Quantum (Generalized) Collisions | Quantum Merging | Extended Quantum Merging

Quantum Merging Algorithms

María Naya-Plasencia (2), André Schrottenloher (2)
Joint work with André Chailloux (2) and Lorenzo Grassi (1)
(1) IAIK, Graz University of Technology, Austria
(2) Inria, France

M. Naya-Plasencia, A. Schrottenloher, Quantum Merging, 1/44

Outline

1. Quantum (Generalized) Collisions
2. Quantum Merging
3. Extended Quantum Merging

Quantum (Generalized) Collisions

Generalized Birthday Problem(s)

Problem 1: “original”
Given $L_1, \ldots, L_k$ classical lists of random $n$-bit strings, find $(x_1, \ldots, x_k) \in L_1 \times \ldots \times L_k$ such that $x_1 \oplus \ldots \oplus x_k = 0$.

Problem 2: “oracle”
Given oracle access to a random $n$-bit to $n$-bit function $H$, find $x_1, \ldots, x_k$ such that $H(x_1) \oplus \ldots \oplus H(x_k) = 0$.

Problem 3: “unique solution”
Given oracle access to a random $n/k$-bit to $n$-bit function $H$, find the single $k$-tuple $x_1, \ldots, x_k$ such that $H(x_1) \oplus \ldots \oplus H(x_k) = 0$.

Applications

- Parity check problem: given $P(X)$ of degree $n$, find a low-weight multiple of $P$
- Multiple-encryption: given a few plaintext-ciphertext pairs $(x, E_{k_1} \circ \ldots \circ E_{k_r}(x))$, find the independent keys $k_1, \ldots, k_r$
- Subset-sum: given $n$ integers $a_0, \ldots, a_{n-1}$ on $\mathrm{poly}(n)$ bits, find a binary $\bar{e}$ such that $\bar{a} \cdot \bar{e} = 0$
- LPN: given samples $a, a \cdot s + e$ with $n$-bit uniform random $a$ and Bernoulli noise $e$, find $s$

Except for LPN, we have quantum oracle access.

Focus on Problem 2 (with oracle)

Problem 2: The “oracle” k-xor
Let $H : \{0,1\}^n \to \{0,1\}^n$ be a random function, find $x_1, \ldots, x_k$ such that $H(x_1) \oplus \ldots \oplus H(x_k) = 0$.

- We suppose that quantum oracle access to $H$ is given
- We focus on the exponent in the time complexity $\widetilde{O}(2^{\alpha_k n})$
- All the results apply with $+$ instead of $\oplus$

The 1-xor problem: exhaustive search

- Classically: look for a preimage of 0. Since $H$ is random, we need to query it $O(2^n)$ times.
- Quantumly: use Grover’s algorithm. $O(2^{n/2})$ quantum queries and time.

Grover search / amplitude amplification
Find in $S$ (of size $2^n$) an element $x$ ($2^t$ solutions) such that $x$ satisfies some condition.

$$\underbrace{2^{(n-t)/2}}_{2^t \text{ solutions among } 2^n} \Big( \underbrace{\text{Sampling}}_{\text{Produce } \sum_{s \in S} |s\rangle} + \underbrace{\text{Checking}}_{\text{Test } |x\rangle} \Big)$$

Interlude: Quantum Memory

The “quantum memory” landscape

                  | Sequential access         | Quantum random access
Classical write   | Classical memory: SAM     | Classical memory: QACM (or qRAM)
Quantum write     | Quantum memory: Qubits    | Quantum memory: QAQM

The “quantum memory” landscape (ctd.)

In our work, we consider that answering a query “$x \in L$”, for a superposition of $x$, costs:

- (C)SAM: $\widetilde{O}(|L|)$
- QACM: $\mathrm{poly}(\log |L|)$
- Qubits: $\widetilde{O}(|L|)$
- QAQM: $\mathrm{poly}(\log |L|)$

Converting QACM to SAM

We can emulate QACM queries with classical sequential memory accesses: perform a sequence of comparisons.

On input $x$, to compute if $x \in L$:
- Read $L$ sequentially;
- Run a sequence of $|L|$ comparison circuits;
- Aggregate the comparison results.

We can make the memory in some quantum algorithms classical (however, no guarantee of a quantum speedup).

Quantum Collisions without qRAM

Joint work with André Chailloux

The 2-xor problem: collision search

- Classical (naive): $O(2^{n/2})$ computations and $O(2^{n/2})$ memory.
- Classical (Pollard’s rho): $O(2^{n/2})$ computations and $O(1)$ memory.
- Quantum (BHT*): $\widetilde{O}(2^{n/3})$ computations and $O(2^{n/3})$ QACM.

BHT
- Store $2^{n/3}$ arbitrary queries $x, H(x)$ in a list $L$
- Search $\{0,1\}^n$ with the predicate: $f(x) = (\exists y \neq x, (y, H(x)) \in L)$ (needs QACM)

* Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash and Claw-Free Functions”, LATIN 98

Quantum collisions without qRAM

In BHT, we perform $2^{n/3}$ membership queries to a list $L$ of size $2^{n/3}$: the conversion increases the time up to $2^{2n/3}$!

Let’s try again, with:
- A smaller list
- Fewer membership queries

To do this, we put a constraint on $L$, and search for a collision in a smaller subspace.

Chailloux, Naya-Plasencia, and S., “An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography”, ASIACRYPT 17

Quantum collisions without qRAM (ctd.)

We search only for a collision among distinguished points, e.g. $x$ such that $H(x) = 0^{2n/5} \| z$ for $z \in \{0,1\}^{3n/5}$.

1. Create a list $L$ of distinguished $y, H(y)$
2. Grover search among distinguished points for a match on $L$

$$\underbrace{2^{n/5 + n/5}}_{\text{Build } L} + \underbrace{2^{n/5}}_{2^{-2n/5} \text{ probability of a match}} \Big( \underbrace{2^{n/5}}_{\text{Sample distinguished points}} + \underbrace{2^{n/5}}_{\text{Match } L} \Big) = 2^{2n/5}$$

We do $2^{n/5}$ accesses to a $2^{n/5}$-sized memory.

Chailloux, Naya-Plasencia, and S., “An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography”, ASIACRYPT 17

Quantum Algorithms for the (Many-solutions) k-xor Problem

Joint work with Lorenzo Grassi

Classical results for general k

To get a $k$-xor on $n$ bits:
- The optimal query complexity is $\Theta(2^{n/k})$
- The time complexity is $O\big(2^{n/(1 + \lfloor \log_2(k) \rfloor)}\big)$ *
- Logarithmic improvements in time (but we focus on exponents)

* Wagner, “A Generalized Birthday Problem”, CRYPTO 02

Wagner’s algorithm in a single slide

Merging
From two lists $L_1, L_2$, compute the “join” $L_1 \bowtie_u L_2$: the pairs $(x_1, x_2) \in L_1 \times L_2$ with $(x_1 \oplus x_2)|_u = 0$ (partial collision on $u$ bits). All lists are presumed sorted, the time is:

$$\max\big( |L_1 \bowtie_u L_2|, \min(|L_1|, |L_2|) \big)$$

- Wagner’s algorithm is a sequence of pairwise joins
- The strategy (optimal $u$) depends on $\lfloor \log_2(k) \rfloor$; we merge $2^{\lfloor \log_2(k) \rfloor}$ lists

An example with k = 4

1. Query 4 lists of $x, H(x)$: $L_1, L_2, L_3, L_4$ of size $2^{n/3}$

[Figure: four lists $L_1, L_2, L_3, L_4$, each of size $2^{n/3}$]

An example with k = 4

2. Compute the joins $L_1 \bowtie_{n/3} L_2$ and $L_3 \bowtie_{n/3} L_4$ of size $2^{n/3}$

[Figure: the joins $L_1 \bowtie_{n/3} L_2$ and $L_3 \bowtie_{n/3} L_4$, each of size $2^{n/3}$, drawn above the four lists $L_1, L_2, L_3, L_4$ of size $2^{n/3}$]

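The merging strategy of the last three slides, written out classically for k = 4 as an added example (not code from the talk or its authors). SHA-256 truncated to n bits stands in for the random oracle H, and the function names and the `slack` factor on the list size are assumptions of this sketch. The final join on the remaining 2n/3 bits goes one step beyond what the slide shows, following Wagner's algorithm.

```python
import hashlib
from collections import defaultdict

def H(x: int, n: int) -> int:
    """Stand-in for the random oracle (assumption): SHA-256 truncated to n bits."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def join(L1, L2, mask):
    """L1 join L2: pairs whose XOR is zero on the bits selected by mask.

    Entries are (tuple_of_inputs, xor_of_their_H_values). A hash index on
    the masked value replaces the sorted lists assumed on the slide.
    """
    index = defaultdict(list)
    for xs, v in L1:
        index[v & mask].append((xs, v))
    return [(xs + ys, v ^ w)
            for ys, w in L2
            for xs, v in index.get(w & mask, ())]

def four_xor(n: int, slack: int = 4):
    """Wagner's 4-list algorithm on n bits (n divisible by 3).

    Returns (solution, (|L12|, |L34|)); solution is None if no 4-xor was found.
    slack scales the lists to slack * 2^(n/3): with exactly 2^(n/3) entries
    only about one solution is expected, so a run can come back empty.
    """
    u = n // 3
    size = slack << u
    # Four lists over disjoint input ranges, so the x_i are distinct.
    lists = [[((x,), H(x, n)) for x in range(i * size, (i + 1) * size)]
             for i in range(4)]
    low = (1 << u) - 1                    # first level: collide on n/3 bits
    L12 = join(lists[0], lists[1], low)
    L34 = join(lists[2], lists[3], low)
    full = (1 << n) - 1                   # second level: remaining 2n/3 bits
    final = join(L12, L34, full)
    solution = final[0][0] if final else None
    return solution, (len(L12), len(L34))

if __name__ == "__main__":
    xs, sizes = four_xor(24)
    print("4-xor:", xs, "intermediate list sizes:", sizes)
```

The intermediate joins have about slack^2 * 2^(n/3) entries, which is the slide's 2^(n/3) when slack = 1.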