Improved BV-based quantum attack on block ciphers

Abstract

Due to the powerful computing capability of quantum computers, cryptographic researchers have applied quantum algorithms to cryptanalysis and obtained many interesting results. Finding the linear structure of a vector function is an important task in cryptography. In this work, we study how to reduce the complexity of finding linear structure using the Bernstein–Vazirani (BV) algorithm and give a new quantum linear structure finding algorithm with complexity O(n). Our result realizes a quadratic speedup compared with the previous algorithm (with complexity \(O(n^{2})\)). This leads to a more efficient analysis of symmetric cryptography, that is, the complexity of some previous BV-based attacks reduces from \(O(n^{2})\) to O(n). Besides, we find two new applications for this kind of BV-based attack, i.e., related-key attacks on iterated Even–Mansour ciphers and i-round Feistel ciphers with independent round keys.

Appendices

A Proof of Theorem 3

Theorem 3

If \(\delta _{F}'\le p_{0}<1\), then algorithms 3 and 4 return \((a,i_{1}i_{2}\cdots i_{n})\) with cn queries, with probability at least \(1-(2p^{c}_{0})^{n}\).

Proof

The proof of Theorem 3 is based on the lemma as shown in [6]. This lemma shows that let \(f\in B_{n}\), then \(\forall a\in F^{n}_{2}\), \(\forall i\in F_{2}\), it holds that

$$\begin{aligned} \sum _{\omega \cdot a=i}S^{2}_{f}(\omega )=\frac{|\{x\in F^{n}_{2}|f(x\oplus a)\oplus f(x)=0\}|}{2^{n}}. \end{aligned}$$

(30)

Now we give the proof of Theorem 3, which is similar to Ref. [19, 38]. Without loss of generality, we prove the case that i is not known. The case with known i can be proved in a similar way. Then, according to the above lemma, the probability of getting an \(\omega \) satisfying \(\omega \cdot a=0\) after running the BV algorithm on \(\phi ^{j}_{s}\) is

$$\begin{aligned} Pr[\omega \cdot a=0]=\sum _{\omega \cdot a=0}S^{2}_{f}(\omega )=\frac{|\{x\in F^{n}_{2}|\phi ^{j}_{s}(x\oplus a)\oplus \phi ^{j}_{s}(x)=0\}|}{2^{n}}. \end{aligned}$$

(31)

Notice that the parameter \(\delta _{\phi }'\) satisfies

$$\begin{aligned} \delta _{\phi }'= & {} \frac{1}{2^{n}} \max \limits _{1\le j\le n}\max \limits _{t\in F^{n}_{2}\backslash U_{f}}|\{x\in F^{n}_{2}|\phi ^{j}_{s}(x\oplus t)\oplus \phi ^{j}_{s}(x)=0\}| \nonumber \\= & {} \max \limits _{1\le j\le n}\max \limits _{t\in F^{n}_{2}\backslash U_{f}}Pr[\omega \cdot t=0]\le p_{0}. \end{aligned}$$

(32)

Let \(\omega _{1},\omega _{2},\cdots ,\omega _{cn}\in \{0,1\}^{n}\) be the vectors that are obtained by operating the subroutine (steps 1-4) of algorithm c times. Note that each \(\omega _{1},\omega _{2},\cdots ,\omega _{cn}\) is orthogonal to \(\sigma \), since \(Pr_{x}[\phi _{s}(x\oplus \sigma )=\phi _{s}(x)]=1\), and thus, outputs of the subroutine of algorithm 4 are always orthogonal to \(\sigma \) due to Lemma 1.

Then, we can determine \(\sigma \) if and only if \(dim(Span(\omega _{1},\omega _{2},\cdots ,\omega _{cn}))=dim(\sigma ^{\perp })\), and the probability that we cannot determine \(\sigma \) is equal to the probability that there exists \(t\notin \sigma ^{\perp }\) such that \(Span(\omega _{1},\omega _{2},\cdots ,\omega _{cn})\perp t\). Therefore,

$$\begin{aligned} p_{fail}= & {} Pr[\exists t\in F^{n}_{2}\backslash \{0,\sigma \} s.t., \omega _{1}\cdot t=\omega _{2}\cdot t= \cdots =\omega _{cn}\cdot t=0] \nonumber \\\le & {} \Sigma _{t\in F^{n}_{2}\backslash \{0,\sigma \}}Pr[\omega _{1} \cdot t= \omega _{2} \cdot t= \cdots =\omega _{cn}\cdot t=0] \nonumber \\\le & {} \Sigma _{t\in F^{n}_{2}\backslash \{0,\sigma \}}(Pr[\omega _{1}\cdot t=0]\cdot Pr[\omega _{2}\cdot t=0]\cdot \cdots \cdot Pr[\omega _{cn}\cdot t=0]) \nonumber \\\le & {} 2^{n}\max \limits _{t\in F^{n}_{2}\backslash \{0,\sigma \}}(Pr[\omega \cdot t]=0)^{cn} \nonumber \\\le & {} (2p^{c}_{0})^{n}, \end{aligned}$$

(33)

where the first inequality results from the union bound and the second inequality follows from the fact that cn queries are independent.

After cn calls to the subroutine of our algorithm, the probability of obtaining the period \(\sigma \) is

$$\begin{aligned} p_{succ}=1-p_{fail}\ge 1-(2p^{c}_{0})^{n}. \end{aligned}$$

(34)

Find a from \(\sigma \), and calculate \(i_{1}i_{2}\cdots i_{n}=F(x\oplus a)\oplus F(x)\). Then, we can obtain \((a,i_{1}i_{2}\cdots i_{n})\). Thus, the conclusion holds. \(\square \)

B Proof of Theorem 4

Theorem 4

If running algorithms 3 and 4 on a function \(F\in C_{n,n}\) return \((a,i_{1}i_{2}\cdots i_{n})\), then for all \(\epsilon \) satisfying \(0<\epsilon <1\), we have

$$\begin{aligned} Pr[\frac{|\{x\in F^{n}_{2}|F(x\oplus a)\oplus F(x)=i_{1}i_{2}\cdots i_{n}\}|}{2^{n}}>1-n\epsilon ]>(1-e^{-2c\epsilon ^{2}})^{n}. \end{aligned}$$

(35)

Proof

Now we give the proof of Theorem 4, which is similar to Ref. [26, 38]. For the output vector \((a,i_{1}i_{2}\cdots i_{n})\), let the probability of getting an \(\omega \) satisfying \(\omega \cdot a=i_{j}\) after running the BV algorithm on \(F_{j}\) is

$$\begin{aligned} Pr[\omega \cdot a=i_{j}]=\frac{|\{x\in F^{n}_{2}|F_{j}(x\oplus a)\oplus F_{j}(x)=i_{j}\}|}{2^{n}}=p_{j}. \end{aligned}$$

(36)

Then,

$$\begin{aligned} Pr[\omega \cdot a=\overline{i_{j}}]=\frac{|\{x\in F^{n}_{2}|F_{j}(x\oplus a)\oplus F_{j}(x)=\overline{i_{j}}\}|}{2^{n}}=1-p_{j}=q_{j}, \end{aligned}$$

(37)

where \(1\le j\le n\), and \(p,q\in [0,1]\). Let Y be a random variable

$$\begin{aligned} Y(\omega )=\left\{ \begin{array}{ll} 0, &{} \omega \cdot a=i_{j} \\ 1, &{} \omega \cdot a=\overline{i_{j}}, \end{array} \right. \end{aligned}$$

(38)

where \(\omega \) is the output of the BV algorithm. Then, the expectation of Y is \(E(Y)=1\cdot q_{j}=q_{j}=1-p_{j}\). In addition, c runs of the BV algorithm on \(F_{j}\) correspond to c independent identical random variables \(Y_{1},Y_{2},\cdots ,Y_{c}\). Next, we prove that \(Pr[q_{j}\ge \epsilon ]\le e^{-2c\epsilon ^{2}}\), for which we first introduce Hoeffding’s inequality [18]. Consider a set of n independent random variables, such that \(X_{i}\in [a,b]\), \(i=1,2,\cdots ,n.\) Let \({\overline{X}}=\frac{X_{1}+\cdots +X_{n}}{n}\). Then, it follows that for \(\forall t>0\),

$$\begin{aligned} P(|{\overline{X}}-E[{\overline{X}}]|\ge t)\le e^{-\frac{2n^{2}t^{2}}{\sum ^{n}_{i=1}(b_{i}-a_{i})^{2}}}. \end{aligned}$$

(39)

Thus, by Hoeffding’s inequality, we obtain

$$\begin{aligned} Pr[q_{j}-\frac{1}{c}\Sigma ^{c}_{l=1}Y_{l}\ge \epsilon ]\le e^{-2c\epsilon ^{2}} \end{aligned}$$

(40)

Now that we have obtained \((a,i_{1}i_{2}\cdots i_{n})\), \(\frac{1}{c}\Sigma ^{c}_{l=1}Y_{l}\) in Eq. 37 must equal 0 (because if there exists some \(Y_{l}=1\), we cannot obtain \((a,i_{1}i_{2}\cdots i_{n})\)). Hence,

$$\begin{aligned} Pr[q_{j}\ge \epsilon ]\le e^{-2c\epsilon ^{2}}. \end{aligned}$$

(41)

From Eq. 38, it follows

$$\begin{aligned} Pr[1-p_{j}<\epsilon ]=Pr(1-\epsilon <p_{j}\le 1)>1-e^{-2c\epsilon ^{2}}. \end{aligned}$$

(42)

Thus, the probability that

$$\begin{aligned} Pr[\omega \cdot a=i_{j}]=\frac{\{x\in F^{n}_{2}|F_{j}(x\oplus a)\oplus F_{j}(x)=i_{j}\}}{2^{n}}>1-\epsilon \end{aligned}$$

(43)

holds is greater than \(1-e^{-2c\epsilon ^{2}}\). Then, there are at least \(2^{n}[2(1-\epsilon )-1]=2^{m}(1-2\epsilon )\) x that satisfy \(F_{j}(x\oplus a)\oplus F_{j}(x)=i_{j}\) for both \(j=1\) and \(j=2\). That is, for all \(j=1,2,\cdots ,n\), we have

$$\begin{aligned} Pr[\frac{\{x\in F^{n}_{2}|F(x\oplus a)\oplus F(x)=i_{1}i_{2}\cdots i_{n}\}}{2^{n}}>1-n\epsilon ]>(1-e^{-2c\epsilon ^{2}})^{n}. \end{aligned}$$

(44)

Thus, the conclusion holds. \(\square \)

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.