Okay. Hello everybody. My name is Kwang-Guk Kim from Korea. We have four talks in this session. The first one is "Grover meets Simon: quantumly attacking the FX construction" by [authors' names inaudible], but only one of them will give the talk. Thank you very much.

Yes, so welcome back after lunch. So I'll talk about quantum attacks on block ciphers. I'm not going to explain a lot about how quantum computers work. Maybe some of the other people in the session will do that, but I don't know. So, quantum attacks on block ciphers: there are basically two things known, and you will see other applications later in the session. The main known thing certainly is Grover's algorithm, which tells you that basically on a quantum computer you get a quadratic speed-up for brute force. Also known by now, and used in several papers, is Simon's algorithm, which is used for example to break Even-Mansour in linear time. So I'll go through the applications of those briefly.

So what is Grover's algorithm? What does it do? Basically it's a very generic search algorithm. So given a function (this is supposed to be a vector space of dimension n, so just n-bit strings), a Boolean function mapping n-bit strings to a bit, with the promise that there exists a unique x0, an input vector which evaluates to 1. So the function evaluates to 0 all the time except for this one value x0 that you are supposed to find, and you have access to this function f as a black box. So what would you do classically? Just take an input and check if you get a 1 or not, and continue until you finally find this x0. And on a quantum computer the nice thing is you can do this in the square root of the time that you would use on a traditional computer. Grover's algorithm tells you that you can find this x0 using f as an oracle in time 2^(n/2). And later this was generalized to a more general setup where there is maybe not a unique x0 but a set of good states, and you have to find one of them [inaudible].
We'll come back to this later. So I'll be applying this to block ciphers, breaking block ciphers. So if you are given a block cipher which takes a message m and encrypts it under some key k and you get the ciphertext, then you can easily convert the problem of finding the secret key k into this Grover problem by defining a function f of x, where x is now the key, which evaluates to 1 if x maps your given messages to the given ciphertexts. So you will use one or maybe more message-ciphertext pairs and use them to define the predicate. Plugging this into Grover's algorithm, you see that basically on a quantum computer AES-128 can be broken in 2^64 steps.

So what is the other algorithm I mentioned, Simon's algorithm? What does this do? This is basically finding periods of a function f, which now takes as input and output an n-bit string, and you are given the promise that there exists a vector s such that f of x is always equal to f of x plus s, where the plus, throughout my talk, is XOR. So it's like a period, but it's not so interesting as a period because it's all modulo 2, but still. And then using Simon's algorithm you can recover this s in linear time. Originally the requirement was stronger: you needed the mapping f to be 2-to-1, so every output value is taken exactly twice. But it's enough that you know there exists such a period, and then you'll be able to find it. And this was used to break the Even-Mansour cipher, I'll explain in a second how, and then I think last year it was extended to many modes of operation, which is basically the same idea: you make sure that your secret is the period. So how do we apply this to break Even-Mansour, and what is Even-Mansour again?
So Even-Mansour is, if you want, the easiest, the simplest block cipher you can imagine: you just have a public permutation P and two whitening keys, a pre-whitening and a post-whitening key. So this is how the Even-Mansour cipher works, and classically you can prove that it's secure up to the birthday bound. So that's the definition of my block cipher now. And now you can convert this into Simon's problem by defining your function f of x, which should have this period, as the encryption of x (so the block cipher applied to x) plus P of x, where P is this public permutation. And then you do some calculations, and the terms actually cancel. There's only a bracket missing on the slide. So it's not... So if you plug things in, then you see that f of x plus k0 is the same thing as f of x, basically because it's modulo 2 and you get the key k0 twice. So that means you have now defined a function f which has k0, the key you are looking for, as a period, and this means you can actually find it using Simon's algorithm in linear time.

The big drawback is you will need quantum queries for this. I mean, compared to Grover, that's a big difference. Okay, two big differences: it's actually linear time, so it's completely broken, but then you have to use quite a few queries to the encryption function using the secret key that you are actually looking for, and it's debatable how practical this is. One good example where this could actually happen is white-box cryptography. If you have a white-box implementation of AES, it could certainly be implemented on a quantum computer and then queried in superposition. But this already is like: we don't have white-box implementations of AES and we don't have quantum computers, so it does get more realistic. This is how it works again. Okay, so we can break Even-Mansour in linear time. So what's on the right-hand side? Just a closing frame. Ah, okay. Yeah, it's nothing hidden, the obvious missing sign. So now I'm going to come to this.
And the motivation is relatively simple. So what I just explained is: we can break this one using quantum computers faster, and we can break this one using quantum computers faster, and then the question is, what about combining these? And what we're combining those two into will be just this: just replace P by this block cipher, and then you have whitening keys. That's what you use for DES, for example. I mean, an easy way to get rid of the too-small key size of DES is just to use pre- and post-whitening keys, and then this is the construction that you come up with. And again, classically we know this is secure, and we can give some data and time complexity bounds. So that's the FX construction. And the question is, can we break this? Can we also attack this with quantum computers faster than we can classically? Okay. And basically because of the two things I just explained, for one part there would be Simon's algorithm to break it, for the other part Grover's algorithm, so what we have to do is combine those two algorithms. Now we have to have a slightly more detailed look into these quantum algorithms to see if this is possible. Of course it's possible, otherwise this would not have been accepted, but I mean, to see how it works.

So what is Simon's algorithm? I'm not going to go into any details of quantum computers, just the high-level view of what happens. So as I said, you will have to implement this encryption of x plus P of x. For Even-Mansour again, you will have to implement this function in the quantum way, so as a unitary circuit. And then what happens is you run this algorithm, which is depicted here, but I'm not going to explain what it means. And then you're going to measure. Measuring, whatever this means, means basically that your quantum moment stops and it becomes classical. And then what you're going to get, after basically one evaluation of this, is a vector x, an n-bit vector x, a binary vector x, which is orthogonal to the period.
So this is just the inner product. So you get one vector which is orthogonal to the secret k0 you're looking for. So this is one linear equation in your secret, and actually you can show that this x is uniformly chosen from all the values that are orthogonal to k0. And that's some additional... basically it's not unique. So what do you do? Just repeat this until you have enough linear equations to solve the linear system for k0. That's all you need. Of course n plus a little bit, plus a constant, and you'll get, with very high probability, a fully determined system. So this is how Simon's algorithm works in a bit more detail, and the important thing is this measuring.

So how does Grover's algorithm work? Again, here's the picture, and I'm not going to explain the picture, just to have a picture on the slide. So the key feature is that you need some... I mean, this is more general, so that's a generalization of Grover's algorithm. What you need is a quantum algorithm that has some initial success probability. It could be just a uniform distribution over the results, so this doesn't have to be big. It's good if it's big, but it's not important. And then you will have to define an efficient quantum algorithm that decides if it's a good state or a bad state. So what you try to do is amplify the probability that you measure an interesting result. So if you don't know what I'm talking about, this is what we need: we need some efficient algorithm to identify the states we're interested in, because we have to flip the phases, and then what happens at the end is you need running time one over the square root of p repetitions of this algorithm, and you will measure a good state with good probability. So this is the basic idea and the outcome. So now I'm explaining this because I want to explain how we can combine these two things.
So one problem... so we have two problems, or maybe one problem, which is that we're not allowed to measure during all these repetitions of this algorithm. So one initial idea would be to use Simon's algorithm as this inner algorithm. The problem is Simon's algorithm normally measures, and then the whole thing collapses to a classical state and it's broken. So we have to find a way to avoid this measuring while doing Simon's algorithm for finding the period. I mean, the idea is also relatively straightforward. If you remember what happens in Simon's algorithm: you run it once and you get one linear equation in the key. So you have to repeat it n times, n plus something times, to get enough linear equations to solve it, and so instead of doing this sequentially as in traditional Simon, you just do it in parallel, and then again you use linear algebra to compute this key k0, and then you can check against the message-ciphertext pairs and flip the phase. So the basic idea is: run it in parallel and then you can combine.

How much time do I have? [inaudible] It's a question of whether I should do this one. Seven minutes. Okay, so this is important. This is the main result: you can combine these things, and actually the time for breaking this FX construction is the same as if there were no whitening keys. So the whitening keys do not help at all against this type of adversary. Which is interesting, because one of the things we try to do, because of quantum: if you want to make sure you have a good block cipher and you want to make sure it has the same security against quantum, you would like to increase the key size, and one obvious way would be whitening keys, and this result shows this is not the way, because it doesn't help against this type of adversary. Are you interested in more details on the quantum computation? I will briefly explain that. Big point. I think this is seven minutes. So I said you run Simon's algorithm in parallel.
So the next two slides, if you don't know anything about quantum computers, might be a bit hard, but it's only two slides. So what happens if you run Simon's algorithm in parallel: you're going to get some quantum state like this, where this is some coefficient which corresponds to the probability of measuring this state. You have all possible keys k2, which is the key in the middle, all possible guesses for this key if you want, and then you have these s repetitions, and you know that if this first part of your state is the correct one, corresponds to the correct key, then all these values will be orthogonal to the value k0. So if k2' equals k2, then you know they're all going to be orthogonal to k0. So then what do we do next? We just compute the space which is orthogonal to all of them. So if you're in the right case, k2' equals k2, then you know they're all going to be orthogonal to at least our key k0. While in the case where this is a wrong key they're just going to be randomly distributed, and so depending on the choice of s it's very unlikely that there's any vector which is orthogonal to all of them. So we just compute the dimension of this thing, and if the dimension is 0 then this key is wrong, because otherwise there would be the k0 which is orthogonal to all those. If the dimension is larger than 1 then we also say it's a bad state. That might be a mistake, but it's just for simplification: we ignore the ones where this is not of dimension 1. If it has dimension 1 then actually there's one unique element which with good probability is our correct key k0.
So then you have both keys, I mean you have k0 and k2 anyway, so as mentioned there's good probability to get the correct key, and then you check against the message-ciphertext pairs as before. Maybe you're missing k1 here; of course there's a k1, but you can easily avoid it: instead of matching against plaintext-ciphertext pairs directly, you look at differences, and then this last key just vanishes from the equation immediately, and so it's enough to have those two keys to check against the message-ciphertext pairs. So you do this, and if this fits then you say yes, it's good, and you flip the phase, and if not you just leave it the same. And then you have to work out all the details to see that the running time is actually okay, but the basic idea is okay. So the main message is this thing in front of the computer is [inaudible], so whitening keys do not help.

And now the interesting part: let's look at key-alternating ciphers. So what is a key-alternating cipher? Like the XORs of keys and public functions, so this would be like this. So I just said that the whitening keys are not going to help in a quantum way, they don't provide any additional security. So basically if I take this part of the cipher, I'm doing the same thing as taking this, but now this starts with public permutations, so they actually don't buy you any security, so I can avoid those, and then look at this: whitening keys don't buy you any additional security, and then you basically have a polynomial attack on AES, which is just not true. It doesn't work like this, but it looks like... I think it looks like it's up to you to [inaudible] quite a bit. Okay, so that doesn't work like this.

Okay, to conclude, to get further, the topic is worth working on. So I think the most interesting way to continue is to look at this key-alternating cipher, and I don't even know what I should expect. So either this is an attack, not this one which doesn't work, but a correct attack, so it's a good topic to search for a correct attack, or try to prove, as we also know classically we can prove that in a generic setting, so it's also worth trying to prove that it's not [broken], but prove that that was secure, or look at other applications of this Simon and Grover combination. And that's all I want to say.

Secure or not, we have plenty of time. Can you elaborate on why it doesn't work?

As I said, this is up to you to find out. The attack is completely [inaudible], that's the first point where [inaudible]. So maybe why I think... I think it's a natural model to consider, it's quantum CPA if you want, this is basically... but nobody dares to ask questions. Okay.

Yes, there are those simplified versions of the two-round Even-Mansour from yesterday, the case in which you have the same permutation twice, or the case in which you have k, permutation, k and k. Did you look at those simplified versions of round Even-Mansour?

No, I didn't look at those. I tried to look at... I mean, basically now I'm going to say why it doesn't work, I guess. I mean, the basic problem is that you have to just continue like... you have to go over which keys you go over, and then the resulting things should be periodic, and I don't see directly... But I think it's a good idea to start with as simple as possible: all keys the same, different permutations, I guess this doesn't matter too much. Yeah, that's it. Any other? [inaudible] Okay, that's it. Thank you.
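As an added illustration (not part of the talk, and not code from the paper or its authors), the following Python script simulates the Simon step of the Even-Mansour attack the speaker describes, on a constructed 4-bit instance: a random public permutation P, fixed whitening keys K0 and K1, and f(x) = E(x) XOR P(x), which then has K0 as its period. The quantum computer is replaced by an exact state-vector computation of the measurement distribution for one Simon iteration; measurements are sampled from that distribution, the resulting linear equations are solved over GF(2) to recover K0, and K1 follows from one known plaintext/ciphertext pair. All names (`simon_distribution`, `recover_period`, `recover_keys`), the block size N = 4 and the key values are assumptions made for this example.

```python
"""
Classical simulation of the Simon step from the talk: the Even-Mansour cipher
E(x) = P(x ^ k0) ^ k1 and the function f(x) = E(x) ^ P(x), which has period k0.

Everything is constructed for illustration: n = 4 bits, a random public
permutation P, fixed keys, and an exact state-vector computation standing in
for the quantum computer. This is not the authors' code.
"""
import random

N = 4                      # block size in bits, tiny so the 2^(2N) amplitudes stay small
K0, K1 = 0b1011, 0b0110    # constructed secret pre- and post-whitening keys
rng = random.Random(7)     # fixed seed: the run is reproducible


def parity(v):
    """GF(2) inner product once v = a & b: parity of the set bits of v."""
    return bin(v).count("1") & 1


def all_periods(f, n):
    """Brute-force every s with f(x) = f(x ^ s) for all x (fine at toy sizes)."""
    return [s for s in range(1 << n) if all(f(x) == f(x ^ s) for x in range(1 << n))]


def build_instance(n, rng):
    """Pick a public permutation P such that f(x) = E(x) ^ P(x) has k0 as its only nonzero period."""
    while True:
        P = list(range(1 << n))
        rng.shuffle(P)

        def E(x, P=P):
            return P[x ^ K0] ^ K1     # Even-Mansour encryption with the secret keys

        def f(x, P=P):
            return E(x) ^ P[x]        # f(x ^ K0) = P(x) ^ K1 ^ P(x ^ K0) = f(x)

        if all_periods(f, n) == [0, K0]:
            return P, E, f


def simon_distribution(f, n):
    """
    Exact outcome distribution of one Simon iteration.

    After the oracle the state is sum_x |x>|f(x)> / sqrt(2^n).  Hadamards on the
    first register give amplitude (1/2^n) * sum_{x: f(x)=z} (-1)^{x.y} on |y>|z>,
    so Pr[measure y] = sum_z |amp(y, z)|^2.  When y.s = 1 the x and x^s terms
    cancel, which is why only vectors orthogonal to the period are ever observed.
    """
    size = 1 << n
    probs = {}
    for y in range(size):
        amp = {}
        for x in range(size):
            z = f(x)
            amp[z] = amp.get(z, 0.0) + (-1 if parity(x & y) else 1) / size
        probs[y] = sum(a * a for a in amp.values())
    return probs


def gf2_basis(rows, n):
    """Reduce n-bit vectors to an independent basis over GF(2); the rank is its length."""
    pivots = [0] * n                      # pivots[i]: basis vector whose top bit is i
    for r in rows:
        for i in range(n - 1, -1, -1):
            if not (r >> i) & 1:
                continue
            if pivots[i] == 0:
                pivots[i] = r
                break
            r ^= pivots[i]
    return [v for v in pivots if v]


def recover_period(f, n, rng, max_samples=60):
    """Sample Simon outcomes until n-1 independent equations fix the period, then solve."""
    probs = simon_distribution(f, n)
    ys, weights = zip(*probs.items())
    samples = []
    for _ in range(max_samples):
        samples.append(rng.choices(ys, weights=weights)[0])   # one "measurement"
        basis = gf2_basis(samples, n)
        if len(basis) == n - 1:
            # the null space is one-dimensional: its nonzero element is the period
            return next(s for s in range(1, 1 << n)
                        if all(parity(s & b) == 0 for b in basis))
    return None


P, E, F = build_instance(N, rng)


def recover_keys():
    """k0 from Simon on f; k1 then follows from a single known plaintext/ciphertext pair."""
    k0 = recover_period(F, N, rng)
    if k0 is None:
        return None
    k1 = E(0) ^ P[0 ^ k0]
    return k0, k1


if __name__ == "__main__":
    print("recovered (k0, k1) =", recover_keys(), "expected", (K0, K1))
```

Two things are worth noticing when running it: every y with nonzero probability in `simon_distribution` satisfies parity(y & K0) == 0, which is the "one linear equation per measurement" the speaker mentions, and because the outcomes are uniform over that (n-1)-dimensional space, a handful more than n samples suffice to pin down K0. The brute-force `all_periods` check only exists to make the toy instance honest (a random 4-bit permutation can accidentally give f an extra period); at real block sizes neither it nor the state-vector simulation is feasible, which is exactly why the attack needs a quantum computer and superposition queries.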