International Association for Cryptologic Research


Transactions on Symmetric Cryptology, Volume 2024

Single-query Quantum Hidden Shift Attacks


Xavier Bonnetain
Université de Lorraine, CNRS, Inria, LORIA, France

André Schrottenloher
Univ Rennes, Inria, CNRS, IRISA, France


Keywords: Quantum cryptanalysis, Quantum Fourier Transform, Authenticated encryption, Boolean hidden shift, Rocca, Tiaoxin, AEGIS


Abstract

Quantum attacks using superposition queries are known to break many classically secure modes of operation. While these attacks do not necessarily threaten the security of the modes themselves, since they rely on a strong adversary model, they help us to draw limits on their provable security. Typically these attacks use the structure of the mode (stream cipher, MAC or authenticated encryption scheme) to embed a period-finding problem, which can be solved with a dedicated quantum algorithm. The hidden period can be recovered with a few superposition queries (e.g., $O(n)$ for Simon's algorithm), leading to state or key-recovery attacks. However, this strategy breaks down if the period changes at each query, e.g., if it depends on a nonce. In this paper, we focus on this case and give dedicated state-recovery attacks on the authenticated encryption schemes Rocca, Rocca-S, Tiaoxin-346 and AEGIS-128L. These attacks rely on a procedure to find a Boolean hidden shift with a single superposition query, which overcomes the change of nonce at each query. This approach has the drawback of a lower success probability, meaning multiple independent (and parallelizable) runs are needed. We stress that these attacks do not break any security claim of the authors, and do not threaten the schemes if the adversary only makes classical queries.
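
Added worked example (not the paper's artifact code, and not a reproduction of its attack on the four schemes): a pure-Python, exact-arithmetic simulation of the classic single-query Fourier-sampling algorithm for a Boolean hidden shift, the building block the abstract refers to. Given a public function f and one superposition query to g(x) = f(x XOR s), the simulation applies a Hadamard transform, a phase correction that depends only on f, and a second Hadamard, then computes the resulting measurement distribution. It shows the trade-off the abstract describes: the run succeeds with probability (sum_y |F(y)|)^2 / 8^n, where F is the Walsh spectrum of f, so it is exactly 1 for a bent f and lower otherwise, and because every run consumes only one query, the hidden shift may change from run to run. The toy functions bent4 and and4, the per-run shift schedule and the classical verification of a candidate are this example's own assumptions.

```python
"""Single-query Boolean hidden-shift recovery, simulated classically with exact integers.

Added illustration, not the paper's artifact code. The quantum state after one
phase-kickback query is sum_x (-1)^g(x) |x> (up to 2^(-n/2)); two Hadamard layers
around a phase correction taken from the public f concentrate amplitude on |s>.
"""
from fractions import Fraction
import random


def wht(vec):
    """Unnormalised Walsh-Hadamard transform: out[y] = sum_x (-1)^<x,y> * vec[x].

    Applying it twice multiplies by 2^n, so everything stays an exact integer and the
    normalisation (8^n for the final probabilities) is applied once at the end.
    """
    a = list(vec)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def walsh_spectrum(f, n):
    """F(y) = sum_x (-1)^(f(x) + <x,y>), computed from the public function f only."""
    return wht([(-1) ** f(x) for x in range(1 << n)])


def measurement_distribution(f, g, n):
    """Simulate one superposition query to g; return {z: Pr[measurement outputs z]}.

    g is evaluated only in the first line, mirroring the single oracle call.
    """
    N = 1 << n
    query = [(-1) ** g(x) for x in range(N)]  # phase state sum_x (-1)^g(x) |x>
    ghat = wht(query)                          # Hadamard: amplitude on |y> is G(y) = (-1)^<s,y> F(y)
    F = walsh_spectrum(f, n)
    corrected = [(1 if F[y] >= 0 else -1) * ghat[y] for y in range(N)]  # phase (-1)^[F(y) < 0]
    W = wht(corrected)                         # second Hadamard: W[z] = sum_y (-1)^<s^z,y> |F(y)|
    return {z: Fraction(W[z] * W[z], 8 ** n) for z in range(N)}


def success_probability(f, n):
    """(sum_y |F(y)|)^2 / 8^n: probability that one run outputs the true shift, for any s."""
    return Fraction(sum(abs(v) for v in walsh_spectrum(f, n)) ** 2, 8 ** n)


def recover_shift(f, n, oracle_for_run, max_runs=64, rng=None):
    """Independent single-query runs, each possibly against a different hidden shift.

    oracle_for_run(i) returns g_i(x) = f(x ^ s_i) for run i; s_i may change between
    runs (the nonce-dependent setting) because no run combines measurements across
    queries. The candidate is checked with classical evaluations of the same g_i,
    which is an assumption of this example only. Returns (s_i, i) for the first
    successful run, or (None, max_runs).
    """
    rng = rng or random.Random(0)
    for i in range(1, max_runs + 1):
        g = oracle_for_run(i)
        zs, ps = zip(*measurement_distribution(f, g, n).items())
        z = rng.choices(zs, weights=[float(p) for p in ps])[0]
        if all(g(x) == f(x ^ z) for x in range(1 << n)):
            return z, i
    return None, max_runs


def bent4(x):
    """x0*x1 + x2*x3 on 4 bits (constructed example): bent, so one run succeeds with probability 1."""
    return ((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1))


def and4(x):
    """AND of 4 bits (constructed example): far from bent, per-run success probability 121/256."""
    return int(x == 0b1111)


if __name__ == "__main__":
    n = 4
    for name, f in (("bent x0x1+x2x3", bent4), ("and of 4 bits", and4)):
        shifts = {}

        def fresh(i, f=f, shifts=shifts):
            shifts[i] = random.Random(i).randrange(1 << n)  # a fresh hidden shift per run
            return lambda x: f(x ^ shifts[i])

        found, runs = recover_shift(f, n, fresh)
        print(f"{name}: Pr[success per run] = {success_probability(f, n)}; "
              f"run {runs} returned s = {found} (true s_{runs} = {shifts[runs]})")
```

The probabilities are exact Fractions, so the Parseval check sum(Pr[z]) == 1 holds identically; for and4 the per-run success rate of 121/256 is why several independent runs are needed, exactly the cost the abstract mentions.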

Publication

Transactions on Symmetric Cryptology, Volume 2024, Issue 3

Paper

Artifact

Artifact number
tosc/2024/a3

Artifact published
September 5, 2025

Badge
IACR FSE Artifacts Functional

README

ZIP (20038 Bytes)

View on Github

License
AGPLv3 This work is licensed under the GNU Affero General Public License version 3.

Some files in this archive are licensed under a different license. See the contents of this archive for more information.

Note that license information is supplied by the authors and has not been confirmed by the IACR.


BibTeX How to cite

Bonnetain, X., & Schrottenloher, A. (2024). Single-Query Quantum Hidden Shift Attacks. IACR Transactions on Symmetric Cryptology, 2024(3), 266-297. https://doi.org/10.46586/tosc.v2024.i3.266-297. Artifact available at https://artifacts.iacr.org/tosc/2025/a3