Low-Communication Parallel Quantum Multi-Target Preimage Search
نویسندگان
چکیده
The most important pre-quantum threat to AES-128 is the 1994 van Oorschot–Wiener “parallel rho method”, a low-communication parallel pre-quantum multi-target preimage-search algorithm. This algorithm uses a mesh of p small processors, each running for approximately 2/pt fast steps, to find one of t independent AES keys k1, . . . , kt, given the ciphertexts AESk1(0), . . . ,AESkt(0) for a shared plaintext 0. NIST has claimed a high post-quantum security level for AES-128, starting from the following rationale: “Grover’s algorithm requires a longrunning serial computation, which is difficult to implement in practice. In a realistic attack, one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic.” NIST has also stated that resistance to multi-key attacks is desirable; but, in a realistic parallel setting, a straightforward multi-key application of Grover’s algorithm costs more than targeting one key at a time. This paper introduces a different quantum algorithm for multi-target preimage search. This algorithm shows, in the same realistic parallel setting, that quantum preimage search benefits asymptotically from having multiple targets. The new algorithm requires a revision of NIST’s AES128, AES-192, and AES-256 security claims.
منابع مشابه
An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography
The cryptographic community has widely acknowledged that the emergence of large quantum computers will pose a threat to most current public-key cryptography. Primitives that rely on order-finding problems, such as factoring and computing Discrete Logarithms, can be broken by Shor’s algorithm ([50]). Symmetric primitives, at first sight, seem less impacted by the arrival of quantum computers: Gr...
متن کاملOn quantum preimage attacks
We propose a preimage attack against cryptographic hash functions based on the speedup enabled by quantum computing. Preimage resistance is a fundamental property cryptographic hash functions must possess. The motivation behind this work relies in the lack of conventional attacks against newly introduced hash schemes such as the recently elected SHA-3 standard. The proposed algorithm consists o...
متن کامل(Chosen-multi-target) preimage attacks on reduced Grøstl-0
The cryptographic hash function Grøstl is a finalist in the NIST’s SHA-3 hash function competition and it is a tweaked variant of its predecessor called Grøstl-0, a second round SHA-3 candidate. In this article, we consider 256-bit Grøstl-0 and its 512-bit compression function. We show that internal differential trails built between the two almost similar looking permutations of the compression...
متن کاملPreimage Attack on Parallel FFT-Hashing
Parallel FFT-Hashing was designed by C. P. Schnorr and S. Vaudenay in 1993. The function is a simple and light weight hash algorithm with 128-bit digest. Its basic component is a multi-permutation which helps in proving its resistance to collision attacks. In this work we show a preimage attack on Parallel FFT-Hashing with complexity 2 + 2 and memory 2 which is less than the generic complexity ...
متن کاملCommunication Issues in Designing Cooperative Multi-Thread Parallel Searches
Roughly speaking, parallel local search techniques can be divided into three categories: low-level parallelization strategies (e.g., master-slave schemes), solution-space partitioning methods and multi-thread procedures in which several processes explore concurrently the same search space. The multi-thread technique can be further subdivided into independent and cooperative search thread algori...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2017 شماره
صفحات -
تاریخ انتشار 2017