Security of Key-Alternating Ciphers: Quantum Lower Bounds and Quantum Walk Attacks

Chen Bai, Mehdi Esmaili, Atul Mantri

TL;DR

This paper analyzes the quantum security of $t$-round key-alternating ciphers (KAC) in the Random Permutation Model, focusing on non-adaptive adversaries under two threat models: Q1 (quantum access to the public permutations, classical access to the keyed cipher) and Q2 (fully quantum access to both). It establishes tight non-adaptive quantum lower bounds: $\Omega(2^{\frac{tn}{2t+1}})$ queries in Q1 and a derived $\Omega(2^{\frac{(t-1)n}{2t}})$ bound in Q2, the latter showing that the Q1–Q2 gap collapses for $t \geq 2$ in the non-adaptive setting. Complementing these limitations, the authors present the first non-trivial quantum key-recovery attack for arbitrary $t$-round KAC in Q1, using an MNRS-style quantum walk to achieve a query exponent $\alpha = \frac{t(t+1)}{(t+1)^2+1}$, which beats the classical $O(2^{\frac{tn}{t+1}})$ bound. The results give a comprehensive view of post-quantum security for KACs, showing both intrinsic quantum hardness of distinguishing and a concrete quantum advantage for key recovery in realistic model settings. Together with a discussion of mixed-access models and special-case constructions, the work informs design considerations and future directions for post-quantum symmetric primitives.

Abstract

We study the quantum security of key-alternating ciphers (KAC), a natural multi-round generalization of the Even--Mansour construction. KAC abstracts the round structure of practical block ciphers as public permutations interleaved with key XORs. The $1$-round KAC or EM setting already highlights the power of quantum superposition access: EM is secure against classical and Q1 adversaries (quantum access to the public permutation), but insecure in the Q2 model. The security of multi-round KACs remains largely unexplored; in particular, whether the quantum-classical separation extends beyond a single round had remained open.

1) Quantum Lower Bounds. We prove security of the $t$-round KAC against a non-adaptive adversary in both the Q1 and Q2 models. In the Q1 model, any distinguisher requires $\Omega(2^{\frac{tn}{2t+1}})$ oracle queries to distinguish the cipher from a random permutation, whereas classically any distinguisher needs $\Omega(2^{\frac{tn}{t+1}})$ queries. As a corollary, we obtain a Q2 lower bound of $\Omega(2^{\frac{(t-1)n}{2t}})$ quantum queries. Thus, for $t \geq 2$, the exponential Q1-Q2 gap collapses in the non-adaptive setting, partially resolving an open problem posed by Kuwakado and Morii (2012). Our proofs develop a controlled-reprogramming framework within a quantum hybrid argument, sidestepping the lack of quantum recording techniques for permutation-based ciphers; we expect this framework to be useful for analyzing other post-quantum symmetric primitives.

2) Quantum Key-Recovery Attack. We give the first non-trivial quantum key-recovery algorithm for $t$-round KAC in the Q1 model. It makes $O(2^{\alpha n})$ queries with $\alpha = \frac{t(t+1)}{(t+1)^2 + 1}$, improving on the best known classical bound of $O(2^{\alpha' n})$ with $\alpha' = \frac{t}{t+1}$. The algorithm adapts quantum walk techniques to the KAC structure.

Paper Structure

This paper contains 23 sections, 21 theorems, 103 equations, 2 figures, 1 table.

Key Result

Theorem 2.1

Let $\delta$ be the spectral gap of a graph $G=(V,E)$ and let $\epsilon=\frac{|M|}{|V|}$, where $M$ is the set of marked vertices. Let $\eta=\arcsin(\sqrt{\epsilon})$. There exists a quantum algorithm that can find an element of $M$ with probability at least $1-4\eta^2$. The cost is ${\sf S} +\frac{

Figures (2)

  • Figure 1: A key-alternating cipher, where Boxes represent public permutations $P_i$'s and $\oplus$ is XOR of the input from left with the keys $k_i$'s.
  • Figure 2: Generating potential key candidates from specific inputs to $E$, $P_1$, and $P_2$. The key candidate $\kappa_0 = (\kappa_{00}, \kappa_{01}, \kappa_{02})$ is generated as $(x_{0,1} \oplus x_{1,1}, P_1(x_{1,1}) \oplus x_{2,1}, P_2(x_{2,1}) \oplus E(x_{0,1}))$. Similarly, $\kappa_1 = (\kappa_{10}, \kappa_{11}, \kappa_{12})$ and $\kappa_2 = (\kappa_{20}, \kappa_{21}, \kappa_{22})$ are generated using other sets of inputs. If $\kappa_0 = \kappa_1 = \kappa_2$, the true key $(k_0, k_1, k_2)$ is highly likely.
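To make the Figure 1 construction and the Figure 2 key-candidate derivation concrete, here is an added toy model (not code from the paper): a 2-round KAC over 8-bit blocks with table-based random permutations. The block width, seeds and sample inputs are constructed for illustration; only the KAC equation and the candidate formula $(x_{0} \oplus x_{1},\; P_1(x_{1}) \oplus x_{2},\; P_2(x_{2}) \oplus E(x_{0}))$ come from the page.

```python
import random

N_BITS = 8  # constructed toy block width; the paper's n is the real block size


def random_permutation(n_bits, seed):
    """A public random permutation P on n-bit values, as a lookup table."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table


def kac_encrypt(x, keys, perms):
    """t-round KAC of Figure 1: E(x) = P_t(... P_1(x ^ k_0) ^ k_1 ...) ^ k_t."""
    assert len(keys) == len(perms) + 1
    y = x ^ keys[0]
    for p, k in zip(perms, keys[1:]):
        y = p[y] ^ k
    return y


def key_candidate(x0, x1, x2, E, P1, P2):
    """Figure 2: candidate (k0, k1, k2) from guessed inputs x0 to E, x1 to P_1, x2 to P_2.
    It equals the true key exactly when x1 = x0 ^ k0 and x2 = P_1(x1) ^ k1."""
    return (x0 ^ x1, P1[x1] ^ x2, P2[x2] ^ E(x0))


def candidates_agree(triples, E, P1, P2):
    """Figure 2's consistency check: the common candidate if every triple yields
    the same (k0, k1, k2), otherwise None (the guesses are rejected)."""
    cands = {key_candidate(x0, x1, x2, E, P1, P2) for x0, x1, x2 in triples}
    return cands.pop() if len(cands) == 1 else None


def consistent_triple(x0, keys, P1):
    """Constructed helper: the inputs a guess would have to hit for this x0."""
    x1 = x0 ^ keys[0]
    x2 = P1[x1] ^ keys[1]
    return (x0, x1, x2)


def demo(seed=1):
    """Return (true key, candidate from consistent guesses, candidate from random guesses)."""
    rng = random.Random(seed)
    P1 = random_permutation(N_BITS, seed + 1)
    P2 = random_permutation(N_BITS, seed + 2)
    keys = tuple(rng.randrange(1 << N_BITS) for _ in range(3))  # secret (k0, k1, k2)
    E = lambda x: kac_encrypt(x, keys, [P1, P2])  # the keyed cipher oracle
    good = [consistent_triple(x0, keys, P1) for x0 in (5, 77, 200)]
    bad = [(x0, rng.randrange(256), rng.randrange(256)) for x0 in (5, 77, 200)]
    return keys, candidates_agree(good, E, P1, P2), candidates_agree(bad, E, P1, P2)
```

Consistent guesses reproduce the true key from every triple, while unrelated guesses produce candidates that disagree across triples and are discarded, which is the filter the quantum walk's marked-vertex test relies on.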

Theorems & Definitions (46)

  • Definition 2.1
  • Definition 2.2
  • Theorem 2.1: Quantum walk (for more details, see magniez2007search, bonnetain2023finding)
  • Lemma 2.2
  • Lemma 2.3
  • Lemma 2.4: Trace distance between pure states, single query
  • proof
  • Lemma 2.5: Trace distance between mixed states, single query.
  • proof
  • Lemma 2.6: Triangle Inequality for Multiple Queries
  • ...and 36 more