Cryptology ePrint Archive: Report 2018/432

Hidden Shift Quantum Cryptanalysis and Implications

Xavier Bonnetain and María Naya-Plasencia

Abstract: At Eurocrypt 2017 a tweak to counter Simon’s quantum attack was proposed: replace the common bitwise addition, with other operations, as a modular addition. The starting point of our paper is afollow up of these previous results:

First, we have developped new algorithms that improve and generalize Kuperberg’s algorithm for the hidden shift problem, which is the algorithm that applies instead of Simon when considering modular additions.

Thanks to our improved algorithm, we have been able to build a quantum attack in the superposition model on Poly1305, proposed at FSE 2005,largely used and claimed to be quantumly secure. We also answer an open problem by analyzing the effect of the tweak to the FX construction.

We have also generalized the algorithm. We propose for the first time a quantum algorithm for solving the problem with parallel modular additions, with a complexity that matches both Simon and Kuperberg in its extremes. We also propose a generic algorithm to solve the hidden shift problem in non-abelian groups.

In order to verify the theoretical analysis we performed, and to get concrete estimates of the cost of the algorithms, we have simulated them, and were able to validate our estimated complexities.

Finally, we analyze the security of some classical symmetric constructions with concrete parameters, to evaluate the impact and practicality of the proposed tweak, concluding that it does not seem to be efficient.

Category / Keywords: secret-key cryptography / quantum cryptanalysis, hidden shift problem, Simon-meets- Kuperberg, Poly1305, symmetric cryptography, modular additions

Date: received 9 May 2018, last revised 28 May 2018

Contact author: xavier bonnetain at inria fr

Available format(s): PDF | BibTeX Citation

Note: Added Acknowledgements.

Version: 20180528:122650 (All versions of this report)

Short URL: ia.cr/2018/432


[ Cryptology ePrint archive ]