An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography (slides)



SLIDE 1

Cryptographic context Quantum collision search: a brief state of the art Our collision algorithm

An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography

André Chailloux, María Naya-Plasencia, André Schrottenloher

Inria Paris, France

December 5, 2017

  • A. Chailloux, M. Naya-Plasencia, A. Schrottenloher (Inria)

Quantum Coll. Search and Implications 1/27

SLIDE 2

Outline

  1. Cryptographic context
  2. Quantum collision search: a brief state of the art
  3. Our collision algorithm


SLIDE 3

Cryptographic context


SLIDE 4

Cryptographic context

Symmetric cryptography:
  • Ideal security is defined by generic attacks.
  • Cryptanalysis searches for faults in the primitives.
  • Cryptanalysis increases confidence.


SLIDE 5

Post-quantum cryptography

  • Suppose an adversary has access to a universal, scalable quantum computer: RSA (factorization) and ECC (discrete logarithms) could be broken in polynomial time (Shor).
  • This is why the community is actively working on efficient post-quantum primitives (codes, lattices, isogenies, ...) that will be standardized.
  • In symmetric cryptography: Grover's generic attacks...
  • What about quantum cryptanalysis? What about other generic attacks?


SLIDE 6

Quantum collision search: a brief state of the art


SLIDE 7

Studied problem(s)

If we consider generic attacks, keeping in mind a black-box random function $H : \{0,1\}^n \to \{0,1\}^n$:
  • Collision search: find $x, y$ such that $H(x) = H(y)$. Classical time $O(2^{n/2})$ with poly(n) memory, using Pollard's rho method.
  • Multi-target preimage search: given $\{h_1, \dots, h_{2^t-1}\}$ (the targets), find $m$ such that $H(m) \in \{h_1, \dots, h_{2^t-1}\}$. Classical time $O(2^{n-t})$ using $O(2^t)$ memory, by exhaustive search.

The precise complexity for solving these problems defines ideal security bounds, e.g. for hash functions.


SLIDE 8

Collisions: state of the art

Classical:

  Algorithm      Time     Queries  Memory   Processors  Note
  Pollard's rho  2^{n/2}  2^{n/2}  poly(n)  1           Opt. in time / queries

Quantum:

  Algorithm     Time     Queries  Qubits   Processors  Note
  Grover [a]    2^{n/2}  2^{n/2}  poly(n)  1
  BHT [b]       ?        2^{n/3}  ?        1           Opt. in queries
  Ambainis [c]  2^{n/3}  2^{n/3}  2^{n/3}  1           Opt. in time / queries

  [a] Grover, 1996   [b] Brassard, Høyer, and Tapp, 1998   [c] Ambainis, 2007


SLIDE 9

In short

  • The quantum query lower bound for collisions has been reached.
  • All the available quantum algorithms have a common point: if we want to outperform the classical $2^{n/2}$, we need more than poly(n) qubits.

Challenge (Grover and Rudolph, 2004): find an algorithm for collision and/or element distinctness which gives a searching speedup greater than merely a square-root factor over the number of available processing qubits.


SLIDE 10

Our model

  • We restrict the qubits available to poly(n): this is a "reasonable" computer.
  • Quantum resources needed are those of Grover's algorithm.
  • We focus on the theoretical algorithm (in the circuit model) and not on implementation details.


SLIDE 11

Result

Classical:

  Algorithm      Time     Queries  Memory   Processors
  Pollard's rho  2^{n/2}  2^{n/2}  poly(n)  1

Quantum:

  Algorithm   Time      Queries   Qubits   Classical memory
  Grover      2^{n/2}   2^{n/2}   poly(n)  -
  BHT         2^{2n/3}  2^{n/3}   poly(n)  2^{n/3}
  Ambainis    2^{n/3}   2^{n/3}   2^{n/3}  -
  Our result  2^{2n/5}  2^{2n/5}  poly(n)  2^{n/5}


SLIDE 12

Our collision algorithm


SLIDE 13

Grover search

Given oracle access to the (efficiently computable) function $f : \{0,1\}^n \to \{0,1\}$, the oracle $O_f$ acts on superpositions of quantum states:
$$O_f(|x\rangle|0\rangle) = |x\rangle|f(x)\rangle \quad\text{and}\quad O_f\Big(\sum_i \alpha_i |x_i\rangle|0\rangle\Big) = \sum_i \alpha_i |x_i\rangle|f(x_i)\rangle .$$
We look for $x$ such that $f(x) = 1$.
  • One solution among $2^n$: quantum time $O(2^{n/2})$.
  • With $2^t$ solutions among $2^n$: quantum time $O(2^{(n-t)/2})$.


SLIDE 14

BHT algorithm (Brassard, Høyer, Tapp, 1998)

Using Grover, we can find a collision of $H$ in $O(2^{n/3})$ quantum queries, in two steps:
  1. Perform $\ell = 2^{n/3}$ arbitrary classical queries to $H$: $H(x_1), \dots, H(x_\ell)$.
  2. Grover: search $x \in \{0,1\}^n$ such that $f(x) = 1$, where the oracle $f$ is defined by $f(x) = 1 \iff x \notin \{x_1, \dots, x_\ell\}$ and $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$.

Queries:
$$\underbrace{2^{n/3}}_{\text{Initial list}} + \underbrace{\sqrt{2^n / 2^{n/3}}}_{2^{n/3}\text{ solutions among }2^n}$$


SLIDE 15

The oracle

$f(x) = 1 \iff x \notin \{x_1, \dots, x_\ell\}$ and $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$.
  • Needs a superposition query to $H$ (which is implemented).
  • Needs to answer a query of the form $y \in \{H(x_1), \dots, H(x_\ell)\}$, in superposition.

This is easy if $2^{n/3}$ quantum memory is available. Without any quantum data structure, how do we do it?


SLIDE 16

BHT cost

Queries: $2^{n/3} + \sqrt{2^n / 2^{n/3}}\,(1 + 0)$ (one query to $H$ per iteration, none for the membership test).

Time: $2^{n/3} + 2^{n/3}\,(1 + (?))$.

Superposition membership query: testing if $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$ is done sequentially in time $O(2^{n/3})$.


SLIDE 17

Improving

The cost is unbalanced:
$$\underbrace{2^{n/3}}_{\text{Initial list}} + \underbrace{2^{n/3}}_{2^{n/3}\text{ solutions among }2^n}\Big(\underbrace{1}_{\text{Querying }H} + \underbrace{2^{n/3}}_{\text{Membership}}\Big)$$
because we are computing:
  • $2^{n/3}$ iterations;
  • a query to $O_H$ with each iteration;
  • $2^{n/3}$ operations with each iteration.

Ideas:
  • Use distinguished points.
  • Take a smaller list: membership testing will be faster (but there will be more iterations).
  • Balance the cost.


SLIDE 18

Step 1: distinguished points

Definition (Distinguished points): all the $x$ whose image starts with $u$ zeroes.

We generate a list of distinguished points. We are now searching only among the distinguished points ($2^{n-u}$ of them) for the same number of solutions ($2^{n/3}$). Total cost:
$$\underbrace{\underbrace{2^{n/3}}_{\text{List size}} \times \underbrace{2^{u/2}}_{\text{Grover search of a DP}}}_{\text{First step: constructing the list}} + \underbrace{\underbrace{2^{n/3 - u/2}}_{\text{Fewer iterations}} \Big( \underbrace{2^{u/2}}_{\text{Building all the DPs}} + \underbrace{2^{n/3}}_{\text{Membership}} \Big)}_{\text{Second step: searching a collision}}$$

SLIDE 19

Step 2: optimize the list size

The list now contains $2^v$ distinguished points. Total cost:
$$\underbrace{\underbrace{2^{v}}_{\text{List size}} \times \underbrace{2^{u/2}}_{\text{Grover search of a DP}}}_{\text{First step: constructing the list}} + \underbrace{\underbrace{2^{(n-v-u)/2}}_{\text{Fewer iterations}} \Big( \underbrace{2^{u/2}}_{\text{Building all the DPs}} + \underbrace{2^{v}}_{\text{Membership}} \Big)}_{\text{Second step: searching a collision}}$$

SLIDE 20

Our algorithm

Distinguished points: all the $x$ whose image starts with $u$ zeroes.
  1. Build a list $L$ of $2^v$ distinguished points: time $2^v \times 2^{u/2}$.
  2. Look for a collision on one of them. Search space of size $2^{n-u}$; $2^v$ targets: $2^{(n-v-u)/2}$ iterations. At each iteration:
     • construct the search space: $2^{u/2}$;
     • test membership: $2^v$.


SLIDE 21

Balancing the computing time

Total cost:
$$\underbrace{\underbrace{2^{v}}_{\text{List size}} \times \underbrace{2^{u/2}}_{\text{Grover search of a DP}}}_{\text{First step: constructing the list}} + \underbrace{\underbrace{2^{(n-v-u)/2}}_{\text{Fewer iterations}} \Big( \underbrace{2^{u/2}}_{\text{Building all the DPs}} + \underbrace{2^{v}}_{\text{Membership}} \Big)}_{\text{Second step: searching a collision}}$$

Optimization: $v = n/5$, $u = 2n/5$.

Time: $O(2^{2n/5})$; qubits: poly(n); classical memory: $2^{n/5}$.


SLIDE 22

Parallelization

What if we add more processors?

[Plot: time complexity (log2) as a function of $s$, with $2^s$ processors and $n = 128$, for the three curves below.]
  • $2n/5 - 3s/5$ (our algorithm)
  • $n/2 - s/2$ (Grover's algorithm)
  • $n/2 - s$ (classical parallelization)
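The two-step cost of slides 19 to 21 and the parallel-time formulas of this slide, coded as an added Python example (not the authors' code). It writes every term as a base-2 exponent, brute-forces the integer pair (u, v) that minimises the cost, and checks that u = 0, v = n/3 recovers BHT's 2^(2n/3) and u = v = 0 recovers Grover's 2^(n/2).

```python
from math import isclose

# Cost model of the two-step distinguished-point collision search from the slides,
# written as an added example (not the authors' code). Every quantity is a base-2
# exponent: a value c stands for 2^c, and constants are dropped, so a sum of terms
# becomes the max of their exponents and a product becomes a sum of exponents.

def collision_cost(n, u, v):
    """log2 time for output size n, prefix length u and a list of 2^v distinguished points."""
    # Step 1: build the list. A distinguished point (image starting with u zeroes)
    # is a 2^-u fraction of the inputs, so Grover finds one in time 2^(u/2).
    build_list = v + u / 2
    # Step 2: Grover search for a collision with the list. The search space is the
    # 2^(n-u) distinguished points and it holds 2^v targets, hence 2^((n-v-u)/2)
    # iterations; each iteration builds a distinguished point (2^(u/2)) and tests
    # membership in the classical list sequentially (2^v).
    iterations = (n - v - u) / 2
    per_iteration = max(u / 2, v)
    return max(build_list, iterations + per_iteration)

def optimal_parameters(n):
    """Brute-force the integer exponents (u, v) minimising collision_cost; returns (u, v, cost)."""
    best = None
    for u in range(n + 1):
        for v in range(n - u + 1):
            cost = collision_cost(n, u, v)
            if best is None or cost < best[2]:
                best = (u, v, cost)
    return best

def balanced_cost(n):
    """The slides' closed form: v = n/5 and u = 2n/5 balance every term at 2^(2n/5)."""
    return collision_cost(n, 2 * n / 5, n / 5)

def parallel_exponents(n, s):
    """log2 time with 2^s processors: (this algorithm, Grover, classical parallel rho)."""
    return (2 * n / 5 - 3 * s / 5, n / 2 - s / 2, n / 2 - s)

if __name__ == "__main__":
    u, v, cost = optimal_parameters(160)
    assert (u, v) == (64, 32) and isclose(cost, balanced_cost(160))  # u = 2n/5, v = n/5
    assert collision_cost(120, 0, 40) == 80.0   # no DPs, list of 2^(n/3): BHT, 2^(2n/3)
    assert collision_cost(128, 0, 0) == 64.0    # no DPs, empty list: Grover, 2^(n/2)
    print(f"n=160: u={u}, v={v}, time 2^{cost}, classical memory 2^{v}")
    print(f"n=128: balanced time exponent {balanced_cost(128):.1f} (slide 25 gives 51.2)")
    print("n=128 with 2^20 processors (ours, Grover, classical):", parallel_exponents(128, 20))
```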


SLIDE 23

Multi-target preimage search

A list $L$ of $2^t$ targets is given. We search $x$ such that $H(x) \in L$. We only search among distinguished points, having a prefix of $r$ zeroes: the list $L'$ of size $2^{t-r}$. Total time:
$$\underbrace{2^{t}}_{\text{Build the sublist}} + \underbrace{2^{(n-t)/2}}_{2^{t-r}\text{ targets among }2^{n-r}} \Big( \underbrace{2^{r/2}}_{\text{Building all the DPs}} + \underbrace{2^{t-r}}_{\text{Membership}} \Big).$$
We get $r = 2t/3$ and a complexity $2^t + 2^{n/2 - t/6}$.

With $\geq 2^{3n/7}$ targets, total time becomes $O(2^{3n/7})$.


SLIDE 24

Applications in cryptography

Collisions:

  Algorithm   Time      Queries   Qubits   Classical memory
  Grover      2^{n/2}   2^{n/2}   poly(n)  -
  BHT         2^{2n/3}  2^{n/3}   poly(n)  2^{n/3}
  Ambainis    2^{n/3}   2^{n/3}   2^{n/3}  -
  Our result  2^{2n/5}  2^{2n/5}  poly(n)  2^{n/5}

Hash functions: searching for a collision in time $2^{2n/5}$, searching for a preimage among $\geq 2^{3n/7}$ targets in time $2^{3n/7}$.


SLIDE 25

Concrete parameters

Let us consider 128 (e.g., SHA-1) to 256-bit (e.g., SHA-256) hash functions. Time and memory entries are base-2 logarithms.

Collision search:

  n    Classical time  Quantum time  C. mem.  Storage needed
  128  64              51.2          25.6     Around 810MB
  160  80              64            32       Around 86GB
  256  128             102.4         51.2     Around 83PB

Multi-target preimage search:

  n    Targets  C. time  Q. time  Classical mem.  Storage needed
  128  54.8     73.1     54.8     18.2            Around 5MB
  160  68.6     91.4     68.6     22.6            Around 160MB
  256  109.7    146.3    109.7    36.6            Around 3.3TB
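The multi-target cost of slide 23 and both tables above, reproduced by an added Python example (not the authors' code). It brute-forces the prefix length r, applies the closed forms t = 3n/7 and r = 2t/3, and converts memory exponents to bytes under the assumption, made here and not stated on the slides, that each stored distinguished point occupies n bits.

```python
# Multi-target preimage cost model (slide 23) and the concrete-parameter tables of
# slide 25, as an added example (not the authors' code). Exponents are base-2 and
# constants are dropped (a sum of terms becomes the max of the exponents). The byte
# counts assume one n-bit value per stored distinguished point; that per-entry size
# is an assumption made here, chosen because it reproduces the "Around ..." figures.

def multitarget_cost(n, t, r):
    """log2 time for 2^t targets when only points whose image has an r-zero prefix are kept."""
    build_sublist = t                    # scan the 2^t targets, keep the 2^(t-r) DPs
    iterations = (n - t) / 2             # Grover: 2^(t-r) targets among 2^(n-r) DPs
    per_iteration = max(r / 2, t - r)    # build one DP, then sequential membership test
    return max(build_sublist, iterations + per_iteration)

def best_prefix(n, t):
    """Brute-force the integer prefix length r minimising multitarget_cost.
    The slides balance r/2 = t - r, i.e. r = 2t/3, giving 2^t + 2^(n/2 - t/6)."""
    return min(range(t + 1), key=lambda r: multitarget_cost(n, t, r))

def storage_bytes(n, log_entries):
    """Bytes for 2^log_entries stored values of n bits each (assumed entry size)."""
    return 2 ** log_entries * n / 8

def collision_row(n):
    """Slide-25 collision row: (classical time, quantum time, classical memory, bytes)."""
    time, memory = 2 * n / 5, n / 5
    return (n / 2, time, memory, storage_bytes(n, memory))

def multitarget_row(n):
    """Slide-25 multi-target row with t = 3n/7 targets and r = 2t/3:
    (targets, classical time, quantum time, classical memory, bytes)."""
    t = 3 * n / 7
    r = 2 * t / 3
    return (t, n - t, multitarget_cost(n, t, r), t - r, storage_bytes(n, t - r))

if __name__ == "__main__":
    for n in (128, 160, 256):
        c, m = collision_row(n), multitarget_row(n)
        print(f"n={n}: collision time 2^{c[1]:.1f}, memory 2^{c[2]:.1f} (~{c[3]:.2e} bytes); "
              f"multi-target 2^{m[0]:.1f} targets, time 2^{m[2]:.1f} (~{m[4]:.2e} bytes)")
```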


SLIDE 26

Applications in cryptography (2)

  • Multi-user setting: multiple users encrypt the same known message $m$ with their secret keys $k_1, \dots, k_{2^r}$. From $E_{k_1}(m), \dots, E_{k_{2^r}}(m)$, we want to retrieve one of the keys. This corresponds to multi-target preimage search on the function $k \mapsto E_k(m)$.
  • Collisions on operation modes with frequent rekeying or with superposition queries: for unknown $k$, given a list $E_k(m_1), \dots, E_k(m_{2^r})$ and superposition query access to $x \mapsto E_k(x)$, we want to retrieve one of the messages.

Both are instances of multi-target preimage search and benefit from a quantum speedup.


SLIDE 27

Conclusion

Even with poly(n) quantum memory, we can accelerate collision search.

Open question: can we improve and reach the lower bound $2^{n/3}$? (Using perhaps more advanced techniques.)

Future work:
  • Use this as a building block for quantum attacks.
  • Reduce quantum memory requirements for other quantum attacks.


SLIDE 28

Thank you.
