Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts

Recent results of Kaplan et al., building on previous work by Kuwakado and Morii, have shown that a wide variety of classically-secure symmetric-key cryptosystems are completely broken when exposed to quantum CPA attacks. In such an attack, the quantum adversary has the ability to query the cryptographic functionality in superposition. The vulnerable cryptosystems include the Even-Mansour block cipher, the three-round Feistel network, the Encrypted-CBC-MAC, and many others. In this work, we study simple algebraic adaptations of such schemes that replace (Z/2)n addition with operations over alternate finite groups— such as Z/2n—and provide evidence that these adaptations are secure against quantum CPA attacks. These adaptations furthermore retain the classical security properties (and basic structural features) enjoyed by the original schemes. We establish security by treating the (quantum) hardness of the wellstudied Hidden Shift problem as a basic cryptographic assumption. We observe that this problem has a number of attractive features in this cryptographic context, including random self-reducibility, hardness amplification, and—in many cases of interest—a reduction from the “search version” to the “decisional version.” We then establish, under this assumption, the security of several such hidden-shift adaptations of symmetrickey constructions against quantum CPA attack. We show that a Hidden Shift version of the Even-Mansour block cipher yields a quantumsecure pseudorandom function, and that a Hidden Shift version of the Encrypted CBC-MAC yields a collision-resistant hash function. Finally, we observe that such adaptations frustrate the direct Simon’s algorithmbased attacks in more general circumstances, e.g., Feistel networks and slide attacks.