Post-quantum security on the Lai–Massey scheme

Post-quantum cryptography has attracted much attention from worldwide cryptologists. A growing number of symmetric cryptography algorithms have been analyzed in the quantum settings. Lai–Massey scheme was analysed by Vaudenay in Asiacrypt’99, based on the IDEA block cipher, and widely used in the design of symmetric cryptographic algorithms. In this work, we study the security on the Lai–Massey scheme in the quantum setting, and give a general technique to simulate the XOR of left and right parts of outputs of quantum oracles without destroying quantum entanglements. We show that the 3-round and 4-round Lai–Massey scheme are insecure, which can be distinguished from a random permutation in polynomial time in the quantum chosen-plaintext (qCPA) setting and quantum chosen ciphertext attack (qCCA) setting based on Simon’s algorithm, respectively. We also introduce quantum key-recovery attacks on the Lai–Massey scheme by applying the combination of Simon’s and Grover’s algorithms. For r-round Lai-Massey scheme, the key-recovery query complexity are O(2(r-3)k/2)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O({2^{(r - 3)k/2}})$$\end{document} and O(2(r-4)k/2)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O({2^{(r - 4)k/2}})$$\end{document} in the qCPA and qCCA setting respectively, where k is the bit length of a round sub-key. The query complexities are better than the quantum brute force search by factors 23k/2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${2^{3k/2}}$$\end{document} and 22k\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${2^{2k}}$$\end{document} respectively.