Abstract
Aaram Yun et al. considered that the Lai-Massey structure has the same security as the Feistel structure. However, Luo et al. showed that the 3-round Lai-Massey structure can resist quantum attacks based on Simon's algorithm, which differs from the Feistel structure. We give quantum attacks against a typical Lai-Massey structure. The result shows that there exists a quantum CPA distinguisher against the 3-round Lai-Massey structure and a quantum CCA distinguisher against the 4-round Lai-Massey structure, the same as for the Feistel structure. We extend the attack on the Lai-Massey structure to the quasi-Feistel structure. We show that if the combiner of the quasi-Feistel structure is linear, there exists a quantum CPA distinguisher against the 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against the 4-round balanced quasi-Feistel structure.
Supported by the NSFC of China (61732021) and the National Key R&D Program of China (2018YFB0803801 and 2018YFA0704704).
References
Skipjack and KEA algorithm specifications. Technical report, May 1998
Alagic, G., Russell, A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 65–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_3
Aragona, R., Civino, R.: On invariant subspaces in the Lai-Massey scheme and a primitivity reduction. Mediterr. J. Math. 18(4), 1–14 (2021)
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptol. ePrint Arch. 404 (2013). http://eprint.iacr.org/2013/404
Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon’s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 552–583. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_20
Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. arXiv Quantum Physics (2000)
Derbez, P.: Note on impossible differential attacks. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 416–427. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_21
Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61(10), 1–7 (2018). https://doi.org/10.1007/s11432-017-9468-y
Feistel, H.: Cryptography and computer privacy. Sci. Am. 228(5), 15–23 (1973)
Fu, L., Jin, C.: Differential and linear provable security of Lai-Massey scheme (in Chinese) (2013)
Fu, L., Jin, C.: Practical security evaluation against differential and linear cryptanalyses for the Lai-Massey scheme with an SPS f-function. KSII Trans. Internet Inf. Syst. 8(10), 3624–3637 (2014). https://doi.org/10.3837/tiis.2014.10.020
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 1996 Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pp. 212–219. ACM (1996). https://doi.org/10.1145/237814.237866
Guo, R., Jin, C.: Impossible differential cryptanalysis on Lai-Massey scheme. ETRI J. 36(6), 1032–1040 (2014)
Guo, T., Wang, P., Hu, L., Ye, D.: Attacks on beyond-birthday-bound MACs in the quantum setting. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 421–441. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_22
Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP: tight quantum security bound. Cryptology ePrint Archive, Report 2019/243 (2019). https://ia.cr/2019/243
Isobe, T., Shibutani, K.: Improved all-subkeys recovery attacks on FOX, KATAN and SHACAL-2 block ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 104–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_6
Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Yu., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_20
Junod, P., Vaudenay, S.: FOX: a new family of block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 114–129. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_8
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_20
Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: Proceedings of the ISIT 2010, pp. 2682–2685. IEEE (2010). https://doi.org/10.1109/ISIT.2010.5513654
Lai, X.: On the design and security of block ciphers. Ph.D. thesis, ETH Zurich, Zürich, Switzerland (1992). https://d-nb.info/920912710
Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_35
Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6
Li, R., You, J., Sun, B., Li, C.: Fault analysis study of the block cipher FOX64. Multim. Tools Appl. 63(3), 691–708 (2013). https://doi.org/10.1007/s11042-011-0895-x
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988). https://doi.org/10.1137/0217022
Luo, Y., Lai, X., Gong, Z.: Pseudorandomness analysis of the (extended) Lai-Massey scheme. Inf. Process. Lett. 111(2), 90–96 (2010). https://doi.org/10.1016/j.ipl.2010.10.012
Luo, Y., Lai, X., Hu, J.: The pseudorandomness of many-round Lai-Massey scheme. J. Inf. Sci. Eng. 31(3), 1085–1096 (2015). http://www.iis.sinica.edu.tw/page/jise/2015/201505_17.html
Luo, Y., Yan, H., Wang, L., Hu, H., Lai, X.: Study on block cipher structures against Simon’s quantum algorithm (in Chinese). J. Cryptol. Res. 6(5), 561–573 (2019)
Miyaguchi, S.: The FEAL-8 cryptosystem and a call for attack. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 624–627. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_59
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 1994 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society (1994). https://doi.org/10.1109/SFCS.1994.365700
Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997). https://doi.org/10.1137/S0097539796298637
U.S. Department of Commerce/National Institute of Standards and Technology: Data encryption standard (DES) (1977)
Sui, H., Wu, W., Zhang, L.: Round security of the Lai-Massey structure (in Chinese). J. Cryptol. Res. 1, 28–40 (2014)
Vaudenay, S.: On the Lai-Massey scheme. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 8–19. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-48000-6_2
Wu, W., Wei, H.: Collision-integral attack of reduced-round FOX (in Chinese). Acta Electron. Sinica 33, 1307 (2005)
Wu, W., Zhang, W., Feng, D.: Improved integral cryptanalysis of FOX block cipher. IACR Cryptol. ePrint Arch. 292 (2005). http://eprint.iacr.org/2005/292
Wu, W., Zhang, W., Feng, D.: Integral cryptanalysis of reduced FOX block cipher. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 229–241. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_20
Wu, Z., Lai, X., Zhu, B., Luo, Y.: Impossible differential cryptanalysis of FOX. IACR Cryptol. ePrint Arch. 357 (2009). http://eprint.iacr.org/2009/357
Yun, A., Park, J.H., Lee, J.: On Lai-Massey and quasi-Feistel ciphers. Des. Codes Cryptogr. 58(1), 45–72 (2011). https://doi.org/10.1007/s10623-010-9386-8
Zhang, L., Wu, W.: Pseudorandomness and super pseudorandomness on the unbalanced Feistel networks with contracting functions (in Chinese). Chin. J. Comput. 32(7), 1320–1330 (2009)
Acknowledgement
Many thanks to the reviewers for their constructive comments during the review process. One of the reviewers pointed out that the combiner \(\varGamma \) of the balanced quasi-Feistel structure in Sect. 5 does not need to be entirely linear. After our verification, only \(L_1\) needs to be linear. Specifically, if the combiner of the quasi-Feistel structure has the form \(\varGamma (x,y,z)= L_1(x)\oplus F(y,z)\), where \(L_1\) is linear and F is an arbitrary function, there exists a quantum CPA distinguisher against the 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against the 4-round balanced quasi-Feistel structure.
Appendices
A Intermediate Parameters in the Decryption Process of 4-round Lai-Massey Structure in Sect. 3.2
For the decryption process of the 4-round Lai-Massey structure shown in Fig. 3, we write the inputs as \([z_{1},z_{2}], [z_{3},z_{4}]\) and the outputs as \([x'_{1},x'_{2}], [x'_{3},x'_{4}]\). The intermediate parameters are as follows.
where
Proof
Let \(a'_{4} = [z_{1},z_{2}],b'_{4} = [z_{3},z_{4}]\). The intermediate parameters \(a_i,b_i,\varDelta _j,i=1,2,3,4\) are the same as in Sect. 3.1 and Sect. 3.2.
Lemma 8
For the fourth round of the decryption process of the 4-round Lai-Massey structure (Fig. 10), the intermediate parameters \(\varDelta '_{4},a'_{3},b'_3 \) can be expressed as:
Proof
According to the decryption process of the 4-round Lai-Massey structure, we get the following system of equations
Solving the system of equations gives the result.
Lemma 9
For the third round of the decryption process of the 4-round Lai-Massey structure (Fig. 11), the intermediate parameters \(\varDelta '_{3},a'_{2},b'_2 \) can be expressed as:
Proof
According to the decryption process of the 4-round Lai-Massey structure, we get the following system of equations
From Lemma 8 we can get:
Solving the system of equations gives the result.
Lemma 10
For the second round of the decryption process of the 4-round Lai-Massey structure, the intermediate parameters \(\varDelta '_{2},a'_{1},b'_1 \) can be expressed as:
Proof
According to the decryption process of the 4-round Lai-Massey structure, we get the following system of equations
From Lemma 9 we have:
Solving the system of equations gives the result.
Lemma 11
For the first round of the decryption process of the 4-round Lai-Massey structure, the intermediate parameters \(\varDelta '_{1},[x'_{1},x'_{2}],[x'_{3},x'_{4}]\) can be expressed as:
Proof
According to the decryption process of the 4-round Lai-Massey structure, we get the following system of equations
From Lemma 10 we have:
Solving the system of equations gives the result.
B Proof of Theorem 4
Proof
First, we introduce a Theorem and a Lemma for subsequent proofs.
Theorem 8
[6] (Brassard, Høyer, Mosca and Tapp). Let \(\mathcal A\) be any quantum algorithm on q qubits that uses no measurement. Let \(\mathcal B: \mathbb F^q_2\rightarrow \{0,1\}\) be a function that classifies outcomes of \(\mathcal A\) as good or bad. Let \(p > 0\) be the initial success probability that a measurement of \(\mathcal A|0\rangle \) is good. Set \(t =\lceil \frac{\pi }{4\theta }\rceil \), where \(\theta \) is defined via \(\sin^2(\theta )= p\). Moreover, define the unitary operator \(Q = -\mathcal AS_0\mathcal A^{-1}S_{\mathcal B}\), where the operator \(S_{\mathcal B}\) changes the sign of the good state:
while \(S_0\) changes the sign of the amplitude only for the zero state \(|0\rangle \). Then after the computation of \(Q^t\mathcal A|0\rangle \), a measurement yields good with probability at least \(\max \{1-p,p\}\).
Lemma 12
[24]. Any state \(| z_i\rangle =(-1)^{\langle u_i,x_i\rangle }| u_i\rangle \) is proper with probability at least \(\frac{1}{2}\). Any set of \(\ell = 2(n+\sqrt{n})\) states contains at least \(n-1\) proper states with probability greater than \(\frac{4}{5}\).
Let \(U_h\) be the quantum oracle \(|x_1,...,x_l,0\rangle \mapsto |x_1,...,x_l,h(x_1,...,x_l)\rangle \). If \(k_4\) is guessed right, then \(g_{3}(k_4,[x,x']) = g_{3}(k_4,[x,x'] \oplus s)\). Let \(h: \mathbb F^{m}_2 \times \mathbb F^{nl}_2\rightarrow \mathbb F^{nl/2}_2\) with \((k,[x_1,x'_1],...,[x_l,x'_l])\mapsto g_{3}(k,[x_1,x'_1])||...||g_{3}(k,[x_l,x'_l])\). Then we can construct the following quantum algorithm \(\mathcal A\):
1. Initialize an \((m+nl+nl/2)\)-qubit register \(|0\rangle ^{\otimes (m+nl+nl/2)}\).
2. Apply the Hadamard transformation \( H ^ {\otimes (m+nl)} \) to the first \(m+nl \) qubits to obtain the quantum superposition
$$\begin{aligned} H ^ {\otimes (m+nl)}|0\rangle =\frac{1}{\sqrt{2^{m+nl}}} \sum _{k \in \mathbb F^m_2,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k \rangle | [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle | 0,...,0\rangle . \end{aligned}$$
3. Apply \(U_h\):
$$\begin{aligned} \frac{1}{\sqrt{2^{m+nl}}} \sum _{k \in \mathbb F^m_2,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k\rangle | [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle | h(k,[x_1,x'_1],...,[x_l,x'_l])\rangle . \end{aligned}$$
4. Apply the Hadamard transformation to the qubits \(| [x_1,x'_1] \rangle ...| [x_l,x'_l] \rangle \):
$$\begin{aligned} |\varphi \rangle =\,&\frac{1}{\sqrt{2^{m+2nl}}} \sum _{k \in \mathbb F^m_2,u_1,...,u_l,[x_1,x'_1],...,[x_l,x'_l] \in \mathbb F^n_2 } | k \rangle (-1)^{\langle u_1,[x_1,x'_1]\rangle }| u_1\rangle \cdots (-1)^{\langle u_l,[x_l,x'_l]\rangle }\\&| u_l \rangle | h(k,[x_1,x'_1],...,[x_l,x'_l])\rangle . \end{aligned}$$
If \(k_4\) is guessed right, the period s is orthogonal to all the \(u_i, i=1,...,l\). Following Lemma 12, we choose \(l=2(n+\sqrt{n})\). Then we can construct a classifier \(\mathcal B:\mathbb F^{m+nl}_2\rightarrow \{0,1\}\) with a good subspace \(|\varphi _1\rangle \) and a bad subspace \(|\varphi _0\rangle \) as in Definition 5: \(|x\rangle \) lies in the good subspace if \(\mathcal B(x)=1\). Let \(|\varphi \rangle =|\varphi _1\rangle +|\varphi _0\rangle \), where \(|\varphi _1\rangle \) is the sum of the basis states in which k is the right \(k_4\). We can check this by testing whether \(g_{3}(k,[x,x'])=g_{3}(k,[x,x']\oplus s)\):
Definition 5
Let \(\tilde{U}=\langle u_1,...,u_l\rangle \) be the linear span of all \(u_i \). We define the classifier \(\mathcal B:\mathbb F^{m+nl}_2\rightarrow \{0,1\}\), which maps \((k,u_1,...,u_l)\mapsto \{0,1\}\), as follows.
1. If \(\dim (\tilde{U}) \ne n-1\), output 0. Otherwise compute the unique period s by using Lemma 2 in [24].
2. For a random \([x,x']\), if \(g_{3}(k,[x,x'])=g_{3}(k,[x,x']\oplus s)\), then output 1, otherwise output 0.
Measure \(|\varphi \rangle \); the initial probability of the good state is:
Set \(t =\lceil \frac{\pi }{4\theta }\rceil \), where \(\theta \) is defined via \(\sin^2(\theta )= p\). Then \(\theta \approx \arcsin ({2^{-m/2}})\approx {2^{-m/2}}\) and \(t \approx \lceil \frac{\pi }{4\times {2^{-m/2}}}\rceil \approx 2^{m/2} \). We define the unitary operator \(Q = -\mathcal AS_0\mathcal A^{-1}S_{\mathcal B}\), where the operator \(S_{\mathcal B}\) changes the sign of the good state:
\(S_0\) changes the sign of the amplitude only for the zero state \(|0\rangle \). Then after the computation of \(Q^t\mathcal A|0\rangle \), according to Theorem 8, a measurement yields good with probability at least \(\max \{1-p,p\}\approx 1-\frac{1}{2^m}\).
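The classifier \(\mathcal B\) of Definition 5 is the purely classical part of the procedure above: row-reduce the measured vectors \(u_1,...,u_l\) over \(\mathbb F_2\), recover s when their span has dimension n-1, and confirm the period on g. The following Python example is added here as an illustration and is not code from the paper. It simulates the measurement outcomes classically (vectors orthogonal to s for the right key guess, as the text states; uniformly random vectors for a wrong guess, which is an assumption of this demonstration), uses a constructed toy g in place of the paper's \(g_3\) and constructed values for \(k_4\) and s, and the names gf2_rref, unique_period, classifier, sample_outcomes and run_demo are our own.

```python
import math
import random

# Vectors of F_2^n are represented as n-bit Python ints; bit i holds coordinate i.

def gf2_rref(rows, n):
    """Row-reduce n-bit vectors over GF(2).

    Returns (basis, pivots): the nonzero reduced rows and, for each, the index of
    its pivot bit. len(basis) is dim(span(rows)), i.e. dim(U~) in Definition 5.
    """
    rows = [r & ((1 << n) - 1) for r in rows if r]
    basis, pivots = [], []
    for bit in reversed(range(n)):
        pivot = next((i for i, r in enumerate(rows) if r >> bit & 1), None)
        if pivot is None:
            continue
        row = rows.pop(pivot)
        rows = [r ^ row if r >> bit & 1 else r for r in rows]     # clear bit below
        basis = [b ^ row if b >> bit & 1 else b for b in basis]  # ...and above
        basis.append(row)
        pivots.append(bit)
    return basis, pivots

def unique_period(basis, pivots, n):
    """Given n-1 independent vectors orthogonal to s, return the unique nonzero s.

    In reduced form exactly one coordinate f is free: set s_f = 1, and each row
    gives <row, s> = s_p + row_f * s_f = 0, which forces s_p = row_f.
    """
    free = next(b for b in range(n) if b not in pivots)
    s = 1 << free
    for row, p in zip(basis, pivots):
        if row >> free & 1:
            s |= 1 << p
    return s

def classifier(k, us, n, g, rng):
    """Definition 5: 1 only if the u_i determine a period s that g(k, .) really has."""
    basis, pivots = gf2_rref(us, n)
    if len(basis) != n - 1:              # step 1: dim(U~) must equal n-1
        return 0, None
    s = unique_period(basis, pivots, n)
    x = rng.randrange(1 << n)             # step 2: check g(k, x) == g(k, x xor s)
    return (1 if g(k, x) == g(k, x ^ s) else 0), s

def lemma12_sample_count(n):
    """l = 2(n + sqrt(n)) measurement outcomes, as chosen in the proof."""
    return math.ceil(2 * (n + math.sqrt(n)))

N = 8
RIGHT_KEY = 0x2B          # constructed stand-in for the right k_4
SECRET_S = 0b10110011     # constructed hidden period (in the paper it comes from the cipher)

def make_g(n, right_key, s, seed=1):
    """Constructed toy g(k, x): has period s iff k == right_key, random-looking otherwise."""
    rng = random.Random(seed)
    mask = (1 << n) - 1
    table = [rng.randrange(1 << (n // 2)) for _ in range(1 << n)]
    def g(k, x):
        if k == right_key:
            return table[x] ^ table[x ^ s]   # symmetric under x -> x ^ s, so periodic
        return table[(x ^ k) & mask]         # keyed random table: no period
    return g

def sample_outcomes(n, l, s, key_is_right, rng):
    """Simulated outcomes u_1..u_l of measuring the step-4 state.

    Right key: every u_i is orthogonal to s (uniform on that hyperplane).
    Wrong key: u_i uniform over F_2^n (assumption for this demonstration).
    """
    us = []
    while len(us) < l:
        u = rng.randrange(1 << n)
        if key_is_right and bin(u & s).count("1") % 2:
            continue
        us.append(u)
    return us

def run_demo(n=N, seed=7):
    """Classify one right and one wrong key guess; returns ((bit, s), (bit, s))."""
    rng = random.Random(seed)
    g = make_g(n, RIGHT_KEY, SECRET_S)
    l = lemma12_sample_count(n)
    right = classifier(RIGHT_KEY, sample_outcomes(n, l, SECRET_S, True, rng), n, g, rng)
    wrong = classifier(RIGHT_KEY ^ 1, sample_outcomes(n, l, SECRET_S, False, rng), n, g, rng)
    return right, wrong

def estimate_good_rate(n=N, trials=300, seed=11):
    """Fraction of trials classifying the right key as good (Lemma 12 promises > 4/5)."""
    rng = random.Random(seed)
    g = make_g(n, RIGHT_KEY, SECRET_S)
    l = lemma12_sample_count(n)
    hits = sum(classifier(RIGHT_KEY, sample_outcomes(n, l, SECRET_S, True, rng), n, g, rng)[0]
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print(run_demo(), estimate_good_rate())
```

With the right key guess the l vectors lie in the (n-1)-dimensional hyperplane orthogonal to s, so `gf2_rref` finds dimension n-1 and `unique_period` returns s, which the toy g confirms; with a wrong guess the vectors almost always span all of \(\mathbb F^n_2\) and step 1 already outputs 0. This is the check that, inside the amplitude-amplification loop, separates the good subspace from the bad one.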
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Mao, S., Guo, T., Wang, P., Hu, L. (2022). Quantum Attacks on Lai-Massey Structure. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_11
DOI: https://doi.org/10.1007/978-3-031-17234-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17233-5
Online ISBN: 978-3-031-17234-2