Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara - - PowerPoint PPT Presentation

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Quantum Algorithms for the k-xor Problem

Lorenzo Grassi1, María Naya-Plasencia2, André Schrottenloher2

1 IAIK, Graz University of Technology, Austria 2 Inria, France

December 3, 2018

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 1/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Outline

1

Context

2

Low-qubits k-xor algorithms

3

k-xor algorithms with qRAM

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 2/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Context

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 3/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

The Birthday Problem

Collision search Let H : {0, 1}n → {0, 1}n be a random function, find a collision of H, i.e a pair x1, x2 ∈ {0, 1}n such that H(x1) = H(x2). Classical queries (to L1, L2 or H) O

• 2n/2

, time O

• 2n/2

and memory O (1) (Pollard’s rho method). Ω(2n/2) is a query lower bound.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 4/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

The Generalized Birthday problem

k-xor for a random function Let H : {0, 1}n → {0, 1}n be a random function, find x1, . . . , xk such that H(x1) ⊕ . . . ⊕ H(xk) = 0. Many applications in cryptanalysis: (R)FSB, SWIFFT. . . Applications for k-sums: ⊕ is replaced by modular +

Wagner, “A Generalized Birthday Problem”, 2002

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 5/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Classical Results

To get a k-xor on n bits: The query complexity is Ω(2n/k) The time complexity is O

• 2n/(1+⌊log2(k)⌋)

The memory complexity is O

• 2n/(1+⌊log2(k)⌋)

. . . unless k = 2, in which case memory is O (1) . . . when k = 3, logarithmic improvements are available . . . many time-memory-query tradeoffs. n/2 k = 2 n/3 k = 3 n/4 k = 4

. . .

n/2 k = 2 n/3 {4, 5, 6, 7} n/4 {8, 9, . . . }

. . .

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 6/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Wagner’s Algorithm

Generic method for the k-xor or k-sum with a general k: works at best when k is a power of 2. L1 L2 L3 L4 2

n 3

elements 2

n 3

n 3-bit collisions

1 n-bit collision

n 3 n 3 2n 3 2n 3

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 7/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Quantum results

To get a k-xor on n bits: The query complexity is Ω(2n/(k+1)) With O (n) qubits, the time complexity for k = 2 is O

• 22n/5

With qRAM, the time complexity for k = 2 is O

• 2n/3

. n/3 k = 2 n/4 k = 3 n/5 k = 4 n/2

. . .

2n/5

?

k = 2

?

n/3

Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash and Claw-Free Functions”, 1998 Belovs and Spalek, “Adversary lower bound for the k-sum problem”, 2013

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 8/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

This work

We propose time-efficient quantum algorithms in two scenarios:

1

Using O (n) qubits;

2

Allowing read-write quantum memory in the qRAM model. Formalization All elements are produced by a random function H and we access the superposition oracle OH. A query to OH costs O (1) time.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 9/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Results

Low-qubits scenario 3-xor is exponentially faster than collision search; A quantum time speedup (or memory improvement) over Wagner exists for k ≤ 7. qRAM scenario 3-xor is exponentially faster than collision search; k-xor can be solved in time O

• 2n/(2+⌊log2(k)⌋)

, using

• O
• 2n/(2+⌊log2(k)⌋)

qRAM (instead of O

• 2n/(1+⌊log2(k)⌋)

).

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 10/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Low-qubits k-xor algorithms

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 11/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Quantum toolbox

Grover’s algorithm f : {0, 1}n → {0, 1} is a test function. We look for x such that f (x) = 1 (there are 2t solutions). We implement f as a quantum circuit. With Grover: O

• 2(n−t)/2

calls to f instead of 2n−t classically. Grover improves exhaustive search by a quadratic factor when the oracle f is fast.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 12/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

• 1. Testing membership with few qubits

Assume that L1 and L2 of sizes ℓ each are given classically. We search x such that ∃z1, z2 ∈ L1 × L2, H(z1) ⊕ H(z2) ⊕ H(x) = 0. Grover requires

• 2n/ℓ2 iterations.

How to test if x is good? Grover’s test The lists are known classically. But the oracle question is asked for a superposition of x. A solution is to compare sequentially: ℓ2 n-bit comparisons.

Chailloux, Naya-Plasencia, and Schrottenloher, “An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography”, 2017

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 13/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

• 2. Distinguished solution strategy

We take specific L1 and L2: images are prefixed by n

2 zeroes.

n/2 n/2 2n/8 α1 . . . . . . α2n/8 n/2 n/2 2n/8 β1 . . . . . . β2n/8

We only need to search for a “distinguished solution” (with the same prefix): we compare pairs less often; Producing the lists costs 2n/4 × 2n/8 = 23n/8 queries and as much for searching x. Collision: 2

1 2· 2n 5 + n 5 +2 n 5

• 2

1 2· 2n 5 + 2 n 5

• and 3-xor: 2

1 2· n 2 + n 8 +2 n 8

• 2

1 2· n 2 + 2 n 4

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 14/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

• 3. Merging technique

We take more specific L1 and L2 to reduce the checking cost.

2n/7 n/7 n/7 3n/7 ℓ = 2n/7 y1 α1 . . . . . . . . . . . . y2n/7 α2n/7 2n/7 n/7 n/7 3n/7 2n/7 z1 β1 . . . . . . . . . . . . z2n/7 β2n/7

Now to test a distinguished point x: Find a partially colliding element from L1; Find a partially colliding element from L2; Compute the xor of the three values; The test costs O (ℓ) comparisons instead of O

• ℓ2

.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 15/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Optimization and results

Optimizing the lists / prefix sizes leads to O

• 25n/14

time for k = 3. General k The same merging method can be extended to the k-xor. Time speedup over Wagner for k = 3, 5, 6, 7 and memory improvement for k = 4. Quantum low-qubits:

5n 14

3

2n 5

2

n 2

4 5 6 7 Classical:

n 2

k = 2, 3

n 3

{4, 5, 6, 7}

n 4

8

. . .

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 16/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

k-xor algorithms with qRAM

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 17/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

3-xor with qRAM

qRAM is now available. No need for a distinguished solution (testing membership is efficient) but the merging technique still applies. ⇒ O

• 23n/10

time with 2 lists of size 2n/5: better than quantum collision search.

3n 10

3

n 3

2

n 2

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 18/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

General k

Combining: Wagner’s method (successive lists of i-collisions with increasing zero prefixes) A quantum walk on the Johnson graph We obtain a general time speedup.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 19/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Results

Classical time (using classical memory) Quantum time (O (n) qubits and classical memory) Quantum time (unbounded qRAM)

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 20/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Memory

Classical (using classical memory) Quantum low-qubits (O (n) qubits and classical memory) Quantum (qRAM)

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 21/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Conclusion and perspectives

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 22/23

Context Low-qubits k-xor algorithms k-xor algorithms with qRAM

Conclusion

Settled An exponential separation between quantum collision and 3-xor (with qRAM, it goes below the quantum collision lower bound) With O (n) qubits, quantum time speedups for some k. With any k, a quantum time speedup using qRAM. This applies to k-sum modulo 2n (ePrint version). Open questions Can we improve the time complexity of k-xor with O (n) qubits, for general k? Are there other improvements when k is not a power of 2?

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor 23/23

Thank you.

• L. Grassi, M. Naya-Plasencia, A. Schrottenloher

Quantum Algorithms for k-xor