On Quantum Slide Attacks

Abstract

At Crypto 2016, Kaplan et al. proposed the first quantum exponential acceleration of a classical symmetric cryptanalysis technique: they showed that, in the superposition query model, Simon’s algorithm could be applied to accelerate the slide attack on the alternate-key cipher. This allows to recover an n-bit key with \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( n\right) \) queries.

In this paper we propose many other types of quantum slide attacks, inspired by classical techniques including sliding with a twist, complementation slide and mirror slidex. We also propose four-round self-similarity attacks for Feistel ciphers when using XOR operations. Some of these variants combined with whitening keys (FX construction) can also be successfully attacked. We present a surprising new result involving composition of quantum algorithms, that allows to combine some quantum slide attacks with a quantum attack on the round function, allowing an efficient key-recovery even if this function is strong classically.

Finally, we analyze the case of quantum slide attacks exploiting cycle-finding, whose possibility was mentioned in a paper by Bar-On et al. in 2015, where these attacks were introduced. We show that the speed-up is smaller than expected and less impressive than the above variants, but nevertheless provide improved complexities on the previous known quantum attacks in the superposition model for some self-similar SPN and Feistel constructions.

Appendices

A Summary of Classical Slide Attacks

We provide in Tables 3 and 4 a (certainly non exhaustive) list of classical slide attacks that we studied for quantum improvements. They are not ordered by efficiency. We refer to the corresponding source for a presentation of the attack principle. Table 3 contains attacks on specific constructions, while Table 4 contains attacks on generic constructions (n is the block size of the cipher attacked; for a Feistel network, round keys have size n/2). Note that memory usage and required access to a decryption device play a role in the usefulness of these slide attacks.

Table 3. Classical slide attacks on specific constructions

Table 4. Classical slide attacks on generic constructions. We omit \(\mathcal {O}\) notations.

B Quantum Cycle-Based Slide Attacks

We are inspired by [2] and the attacks against the SA construction and weak variants of AES. In the classical as in the quantum versions, most of the computation time required is due to finding the actual slide pairs (via the cycle).

Two Keys and Two Permutations. Consider a cipher with alternating keys \(k_0, k_1\), xored or modularly added, and two permutations \(\varPi _1, \varPi _2\) (Fig. 5). In the case of a SPN, \(\varPi _1 = \varPi _2 = \varPi \) are the same.

Fig. 5.

Slide attack against a key- and permutation-alternating cipher

This scheme resists to the basic slide attack, but we can write \(E_k \circ \varPi _2 = f_k^r(x)\) where \(f_k(x) = \varPi _2( k_1 \oplus \varPi _1(k_0 \oplus x))\), and apply the cycle-finding technique. In \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/2}\right) \) superposition queries to \(E_k\) and computations, we can recover a small number of slide pairs, say two, from small cycles of \(E_k \circ \varPi _2\). Recall that n is the block size here; the key length is 2n. Therefore we obtain two equations:

$$\begin{aligned} y&= \varPi _2( k_1 \oplus \varPi _1(k_0 \oplus x)) \\ y'&= \varPi _2( k_1 \oplus \varPi _1(k_0 \oplus x')) \end{aligned}$$

Since the permutations can be inverted, we find:

$$ \varPi _2^{-1}(y) \oplus \varPi _2^{-1}(y') = \varPi _1(k_0 \oplus x) \oplus \varPi _1(k_0 \oplus x') $$

Solving this equation on \(k_0\), if \(\varPi _1\) has no specific property, can be done in \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/2}\right) \) time using Grover’s algorithm, the same complexity as the first stage. This improves on the Grover-meets-Simon technique of [29], which would perform in \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( n2^{n/2}\right) \) queries and more time (the Grover oracle requires to solve linear systems in superposition).

Attacking 3k-SPN. Cycle-finding can further be applied on a 3k-SPN construction, where there is a unique permutation \(\varPi = A \circ S\), with A a linear layer and S a non-linear layer of S-Boxes. Still using \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/2}\right) \) queries, we now write the slide equations as:

$$\begin{aligned} y&= \varPi (k_2 \oplus \varPi ( k_1 \oplus \varPi (k_0 \oplus x))) \\ y'&= \varPi (k_2 \oplus \varPi ( k_1 \oplus \varPi (k_0 \oplus x'))) \\ \implies \varPi ^{-1}(y) \oplus \varPi ^{-1}(y')&= \varPi ( k_1 \oplus \varPi (k_0 \oplus x)) \oplus \varPi ( k_1 \oplus \varPi (k_0 \oplus x')) \end{aligned}$$

To solve efficiently this equation in \(k_0\) and \(k_1\), we first guess \(k_0\) using Grover’s algorithm. The equation on \(k_1\) becomes:

$$\begin{aligned} A^{-1}( \varPi ^{-1}(y) \oplus \varPi ^{-1}(y') ) = S( k_1 \oplus \varPi (k_0 \oplus x)) \oplus S( k_1 \oplus \varPi (k_0 \oplus x')) \end{aligned}$$

Furthermore, we may consider each S-Box separately and solve the equation on \(k_1\), S-Box by S-Box. if s is the bit size of an S-Box, the final complexity of this attack is \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{(n+s)/2}\right) \) computations, with \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n / 2}\right) \) oracle queries.

Attacking 4k-AES. In the case of AES, we can add one more round. Suppose that, by the cycle, we obtain four equations of the form:

$$\begin{aligned}&A^{-1}( \varPi ^{-1}(y) \oplus \varPi ^{-1}(y') ) = \\&\qquad \qquad \qquad \quad \; S(k_2 \oplus \varPi ( k_1 \oplus \varPi (k_0 \oplus x))) \oplus S(k_2 \oplus \varPi ( k_1 \oplus \varPi (k_0 \oplus x'))) \end{aligned}$$

We use the fact that a column of \(\varPi (x)\) does only depend on a diagonal of x. Since we need only to guess \(k_2\) byte per byte, we need also only to guess \(k_1\) column by column, assuming that the full \(k_0\) is guessed. The cycle step has a complexity of approximately \(2^{64}\) queries (usually, queries to an AES-like black-box should cost a non-negligible quantum time). The equation step has a complexity of approximately \(2^{64} \times \left( 2^{16} (2^4 \times 4) \times 4 \right) \simeq 2^{84}\) calls to \(\varPi \): each guess of \(k_0\) is tested by searching the good \(k_1\) (column by column) and \(k_2\) (byte per byte).

Against 3k-Feistel. A Feistel scheme with a mixing function f, alternating three keys \(k_0, k_1, k_2\), xored or modularly added, is immune to the complementation slide and sliding with a twist techniques. It seems difficult to write a slide shift property for this cipher. Let us write the round function g as:

$$\begin{aligned}&L, R \mapsto R + f( k_1 + L + f(k_0 + R)),\\&\qquad \qquad \qquad \qquad \qquad \qquad L + f(k_0 + R) + f(k_2 + f( k_1 + L + f(k_0 + R))) \end{aligned}$$

and suppose that we can invert f. In \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/2}\right) \) queries, we can find two slide equations \(g(L,R) = L',R'\), which imply \(f( k_1 + L + f(k_0 + R)) = L' - R\). Regardless of the function f, we can invert it in time \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/4}\right) \) using Grover and recover two equations \(k_1 + L + f(k_0 + R) = X\). We take the difference (or sum if we replace \(+\) by \(\oplus \)) to eliminate \(k_1\), and we can solve the remaining equation on \(k_0\) using Grover in \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/4}\right) \) time. Once this is done, \(k_1\) can be found via the relation \(k_1 = f^{-1}(L' - R) - L - f(k_0 + R)\) and \(k_2\) via \(L + f(k_0 + R) + f(k_2 + f( k_1 + L + f(k_0 + R))) = R'\).

The whole attack requires \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n / 2}\right) \) time and queries due to the cycle finding, with any function f.

Against 4k-Feistel. If we append one more round key \(k_3\), the round function g becomes:

$$\begin{aligned}&\;\;\;\; L, R \mapsto L + f(k_0 + R) + f(k_2 + f( k_1 + L + f(k_0 + R))),\\&R + f( k_1 + L + f(k_0 + R)) + f(k_3 + L + f(k_0 + R) + f(k_2 + f( k_1 + L + f(k_0 + R)))) \end{aligned}$$

Again, we can find some slide equations \(g(L,R) = L',R'\) from a cycle in \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/2}\right) \) queries. We guess the subkey \(k_0\). For each guess, we can rewrite the equations as if there were only 3 subkeys, and solve them in time \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n/4}\right) \) using multiple Grover instances, as seen above, regardless of the properties of f. The whole attack requires \(\mathop {}\mathopen {}\mathcal {O}\mathopen {}\left( 2^{n / 2}\right) \) time and queries, the two steps (cycle finding and solving equations) are now balanced. The time complexity is greater than the other 4k-Feistel attacks seen above, but there is no restriction on the function f and the operations used; furthermore, we only use encryption queries, not decryption queries (which is the case of the twist).

C Slide Attack on a Four-Round Self-similar Feistel

Fig. 6.

Complementation and twist combined on a 4k-Feistel scheme