Quantum Related-Key Attack Based on Simon’s Algorithm and Its Applications

Abstract

With the development of quantum technology, quantum computing has an increasingly significant impact on cryptanalysis. Several quantum algorithms, such as Simon’s algorithm, Grover’s algorithm, the Bernstein–Vazirani algorithm, Shor’s algorithm, and the Grover-meets-Simon algorithm, have been proposed successively. However, almost all cryptanalysis is based on the quantum chosen-plaintext attack (qCPA) model. This paper focuses on a powerful cryptanalytic model, quantum related-key attack (qRKA), and proposes a strategy of qRKAs against symmetric ciphers using Simon’s algorithm. We construct a periodic function to efficiently recover the secret key of symmetric ciphers if the attacked symmetric ciphers satisfy Simon’s promise, and present the complexity analysis on specific symmetric ciphers. Then, we apply qRKA to the Even–Mansour cipher and SoEM construction, recover their secret keys, and show their complexity comparison in the distinct attack models. This work is of great significance for the qRKA cryptanalysis of existing provably secure cryptographic schemes and the design of future quantum secure cryptographic schemes.

1. Introduction

In recent years, countries all over the world have been vigorously promoting the research and development of quantum computing and quantum computers. This has brought great security threats to existing cryptosystems. Compared with classical computing (classical computers), quantum computing (quantum computers) has shown great advantages in solving the large integer factorization problem, the discrete logarithm problem, the key brute force search problem and other problems. For example, Shor’s algorithm can break RSA and ECC ciphers in polynomial time [1]. In order to resist the security threats brought by quantum computing and quantum computers, countries around the world are accelerating the research, development, and standardization of post-quantum cryptography. Currently, the standardization of post-quantum cryptography carried out by National Institute of Standards and Technology (NIST) has entered the fourth round. Therefore, the quantum cryptanalysis of existing cryptographic schemes becomes increasingly important.

Quantum algorithms are important tools for achieving quantum cryptanalysis of cryptographic schemes. There exist many quantum algorithms in symmetric-key ciphers, such as Grover’s algorithm [2], Simon’s algorithm [3], Bernstein–Vazirani (BV) algorithm [4], HHL algorithm [5], and their generalization and hybrid algorithms [6,7]. Grover’s algorithm is a widely used quantum search algorithm which provides a quadratic speed-up for searching the secret key from a key space [2,8,9]. This threatens the security of symmetric cryptography. For example, in 2021, Bathe et al. presented key-recovery attacks against ChaCha by Grover’s search algorithm [10]. Simon’s algorithm is a period finding algorithm in polynomial time and has been widely used in cryptanalysis of symmetric ciphers [6,11,12,13,14,15,16,17,18,19,20,21,22,23]. For example, Kuwakado and Morii used Simon’s algorithm to distinguish a three-round Feistel structure with a random permutation in 2010 [19], and then recovered the key of the Even–Mansour cipher in 2012 [24]. In 2020, Dong et al. presented quantum analyses on Feistel structure and generalized Feistel structure based on Simon’s algorithm [14,25]. In 2021, Cui et al. used Simon’s algorithm to launch quantum attacks on Feistel variant schemes [13]. In 2022, Mao et al. used Simon’s algorithm to launch quantum attacks on Lai–Massey structure [26]. The Bernstein–Vazirani algorithm can be used to find the linear structures of a Boolean function, which enables quantum attacks against block ciphers. Xie and Yang proposed new quantum distinguishers for the three-round Feistel scheme, recovered a partial key of the Even–Mansour construction, and found high-probability differentials by the Bernstein–Vazirani algorithm [4]. The Bernstein–Vazirani algorithm can be utilized to find the period of the function [27]. Therefore, it also has the capability of Simon’s algorithm. The HHL algorithm can be used to solve linear systems of equations quickly and achieve exponential acceleration [28]. Liu and Gao utilized the HHL algorithm to analysis quantum security of Grain-128/Grain-128a stream cipher [5]. For some constructions, such as FX and SoEM22, a single quantum algorithm does not work. Leander and May proposed a Grover-meets-Simon algorithm and presented a quantum key-recovery attack on FX construction [29]. Grover-meets-Simon algorithm was later used in SoEM22 [6] and 5-round Feistel structure [15]. Recently, Guo et al. introduced three general frameworks—F1, F2, and F3—for n-to-n-bit pseudorandom functions (PRFs) based on public random permutations, and showed that F1 is not secure with $O(n)$ quantum queries by Simon’s algorithm while its PRFs achieve $n/2$-bit security in the classical setting, and F2 and F3 are not secure with $O(n·2^{n/2})$ quantum queries by Grover-meets-Simon algorithm while their PRFs, such as SoEM22, PDMMAC, and pEDM, achieve $2n/3$-bit security in the classical setting [30]. Nan et al. presented quantum key recovery attack against pEDM and pPMAC-plus by the Grover-meets-Simon algorithm [31]. The Grover-meets-BV algorithm proposed by Zhou and Yuan combined the Bernstein–Vazirani algorithm and Grover’s algorithm to achieve quantum key-recovery attacks on 5 or more rounds Feistel structures [7]. Variational quantum algorithms (VQAs) use a classical optimizer to train a parameterized quantum circuit. Wang et al. used VQA to study the security of symmetric encryption algorithm S-DES under VQA attacks and obtained the encrypted key.

However, all of the attacks described above are based on the quantum chosen-plaintext attack (qCPA) model. If we give an adversary more ability than qCPA, can we utilize Simon’s algorithm to recover the secret key of cryptographic schemes? Further, can we recover the secret key of cryptographic schemes that provide enough security under the qCPA model by Simon’s algorithm?

Our contributions. This paper focuses on the quantum related-key attack (qRKA) model and presents positive responses for the above problems. The qRKA model was first introduced by Roetteler and Steinwandt [32] and had already made some progress in quantum cryptanalysis [33,34]. In this paper, based on Simon’s algorithm, we propose a strategy of quantum key recovery attacks against symmetric ciphers under the qRKA model. We first construct a periodic function based on the attacked symmetric cipher and then apply Simon’s algorithm to recover the secret key. The complexity of the attack is polynomial in terms of the key bits and the complexity comparison on specific symmetric ciphers is presented. Finally, we apply qRKA to two instances of symmetric ciphers: the Even–Mansour cipher and the SoEM construction (including all variants of SoEM: SoEM1, SoEM21, and SoEM22), present their key recovery attacks under the qRKA model, and show their complexity comparison under the distinct attack models. SoEM22 enjoys enough security against $O(n·2^{n/2})$ quantum queries under the qCPA model, but its secret key can be recovered in $O(n)$ quantum queries under the qRKA model, which is the greatest significance of our work.

Related works. The classical RKA is a powerful attack model, which gives the adversary more ability than the classical CPA. In classical RKA, the adversary can query encryption and decryption oracles under different keys derived from the target key by a known mathematical relationship. The bit-flip is a common mathematical relationship. The qRKA is a more powerful attack model than RKA, which gives the adversary to query the encryption and decryption oracles with a quantum superposition. Roetteler and Steinwandt first recovered the key of block ciphers under the qRKA model [32]. In 2017, Hosoyamada and Aoki introduced qRKA and proposed a quantum algorithm that recovers the key of the two-round iterated Even–Mansour cipher [33]. In 2020, Xie and Yang focused on the qRKA based on the BV algorithm, described a strategy for attacking general block ciphers using the BV algorithm, and applied it to the Even–Mansour cipher [34]. Later, Malviya et al. concluded several latest quantum cryptanalysis techniques including qRKA for attacking symmetric cryptography [21]. In 2023, Sun et al. introduced an improved BV-based algorithm to realize a quadratic speedup and presented qRKAs on iterated Even–Mansour ciphers and i-round Feistel ciphers with independent round keys [35].

Organizations of this paper. The preliminaries are presented in Section 2. The strategy of qRKAs against block ciphers is shown in Section 3. In Section 4, we describe two applications under the qRKA model. Section 5 presents the conclusions.

2. Preliminaries

2.1. Notations

Let ⊕ denote the XOR operation. Let $E:{\{0,1\}}^k\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a block cipher with block size n and key size k. Given a key $K\in {\{0,1\}}^k$, $E_K$ is a permutation from ${\{0,1\}}^n$ to ${\{0,1\}}^n$ and $D_K=E_K^{-1}$. We assume that there exists a polynomial-time quantum circuit to efficiently implement E. Define the following unitary operator $U_E$:

$$\begin{array}{c}\hfill U_E:{\displaystyle \sum _{m,x,y}}|x\rangle |m\rangle |y\rangle \to {\displaystyle \sum _{m,x,y}}|x\rangle |m\rangle |y\oplus E_x(m)\rangle \end{array}$$

(1)

Equation (1) shows that the quantum circuit of $U_E$ does not include the key K. Therefore, it can be queried by anyone, including malicious adversaries. The malicious adversary can integrate $U_E$ into its circuits.

Let ${|E|}_Q$ be the number of universal gates (including Hadamard gate H, controlled-NOT gate $CNOT$, phase gate $Phase$, etc.) in the quantum circuit implementing E, that is, ${|E|}_Q$ is a polynomial of parameter n [34].

2.2. Quantum Related-Key Attack Model [32,34]

The so-called related-key attack is that the adversary does not know the key K, but knows that the key K satisfies a mathematical relationship $\Phi (K)$. To adapt Simon’s algorithm to achieve exponential acceleration, here, we restrict the relationship $\Phi (K)$ as bit-flips, i.e., $\Phi (K)=K\oplus x$, where x is a bitmask.

In the classical related-key attack model, with a fixed secret key K, the adversary can query encryption and decryption oracles:

• $\mathcal{E}$: It takes a plaintext $m\in {\{0,1\}}^n$ and a bitmask $x\in {\{0,1\}}^k$ as input, and outputs $E_{K\oplus x}(m)$.
• $\mathcal{D}$: It takes a ciphertext $c\in {\{0,1\}}^n$ and a bitmask $x\in {\{0,1\}}^k$ as input and outputs $D_{K\oplus x}(c)$.

After querying these oracles, the adversary obtains a guess key $K^{\prime }$. If $K^{\prime }=K$, the adversary succeeds in obtaining the correct key.

In the quantum related-key attack model, wirh a fixed secret key K, the adversary is allowed to query the quantum encryption oracle $O_{\mathcal{E}}$ and the quantum decryption oracle $O_{\mathcal{D}}$ with superpositions of keys, i.e.,

$$\begin{array}{cc}\hfill & O_{\mathcal{E}}:{\displaystyle \sum _{m,x,y}}|x\rangle |m\rangle |y\rangle \to {\displaystyle \sum _{m,x,y}}|x\rangle |m\rangle |y\oplus E_{K\oplus x}(m)\rangle \hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill & O_{\mathcal{D}}:{\displaystyle \sum _{c,x,y}}|x\rangle |c\rangle |y\rangle \to {\displaystyle \sum _{c,x,y}}|x\rangle |c\rangle |y\oplus D_{K\oplus x}(c)\rangle .\hfill \end{array}$$

(3)

In particular, if the adversary is just allowed to query the quantum encryption oracle $O_{\mathcal{E}}$ with the superposition state ${\sum }_{m,y}|0^k\rangle |m\rangle |y\rangle$ and discard the first register, then $O_{\mathcal{E}}$ will correspond to cryptographic primitive $O_{E_K}$, i.e.,    

$$\begin{array}{c}\hfill O_{E_K}:{\displaystyle \sum _{m,y}}|m\rangle |y\rangle \to {\displaystyle \sum _{m,y}}|m\rangle |y\oplus E_K(m)\rangle .\end{array}$$

(4)

Furthermore, if the adversary is also allowed to query the quantum decryption oracle $O_{\mathcal{D}}$ with the superposition state ${\sum }_{m,y}|0^k\rangle |c\rangle |y\rangle$ and discard the first register, then $O_{\mathcal{D}}$ will correspond to the cryptographic inverse primitive $O_{D_K}$, i.e.,

$$\begin{array}{c}\hfill O_{D_K}:{\displaystyle \sum _{c,y}}|c\rangle |y\rangle \to {\displaystyle \sum _{c,y}}|c\rangle |y\oplus D_K(c)\rangle .\end{array}$$

(5)

Therefore, the quantum related-key attack model can be seen as an extension of the quantum chosen-plaintext and chosen-ciphertext attack models.

As quantum attacks in this paper do not involve quantum decryption oracle $O_{\mathcal{D}}$ queries, the quantum related-key attack model we consider is just in the quantum encryption oracle $O_{\mathcal{E}}$. The adversary can integrate the quantum encryption oracle $O_{\mathcal{E}}$ into its circuits.

2.3. Simon’s Algorithm [3,18,21,33]

Simon’s algorithm is a quantum algorithm that efficiently solves the period finding problem of a function in polynomial times.

Definition 1

(Period finding problem). Given a Boolean function $f:{\{0,1\}}^k\to {\{0,1\}}^n$, assume that there exists some non-zero $s\in {\{0,1\}}^k\setminus \{0^k\}$ such that $f(x\oplus s)=f(x)$ holds for any $x\in {\{0,1\}}^k$. The goal is to find s.

Simon’s algorithm finds s with high probability by performing polynomial quantum queries ($O(k)$) and quantum bit memory ($O(k)$). The details of Simon’s algorithm are shown in Algorithm 1.

Algorithm 1 Simon’s Algorithm.

1: Initialize $2k$ qubits state $|0^k\rangle |0^k\rangle$. 2: Apply Hadamard transform $H^{\otimes k}$ to the first k qubits to obtain quantum superposition ${\displaystyle \frac{1}{\sqrt{2^k}}}{\sum }_{x\in {\{0,1\}}^k}|x\rangle |0^n\rangle$. 3: A quantum query to the function f maps this to the state ${\displaystyle \frac{1}{\sqrt{2^k}}}{\sum }_{x\in {\{0,1\}}^k}|x\rangle |f(x)\rangle$. 4: Measuring the second register in the computational basis yields a value $f(z)$ and collapses the first register to the state: ${\displaystyle \frac{1}{\sqrt{2}}}(|z\rangle +|z\oplus s\rangle )$. 5: Applying again the Hadamard transform $H^{\otimes k}$ to the first register gives: ${\displaystyle \frac{1}{\sqrt{2}}}{\displaystyle \frac{1}{\sqrt{2^k}}}{\sum }_{y\in {\{0,1\}}^k}{|(-1)}^{y·z}(1+{(-1)}^{y·s})\rangle |y\rangle$. 6: The vectors y such that $y·s=1$ have amplitude 0. Therefore, measuring the state in the computational basis yields a random vector y such that $y·s=0$. 7: By repeating the above steps $O(k)$ times, one obtains $k-1$ independent vectors orthogonal to s with high probability, and s can be recovered using basic linear algebra.

To resolve unwanted collisions, Kaplan et al. introduced the following index [18]:

$$\begin{array}{c}\hfill ϵ(f,s)={\displaystyle \underset{t\in {\{0,1\}}^k\setminus \{0,s\}}{max}}P{r}_x[f(x)=f(x\oplus t)].\end{array}$$

(6)

It represents the maximum probability of unwanted additional collisions.

Proposition 1

(Simon [3], Kaplan et al. [18], Guo et al. [16]). Let $p_0$ and c be positive integers. If $ϵ(f,s)\le p_0<1$, then Simon’s algorithm finds s with $ck$ queries, with probability of at least $1-{(2{(\frac{1+p_0}{2})}^c)}^k$.

Later, Hosoyamada and Aoki further considered the period finding problem of a function with constant addition [33].

Definition 2

(Period finding problem with constant addition). Given a Boolean function $f:{\{0,1\}}^k\to {\{0,1\}}^n$, assume that there exists some non-zero $s\in {\{0,1\}}^k\setminus \{0^k\}$ and $r\in {\{0,1\}}^n$ such that $f(x\oplus s)=f(x)\oplus r$ for any $x\in {\{0,1\}}^k$. The goal is to find s and r.

Hosoyamada and Aoki considered the difference of f [33]:

$$\begin{array}{c}\hfill ({\Delta }_{u}f)(x)=f(x)\oplus f(x\oplus u).\end{array}$$

(7)

Take $u\in {\{0,1\}}^k$ arbitrarily, for $\forall x\in {\{0,1\}}^k$, there exist $w\in {\{0,1\}}^k$ such that

$$\begin{array}{c}\hfill ({\Delta }_{u}f)(x\oplus w)=({\Delta }_{u}f)(x).\end{array}$$

(8)

Then, $({\Delta }_{u}f)(x)$ is a double-period function with a double period $w=\{s,u\}$. After performing Simon’s algorithm, they finds s with high probability. Then, $r=f(x\oplus s)\oplus f(x)$ is also recovered.

Proposition 2

(Hosoyamada and Aoki [33]). Let $p_0$ and c be positive integers. If $ϵ({\Delta }_{u}f,w)\le p_0<1$, then, after performing Simon’s algorithm, $(s,r)$ can be found by $ck$ queries, with probability of at least $1-{(2{(\frac{1+p_0}{2})}^c)}^k$.

3. Strategy of Quantum Related-Key Attacks

3.1. Description of Quantum Related-Key Attacks

The strategy of quantum attacks against symmetric ciphers using Simon’s algorithm usually consists of two steps:

• Construct a periodic function F with/without constant addition based on the cipher E so that F meets (1) the adversary has quantum oracle access to F; (2) the period of F with/without constant addition includes the information of the secret key or even the secret key itself;
• Apply Simon’s algorithm to F or the differential of F, obtain the period of F with/without constant addition, and then recover the secret key.

The traditional quantum attacks against symmetric ciphers are achieved by constructing a periodic function with/without constant addition that takes plaintexts or tweaks as input and the secret key or its partial information as period. In other words, they are based on the quantum chosen-plaintext attack model (qCPA). However, it is a little different under the quantum related-key attack model (qRKA). We construct a periodic function with/without constant addition that takes a bit-mask of the key as input and the secret key or its partial information as period.

Let $E:{\{0,1\}}^k\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a symmetric cipher, $K\in {\{0,1\}}^k$ be the secret key, and $m\in {\{0,1\}}^n$ be an arbitrary plaintext, then, for any $x\in {\{0,1\}}^k$, we construct a function

$$\begin{array}{c}\hfill F_K^m(x)=E_x(m)\oplus E_{x\oplus K}(m).\end{array}$$

(9)

We find that: (1) For any $x\in {\{0,1\}}^k$, $F_K^m(x)$ is a periodic function with period K, i.e.,

$$\begin{array}{c}\hfill F_K^m(x\oplus K)=F_K^m(x).\end{array}$$

(10)

(2) The adversary has quantum oracle access to $F_K^m$, which can be obtained by first querying $Q_{\mathcal{E}}:|x,m,y\rangle \to |x,m,y\oplus E_{K\oplus x}(m)\rangle$ and then computing $U_E:|x,m,y\rangle \to |x,m,y\oplus E_x(m)\rangle$.

Therefore, according to Proposition 1, under the condition $ϵ(F_K^m,K)\le p_0<1$, the secret key K is recovered. Similarly, we can also construct a periodic function with constant addition and recover the secret key using Proposition 2.

3.2. Simon’s Promise

To use Simon’s algorithm, we need to verify the Simon’s promise $ϵ(F_K^m,K)\le p_0<1$. Simon presented a simple distinguishing attack if this Simon’s promise is not satisfied [18]. For a specific symmetric cipher, we can verify whether it meets the Simon’s promise. Bounding $p_0$ usually utilize the Hoeffding inequality. Here, we present a simple analysis if the Simon’s promise is not satisfied.

$$\begin{array}{cc}\hfill & ϵ(F_K^m,K)={\displaystyle \underset{t\in {\{0,1\}}^k\setminus \{0,K\}}{max}}P{r}_x[F_K^m(x)=F_K^m(x\oplus t)]\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill =& {\displaystyle \underset{t\in {\{0,1\}}^k\setminus \{0,K\}}{max}}P{r}_x[E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)=0].\hfill \end{array}$$

(12)

According to Equation (12), as $t\in {\{0,1\}}^k\setminus \{0,K\}$, therefore x, $x\oplus t$, $x\oplus K$, and $x\oplus t\oplus K$ are always four distinct keys. After going through all possible values of x, the exclusive value of the ciphertexts of m under these four distinct keys is 0 with a probability close to 1, which should not exist for a well-constructed symmetric cipher. If Simon’s promise is not satisfied, we can construct a polynomial-time distinguisher of the symmetric cipher.

For any constant $\epsilon (\epsilon \ll 1)$, there exists $t\in {\{0,1\}}^k\setminus \{0,K\}$ such that

$$\begin{array}{c}\hfill P{r}_x[E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)=0]\ge 1-\epsilon ,\end{array}$$

(13)

i.e.,

$$\begin{array}{c}\hfill {\displaystyle \frac{\mid \{x\in {\{0,1\}}^k\mid E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)=0\}\mid }{2^k}}\ge 1-\epsilon .\end{array}$$

(14)

Similar to [34], according to Equation (14), we choose a constant $\epsilon (\epsilon \ll 1)$ and then show a simple distinguish attack against the symmetric cipher E as follows:

• Randomly choose $x_1,x_2,\cdots ,x_p$ from ${\{0,1\}}^k$, where $p=O(k)$. Then, using the quantum circuit of $U_E$, we compute $E_{x_1}(m),\cdots ,E_{x_p}(m)$, $E_{x_1\oplus t}(m),\cdots ,E_{x_p\oplus t}(m)$;
• Query $E_{x_1\oplus K}(m),\cdots ,E_{x_p\oplus K}(m)$, $E_{x_1\oplus t\oplus K}(m),\cdots ,E_{x_p\oplus t\oplus K}(m)$ using the quantum encryption circuit of $O_{\mathcal{E}}$. Then, using the quantum encryption circuits of $U_E$ and $O_{\mathcal{E}}$, we compute $Z_i=E_{x_i}(m)\oplus E_{x_i\oplus K}(m)\oplus E_{x_i\oplus t}(m)\oplus E_{x_i\oplus t\oplus K}(m)$ for $i=1,\cdots ,p$. From Equation (14), the probability that $Z_i=0$ is greater than $1-\epsilon$;
• According to the Hoeffding inequality, except for a negligible probability, the probability of random variable $Z=E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)$ whose value is equal to 0 in the set $\{Z_i\mid i=1,\cdots ,p\}$ is greater than $1-2\epsilon$.

While, for a random permutation, the probability that $Z=0$ in the set $\{Z_i\mid i=1,\cdots ,p\}$ is greater than $1-2\epsilon$ is negligible. Therefore, the above attack can distinguish the symmetric cipher from a random permutation.

3.3. Complexity Analysis

Under the qRKA model, the quantum gate of $F_K^m(x)$ runs Simon’s algorithm once to execute $2k$ Hadamard gates, one unitary operator $U_E$, and one quantum encryption oracle $O_{\mathcal{E}}$. Thus, $F_K^m(x)$ needs $2k$ qubits, $(2k+|E{|}_Q)O(k)$ universal gates, and $O(k)$ quantum queries. To visually demonstrate the advantages of exponential acceleration of our strategy, the comparison of previous attacks and our attacks on specific symmetric ciphers is shown in

Table 1. Complexity comparison on specific symmetric ciphers.

Scheme	Classical Attack	Bernstein–Vazirani Algorithm	Simon’s Algorithm
AES-128	$2^{126}$ [36]	${128}^2$ [34]	128
DES	$2^{39}$–$2^{41}$ [37]	${64}^2$ [34]	56
PRESENT-80	$2^{79.34}$ [38]	${64}^2$ [34]	80
SIMON 128/256	$2^{248}$ [39]	${128}^2$ [34]	256

. Table 1 shows that qRKA based on Simon’s algorithm is the best.

4. Applications

In this section, we present two applications and prove that the secret keys of the Even–Mansour cipher and SoEM construction can be efficiently extracted under the quantum related-key attack model.

4.1. Application to the Even–Mansour Cipher

Let $K=(K_1,K_2)$ be a tuple of two n-bit keys. Let P be a public n-bit random permutation. Given a plaintext m, the Even–Mansour cipher is defined as

$$\begin{array}{c}\hfill E_K(m)=P(m\oplus K_1)\oplus K_2.\end{array}$$

(15)

Theorem 1.

There exists a quantum related-key attack against the Even–Mansour cipher that recovers the secret keys $K_1$ and $K_2$ with $O(n)$ qubits and $O(n)$ quantum queries.

Proof. 

For an arbitrary plaintext $m\in {\{0,1\}}^n$, let $x=(x_1,x_2)\in {\{0,1\}}^{2n}$, we construct a function

$$\begin{array}{cc}\hfill F_K^m(x)=& E_x(m)\oplus E_{x\oplus K}(m)\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill =& P(m\oplus x_1)\oplus P(m\oplus x_1\oplus K_1)\oplus K_2.\hfill \end{array}$$

(17)

As $F_K^m(x)$ is a function independent of $x_2$, then, for any $x\in {\{0,1\}}^{2n}$, one has

$$\begin{array}{c}\hfill F_K^m(x\oplus K)=F_K^m(x)⟺F_K^m(x_1\oplus K_1,*)=F_K^m(x_1,*).\end{array}$$

(18)

Therefore, $F_K^m(x)$ is a periodic function with period K (or, more precisely, $K_1$).

Next, we need to verify the condition $ϵ(F_K^m;K)\le p_0<1$ for some constant $p_0$. For $t=(t_1,t_2)\in {\{0,1\}}^k\setminus \{0,K\}$ and any $m\in {\{0,1\}}^n$, we consider the following probability:

$$\begin{array}{cc}\hfill & P{r}_x[F_K^m(x)=F_K^m(x\oplus t)]\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill =& P{r}_x[E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)=0]\hfill \\ \hfill =& P{r}_{x_1}[P(m\oplus x_1)\oplus P(m\oplus x_1\oplus K_1)\oplus P(m\oplus x_1\oplus t_1)\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill & \oplus P(m\oplus x_1\oplus K_1\oplus t_1)=0]\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill \stackrel{m=0}{=}& P{r}_{x_1}[P(x_1)\oplus P(x_1\oplus K_1)\oplus P(x_1\oplus t_1)\oplus P(x_1\oplus K_1\oplus t_1)=0]\hfill \end{array}$$

(22)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{\mid \{x_1\mid P(x_1)\oplus P(x_1\oplus K_1)\oplus P(x_1\oplus t_1)\oplus P(x_1\oplus K_1\oplus t_1)=0\}\mid }{2^n}}\hfill \end{array}$$

(23)

$$\begin{array}{cc}\hfill \le & {\displaystyle \frac{5}{6}},\hfill \end{array}$$

(24)

where the last inequality comes from the works of Xie and Yang [34].

Therefore, the condition $ϵ(F_K^m;K)\le {\displaystyle \frac{5}{6}}<1$ is satisfied. According to Proposition 1, we can find $K_1$ with overwhelming probability by Simon’s algorithm and then compute $K_2=F_K^m(x)\oplus P(m\oplus x_1)\oplus P(m\oplus x_1\oplus K_1)$. □

To summarize, the Even–Mansour cipher enjoys $n/2$-bit security in the classical setting [40], however, its secret keys can be recovered by $O(n)$ quantum queries in the quantum setting (the qCPA and qRKA models).

4.2. Application to SoEM

Let $K=(K_1,K_2)$ be a tuple of two n-bit keys. Let $P_1$ and $P_2$ be two public n-bit random permutations. Given a plaintext m, SoEM is defined as

$$\begin{array}{c}\hfill E_K(m)=P_1(m\oplus K_1)\oplus K_1\oplus P_2(m\oplus K_2)\oplus K_2.\end{array}$$

(25)

Theorem 2.

There exists a quantum related-key attack against SoEM that recovers the secret keys $K_1$ and $K_2$ with $O(n)$ qubits and $O(n)$ quantum queries.

Proof. 

For an arbitrary plaintext $m\in {\{0,1\}}^n$, let $x=(x_1,x_2)\in {\{0,1\}}^{2n}$, we construct a function

$$\begin{array}{cc}\hfill F_K^m(x)=& E_x(m)\oplus E_{x\oplus K}(m)\hfill \\ \hfill =& P_1(m\oplus x_1)\oplus P_2(m\oplus x_2)\oplus P_1(m\oplus x_1\oplus K_1)\oplus P_2(m\oplus x_2\oplus K_2)\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill & \oplus K_1\oplus K_2.\hfill \end{array}$$

(27)

Then, for any $x\in {\{0,1\}}^{2n}$, it holds that

$$\begin{array}{c}\hfill F_K^m(x\oplus K)=F_K^m(x).\end{array}$$

(28)

Therefore, $F_K^m(x)$ is a periodic function with period $K=(K_1,K_2)$.

Next, we need to verify the condition $ϵ(F_K^m;K)\le p_0<1$ for some constant $p_0$. For $t=(t_1,t_2)\in {\{0,1\}}^{2n}\setminus \{0,K\}$ and any $m\in {\{0,1\}}^n$, we consider the following probability:

$$\begin{array}{cc}\hfill & P{r}_x[F_K^m(x)=F_K^m(x\oplus t)]\hfill \end{array}$$

(29)

$$\begin{array}{cc}\hfill =& P{r}_x[E_x(m)\oplus E_{x\oplus K}(m)\oplus E_{x\oplus t}(m)\oplus E_{x\oplus t\oplus K}(m)=0]\hfill \\ \hfill =& P{r}_x[P_1(m\oplus x_1)\oplus P_1(m\oplus x_1\oplus K_1)\oplus P_1(m\oplus x_1\oplus t_1)\hfill \\ \hfill & \oplus P_1(m\oplus x_1\oplus K_1\oplus t_1)=P_2(m\oplus x_2)\oplus P_2(m\oplus x_2\oplus K_2)\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill & \oplus P_2(m\oplus x_2\oplus t_2)\oplus P_2(m\oplus x_2\oplus K_2\oplus t_2)]\hfill \\ \hfill \stackrel{m=0}{=}& P{r}_x[P_1(x_1)\oplus P_1(x_1\oplus K_1)\oplus P_1(x_1\oplus t_1)\oplus P_1(x_1\oplus K_1\oplus t_1)\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill & =P_2(x_2)\oplus P_2(x_2\oplus K_2)\oplus P_2(x_2\oplus t_2)\oplus P_2(x_2\oplus K_2\oplus t_2)]\hfill \\ \hfill =& {\displaystyle \sum _{a\in {\{0,1\}}^n}}P{r}_{x_1}[P_1(x_1)\oplus P_1(x_1\oplus K_1)\oplus P_1(x_1\oplus t_1)\oplus P_1(x_1\oplus K_1\oplus t_1)=a]\hfill \end{array}$$

(32)

$$\begin{array}{cc}\hfill & ·P{r}_{x_2}[P_2(x_2)\oplus P_2(x_2\oplus K_2)\oplus P_2(x_2\oplus t_2)\oplus P_2(x_2\oplus K_2\oplus t_2)=a]\hfill \end{array}$$

(33)

$$\begin{array}{cc}\hfill \le & {\displaystyle \frac{5}{6}}\times {\displaystyle \frac{5}{6}}+{\displaystyle \frac{1}{6}}\times {\displaystyle \frac{1}{6}}={\displaystyle \frac{13}{18}},\hfill \end{array}$$

(34)

where the penultimate equation comes from the fact that $P_1$ and $P_2$ are two random and independent permutations, and the last inequality is bounded by the extreme cases that a is equal to 0 and a is not equal to 0.

Therefore, the condition $ϵ(F_K^m;K)\le {\displaystyle \frac{13}{18}}<1$ is satisfied. According to Proposition 1, we can find $K=(K_1,K_2)$ with overwhelming probability by Simon’s algorithm, performing polynomial quantum queries and quantum bit memory. □

Note: this attack can be applied to all variants of SoEM, including SoEM1, SoEM21, and SoEM22. SoEM22 enjoys $2n/3$-bit security in the classical setting [41]. However, the keys of SoEM22 can be recovered with $O(n·2^{\frac{n}{2}})$ quantum queries by the Grover-meets-Simon algorithm under the qCPA model [6]. Theorem 2 shows that we can recover the keys of SoEM with $O(n)$ quantum queries and quantum bit memory under the qRKA model. The complexity comparison of the Even–Mansour cipher (EM for short), SoEM1, SoEM21, and SoEM22 in the different attack models is concluded in

Table 2. Complexity comparison of the Even–Mansour cipher (EM for short), SoEM1, SoEM21, and SoEM22 in the classical setting (classical CPA and RKA models) and quantum setting (qCPA and qRKA models).

Scheme	Classical Setting		Quantum Setting
	CPA	RKA	qCPA	qRKA
EM	$O(2^{n/2})$ [40]	$O(2^{n/2})$ [42]	$O(n)$ [18]	$O(n)$
SoEM1	$O(2^{n/2})$ [41]	-	$O(n)$ [6]	$O(n)$
SoEM21	$O(2^{n/2})$ [41]	-	$O(n)$ [6]	$O(n)$
SoEM22	$O(2^{2n/3})$ [41]	-	$O(n·2^{n/2})$ [6]	$O(n)$

.

Table 2 shows that: (1) In the quantum setting, the adversary has stronger attack capabilities and can break these cryptographic schemes in polynomial time, compared with the classical setting; (2) Cryptographic schemes that can be broken in polynomial time under the qCPA model can also be broken in polynomial time under the qRKA model, such as EM, SoEM1, and SoEM21; (3) Cryptographic schemes that cannot be broken in polynomial time under the qCPA model may be broken in polynomial time under the qRKA model, such as SoEM22.

5. Conclusions

This paper focuses on the quantum related-key attack model, proposes a strategy of quantum related-key attacks based on Simon’s algorithm, and presents two applications. This work is of great significance. Quantum related-key attacks have more ability than quantum chosen-plaintext attacks. SoEM22 ensures enough security in the quantum chosen-plaintext attack model but is broken in the quantum related-key attack model. In other words, quantum related-key attacks may threaten existing cryptographic schemes that have proven security in the classical setting or even in the quantum chosen-plaintext attack model. One of the future goals is to cryptanalyze existing cryptographic schemes in the quantum related-key attack model. The classical related-key security of SoEM is still an open problem. Another future work direction is to research its classical related key security. This research is cutting-edge and targeted and has significant theoretical value and practical guidance for promoting the design of future quantum secure cryptographic schemes, advancing China’s quantum computing technology, and standardizing post-quantum cryptographics.