Quantum attacks against iterated block ciphers

Abstract: We study the amplification of security against quantum attacks provided by iteration of block ciphers. In the classical case, the Meet-in-the-middle attack is a generic attack against those constructions. This attack reduces the time required to break double iterations to only twice the time it takes to attack a single block cipher, given that the attacker has access to a large amount of memory. More abstractly, it shows that security by composition does not achieve exact multiplicative amplification. We present a quantized version of this attack based on an optimal quantum algorithm for the Element Distinctness problem. We then use the generalized adversary method to prove the optimality of the attack. An interesting corollary is that the time-space tradeoff for quantum attacks is very different from what classical attacks allow. This first result seems to indicate that composition resists better to quantum attacks than to classical ones because it prevents the quadratic speedup achieved by quantizing an exhaustive search. We investigate security amplification by composition further by examining the case of four iterations. We quantize a recent technique called the dissection attack using the framework of quantum walks. Surprisingly, this leads to better gains over classical attacks than for double iterations, which seems to indicate that when the number of iterations grows, the resistance against quantum attacks decreases.