Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work - PowerPoint PPT Presentation

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Outline Introduction 1 Quantum Basics 2 Grover 3 Grover and Simon on Symmetric Crypto 4 The FX Construction 5 Conclusion 6

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Main Message Quantum attacks on symmetric schemes understudied. Basic conclusion is: double the key-length. Two most popular generic ways of doing so: Multiple-encryption FX-construction Both not as good as you might think. Multiple encryption: Kaplan 2014 FX construction: This talk

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion My Master Thesis (I/II)

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion My Master Thesis(II/II)

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Outline Introduction 1 Quantum Basics 2 Grover 3 Grover and Simon on Symmetric Crypto 4 The FX Construction 5 Conclusion 6

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion From Bits to Qubits One Qubit The state x of one Qubit is a unit vector in C 2 . Just notation: � 1 � 0 � � | 0 � = and | 1 � = 0 1 Examples for states: x 0 = | 0 � ≈ 0 x 1 = | 1 � ≈ 1 x 2 = α 0 | 0 � + α 1 | 1 � ≈ ? where || α 0 || 2 + || α 1 || 2 = 1

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Two Qubits Two Qubits The state x of two Qubits is a unit vector in C 2 ⊗ C 2 ∼ = C 4 . (Not) just notation:     1 0 0 1     | 0 � | 0 � = | 00 � = and | 0 � | 1 � = | 01 � =     0 0     0 0     0 0 0 0     | 1 � | 0 � = | 10 � = and | 1 � | 1 � = | 11 � =     1 0     0 1

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Two Qubits Two Qubits The state x of two Qubits is a unit vector in C 2 ⊗ C 2 ∼ = C 4 . Examples for states: x 0 = | 00 � ≈ 00 x 1 = | 10 � ≈ 10 x 2 = α 00 | 00 � + α 01 | 01 � + α 10 | 10 � + α 11 | 11 � ≈ ? where || α 00 || 2 + || α 01 || 2 + || α 10 || 2 + || α 11 || 2 = 1

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion n Qubits n Qubits C 2 � ⊗ n ∼ = C 2 n . � The state x of n Qubits is a unit vector in Notation For x ∈ F n 2 we denote | x � = | x 1 , . . . , x n � = | x 1 � . . . | x n � = e x Examples: � φ 1 = | x � ≈ x or φ 2 = α x | x � ≈ ? x ∈ F n 2 where || α x || 2 = 1 � x ∈ F n 2

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Computation: The principle Given a quantum computer with n Qubits. � φ = α x | x � x ∈ F n 2 How do we conpute on that? How does the state change?

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Computation: The principle Given a quantum computer with n Qubits. � φ = α x | x � x ∈ F n 2 How do we conpute on that? How does the state change? Computation = Unitary Matrices Any computation on a Quantum Computer corresponds to applying an unitary matrix. Evolution of the state: φ ⇒ U φ As U is unitary: || φ || 2 = ||U φ || 2 = 1

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Example: XOR Two Qubit XOR: XOR Find U such that | ab � = | a � | b � �→ | a � | a ⊕ b �

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Example: XOR Two Qubit XOR: XOR Find U such that | ab � = | a � | b � �→ | a � | a ⊕ b � On the basis we get: U | 00 � = | 00 � U | 01 � = | 01 � U | 10 � = | 11 � U | 11 � = | 10 �

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Example: XOR Two Qubit XOR: XOR Find U such that | ab � = | a � | b � �→ | a � | a ⊕ b �

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Example: XOR Two Qubit XOR: XOR Find U such that | ab � = | a � | b � �→ | a � | a ⊕ b � A permutation matrix:  1 0 0 0  0 1 0 0   U =   0 0 0 1   0 0 1 0

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion More general: Boolean Function n Qubit Boolean Function: f : F n 2 → F 2 U f on ( n + 1 ) Qubits Find U f such that for all a ∈ F n 2 and b ∈ F 2 : | ab � = | a � | b � �→ | a � | f ( a ) ⊕ b � U f is quantum version of f Again a permutation matrix Efficient if f is efficient on classical computers.

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Non classical: Conditional Flip One Qubit, no classical equivalent: Phase flipping Consider U such that | a � �→ ( − 1 ) a | a � U | 0 � = | 0 � U | 1 � = − | 1 � As a matrix: � 1 � 0 U = − 1 0

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Last but not least: Hadamard One one Qubit, again no classical equivalent: Hadamard (ignoring scaling) Consider U such that | a � �→ | 0 � + ( − 1 ) a | 1 � U | 0 � = | 0 � + | 1 � U | 1 � = | 0 � − | 1 � As a matrix: � 1 � 1 U = 1 − 1

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Last but not least: Hadamard Generalization to n Qubits: Hadamard on n Qubits Consider H ⊗ n such that ( − 1 ) � a , x � | x � � | a � �→ x H ⊗ n is H applied to each Qubit. Thus, it is efficient if H is. Special case: H ⊗ n | 0 � = � | x � x ∈ F n 2

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion All Executions at Once A small example Putting things together: First H , then U f . � | 0 � | 0 � �→ | x � | 0 � x ∈ F n 2 � �→ | x � | f ( x ) � x ∈ F n 2 We evaluated a function on all inputs at once! Invisible We cannot classicaly use the result w/o measuring.

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Measurement Make it classical In order to use the output of a QC classically, we have to measure the state. Consider an n -Qubit state: � φ = α x | x � x ∈ F n 2 Measurement The measurement M ( φ ) of φ results in x with probability || α x || 2 .

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Measurement Example on two Qubits 1 | 00 � − 1 x = √ √ | 11 � 2 2 M ( φ ) = 00 with probability 1 / 2 M ( φ ) = 11 with probability 1 / 2 M ( φ ) = 10 with probability 0 M ( φ ) = 00 with probability 0 Task of Quantum Computing Make the correct/interessting result appear with overwhelming probability.

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Outline Introduction 1 Quantum Basics 2 Grover 3 Grover and Simon on Symmetric Crypto 4 The FX Construction 5 Conclusion 6

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion The Setting Generic Search Problem Given f : F n 2 → F 2 such that � 1 if x = x 0 f ( x ) = 0 if x � = x 0 find x 0 . Classically: We need O ( 2 n ) evaluations of f . Grover’s Solution On a quantum computer, we get away with running time O ( 2 n / 2 ) !

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion The Components Hadamard H ⊗ n ( − 1 ) � a , x � | x � � | a � �→ x U f as phase flipping | x � �→ ( − 1 ) f ( x ) | x � Missing piece: Reflection across the mean of α x .

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Reflection Across the Mean Unitary Reflection Map We consider the mapping R = 2 P − I where � 1 � P = 2 n i , j ∈{ 1 .. 2 n } Applied to φ = � x α x | x � we get ( R φ ) j = ( P − ( I − P ) φ ) j = α − ( α j − α ) where α = 1 � α x 2 n x Not discussed here: R is efficient if H is.

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Grover’s Algorithm Grover’s Algorithm Start with | 0 � 1 Apply H ⊗ n 2 Repeat t times 3 Apply U f as phase flipping 1 Apply reflection R 2 Measure the state. 4 If t ≈ 2 n / 2 then result is x 0 with high probability. Proof No. But pictures.