Quantum Attacks on MIBS Block Cipher Based on Bernstein–Vazirani Algorithm

Abstract

Because of the substantial progress in quantum computing technology, the safety of traditional cryptologic schemes is facing serious challenges. In this study, we explore the quantum safety of the lightweight cipher MIBS and propose quantum key-recovery attacks on the MIBS cipher by utilizing Grover’s algorithm and Bernstein–Vazirani algorithm. We first construct linear-structure functions based on the 5-round MIBS cipher according to the characteristics of the linear transformations, and then we obtain a quantum distinguisher of the 5-round MIBS cipher by applying Bernstein–Vazirani algorithm to the constructed functions. Finally, utilizing this distinguisher and Grover’s algorithm, we realize a 7-round key-recovery attack on the MIBS cipher, and then we expand the attack to more rounds of MIBS based on a similar idea. The quantum attack on the 7-round MIBS requires 156 qubits and has a time complexity of $2^{10.5}$. An 8-round attack requires 179 qubits and has a time complexity of $2^{22}$. Compared with existing quantum attacks, our attacks have better time complexity when attacking the same number of rounds.

1. Introduction

There has been substantial progress in quantum computer development in recent years. Experts in physics, quantum computing, and computer architecture are committed to realizing quantum computers. While quantum computing may bring benefits to research in many fields, it also brings challenges, especially for cryptography.

The key difference in quantum computing from classical information computing and processing is parallelism, which comes from the principle of superposition. This parallelism superiority makes it possible to execute a great quantity of computational paths simultaneously on quantum computers, so that some computational problems that cannot be solved by electronic computers may be solved by quantum computers. For example, factoring large integers will be solvable on quantum computers by utilizing Shor’s algorithm [1]; however, the security of some widely used public key algorithms is built on it.

Apart from public key schemes, symmetric cryptography is under the threat of quantum attacks as well. Grover’s algorithm [2] is the most representative example. It can be used for any unstructured search and brings a quadratic speedup. Searching a specific marked target in an M-element database using Grover’s algorithm needs only $O\left(\sqrt{M}\right)$ complexity, while classical algorithms need at least $O\left(M\right)$ complexity. Another famous example is Simon’s algorithm [3], which was introduced to find periods. It is also frequently applied to cryptanalysis of symmetric ciphers. At first, Simon’s algorithm was exploited to distinguish between a Feistel structure and a random function [4,5,6]. Afterwards, it was also utilized to find the key of the Even-Mansour (EM) scheme [6,7]. Lender et al. then utilized Grover’s algorithm and Simon’s algorithm simultaneously to extract the keys of FX ciphers [8]. Dong and Wang applied a similar method to attack a Feistel cipher [9] and the generalized Feistel cipher [10]. As for the Substitution–Permutation Network (SPN) structure, quantum attacks on the Advanced Encryption Standard (AES) algorithm were investigated by Jaques et al. [11]. Halak et al. evaluated the computation costs and performance of several quantum-attack-resilient cryptographic algorithms [12]. Recently, the research on the cryptanalysis of symmetric schemes has begun to pay attention to the Bernstein–Vazirani (BV) algorithm [13] and has obtained some good results [14,15].

In addition to the specific attacks on certain symmetric ciphers, analytic tools for symmetric ciphers must also be investigated for accurate security evaluation. In this direction, Grover’s algorithm was used to accelerate the search involved in differential attacks [11,16], and it was also used in the search part of linear attacks and their variants [17]. Afterwards, the BV algorithm was exploited for finding differentials [14,18,19]. Zhou and Yuan combined the BV algorithm and Grover’s algorithm for attacking Feistel ciphers [15]. Their attack strategy was inspired by the attack presented in [8,9], the main innovation being that it uses BV algorithm to distinguish the functions with nonzero linear structures from random functions instead of using Simon’s algorithm to distinguish functions with nonzero periods from random functions. Quantum algorithms are also applied to the collision attack on Hash functions [20,21]. Quantum cryptanalysis under the related-key model has also been studied [22,23]. The attacks mentioned above all exhibit the acceleration superiority of quantum algorithms in symmetric cryptanalysis over classical algorithms.

In this study, we investigate quantum attacks on the MIBS cipher, which is a lightweight algorithm with a Feistel structure and designed specifically for constrained environments [24]. First, by analyzing the characteristics of the MIBS cipher, we construct linear-structure functions based on the 5-round encryption of the MIBS cipher. Then, we combine this function with the BV algorithm to construct a distinguisher of the 5-round MIBS cipher. Afterwards, we utilize Grover’s algorithm and this distinguisher to implement a 7-round key-recovery attack on the MIBS cipher. Based on a similar idea, we further use the same distinguisher to implement 8-round and 9-round key-recovery attacks on the MIBS cipher. The 7-round, 8-round, and 9-round attacks require 156, 179, and 194 qubits, respectively, and their complexity are $2^{10.5}$, $2^{22}$, and $2^{32}$, respectively. Compared with existing quantum attacks, the quantum attacks presented in this article have the minimum complexity when attacking the same number of rounds. Our work further explores the “BV-meet-Grover’’ attack strategy and helps to evaluate the security of the MIBS cipher.

We first construct a periodic function based on the 5-round encryption, and then we combine Simon’s algorithm with the found periodic function to obtain a 5-round quantum distinguisher. As the number of rounds increases, the encryption function becomes more complex, making it increasingly difficult to find periodic functions. The 5-round distinguisher is the longest distinguisher we can find. Using the constructed 5-round distinguisher to attack 7-round, 8-round, and 9-round MIBS requires guessing 21, 44, and 64 bits of subkeys, respectively. The complexity of the 10-round attack exceeds that of the key exhaustive attack. Therefore, we only provide 7-round, 8-round, and 9-round attacks on MIBS.

Organization. Section 2 recalls the the fundamental concepts of quantum computing and cryptography; Section 3 constructs a 5-round quantum distinguisher of the MIBS cipher; Section 4 presents key-recovery attacks on the MIBS cipher; Section 5 provides a summary.

2. Preliminaries

2.1. Mibs Block Cipher

Lightweight cipher MIBS applies a standard Feistel structure [24]. Each block has 64 bits, and the key length supports 80-bit and 64-bit. We only consider the 64-bit version in this paper. MIBS has 32 rounds. Figure 1 shows the encryption structure of one round. $L_{i-1}$ and $R_{i-1}$ are the left branch and right branch of the input of the i-th round, respectively. $L_i$ and $R_i$ are the left branch and right branch of the output of the i-th round, respectively. $K_i$ is the i-th subkey ($i=1,2,\cdots ,32$). In the i-th round, $L_{i-1}$ and $K_i$ are input to the function F, and the XOR of $R_{i-1}$ and the output of F is the left branch $L_i$ of the output. The right branch $R_i$ of the output directly takes the value of $L_{i-1}$. All operations appearing in MIBS are nibble-based. A nibble contains four bits.

Suppose the plaintext is $M\in {\mathbb{F}}_2^{64}$, then the encryption process of MIBS is as follows:

• Divide M into two 32-bit parts $M=L_0||R_0$.
• For $i=1,2,\cdots ,32$, compute

  $$\left\{\begin{array}{c}{L}_i=R_{i-1}\oplus F(L_{i-1}\oplus K_i)\hfill \\ R_i=L_{i-1},\hfill \end{array}\right.$$

  where $K_i$ is the subkey of the i-th round generated by the key scheduling, and function F is defined below.
• Output the ciphertext $C=R_{32}||L_{32}$. (The ciphertext is obtained by exchanging the left and right branches of the output $L_{32}||R_{32}$ of the last iteration.)

The function $F:{\mathbb{F}}_2^{32}\to {\mathbb{F}}_2^{32}$ maps eight nibbles to eight nibbles:

$$\begin{array}{cc}\hfill F:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill x& \to P\circ M\circ S\left(x\right),\hfill \end{array}$$

where S is the substitution transformation, M and P are the mixing layer and the permutation layer, respectively. The S layer implements 8 identical Sboxes of 4 bits, all denoted s.

$$\begin{array}{cc}\hfill S:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill (x_8,x_7,\cdots ,x_1)& \to (s\left(x_8\right),s\left(x_7\right),\cdots ,s\left(x_1\right)).\hfill \end{array}$$

The definition of the Sbox s is presented in

Table 1. SBox s.

x	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
$s\left(x\right)$	5	15	3	8	13	10	12	0	11	5	7	14	2	6	1	9

.

The M layer mixes 8 nibbles using the XOR operation:

$$\begin{array}{cc}\hfill M:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill (y_8,y_7,\cdots ,y_1)& \to (u_8,u_7,\cdots ,u_1),\hfill \end{array}$$

where

$$\begin{array}{c}\hfill \begin{array}{c}{u}_1=y_2\oplus y_3\oplus y_4\oplus y_5\oplus y_6\oplus y_7\hfill \\ u_2=y_1\oplus y_3\oplus y_4\oplus y_6\oplus y_7\oplus y_8\hfill \\ u_3=y_1\oplus y_2\oplus y_4\oplus y_5\oplus y_7\oplus y_8\hfill \\ u_4=y_1\oplus y_2\oplus y_3\oplus y_5\oplus y_6\oplus y_8\hfill \\ u_5=y_1\oplus y_2\oplus y_4\oplus y_5\oplus y_6\hfill \\ u_6=y_1\oplus y_2\oplus y_3\oplus y_6\oplus y_7\hfill \\ u_7=y_2\oplus y_3\oplus y_4\oplus y_7\oplus y_8\hfill \\ u_8=y_1\oplus y_3\oplus y_4\oplus y_5\oplus y_8.\hfill \end{array}\end{array}$$

The P layer rearranges the input 8 nibbles in the order given in

Table 2. P transformation.

-	1	2	3	4	5	6	7	8
P	2	8	1	3	6	7	4	5

. That is, the P transformation is defined as

$$\begin{array}{cc}\hfill P:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill (u_8,u_7,\cdots ,u_1)& \to (z_8,z_7,\cdots ,z_1),\hfill \end{array}$$

where

$$\begin{array}{c}\hfill \begin{array}{cccc}{z}_1=u_3,\hfill & z_2=u_1,\hfill & z_3=u_4,\hfill & z_4=u_7,\hfill \\ z_5=u_8,\hfill & z_6=u_5,\hfill & z_7=u_6,\hfill & z_8=u_2.\hfill \end{array}\end{array}$$

For the convenience of cryptanalysis, we combine the transformations P and M. Let $PM=P\circ M$, which is a linear transformation and operates as follows:

$$\begin{array}{cc}\hfill PM:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill (y_8,y_7,\cdots ,y_1)& \to (z_8,z_7,\cdots ,z_1),\hfill \end{array}$$

(1)

where

$$\begin{array}{c}\hfill \begin{array}{c}{z}_1=y_1\oplus y_2\oplus y_4\oplus y_5\oplus y_7\oplus y_8\hfill \\ z_2=y_2\oplus y_3\oplus y_4\oplus y_5\oplus y_6\oplus y_7\hfill \\ z_3=y_1\oplus y_2\oplus y_3\oplus y_5\oplus y_6\oplus y_8\hfill \\ z_4=y_2\oplus y_3\oplus y_4\oplus y_7\oplus y_8\hfill \\ z_5=y_1\oplus y_3\oplus y_4\oplus y_5\oplus y_8\hfill \\ z_6=y_1\oplus y_2\oplus y_4\oplus y_5\oplus y_6\hfill \\ z_7=y_1\oplus y_2\oplus y_3\oplus y_6\oplus y_7\hfill \\ z_8=y_1\oplus y_3\oplus y_4\oplus y_6\oplus y_7\oplus y_8.\hfill \end{array}\end{array}$$

The construction of F is depicted in Figure 2. $x_8,x_7,\cdots ,x_1$ denotes the input of function F. First, the input is XORed with the 32-bit subkey $K_i$. Then, all nibbles are performed on 8 identical Sboxes s, respectively. The output of the Sboxes are denoted as $y_8,y_7,\cdots ,y_1$. Subsequently, F performs $PM$ transformation on these nibbles. $PM$ is composed of XOR operations and position permutations as defined in Equation (1). We mark the $PM$ transformation with a dashed box.

The attack on the MIBS cipher needs to use the inverse of $PM$.

$$\begin{array}{cc}\hfill P{M}^{-1}:{\left({\mathbb{F}}_2^4\right)}^8& \to {\left({\mathbb{F}}_2^4\right)}^8\hfill \\ \hfill (z_8,z_7,\cdots ,z_1)& \to (y_8,y_7,\cdots ,y_1),\hfill \end{array}$$

where

$$\begin{array}{c}\hfill \begin{array}{c}{y}_1=z_2\oplus z_4\oplus z_6\oplus z_7\oplus z_8\hfill \\ y_2=z_1\oplus z_4\oplus z_5\oplus z_7\oplus z_8\hfill \\ y_3=z_1\oplus z_3\oplus z_4\oplus z_5\oplus z_6\hfill \\ y_4=z_2\oplus z_3\oplus z_5\oplus z_6\oplus z_7\hfill \\ y_5=z_2\oplus z_3\oplus z_4\oplus z_5\oplus z_7\oplus z_8\hfill \\ y_6=z_1\oplus z_2\oplus z_4\oplus z_5\oplus z_6\oplus z_8\hfill \\ y_7=z_1\oplus z_3\oplus z_5\oplus z_6\oplus z_7\oplus z_8\hfill \\ y_8=z_1\oplus z_2\oplus z_3\oplus z_4\oplus z_6\oplus z_7.\hfill \end{array}\end{array}$$

The matrix forms of $PM$ and $P{M}^{-1}$ are

$$PM=\left[\begin{array}{cccccccc}1& 1& 1& 0& 1& 1& 0& 1\\ 0& 1& 1& 0& 0& 1& 1& 1\\ 0& 0& 1& 1& 1& 0& 1& 1\\ 1& 0& 0& 1& 1& 1& 0& 1\\ 1& 1& 0& 0& 1& 1& 1& 0\\ 1& 0& 1& 1& 0& 1& 1& 1\\ 0& 1& 1& 1& 1& 1& 1& 0\\ 1& 1& 0& 1& 1& 0& 1& 1\end{array}\right],P{M}^{-1}=\left[\begin{array}{cccccccc}0& 1& 1& 0& 1& 1& 1& 1\\ 1& 1& 1& 1& 0& 1& 0& 1\\ 1& 0& 1& 1& 1& 0& 1& 1\\ 1& 1& 0& 1& 1& 1& 1& 0\\ 0& 1& 1& 1& 0& 1& 1& 0\\ 0& 0& 1& 1& 1& 1& 0& 1\\ 1& 1& 0& 1& 1& 0& 0& 1\\ 1& 1& 1& 0& 1& 0& 1& 0\end{array}\right].$$

The key scheduling of MIBS generates 32 32-bit round keys $K_1,K_2,\cdots ,K_{32}$. Suppose the user key $K=(k_{63},k_{62},\cdots ,k_0)$. K is stored in a 64-bit key register $state$. Initialize the state of the register as $state=[k_{63},k_{62},\cdots ,k_0]$, i.e., $stat{e}_i=k_i$. The round key $K_i=k_{31}^i{k}_{30}^i\cdots k_0^i$ in the i-th round is equal to the leftmost 32 bits of the current register. Namely,

$$K_i=k_{31}^i{k}_{30}^i\cdots k_0^i=stat{e}_{63},stat{e}_{62},\cdots ,stat{e}_{32}.$$

After extracting the round key $K_i$, update the register as follows:

$$\begin{array}{cc}\hfill & state=state>>>15,\hfill \\ \hfill & state[63:60]=s\left(state\right[63:60\left]\right),\hfill \\ \hfill & state[15:11]=state[15:11]\oplus Round\text{-}Counter,\hfill \end{array}$$

where $>>>$ denotes rotation to the right, and $state[j:i]$ denotes the j-th to the i-th bits of the register. $s(·)$ is the Sbox defined in Table 1.

2.2. Bernstein–Vazirani Algorithm

The BV algorithm was introduced to find a secret vector $\rho \in {\mathbb{F}}_2^n$ when given the function $f\left(x\right)=\rho ·x={\sum }_{i=1}^n{\rho }_i{x}_i$ [13]. The steps of the BV algorithm are illustrated in Figure 3.

The notation H in Figure 3 denotes the Hadamard gate, which maps the state $|0\rangle$ to the state ${\displaystyle \frac{1}{\sqrt{2}}}(|0\rangle +|1\rangle )$ and maps the state $|1\rangle$ to the state ${\displaystyle \frac{1}{\sqrt{2}}}(|0\rangle -|1\rangle )$. The notation $H^{\otimes n}$ is a product of n Hadamard gates. Performing $H^{\otimes n}$ on ${|0\rangle }^{\otimes n}$ gives the state

$$\begin{array}{cc}\hfill H^{\otimes n}{|0\rangle }^{\otimes n}=& H|0\rangle \otimes H|0\rangle \otimes \cdots \otimes H|0\rangle \hfill \\ \hfill =& {\displaystyle \frac{1}{\sqrt{2^n}}}(|0\rangle \oplus {|1\rangle )}^{\otimes n}\hfill \\ \hfill =& {\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\mathbb{F}}_2^n}|x\rangle .\hfill \end{array}$$

The notation $U_f$ denotes the unitary operator of f, which operates as follows:

$$U_f:|x\rangle |y\rangle \to |x\rangle |y\oplus f\left(x\right)\rangle .$$

The symbol at the end of the first quantum wire in Figure 3 denotes a measurement. Suppose a quantum state ${\sum }_{x\in {\mathbb{F}}_2^n}{\alpha }_x|x\rangle$ is measured, where ${\alpha }_x$ is a complex number and called the amplitude of $|x\rangle$, then for any vector $x\in {\mathbb{F}}_2^n$, the probability of the measurement result being x is equal to $|{\alpha }_x{|}^2$. The quantum states in Figure 3 are defined as follows:

$$\begin{array}{cc}\hfill & |{\varphi }_0{\rangle =|0\rangle }^{\otimes n}|1\rangle ;\hfill \\ \hfill & |{\varphi }_1\rangle =\sum _{x\in {\mathbb{F}}_2^n}{\displaystyle \frac{|x\rangle }{\sqrt{2^n}}}·{\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}};\hfill \\ \hfill & |{\varphi }_2\rangle =\sum _{x\in {\mathbb{F}}_2^n}{\displaystyle \frac{{(-1)}^{f\left(x\right)}|x\rangle }{\sqrt{2^n}}}{\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}};\hfill \\ \hfill & |{\varphi }_3\rangle =\sum _{y\in {\mathbb{F}}_2^n}({\displaystyle \frac{1}{2^n}}\sum _{x\in {\mathbb{F}}_2^n}{(-1)}^{f\left(x\right)+y·x})|y\rangle {\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}};\hfill \\ & |{\varphi }_4\rangle =|\rho \rangle {\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}}.\hfill \end{array}$$

The last equation holds because

$$\begin{array}{c}\hfill {\displaystyle \frac{1}{2^n}}\sum _{x\in {\mathbb{F}}_2^n}{(-1)}^{f\left(x\right)+y·x}={\displaystyle \frac{1}{2^n}}\sum _{x\in {\mathbb{F}}_2^n}{(-1)}^{(\rho \oplus y)·x}s=\left\{\begin{array}{cc}1\hfill & y=\rho \hfill \\ 0\hfill & y\ne \rho .\hfill \end{array}\right.\end{array}$$

After measurement, the output is $\rho$ with a probability of 1.

2.3. Linear Structure

Definition 1. 

For a Boolean function $f:{\mathbb{F}}_2^m\to {\mathbb{F}}_2^n$, $\alpha \in {\mathbb{F}}_2^m$ is called a linear structure of f if

$$\begin{array}{c}\hfill f(x\oplus \alpha )\oplus f\left(x\right)=\beta ,\forall x\in {\mathbb{F}}_2^m\end{array}$$

(2)

holds for some $\beta \in {\mathbb{F}}_2^n$.

If $\beta$ in Equation (2) is the n-dimensional zero vector $0^n$, then $\alpha$ is also called a period of f. If a function has a nonzero period, we call it a periodic function. If a function has a nonzero linear structure, we call it a linear structure function. Particularly, for the case $n=1$, Li et al. presented a quantum algorithm that can determine whether f has a nonzero linear structure in polynomial time [19].

Theorem 1 

([19]). Any nonzero linear structure of $f:{\mathbb{F}}_2^m\to {\mathbb{F}}_2$ must be output by Algorithm 1. Conversely, taking $p\left(n\right)=n$, any vector output by Algorithm 1 is a linear structure of f except a negligible probability.

Algorithm 1 Algorithm for finding linear structures of single-output functions

Input: quantum oracle of $f:{\mathbb{F}}_2^m\to {\mathbb{F}}_2$, a polynomial $p\left(n\right)$.

Output: a linear structure of f.

1:  Define a set $T:=\mathsf{\varphi }$;

2:  for p = 1, 2, ⋯, p(n) do

3:   Execute BV algorithm on f, obtaining a vector ω;

4:   Let $T=T\cup \left\{\omega \right\}$;

5:  end for

6:  Solve the equation $\{x·\omega =i|\omega \in T\}$ and obtain two solution sets Ci for both i = 0, 1;

7:  if $C^0\cup C^1\subseteq \left\{0^m\right\}$ then

8:   Output “Not linear structure function”;

9:  else

10:   Output C0 and C1;

11:  end if

2.4. Grover’s Algorithm

Grover’s algorithm [2] was introduced for unstructured search. Suppose the set to be searched is ${\mathbb{F}}_2^n$, and $u\in {\mathbb{F}}_2^n$ is the target vector. In a classical setting, it takes a time of $2^n$ to find u, while in a quantum setting, using Grover’s algorithm only takes a time of $\sqrt{2^n}$. Grover’s algorithm has three steps:

• Prepare the quantum state

  $$H^{\left(n\right)}{|0\rangle }^{\otimes n}={\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\mathbb{F}}_2^n}|x\rangle \stackrel{\Delta }{=}|\varphi \rangle$$

  by applying Hadamard transform.
• Construct the quantum oracle ${\mathcal{O}}_u$ of function

  $$f_u\left(x\right)=\left\{\begin{array}{cc}1\hfill & x=u\hfill \\ 0\hfill & x\ne u.\hfill \end{array}\right.$$
  ${\mathcal{O}}_u$ operates as

  $${\mathcal{O}}_u:|x\rangle \to {(-1)}^{f_u\left(x\right)}|x\rangle .$$
• Let ${\mathcal{O}}_{\varphi }=2|\varphi \rangle \langle \varphi |-I$. Perform Grover’s iteration ${\mathcal{O}}_{\varphi }{\mathcal{O}}_u$ for $R\approx {\displaystyle \frac{\pi }{4}}\sqrt{2^n}$ times to obtain

  $${\left({\mathcal{O}}_{\varphi }{\mathcal{O}}_u\right)}^R|\varphi \rangle \approx |u\rangle .$$
• Return u.

When implementing Grover’s algorithm, the quantum oracle ${\mathcal{O}}_{f_u}$ of the function $f_u$ is given, which operates as follows:

$${\mathcal{O}}_{f_u}:|x\rangle |y\rangle \to |x\rangle |y\oplus f_u\left(y\right)\rangle .$$

The oracle ${\mathcal{O}}_u$ can be constructed based on ${\mathcal{O}}_{f_u}$ as in Figure 4. Given the input state $|x\rangle$, ${\mathcal{O}}_u$ performs ${\mathcal{O}}_{f_u}$ on $|x\rangle$ and the auxiliary state ${\displaystyle \frac{1}{\sqrt{2}}}(|0\rangle -|1\rangle )$. Then, the whole quantum state is

$$\begin{array}{cc}\hfill & {\mathcal{O}}_{f_u}\left(|x\rangle {\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}}\right)\hfill \\ \hfill =& |x\rangle {\displaystyle \frac{|0\oplus f_u\left(x\right)\rangle -|1\oplus f_u\left(x\right)\rangle }{\sqrt{2}}}\hfill \\ \hfill =& {(-1)}^{f_u\left(x\right)}|x\rangle {\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}}.\hfill \end{array}$$

The last equation holds because when $f_u\left(x\right)=0$, the state of the second register remains unchanged, while when $f_u\left(x\right)=1$, the state of the second register becomes ${\displaystyle \frac{1}{\sqrt{2}}}(|1\rangle -|0\rangle )$, which brings a negative sign. Then ${\mathcal{O}}_u$ discards the second register and outputs the state ${(-1)}^{f_u\left(x\right)}|x\rangle$ of the first register.

3. Quantum Distinguisher of MIBS

One of the common methods for attacking block ciphers by quantum algorithms is to first construct a quantum distinguisher by Simon’s algorithm or the BV algorithm, and then utilize Grover’s algorithm to extract the correct key based on the constructed distinguisher. Specifically, Simon’s algorithm can quickly determine whether a function is a periodic function. To obtain a distinguisher, the attacker first constructs a periodic function by using part of the encryption algorithm. Then, when the queried oracle is the block cipher, implementing Simon’s algorithm on the constructed function should output a period. When the queried oracle is a random function, applying Simon’s algorithm on the constructed function outputs a nonzero period with a negligible probability. Based on this significant difference, the attacker can distinguish between the block cipher and random function. In the phase of key recovery, the attacker guesses the round keys of several rounds after the distinguisher and uses the guessed keys to decrypt the ciphertexts obtained by querying. If the guessed round keys are correct, then the distinguisher performed on the partly decrypted ciphertexts should identify them as the outputs of a block cipher. If the round keys are incorrect, the partly decrypted ciphertexts are equivalent to the outputs of a random function. Thus, the distinguisher should identify them as outputs of a random function. By traversing all possible round keys, the attacker can recognize the correct key. In this process, Grover’s algorithm can provide speedup. This attack strategy is called “Grover-meet-Simon” [8,9,10].

Similar to Grover-meet-Simon, the strategy “Grover-meet-BV” is also used [15]. In a Grover-meet-BV attack, the attacker constructs a linear-structure function instead of a periodic function and uses the BV algorithm to distinguish functions with nonzero linear structures from random functions, instead of using Simon’s algorithm to distinguish functions with nonzero periods from random functions. Except for this point, other parts of these two attacks are the same. According to this attack strategy, we first construct a linear-structure function based on a 5-round encryption of MIBS; then, we present a 5-round quantum distinguisher of MIBS using this linear structure function and BV algorithm.

3.1. A Linear-Structure Function Based on 5-Round MIBS

In this subsection, we construct a linear-structure function based on 5-round MIBS. For the convenience of derivation, let $F_i$ be the F transformation in the i-th round, and let the S layer in the i-th round be $S_i$, as presented in Figure 5. All $F_i$s ($S_i$’s) operate in the same way. The left-branch input in the i-th round is $L_{i-1}$, and the right branch is $R_{i-1}$.

According to Figure 5, it holds that

$$\begin{array}{c}\hfill R_5=R_3\oplus F_4\left(L_3\right).\end{array}$$

(3)

Select two arbitrary constant vectors ${\delta }_0,{\delta }_1\in {\mathbb{F}}_2^4$ such that ${\delta }_0\ne {\delta }_1$. For any variables $d\in {\mathbb{F}}_2$ and $x=(x_4,x_3,x_2,x_1)\in {\mathbb{F}}_2^4$, let the input of the 5-round MIBS be

$$\begin{array}{cc}\hfill & L_0=(0^4,{\delta }_d,0^4,0^4,0^4,0^4,0^4,0^4),\hfill \\ \hfill & R_0=PM(0^4,x,0^4,0^4,0^4,0^4,0^4,0^4),\hfill \end{array}$$

where $0^4=(0,0,0,0)$, ${\delta }_d={\delta }_0$ when $d=0$, and ${\delta }_d={\delta }_1$ when $d=1$. $PM$ is defined as in Equation (1). We use $R_5$ to construct a linear-structure function. Due to Equation (3), for computing $R_5$, we should first compute $R_3$ and $L_3$. Let $K_i\left[j\right]$ be the j-th nibble of the i-th round key $K_i$. That is,

$$K_i=(K_i\left[8\right],K_i\left[7\right],K_i\left[6\right],K_i\left[5\right],K_i\left[4\right],K_i\left[3\right],K_i\left[2\right],K_i\left[1\right]),i=1,2,\cdots ,32.$$

It holds that

$$\begin{array}{cc}\hfill & F_1(L_0\oplus K_1)\hfill \\ \hfill =& F_1(K_1\left[8\right],{\delta }_d\oplus K_1\left[7\right],K_1\left[6\right],K_1\left[5\right],K_1\left[4\right],K_1\left[3\right],K_1\left[2\right],K_1\left[1\right])\hfill \\ \hfill =& PM\circ S_1(K_1\left[8\right],{\delta }_d\oplus K_1\left[7\right],K_1\left[6\right],K_1\left[5\right],K_1\left[4\right],K_1\left[3\right],K_1\left[2\right],K_1\left[1\right])\hfill \\ \hfill =& PM(s\left(K_1\left[8\right]\right),s({\delta }_d\oplus K_1\left[7\right]),s\left(K_1\left[6\right]\right),s\left(K_1\left[5\right]\right),s\left(K_1\left[4\right]\right),s\left(K_1\left[3\right]\right),s\left(K_1\left[2\right]\right),s\left(K_1\left[1\right]\right))\hfill \\ \hfill =& PM(\mathcal{C},{\Delta }_d,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C}),\hfill \end{array}$$

where ${\Delta }_d=s({\delta }_d\oplus K_1\left[7\right])$, $K_1\left[7\right]$ is a constant, and the notation $\mathcal{C}$ indicates that the corresponding nibble is a constant. The values of different nibbles marked with $\mathcal{C}$ may be different, but they are all restricted to constants that do not depend on variables x and d. Then,

$$\begin{array}{cc}\hfill L_1& =F_1(L_0\oplus K_1)\oplus R_0\hfill \\ \hfill & =PM(\mathcal{C},{\Delta }_d,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus PM(0^4,x,0^4,0^4,0^4,0^4,0^4,0^4)\hfill \\ \hfill & =PM(\mathcal{C},{\Delta }_d\oplus x,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C}).\hfill \end{array}$$

Therefore,

$$\begin{array}{cc}\hfill R_3& =L_2=R_1\oplus F_2(L_1\oplus K_2)\hfill \\ \hfill & =L_0\oplus F_2(L_1\oplus K_2)\hfill \\ \hfill & =L_0\oplus F_2\left(PM(\mathcal{C},{\Delta }_d\oplus x,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\right)\hfill \\ \hfill & =L_0\oplus F_2\left(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\right),\hfill \end{array}$$

(4)

where $\ast ={\Delta }_d\oplus x$. Since

$$\begin{array}{cc}\hfill L_2& =F_2(L_1\oplus K_2)\oplus R_1\hfill \\ \hfill & =F_2\left(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\right)\oplus R_1\hfill \\ \hfill & =F_2\left(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\right)\oplus L_0,\hfill \end{array}$$

we have

$$\begin{array}{cc}\hfill L_3& =F_3(L_2\oplus K_3)\oplus L_1\hfill \\ \hfill & =F_3\left(F_2\left(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\right)\oplus L_0\oplus K_3\right)\oplus L_1.\hfill \end{array}$$

Before further deriving the linear-structure function, we first give Lemma 1.

Lemma 1. 

Let $g(\ast ,{\delta }_d)=F_3\left(F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\oplus L_0\oplus K_3\right)$, where $L_0=(0^4,{\delta }_d,0^4,0^4,0^4,0^4,0^4,0^4)$ and $\ast =s({\delta }_d\oplus K_1\left[7\right])\oplus x$; then, the value of the 5th nibble $g(\ast ,{\delta }_d)\left[5\right]$ of $g(\ast ,{\delta }_d)$ is only related to the value of ∗.

Proof. 

According to the construction of the $PM$ transformation,

$$\begin{array}{cc}& PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2\hfill \\ \hfill =& (\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast ))\oplus K_2\hfill \\ \hfill =& (\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast \left)\right),\hfill \end{array}$$

where $\mathcal{C}$ indicates that the corresponding nibble is a constant, and $\hslash (\ast )$ indicates that the value of the corresponding nibble is a function of ∗. Different nibbles marked with $\hslash (\ast )$ may be different functions of ∗, but their values are all restricted to only depend on the variable ∗. Notations $\mathcal{C}$ and $\hslash (\ast )$ are used to indicate the state of the corresponding nibbles, not a specific vector or function. The last equality holds since $K_2$ is a constant. Then,

$$\begin{array}{cc}\hfill & F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\hfill \\ \hfill =& PM\circ S_2(\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast ))\hfill \\ \hfill =& PM(\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast \left)\right)\hfill \\ \hfill =& (\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast \left)\right).\hfill \end{array}$$

Then,

$$\begin{array}{cc}\hfill & F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\oplus L_0\oplus K_3\hfill \\ \hfill =& (\hslash (\ast ),\hslash (\ast )\oplus {\delta }_d,\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ))\hfill \end{array}$$

Therefore,

$$\begin{array}{cc}\hfill g(\ast ,{\delta }_d)=& \left(g(\ast ,{\delta }_d)\left[8\right],g(\ast ,{\delta }_d)\left[7\right],\cdots ,g(\ast ,{\delta }_d)\left[2\right],g(\ast ,{\delta }_d)\left[1\right]\right)\hfill \\ \hfill =& F_3(\hslash (\ast ),\hslash (\ast )\oplus {\delta }_d,\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ))\hfill \\ \hfill =& PM\circ S_3(\hslash (\ast ),\hslash (\ast )\oplus {\delta }_d,\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ))\hfill \\ \hfill =& PM(\hslash (\ast ),?,\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast ),\hslash (\ast \left)\right)\hfill \\ \hfill =& (?,?,\hslash (\ast ),\hslash (\ast ),?,\hslash (\ast ),?,?),\hfill \end{array}$$

where “?” means that the state of corresponding nibbles is uncertain. Due to the above equation, the 5th nibble $g(\ast ,{\delta }_d)\left[5\right]$ of $g(\ast ,{\delta }_d)$ is in the state $\hslash (\ast )$; thus, its values are only related to ∗. The notation $\hslash (\ast )$ means that every nibble marked with $\hslash (\ast )$ is a function of ∗. The $\hslash (\ast )$ does not refer to a specific function, but rather indicates that the values of the corresponding nibbles depend only on the value of ∗. It represents a kind of state of nibbles rather than a specific function. The $\hslash (\ast )$ symbols in the 2nd, 3rd, and 5th nibbles of $g(\ast ,{\delta }_d)$ indicate that these three nibbles are all functions of ∗, and their values depend only on ∗, but they are not necessarily the same function.    □

According to Lemma 1, we define the function

$$\begin{array}{cc}\hfill G:{\mathbb{F}}_2\times {\mathbb{F}}_2^4& \to {\mathbb{F}}_2^4\hfill \\ \hfill (d,x)& \to P{M}^{-1}(L_0\oplus R_5)\left[5\right]\oplus d^4,\hfill \end{array}$$

where

$$\begin{array}{cc}\hfill & L_0=(0^4,{\delta }_d,0^4,0^4,0^4,0^4,0^4,0^4),\hfill \\ \hfill & R_0=PM(0^4,x,0^4,0^4,0^4,0^4,0^4,0^4),\hfill \end{array}$$

and $(L_5,R_5)=MIB{S}^5(L_0,R_0)$, i.e., the ciphertext after a 5-round encryption of MIBS. $P{M}^{-1}$ is the inverse function of $PM$. $P{M}^{-1}(L_0\oplus R_5)\left[5\right]$ is the 5th nibble of $P{M}^{-1}(L_0\oplus R_5)$. $d^4=\left(dddd\right)$.

Theorem 2. 

Function $G(d,x)$ is a linear-structure function, and $(1,{\Delta }_0\oplus {\Delta }_1)$ is its linear structure. Specifically,

$$G(d,x)\oplus G(d\oplus 1,x\oplus {\Delta }_0\oplus {\Delta }_1)=\left(1111\right),$$

where ${\Delta }_0=s({\delta }_0\oplus K_1\left[7\right])$ and ${\Delta }_1=s({\delta }_1\oplus K_1\left[7\right])$ are constants.

Proof. 

According to Equation (3), it holds that

$$\begin{array}{c}\hfill P{M}^{-1}(L_0\oplus R_5)=P{M}^{-1}\left(L_0\right)\oplus P{M}^{-1}\left(R_3\right)\oplus P{M}^{-1}\left(F_4\left(L_3\right)\right).\end{array}$$

Due to Equation (4), we have

$$\begin{array}{c}\hfill P{M}^{-1}\left(R_3\right)=P{M}^{-1}\left(L_0\right)\oplus P{M}^{-1}\left(F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\right).\end{array}$$

Therefore,

$$\begin{array}{c}\hfill P{M}^{-1}(L_0\oplus R_5)=P{M}^{-1}\left(F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\right)\oplus P{M}^{-1}\left(F_4\left(L_3\right)\right).\end{array}$$

(5)

We compute the first part:

$$\begin{array}{cc}\hfill & P{M}^{-1}\left(F_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2)\right)\hfill \\ \hfill =& S_2(PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\oplus K_2))\hfill \\ \hfill =& S_2(\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast ))\hfill \\ \hfill =& (\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast \left)\right).\hfill \end{array}$$

Then, we compute the second part:

$$\begin{array}{cc}\hfill & P{M}^{-1}\left(F_4\left(L_3\right)\right)\hfill \\ \hfill =& S_4(g(\ast ,{\delta }_d)\oplus L_1)\hfill \\ \hfill =& S_4\left(g(\ast ,{\delta }_d)\oplus PM(\mathcal{C},\ast ,\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C},\mathcal{C})\right)\hfill \\ \hfill =& S_4\left((?,?,\hslash (\ast ),\hslash (\ast ),?,\hslash (\ast ),?,?)\oplus (\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast \left)\right)\right)\hfill \\ \hfill =& (?,?,\hslash (\ast ),\hslash (\ast ),?,\hslash (\ast ),?,?).\hfill \end{array}$$

Combining these two parts gives

$$\begin{array}{cc}\hfill & P{M}^{-1}(L_0\oplus R_5)\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill =& (\hslash (\ast ),\hslash (\ast ),\mathcal{C},\mathcal{C},\hslash (\ast ),\mathcal{C},\hslash (\ast ),\hslash (\ast \left)\right)\oplus (?,?,\hslash (\ast ),\hslash (\ast ),?,\hslash (\ast ),?,?)\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill =& (?,?,\hslash (\ast ),\hslash (\ast ),?,\hslash (\ast ),?,?).\hfill \end{array}$$

(8)

Thus, we have

$$\begin{array}{cc}\hfill & G(d,x)=P{M}^{-1}(L_0\oplus R_5)\left[5\right]\oplus d^4=\hslash (\ast )\oplus d^4=\hslash ({\Delta }_d\oplus x)\oplus d^4\hfill \end{array}$$

and

$$G(d\oplus 1,x\oplus {\Delta }_0\oplus {\Delta }_1)=\hslash ({\Delta }_d\oplus x)\oplus d^4\oplus \left(1111\right).$$

These two equations mean that

$$G(d,x)\oplus G(d\oplus 1,x\oplus {\Delta }_0\oplus {\Delta }_1)=\left(1111\right).$$

which indicates the conclusion.    □

3.2. 5-Round Quantum Distinguisher

We have constructed a linear-structure function based on the 5-round encryption of MIBS. Combining this with the quantum algorithm, which can determine whether a function is a linear-structure function, we can obtain a quantum distinguisher of 5-round MIBS.

Based on Algorithm 1, Xie and Yang constructed a quantum algorithm that can determine whether a function has linear structures [14]. We present this quantum algorithm below.

Theorem 3 

([14]). If $f:{\mathbb{F}}_2^m\to {\mathbb{F}}_2^n$ is a linear-structure function, then except with a negligible probability, Algorithm 2 on f with $p\left(n\right)=n$ will output a linear structure of f.

Algorithm 2 [14] Algorithm for finding linear structures of multiple-output functions

Input: quantum oracle of $f:{\mathbb{F}}_2^m\to {\mathbb{F}}_2^n$, a polynomial $p\left(n\right)$. ($f=(f_1,f_2,\cdots ,f_n)$.)

Output: a linear structure of f.

1:  for  $j=1,2,\cdots ,n$  do

2:   Run Algorithm 1 on  $f_j$ with $p\left(n\right)$;

3:   if Algorithm 1 returns “Not linear structure function” then

4:     Output “Not linear structure function”;

5:   else

6:     Let $C_j=C_j^0\cup C_j^1$, where $C_j^0$ and $C_j^1$ are the outputs of Algorithm 1;

7:   end if

8:  end for

9:  if  $C_1\cap C_2\cap \cdots \cap C_n\subseteq \left\{0^m\right\}$  then

10:   Return “Not linear structure function”;

11:  else

12:   Randomly choose a nonzero vector $\alpha \in C_1\cap \cdots \cap C_n$ and return $\alpha$;

13:  end if

In a quantum distinguishing attack on 5-round MIBS, a quantum oracle $\mathcal{O}$ is available, which implements either the encryption of 5-round MIBS $MIB{S}^5$ or a random function $RF$. Since the linear-structure function G is defined only using the right part $R_5$ of the output of $MIB{S}^5$, it is assumed that the attacker can query the oracle, which merely returns the right branch $R_5$. Such assumption is commonly used in quantum distinguishing attacks [4,5,6]. Moreover, in the following key-recovery attack, we show how to construct such oracle via the oracle of complete encryption. Thus, the attacker can query $\mathcal{O}$ by implementing either the operator

$$\mathcal{O}:\sum _{{\displaystyle \genfrac{}{}{0pt}{}{u\in {\mathbb{F}}_2^{64}}{v\in {\mathbb{F}}_2^{32}}}}|u\rangle |v\rangle \to \sum _{{\displaystyle \genfrac{}{}{0pt}{}{u\in {\mathbb{F}}_2^{64}}{v\in {\mathbb{F}}_2^{32}}}}|u\rangle |v\oplus MIB{S}_R^5\left(u\right)\rangle$$

or the operator

$$\mathcal{O}:\sum _{{\displaystyle \genfrac{}{}{0pt}{}{u\in {\mathbb{F}}_2^{64}}{v\in {\mathbb{F}}_2^{32}}}}|u\rangle |v\rangle \to \sum _{{\displaystyle \genfrac{}{}{0pt}{}{u\in {\mathbb{F}}_2^{64}}{v\in {\mathbb{F}}_2^{32}}}}|u\rangle |v\oplus PF\left(u\right)\rangle ,$$

where $MIB{S}_R^5:{\mathbb{F}}_2^{64}\to {\mathbb{F}}_2^{32}$ is the the encryption function of 5-round MIBS, which only returns the right 32 bits, and $PF:{\mathbb{F}}_2^{64}\to {\mathbb{F}}_2^{32}$ is a random function.

A quantum distinguisher of $\mathcal{O}$ is a quantum algorithm that can distinguish whether $\mathcal{O}$ implements $MIB{S}_R^5$ or a random function $PF$. In order to construct a quantum distinguisher, an intuitive idea is to construct the oracle ${\mathcal{O}}_G$ of function G based on $\mathcal{O}$

$${\mathcal{O}}_G:\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(d,x)\in {\mathbb{F}}_2\times {\mathbb{F}}_2^4,}{y\in {\mathbb{F}}_2^4}}}|d\rangle |x\rangle |y\rangle \to \sum _{{\displaystyle \genfrac{}{}{0pt}{}{(d,x)\in {\mathbb{F}}_2\times {\mathbb{F}}_2^4,}{y\in {\mathbb{F}}_2^4}}}|d\rangle |x\rangle |y\oplus G(d,x)\rangle ,$$

and then run Algorithm 2 on ${\mathcal{O}}_G$ to determine whether it is the oracle of a linear-structure function, thereby determining whether $\mathcal{O}$ is the encryption of 5-round MIBS. If $\mathcal{O}$ implements $MIB{S}^5$, then Algorithm 2 will return a linear structure of G; otherwise, if $\mathcal{O}$ implements $RF$, then its probability of outputting a linear structure of G is negligible.

Figure 6 shows how to construct the oracle ${\mathcal{O}}_G$ of function G based on $\mathcal{O}$. The unitary operator $CNO{T}^{\left(32\right)}$ is composed of 32 $CNOT$ gates and works as follows:

$$CNO{T}^{\left(32\right)}:\sum _{u,v\in {\mathbb{F}}_2^{32}}|u\rangle |v\rangle \to \sum _{u,v\in {\mathbb{F}}_2^{32}}|u\rangle |v\oplus u\rangle .$$

Similarly, $CNO{T}^{\left(4\right)}$ is composed of 4 $CNOT$ gates and works as follows:

$$CNO{T}^{\left(4\right)}:\sum _{{\displaystyle \genfrac{}{}{0pt}{}{u_8,u_7,\cdots ,u_1\in {\mathbb{F}}_2^4}{v\in {\mathbb{F}}_2^4}}}|u_8,u_7,\cdots ,u_1\rangle |v\rangle \to \sum _{{\displaystyle \genfrac{}{}{0pt}{}{u_8,u_7,\cdots ,u_1\in {\mathbb{F}}_2^4}{v\in {\mathbb{F}}_2^4}}}|u_8,u_7,\cdots ,u_1\rangle |v\oplus u_5\rangle .$$

The unitary operator $U_{P{M}^{-1}}$ is defined as

$$U_{P{M}^{-1}}:\sum _{u\in {\mathbb{F}}_2^{32}}|u\rangle \to \sum _{u\in {\mathbb{F}}_2^{32}}|P{M}^{-1}\left(u\right)\rangle$$

and can be realized as shown in Figure 7. The input $|d\rangle$ of ${\mathcal{O}}_G$ is combined with 31 auxiliary states $|0\rangle$ to form the state $|L_0\rangle$, and the input $|x\rangle$ is combined with 28 auxiliary states $|0\rangle$ to form the state $|R_0\rangle$. The states in Figure 6 are defined as below.

$$\begin{array}{cc}\hfill \mathrm{Input}\mathrm{state}& =\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(d,x)\in {\mathbb{F}}_2\times {\mathbb{F}}_2^4,}{y\in {\mathbb{F}}_2^4}}}|d\rangle |x\rangle |y\rangle ,\hfill \\ \hfill |{\phi }_0\rangle & =\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(d,x)\in {\mathbb{F}}_2\times {\mathbb{F}}_2^4,}{y\in {\mathbb{F}}_2^4}}}|0^4\rangle |{\delta }_d\rangle |0^4\rangle \cdots |0^4\rangle |0^4\rangle |x\rangle |0^4\rangle \cdots |0^4\rangle |0^{32}\rangle |y\rangle \hfill \\ \hfill & =\sum _{{\displaystyle \genfrac{}{}{0pt}{}{(d,x)\in {\mathbb{F}}_2\times {\mathbb{F}}_2^4,}{y\in {\mathbb{F}}_2^4}}}|L_0\rangle |R_0\rangle |0^{32}\rangle |y\rangle ,\hfill \\ \hfill |{\phi }_1\rangle & =\left\{\begin{array}{cc}\sum _{d,x,y}|L_0\rangle |R_0\rangle |MIB{S}_R^5(L_0,R_0)\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}MIB{S}_R^5\hfill \\ \sum _{d,x,y}|L_0\rangle |R_0\rangle |RF(L_0,R_0)\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}RF\hfill \end{array}\right.\hfill \\ \hfill |{\phi }_2\rangle & =\left\{\begin{array}{cc}\sum _{d,x,y}|L_0\rangle |R_0\rangle |R_5\oplus L_0\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}MIB{S}_R^5\hfill \\ \sum _{d,x,y}|L_0\rangle |R_0\rangle |RF(L_0,R_0)\oplus L_0\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}RF\hfill \end{array}\right.\hfill \\ \hfill |{\phi }_3\rangle & =\left\{\begin{array}{cc}\sum _{d,x,y}|L_0\rangle |R_0\rangle |P{M}^{-1}(R_5\oplus L_0)\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}MIB{S}_R^5\hfill \\ \sum _{d,x,y}|L_0\rangle |R_0\rangle |P{M}^{-1}(RF(L_0,R_0)\oplus L_0)\rangle |y\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}RF\hfill \end{array}\right.\hfill \end{array}$$

Therefore, when $\mathcal{O}$ is the oracle of $MIB{S}_R^5$, it holds that

$$\begin{array}{cc}\hfill |{\phi }_4\rangle & =\sum _{d,x,y}|L_0\rangle |R_0\rangle |P{M}^{-1}(R_5\oplus L_0)\rangle |y\oplus P{M}^{-1}(R_5\oplus L_0)\left[5\right]\rangle \hfill \\ \hfill & =\sum _{d,x,y}|L_0\rangle |R_0\rangle |P{M}^{-1}(R_5\oplus L_0)\rangle |y\oplus G(d,x)\rangle .\hfill \end{array}$$

When $\mathcal{O}$ is the oracle of random function $RF$, it holds that

$$\begin{array}{c}\hfill |{\phi }_4\rangle =\sum _{d,x,y}|L_0\rangle |R_0\rangle |P{M}^{-1}(RF(L_0,R_0)\oplus L_0)\rangle |y\oplus P{M}^{-1}(RF(L_0,R_0)\oplus L_0)\left[5\right]\rangle .\end{array}$$

The disentanglement process is to disentangle the registers denoted $|d\rangle$, $|x\rangle$, and $|y\rangle$ from the registers of the auxiliary states. Thus, after this process, the state will be

$$\begin{array}{cc}\hfill |{\phi }_5\rangle & =\sum _{d,x,y}|L_0\rangle |R_0\rangle |0^{32}\rangle |y\oplus G(d,x)\rangle \hfill \end{array}$$

if $\mathcal{O}$ is the oracle of $MIB{S}_R^5$, or

$$\begin{array}{c}\hfill |{\phi }_5\rangle =\sum _{d,x,y}|L_0\rangle |R_0\rangle |0^{32}\rangle |y\oplus P{M}^{-1}(RF(L_0,R_0)\oplus L_0)\left[5\right]\rangle \end{array}$$

(9)

if $\mathcal{O}$ is the oracle of random function $RF$. Since $RF$ is a random function from 64 bits to 32 bits, $P{M}^{-1}(RF(L_0,R_0)\oplus L_0)\left[5\right]$ can also been seen as a random function mapping 5 bits to 4 bits given input $(d,x)$. Let $R{F}_{5,4}$ denote the random function from 5 bits to 4 bits; then, we have

$$\begin{array}{c}\hfill |{\phi }_5\rangle =\sum _{d,x,y}|L_0\rangle |R_0\rangle |0^{32}\rangle |y\oplus R{F}_{5,4}(d,x)\rangle \end{array}$$

(10)

when $\mathcal{O}$ is the oracle of $RF$. The output state of ${\mathcal{O}}_G$ shown in Figure 6 is

$$\begin{array}{c}\hfill \mathrm{output}\mathrm{state}=\left\{\begin{array}{cc}\sum _{d,x,y}|d\rangle |x\rangle |y\oplus G(d,x)\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}MIB{S}_R^5\hfill \\ \sum _{d,x,y}|d\rangle |x\rangle |y\oplus R{F}_{5,4}(d,x)\rangle ,\hfill & \mathrm{if}\mathcal{O}\mathrm{is}\mathrm{oracle}\mathrm{of}RF.\hfill \end{array}\right.\end{array}$$

The quantum oracle ${\mathcal{O}}_G$ has been constructed; then, we present the quantum distinguisher of 5-round MIBS. Given the access to the oracle $\mathcal{O}$, the distinguisher ${\mathcal{D}}^{\mathcal{O}}$ works as follows:

(1)

Construct the oracle ${\mathcal{O}}_G$ based on $\mathcal{O}$ as in Figure 6;

(2)

Implement Algorithm 2 using oracle ${\mathcal{O}}_G$;

(3)

If Algorithm 2 returns a linear structure, output $|1\rangle$; otherwise, output $|0\rangle$.

The output $|1\rangle$ indicates that $\mathcal{O}$ is the oracle of $MIB{S}_R^5$, and output $|0\rangle$ indicates that $\mathcal{O}$ is the oracle of random function $RF$. According to Theorem 2, ${\mathcal{D}}^{\mathcal{O}}$ can correctly distinguish the 5-round MIBS from a random function.

4. Key-Recovery Attack

We first give a 7-round key-recovery attack on MIBS utilizing the distinguisher proposed in Section 3.2. We consider a chosen plaintext attack, where the oracle of the 7-round MIBS is available. Namely, the oracle

$${\mathcal{O}}_{MIB{S}^7}:\sum _{u,v\in {\mathbb{F}}_2^{64}}|u\rangle |v\rangle \to \sum _{u,v\in {\mathbb{F}}_2^{64}}|u\rangle |v\oplus MIB{S}^7\left(u\right)\rangle$$

can be queried by an attacker. Through querying ${\mathcal{O}}_{MIB{S}^7}$, the attacker can obtain the superposition state of the ciphertexts after 7-round encryption; then, the attacker guesses the relevant bits of the 6th- and 7th-round keys and decrypts the ciphertexts for two rounds to obtain the ciphertexts of $MIB{S}_R^5$ ($R_5$). Therefore, for each guessed candidate round key of the 6th and 7th rounds, the attacker can use it to decrypt 2 rounds to obtain oracle $\mathcal{O}$, which is the oracle of $MIB{S}_R^5$ when the guessed key is right, and is the oracle of the random function $RF$ when the guessed key is wrong. Using the distinguisher ${\mathcal{D}}^{\mathcal{O}}$ defined in Section 3.2 with queries to $\mathcal{O}$ can determine whether the guessed round key bits are right. If the round key bits are right, ${\mathcal{D}}^{\mathcal{O}}$ will output $|1\rangle$; otherwise, it will output $|0\rangle$.

The key is how to compute $R_5$ using the least bits of $K_6$ and $K_7$ given the ciphertext $(L_7,R_7)$. Since

$$\begin{array}{cc}\hfill & g(d,x)\hfill \\ \hfill =& P{M}^{-1}(MIB{S}_R^5(L_0,R_0)\oplus L_0)\left[5\right]\hfill \\ \hfill =& P{M}^{-1}\left(R_5\right)\left[5\right]\oplus P{M}^{-1}\left(L_0\right)\left[5\right],\hfill \end{array}$$

to construct oracle ${\mathcal{O}}_G$, we actually only need to compute the 5th nibble of $P{M}^{-1}\left(R_5\right)$ instead of the entire $R_5$. Therefore, we can slightly change the way to generate ${\mathcal{O}}_G$ so that we do not need the entire $R_5$. ${\mathcal{O}}_G$ can still be constructed from $\mathcal{O}$ using the method in Section 3.2, except that $\mathcal{O}$ is no longer the oracle of the entire $R_5$, but only the part of $R_5$ required for computing $P{M}^{-1}\left(R_5\right)\left[5\right]$. This does not bring any essential differences but can void guessing the unnecessary key bits during key-recovery attack. As shown in Figure 8, it holds that

$$\begin{array}{cc}\hfill P{M}^{-1}\left(R_5\right)\left[5\right]& =P{M}^{-1}\left(F_6(L_5\oplus K_6)\right)\left[5\right]\oplus P{M}^{-1}\left(L_6\right)\left[5\right]\hfill \\ \hfill & =S_6(L_5\oplus K_6)\left[5\right]\oplus P{M}^{-1}\left(R_7\right)\left[5\right]\hfill \\ \hfill & =s(L_5\left[5\right]\oplus K_6\left[5\right])\oplus P{M}^{-1}\left(R_7\right)\left[5\right]\hfill \\ \hfill & =s(R_6\left[5\right]\oplus K_6\left[5\right])\oplus P{M}^{-1}\left(R_7\right)\left[5\right]\hfill \\ \hfill & =s\left(F_7(R_7\oplus K_7)\left[5\right]\oplus L_7\left[5\right]\oplus K_6\left[5\right]\right)\oplus P{M}^{-1}\left(R_7\right)\left[5\right]\hfill \\ \hfill & =s\left(PM\left(S_7(R_7\oplus K_7)\right)\left[5\right]\oplus L_7\left[5\right]\oplus K_6\left[5\right]\right)\oplus P{M}^{-1}\left(R_7\right)\left[5\right].\hfill \end{array}$$

Since $L_7$ and $R_7$ are known, according to the definition of $PM$, to compute $PM\left(S_7(R_7\oplus K_7)\right)\left[5\right]$, we only need to guess the 1st, 3rd, 4th, 5th, and 8th nibbles of $K_7$. Therefore, $K_6\left[5\right]$, $K_7[8,5,4,3,1]$ are enough for computing the value of $P{M}^{-1}\left(R_5\right)\left[5\right]$ or $g(d,x)$. There are 24 bits needed to be guessed. Considering the key scheduling, there may exist repetitive bits.

Table 3. Repetition of round key bits.

$K_6$	63	62	61	60	59	58	57	56	55	54	53	52	51	50	49	48
	47	46	45	44	43	42	41	40	39	38	37	36	35	34	33	32
$K_7$	14	13	12	11	10	9	8	7	6	5	4	3	2	1	0	63
	62	61	60	59	58	57	56	55	54	53	52	51	50	49	48	47
$K_8$	29	28	27	26	25	24	23	22	21	20	19	18	17	16	15	14
	13	12	11	10	9	8	7	6	5	4	3	2	1	0	63	62
$K_9$	44	43	42	41	40	39	38	37	36	35	34	33	32	31	30	29
	28	27	26	25	24	23	22	21	20	19	18	17	16	15	14	13
$K_{10}$	59	58	57	56	55	54	53	52	51	50	49	48	47	46	45	44
	43	42	41	40	39	38	37	36	35	34	33	32	31	30	29	28

shows the repetition bits of the subkeys in 7–10 rounds generated as the key scheduling. Suppose the state of the key register in the 6th round of key scheduling is

$$state=a_{63}{a}_{62}\cdots a_1{a}_0,$$

then, $K_6=a_{63}{a}_{62}\cdots a_{32}$ and $K_7=a_{14}{a}_{13}\cdots a_0{a}_{63}\cdots a_{47}$. Here, we omit the Sbox transformation since the determined transformation does not affect the amount of bits that is required to be guessed. According to Table 3, the 2nd, 3rd, and 4th bits of $K_7\left[1\right]$ are the same as the 1st, 2nd, and 3rd bits of $K_6\left[5\right]$. Thus, in fact, we only need to guess 21 key bits:

$$K_6\left[5\right],K_7[8,5,4,3,1\left(1\right)],$$

where $K_7[8,5,4,3,1\left(1\right)]$ denotes the 8th, 5th, 4th, and 3rd nibbles and the 1st bit of the 1st nibble of $K_7$.

Define

$$\begin{array}{cc}\hfill \overline{G}:{\mathbb{F}}_2^{21}\times {\mathbb{F}}_2\times {\mathbb{F}}_2^4& \to {\mathbb{F}}_2^4\hfill \\ \hfill (K^{6,7},d,x)& \to G(d,x)\mathrm{under}\mathrm{the}\mathrm{decryption}\mathrm{of}{K}^{6,7}.\hfill \end{array}$$

Given the oracle of $MIB{S}^7$, by decrypting under the relevant keys in the 6th and 7th rounds, it is easy to obtain the oracle of $P{M}^{-1}\left(R_5\right)\left[5\right]$. Then, we can construct the oracle of $\overline{G}$ using a similar method in Section 3.2. The oracle of $\overline{G}$ can play the role of ${\mathcal{O}}_G$ in the distinguisher $\mathcal{A}$. Thus, $\mathcal{A}$ will output $|1\rangle$ when $K^{6,7}$ is the correct 21-bit key and output $|0\rangle$ when $K^{6,7}$ is the wrong 21-bit subkey. Taking $\mathcal{A}$ as the oracle ${\mathcal{O}}_u$ in Grover’s algorithm, it will search for the right key bits: $K_6\left[5\right],K_7[8,5,4,3,1\left(1\right)]$.

According to [8], this key-recovery attack needs a total of

$$n_k+n_{in}\times l+n_{out}\times l$$

(11)

qubits, where $n_k$ is the number of bits of the subkeys to be recovered, $n_{in}$ is the input length of the linear structure function G, $n_{out}$ is the output length of G, and $l=2(n_{in}+\sqrt{n_{in}})$. $n_k=21$, $n_{in}=5$, $n_{out}=4$, and $l\approx 15$. Thus, this attack requires 156 qubits. The time complexity is $\sqrt{2^{21}}=2^{10.5}$.

Consider attacking 8-round MIBS using the same distinguisher. By similar derivation, to compute $P{M}^{-1}\left(R_5\right)\left[5\right]$ based on the ciphertext $(L_8,R_8)$, we need to guess the subkeys

$$K_6\left[5\right],K_7[8,5,4,3,1\left(1\right)],K_8.$$

According to Table 3, $K_8$ has 9 repetitive bits, so there are only 44 bits to be recovered. According to Equation (11), an 8-round key-recovery attack requires 179 qubits. The corresponding time complexity is $\sqrt{2^{44}}=2^{22}$.

By similar derivation, a 9-round attack requires 194 qubits, and the time complexity is $\sqrt{2^{59}}=2^{29.5}$. A 10-round attack requires 199 qubits, and the time complexity is $\sqrt{2^{64}}=2^{32}$. The authors in [25] also presented quantum attacks on MIBS. The time complexity of their 7-round, 8-round, and 9-round attacks is $2^{12}$, $2^{28}$, and $2^{44}$, respectively. The complexity of our attacks proposed in this article is lower.

5. Results and Discussion

In this article, we proposed quantum attacks on the MIBS cipher based on the BV algorithm. Specifically, we first fully utilize the characteristics of the linear transformations of the MIBS cipher to construct a linear-structure function. Then, we use the fact that the BV algorithm can quickly determine whether a function has nonzero linear structures to design a 5-round quantum distinguisher for the MIBS cipher, which can effectively distinguish the encryption of the 5-round MIBS cipher from a random function. Subsequently, by analyzing the key scheduling of the MIBS cipher, we find the repeated bits between round keys. Combined with Grover’s algorithm, we realize a 7-round key-recovery attack on MIBS and generalize the attack to more rounds. The quantum attack on 7-round MIBS requires 156 qubits and has a time complexity of $2^{10.5}$. The 8-round attack requires 179 qubits, and the time complexity is $2^{22}$. Compared with the existing quantum attacks, our attack has the smallest time complexity. We believe this study contributes to evaluating the safety of the MIBS cipher in the quantum world and helps to further explore the "BV-meet-Grover" attack strategy.

For further research, how to reduce the resource consumption and time complexity of the attacks on the MIBS cipher is worth studying. We can also study the applications of the BV algorithm and other quantum algorithms to key-recovery attacks on various block ciphers. Quantum attacks on other symmetric primitives, such as hash functions and stream ciphers, are also a meaningful direction. For example, we can apply the quantum attack strategies introduced in [20,21] to attack other hash functions [26,27]. We can also apply quantum algorithms to enhance the classical attacks on stream ciphers that have been proposed [28,29] or to attack other cryptographic schemes [30,31].