In the classical world, the XOR of pseudorandom permutations $E_{k_1} \oplus \cdots \oplus E_{k_r}$ for $r \geq 2$ is a well-established way to design a pseudorandom function with “optimal” security: security up to approximately $\min\{|K|, |X|\}$ queries, where $K$ and $X$ are the key and state space of the block cipher $E$. We investigate the security of this construction against adversaries who have access to quantum computers. We first present a key recovery attack of complexity $|K|^{r/(r+1)}$. The attack relies on a clever application of a claw-finding algorithm and attests to a significant gap with the classical setting, where 2 pseudorandom permutations already yield optimal security. Next, we perform a quantum security analysis of the construction and prove that it achieves security up to $\min\{|K|^{1/2}/r, |X|\}$ queries. The analysis relies on a generic characterization of classical and quantum distinguishers and on a universal transformation of classical security proofs to the quantum setting that is of general interest.
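An added illustration of the construction, not code from the paper: toy keyed permutations (seeded shuffles standing in for $E_k$, assumed here and not secure) are XORed as in the abstract, and two classical distinguishers show why $r \geq 2$ is needed and why security is still capped at $|X|$ queries.

```python
import functools
import random
from typing import Callable, List

N_BITS = 8                 # toy block size n; a real block cipher would use n = 128
DOMAIN = 1 << N_BITS       # |X| = 2^n

def prp_from_key(key: int) -> List[int]:
    """Toy stand-in for the block cipher E_k: a keyed permutation of {0,1}^n built by a
    seeded shuffle (assumption for illustration only; NOT a cryptographically secure PRP)."""
    table = list(range(DOMAIN))
    random.Random(key).shuffle(table)
    return table

def xor_of_prps(keys: List[int]) -> Callable[[int], int]:
    """F(x) = E_{k_1}(x) xor ... xor E_{k_r}(x), the construction from the abstract (r = len(keys))."""
    tables = [prp_from_key(k) for k in keys]
    return lambda x: functools.reduce(lambda acc, t: acc ^ t[x], tables, 0)

def random_function(seed: int) -> Callable[[int], int]:
    """The ideal object F is compared against: a uniformly random function on {0,1}^n."""
    rng = random.Random(seed)
    table = [rng.randrange(DOMAIN) for _ in range(DOMAIN)]
    return lambda x: table[x]

def has_output_collision(f: Callable[[int], int], queries) -> bool:
    """Distinguisher 1: a single permutation (r = 1) never repeats an output, whereas a
    random function does (birthday bound). XOR-ing r >= 2 permutations removes this tell."""
    seen = set()
    for x in queries:
        y = f(x)
        if y in seen:
            return True
        seen.add(y)
    return False

def full_domain_xor_sum(f: Callable[[int], int]) -> int:
    """Distinguisher 2: XOR of all outputs over the whole domain. For any permutation of
    {0,1}^n (n >= 2) this is 0, so it is 0 for the XOR of r permutations for every r,
    while a random function gives 0 with probability only 2^-n. This is why security
    cannot exceed |X| queries, matching the |X| term in the min{...} bounds above."""
    acc = 0
    for x in range(DOMAIN):
        acc ^= f(x)
    return acc

if __name__ == "__main__":
    two = xor_of_prps([1, 2])
    print("r=2 collides like a random function:", has_output_collision(two, range(DOMAIN)))
    print("r=2 full-domain XOR sum:", full_domain_xor_sum(two), "random function:", full_domain_xor_sum(random_function(7)))
```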
Mennink, B., & Szepieniec, A. (2017). XOR of PRPs in a quantum world. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10346 LNCS, pp. 367–383). Springer Verlag. https://doi.org/10.1007/978-3-319-59879-6_21