Breaking LWC candidates: sESTATE and Elephant in quantum setting

Published in: Designs, Codes and Cryptography

Abstract

The competition for lightweight cryptography (LWC) launched by the National Institute of Standards and Technology (NIST) is an ongoing project calling for the standardization of lightweight cryptographic algorithms. The Report on Lightweight Cryptography specifically asks that submissions be quantum safe when long-term security is needed. However, this requirement was not included in the “Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process.” Consequently, most candidates, including sESTATE and Elephant, make no claim regarding security against quantum attacks. We propose quantum key-recovery attacks on these two second-round candidates. sESTATE is an authenticated encryption mode inspired by SUNDAE, which was proposed in ToSC 2018. It claims that the adversary can obtain no information about the simplified tweakable block cipher. However, we show that a quantum adversary can extract the internal values, leading to a key-recovery attack on the only recommended scheme, sESTATE_TweAES-128-6, with \(2^{42.3}\) Q2 queries and time equivalent to \(2^{52}\) AES encryptions. Technically, the attack combines a quantum extraction method with the quantum square attack. For the Elephant mode, which internally uses a permutation masked by linear feedback shift registers (LFSRs), similar to the masked Even–Mansour construction proposed in EUROCRYPT 2016, we launch the attack based on the quantum attack proposed by Bonnetain et al., which relies on Simon’s algorithm without superposition queries and on Grover’s algorithm. Our attack is generic and independent of the internal permutation; hence, we obtain quantum attacks on all instances, with a tradeoff between classical and quantum queries. Remarkably, the attack complexities for both recommended instances are lower than that of the generic quantum attack on the key, i.e., time \({\mathcal {O}}({2}^{|K|/{2}})\) with \({\mathcal {O}}(1)\) queries.



References

  1. Alagic G., Russell A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part III, pp. 65–93 (2017). https://doi.org/10.1007/978-3-319-56617-7_3.

  2. Anand M.V., Targhi E.E., Tabia G.N., Unruh D.: Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation. In: Post-Quantum Cryptography—7th International Workshop, PQCrypto 2016, Fukuoka, Japan, 24–26 February 2016, Proceedings, pp. 44–63 (2016). https://doi.org/10.1007/978-3-319-29360-8_4.

  3. Andreeva E., Bogdanov A., Luykx A., Mennink B., Mouha N., Yasuda K.: How to securely release unverified plaintext in authenticated encryption. In: Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., 7–11 December 2014, Proceedings, Part I, pp. 105–125 (2014). https://doi.org/10.1007/978-3-662-45611-8_6.

  4. Banik S., Bogdanov A., Luykx A., Tischhauser E.: SUNDAE: small universal deterministic authenticated encryption for the Internet of Things. IACR Trans. Symmetric Cryptol. 2018(3), 1–35 (2018). https://doi.org/10.13154/tosc.v2018.i3.1-35.

  5. Bellare M., Namprempre C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x.

  6. Bernstein D.J.: Stronger security bounds for Wegman–Carter–Shoup authenticators. In: Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005, Proceedings, pp. 164–180 (2005). https://doi.org/10.1007/11426639_10.

  7. Bertoni G., Daemen J., Peeters M., Assche G.V.: Keccak. Cryptology ePrint Archive, Report 2015/389 (2015). http://eprint.iacr.org/2015/389.

  8. Beyne T., Chen Y.L., Dobraunig C., Mennink B.: Elephant v1.1. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/elephant-spec-round2.pdf.

  9. Black J., Rogaway P.: CBC MACs for arbitrary-length messages: the three-key constructions. J. Cryptol. 18(2), 111–131 (2005). https://doi.org/10.1007/s00145-004-0016-3.

  10. Bogdanov A., Knezevic M., Leander G., Toz D., Varici K., Verbauwhede I.: spongent: a lightweight hash function. In: Cryptographic Hardware and Embedded Systems—CHES 2011—13th International Workshop, Nara, Japan, September 28–October 1, 2011, Proceedings, pp. 312–325 (2011). https://doi.org/10.1007/978-3-642-23951-9_21.

  11. Boneh D., Zhandry M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Proceedings, Part II, pp. 361–379 (2013). https://doi.org/10.1007/978-3-642-40084-1_21.

  12. Bonnetain X.: Quantum key-recovery on full AEZ. In: Selected Areas in Cryptography—SAC 2017—24th International Conference, Ottawa, ON, Canada, August 16–18, 2017, Revised Selected Papers, pp. 394–406 (2017). https://doi.org/10.1007/978-3-319-72565-9_20.

  13. Bonnetain X., Hosoyamada A., Naya-Plasencia M., Sasaki Y., Schrottenloher A.: Quantum attacks without superposition queries: the offline Simon’s algorithm. In: Advances in Cryptology—ASIACRYPT 2019—25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part I, pp. 552–583 (2019). https://doi.org/10.1007/978-3-030-34578-5_20.

  14. Bonnetain X., Jaques S.: Quantum period finding against symmetric primitives in practice. IACR Cryptol. ePrint Arch. 2020, 1418 (2020). https://eprint.iacr.org/2020/1418.

  15. Bonnetain X., Naya-Plasencia M., Schrottenloher A.: Quantum security analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), 55–93 (2019). https://doi.org/10.13154/tosc.v2019.i2.55-93.

  16. Brassard G., Høyer P., Mosca M., Tapp A.: Quantum amplitude amplification and estimation. AMS Contemp. Math. Ser. (2000). https://doi.org/10.1090/conm/305/05215.

  17. Canteaut A., Duval S., Leurent G., Naya-Plasencia M., Perrin L., Pornin T., Schrottenloher A.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/saturnin-spec-round2.pdf.

  18. Chakraborti A., Datta N., Jha A., Lopez C.M., Nandi M., Sasaki Y.: ESTATE. Submission to the Lightweight Cryptography competition (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/estate-spec-round2.pdf.

  19. Daemen J., Rijmen V.: AES proposal: Rijndael (1998).

  20. Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Information Security and Cryptography. Springer (2002). https://doi.org/10.1007/978-3-662-04722-4.

  21. Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D.A., Whiting D.: Improved cryptanalysis of Rijndael. In: Fast Software Encryption, 7th International Workshop, FSE 2000, New York, NY, USA, April 10–12, 2000, Proceedings, pp. 213–230 (2000). https://doi.org/10.1007/3-540-44706-7_15.

  22. Granger R., Jovanovic P., Mennink B., Neves S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part I, pp. 263–293 (2016). https://doi.org/10.1007/978-3-662-49890-3_11.

  23. Grassl M., Langenberg B., Roetteler M., Steinwandt R.: Applying Grover’s algorithm to AES: quantum resource estimates. In: Post-Quantum Cryptography—7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24–26, 2016, Proceedings, pp. 29–43 (2016). https://doi.org/10.1007/978-3-319-29360-8_3.

  24. Grover L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996). https://doi.org/10.1145/237814.237866.

  25. Hosoyamada A., Sasaki Y.: Quantum Demirci–Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: Security and Cryptography for Networks—11th International Conference, SCN 2018, Amalfi, Italy, September 5–7, 2018, Proceedings, pp. 386–403 (2018). https://doi.org/10.1007/978-3-319-98113-0_21.

  26. Kaplan M., Leurent G., Leverrier A., Naya-Plasencia M.: Breaking symmetric cryptosystems using quantum period finding. In: Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II, pp. 207–237 (2016). https://doi.org/10.1007/978-3-662-53008-5_8.

  27. Kaplan M., Leurent G., Leverrier A., Naya-Plasencia M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71–94 (2016). https://doi.org/10.13154/tosc.v2016.i1.71-94.

  28. Kuwakado H., Morii M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, June 13–18, 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685 (2010). https://doi.org/10.1109/ISIT.2010.5513654.

  29. Kuwakado H., Morii M.: Security on the quantum-type Even–Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 28–31, 2012, pp. 312–316 (2012). http://ieeexplore.ieee.org/document/6400943/.

  30. Leander G., May A.: Grover meets Simon—quantumly attacking the FX-construction. In: Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II, pp. 161–178 (2017). https://doi.org/10.1007/978-3-319-70697-9_6.

  31. McKay K.A., Bassham L., Turan M.S., Mouha N.: NISTIR 8114: Report on lightweight cryptography. Technical report, U.S. Department of Commerce, National Institute of Standards and Technology (2017).

  32. NIST: Recommendation for block cipher modes of operation: methods and techniques. NIST Special Publication 800-38A (2001).

  33. NIST: Post-quantum cryptography. Post-Quantum Cryptography Standardization (2016). https://csrc.nist.gov/Projects/post-quantum-cryptography.

  34. NIST: Lightweight cryptography. Submission to the Lightweight Cryptography competition (2017). https://www.nist.gov/programs-projects/lightweight-cryptography.

  35. Rogaway P., Shrimpton T.: A provable-security treatment of the key-wrap problem. In: Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings, pp. 373–390 (2006). https://doi.org/10.1007/11761679_23.

  36. Shor P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700.

  37. Shoup V.: On fast and provably secure message authentication based on universal hashing. In: Advances in Cryptology—CRYPTO ’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996, Proceedings, pp. 313–328 (1996). https://doi.org/10.1007/3-540-68697-5_24.

  38. Simon D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 116–123 (1994). https://doi.org/10.1109/SFCS.1994.365701.

  39. Wegman M.N., Carter L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981). https://doi.org/10.1016/0022-0000(81)90033-7.


Acknowledgements

We would like to first extend our heartfelt thanks to all the reviewers and editors. We are glad that their comments helped us clarify the limitations of the original version, particularly the complexity analysis and the attack on Elephant, so that we could continue to improve our paper.

Corresponding author

Correspondence to Tairong Shi.

Additional information

Communicated by M. Naya-Plasencia.

This work was supported by the National Natural Science Foundation of China (Grant Nos. 61572516, 61602514, 61802437, 61802438, 61672509).

Appendix A: The procedure \(\texttt {test}\) that judges whether \(\texttt {Enc}\oplus g_j\) has a period


A detailed description and the analysis of \(\texttt {test}\) can be found in [13].
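The abstract's Elephant attack and the \(\texttt {test}\) procedure of Appendix A both rest on one primitive: deciding, for a key guess \(g_j\), whether \(\texttt {Enc}\oplus g_j\) is periodic, with Grover's algorithm driving the guesses. The following Python is an added illustration, not code from the paper or from the Elephant submission. It simulates Simon's circuit classically on a 6-bit toy FX-style construction (public permutations, keys and the inner keyed family \(F_g\) are all constructed here; none of them model Elephant's LFSR masking), so the quantum step is replaced by computing the exact measurement distribution from the truth table, and the Grover search is replaced by an exhaustive loop over the inner key. What it shows is the mechanism of the test: for the right guess the measured vectors all lie in the hyperplane orthogonal to the period, so their span has rank below \(n\), while for a wrong guess they span the whole space.

```python
"""Classical simulation of the period test behind offline-Simon key recovery,
run against a constructed 6-bit FX-style toy cipher (added example; not the
paper's or Elephant's code)."""
import random
from collections import defaultdict

N = 6                       # toy block size in bits; domain has only 64 points


def make_permutation(seed):
    """A fixed, public random permutation of {0..2^N-1} (constructed)."""
    perm = list(range(1 << N))
    random.Random(seed).shuffle(perm)
    return perm


P1, P2 = make_permutation(11), make_permutation(22)   # public components of F


def F(g, x):
    """Keyed inner permutation family F_g (constructed). The inner key g is
    the value Grover's search would range over in the real attack."""
    return P2[P1[x ^ g] ^ g]


# Secret keys of the toy FX construction (constructed values).
K, K1, K2 = 0b110010, 0b101101, 0b010011


def encrypt(x):
    """Toy FX construction: Enc(x) = F_K(x xor K1) xor K2."""
    return F(K, x ^ K1) ^ K2


def dot(a, b):
    """Inner product over GF(2) of two N-bit vectors."""
    return bin(a & b).count("1") & 1


def simon_output_weights(f):
    """Exact measurement distribution of one run of Simon's circuit on f,
    computed from the truth table. After the oracle and the final Hadamard
    layer, the amplitude of |y> alongside output z is proportional to
    sum_{x: f(x)=z} (-1)^{x.y}, so Pr[y] = weight[y] / 4^N with
    weight[y] = sum_z (sum_{x: f(x)=z} (-1)^{x.y})^2.
    If f(x) = f(x xor s) for all x, every y with y.s = 1 gets weight 0."""
    preimages = defaultdict(list)
    for x in range(1 << N):
        preimages[f(x)].append(x)
    weights = []
    for y in range(1 << N):
        w = 0
        for xs in preimages.values():
            w += sum(-1 if dot(x, y) else 1 for x in xs) ** 2
        weights.append(w)
    return weights


def candidate_periods(ys):
    """Nonzero s orthogonal to every measured y. This is exactly the
    'rank < N' test: the ys span a proper subspace iff some nonzero s
    survives. Enumerating 2^N candidates is fine for a toy; at real block
    sizes one solves the GF(2) linear system by elimination instead."""
    return [s for s in range(1, 1 << N) if all(dot(y, s) == 0 for y in ys)]


def recover_key(enc, samples=3 * N, seed=0):
    """Offline-Simon style key recovery on the toy cipher. The loop over g
    stands in for Grover's search; for each guess the test decides whether
    Enc(x) xor F_g(x) has a period. Only the right g yields period K1, and
    every surviving candidate is confirmed with a few classical queries."""
    rng = random.Random(seed)
    for g in range(1 << N):
        weights = simon_output_weights(lambda x: enc(x) ^ F(g, x))
        ys = rng.choices(range(1 << N), weights=weights, k=samples)
        for s in candidate_periods(ys):
            k2 = enc(0) ^ F(g, s)          # Enc(0) = F_g(s) xor k2 if (g, s) is right
            if all(enc(x) == F(g, x ^ s) ^ k2 for x in range(1, 8)):
                return g, s, k2
    return None


if __name__ == "__main__":
    found = recover_key(encrypt)
    print("recovered (K, K1, K2):", tuple(f"{v:06b}" for v in found))
```

The number of samples per guess (here 3N) is the knob the real procedure tunes: a periodless function yields near-uniform vectors, so the chance that 3N of them fail to span GF(2)^N is about 2^{-2N}, which is what keeps false positives from wrong guesses rare; a periodic function can never produce a vector outside the hyperplane, so the right guess is never rejected.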


Cite this article

Shi, T., Wu, W., Hu, B. et al. Breaking LWC candidates: sESTATE and Elephant in quantum setting. Des. Codes Cryptogr. 89, 1405–1432 (2021). https://doi.org/10.1007/s10623-021-00875-7
