Quantum Linear Key-Recovery Attacks Using the QFT

Abstract

The Quantum Fourier Transform is a fundamental tool in quantum cryptanalysis. In symmetric cryptanalysis, hidden shift algorithms such as Simon’s, which rely on the QFT, have been used to obtain structural attacks on some very specific block ciphers. The Fourier Transform is also used in classical cryptanalysis, for example in FFT-based linear key-recovery attacks introduced by Collard et al. (ICISC 2007). Whether such techniques can be adapted to the quantum setting has remained so far an open question.

In this paper, we introduce a new framework for quantum linear key-recovery attacks using the QFT. These attacks loosely follow the classical method of Collard et al., in that they rely on the fast computation of a correlation state in which experimental correlations, rather than being directly accessible, are encoded in the amplitudes of a quantum state. The experimental correlation is a statistic that is expected to be higher for the good key, and on some conditions, the increased amplitude creates a speedup with respect to an exhaustive search of the key. The same method also yields a new family of structural attacks, and new examples of quantum speedups beyond quadratic using classical known-plaintext queries.

A Appendix: Bounding Fourier Coefficients

Lemma 10

Let \(f_i~: \{0,1\}^n \rightarrow \{-1,1\}\), \(1 \le i \le M\) be a family of independent random functions. With probability at least 0.99, it holds that:

$$\begin{aligned} \forall z, \forall i, |\widehat{f_i}(z)| \le 2^{n/2} \sqrt{6 (\ln 100 + (n+1) \ln 2 + \ln M )} . \end{aligned}$$

(40)

Proof

Let \(f~: \{0,1\}^n \rightarrow \{-1,1\}\) be a random function. We want to bound the maximum of its Fourier coefficients: \(\max _z |\widehat{f}(z)|\).

We consider each coefficient separately, although they are not independent. For each z, \(\widehat{f}(z)\) is a random variable over f equal to: \(2 \textrm{Bin}(2^n, 1/2) - 2^n = 2\left( \textrm{Bin}(2^n, 1/2) - 2^{n-1} \right) \). We use a Chernoff bound:

$$\begin{aligned} \forall \delta , \forall z, \textrm{Pr}_f( | \textrm{Bin}(2^n, 1/2) - 2^{n-1} | \ge \delta 2^{n-1})&\le 2 \exp \left( \frac{-\delta ^2 2^n }{6} \right) \\ \textrm{Pr}_f( |\widehat{f}(z)| \ge \delta 2^n )&\le 2 \exp \left( \frac{-\delta ^2 2^n }{6} \right) \\ \implies \forall \delta , \forall z, \textrm{Pr}_f( |\hat{f}(z)| \ge \delta \sqrt{2^n })&\le 2 \exp \left( \frac{-\delta ^2}{6} \right) \\ \implies \forall \delta , \textrm{Pr}_f( \exists z, |\hat{f}(z)| \ge \delta \sqrt{2^n })&\le 2^{n+1} \exp \left( \frac{-\delta ^2}{6} \right) . \end{aligned}$$

We find a value of \(\delta \) for which this probability is smaller than 1/100:

$$\begin{aligned} \ln (2^{n+1}) - \frac{\delta ^2}{6} \le - \ln 100 \implies \delta \ge \sqrt{6 (\ln 100 + (n+1) \ln 2) } . \end{aligned}$$