A note on quantum related-key attacks
Martin Rötteler* (Microsoft Research, One Microsoft Way, Redmond, WA 98052, U.S.A.; [email protected])
Rainer Steinwandt (Florida Atlantic University, Department of Mathematical Sciences, Boca Raton, FL 33431; [email protected])
November 11, 2018
Abstract
In a basic related-key attack against a block cipher, the adversary has access to encryptions under keys that differ from the target key by bit-flips. In this short note we show that for a quantum adversary such attacks are quite powerful: if (i) the secret key is uniquely determined by a small number of plaintext-ciphertext pairs, (ii) the block cipher can be evaluated efficiently, and (iii) a superposition of related keys can be queried, then the key can be extracted efficiently.
The availability of scalable quantum computers would jeopardize the security of many currently deployed asymmetric cryptographic schemes [1]. For symmetric cryptography the expectations for a post-quantum setting tend to be more optimistic, see e.g. [2], from which we quote: "quantum computers seem to have very little effect on secret-key cryptography, hash functions, etc. Grover's algorithm forces somewhat larger key sizes for secret-key ciphers, but this effect is essentially uniform across ciphers; today's fastest pre-quantum 256-bit ciphers are also the fastest candidates for post-quantum ciphers at a reasonable security level."
Related-key attacks are a powerful cryptanalytic tool when exploring block ciphers. In such attacks, the adversary is granted access to encryptions and/or decryptions of messages under secret keys which are related to the target key in a known or chosen way. As argued in [3], this type of attack is of practical interest, despite the assumptions made. When Winternitz and Hellman described this attack model more than 25 years ago, they focused on key relations given by bit-flips [4]. An illustrative example for an application of this attack model is an attack against 9 rounds of Rijndael with a 256-bit key, invoking 256 related keys with a particular choice of the bit-flips [5].

Current approaches to formalize related-key attacks allow more general key relations [6, 7], and restricting to bit-flips can be considered to be a rather conservative choice. Below we show that for a quantum adversary such a basic form of related-key attack is quite powerful. We show that the possibility to query a superposition of related keys to a block cipher enables the efficient extraction of the secret key, if some rather mild conditions are met:
1. the block cipher can be implemented efficiently as a quantum circuit, and
2. the secret key is uniquely determined by a small number of available plaintext-ciphertext pairs.
The attack we describe is unlikely to pose a practical threat, as querying a superposition of secret keys may not be feasible for a typical implementation. Notwithstanding this, from the structural point of view our observation indicates an interesting limitation for the security guarantees of a block cipher that one can hope to prove in a post-quantum scenario.

* This work was carried out while MR was with NEC Laboratories America, Inc., Princeton, NJ 08540, USA.

A block cipher with key length $k$ and block length $n$ is a family of $2^k$ permutations $\{E_K : \{0,1\}^n \to \{0,1\}^n\}_{K \in \{0,1\}^k}$ on bitstrings of length $n$.
Popular block ciphers limit the possible choices of the key length $k$; e.g., for the Advanced Encryption Standard [8] we have $n = 128$ and $k \in \{128, 192, 256\}$. To characterize the efficiency of certain types of attacks, it can nonetheless be convenient to consider families of block ciphers, interpreting the key length $k$ as a scalable security parameter. Measuring the running time of an adversary as a function of $k$, it is meaningful to speak of an expected polynomial time attack.

The attack model we consider goes back to [4]. After a key $K \in \{0,1\}^k$ has been chosen uniformly at random, the adversary has access to two oracles:
$E$: On input a bitmask $L \in \{0,1\}^k$ and a bitstring $m \in \{0,1\}^n$, this oracle returns the encryption $E_{K \oplus L}(m)$ of $m$ under the key $K \oplus L$.
$E^{-1}$: On input a bitmask $L \in \{0,1\}^k$ and a bitstring $c \in \{0,1\}^n$, this oracle returns the decryption $E^{-1}_{K \oplus L}(c)$ of $c$ under the key $K \oplus L$.
After interacting with these oracles, the adversary has to output a guess $K'$ for $K$, and it is considered successful if and only if $K = K'$. For our attack we will also assume that the block cipher at hand can be evaluated efficiently, i.e., with a polynomial-size quantum circuit that has the secret key and a plaintext as input. For block ciphers that are actually used this condition is of no concern.

The quantum attack below will not involve $E^{-1}$, but we will allow the adversary to query the block cipher and also the oracle $E$ with a superposition of keys. Finally, we require that the adversary has access to a polynomial number of plaintext-ciphertext pairs $(m_1, c_1), \dots, (m_r, c_r)$ such that there exists exactly one secret key $K \in \{0,1\}^k$ satisfying $(c_1, \dots, c_r) = (E_K(m_1), \dots, E_K(m_r))$. It is easy to come up with a pathological block cipher where the secret key cannot be uniquely determined by any number of plaintext-ciphertext pairs (see the footnote below), but for typical block ciphers we do not think this to be a concern.
In [9, Definition 7.34] the known plaintext unicity distance is defined as a measure for the number of (known) plaintext-ciphertext pairs that are needed to determine the secret key of a block cipher uniquely, and with [9, Fact 7.35] it seems plausible to estimate that for an $n$-bit block cipher with key length $k$ having
$$ r > \lceil k / n \rceil \qquad (1) $$
$n = k = $ … $r$-value as small as 2. Throughout we will assume that $r$ satisfies Inequality (1). Then the main idea to mount a quantum related-key attack is a reduction to a quantum algorithm described in [10], which we describe next.

Footnote: Encryption and decryption can simply ignore parts of the secret key.

Let $f : \{0,1\}^k \to \{0,1\}^{k'}$ with $k \le k'$ be a function such that one of the following two conditions holds:
(a) $f$ is injective;
(b) there exists a bitstring $s \in \{0,1\}^k \setminus \{0^k\}$ such that for every two distinct $x, x' \in \{0,1\}^k$ we have $f(x) = f(x') \iff x = x' \oplus s$.
Simon's problem asks to decide for such a function $f$ which of the two conditions holds, and in the case (b) to find $s$. Allowing the function $f$ to be evaluated at a superposition of inputs, [10] establishes the following result:

Theorem 1
Let $g(k)$ be an upper bound for the time needed to solve a $k \times k$ linear system of equations over the binary field $\mathbb{F}_2$, and let $t_f(k)$ be an upper bound for the time needed to evaluate the function $f$ on (a superposition of) inputs from $\{0,1\}^k$. Then the above problem can be solved in expected time $O(k \cdot t_f(k) + g(k))$. In particular, for $t_f = t_f(k)$ being polynomial, the above problem can be solved in expected polynomial time.

Alluding to the Electronic Code Book mode of operation [9, Section 7.2.2], subsequently we will simply write $E_K(\vec m)$ for the tuple of ciphertext blocks $(E_K(m_1), \dots, E_K(m_r)) \in \{0,1\}^{rn}$. For a fixed, unknown secret key $s \in \{0,1\}^k \setminus \{0^k\}$ and messages $\vec m \in \{0,1\}^{rn}$ that characterize $s$ uniquely as described in Section 2, we define the function
$$ f_s : \{0,1\}^k \to \{0,1\}^{2rn}, \qquad x \mapsto \{E_x(\vec m), E_{s \oplus x}(\vec m)\}. $$
We remark that for each $x$ in the domain of $f_s$, the image is comprised of two different ciphertexts, i.e., it does not collapse to a singleton set. Indeed, this is the case due to the choice of the plaintexts $m_1, \dots, m_r$, as the condition $s \ne 0^k$ implies that $E_x(\vec m) \ne E_{s \oplus x}(\vec m)$. We next describe our core result, namely a reduction from the problem of finding the secret key $s$ to an instance of Simon's problem, which can then be solved efficiently on a quantum computer.

Meeting the conditions of Simon's problem.
To argue that $f_s$ meets the conditions of Theorem 1, let us first clarify how to encode the images as elements of $\{0,1\}^{k'}$ for some $k' \ge k$. As we impose condition (1), with $k' = (rn + rn) = 2rn$ we clearly have $k' \ge k$ as desired. By interpreting elements in $\{0,1\}^{rn}$ as (unsigned) integers, we can impose a linear order on $\{0,1\}^{rn}$. Then, to store an element $\{c, c'\}$ in the image of $f_s$, we simply store the ordered pair $(\min(c, c'), \max(c, c'))$ as its unique $k'$-bit representation.

Next, consider two different $k$-bit strings $x \ne x'$ that satisfy $f_s(x) = f_s(x')$:
• If $E_x(\vec m) = E_{x'}(\vec m)$, then the choice of the plaintexts $m_1, \dots, m_r$ implies $x = x'$, so this cannot happen.
• If $E_x(\vec m) \ne E_{x'}(\vec m)$, then $E_x(\vec m) = E_{s \oplus x'}(\vec m)$, which by the choice of the plaintexts $m_1, \dots, m_r$ means that $x = s \oplus x'$.
So we have the implication $f_s(x) = f_s(x') \Rightarrow x = x' \oplus s$. The converse follows trivially from $s \oplus (x' \oplus s) = x'$. Next, let us check that the function $f_s(\cdot)$ can be evaluated efficiently.

Figure 1: Quantum circuit to implement a quantum related-key attack on a block cipher via a reduction to an instance of Simon's problem. The basic building blocks of this circuit are described in more detail in the text. The circuit makes use of calls to the block cipher for keys $x$ to obtain encryptions $E_x(\vec m)$ and of calls to the related-key oracle to obtain the corresponding encryptions $E_{x \oplus s}(\vec m)$ with respect to the related keys $x \oplus s$ that are obtained from the secret key $s$ via exclusive-OR (XOR) masks. Further detail on the comparison circuits is given in Figure 3. In the center of the circuit is a sequence of four copy operations via CNOTs to pick out the desired register and copy it into the target registers holding $\min(c, c')$ and $\max(c, c')$, respectively. We make use of a graphical notation that employs control knobs of different sizes, which is described further in Figure 4. Together, the comparison and copy operations realize the data structure of an unordered set, which we use in our reduction to Simon's problem. Upon measurement of the first register, a $k$-bit vector $y \in \{0,1\}^k$ is obtained which, due to our construction, is perpendicular to the secret key $s \in \{0,1\}^k$. After $O(k)$ iterations, with constant probability the secret key can be reconstructed from the measurement data.

Evaluating $f_s(\cdot)$ in polynomial time. By assumption the underlying block cipher can be evaluated with a polynomial-size quantum circuit, so computing the two values $E_x(\vec m)$ and $E_{s \oplus x}(\vec m)$ for a given $x$ can certainly be done in polynomial time. In the actual attack, the value $E_{s \oplus x}(\vec m)$ is obtained by invoking the encryption oracle $E$ for each of the plaintexts $m_1, \dots, m_r$, i.e., with a polynomial number of queries to $E$. This means we can obtain the pair $(E_x(\vec m), E_{s \oplus x}(\vec m))$ in polynomial time, and we are left to distill our unique $k'$-bit representation of the set comprised by these two elements.

As indicated in the previous paragraph, such a representation can be implemented by interpreting the two ciphertexts as integers and by then sorting them. A quantum circuit to determine this unique representation of a pair of bitvectors consists of swapping $E_x(\vec m)$ and $E_{s \oplus x}(\vec m)$ conditioned on the latter value being smaller than the former. For instance, with a reversible circuit to perform addition [13, 14, 15] one can compute the difference of the binary numbers represented by $E_x(\vec m)$ and $E_{s \oplus x}(\vec m)$ in polynomial time.
The most significant bit of the result then reveals the result of the comparison. The swap operation can be conditioned on this bit, followed by an uncomputation of the garbage introduced by the adder [16].

Figure 2: Quantum oracle to implement the encryption of a tuple $\vec m$ of messages under an encryption key $x \oplus s$ that is related to the secret key $s$ via addition of an XOR mask $x$. Note that the circuit for $s = $ […]

Figure 3: […] $n$-bit integers. An efficient implementation can, e.g., be obtained by computing the difference $i - j$ in one's complement form and then keeping only the highest order bit (see [13, 14]).

In Figure 1 we display the resulting quantum circuit. Note that each computation of an intermediate result has to be uncomputed, or else interference between the various computational paths could not take place. The overall structure of the circuit is that of a Fourier sampling circuit, i.e., a circuit type that arises in the solution of abelian hidden subgroup problems [11, 12].

The implementation of the hiding function $f_s$ is decomposed into several subroutines to make the circuit more readable: in a first stage, the classical $k$-bit vector $x$ is fanned out into two copies using a CNOT gate (note that a line with a tick denotes a quantum register holding two or more qubits). The value $x$ is then passed to a subroutine computing $E_x(\vec m)$, respectively $E_{x \oplus s}(\vec m)$, in superposition. These subroutines are carried out by circuits as in Figure 2. An efficient circuit for $E_x(\vec m)$ can be synthesized by making the efficient circuit (which by assumption exists) reversible. For the implementation of $E_{x \oplus s}(\vec m)$ we make use of the related-key oracle $E$. Throughout, it should be noted that $\vec m$ is a vector that uniquely characterizes $s$ as in Section 2.1. The "COMP" operation is shown in Figure 3 and can be realized similarly to addition of integers.
See also [13, 14] for implementations of comparison circuits that optimize circuit width, respectively circuit depth. The result of the comparison is then used to copy the smaller of the two registers (when interpreted as integers) into the uppermost of the last two registers and the larger one into the lower one. Finally, in Figure 4 one of the operations is shown that allows to select one of the two registers holding an $rn$-bit integer, depending on the value of the comparison operation. The other type, which picks a register controlled by the negated value of the comparison bit, is implemented analogously. Overall we have established the following result.

Figure 4: Quantum circuit to implement a controlled copy operation from one quantum register to another quantum register. In the figure, the source register consists of the upper $n$ qubits, the target register of the lower $n$ qubits, and the control qubit sits in the middle.

Theorem 2
For every $s \in \{0,1\}^k \setminus \{0^k\}$ the function $f_s$ defined above satisfies the conditions needed to apply Theorem 1, and the bound $t_{f_s}$ can be chosen to be polynomial.

By combining Theorems 1 and 2 we now obtain the following quantum related-key attack, which runs in expected polynomial time:
1. Check if the secret target key $s$ is the all-zero key $s = 0^k$ by computing $E_{0^k}(\vec m)$ and comparing these ciphertexts with the given ciphertexts $E_s(\vec m)$.
2. If $s \ne 0^k$, then apply Simon's algorithm, which constitutes the proof of Theorem 1, to recover $s$.

This note shows that in a quantum setting even a basic related-key attack is very powerful: under rather mild assumptions on the attacked block cipher, the secret key can be extracted efficiently.
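As an added illustration (not part of the paper), the following Python code simulates the two-step attack above classically for a constructed toy cipher with $k = n = 8$ and $r = 2$: it builds $f_s$ with the $(\min, \max)$ encoding of the unordered pair, checks the Simon promise of Theorem 2 exhaustively, simulates the Fourier-sampling step of Simon's circuit by computing the measurement distribution directly from the preimage set, and recovers $s$ by Gaussian elimination over $\mathbb{F}_2$. The S-box-based permutation, all function names and the sample key and plaintexts are assumptions of this example, not the paper's.

```python
# Added example (not from the paper): classical simulation of the reduction on a toy cipher.
import random
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
def perm8(x):  # fixed public 8-bit permutation P (constructed): nibble S-boxes, swap, constant
    for rc in (0x1B, 0x2D, 0x47):
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
        x = (((x & 0xF) << 4) | (x >> 4)) ^ rc
    return x
def toy_encrypt(key, m):  # k = n = 8, E_K(m) = P(m xor K): one pair already fixes K = P^-1(c) xor m
    return perm8(m ^ key)
def f_s(x, m_vec, related_key_oracle):
    # f_s(x) = {E_x(m_vec), E_{s xor x}(m_vec)}, packed as integers, stored as the ordered pair (min, max)
    c1 = int.from_bytes(bytes(toy_encrypt(x, m) for m in m_vec), "big")
    c2 = int.from_bytes(bytes(related_key_oracle(x, m) for m in m_vec), "big")
    return (min(c1, c2), max(c1, c2))
def simon_promise_holds(images, k, s):  # Theorem 2 checked exhaustively: f(x) = f(x') iff x' = x xor s
    return all((images[x] == images[x2]) == (x2 == x ^ s)
               for x in range(1 << k) for x2 in range(1 << k) if x2 != x)
def simon_sample(images, k, rng):
    # One Fourier-sampling run of Simon's circuit, simulated classically: measuring the image register
    # collapses the input to one preimage set; the Hadamard layer then yields y with prob. ~ (sum (-1)^(x.y))^2
    target = images[rng.randrange(1 << k)]
    pre = [x for x in range(1 << k) if images[x] == target]
    weights = [sum((-1) ** bin(x & y).count("1") for x in pre) ** 2 for y in range(1 << k)]
    return rng.choices(range(1 << k), weights=weights)[0]
def f2_nullspace_vector(rows, k):
    # Gaussian elimination over F_2 (the g(k) term of Theorem 1): once the sampled y span k-1
    # dimensions, return the unique nonzero s with y.s = 0 for all of them; None before that
    basis, pivots = [], []
    for y in rows:
        for b, p in zip(basis, pivots):  # reduce y against the pivots found so far
            if y >> p & 1:
                y ^= b
        if y:
            p = y.bit_length() - 1
            basis = [b ^ y if b >> p & 1 else b for b in basis] + [y]
            pivots.append(p)
    if len(basis) != k - 1:
        return None
    free = next(c for c in range(k) if c not in pivots)
    s = 1 << free
    for b, p in zip(basis, pivots):  # back-substitute with s_free = 1
        if b >> free & 1:
            s |= 1 << p
    return s
def related_key_attack(m_vec, c_vec, related_key_oracle, k=8, seed=1):
    # The paper's attack: (1) test the all-zero key, (2) Simon's algorithm on f_s; the related-key
    # oracle returns E_{s xor mask}(m) for a chosen XOR mask (here mask = x)
    if tuple(toy_encrypt(0, m) for m in m_vec) == tuple(c_vec):
        return 0
    rng = random.Random(seed)
    images = [f_s(x, m_vec, related_key_oracle) for x in range(1 << k)]
    rows, s = [], None
    while s is None:  # expected O(k) samples suffice
        rows.append(simon_sample(images, k, rng))
        s = f2_nullspace_vector(rows, k)
    return s
```

The quantum step is replaced by an exact classical computation of its output distribution, so the simulation costs $2^k$ evaluations of $f_s$ and only illustrates the reduction at toy size.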
Acknowledgments
RS was supported by the Spanish Ministerio de Economía y Competitividad through the project grant MTM-2012-15167 and by NATO's Public Diplomacy Division in the framework of "Science for Peace", Project MD.SFPP 984520. This work was carried out while MR was with NEC Laboratories America, Princeton, NJ 08540, U.S.A. We thank Schloss Dagstuhl, Germany, for providing an excellent research environment in which part of this research was carried out during a Quantum Cryptanalysis seminar.
References
[1] P. W. Shor, Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, SIAM Journal on Computing 26 (1997) 1484–1509.
[2] D. J. Bernstein, Introduction to post-quantum cryptography, in: Post-Quantum Cryptography, D. J. Bernstein, J. Buchmann, E. Dahmen (eds.), Springer, 2009, pp. 1–14.
[3] J. Kelsey, B. Schneier, D. Wagner, Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES, in: N. Koblitz (Ed.), Advances in Cryptology – CRYPTO 1996, volume 1109 of Lecture Notes in Computer Science, Springer, 1996, pp. 237–251.
[4] R. Winternitz, M. Hellman, Chosen-key attacks on a block cipher, Cryptologia XI (1987) 16–20.
[5] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, D. Whiting, Improved Cryptanalysis of Rijndael, in: B. Schneier (Ed.), Fast Software Encryption – FSE 2000, volume 1978 of Lecture Notes in Computer Science, Springer, 2001, pp. 213–230.
[6] M. Bellare, T. Kohno, A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications, in: E. Biham (Ed.), Advances in Cryptology – EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, International Association for Cryptologic Research, Springer, 2003, pp. 491–506.
[7] M. R. Albrecht, P. Farshim, K. G. Paterson, G. J. Watson, On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model, in: Fast Software Encryption – FSE 2011, volume 6733 of Lecture Notes in Computer Science, International Association for Cryptologic Research, Springer, 2011, pp. 128–145.
[8] NIST, Specification for the ADVANCED ENCRYPTION STANDARD (AES), Federal Information Processing Standards Publication 197, 2001.
[9] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 2001. Sample chapters available at http://cacr.uwaterloo.ca/hac/.
[10] D. R. Simon, On the Power of Quantum Computation, in: 35th Annual Symposium on Foundations of Computer Science – FOCS 1994, IEEE Computer Society, 1994, pp. 116–123.
[11] G. Brassard, P. Høyer, An exact polynomial-time algorithm for Simon's problem, in: Proceedings of Fifth Israeli Symposium on Theory of Computing and Systems – ISTCS 1997, IEEE Computer Society, 1997, pp. 12–23.
[12] M. Mosca, A. Ekert, The hidden subgroup problem and eigenvalue estimation on a quantum computer, in: Quantum Computing and Quantum Communications – QCQC 1998, volume 1509 of