Quantum attacks against iterated block ciphers
Marc Kaplan

TL;DR
This paper analyzes how quantum algorithms impact the security of iterated block ciphers, revealing that quantum attacks can diminish the security benefits of multiple iterations more than classical attacks.
Contribution
It introduces a quantum version of the Meet-in-the-middle attack, proves its optimality, and explores how quantum attacks affect security amplification through multiple cipher iterations.
Findings
The quantum Meet-in-the-middle attack is optimal for double iterations.
Quantum attacks have different time-space tradeoffs than classical attacks.
Security resistance decreases with more iterations under quantum attacks.
Abstract
We study the amplification of security against quantum attacks provided by iteration of block ciphers. In the classical case, the Meet-in-the-middle attack is a generic attack against those constructions. This attack reduces the time required to break double iterations to only twice the time it takes to attack a single block cipher, given that the attacker has access to a large amount of memory. More abstractly, it shows that security by composition does not achieve exact multiplicative amplification. We present a quantized version of this attack based on an optimal quantum algorithm for the Element Distinctness problem. We then use the generalized adversary method to prove the optimality of the attack. An interesting corollary is that the time-space tradeoff for quantum attacks is very different from what classical attacks allow. This first result seems to indicate that composition…
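The classical Meet-in-the-middle tradeoff the abstract describes, as an added example that is not taken from the paper. The 16-bit toy cipher, the 12-bit key size, and all names and sample values are assumptions constructed for the demonstration; the quantum version is not shown.

```python
from collections import defaultdict

KEY_BITS = 12    # toy key size (assumption) so the demo finishes quickly
MASK = 0xFFFF    # 16-bit block

def enc(k, x):
    """Toy 4-round 16-bit cipher, constructed for this demo (not a real cipher)."""
    for r in range(4):
        x = (x + k + r) & MASK                 # key addition mod 2^16
        x = ((x << 5) | (x >> 11)) & MASK      # rotate left by 5
        x ^= x >> 7                            # invertible xorshift
    return x

def dec(k, y):
    """Inverse of enc: undo the round steps in reverse order."""
    for r in reversed(range(4)):
        y ^= (y >> 7) ^ (y >> 14)              # invert the xorshift
        y = ((y >> 5) | (y << 11)) & MASK      # rotate right by 5
        y = (y - k - r) & MASK                 # remove the key addition
    return y

def double_encrypt(k1, k2, p):
    return enc(k2, enc(k1, p))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs of double_encrypt."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)                  # middle value -> candidate k1 (the memory cost)
    for k1 in range(1 << KEY_BITS):
        table[enc(k1, p0)].append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(dec(k2, c0), ()):  # same middle value from both sides
            # one pair leaves false matches; the remaining pairs filter them out
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    stats = {"single_cipher_search": 1 << KEY_BITS,
             "mitm_cipher_calls": 2 << KEY_BITS,         # twice a single-cipher search
             "table_entries": sum(len(v) for v in table.values()),
             "key_pairs_exhaustive": 1 << (2 * KEY_BITS)}
    return found, stats

# Constructed sample data: secret keys and three known plaintexts.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x0000, 0x1234, 0xBEEF)]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS))
```

The matching phase costs about 2 x 2^12 cipher calls and a 2^12-entry table, against 2^24 key pairs for exhaustive search over both keys.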
Taxonomy
Topics: Quantum Computing Algorithms and Architecture · Quantum Information and Cryptography · Quantum-Dot Cellular Automata
