O ( ℓ ) . M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 20/59

  21. Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms BHT without quantum memory Queries: � 2 n / 3 + 2 n / 2 n / 3 ( 1 + 0 ) Time: 2 n / 3 + 2 n / 3 � 1 + 2 n / 3 � M. Naya-Plasencia, A. Schrottenloher Quantum (Symmetric) Cryptanalysis 21/59

Recommend

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC & SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees Trees Richard Cleve Dmitry Gavinsky D. L. Yonge-Mallo Institute for Quantum Computing, University of Waterloo January 30, 2008 TQC Tokyo,

842 views • 34 slides
Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

410 views • 38 slides
Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES - Arquitectura e C alculo May 2019 Quantum Algorithms The Deutsch-Jozsa Algorithm Quantum Search: Grover A quantum machine Structure of a quantum

1.08k views • 29 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese Gini University of Luxembourg June 27, 2019 NutMiC 1 / 20 Timeline 2016 NIST calling for quantum-resistant cryptographic algorithms for new

341 views • 31 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica

Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica

Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica dellUniversita di Bologna e Istituto Nazionale di Fisica Nucleare, Sezione di Bologna Scattering in PT-symmetric Quantum Mechanics 2 Summary

1.05k views • 77 slides
Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik,

Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik,

Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik, October 2, 2017 5 [Shor94], [Kitaev95], [Brassard/Hyer97], [ Eker ert /Mosca98] 6 Shors algorithm for dlogs: Step 1: Create

612 views • 33 slides
Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum algorithm? Classical Quantum 0101101 the rules: solve problem using sequence of local quantum gates the goal: use fewer gates than

1.11k views • 37 slides
Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017

Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017 Introduction Quantum Basics Grover Grover

1.45k views • 97 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Universal K-matrices for quantum symmetric pairs Martina Balagovi c (joint work with Stefan

Universal K-matrices for quantum symmetric pairs Martina Balagovi c (joint work with Stefan

Motto U q g and universal R-matrices Quantum symmetric pairs Universal K-matrices Universal K-matrices for quantum symmetric pairs Martina Balagovi c (joint work with Stefan Kolb) School of Mathematics and Statistics Newcastle University

575 views • 39 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

CLASSICAL BIT vs QUBIT Computation as physical process Concept of programmable matter Classical neural network Distance between quantum states Quantum algorithms Quantum Neural Networks From quantum hardware to quantum AI School of

322 views • 31 slides
6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue

6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue

Motivation Condition Vector Iteration QR Iteration Reduction Algorithms 6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue Problem Numerical Programming I (for CSE), Hans-Joachim Bungartz page 1

430 views • 28 slides
Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

QIS Workshop: Welcome Argonne PSE/CELS QIS Working Group Salman Habib CPS/HEP Divisions September 23, 2019 Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers Error correction Precision metrology

285 views • 6 slides

More recommend