Optimal Merging Trees in Quantum k-xor Algorithms...MAX(sizeoftheoutputlist;MIN(sizeofL 1;sizeofL...

Classical k-xor AlgorithmsQuantum k-xor Algorithms

Merging Trees

Optimal Merging Trees in Quantum k-xorAlgorithms

María Naya-Plasencia2, André Schrottenloher2

Joint work with Lorenzo Grassi1

1 IAIK, Graz University of Technology, Austria2 Inria, France

March 1, 2019

M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 1/44


Merging Trees

Outline

1 Classical k-xor Algorithms

2 Quantum k-xor Algorithms

3 Merging Trees



Merging Trees

Classical k-xor Algorithms



Merging Trees

The Generalized Birthday Problem

k-xor for a random functionLet H : 0, 1n → 0, 1n be a random function, find x1, . . . , xksuch that H(x1)⊕ . . .⊕ H(xk) = 0.

Cryptanalysis: (R)FSB, SWIFFT. . .Applications for ⊕ (bitwise XOR) and modular +

Related: subset-sums, decoding random linear codes, latticeproblems. . .

Camion and Patarin, “The Knapsack Hash Function proposed at Crypto’89can be broken”, 1991

Wagner, “A Generalized Birthday Problem”, 2002M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 4/44


Merging Trees

The 1-xor problem: exhaustive search

Searching x such that H(x) = 0: a preimage of 0. Since H israndom, this requires to query it O (2n) times.

We note the best time complexity of k-xor as O (2αkn). Thenα1 = 1.

If ` > k , `-xor is easier than k-xor: one can fix some elements andrun a k-xor algorithm.



Merging Trees

The 2-xor problem: collision search

Collision searchLet H : 0, 1n → 0, 1n be a random function, find a collision ofH, i.e a pair x1, x2 ∈ 0, 1n such that H(x1) = H(x2).

Classical time and queries: Θ(2n/2)

With 2n/2 queries, we can form 2n pairs, an n-bit collisionoccurs w.h.p., hence α2 = 1

2 .



Merging Trees

The 3-xor problem: a problem

The optimal query complexity is Θ(2n/3): with 2n/3 queries,one forms 2n 3-tuples and expects a 3-xor to zero with highprobability.To date, the best classical time complexity of 3-xor is O

(2n/2

)(logarithmic improvement on collision search): α3 = α2 = 1

2 .



Merging Trees

Classical results for general k

To get a k-xor on n bits:The optimal query complexity is Θ(2n/k)

The time complexity is O(2n/(1+blog2(k)c)

): αk = 1

1+blog2(k)c

The memory complexity is O(2n/(1+blog2(k)c)

). . . with small improvements . . .

Wagner, “A Generalized Birthday Problem”, 2002M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 8/44


Merging Trees

Classical results

5 10 15 200

0.1

0.2

0.3

0.4

0.5

k

αk

αk depending on k

QueriesTime

The complexitiesare O (2αkn)



Merging Trees

The general merging idea

Let L1 and L2 be lists of 2u random values of H. Build L: amongall pairs x1, x2 ∈ L1 × L2, we take the partial collisions on the first ubits.Then:

L contains 2u elements (there are 22u pairs and a u-bitcondition)L can be built in time 2u if L1 and L2 are sorted

This works recursively: from two lists L1, L2 of partial k-xors, wecan obtain a list of 2k-xors on more bits in time:

MAX (size of the output list,MIN (size of L1, size of L2))



Merging Trees

An example with k = 4

1. Query 4 lists of 2n/3 single elements (values of H): time 2n/3

List of 2n/3

elementsList of 2n/3



elements



Merging Trees



2. Merge into two lists of 2n/3 collisions on n/3 bits: time 2n/3

List of 2n/3 collisionson n/3 bits

List of 2n/3


elements


List of 2n/3


elements



Merging Trees



2. Merge into two lists of 2n/3 collisions on n/3 bits: time 2n/3

3. Find a collision between these lists: a single 4-xor of H: time2n/3

Single 4-xoron n bits


List of 2n/3


elements


List of 2n/3


elements



Merging Trees

Classical Merging

Wagner’s algorithm for classical k-xor works in blog2 kc+ 1successive levels:

Level 0 contains lists of 1-xors (single elements)Level i contains lists of 2i -xors

Wagner’s method is optimal among all choices of merging.



Merging Trees

Quantum k-xor Algorithms



Merging Trees

Quantum computing in this talk

The revolting truth about this presentationWhen we have a search, we square-root the search time.

Grover’s algorithmf : 0, 1n → 0, 1 is a test function.We look for x such that f (x) = 1 (there are 2t solutions).We implement f as a quantum circuit.With Grover: O

(2(n−t)/2

)calls to f instead of 2n−t

classically.

Grover, “A Fast Quantum Mechanical Algorithm for Database Search”,1996



Merging Trees

Quantum computing: qRAM

Classical algorithms need often read-and-write access to a RandomAccess Memory.

Quantum algorithms need sometimes read- or write- access toquantum RAM.

Quantum-accessible memoryInstead of querying ai on input i , we query

∑i |i〉 |ai 〉 on input∑

i |i〉 |0〉.



Merging Trees

Previous quantum results on k-xor

To get a k-xor on n bits:The optimal query complexity is Ω(2n/(k+1))

Without qRAM (O (n) qubits), the time complexity for k = 2is O

(22n/5)

With qRAM, the time complexity for k = 2 is O(2n/3

).

For k > 2?

Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash andClaw-Free Functions”, 1998

Belovs and Spalek, “Adversary lower bound for the k-sum problem”, 2013Chailloux, Naya-Plasencia, and S., “An Efficient Quantum Collision Search

Algorithm and Implications on Symmetric Cryptography”, 2017M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 16/44


Merging Trees

Previous quantum results

5 10 15 200

0.1

0.2

0.3

0.4

k

αk

αk depending on k

Quantum queriesQuantum timewith qRAMQuantum timeqRAM-free




Merging Trees

New results (but not the latest!)

5 10 15 200

0.2

0.4

k

αk

Classical timeQuantum timewith qRAMQuantum timeqRAM-free


Grassi, Naya-Plasencia, and S., “Quantum Algorithms for the k -xorProblem” , 2018



Merging Trees

New results

qRAM-free3-xor is exponentially faster than collision search;

k-xor can be solved in time O(2

k+22(2k+1)n

): improvement over

Wagner for k ≤ 7.

With qRAM3-xor is exponentially faster than collision search;k-xor can be solved in time O

(2n/(2+blog2(k)c)

), using

O(2n/(2+blog2(k)c)

)qRAM (instead of O

(2n/(1+blog2(k)c)

)).



Merging Trees

A Naive 2-xor Algorithm

Perform ` arbitrary classicalqueries to H :H(x1), . . . ,H(x`).Search x ∈ 0, 1n such thatH(x) ∈ H(x1), . . . ,H(x`).

Optimal ` = 2n/2:

2n/2 +2n

2n/2



Merging Trees

A Quantum 2-xor Algorithm

Classical:Perform ` arbitrary classicalqueries to H :H(x1), . . . ,H(x`).Search x ∈ 0, 1n such thatH(x) ∈ H(x1), . . . ,H(x`).

Optimal ` = 2n/2:

2n/2 +2n

2n/2

Quantum (BHT):Perform ` arbitrary classicalqueries to H :H(x1), . . . ,H(x`).With Grover, searchx ∈ 0, 1n such thatH(x) ∈ H(x1), . . . ,H(x`).

Optimal ` = 2n/3:

2n3︸︷︷︸

Initial list

+

√2n

2n/3︸︷︷︸2n/3 solutions among 2n

Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash andClaw-Free Functions”, 1998



Merging Trees

Removing qRAM from k-xor algorithms

Assume that we have a list L = x1, . . . x`, known classically, andwant to compute:

|x〉 |0〉 7→ |x〉 |x ∈ L〉 .

With qRAM: build a data structure for L, computemembership in O (log `) qRAM gates;Without qRAM: compare sequentially against elements of L.

We compute:

|x〉 |0〉 7→ |x〉 |(x = x1) ∨ (x = x2) . . . ∨ (x = x`)〉

in time O (`).

Chailloux, Naya-Plasencia, and S., “An Efficient Quantum Collision SearchAlgorithm and Implications on Symmetric Cryptography”, 2017



Merging Trees

qRAM-free k-xor algorithms

Collision: we rewrite BHT (with distinguished points), usingAmplitude Amplification to perform the test lesstimes. The time complexity becomes O

(22n/5).

k-xor: we rewrite BHT, using k− 1 intermediate lists (withspecific form) instead of a single one. The time

complexity becomes O(2

k+22(2k+1)n

).

In particular, at k = 3, we obtain α3 = 514 < α2 = 2

5 : quantumqRAM-free 3-xor is exponentially faster than 2-xor.



Merging Trees

Quantum k-xor with qRAM

3-xor

We obtain O(23n/10): better than quantum collision search.

General kCombining:

Wagner’s method (successive lists of i-collisions withincreasing zero prefixes)A quantum walk on the Johnson graph

We obtain a general time speedup.



Merging Trees

(Previous) open questions

qRAM-free: is there a more general speedup to find for k-xor?With qRAM: the point k = 3 differ from the general,Wagner-like behavior. Are there other improvements for othervalues of k?



Merging Trees

(Previous) open questions

qRAM-free: is there a more general speedup to find for k-xor?

With qRAM: the point k = 3 differ from the general,Wagner-like behavior. Are there other improvements for other

values of k?



Merging Trees

Merging Trees



Merging Trees

Latest results (with qRAM)

5 10 15 200

0.1

0.2

0.3

0.4

0.5

k

αk

PreviousClassicalNew




Merging Trees

Latest results (qRAM-free)

5 10 15 200

0.1

0.2

0.3

0.4

0.5

k

αk





Merging Trees

Back to classical merging

Some lists in the tree never need to be stored in memory; they canbe made implicit.



List of 2n/3


elements


List of 2n/3


elements



Merging Trees

Rephrasing the classical 4-xor algorithm


Any collisionon n/3 bits

Any elementList of 2n/3

elements



elements



Merging Trees

Merging with implicit lists


List of 2n/3


elements

Before:Two lists of 2n/3 elements(random queries to H)

⇓22n/3 pairs⇓

2n/3 pairs with n/3-bit collision

In time 2n/3 (sorted lists).



Merging Trees

Merging with implicit lists



elements

After:A single list of 2n/3 elements

⇓Query H on the fly

⇓Each query yields 2n/3 pairs

⇓An n/3-bit collision

In time 2n/3 (sorted list).



Merging Trees

Implicit merging (ctd.)

In this tree, each explicit list is built in time 2n/3.




elements



elements



Merging Trees

Merging at the root


2n/3 collisionson n/3 bits


Before:Two lists of n/3-bit collisions

⇓22n/3 n/3-bit 4-xors

⇓One n-bit 4-xor

In time 2n/3 (sorted lists).



Merging Trees

Merging at the root




After:A single list of n/3-bit collisions

⇓Produce n/3-bit collisions on the fly

⇓Each yields 2n/3 4-tuples

⇓After 2n/3 trials, a n-bit 4-xor

In time 2n/3 (sorted list).



Merging Trees

Partial collisions on the fly



elements

A single list of 2n/3 elements⇓

Query H on the fly⇓

Each query yields 2n/3 pairs⇓

An n/3-bit collision

In time 1 (sorted list).



Merging Trees

In this example

Explicit (intermediate) lists are built in time 2n/3

The last 4-xor is built by trying 2n/3 partial collisions. . . or trying 2n/3 elementswe can use Grover in the last step: time 2n/6

. . . we should balance the tree: at total time 2n/4 in thisexampleNo quantum walk anymore!



Merging Trees

In this example


The last 4-xor is built by trying 2n/3 partial collisions

. . . or trying 2n/3 elementswe can use Grover in the last step: time 2n/6




Merging Trees

In this example


The last 4-xor is built by trying 2n/3 partial collisions. . . or trying 2n/3 elements

we can use Grover in the last step: time 2n/6




Merging Trees

In this example






Merging Trees

In this example



. . . we should balance the tree: at total time 2n/4 in thisexample

No quantum walk anymore!



Merging Trees

In this example






Merging Trees

Merging trees and MILP

Using MILP with the above tree:

Tree structure is givenVariables: sizes of the lists, their costs (in log2), prefixesLinear relations and constraints between themAn overall time complexity to minimize

The computation model (qRAM, low-qubits, classical . . . ) onlychanges the constraints.

MILP for k-xor is not new: Minder and Sinclair used it whenrestricting the domain size.

Minder and Sinclair, “The Extended k-tree Algorithm”, 2012M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 36/44


Merging Trees

Finding optimal trees: experiments

There are lots of choices, not only binary trees.

We wrote a linear program, used the SCIP solver, tried all possibletrees for k up to 20. At this point the pattern was becoming clear.

We improved 3-xor with qRAM (a better merging)We did not improve low-qubits 3-xor: the (small) tree wasalready optimal



Merging Trees

MILP results (with qRAM)

5 10 15 200

0.1

0.2

0.3

0.4

0.5

k

αk





Merging Trees

MILP results (qRAM-free)

5 10 15 200

0.1

0.2

0.3

0.4

0.5

k

αk





Merging Trees

Theorem – with qRAM

TheoremIf k ≥ 2 and κ = blog2(k)c, the best merging-tree quantum timeexponent is

αk =2κ

(1 + κ)2κ + k.

Many trees give this time complexity, but one is obtained by usingan “almost” binary tree.

It contains some 3-xors (3-way merge) at the second-to-lowestlevel.



Merging Trees

Theorem – qRAM-free

TheoremIf k > 2, k 6= 3, 5 and κ = blog2(k)c, the best merging-treequantum time exponent is:

αk = 1κ+1 if k < 2κ + 2κ−1 or αk = 2

2κ+1 if k ≥ 2κ + 2κ−1

Many trees give this time complexity, but one is obtained by usingan “almost” binary tree.



Merging Trees

Multicollisions

Orthogonal problem: looking for an `-tuple x1, . . . , x` suchthat H(x1) = . . . = H(x`).Build successive lists of i-collisionsClassical time: Θ

(2

`−1`

)Quantum time: Θ

(2

2`−1−12`−1

)

Liu and Zhandry, “On Finding Quantum Multi-collisions”, 2018Hosoyamada, Sasaki, and Xagawa, “Quantum Multicollision-Finding

Algorithm” , 2017M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms 42/44


Merging Trees

Multicollisions (ctd.)

A hidden constraint: list i must contain at least (`−1)!(i−1)!

i-collisions.MILP also helps.

10 20 300

0.5

1

`

α`

ClassicalWith qRAMqRAM-free

The complexitiesare c2α`×128



Merging Trees

Conclusion

We found the optimal merging trees for quantum k-xorWe don’t use quantum walks anymore (analysis is easier)All of this works when replacing ⊕ by +

Future work (ongoing)

Find the best quantum (and classical?) time-memory tradeoffs;Extend to other crypto applications;Extend to approximate problems.


Thank you.

M. Naya-Plasencia, A. Schrottenloher Quantum k-xor Algorithms

Optimal Merging Trees in Quantum k-xor Algorithms...MAX(sizeoftheoutputlist;MIN(sizeofL 1;sizeofL...

Documents

Transcript of Optimal Merging Trees in Quantum k-xor Algorithms...MAX(sizeoftheoutputlist;MIN(sizeofL 1;sizeofL...