quantum difgerential and linear cryptanalysis
play

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential - PowerPoint PPT Presentation

May 23, 2023 •30 likes •410 views

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

  1. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 , 2 Gaëtan Leurent 3 Anthony Leverrier 3 María NayaPlasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria Paris FSE 2017

  2. Introduction Brute-force Difgerential Truncated difgerential Conclusion Motivation What would be the impact of quantum computers on symmetric cryptography? Kaplan, Leurent, Leverrier & Naya-Plasencia Quantum Difgerential and Linear Cryptanalysis FSE 2017 2 / 25 ▶ Some physicists think they can build quantum computers ▶ NSA thinks we need quantumresistant crypto (or do they?)

  3. Introduction Brute-force Difgerential Truncated difgerential Conclusion Motivation What would be the impact of quantum computers on symmetric cryptography? Kaplan, Leurent, Leverrier & Naya-Plasencia Quantum Difgerential and Linear Cryptanalysis FSE 2017 2 / 25 ▶ Some physicists think they can build quantum computers ▶ NSA thinks we need quantumresistant crypto (or do they?)

  4. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  5. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  6. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  7. Introduction Impact on public-key cryptography FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Impact on symmetric cryptography Brute-force 3 / 25 Expected impact of quantum computers Conclusion Truncated difgerential Difgerential ▶ Some problems can be solved much faster with quantum computers ▶ Up to exponential gains ▶ But we don’t expect to solve all NP problems ▶ RSA, DH, ECC broken by Shor’s algorithm ▶ Breaks factoring and discrete log in polynomial time ▶ Large effort to develop quantumresistant algorithms ( e.g. NIST) ▶ Exhaustive search of a k bit key in time 2 k / 2 with Grover’s algorithm ▶ Common recommendation: double the key length (AES256) ▶ Encryption modes are secure [Unruh  al, PQC’16] ▶ Authentication modes broken w/ superposition queries [Crypto ’16]

  8. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 4 / 25 Main question Conclusion Overview of the talk Difgerential Truncated difgerential Is AES secure in a quantum setting? ▶ Symmetric design are evaluated with cryptanalysis: ▶ Differential (truncated, impossible, ...) ▶ Linear ▶ Integral ▶ Algebraic ▶ ... ▶ We should study quantum cryptanalysis! ▶ Start with classical techniques ▶ Do we get a quadratic speedup? ▶ Do we need a quantum encryption oracle? ▶ How are different cryptanalysis techniques affected?

  9. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 5 / 25 Security notions: Classical Conclusion Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Classical setting: classical computations ▶ Classical security: classical queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k P , P − 1 ▶ success > 3 / 4 y x cipher / random

  10. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 6 / 25 Conclusion Security notions: Quantum Q1 Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Quantum setting: quantum computations ▶ Classical security: classical queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k / 2 P , P − 1 ▶ success > 3 / 4 y x Q cipher / random

  11. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 7 / 25 Conclusion Security notions: Quantum Q2 Truncated difgerential Difgerential ▶ PRF security: given access to P / P − 1 , distinguishing E from random ▶ Quantum setting: quantum computations ▶ Quantum security: quantum (superposition) queries ▶ Cipher broken by adversary with ▶ data ≪ 2 n ▶ time ≪ 2 k / 2 P , P − 1 ▶ success > 3 / 4 ∑ x 𝜔 x | x ⟩| 0 ⟩ ∑ x 𝜔 x | x ⟩| P ( x )⟩ Q cipher / random

  12. Introduction Q2 model: superposition queries FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 8 / 25 Q1 model: classical queries About the models Conclusion Truncated difgerential Difgerential ▶ Build a quantum circuit from classical values ▶ Example: breaking RSA with Shor’s algorithm ▶ Access quantum circuit implementing the primitive with a secret key ▶ Example: breaking CBCMAC with Simon’s algorithm ▶ The Q2 model is very strong for the adversary ▶ Simple and clean generalisation of classical oracle ▶ Aim for security in the strongest (nontrivial) model ▶ A Q2secure block cipher is useful for security proofs of modes

  13. Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Conclusion Truncated difgerential Difgerential Brute-force Introduction Outline Conclusion Truncated difgerential Difgerential 8 / 25 Quantum Computing Grover’s algorithm Distinguisher Lastround attack Distinguisher Lastround attack

  14. Introduction Classical algorithm FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 9 / 25 Difgerential Grover’s algorithm Truncated difgerential Conclusion ▶ Search for a marked element in a set X ▶ Set of marked elements M , with | M | ≥ 𝜁 ⋅ | X | 1: loop x ← Setup () ▷ Pick a random element in X , cost S 2: if Check( x ) then ▷ Check if it is marked, cost C 3: return x 4: ▶ 1 /𝜁 repetitions expected ▶ Complexity ( S + C )/𝜁

  15. Introduction Grover Algorithm (as a quantum walk) FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia Brute-force 9 / 25 Conclusion Grover’s algorithm Truncated difgerential Difgerential ▶ Search for a marked element in a set X ▶ Set of marked elements M , with | M | ≥ 𝜁 ⋅ | X | Quantum algorithm to find a marked element using: ▶ Setup: builds a uniform superposition of inputs in X ▶ Check: applies a controlphase gate to the marked elements ▶ Only 1 /√𝜁 repetitions needed ▶ Complexity ( S + C )/√𝜁 ▶ Can produce a uniform superposition of M ▶ Can provide an oracle without measuring (nesting) ▶ Variant to measure 𝜁 (quantum counting)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije

The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije

The dual of non-extremal area: difgerential entropy in higher dimensions Charles Rabideau Vrije Universiteit Brussel / University of Pennsylvania June 24, 2019 YITP, Kyoto Quantum Information and String Theory 2019 1812.06985 w/ V.

468 views • 19 slides
Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma

540 views • 17 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen

Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen

Workshop On Uncertain Dynamical Systems Udine 2011 1 Robust Linear Quantum Systems Robust Linear Quantum Systems Theory Theory Ian R. Petersen School of Engineering and Information Technology, University of New South Wales @ the

814 views • 40 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
from Raw Choice Data ARJUN SESHADRI, STANFORD UNIVERSITY ALEX PEYSAKHOVICH, FACEBOOK ARTIFICIAL

from Raw Choice Data ARJUN SESHADRI, STANFORD UNIVERSITY ALEX PEYSAKHOVICH, FACEBOOK ARTIFICIAL

Discovering Context Effects from Raw Choice Data ARJUN SESHADRI, STANFORD UNIVERSITY ALEX PEYSAKHOVICH, FACEBOOK ARTIFICIAL INTELLIGENCE RESEARCH JOHAN UGANDER, STANFORD UNIVERSITY ICML 2019 Modelling in Discrete Choice Data of the form

747 views • 23 slides
The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline

The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline

The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline Outline Simulations SpEC The numbers Post-processing The data What's included How to get it Formats Problems Solutions Software Backwards

382 views • 27 slides
Data Mining and Matrices 03 Singular Value Decomposition Rainer Gemulla, Pauli Miettinen

Data Mining and Matrices 03 Singular Value Decomposition Rainer Gemulla, Pauli Miettinen

Data Mining and Matrices 03 Singular Value Decomposition Rainer Gemulla, Pauli Miettinen April 25, 2013 The SVD is the Swiss Army knife of matrix decompositions Diane OLeary, 2006 2 / 35 Outline The Definition 1 Properties of the

527 views • 35 slides
Introd u cing time based q u eries MAN IP U L ATIN G TIME SE R IE S DATA W ITH XTS AN D ZOO IN

Introd u cing time based q u eries MAN IP U L ATIN G TIME SE R IE S DATA W ITH XTS AN D ZOO IN

Introd u cing time based q u eries MAN IP U L ATIN G TIME SE R IE S DATA W ITH XTS AN D ZOO IN R Je re y R y an Creator of x ts and q u antmod ISO 8601:2004 International standard for date and time Le to right from most to least signi

250 views • 24 slides
Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT Corporation 07/Sep/2009 ISC2009@Pisa 1/22 Yu Sasaki, MitM using output truncation of 3 Haval Summary HAVAL is a hash function that can produce

507 views • 23 slides
CSE543 - Introduction to Computer and Network Security Module: Safe Programming Professor Trent

CSE543 - Introduction to Computer and Network Security Module: Safe Programming Professor Trent

519 views • 20 slides
Reduced Aggregate Jan Novk Scattering Operators Ralf Habel s s Derek Nowrouzezahrai for

Reduced Aggregate Jan Novk Scattering Operators Ralf Habel s s Derek Nowrouzezahrai for

Adrian Blumer Reduced Aggregate Jan Novk Scattering Operators Ralf Habel s s Derek Nowrouzezahrai for Path Tracing Wojciech Jarosz Overview Reduced Aggregate Scattering Operators for Path Tracing 2 Overview Reduced Aggregate

641 views • 50 slides
Interacting with Jrg Steffens, Bareos GmbH & Co. KG Agenda Bareos Overview Interaction

Interacting with Jrg Steffens, Bareos GmbH & Co. KG Agenda Bareos Overview Interaction

- Interacting with Bareos Interacting with Jrg Steffens, Bareos GmbH & Co. KG Agenda Bareos Overview Interaction Methods Configuration Files Run-Time Control of Bareos Triggered by Bareos Run Scripts Plugins Roadmap Bareos

574 views • 42 slides

More recommend