Quantum Cryptanalysis of Symmetric Primitives by Improving Relaxed Variants of Simon's Algorithm

Computing the period of the periodic functions is the main reason of using Simon & rsquo;s algorithm to attack symmetric-key cryptographic primitives. However, if the target function does not satisfy Simon & rsquo;s promise completely or if the number of superposition queries of the adversary is limited, Simon & rsquo;s algorithm cannot compute the actual target period, unambiguously. These problems may lead to the failure of period-finding-based quantum attacks.Our main aim in this paper is to relax Simon & rsquo;s algorithm so that quantum adversaries can still carry out the mentioned attacks without any assumptions (Simon & rsquo;s promise) on the target function. To that end, we use two different methods, each of which is suitable for some of the period-finding-based quantum attacks. In the first method, as a complement to Kaplan & rsquo;s suggestion, we first show that using Simon & rsquo;s algorithm, one can find the proper partial periods of Boolean vector functions so that the probability of their establishment, independent of the target function, is directly related to the number of the attacker & rsquo;s quantum queries. Next, we examine how one can use the partial period instead of the actual one. The advantage of this method is twofold: It enables the attackers to perform the quantum period-finding-based distinguishers with a smaller number of quantum queries than those of the previous relaxation method. On the other hand, it generalizes the previous forgery attacks on modes of operation for message authentication codes. In the second method, we use Grover & rsquo;s algorithm to complement Simon & rsquo;s algorithm in quantum key recovery attacks. This ensures that the time complexity of the mentioned attacks is less than that of a quantum brute-force attack. (c) 2020 ISC. All rights reserved.