Quantum differential cryptanalysis to the block ciphers

Hong-Wei Li1,2,3,4 , Li Yang1,3∗

1.State Key Laboratory of Information Security, Institute of Information Engineering,
Chinese Academy of Sciences, Beijing 100093, China
arXiv:1511.08800v1 [quant-ph] 27 Nov 2015

2.School of Mathematics and Statistics, Henan Institute of Education,

Zhengzhou,450046,Henan, China
3.Data Assurance and Communication Security Research Center, Chinese Academy of
Sciences, Beijing 100093, China
4.University of Chinese Academy of Sciences, Beijing 100049, China

Abstract
Differential cryptanalysis is one of the most popular methods in attacking
block ciphers. However, there still some limitations in traditional differential
cryptanalysis. On the other hand, researches of quantum algorithms have
made great progress nowadays. This paper proposes two methods to apply
quantum algorithms in differential cryptanalysis, and analysis their efficien-
cies and success probabilities. One method is using quantum algorithm in
the high probability differential finding period for every S-Box. The second
method is taking the encryption as a whole, using quantum algorithm in this
process.
Keywords: differential cryptanalysis, quantum algorithm,
Bernstein–Vazirani algorithm

1. Introduction
Differential cryptanalysis plays a central role in attacking modern crypto
systems, especially in block ciphers [1]. Now, this method has been developed
to various forms, such as truncated differential attack [2] and impossible
differential attack [3]. However, current ciphers (such as AES) were designed
along the wide trail strategy to resist differential cryptanalysis. On the other
hand, quantum computation based on quantum mechanics has been built up,

∗
Corresponding author email: yangli@iie.ac.cn
and has shown great speedups over classical computation in some areas. It
is thus conceivable to use quantum algorithms in differential cryptanalysis.
Deutsch and Jozsa [4] presented a quantum algorithm to distinguish a
balanced Boolean function from a constant function efficiently without error,
which first show exponential speedup over classical algorithm. Using the
same network as the above algorithm, Bernstein and Vazirani [5] gave a
quantum algorithm to identity linear functions. Later, Simon [6] suggested
a quantum algorithm for finding the period of a Boolean function. Inspired
by Simon’s algorithm, Shor [7] discovered polynomial-time algorithms for
factoring integers and solving discrete logarithms. Different from the above
algorithms which rely on some promises of the problems, Grover’s algorithm
[8] searches a target element in an unsorted database and shows a quadratic
speedup over the classical one.
In recent years, researches of quantum algorithm mainly focus on devel-
opments of the above mentioned algorithms. For example, there are quantum
tests for whether a function has some properties or -far from it [9–11], and
there are also quantum algorithms for learning of Boolean functions [9, 12],
but still with a promise that the Boolean functions belong to a small special
set. Meanwhile, there are quantum polynomial algorithms to approximate
some problems [13–15]. Amongst these algorithms, [15] gave an efficient al-
gorithm to find some high probability differentials of a Boolean function. In
[16], the authors gave quantum related-key attacks based on Simon’s algo-
rithm.

Our contributions.. Inspired by [15, 16], using the result in [15], and com-
bining with the classical differential cryptanalysis approach, we investigated
the differential cryptanalysis based on quantum algorithm and gave quantum
algorithms to implement the differential cryptanalysis.

In contrast to previous works.. In [17], the authors gave properties of

an S-box and proposed a classical automatic approach to find (related-key)
differential characteristics. Regarding the quantum differential cryptanaly-
sis methods, one must mention [18], which presented a quantum differential
cryptanalysis based on the quantum counting and searching algorithms, and
obtained a quadratic speedup over classical one. Their quantum algorithm is
used after the time that the differential characteristics has been found. Con-
trary to the above works, our quantum algorithms are to find the differential
characteristics.

2
2. Preliminaries
In this section, we give some preliminaries and notations, which will be used
in the following sections.
Let F : {0, 1}m → {0, 1}n be a multi-output Boolean function with
input x = (x1 , x2 , · · · xm ) and output y = (y1 , y2 , · · · yn ), where m, n are
both positive integers. Let F (x0 ) = y 0 and F (x00 ) = y 00 , then 4x = x0 ⊕ x00
and 4y = y 0 ⊕ y 00 are called the input difference and output difference,
respectively, where ⊕ is the bit-wise exclusive-OR. Hence,

4x = (4x1 , 4x2 , · · · 4xm ),

and
4y = (4y1 , 4y2 , · · · 4yn ),
where 4xi = x0i ⊕ x00i and 4yi = yi0 ⊕ yi00 . The pair (4x, 4y) is called a
differential.
A differential characteristic is composed of input and output differences,
where the input difference to one round is determined by the output difference
of the last round.

2.1. Classical differential cryptanalysis

Differential cryptanalysis is a chosen-plaintext attack. It is usually used to
attack various block ciphers. Roughly speaking, differential cryptanalysis is
composed by two procedures:
1. Find some high probability differential characteristics.
2. According to the differential characteristics which have been found,
test possible candidate subkey, then recover the key of the cryptosystem.
In this paper, our quantum algorithm is used at the first process. While
in [18], their quantum algorithm was at the second stage.

2.2. The Bernstein–Vazirani algorithm

Before showing the Bernstein–Vazirani algorithm, we first give the following
definition:
Definition 1 For a Boolean function f : {0, 1}m → {0, 1}, the Walsh
transform of f is
1 X
Sf (w) = m (−1)f (x)+w·x (1)
2 x∈F m
2

for all w ∈ F2m .

3
Definition 2 For a Boolean function f : {0, 1}m → {0, 1}, define the
transform
Uf |xi|yi = |xi|y + f (x)i. (2)
note that Uf is unitary.
Now let us illustrate the Bernstein–Vazirani algorithm.
1. Input the initial state |ψ0 i = |0i⊗m |1i, then do the Hadamard transform
H ⊗(m+1) , the result is
X |xi |0i − |1i
|ψ1 i = √ · √ . (3)
x∈F m
2m 2
2

2. Evaluate f by using Uf , giving

X (−1)f (x) |xi |0i − |1i
|ψ2 i = √ · √ . (4)
2 m 2
x∈F m
2

3. Execute the Hadamard transform H ⊗(m) on the first qubit of |ψ2 i, we

have
X 1 X
f (x)+y·x |0i − |1i
|ψ3 i = m
(−1) |yi · √
y∈F m
2 x∈F n 2
2 2
X |0i − |1i
= Sf (y)|yi · √ . (5)
y∈F2m
2

If we measure the first m qubit in the computational basis, we will obtain y

with probability Sf2 (y).

2.3. Results after running the Bernstein–Vazirani algorithm

In this section, we show that we will get some high probability differentials
after running the Bernstein–Vazirani algorithm several times.
Theorem 1 [15] For a Boolean function f : {0, 1}m → {0, 1}, let p =
p(m) be a polynomial of m. Assuming one has run the Bernstein–Vazirani
algorithm p times, and has obtained a set S. Solving the linear systems of
equations S · X = 0 and S · X = 1 respectively gives two sets A0 and A1 .
Then ∀a ∈ Ai (i = 0, 1), ∀, 0 <  < 1,
|{x ∈ F2m |f (x ⊕ a) + f (x) = i}|
 
2
Pr 1 − m
<  > 1 − e−2p , (6)
2
where Pr(E) denotes the probability of the event E happens.

4
3. Quantum algorithm to execute differential cryptanalysis
Assume the plaintexts and the ciphertexts of the block cipher we would attack
are of length k = lm, and every S-box is a map F from {0, 1}m to {0, 1}n ,
where m, n, l are all positive integers. In the following we give two technics
to implement quantum differential cryptanalysis.

3.1. The first method

For every S-Box F , let F = (f1 , . . . , fn ), where each fj (j = 1, . . . , n) is a
Boolean function {0, 1}m to {0, 1}. For every fj , run the Bernstein–Vazirani
algorithm p = p(m) times, and laterTsolveTa linear T system of equations to get
A0j and A1j . If there exists a ∈ Ai11 Ai22 . . . Ainn , where ij ∈ {0, 1}, j =
1, 2, . . . , n, then (a, i1 i2 . . . in ) is a high probability differential.

Algorithm 1.
Input: An S-Box F = (f1 , . . . , fn ).
Output: Some high probability differentials of each fj (j = 1, 2, . . . , n).
1 Let H := ∅, A := ∅, where ∅ is the empty set.
2 for j = 1, 2, . . . , n do
3 for p = 1, 2, . . . , p(m) do
4 Run the Bernstein–Vazirani algorithm, and get an n-bit output
w;
5 Let H := H ∪ {w}
end
6 Solve the equations HX = 0 and HX = 1 to get A0j and A1j ,
respectively.
7 Output A0j and A1j .
end

After running the Algorithm 1, we obtain Aij (j = 1, 2, . . . , n; i = 0, 1).

In the following, we will analyse these sets to get some high probability
differentials of a S-Box F .
We may choose first the p(m) = cm (where c is a constant and c ≥ 2) in
Algorithm 1, since this can make every vector a in Aij (j = 1, 2, . . . , n; i =
0, 1) satisfy
|{x ∈ F2m |fj (x ⊕ a) + fj (x) = i}| 1
>
2m 2
with high probability according to [15].

5
 In other words, for any vector a in Aij (j = 1, 2, . . . , n; i = 0, 1), (a, i) is
a differential of fj with the probability more than uniform distribution.
If most of the Aij (j = 1, 2, . . . , n; i = 0, 1) have a great deal of vectors
(for example, a half of the whole), then we will choose p(m) to be more large
(for example, p(m) = m2 ). The purpose of doing this is to prevent |Aij |
(where |A| denotes the cardinality of a set A) from being too large.
Otherwise we execute the following algorithm to find some high proba-
bility differentials of F .

Algorithm 2.
Input: Aij (j = 1, 2, . . . , n; i = 0, 1).
Output: Some high probability differentials of F .
1 for each a ∈ Ai11 (i1 = 0, 1) do
2 for j = 2, . . . , n do
3 for ij = 0, 1 do
i
4 if a ∈ Ajj then
(xa , ya ) := (a, i1 . . . ij )
end
end
5 else if a ∈ / A0j and a ∈
/ A1j then
(xa , ya ) := (0, 0)
goto 6
end
6 Output (xa , ya )
end

The outputs of Algorithm 2 will be some vectors like (a, i1 . . . in ) or

(0, 0). Those non-zero vectors are the high probability differentials that we
are looking for, which will be used to construct differential characteristics.
For convenience, let A be the set of these non-zero vectors.
Next, complete the remaining works just as the classical differential crypt-
analysis do.

Analysis of the first method.. Now, let us see the efficiency of the first
method.
In Algorithm 1, the time of running the Bernstein–Vazirani algorithm (in
order to evaluate the function F ) is np(m), and the time needed to solve the

6
system of linear equations is nq(m) (where q(m) is another polynomial of
m). So the total time of Algorithm 1 is np(m) + nq(m).
The maximum time of running the Algorithm 2 is O(2n ). In fact, this
upper bound may be a little rough, because for some a ∈ Ai11 (i1 = 0, 1), they
may be not in A0j and A1j , where the j is much less than n.
Next, let us consider the success probability of the first method.
The vectors (a, i1 . . . in ) ∈ A obtained by Algorithm 2 all satisfy the in-
equality (6) for every ij and corresponding fj (j = 1, 2, . . . , n). The number
of x satisfying
|{x ∈ F2m |fj (x ⊕ a) + fj (x) = ij }|
=1− (7)
2m
for two different j = j1 and j = j2 is at least 2(1 − ) − 1 = 1 − 2. From (6)
and (7), we can know that
|{x ∈ F2m |F (x ⊕ a) + F (x) = i1 . . . in }|
 
2
Pr m
> 1 − n > (1 − e−2p )n . (8)
2
From the above inequality (8), we see that if  = c11n (where c1 ≥ 2 is a
constant), p = c22 = c2 c21 n2 (where c2 ≥ 1 + ln2n is also a constant), then
2 1
(1 − e−2p )n ≥ (1 − e−2c2 )n ≥ 1 − ne−2c2 ≥ 1 − (9)
e2
In summary, let p = max{p(m), c2 c21 n2 }, after a total time of np+nq(m)+
O(2n ), we will get a set A constituted by vectors like (a, i1 . . . in ), which
satisfy
|{x ∈ F2m |F (x ⊕ a) + F (x) = i1 . . . in }|
 
1 1
Pr m
>1− > 1 − 2 . (10)
2 c1 e
As compared to the above quantum algorithm, the classical algorithm
need 2m+n times computation to give the difference distribution table, from
which one can easily know some high probability differentials. Generally
speaking, the S-Box used in a block cipher is not large, i.e., m and n are
both small, so 2m+n is very small too. In other words, evaluation of the
difference distribution table is very efficient, our quantum algorithm does
not show much speedup over the classical algorithm. However, that provide
a new approach to the problem, and may throw light on some other questions.
The above method only focuses on each S-Box. In the following, we will
give another method. The difference is it will focus on the entire process of
the encryption.

7
3.2. The second method
Recall that the difficulty in the differential cryptanalysis is to construct
high probability differential characteristics. And in the classical differential
cryptanalysis, high probability differential characteristics are unambiguously
given, from which S-Box to which S-Box. In fact, the purpose of doing that is
to find which input differences will probably lead to which output differences.
In the following, we will give a quantum algorithm to complete this.
Assume G : {0, 1}k → {0, 1}k is a function which maps the plaintext
x to the input y of the last round under a secret key K. Certainly, G can
be written as G = (g1 , g2 , . . . , gk ). Assume also there is a polynomial-size
quantum circuit to evaluate G.

The Method 2. will be composed of the following procedures.

At first,. run an algorithm similar to Algorithm 1. Nevertheless, the input

to the algorithm is G instead of F , the outputs are some high probability
differentials Bj0 and Bj1 of each gj (j = 1, 2, . . . , k).

Secondly,. operate an algorithm similar to Algorithm 2. The differences

are the inputs, the procedures and the outputs. The inputs are Bj0 and Bj1
(j = 1, 2, . . . , k). The procedures do not include line 5. The outputs will be
some high probability differentials B = {(b, ij1 · · · ijt )}, where j1 , · · · , jt ∈
{1, 2, . . . , k} and j1 < · · · < jt .
The reason why we delete line 5 is that the purpose of Algorithm 2 is
to find out some shared differentials of all fj (j = 1, 2, . . . , n). If a ∈ / A0j
and a ∈ / A1j for a j, then a must not their shared differential. At this time,
breaking out of the loop is for saving time. what we do in the second method
is to find some differentials of part gj (j = 1, 2, . . . , k) sharing.

Thirdly,. determine the subkey in the last round according to the differen-
tials obtained.

Analysis of the second method.. Let us consider the time complexity. In

the first and second procedures, the running time are all polynomial of k. The
time of the last procedure is determined by the high probability differentials
we have obtained. If the probabilities of the differentials are very high, this
method would probably succeed by using much less time. The superiority of
this approach is that it avoid finding concrete high differential characteristics.

8
4. Discussions and Conclusions
Because high probability differential characteristics are independent of the
subkey of every round, we can construct an efficient quantum circuit to find
some of them. This paper proposes two methods for applying quantum
algorithms to differential cryptanalysis. Although the first method does not
show much speedup over classical method because the total number of the
differences of an S-Box is not very large in practice, and the analysis of the
second method is not very elaborate, these two methods give us a new clue
to resolute the problem. Maybe they can be used in some ciphers and show
much more speedups over classical approaches.

Acknowledgments.
This work was supported by the National Natural Science Foundation of
China under Grant No.61173157.

References
[1] Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosys-
tems. Journal of Cryptology 4(1), 3–72 (1991)

[2] Knudsen, L.R.: Truncated and higher order differentials. In: Preneel,
B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg
(1995)

[3] Biryukov, A.: Impossible differential attack. In: Encyclopedia of Cryp-

tography and Security, pp. 597–597. Springer (2011)

[4] Deutsch, D. and Jozsa, R.: Rapid solution of problems by quantum com-
putation. In Proceedings of the Royal Society of London, volume A 439,
553–558 (1992)

[5] Bernstein, E. and Vazirani, U.: Quantum complexity theory. In: Pro-
ceedings of the 25th Annual ACM Symposium on theory of computing,
ACM Press, New York, 11–20 (1993)

[6] Simon, D. R.: On the Power of Quantum Computation. SIAM Journal

on Computing 26, 1474–1483 (1997)

9
[7] Shor, P. W.: polynomial-time Algorithm for Prime Factorization and
Discrete logarithms on Quantum Computer. SIAM Journal on Comput-
ing 26, 1484–1509 (1997) A primary version appeared in FOCS 124–134
(1994)
[8] Grover, L. K.: Quantum mechanics helps in searching for a needle in a
haystack. Phys. Rev. Lett. 79(2), 325–328 (1997)
[9] Atici, A., Servedio., R.: Quantum algorithms for learning and testing
juntas. Quantum algorithms for learning and testing juntas. Quantum
Information Processing, 6(5): 323-348 (2009)
[10] Chakraborty, S., Fischer, E., Matsliah, A., Wolf., R. d.: New Results on
Quantum Property Testing. FSTTCS 145-156 (2010)
[11] Hillery, M., Anderson, E.: Quantum tests for the linearity and permu-
tation invariance of Boolean functions, Phys. Rev. A 84, 062326 (2011).
[12] Floess, D., Andersson, E., Hillery, M.: Quantum algorithms for testing
and learning Boolean functions, Math. Struct. Comp. Science vol.23, 386-
398 (2013)
[13] Aharonov, D., Jones, V., Landau, Z.: A Polynomial Quanum Algorithm
for Approximating the Jones Polynomial, Algorithmica 55:395-421 (2009)
preliminary version in Proc.38th Annual ACM Symp. on Theory of Com-
put. STOC 427-436 (2006)
[14] Nakajima, Y., Kawano, Y., Sekigawa, H.: Efficient quantum circuits for
approximating the Jones polynomial, Quantum Inf. and Comput., Vol.
8, No.5 pp. 489-500. (2008)
[15] Li, H. W. and Yang L.: A quantum algorithm to approximate the lin-
ear structures of Boolean functions. arXiv:1404.0611v2 [quant-ph] 20 Jan
(2015)
[16] Roetteler, M., Steinwandt, R.: A note on quantum related-key attacks,
Information Processing Letters 115, 40–44 (2015)
[17] Sun, S. W., Hu, L., Wang, P., Qiao, K. X., Ma, X. S., Song, L.: Auto-
matic Security Evaluation and (Related-key) Differential Characteristic
Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other
Bit-Oriented Block Ciphers, in: ASIACRYPT, 158–178 (2014)

10
[18] Zhou, Q., Lu, S. F., Zhang, Z. G., Sun, J.: Quantum differential crypt-
analysis. Quantum Inf Process. 14(6), 2101-2109 (2015)

11