Superposition Attacks on Pseudorandom Schemes Based on Two or Less Permutations

We study quantum superposition attacks against permutation-based pseudorandom cryptographic schemes. We first extend Kuwakado and Morii’s attack against the Even–Mansour cipher and exhibit key recovery attacks against a large class of pseudorandom schemes based on a single call to an n-bit permutation, with polynomial O(n) (or O(n²), if the concrete cost of Hadamard transform is also taken in) quantum steps. We then consider $$ schemes, namely, two permutation-based pseudorandom cryptographic schemes. Using the improved Grover-meet-Simon method, we show that the keys of a wide class of $$ schemes can be recovered with O(n) superposition queries (the complexity of the original is O(n2^n/2)) and O(n2^n/2) quantum steps. We also exhibit subclasses of “degenerated” $$ schemes that lack certain internal operations and exhibit more efficient key recovery attacks using either the Simon’s algorithm or collision searching algorithm. Further, using the all-subkeys-recovery idea of Isobe and Shibutani, our results give rise to key recovery attacks against several recently proposed permutation-based PRFs, as well as the two-round Even–Mansour ciphers with generic key schedule functions and their tweakable variants. From a constructive perspective, our results establish new quantum Q2 security upper bounds for two permutation-based pseudorandom schemes as well as sound design choices.