Abstract:
Post-quantum cryptography is a branch of cryptography aimed at designing secure
conventional cryptographic systems against an adversary having access to quantum
computers. Works in this area span from theoretical analysis of security definitions and
protocols to the research of classical and quantum cryptanalytic algorithms to developing
cryptographic schemes that can be deployed for real-world usage.
Symmetric cryptography studies a range of techniques in which data’s confidentiality
and/or authenticity are protected based on a shared secret or by condensing inputs to short
strings with a public hash function. The goal of cryptanalysis is to identify weaknesses in
generic and specific constructions. The introduction of quantum computers has resulted in
the need to re-evaluate the security of all the existing primitives. In this thesis, we focus
on the study of existing symmetric-key cryptosystems in the quantum paradigm.
First, we study how Grover’s search algorithm affects the cost of running key search
attacks against the ARIA block cipher. Such attacks have been suggested by the National
Institute of Standards and Technology as reference points for defining quantum security
and, therefore, their cost should be well understood. Furthermore, Grover speedups are a
component of many quantum attacks, making the study of these trade-offs of independent
interest.
Second, we implement Grover’s algorithm for lightweight block ciphers in Q#, a
quantum programming kit developed by Microsoft. Such implementations provide a
precise estimate of quantum resources and can be automated for various time-space trade-offs.
Under NIST’s maximum circuit-depth constraint, we give precise cost estimates of Grover-based
key search attacks on lightweight block ciphers such as GIFT, SKINNY, and SATURNIN.
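The depth-constrained time-space trade-off referred to in the two paragraphs above can be made concrete with the standard cost model: a depth budget forces the key space to be split across parallel Grover instances, and the total gate count grows with the square root of the number of instances. The code below is an added illustration, not the thesis's Q# resource estimator; the key size, per-oracle depth and gate counts and the depth budget are hypothetical parameters, not figures from the thesis.

```python
import math

# Added example (not from the thesis). Cost model for Grover key search under
# a maximum circuit-depth budget (MAXDEPTH in NIST's terminology). All numeric
# parameters below are hypothetical placeholders, not measured cipher costs.


def grover_iterations(search_space_bits: float) -> int:
    """Number of Grover iterations for an unstructured search over
    2^search_space_bits candidates: floor((pi/4) * sqrt(N))."""
    return math.floor((math.pi / 4) * math.sqrt(2 ** search_space_bits))


def parallel_instances(key_bits: int, oracle_depth: int, max_depth: int) -> int:
    """Smallest number p of parallel Grover instances, each searching a 1/p
    slice of the key space, such that one instance fits the depth budget.

    Per-instance depth ~ (pi/4) * sqrt(2^k / p) * oracle_depth <= max_depth,
    which rearranges to p >= (pi/4)^2 * 2^k * oracle_depth^2 / max_depth^2.
    """
    p = ((math.pi / 4) ** 2) * (2 ** key_bits) * oracle_depth ** 2 / max_depth ** 2
    return max(1, math.ceil(p))


def key_search_cost(key_bits: int, oracle_depth: int, oracle_gates: int,
                    max_depth: int):
    """Return (instances, iterations per instance, circuit depth, total gates)
    for a Grover key search that respects the depth budget."""
    p = parallel_instances(key_bits, oracle_depth, max_depth)
    iters = grover_iterations(key_bits - math.log2(p))  # each instance: 2^k / p keys
    depth = iters * oracle_depth          # sequential depth of one instance
    gates = p * iters * oracle_gates      # all instances run in parallel
    return p, iters, depth, gates


if __name__ == "__main__":
    # Hypothetical 128-bit-key cipher: oracle depth 2^10, 2^15 gates per oracle call.
    for budget in (2 ** 40, 2 ** 64, 2 ** 96):
        p, iters, depth, gates = key_search_cost(128, 2 ** 10, 2 ** 15, budget)
        print(f"MAXDEPTH=2^{int(math.log2(budget))}: instances=2^{math.log2(p):.1f} "
              f"depth=2^{math.log2(depth):.1f} gates=2^{math.log2(gates):.1f}")
```

Lowering MAXDEPTH raises the instance count and therefore the total gate count, which is why a fixed depth budget is what makes these trade-offs meaningful.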
Third, we study the double block-length hash functions built from block ciphers against
the quantum attacker who can only make classical queries to hash functions but performs
offline quantum calculations. We mount a 10-round free-start collision attack on Hirose’s
compression function when the underlying block cipher is instantiated with AES-256. We
provide various time-memory trade-offs for our attacks depending on quantum random
access memory availability.
Finally, we investigate the security of the FOX construction based on the Lai-Massey
scheme against quantum attackers who can make superposition queries to the
cryptographic oracle. We show that the 3-round FOX construction is not a pseudorandom
permutation (PRP) against quantum chosen-plaintext attacks. We also show that the 4-round FOX
construction is not a strong pseudorandom permutation against quantum chosen-ciphertext
attacks. In addition, we prove that the 4-round FOX construction is a secure PRP against
quantum chosen-plaintext attacks.