Hello, I am Akinori Hosoyamada from NTT Secure Platform Laboratories and Nagoya University. This talk is about dedicated quantum collision attacks on concrete hash functions. This is joint work with Yu Sasaki.

Recently, many post-quantum public-key schemes use hash functions, and they assume that the hash function is post-quantum secure. Our motivation is the following. Suppose a concrete hash function H is collision resistant in the classical setting. Is H also collision resistant against quantum attackers? This is not obvious, so we need dedicated quantum security analysis of concrete hash functions.

First, let me recall what a classical collision attack means. Let H be a concrete hash function with an n-bit output. The classical generic collision attack finds a collision of H with complexity 2^{n/2}, the birthday bound. So a dedicated classical collision attack on H is considered valid only if its complexity is less than 2^{n/2}. Usually, dedicated collision attacks by classical cryptanalysts are based on differential cryptanalysis: we find a differential trail for H and then search for a message pair that follows the trail. The trail is divided into a controlled part and an uncontrolled part. 1. For the controlled part, we can find values that satisfy the trail by using the degrees of freedom of the messages. 2. For the uncontrolled part, the trail is satisfied only probabilistically. Usually the cost of the controlled part is negligible, so the time complexity T of the attack is determined by the differential probability p of the uncontrolled part. That is, T is equal to 1 over p. So, in the classical setting, a dedicated collision attack on a concrete hash function based on differential cryptanalysis is considered to be valid if and only if the differential probability p is greater than the birthday bound 2^{-n/2}.

We consider three quantum settings, depending on the computational resources available to the attacker.

The first setting: a small quantum computer of polynomial size and a large quantum RAM (qRAM) of exponential size are available. In this setting the best generic quantum collision attack is the BHT algorithm, which finds a collision in time 2^{n/3} using qRAM of size 2^{n/3}. This setting is very simple. However, such a large qRAM may not be available in the future.

The second setting: time-space tradeoff. A quantum computer of exponential size S is available, but no qRAM. In this setting the best known generic collision attack is the classical parallel rho method, which finds a collision in time 2^{n/2}/S. Here the unit of time is one evaluation of the target primitive, so the complexity analysis does not depend on the implementation details of the primitive.

The third setting: a small quantum computer of polynomial size and a large classical memory of exponential size are available. In this setting the best generic quantum collision attack is the CNS algorithm, which finds a collision in time 2^{2n/5} using classical memory of size 2^{n/5}.

We analyze our quantum collision attacks in these three quantum settings.

Next, quantum differential cryptanalysis. Suppose a differential Δx → Δy holds with differential probability p. Then, with a quantum computer, we can find a message x that satisfies the differential in time the square root of 1 over p, by Grover search. In the classical setting, we have to spend time 1 over p. So, with quantum computers, we obtain a quadratic speed-up for differential cryptanalysis compared to classical differential cryptanalysis.

Here note that there is a subtle point. For generic collision attacks in the quantum settings, the known upper bounds, that is, the best known algorithms, do not always match the known lower bounds. In this talk we compare our dedicated attacks against the best known generic attacks, that is, against the upper bounds.

Now let us see how the condition on the differential probability p changes in the quantum settings compared to the classical setting. A classical differential-cryptanalysis-based attack is valid if and only if p is greater than 2^{-n/2}. In the first quantum setting, with qRAM, the attack is valid if and only if the square root of 1 over p is less than 2^{n/3}, which is equivalent to p greater than 2^{-2n/3}. So the bound on p decreases from 2^{-n/2} to 2^{-2n/3}. In the second quantum setting, with a quantum computer of size S, a differential-cryptanalysis-based attack is valid if and only if the time complexity, the square root of 1 over p, is less than 2^{n/2}/S, and this is equivalent to the condition that the differential probability p is greater than S^2 times 2^{-n}. Here note that if the size S is very small, then the differential probability p can be very close to 2^{-n}. Similarly, in the third quantum setting the condition on p changes, and now the condition is p greater than 2^{-4n/5}. So again we can use smaller probabilities than the birthday bound in this setting. In summary, the condition on the differential probability changes depending on the setting like this.

Actually this analysis is very rough, because here I am ignoring the cost of the controlled part. Later, when I explain our dedicated quantum attacks, I will also explain details on the cost of the controlled part. Still, from this rough analysis we obtain the following very important observations. First, differential probabilities that are smaller than the birthday bound cannot be used in the classical setting but may be used in the quantum settings. Second, even if a hash function is secure in the classical setting, if there exists a differential trail with probability between 2^{-n/2} and 2^{-2n/3}, it may be broken in the quantum settings.

We developed dedicated quantum attacks based on these observations. Our quantum attacks are quantum versions of the classical rebound attack, so next I explain the classical rebound attack.

The rebound attack is an attack technique for AES-like permutations, such as AES and Whirlpool, based on differential cryptanalysis. Often, concrete hash functions are defined so that the hash value of a message m is equal to m plus E(m), where E is a block cipher like AES. The goal of the rebound attack is to find a message pair (m, m') such that the difference of the messages is equal to the difference of the ciphertexts. If we find such a message pair, then it gives a collision for H. The rebound attack divides the cipher into three parts: the first outer part, the inner part, and the second outer part. It assumes that there exists a differential trail of the following form: there exist truncated differentials Δx and Δy for the inner part that propagate through the outer parts to other truncated differentials Δ0 with probabilities p1 and p2, respectively, and the differences match exactly with probability p0. The differential probability of this trail is p1 times p2 times p0. Based on this assumption, the rebound attack works like this. First, we fix the differences Δx and Δy. Then we compute x, x' and y, y' that satisfy the differential of the inner part; this phase is called the inbound phase. Next we compute m, c, m' and c'. Finally, we check whether the difference of the messages is equal to the difference of the ciphertexts. This equation holds with probability p_out = p0 times p1 times p2. So if we repeat this procedure 1 over p_out times, changing the differences Δx and Δy each time, we obtain a message pair (m, m') that satisfies the equation. This is how the rebound attack works.

For example, this is the differential trail used in the classical rebound attack on 6-round AES. The differential probability is 2^{-56}. The rebound attack is valid in the classical setting because the differential probability is greater than the birthday bound 2^{-64}. For the inbound phase, we use a technique called the Super-Sbox technique. I do not explain the details here, but the important point is that this technique requires a memory of size 2^{32} in the classical setting.

Next I explain our new attacks. Recall that the classical rebound attack repeats the procedure 1 over p_out times. In our attacks we use a quantum version of the rebound attack: by using Grover search, the number of repetitions decreases to the square root of 1 over p_out. We developed quantum attacks on reduced-round versions of AES-MMO and Whirlpool. AES-MMO is a hash function standardized by ZigBee and previously by the IETF; the output length is 128 bits. Whirlpool is a hash function recommended by NESSIE and standardized by ISO/IEC; the output length is 512 bits. In the classical setting, the best collision attacks reach 6 rounds for AES-MMO and 5 rounds for Whirlpool. In our paper, our attack targets are 7-round AES-MMO and 6-round Whirlpool.

Recall that the classical trail for 6-round AES looks like this. Now, this is the new trail we found for 7-round AES. The differential probability is 2^{-80}, which is too small to be used in the classical setting. However, the probability is still greater than 2^{-(2/3)·128}, so we can use this trail in the quantum setting with qRAM.

Next, suppose that we are in the quantum setting with time-space tradeoff. Then we also have to care about the space complexity of the attack. Suppose that the inbound phase can be done with average time complexity X and space complexity S. Then the total time complexity of our attack becomes X times the square root of 1 over p, which is equal to X times 2^{40}. So our attack is valid with respect to the time-space tradeoff only if X times 2^{40} is less than 2^{64}/S. Recall that in the classical setting the inbound phase uses space complexity 2^{32}. However, in the quantum setting with time-space tradeoff, if we use such a large memory the attack becomes invalid. So we have to change the inbound phase. Here we use Grover search to find the values of the Super-Sbox instead of using a large memory of size 2^{32}. Then the average cost X to find a solution becomes about 2^{16}, but the space complexity becomes negligible. The total time complexity of our attack becomes 2^{56}, while the generic attack complexity is about 2^{64}, so our attack becomes valid in the quantum setting with time-space tradeoff.

This is a summary of rebound attacks on 7-round AES-MMO. In the classical setting our differential trail is invalid, because the differential probability is too small to be used in the classical setting. In the first quantum setting, where a small quantum computer of polynomial size and a large qRAM of exponential size are available, a precise analysis shows that the time complexity of our attack becomes 2^{41} or 2^{42}, which is just slightly lower than the generic attack complexity. Nevertheless, our attack is valid in this setting. In the second quantum setting with time-space tradeoff, a precise analysis shows that the time complexity of our attack becomes 2^{59.5} over the square root of S/2^3. When we have a large quantum computer we can decrease the time complexity by parallelizing the Grover search. Our attack is valid if the size S is between 2^3 and 2^6. Finally, in the third quantum setting, where a small quantum computer and a large classical memory are available, our attack becomes invalid.

Next I explain the attacks on Whirlpool. This is the classical trail used in the classical rebound attack on 5-round Whirlpool. The differential probability is 2^{-120}, and the inbound phase, the inner part, consists of two rounds. In the quantum setting we change this differential trail like this: the outer parts and the differential probability are the same as the classical ones, but now the inbound phase, the inner part, consists of three rounds. The three-round inbound phase requires time complexity 2^{160}, but it requires negligible quantum space. The total time complexity of the attack becomes 2^{220}. Now, 2^{220} is bigger than 2^{(1/3)·512}, so this attack is unfortunately invalid in the quantum setting with qRAM. However, the space complexity is relatively small, so this attack is valid in the quantum setting with time-space tradeoff. For the three-round inbound phase we again use a memoryless variant of a classical technique. I do not explain the details, but in the previous technique we have to do some precomputation which requires space of 2^{64}. In the quantum setting we cannot use, or do not want to use, such a large quantum memory. So in the quantum setting, instead of doing such precomputation, we just run Grover search. This increases the time complexity by a factor of 2^{32}, but Grover search requires negligible memory. By using this memoryless variant, our attack becomes valid in the quantum setting with time-space tradeoff.

This is a summary of rebound attacks on 6-round Whirlpool. In the classical setting and in the first quantum setting, with a small quantum computer and a large qRAM, our attack is invalid. However, in the second quantum setting with time-space tradeoff, our attack becomes valid. A precise analysis shows that when a quantum computer of size S is available, the time complexity of our attack becomes 2^{228} over the square root of S/2^8. Our attack is valid if S is between 2^8 and 2^48. Finally, in the third quantum setting, with a small quantum computer plus a large classical memory, our attack becomes invalid.

Concluding remarks. We showed that classical security does not imply quantum security, and that differential trails with too small a probability for the classical setting can still be meaningful for quantum computers. We improved the number of rounds attacked by collision attacks on AES-MMO and Whirlpool. Finally, I want to claim that differential trail search should not stop at the birthday bound, but should consider probabilities down to 2^{-2n/3} or even lower. We should revisit differential trail search activities, because there will be many differential trails that cannot be used in the classical setting but can be used in the quantum settings. That's all. Thank you for your attention.
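The validity conditions stated in the talk (birthday bound classically; BHT, parallel rho and CNS as the generic baselines in the three quantum settings; dedicated cost X times sqrt(1/p)) and the two concrete tradeoff formulas for 7-round AES-MMO and 6-round Whirlpool, worked as a small calculator. This is an added example and not code from the talk or the paper; the generic costs are the ones quoted in the talk, and taking S = 2^b as the lower end of the valid range is an assumption that the quoted time formula 2^a / sqrt(S / 2^b) applies from that size on.

```python
"""Validity of a differential-cryptanalysis-based collision attack per setting.

Added example, not code from the talk or paper.  All costs are log2 values in
units of one evaluation of the target primitive; the generic baselines are the
best known attacks quoted in the talk (birthday, BHT, parallel rho, CNS)."""

N_AES_MMO, N_WHIRLPOOL = 128, 512


def generic_log2_time(setting, n, log2_S=0.0):
    """log2 time of the best known generic collision attack on an n-bit hash."""
    if setting == "classical":
        return n / 2                      # birthday bound, 2^{n/2}
    if setting == "qram":                 # small QC + large qRAM: BHT, 2^{n/3}
        return n / 3
    if setting == "tradeoff":             # QC of size S, no qRAM: parallel rho, 2^{n/2}/S
        return n / 2 - log2_S
    if setting == "classical_memory":     # small QC + large classical memory: CNS, 2^{2n/5}
        return 2 * n / 5
    raise ValueError("unknown setting: %s" % setting)


def dedicated_log2_time(setting, log2_p, log2_X=0.0):
    """Dedicated attack: X evaluations per trial for the controlled (inbound) part,
    1/p trials classically and sqrt(1/p) trials with Grover search."""
    trials = -log2_p if setting == "classical" else -log2_p / 2
    return log2_X + trials


def is_valid(setting, n, log2_p, log2_X=0.0, log2_S=0.0):
    """The attack counts only if it is faster than the generic attack of that setting."""
    return dedicated_log2_time(setting, log2_p, log2_X) < generic_log2_time(setting, n, log2_S)


def rough_log2_p_threshold(setting, n, log2_S=0.0):
    """Smallest usable log2 p when the controlled part is free (X = 1):
    -n/2, -2n/3, -(n - 2 log2 S), -4n/5 for the four settings."""
    g = generic_log2_time(setting, n, log2_S)
    return -g if setting == "classical" else -2 * g


def tradeoff_valid_log2_S_range(n, log2_a, log2_b):
    """Attack time 2^a / sqrt(S / 2^b) beats parallel rho 2^{n/2}/S iff
    sqrt(S) < 2^{n/2 - a - b/2}, i.e. log2 S < n - 2a - b.  The formula is
    quoted for S >= 2^b (assumption), which gives the lower end."""
    return log2_b, n - 2 * log2_a - log2_b


def talk_examples():
    """The numbers quoted for 7-round AES-MMO (p = 2^-80, memoryless inbound X = 2^16)
    and 6-round Whirlpool (p = 2^-120, three-round inbound X = 2^160)."""
    return {
        "aes_mmo": {
            "classical": is_valid("classical", N_AES_MMO, -80),
            "qram_rough": is_valid("qram", N_AES_MMO, -80),
            "tradeoff": is_valid("tradeoff", N_AES_MMO, -80, log2_X=16, log2_S=0),
            "classical_memory": is_valid("classical_memory", N_AES_MMO, -80, log2_X=16),
            "tradeoff_S_range": tradeoff_valid_log2_S_range(N_AES_MMO, 59.5, 3),
        },
        "whirlpool": {
            "qram": is_valid("qram", N_WHIRLPOOL, -120, log2_X=160),
            "tradeoff": is_valid("tradeoff", N_WHIRLPOOL, -120, log2_X=160, log2_S=0),
            "classical_memory": is_valid("classical_memory", N_WHIRLPOOL, -120, log2_X=160),
            "tradeoff_S_range": tradeoff_valid_log2_S_range(N_WHIRLPOOL, 228, 8),
        },
    }


if __name__ == "__main__":
    for name, results in talk_examples().items():
        print(name, results)
```

The rough thresholds reproduce the talk's summary slide, and the two S ranges come out as 2^3..2^6 and 2^8..2^48, matching the precise analyses quoted above.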
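The rebound procedure described in the talk (fix Δx and Δy, solve the inner S-box layer by table lookup in the inbound phase, then check m ⊕ m' = E(m) ⊕ E(m') in the outbound phase, and repeat with new differences), run on a toy. This is an added example, not code from the talk or paper: the 16-bit, 3-round AES-like cipher, its PRESENT S-box, nibble-wise circulant linear layer and round constants are my own assumptions for illustration, nothing here is AES-MMO or Whirlpool, and only the classical repetition loop is shown (the quantum version would replace that loop by Grover search).

```python
"""Toy rebound attack on a 16-bit Matyas-Meyer-Oseas hash.

Constructed example: the 3-round AES-like toy cipher (4 nibbles, PRESENT S-box,
nibble-wise circulant linear layer, fixed round constants) is an assumption made
for illustration; it is not AES or Whirlpool.  The loop below is classical.
"""
from itertools import combinations, product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]
ROUND_CONSTANTS = [(0x1, 0x2, 0x3, 0x4), (0x5, 0x6, 0x7, 0x8), (0x9, 0xA, 0xB, 0xC)]


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def sub(state, box=SBOX):
    """S-box layer applied to each of the four nibbles."""
    return tuple(box[v] for v in state)


def mix(s):
    """Linear layer y_i = x_i ^ x_{i+1} ^ x_{i+2} (indices mod 4); invertible over GF(2)."""
    return tuple(s[i] ^ s[(i + 1) % 4] ^ s[(i + 2) % 4] for i in range(4))


def mix_inv(s):
    """Inverse of mix: x_i = y_i ^ y_{i+2} ^ y_{i+3}."""
    return tuple(s[i] ^ s[(i + 2) % 4] ^ s[(i + 3) % 4] for i in range(4))


def encrypt(m):
    """Fixed-key toy cipher E: three rounds of AddConstant, SubNibbles, Mix."""
    s = m
    for c in ROUND_CONSTANTS:
        s = mix(sub(xor(s, c)))
    return s


def mmo_hash(m):
    """H(m) = E(m) ^ m, so H(m) == H(m') iff m ^ m' == E(m) ^ E(m')."""
    return xor(encrypt(m), m)


# DDT kept as a solution table: (din, dout) -> all v with S(v) ^ S(v ^ din) == dout.
DDT_SOLUTIONS = {}
for _din in range(16):
    for _v in range(16):
        DDT_SOLUTIONS.setdefault((_din, SBOX[_v] ^ SBOX[_v ^ _din]), []).append(_v)


def inbound(delta_in, delta_out):
    """Inbound phase: every input v of the round-2 S-box layer whose pair (v, v ^ delta_in)
    follows delta_in -> delta_out, found by table lookup, not by trial."""
    per_nibble = [DDT_SOLUTIONS.get(pair, []) for pair in zip(delta_in, delta_out)]
    return product(*per_nibble)


def message_from_middle(v):
    """Outbound, backward: undo round 1 given the value v entering round 2's S-box layer."""
    c0, c1, _ = ROUND_CONSTANTS
    return xor(sub(mix_inv(xor(v, c1)), SBOX_INV), c0)


def ciphertext_from_middle(v):
    """Outbound, forward: finish round 2 and apply round 3."""
    _, _, c2 = ROUND_CONSTANTS
    return mix(sub(xor(mix(sub(v)), c2)))


def rebound_collision():
    """Try low-weight (delta_x, delta_y) first, take all inbound solutions for free,
    test the MMO collision condition on each pair, and move on to new differences."""
    trials = 0
    for weight in range(1, 5):
        for support in combinations(range(4), weight):   # a bijective S-box keeps the
            for a_vals, b_vals in product(product(range(1, 16), repeat=weight), repeat=2):
                delta_x, delta_y = [0] * 4, [0] * 4       # same active nibbles in and out
                for i, a, b in zip(support, a_vals, b_vals):
                    delta_x[i], delta_y[i] = a, b
                delta_x, delta_y = tuple(delta_x), tuple(delta_y)
                for v in inbound(delta_x, delta_y):
                    v2 = xor(v, delta_x)
                    m, m2 = message_from_middle(v), message_from_middle(v2)
                    trials += 1
                    if xor(m, m2) == xor(ciphertext_from_middle(v), ciphertext_from_middle(v2)):
                        return m, m2, trials
    return None


if __name__ == "__main__":
    m, m2, trials = rebound_collision()
    print("collision after", trials, "outbound trials:", m, m2, mmo_hash(m), mmo_hash(m2))
```

The point to notice is where the cost goes: each inbound solution costs one table lookup rather than a probabilistic search, so the whole price of the attack is the number of outbound trials, which is the 1/p_out that Grover search reduces to its square root in the quantum version.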