Paper 2021/1561

Quantum Time/Memory/Data Tradeoff Attacks

Abstract

One of the most celebrated and useful cryptanalytic algorithms is Hellman's time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions on $N$ possible values with time and space complexities satisfying $T{M}^2=N^2$. As a search problem, one can always transform it into the quantum setting by using Grover's algorithm, but this algorithm does not benefit from the possible availability of auxiliary advice obtained during a free preprocessing stage. However, at FOCS'20 it was rigorously shown that a small amount of quantum auxiliary advice (which can be stored in a quantum memory of size $$) cannot possibly yield an attack which is better than Grover's algorithm. In this paper we develop new quantum versions of Hellman's cryptanalytic attack which use large memories in the standard QACM (Quantum Accessible Classical Memory) model of computation. In particular, we improve Hellman's tradeoff curve to $$. When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert $$ for at least one of $$ given values), we get the generalized curve $$. A typical point on this curve is $$, $$, and $$, whose time is strictly lower than both Grover's algorithm and the classical Hellman algorithm (both of which require $$ for these $$ and $$ parameters).