Quantum Attacks on Sum of Even–Mansour Construction with Linear Key Schedules

Abstract

Shinagawa and Iwata are considered quantum security for the sum of Even–Mansour (SoEM) construction and provided quantum key recovery attacks by Simon’s algorithm and Grover’s algorithm. Furthermore, quantum key recovery attacks are also presented for natural generalizations of SoEM. For some variants of SoEM, they found that their quantum attacks are not obvious and left it as an open problem to discuss the security of such constructions. This paper focuses on this open problem and presents a positive response. We provide quantum key recovery attacks against such constructions by quantum algorithms. For natural generalizations of SoEM with linear key schedules, we also present similar quantum key recovery attacks by quantum algorithms (Simon’s algorithm, Grover’s algorithm, and Grover-meet-Simon algorithm).

1. Introduction

Since 1981, when Richard Feynman, winner of the Nobel Prize in Physics, proposed the concept of a quantum computer, the research of the quantum computer has deeply influenced the scientific research circle. Classical computers are often attacked by malicious viruses that crash the computer and can lead to personal information being stolen. However, in quantum computers, these problems will not exist because of the quantum no-cloning principle and Heisenberg’s uncertainty principle. Quantum computers have good properties, such as fast running speed, a strong information processing ability, and powerful parallel computing capability. Therefore, quantum computers have great applications in cryptanalysis and other fields. Quantum algorithms are the most important software components of quantum computers to realize quantum computation.

The importance of information security is self-evident. In 2021, there were multiple breaches of sensitive information and cyber attacks, causing a large number of property losses and even endangering personal security and social stability. Modern cryptography is one of the core technologies to protect information security.

The design and analysis of cryptographic schemes that resist quantum computing have become increasingly important. Among them, the public key cryptographic scheme is the typical representative. Difficult mathematical problems of public key cryptography can be solved by efficient quantum algorithms. Therefore, public key cryptographic schemes, such as RSA and ECC, are insecure in the quantum scenario [1]. While, for symmetric cryptographic schemes (such as AES and IDEA), the influence is limited and Grover’s algorithm [2] has been regarded for a long time as the best method to search for the secret key. It is only in recent years that quantum analyses of symmetric cryptographic schemes have made some progress.

Simon’s algorithm [3] is a vital quantum algorithm for the quantum analyses of symmetric cryptographic schemes. Its goal is to efficiently find a period of a period function. It was first utilized to the security analyses of the 3-round Feistel cipher [4] and then extended to the Even–Mansour cipher [5,6], Feistel and its variants [7,8,9,10,11], and the Luby–Rackoff construction [12]. Grover-meet-Simon algorithm [13] was first introduced by Leander and May, and combined Simon’s algorithm and Grover’s algorithm to achieve the key recovery attack against FX-construction. Currently, Simon’s algorithm, Grover’s algorithm, and Grover-meet-Simon algorithm have been extended to the Sum of Even–Mansour construction [14], encryption schemes [15,16,17,18,19,20], hash schemes [21,22,23], message authentication codes (MACs) [18,24], and authenticated encryption schemes [18,25,26]. There exist other quantum algorithms (such as HHL algorithm and BTH algorithm) and relevant quantum cryptanalysis. We will not go into the details here.

Problem Statement. The sum of Even–Mansour (SoEM) construction [14] is built by the exclusive or (XOR) of two instances of Even–Mansour cipher. According to whether the keys or permutations used in the two instances are equal, SoEM is divided into three variants: SoEM1 for the case where permutations used in the two instances are identical, SoEM21 for the case where permutations used in the two instances are independent but keys used in the two instances are identical, and SoEM22 for the case where permutations used in the two instances are independent and keys used in the two instances are independent. They are pseudorandom functions designed by random permutations and designers give security results in the classical scenario.

Shinagawa and Iwata considered the quantum security for SoEM construction, providing quantum key recovery attacks by Simon’s algorithm and Grover’s algorithm, and applied the similar quantum key recovery attacks to natural generalizations of SoEM in [27]. For some variants of SoEM, they found that their quantum attacks are not obvious and left it as an open problem to consider the security of such constructions.

Our Contributions. This paper focuses on the open problem and provides quantum key recovery attacks against such constructions by quantum algorithms. First, we consider a variant of SoEM21 given in Shinagawa and Iwata, which is described as:

$$\begin{array}{c}\hfill C=SoEM{21}_K^{P_1,P_2}\left(M\right)=P_1(M\oplus K)\oplus K\oplus P_2(M\oplus 2·K)\oplus 2·K,\end{array}$$

where $P_1$ and $P_2$ are two public n-bit random permutations, K is an n-bit key, M is a plaintext, and C is the corresponding ciphertext. Here SoEM21 is generated by the XOR-sum of two instances of Even–Mansour cipher with simple key schedules. We prove that this variant is insecure under the quantum scenario and recover its key by quantum algorithms.

Then we consider a generalized construction of SoEM21 with linear key schedules (a linear key schedule means that it is linear with respect to the key ) and rename it as SoEM21L, which is described as:

$$\begin{array}{c}\hfill C=SoEM21L_K^{P_1,P_2}\left(M\right)=P_1(M\oplus a·K)\oplus P_2(M\oplus b·K)\oplus c·K,\end{array}$$

where $a,b,c$ are three integers and $(a,b,c)\ne (0,0,0)$. We also achieve a quantum key recovery attack against SoEM21L by quantum algorithms.

Finally, we consider natural generalizations of SoEM with linear key schedules and present similar quantum key recovery attacks by quantum algorithms (Simon’s algorithm, Grover’s algorithm, and Grover-meet-Simon algorithm).

Organizations of This Paper. Notations and some preliminaries are presented in Section 2. Quantum algorithms are shown in Section 3. In Section 4, we describe quantum key recovery attacks for SoEM21 and SoEM21L. In Section 5, we present natural generalizations of SoEM with linear key schedules and their quantum key recovery attacks. Finally, we present a conclusion in Section 6.

2. Preliminaries

Notations. Given an integer $n\ge 1$, let ${\{0,1\}}^n$ be a set of all strings whose bit-lengths are n, and $Perm\left(n\right)$ be a set of all permutations over ${\{0,1\}}^n$. For any two finite strings $x\in {\{0,1\}}^n$ and $y\in {\{0,1\}}^n$, let $x\oplus y$ stand for their bit-wise XOR.

Finite Field. The finite field $GF\left(2^n\right)$ can be viewed as the set ${\{0,1\}}^n$ and $GF\left(2^n\right)=GF\left(2\right)/\left(f\left(x\right)\right)$, where $f\left(x\right)$ is an irreducible polynomial of degree n over $GF\left(2\right)$. For any integer $0\le a\le 2^n-1$, it can be seen as an n-bit string over $GF\left(2^n\right)$, i.e., $a=a_{n-1}\cdots a_1{a}_0\in {\{0,1\}}^n$, where $a_i\in \{0,1\}$ for $0\le i\le n-1$. It also corresponds to a polynomial with a degree of at most $n-1$ over $\{0,1\}$, i.e., $a\left(x\right)=a_{n-1}{x}^{n-1}+\cdots +a_{1}x+a_0$. For example, 2 (10) corresponds to x, 3 (11) corresponds to $x+1$, and 7 (111) corresponds to $x^2+x+1$. The addition over $GF\left(2^n\right)$ can be defined by the addition of polynomials over $\{0,1\}$ or the bit-wise XOR over ${\{0,1\}}^n$ and the multiplication over $GF\left(2^n\right)$ is defined by the polynomial multiplication over $\{0,1\}$ reduced modulo $f\left(x\right)$, i.e., for any $a,b\in GF\left(2^n\right)$, then $a+b=a\left(x\right)+b\left(x\right)mod2=a\oplus b$ and $a·b=a\left(x\right)·b\left(x\right)$ mod $f\left(x\right)$. Therefore, if $n=128$ and $f\left(x\right)=x^{128}+x^7+x^2+x+1$, then:

$$\begin{array}{cc}\hfill & 2·a=x·a\left(x\right)modf\left(x\right),3·a=(x+1)·a\left(x\right)modf\left(x\right)=2·a\oplus a,\hfill \\ \hfill & 4·a=x^2·a\left(x\right)modf\left(x\right)=2^2·a,5·a=(x^2+1)·a\left(x\right)modf\left(x\right)=2^2·a\oplus a,\hfill \\ \hfill & 6·a=(x^2+x)·a\left(x\right)modf\left(x\right)=2^2·a\oplus 2·a,\hfill \\ \hfill & 7·a=(x^2+x+1)·a\left(x\right)modf\left(x\right)=2^2·a\oplus 2·a\oplus a,\hfill \\ \hfill & 8·a=x^3·a\left(x\right)modf\left(x\right)=2^3·a,...\hfill \\ \hfill & 2^2·a=2·2·a=x^2·a\left(x\right)modf\left(x\right)=4·a,2·3·a=x(x+1)·a\left(x\right)modf\left(x\right)=6·a,...\hfill \\ \hfill & 3^2·a={(x+1)}^2·a\left(x\right)modf\left(x\right)=(x^2+1)·a\left(x\right)modf\left(x\right)=5·a,...\hfill \end{array}$$

Sum of Even–Mansour Construction (SoEM) [14]. SoEM introduced by Chen et al. is a provably secure pseudorandom function in the classical security model. It is built by the XOR of two distinct instances of the Even–Mansour cipher. The specification of SoEM is shown as follows. Let $P_1$ and $P_2$ be two public n-bit permutations. Let $K_1$ and $K_2$ be two n-bit keys. For a plaintext M and the corresponding ciphertext C, SoEM: ${\{0,1\}}^{2n}\times {\{0,1\}}^n\to {\{0,1\}}^n$ can be expressed as:

$$\begin{array}{c}\hfill C=SoE{M}_{K_1,K_2}^{P_1,P_2}\left(M\right)=P_1(M\oplus K_1)\oplus K_1\oplus P_2(M\oplus K_2)\oplus K_2.\end{array}$$

SoEM can be divided into three variants, SoEM1, SoEM21, and SoEM22, according to the number of underlying permutations and keys. SoEM1, SoEM21, and SoEM22 are respectively shown as follows.

SoEM1: The permutations used in the two instances are identical (two instances utilize the same permutation), i.e., $P_1=P_2=P$. Then SoEM1: ${\{0,1\}}^{2n}\times {\{0,1\}}^n\to {\{0,1\}}^n$ can be expressed as:

$$\begin{array}{c}\hfill C=SoEM{1}_{K_1,K_2}^P\left(M\right)=P(M\oplus K_1)\oplus K_1\oplus P(M\oplus K_2)\oplus K_2.\end{array}$$

Note that, in this case, it makes no sense to subdivide again as the same key will make SoEM1 zero.

SoEM21: The permutations used in the two instances are independent but keys used in the two instances are identical, i.e., $K_1=K_2=K$. Then SoEM21: ${\{0,1\}}^n\times {\{0,1\}}^n\to {\{0,1\}}^n$ can be expressed as:

$$\begin{array}{c}\hfill C=SoEM{21}_K^{P_1,P_2}\left(M\right)=P_1(M\oplus K)\oplus P_2(M\oplus K)\oplus K.\end{array}$$

SoEM22: The permutations used in the two instances are independent and keys used in the two instances are independent, i.e., SoEM22 is SoEM. Then SoEM22: ${\{0,1\}}^{2n}\times {\{0,1\}}^n\to {\{0,1\}}^n$ can be expressed as:

$$\begin{array}{c}\hfill C=SoEM{22}_{K_1,K_2}^{P_1,P_2}\left(M\right)=P_1(M\oplus K_1)\oplus K_1\oplus P_2(M\oplus K_2)\oplus K_2.\end{array}$$

3. Quantum Algorithms

This section presents brief descriptions of Simon’s algorithm [3], Grover’s algorithm [2], and the Grover-meet-Simon algorithm [13].

3.1. Simon’s Algorithm

Simon’s algorithm [3] is an algorithm that specializes in solving period finding problem efficiently. The period finding problem is called Simon’s problem which is described as follows:

Period Finding Problem. Given a boolean function $f:{\{0,1\}}^n\to {\{0,1\}}^n$, assume that there exists $s\in {\{0,1\}}^n\setminus \left\{0^n\right\}$, for any $x\ne y\in {\{0,1\}}^n$, such that $f\left(x\right)=f\left(y\right)\iff x\oplus y=s$. The goal is to find the period s.

In the classical algorithm, people solve this problem by searching and finding collisions. The optimal time complexity is $O\left(2^{n/2}\right)$. While, in the quantum algorithm, by Simon’s algorithm, it can be solved in a polynomial time of n (i.e., $O\left(n\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity). The details of Simon’s algorithm are not introduced here. We just need to know that the period finding problem can be solved by Simon’s algorithm with $O\left(n\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity.

3.2. Grover’s Algorithm

Grover’s algorithm [2] is a quantum search algorithm that specializes in solving a search problem efficiently. The search problem is described as follows:

The Search Problem. Given a function $g:{\{0,1\}}^n\to \{0,1\}$, if $x\in {\{0,1\}}^n$ is a solution of the search problem, then $g\left(x\right)=1$, otherwise $g\left(x\right)=0$. The goal is to find the solution x.

In the classical algorithm, people solve this problem by searching this solution. The time complexity is $O\left(2^n\right)$. While, in the quantum algorithm, by Grover’s algorithm, it can be solved in $O\left(2^{n/2}\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity. Grover’s search algorithm improves search complexity exponentially. The details of Grover’s algorithm are not introduced here.

3.3. Grover-Meet-Simon Algorithm

The Grover-meet-Simon algorithm [13] is a quantum asymmetric search of a period algorithm. It combined Grover’s search algorithm with Simon’s algorithm to recover keys. The asymmetric search of a period problem is described as follows:

Grover-meet-Simon Problem. Let $m,n,l$ be three positive integers, $U\subseteq {\{0,1\}}^m$ be a finite set, and $f:{\{0,1\}}^m\times {\{0,1\}}^n\to {\{0,1\}}^l$ be a function which meets that 1) if $u\in U$, then $f(u,·)$ is a period function with period $s_u$; 2) if $u\notin U$, then $f(u,·)$ is an aperiodic function. The goal is to find the search-period pair $(u,s_u)$.

The idea of settling the Grover-meet-Simon problem is to first search $u\in U$ by Grover’s algorithm and then check whether $f(u,·)$ is a period function or not by Simon’s algorithm. If $f(u,·)$ is a period function with period $s_u$, then $(u,s_u)$ is what we need. Therefore, in the quantum algorithm, the Grover-meet-Simon problem can be solved in $O\left(n\right)\times O\left(2^{n/2}\right)=O(n·2^{n/2})$ quantum query complexity and $O\left(n\right)\times O\left(n\right)=O\left(n^2\right)$ qubits memory complexity. The details of the Grover-meet-Simon algorithm are not introduced here.

4. Quantum Attacks against SoEM with Linear Key Schedules

4.1. Quantum Attacks against SoEM21

Shinagawa and Iwata left it as an open problem for the analysis of the security of the following construction [27]:

$$\begin{array}{c}\hfill C=SoEM{21}_K^{P_1,P_2}\left(M\right)=P_1(M\oplus K)\oplus K\oplus P_2(M\oplus 2·K)\oplus 2·K.\end{array}$$

In particular, if $P_1=P_2=P$, then SoEM21 degrades to SoEM11, i.e.,

$$\begin{array}{c}\hfill C=SoEM{11}_K^P\left(M\right)=P(M\oplus K)\oplus K\oplus P(M\oplus 2·K)\oplus 2·K.\end{array}$$

For the above SoEM11 and SoEM21 constructions, we present quantum attacks in Theorems 1 and 2.

Theorem 1.

There exists a quantum key recovery attack against SoEM11 in $O\left(n\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity.

Proof. 

Our proof utilizes Simon’s algorithm. By careful observation of SoEM11, we find that SoEM11 itself is a period function with period $3·K$. To be specific, let $f:{\{0,1\}}^n\to {\{0,1\}}^n$ be a function, which is defined as:

$$\begin{array}{c}\hfill f\left(x\right)=SoEM{11}_K^P\left(x\right)=P(x\oplus K)\oplus P(x\oplus 2·K)\oplus 3·K.\end{array}$$

It follows that,

$$\begin{array}{cc}\hfill f(x\oplus 3·K)& =P(x\oplus 3·K\oplus K)\oplus P(x\oplus 3·K\oplus 2·K)\oplus 3·K\hfill \\ \hfill & =P(x\oplus 2·K)\oplus P(x\oplus K)\oplus 3·K=f\left(x\right),\hfill \end{array}$$

where $K\oplus 2·K=3·K$, $K\oplus 3·K=2·K$, and $3·K\oplus 2·K=K$.

Therefore, f is a period function with period $3·K$. Then, $3·K$ can be derived in $O\left(n\right)$ quantum queries and $O\left(n\right)$ qubits memory complexity to f by Simon’s algorithm. It follows that, $K=3·K/3$ can be recovered. □

Theorem 2.

There exists a quantum key recovery attack against SoEM21 in $O\left(2^{n/2}\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity.

Proof. 

Our proof utilizes Grover’s algorithm. First, we construct a new function $f:{\{0,1\}}^n\times {\{0,1\}}^n\to {\{0,1\}}^n$ as:

$$\begin{array}{cc}\hfill f(k,x)& =SoEM{21}_K^{P_1,P_2}\left(x\right)\oplus P_1\left(x\right)\oplus P_2(x\oplus k)\hfill \\ \hfill & =P_1(x\oplus K)\oplus K\oplus P_2(x\oplus 2·K)\oplus 2·K\oplus P_1\left(x\right)\oplus P_2(x\oplus k)\hfill \\ \hfill & =P_1(x\oplus K)\oplus P_1\left(x\right)\oplus P_2(x\oplus 2·K)\oplus P_2(x\oplus k)\oplus 3·K.\hfill \end{array}$$

By careful observation, we find that if $k=3·K$, then $f(3·K,·)$ is a period function with period K, as:

$$\begin{array}{cc}\hfill f(3·K,x\oplus K)=& P_1(x\oplus K\oplus K)\oplus P_1(x\oplus K)\hfill \\ \hfill & \oplus P_2(x\oplus K\oplus 2·K)\oplus P_2(x\oplus K\oplus 3·K)\oplus 3·K\hfill \\ \hfill =& P_1\left(x\right)\oplus P_1(x\oplus K)\oplus P_2(x\oplus 3·K)\oplus P_2(x\oplus 2·K)\oplus 3·K\hfill \\ \hfill =& f(3·K,x).\hfill \end{array}$$

Therefore, we first search $k=3·K$ by Grover’s algorithm and then verify whether $f(3·K,·)$ is a period function with a period $K=3·K/3$ or not. Therefore, K can be derived in a $O\left(2^{n/2}\right)$ quantum queries to f and $O\left(n\right)$ qubits memory complexity by Grover’s algorithm. □

4.2. Quantum Attacks against SoEM with Linear Key Schedules

We consider a generalized construction of SoEM21 with linear key schedules and rename it as SoEM21L, i.e.,

$$\begin{array}{c}\hfill C=SoEM21L_K^{P_1,P_2}\left(M\right)=P_1(M\oplus a·K)\oplus P_2(M\oplus b·K)\oplus c·K,\end{array}$$

where $a,b,c$ are three integers and $(a,b,c)\ne (0,0,0)$.

In particular, if $P_1=P_2=P$ and $a\ne b$, then SoEM21L degrades to SoEM11L, i.e.,

$$\begin{array}{c}\hfill C=SoEM11L_K^P\left(M\right)=P(M\oplus a·K)\oplus K\oplus P(M\oplus b·K)\oplus c·K.\end{array}$$

For the above SoEM21L and SoEM11L constructions, we present quantum attacks in Theorems 3 and 4.

Theorem 3.

There exists a quantum key recovery attack against SoEM11L in $O\left(n\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity.

Proof. 

Our proof utilizes Simon’s algorithm. By careful observation of SoEM11L, we find that SoEM11L itself is a period function with period $(a\oplus b)·K$. To be specific, let $f:{\{0,1\}}^n\to {\{0,1\}}^n$ be a function, which is defined as:

$$\begin{array}{c}\hfill f\left(x\right)=SoEM11L_K^P\left(x\right)=P(x\oplus a·K)\oplus P(x\oplus b·K)\oplus c·K.\end{array}$$

It follows that,

$$\begin{array}{cc}\hfill f(x\oplus (a\oplus b)·K)& =P(x\oplus (a\oplus b)·K\oplus a·K)\oplus P(x\oplus (a\oplus b)·b\oplus 2·K)\oplus c·K\hfill \\ \hfill & =P(x\oplus b·K)\oplus P(x\oplus a·K)\oplus c·K=f\left(x\right),\hfill \end{array}$$

where $a·K\oplus b·K=(a\oplus b)·K$, $a·K\oplus (a\oplus b)·K=b·K$, and $(a\oplus b)·K\oplus b·K=a·K$.

Therefore, f is a period function with period $(a\oplus b)·K$. Then, $(a\oplus b)·K$ can be derived in polynomial time of n ($O\left(n\right)$ qubits and $O\left(n\right)$ quantum oracle queries to f) by Simon’s algorithm. It follows that, $K=(a\oplus b)·K/(a\oplus b)$ can be recovered. □

Theorem 4.

There exists a quantum key recovery attack against SoEM21L in $O\left(2^{n/2}\right)$ quantum query complexity and $O\left(n\right)$ qubits memory complexity.

Proof. 

Our proof utilizes Grover’s algorithm. We construct a new function $f:{\{0,1\}}^n\times {\{0,1\}}^n\to {\{0,1\}}^n$ as:

$$\begin{array}{cc}\hfill f(k,x)& =SoEM21L_K^{P_1,P_2}\left(x\right)\oplus P_1\left(x\right)\oplus P_2(x\oplus k)\hfill \\ \hfill & =P_1(x\oplus a·K)\oplus P_2(x\oplus b·K)\oplus P_1\left(x\right)\oplus P_2(x\oplus k)\oplus c·K.\hfill \end{array}$$

By careful observation, we find that if $k=(a\oplus b)·K$, then f is a period function with period $a·K$, i.e.,

$$\begin{array}{cc}\hfill f\left(\right(a\oplus b)·K,x\oplus a·K)=& P_1(x\oplus a·K\oplus a·K)\oplus P_2(x\oplus a·K\oplus b·K)\hfill \\ \hfill & \oplus P_1(x\oplus a·K)\oplus P_2(x\oplus a·K\oplus (a\oplus b)·K)\oplus c·K\hfill \\ \hfill =& P_1\left(x\right)\oplus P_2(x\oplus (a\oplus b)·K)\hfill \\ \hfill & \oplus P_1(x\oplus a·K)\oplus P_2(x\oplus b·K)\oplus c·K\hfill \\ \hfill =& f\left(\right(a\oplus b)·K,x).\hfill \end{array}$$

Therefore, for any SoEM21L, we first search $k=(a\oplus b)·K$ by Grover’s algorithm and then verify whether $f\left(\right(a\oplus b)·K,·)$ is a period function with a period $a·K$ or not. It follows that K can be derived in a $O\left(2^{n/2}\right)$ quantum queries to f and $O\left(n\right)$ qubits memory complexity by Grover’s algorithm. □

5. Generalizations and Attacks

Inspired by linear key schedules, this section considers natural generalizations of SoEM1, SoEM21, and SoEM22, and presents quantum key recovery attacks against these constructions.

5.1. Generalizations

We define SoEM1sL, SoEMs1L, and SoEMssL as natural generalizations of SoEM1, SoEM21, and SoEM22 with linear key schedules, respectively. The constructions of them are respectively shown as follows.

Let $s\ge 2$ and $(a_1,a_2,\cdots ,a_s)\ne (0,0,\cdots ,0)$ be integers. Let $P_1,\cdots ,P_s$ be s public n-bit permutations, $K_1,\cdots ,K_s$ be sn-bit keys, M be a plaintext, and C be a ciphertext, then SoEMssL (SoEM with s permutations and s linear keys) is defined as:

$$\begin{array}{cc}\hfill C& =SoEMss{L}_{K_1,\cdots ,K_s}^{P_1,\cdots ,P_s}\left(M\right)\hfill \\ \hfill & =P_1(M\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus P_s(M\oplus a_s·K_s)\oplus a_s·K_s.\hfill \end{array}$$

If $P_1=\cdots =P_s=P$, then SoEMssL will degrade to SoEM1sL which is defined as:

$$\begin{array}{cc}\hfill C& =SoEM1s{L}_{K_1,\cdots ,K_s}^P\left(M\right)\hfill \\ \hfill & =P(M\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus P(M\oplus a_s·K_s)\oplus a_s·K_s.\hfill \end{array}$$

If $K_1=\cdots =K_s=K$, then SoEMssL will degrade to SoEMs1L, which is defined as:

$$\begin{array}{cc}\hfill C& =SoEMs1L_K^{P_1,\cdots ,P_s}\left(M\right)\hfill \\ \hfill & =P_1(M\oplus a_1·K)\oplus \cdots \oplus P_s(M\oplus a_s·K)\oplus a_{s+1}·K,\hfill \end{array}$$

where $a_{s+1}$ is an arbitrary integer.

If $P_1=\cdots =P_s=P$, $K_1=\cdots =K_s=K$, and $a_1\ne a_2\ne \cdots \ne a_s$, then SoEMssL will degrade to SoEM11L, which is defined as:

$$\begin{array}{cc}\hfill C& =SoEM11L_K^P\left(M\right)\hfill \\ \hfill & =P(M\oplus a_1·K)\oplus \cdots \oplus P(M\oplus a_s·K)\oplus a_{s+1}·K,\hfill \end{array}$$

where $a_{s+1}$ is an arbitrary integer.

5.2. Quantum Key Recovery Attacks

Theorem 5.

There exists a quantum key recovery attack against SoEM1sL that obtains the secret key $K_1,\cdots ,K_s$ in $O(n^2+sn)$ qubits and $O(sn·2^{(s-1)n/2})$ quantum queries.

Proof. 

Our attack is based on the Grover-meet-Simon algorithm and is similar with the attack against SoEMss [27]. We consider two functions $g:{\{0,1\}}^{(s-1)n}\times {\{0,1\}}^n\to {\{0,1\}}^n$ and $f:{\{0,1\}}^{(s-1)n}\times {\{0,1\}}^n\to {\{0,1\}}^n$, which are defined as follows.

$$\begin{array}{cc}\hfill g(k_2,\cdots ,k_s,x)=& P\left(x\right)\oplus P(x\oplus a_2·k_2)\oplus \cdots \oplus P(x\oplus a_s·k_s),\hfill \\ \hfill f(k_2,\cdots ,k_s,x)=& SoEM1s{L}_{K_1,\cdots ,K_s}^P\left(x\right)\oplus g(k_2,\cdots ,k_s,x)\hfill \\ \hfill =& P(x\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus P(x\oplus a_s·K_s)\oplus a_s·K_s\hfill \\ \hfill & \oplus P\left(x\right)\oplus P(x\oplus a_2·k_2)\oplus \cdots \oplus P(x\oplus a_s·k_s).\hfill \end{array}$$

If $(k_2,\cdots ,k_s)=(K_2,\cdots ,K_s)$, then $f(K_2,\cdots ,K_s,x)=P(x\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus a_s·K_s\oplus P\left(x\right)$ and $f(K_2,\cdots ,K_s,x)$ is a period function with period $a_1·K_1$. Therefore, by Simon’s algorithm, we can obtain the period $a_1·K_1$. It follows that we recover $K_1=a_1·K_1/a_1$.

Then we utilize Grover’s algorithm to recover $K_2,\cdots ,K_s$. Similar with FX construction and SoEM22, we utilize the Grover-meet-Simon algorithm to find the value of $(k_2,\cdots ,k_s)$ that makes $f(k_2,\cdots ,k_s,x)$ period. If we find a period function, then, at this point, $(k_2,\cdots ,k_s)$ is the secret keys $(K_2,\cdots ,K_s)$ that we need to recover and the period is $a_1·K_1$.

Therefore, for any SoEM1sL, we can construct two functions f and g. By the Grover-meet-Simon algorithm, $(K_1,K_2,\cdots ,K_s)$ can be derived in $O(n^2+sn)$ qubits and $O(sn·2^{(s-1)n/2})$ quantum oracle queries to f and g. □

Theorem 6.

There exists a quantum key recovery attack against SoEMs1L that obtains the secret key K in $O\left(n\right)$ qubits and $O\left(2^{n/2}\right)$ quantum oracle queries.

Proof. 

Our attack is based on Grover’s algorithm and is a generalization of the quantum attack against SoEM21L. We consider a function $f:{\{0,1\}}^n\times {\{0,1\}}^n\to {\{0,1\}}^n$, which is defined as follows.

$$\begin{array}{cc}\hfill f(k,x)=& SoEMs1L_K^{P_1,\cdots ,P_s}\left(x\right)\oplus P_1\left(x\right)\oplus P_2(x\oplus a_2·k)\oplus \cdots \oplus P_s(x\oplus a_s·k)\hfill \\ \hfill =& P_1(x\oplus a_1·K)\oplus \cdots \oplus P_s(x\oplus a_s·K)\oplus a_{s+1}·K\hfill \\ \hfill & \oplus P_1\left(x\right)\oplus P_2(x\oplus a_2·k)\oplus \cdots \oplus P_s(x\oplus a_s·k).\hfill \end{array}$$

By careful observation, we find that if $k=K$, then f is a period function with period $a_1·K$, i.e., $f(K,x\oplus a_1·K)=f(K,x)$.

Therefore, for any SoEMs1L, we first search $k=K$ by Grover’s algorithm and then verify whether $f(K,·)$ is a period function with a period $a_1·K$ or not. It follows that K can be derived in the $O\left(2^{n/2}\right)$ quantum queries to f and $O\left(n\right)$ qubits memory complexity by Grover’s algorithm. □

Theorem 7.

There exists a quantum key recovery attack against SoEMssL that recovers the secret key $K_1,\cdots ,K_s$ in $O(n^2+sn)$ qubits and $O(sn·2^{(s-1)n/2})$ quantum queries.

Proof. 

Our attack is based on the Grover-meet-Simon algorithm and is similar with the attack against SoEMss [27]. We consider two functions $g:{\{0,1\}}^{(s-1)n}\times {\{0,1\}}^n\to {\{0,1\}}^n$ and $f:{\{0,1\}}^{(s-1)n}\times {\{0,1\}}^n\to {\{0,1\}}^n$, which are defined as follows:

$$\begin{array}{cc}\hfill g(k_2,\cdots ,k_s,x)=& P_1\left(x\right)\oplus P_2(x\oplus a_2·k_2)\oplus \cdots \oplus P_s(x\oplus a_s·k_s),\hfill \\ \hfill f(k_2,\cdots ,k_s,x)=& SoEM1s{L}_{K_1,\cdots ,K_s}^{P_1,\cdots ,P_s}\left(x\right)\oplus g(K_2,\cdots ,K_s,x)\hfill \\ \hfill =& P_1(x\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus P_s(x\oplus a_s·K_s)\oplus a_s·K_s\hfill \\ \hfill & \oplus P_1\left(x\right)\oplus P_2(x\oplus a_2·k_2)\oplus \cdots \oplus P_s(x\oplus a_s·k_s).\hfill \end{array}$$

If $(k_2,\cdots ,k_s)=(K_2,\cdots ,K_s)$, then $f(K_2,\cdots ,K_s,x)=P_1(x\oplus a_1·K_1)\oplus a_1·K_1\oplus \cdots \oplus a_s·K_s\oplus P_1\left(x\right)$ and $f(K_2,\cdots ,K_s,x)$ is a period function with period $a_1·K_1$. Therefore, by Simon’s algorithm, we can obtain the period $a_1·K_1$. It follows that we recover $K_1=a_1·K_1/a_1$.

Then we utilize Grover’s algorithm to recover $K_2,\cdots ,K_s$. Similar with FX construction and SoEM22, we utilize the Grover-meet-Simon algorithm to find the value of $(k_2,\cdots ,k_s)$ that makes $f(k_2,\cdots ,k_s,x)$ period. If we find a period function, then $(k_2,\cdots ,k_s)$ is the secret keys $(K_2,\cdots ,K_s)$ and the period is $a_1·K_1$.

Therefore, for any SoEMssL, we can construct two functions f and g. By the Grover-meet-Simon algorithm, $(K_1,K_2,\cdots ,K_s)$ can be derived in $O(n^2+sn)$ qubits and $O(sn·2^{(s-1)n/2})$ quantum oracle queries to f and g. □

6. Conclusions and Future Works

Shinagawa and Iwata left two open problems in their paper and this paper settles one of them. For variants of SoEM, we set up a generalized construction with linear key schedules and found their quantum attacks. This paper also considered natural generalizations of SoEM with linear key schedules and presents quantum key recovery attacks. For non-linear variants, quantum attacks could recover the intermediate state, and then use some new techniques to recover the key. This paper focuses on the intuitive consequences of quantum attacks, so there is no discussion of non-linear variants. Therefore, one of the future works is to discuss the quantum attacks for non-linear variants and to try make quantum attacks for other symmetric cryptographic schemes. Other future works is to settle another open problem.