quantum difgerential and linear cryptanalysis
play

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential - PowerPoint PPT Presentation

May 23, 2023 •30 likes •410 views

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

  1. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 , 2 Gaëtan Leurent 3 Anthony Leverrier 3 María NayaPlasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria Paris FSE 2017

  2. Introduction Brute-force Difgerential Truncated difgerential Conclusion Motivation What would be the impact of quantum computers on symmetric cryptography? Kaplan, Leurent, Leverrier & Naya-Plasencia Quantum Difgerential and Linear Cryptanalysis FSE 2017 2 / 25 ▶ Some physicists think they can build quantum computers ▶ NSA thinks we need quantumresistant crypto (or do they?)

  3. Introduction Brute-force Difgerential Truncated difgerential Conclusion Motivation What would be the impact of quantum computers on symmetric cryptography? Kaplan, Leurent, Leverrier & Naya-Plasencia Quantum Difgerential and Linear Cryptanalysis FSE 2017 2 / 25 ▶ Some physicists think they can build quantum computers ▶ NSA thinks we need quantumresistant crypto (or do they?)

  4. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  5. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  6. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  7. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  8. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 4 / 25 Main question Conclusion Overview of the talk Difgerential Truncated difgerential Is AES secure in a quantum setting? ▶ Symmetric design are evaluated with cryptanalysis: ▶ Differential (truncated, impossible, ...) ▶ Linear ▶ Integral ▶ Algebraic ▶ ... ▶ We should study quantum cryptanalysis! ▶ Start with classical techniques ▶ Do we get a quadratic speedup? ▶ Do we need a quantum encryption oracle? ▶ How are different cryptanalysis techniques affected?

  9. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 5 / 25 Security notions: Classical Conclusion Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Classical setting: classical computations ▶ Classical security: classical queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k P , P − 1 ▶ success > 3 / 4 y x cipher / random

  10. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 6 / 25 Conclusion Security notions: Quantum Q1 Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Quantum setting: quantum computations ▶ Classical security: classical queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k / 2 P , P − 1 ▶ success > 3 / 4 y x Q cipher / random

  11. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 7 / 25 Conclusion Security notions: Quantum Q2 Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Quantum setting: quantum computations ▶ Quantum security: quantum (superposition) queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k / 2 P , P − 1 ▶ success > 3 / 4 ∑ x 𝜔 x | x ⟩| 0 ⟩ ∑ x 𝜔 x | x ⟩| P ( x )⟩ Q cipher / random

  12. Introduction Q2 model: superposition queries FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 8 / 25 Q1 model: classical queries About the models Conclusion Truncated difgerential Difgerential ▶ Build a quantum circuit from classical values ▶ Example: breaking RSA with Shor’s algorithm ▶ Access quantum circuit implementing the primitive with a secret key ▶ Example: breaking CBCMAC with Simon’s algorithm ▶ The Q2 model is very strong for the adversary ▶ Simple and clean generalisation of classical oracle ▶ Aim for security in the strongest (nontrivial) model ▶ A Q2secure block cipher is useful for security proofs of modes

  13. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Conclusion Truncated difgerential Difgerential Brute-force Introduction Outline Conclusion Truncated difgerential Difgerential 8 / 25 Quantum Computing Grover’s algorithm Distinguisher Lastround attack Distinguisher Lastround attack

  14. Introduction Classical algorithm FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 9 / 25 Difgerential Grover’s algorithm Truncated difgerential Conclusion ▶ Search for a marked element in a set X ▶ Set of marked elements M , with | M | ≥ 𝜁 ⋅ | X | 1: loop x ← Setup () ▷ Pick a random element in X , cost S 2: if Check( x ) then ▷ Check if it is marked, cost C 3: return x 4: ▶ 1 /𝜁 repetitions expected ▶ Complexity ( S + C )/𝜁

  15. Introduction Grover Algorithm (as a quantum walk) FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 9 / 25 Conclusion Grover’s algorithm Truncated difgerential Difgerential ▶ Search for a marked element in a set X ▶ Set of marked elements M , with | M | ≥ 𝜁 ⋅ | X | Quantum algorithm to find a marked element using: ▶ Setup: builds a uniform superposition of inputs in X ▶ Check: applies a controlphase gate to the marked elements ▶ Only 1 /√𝜁 repetitions needed ▶ Complexity ( S + C )/√𝜁 ▶ Can produce a uniform superposition of M ▶ Can provide an oracle without measuring (nesting) ▶ Variant to measure 𝜁 (quantum counting)

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije

The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije

The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije Universiteit Brussel / University of Pennsylvania June 24, 2019 YITP, Kyoto Quantum Information and String Theory 2019 1812.06985 w/ V.

468 views • 19 slides
Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma

540 views • 17 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen

Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen

Workshop On Uncertain Dynamical Systems Udine 2011 1 Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen School of Engineering and Information Technology, University of New South Wales @ the

814 views • 40 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik,

Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik,

Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / Leibniz-Zentrum fr Informatik, October 2, 2017 5 [Shor94], [Kitaev95], [Brassard/Hyer97], [ Eker ert /Mosca98] 6 Shors algorithm for dlogs: Step 1: Create

612 views • 33 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Efgicient linear computation of the characteristic polynomials of the p -curvatures of a

Efgicient linear computation of the characteristic polynomials of the p -curvatures of a

. . . . . . . . . . . . Introduction . Mathematical theory Algorithm Efgicient linear computation of the characteristic polynomials of the p -curvatures of a difgerential operator with integer coefgicients. Seminar LFANT Raphal

1.77k views • 127 slides
Linear Cryptanalysis of MORUS Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Ga etan

Linear Cryptanalysis of MORUS Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Ga etan

Linear Cryptanalysis of MORUS Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Ga etan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, Beno t Viguier Asiacrypt, December 4, 2018 1 / 16 Paper collision Yanbin Li and Meiqin Wang.

657 views • 36 slides

More recommend