Few quantum cryptanalysis techniques

Abstract

Quantum algorithms like Shor’s and Grover’s algorithms have proven to break several cryptographic schemes theoretically. Shor’s algorithm, which can factor numbers exponentially faster than classical computers, can break asymmetric cryptosystems like RSA. Grover’s algorithm compromises symmetric key ciphers, as it provides asymptotic quadratic speedup for unordered search. However, given the current resource limitations, whether these techniques will be practically realizable is debatable. In this thesis, we aim to show some evidence that quantum can aid cryptanalysis practically. Several studies have been conducted on quantum cryptanalysis of block ciphers like AES etc., but not enough on stream ciphers. ChaCha cipher is a stream cipher with gaining popularity. It has been included in TLS 1.3. We designed a quantum version of the ChaCha cipher with reduced depth. The best classical attack on ChaCha7 is a 2214 operation attack. Most classical attacks on ChaCha use the notion of Input Difference (ID), Output Difference (OD), and Probabilistic Neutral Bits (PNBs). We proposed two quantum algorithms, one to get the best ID-OD pair and the other to get the PNBs. However, the oracle used for PNBs is massive, and amplitude estimation on it would severely blow up the circuit. For a workaround to this, we started exploring other techniques like linear cryptanalysis. Linear cryptanalysis uses linear expressions between input or plaintext (n bits) and output or ciphertext (m bits) bits to attack ciphers. Classically, a linear approximation table of size 2n×2m is used to count the probability of occurrence of each linear expression exhaustively. We developed a quantum algorithm to reduce space and time for the same. Our circuit generates a superposition of all possible linear combinations with amplitudes proportional to respective linear probability biases. Applying multi-distribution amplitude estimation to these states, followed by marking states above a predefined threshold, and retrieving all the marked states, gives us a list of high-probability linear expressions of the cipher. These linear expressions could then be used to launch attacks on the ciphers.