
Symmetric Cryptography in the Post-Quantum World

Periodic Reporting for period 4 - QUASYModo (Symmetric Cryptography in the Post-Quantum World)

Reporting period: 2022-03-01 to 2023-08-31

QUASYModo's aim was to prepare symmetric cryptography for the arrival of adversaries with access to quantum computers. This was an emerging topic that had not yet been studied in detail, and thanks to QUASYModo it has now gained a lot of attention from the community.
We have worked on understanding and identifying the tools that such adversaries could use, on evaluating the security of existing primitives, and on proposing new ones where needed.

Conclusion: During the last 6 years, QUASYModo has considerably helped to develop the field of quantum-safe symmetric cryptography. During this project, we have produced many pioneering results. The main effect is that the field of quantum symmetric cryptanalysis has emerged, and many more groups worldwide now work on this subject. Related papers are regularly published at the major conferences, and both the Dagstuhl seminar series on quantum cryptanalysis and the one on symmetric cryptography usually tackle the topic. We have concluded that no major problem should appear in general with most of the symmetric primitives in use, but that one should be very careful. It is now common for designers of newly proposed primitives to also take into account the effect of quantum adversaries, and we know that attacks in potentially unrealistic settings, like superposition attacks, can have an effect on much more realistic ones, thanks to the offline Simon attacks.

Thanks to QUASYModo, we understand much better today what effect quantum adversaries would have on symmetric primitives, and we know how to prepare and protect ourselves against this. There is still much work to do and new techniques to discover, as is always the case in cryptanalysis, but our reasoned confidence in symmetric primitives with respect to the quantum world has increased greatly.
During the project we have been able to achieve several interesting results.

Some of our results have been unexpected and surprising, and they have been very encouraging for continuing our work and finding new interesting problems.

I will detail here some of our most important results produced during QUASYModo:

We proposed new, efficient quantum algorithms for solving some generic problems that recur in cryptanalysis, such as collision-finding or k-XOR solving algorithms (published at Asiacrypt 17 and 18); we evaluated and improved Kuperberg's algorithm (Asiacrypt 18), building efficient related attacks and detailing new applications to some existing constructions, such as Poly1305 or some isogeny-based primitives, showing the close link between symmetric and asymmetric cryptanalysis.

We have also generalized, developed and proposed new quantum slide attacks and quantum boomerang attacks, and performed the first extensive analysis of the quantum security of AES, the block cipher standard. These results were published at SAC 2019, SAC 2021, DCC 2023 and TOSC 2019.

In addition, we designed a family of primitives, Saturnin, including a block cipher, AE primitives and a hash function, that offers post-quantum security in the superposition model. We submitted this family to the NIST lightweight competition.


At Asiacrypt 2019 we published a nice and surprising result (later accepted for a plenary presentation at QIP 2020), in a collaboration resulting from Akinori Hosoyamada and Yu Sasaki's visit, where we showed how to use Simon's algorithm in symmetric cryptanalysis without needing to perform superposition queries. This had been an open problem for a while, and the result interested parts of both the cryptographic and the quantum theory communities. Also at Asiacrypt 19, we proposed a result on better understanding S-boxes and avoiding constructions that might contain backdoors.

We had three accepted papers at Eurocrypt 2020: one on a quantum cryptanalysis of an isogeny-based construction, CSIDH, using Kuperberg's algorithms, which showed the close link between symmetric and asymmetric cryptanalysis and how some tools can be used in both scenarios; a second one on optimal merging quantum algorithms for the k-XOR problems, where we analyzed more scenarios and improved our previous results; and a third improving the key-recovery part of linear attacks, one of the two most important families of cryptanalysis.

We received the best paper award at Asiacrypt 2020 for our results on the full-round permutation of the Gimli construction, showing some non-random and unexpected properties both in the classical and in the quantum setting. These results were later extended in a publication in the Journal of Cryptology.

We proposed an efficient one-pass AE construction, QCB, that resists all quantum attacks; a new type of quantum superposition attack, linearization attacks, that uses algorithms other than Simon's; and a new generic framework for improving the key-guessing step of several types of cryptanalysis. These three results were published at Asiacrypt 2021.

We proposed some improvements to differential-linear attacks (published at CT-RSA 2022 and in the Journal of Cryptology), a full break of a newly proposed primitive, SPEEDY (Eurocrypt 2023), and a new family of cryptanalysis: differential meet-in-the-middle attacks.

Finally, we built a construction, QuEME, that allows block ciphers to be safely doubled in the post-quantum world, which we showed to be necessary once collision attacks on internal states are considered. In this work, currently under submission, we analyze previous potential candidates and propose a new quantum attack that combines BHT with Simon, as well as a new safe construction, with a classical proof and a quantum proof that is not tight but shows that the security will not collapse under superposition attacks in the quantum setting.

A list of results and (invited) presentations can be found on the project's website.
We have made considerable progress on all tasks.
We have improved the knowledge of the best generic attacks in both the classical and the quantum setting. We have used this knowledge to evaluate the (quantum) security of the most important related primitives, and have proposed new designs and constructions to cover the identified gaps.

We believe we have motivated the community to work in this field.
Several cryptographic groups have started to work on the subject motivated by our results, which has been extremely encouraging.
No doubt due to the interest of the community in this new topic and in our results, I was invited to give an invited talk at FSE 2019, the invited talk at Eurocrypt 2022, and a tutorial at QCRYPT 2020, as well as to become part of the organization team of the Dagstuhl seminar series in quantum cryptanalysis (2019, 2021, 2023) and symmetric cryptography (2022, 2024).