Paper 2017/427

Grover Meets Simon - Quantumly Attacking the FX-construction

Gregor Leander and Alexander May


Using whitening keys is a well understood mean of increasing the key-length of any given cipher. Especially as it is known ever since Grover’s seminal work that the effective key-length is reduced by a factor of two when considering quantum adversaries, it seems tempting to use this simple and elegant way of extending the key-length of a given cipher to increase the resistance against quantum adversaries. However, as we show in this work, using whitening keys does not increase the security in the quantum-CPA setting significantly. For this we present a quantum algorithm that breaks the construction with whitening keys in essentially the same time complexity as Grover’s original algorithm breaks the underlying block cipher. Technically this result is based on the combination of the quantum algorithms of Grover and Simon for the first time in the cryptographic setting.

Available format(s)
Publication info
Published by the IACR in ASIACRYPT 2017
symmetric cryptographyquantum attacksGrover’s algorithmSimon’s algorithmFX-construction
Contact author(s)
alex may @ rub de
2017-09-08: last of 2 revisions
2017-05-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Gregor Leander and Alexander May},
      title = {Grover Meets Simon - Quantumly Attacking the FX-construction},
      howpublished = {Cryptology ePrint Archive, Paper 2017/427},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.