CryptoDB

Paper: Quantum Linearization Attacks

Authors: Xavier Bonnetain , University of Waterloo Gaëtan Leurent , Inria María Naya-Plasencia , Inria André Schrottenloher , Cryptology Group, CWI DOI: 10.1007/978-3-030-92062-3_15 Search ePrint Search Google Slides ASIACRYPT 2021 Recent works have shown that quantum period-finding can be used to break many popular constructions (some block ciphers such as Even-Mansour, multiple MACs and AEs...) in the superposition query model. So far, all the constructions broken exhibited a strong algebraic structure, which enables to craft a periodic function of a single input block. The recovery of the secret period allows to recover a key, distinguish, break the confidentiality or authenticity of these modes. In this paper, we introduce the \emph{quantum linearization attack}, a new way of using Simon's algorithm to target MACs in the superposition query model. Specifically, we use inputs of multiple blocks as an interface to a function hiding a linear structure. The recovery of this structure allows to perform forgeries. We also present some variants of this attack that use other quantum algorithms, which are much less common in quantum symmetric cryptanalysis: Deutsch's, Bernstein-Vazirani's, and Shor's. To the best of our knowledge, this is the first time these algorithms have been used in quantum forgery or key-recovery attacks. Our attack breaks many parallelizable MACs such as {\sf LightMac}, {\sf PMAC}, and numerous variants with (classical) beyond-birthday-bound security ({\sf LightMAC+}, {\sf PMAC+}) or using tweakable block ciphers ({\sf ZMAC}). More generally, it shows that constructing parallelizable quantum-secure PRFs might be a challenging task.
BibTeX
@inproceedings{asiacrypt-2021-31384,
title={Quantum Linearization Attacks},
publisher={Springer-Verlag},
doi={10.1007/978-3-030-92062-3_15},
author={Xavier Bonnetain and Gaëtan Leurent and María Naya-Plasencia and André Schrottenloher},
year=2021
}