
New Algorithms for Quantum (Symmetric) Cryptanalysis



  1. Quantum-safe (Symmetric) Cryptography / Quantum Collision Search / Quantum k-xor Algorithms. New Algorithms for Quantum (Symmetric) Cryptanalysis. María Naya-Plasencia (2), André Schrottenloher (2). Joint work with André Chailloux (2) and Lorenzo Grassi (1). (1) IAIK, Graz University of Technology, Austria; (2) Inria, France. May 19, 2019. M. Naya-Plasencia, A. Schrottenloher, Quantum (Symmetric) Cryptanalysis, 1/59

  2. Outline. (1) Quantum-safe (Symmetric) Cryptography; (2) Quantum Collision Search; (3) Quantum k-xor Algorithms.

  3. Quantum-safe (Symmetric) Cryptography

  4. (Pre-quantum) cryptography. Enable secure communications even in the presence of malicious adversaries. Asymmetric (e.g. RSA): no shared secret / computationally costly; security based on well-known hard mathematical problems (e.g. factorization). Symmetric (e.g. AES): shared secret / computationally efficient; ideal security defined by generic attacks (e.g. $2^{|K|}$); need of continuous security evaluation (cryptanalysis).

  5. A typical symmetric primitive. Ideal block cipher: $E_K$ is a family of permutations of $\{0,1\}^n$ parameterized by $K$. Real block cipher: typically built by iterating a round function. Select a key $K$. Decompose the message into $n$-bit blocks and use $E_K$ with a mode of operation.

  6. Generic attacks on ciphers. The security provided by an ideal block cipher is defined by the best generic attack: exhaustive search for the key in $2^{|K|}$. Recovering the key from a secure cipher must be infeasible. Typical key sizes range from $|K| = 128$ to 256 bits.

  7. Symmetric cryptanalysis. The ideal security is defined by generic attacks ($2^{|K|}$). Does real security meet this ideal security? We won't know... without a continuous security evaluation. Any attack better than the generic one is considered a "break". Cryptanalysis is an empirical measure of security.

  8. The security margin. The security of a cipher is not 1-bit information: e.g. round-reduced attacks. ⇒ Determine and adapt the security margin. The best attacks: find the highest number of rounds reached (regardless of the complexity). This allows primitives to be compared.

  9. Quantum-safe (Symmetric) Cryptography

  10. Post-quantum cryptography. Asymmetric (e.g. RSA): Shor's algorithm factorizes in polynomial time: this is not secure anymore. Actively looking for replacements (NIST call). Symmetric (e.g. AES): exhaustive search in $2^{|K|/2}$ with Grover's algorithm. Double the key length for equivalent ideal security. In both cases, lots of work regarding quantum attacks.

  11. Many new results. Breaking some classically secure constructions in some quantum adversary models. Extending cryptanalysis studies to quantum adversaries. Solving recurrent generic problems.

  12. Quantum search. Find in $S$ (of size $2^n$) an element $x$ ($2^t$ solutions) such that $x$ satisfies some condition. Cost: $2^{(n-t)/2} \, (\text{Sampling} + \text{Checking})$, where $2^{(n-t)/2}$ corresponds to $2^t$ solutions among $2^n$, Sampling produces the superposition of the search space $S$, and Checking tests an $x \in S$ in superposition.

  13. Two settings. "Low-qubits": only $O(n)$ qubits, no qRAM access. ⇒ A quantum adversary from tomorrow. Exponential qRAM: read and write access in quantum superposition: $\sum_i |i\rangle |0\rangle \to \sum_i |i\rangle |a_i\rangle$.

  14. Quantum Collision Search, with A. Chailloux, M. Naya-Plasencia

  15. The birthday problem. Collision search: let $H : \{0,1\}^n \to \{0,1\}^n$ be a random function, find a collision of $H$, i.e. a pair $x_1, x_2 \in \{0,1\}^n$ such that $H(x_1) = H(x_2)$. Numerous applications, e.g. generic attacks on hash functions. Classical time and queries: $\Theta(2^{n/2})$. With $2^{n/2}$ queries, we can form $2^n$ pairs, an $n$-bit collision occurs w.h.p. We can do this in $O(n)$ memory (Pollard's rho).

  16. Quantum algorithms for collisions (columns: Time; Queries; Qubits / qRAM; Classical memory). Pollard: $2^{n/2}$; $2^{n/2}$; $0$; $O(n)$. Grover: $2^{n/2}$; $2^{n/2}$; $O(n)$; $0$. Brassard, Høyer, Tapp: $2^{n/3}$; $2^{n/3}$; $2^{n/3}$; $2^{n/3}$. BHT (*): $2^{2n/3}$; $2^{n/3}$; $O(n)$; $2^{n/3}$.

  17. Collision search in a low-qubits setting. Single-processor. Only $O(n)$ qubits. No qRAM lookups.

  18. A naive collision algorithm. Perform $\ell$ arbitrary classical queries to $H$: $H(x_1), \ldots, H(x_\ell)$. Search $x \in \{0,1\}^n$ such that $H(x) \in \{H(x_1), \ldots, H(x_\ell)\}$. Optimal $\ell = 2^{n/2}$: $2^{n/2} + \frac{2^n}{2^{n/2}}$.

  19. A quantum collision algorithm. Naive classical: perform $\ell$ arbitrary classical queries to $H$: $H(x_1), \ldots, H(x_\ell)$. Search $x \in \{0,1\}^n$ such that $H(x) \in \{H(x_1), \ldots, H(x_\ell)\}$. Optimal $\ell = 2^{n/2}$: $2^{n/2} + \frac{2^n}{2^{n/2}}$. Quantum (BHT): perform $\ell$ arbitrary classical queries to $H$: $H(x_1), \ldots, H(x_\ell)$. With Grover, search $x \in \{0,1\}^n$ such that $H(x) \in \{H(x_1), \ldots, H(x_\ell)\}$. Optimal $\ell = 2^{n/3}$: $\underbrace{2^{n/3}}_{\text{List}} + \underbrace{\sqrt{\frac{2^n}{2^{n/3}}}}_{\text{Iterations}} \, \big(1 + \underbrace{1}_{\text{qRAM lookup}}\big)$.

  20. Removing qRAM. We have a list $L = \{H(x_1), \ldots, H(x_\ell)\}$, known classically, and want to compute: $|y\rangle |0\rangle \mapsto |y\rangle |y \in L\rangle$. With qRAM: build a data structure for $L$, compute membership in $O(\log \ell)$ qRAM gates. Without qRAM: compare sequentially against elements of $L$. We compute: $|y\rangle |0\rangle \mapsto |y\rangle |(y = H(x_1)) \vee (y = H(x_2)) \vee \ldots \vee (y = H(x_\ell))\rangle$ in time $\widetilde{O}(\ell)$.

  21. BHT without quantum memory. Queries: $2^{n/3} + \sqrt{\frac{2^n}{2^{n/3}}} \, (1 + 0)$. Time: $2^{n/3} + 2^{n/3} \left(1 + 2^{n/3}\right)$.
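
The cost formulas of slides 18, 19 and 21 can be checked numerically. The following is an added example, not code from the slides or their authors: it runs the naive classical algorithm on a small instance and evaluates the three formulas over all list sizes $\ell = 2^k$. The truncated SHA-256 standing in for the random function $H$ and all function names are assumptions made for illustration.

```python
import hashlib
from math import log2, sqrt

def H(x: int, n: int) -> int:
    """Assumed stand-in for a random function on n bits: truncated SHA-256."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def naive_collision(n: int, ell: int):
    """Slide 18: store ell queries, then search x with H(x) in the list.
    Returns (x, x_i, total queries to H), or None if no x matches."""
    table = {}
    for xi in range(ell):                 # ell arbitrary classical queries
        table.setdefault(H(xi, n), xi)
    queries = ell
    for x in range(ell, 2 ** n):          # classical search over the other inputs
        queries += 1
        hit = table.get(H(x, n))
        if hit is not None:
            return x, hit, queries
    return None

# Cost formulas from slides 18, 19 and 21, returned as log2, with ell = 2**k.
def classical_cost(n, k):
    return log2(2.0 ** k + 2.0 ** n / 2.0 ** k)

def bht_qram_time(n, k):                  # membership test costs 1 qRAM lookup
    return log2(2.0 ** k + sqrt(2.0 ** n / 2.0 ** k) * (1 + 1))

def bht_noqram_time(n, k):                # membership test costs ell comparisons
    return log2(2.0 ** k + sqrt(2.0 ** n / 2.0 ** k) * (1 + 2.0 ** k))

def best_k(cost, n):
    """List-size exponent k in [0, n] that minimises a cost formula."""
    return min(range(n + 1), key=lambda k: cost(n, k))

if __name__ == "__main__":
    x, xi, q = naive_collision(16, 2 ** 8)
    print(f"n=16: H({x}) == H({xi}) after {q} queries (2^{log2(q):.1f})")
    models = [("classical", classical_cost), ("BHT with qRAM", bht_qram_time),
              ("BHT without qRAM", bht_noqram_time)]
    for name, cost in models:
        k = best_k(cost, 96)
        print(f"n=96, {name}: best ell = 2^{k}, cost = 2^{cost(96, k):.2f}")
```

For $n = 96$ the scan recovers $\ell = 2^{n/2}$ and $\ell = 2^{n/3}$ as the optima of the first two formulas. Under the sequential-comparison formula of slide 21, $\ell = 2^{n/3}$ costs about $2^{2n/3}$ and no list size improves on roughly $2^{n/2}$.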
