Quantum Attacks without Superposition Queries: the Offline Simon's Algorithm
Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, and André Schrottenloher

TL;DR
This paper introduces a novel quantum algorithm that leverages Simon's subroutines with classical queries and offline quantum computations to improve cryptanalysis, notably breaking the Even-Mansour construction with limited quantum resources.
Contribution
The paper presents a new quantum attack method that reduces quantum hardware needs and improves data complexity, expanding the scope of practical quantum cryptanalysis.
Findings
Breaks Even-Mansour in quantum time $\tilde{O}(2^{n/3})$ with $O(2^{n/3})$ classical queries
Reduces data complexity of superposition attacks from exponential to polynomial
Provides cryptanalytic applications for multiple cryptographic constructions
Abstract
In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon's period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon's subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover's algorithm. In particular, we are able to break the…
Taxonomy
Topics: Cryptographic Implementations and Security · Coding theory and cryptography · Chaos-based Image/Signal Encryption
