XOR of PRPs in a Quantum World

In the classical world, the XOR of pseudorandom permutations Ek1 ⊕ · · · ⊕ Ekr for r ≥ 2 is a well-established way to design a pseudorandom function with “optimal” security: security up to approximately min{|K|, |X|} queries, where K and X are the key and state space of the block cipher E. We investigate security of this construction against adversaries who have access to quantum computers. We first present a key recovery attack in |K| complexity. The attack relies on a clever application of a claw-finding algorithm and testifies of a significant gap with the classical setting where 2 pseudorandom permutations already yield optimal security. Next, we perform a quantum security analysis of the construction, and prove that it achieves security up to min{|K|/r, |X|} queries. The analysis relies on a generic characterization of classical and quantum distinguishers and a universal transformation of classical security proofs to the quantum setting that is of general interest.