Quantum Cryptanalysis of Farfalle and (Generalised) Key-Alternating Feistel Networks
S. Hodžić, A. Roy, and E. Andreeva

TL;DR
This paper analyzes the quantum security of Farfalle, a permutation-based construction, revealing vulnerabilities to quantum algorithms like Simon's, and demonstrates how to perform key extraction and forgery attacks on various modes.
Contribution
It introduces new quantum attack techniques on Farfalle and its modes, including key recovery and forgery, using periodic function constructions and Simon's algorithm.
Findings
Quantum attacks can recover the secret key when the internal rolling function is linear.
Forgery attacks are feasible on Farfalle modes under quantum models.
A quantum distinguisher is constructed for Farfalle-WBC.
Abstract
Farfalle is a permutation-based construction for building a pseudorandom function, proposed by G. Bertoni et al. in 2017. In this work, we show that by observing suitable inputs to Farfalle, one can derive various constructions of a periodic function whose period involves a secret key. As this admits the application of Simon's algorithm in the so-called Q2 attack model, we further show that when the internal rolling function is linear, the secret key can be extracted under feasible assumptions. Furthermore, using the provided constructions of periodic functions for Farfalle, we show that one can mount forgery attacks on the session-supporting mode for authenticated encryption (Farfalle-SAE) and the synthetic initial value AE mode (Farfalle-SIV). In addition, as the wide block cipher mode Farfalle-WBC is a 4-round Feistel scheme, a quantum distinguisher…
Taxonomy
Topics: Cryptographic Implementations and Security · Quantum-Dot Cellular Automata · Quantum Computing Algorithms and Architecture
