Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
Thomas Santoli, Christian Schaffner

TL;DR
This paper demonstrates how Simon's quantum algorithm can be used to identify vulnerabilities in symmetric-key cryptographic primitives, highlighting the need to reassess their security in a quantum context.
Contribution
It introduces novel quantum attacks on classical cryptographic schemes, specifically a quantum distinguisher for Feistel networks and a forgery method for CBC-MAC, emphasizing the importance of post-quantum security analysis.
Findings
Quantum distinguisher for 3-round Feistel network
Forgery attack on CBC-MAC for chosen-prefix messages
Classical security proofs need revision for quantum adversaries
Abstract
We present new connections between quantum information and the field of classical cryptography. In particular, we provide examples where Simon's algorithm can be used to show insecurity of commonly used cryptographic symmetric-key primitives. Specifically, these examples consist of a quantum distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC which forges a tag for a chosen-prefix message querying only other messages (of the same length). We assume that an adversary has quantum-oracle access to the respective classical primitives. Similar results have been achieved recently in independent work by Kaplan et al. Our findings shed new light on the post-quantum security of cryptographic schemes and underline that classical security proofs of cryptographic constructions need to be revisited in light of quantum attackers.
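To make the Feistel result concrete, the following is an added, constructed illustration (not the paper's code, and not a quantum implementation): a toy 16-bit, 3-round Feistel network with pseudorandom round functions, the function f(b, x) whose hidden XOR-period Simon's algorithm recovers, and an exhaustive classical check that the period exists for the Feistel network but not for an unstructured random permutation. The half size, round convention, seed and the constants alpha0, alpha1 are assumptions of this example; with a genuine quantum oracle for f, Simon's algorithm finds the period in a linear number of queries, which is what turns this structural property into an efficient distinguisher.

```python
"""Constructed example: the Simon-periodic structure behind the 3-round Feistel distinguisher.

Not the paper's code. A 16-bit Feistel network with 8-bit halves and random round
functions is built, the function f(b, x) used by the distinguisher is defined, and an
exhaustive classical search confirms the XOR-period Simon's algorithm would recover.
"""
import random

HALF_BITS = 8                  # assumption: 8-bit halves, 16-bit block
HALF_SIZE = 1 << HALF_BITS


def make_round_function(rng):
    """Random lookup table standing in for one keyed round function F_i: 8 bits -> 8 bits."""
    return [rng.randrange(HALF_SIZE) for _ in range(HALF_SIZE)]


def feistel3(rounds, left, right):
    """Three Feistel rounds with the convention (L, R) -> (R, L ^ F_i(R)); returns (L3, R3)."""
    for f in rounds:
        left, right = right, left ^ f[right]
    return left, right


def feistel_simon_function(rounds, alpha0, alpha1):
    """Build f(b, x) = L3 ^ alpha_b for the plaintext (L0, R0) = (x, alpha_b).

    With the round convention above, L3 = alpha_b ^ F2(x ^ F1(alpha_b)), hence
    f(b, x) = F2(x ^ F1(alpha_b)) and f(b, x) == f(b ^ 1, x ^ s') for every x, where
    s' = F1(alpha0) ^ F1(alpha1). That (1, s') is the hidden period Simon's algorithm finds.
    """
    alphas = (alpha0, alpha1)

    def f(b, x):
        l3, _ = feistel3(rounds, x, alphas[b])
        return l3 ^ alphas[b]

    return f


def permutation_simon_function(perm, alpha0, alpha1):
    """The same f, built on an unstructured random 16-bit permutation (what a secure
    block cipher is supposed to look like); no period is expected here."""
    alphas = (alpha0, alpha1)

    def f(b, x):
        word = (x << HALF_BITS) | alphas[b]          # (L0, R0) packed into one 16-bit word
        return (perm[word] >> HALF_BITS) ^ alphas[b]  # left output half, XOR alpha_b

    return f


def xor_periods(f):
    """List every s' with f(0, x) == f(1, x ^ s') for all x (equivalently f(b, x) == f(b^1, x^s')).

    This classical check costs 2^n evaluations; with quantum-oracle access to f, Simon's
    algorithm recovers the same s' using O(n) queries, which is the point of the attack.
    """
    return [s for s in range(HALF_SIZE)
            if all(f(0, x) == f(1, x ^ s) for x in range(HALF_SIZE))]


def run_distinguisher(seed=2024):
    """Return the periods found for the toy Feistel and for a random permutation."""
    rng = random.Random(seed)                       # fixed seed: constructed, reproducible instance
    rounds = [make_round_function(rng) for _ in range(3)]
    alpha0, alpha1 = 0x00, 0xFF                     # assumption: any two distinct constants work

    perm = list(range(1 << (2 * HALF_BITS)))
    rng.shuffle(perm)

    feistel_periods = xor_periods(feistel_simon_function(rounds, alpha0, alpha1))
    random_periods = xor_periods(permutation_simon_function(perm, alpha0, alpha1))
    expected = rounds[0][alpha0] ^ rounds[0][alpha1]  # F1(alpha0) ^ F1(alpha1)
    return {"feistel": feistel_periods, "random": random_periods, "expected": expected}


if __name__ == "__main__":
    r = run_distinguisher()
    print(f"3-round Feistel: periods {r['feistel']}, expected F1(a0)^F1(a1) = {r['expected']}")
    print(f"random permutation: periods {r['random']}")
```

The defender's reading of this output: the Luby-Rackoff proof that three Feistel rounds give a pseudorandom permutation holds only against classical queries; as soon as the adversary can evaluate the cipher in superposition, the XOR-periodic structure of f is an efficiently detectable fingerprint, so the construction's security argument has to be redone in the quantum-query model.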
