Quantum Differential and Linear Cryptanalysis

Quantum computers, which may become available one day, will impact many scientific fields. Cryptography is certainly one of them, since many asymmetric primitives would become insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, the situation of symmetric primitives, which seem less vulnerable to quantum computing, has received much less attention. We need to prepare symmetric cryptography for the eventual arrival of the post-quantum world, as is being done in other branches of cryptography. Cryptanalysis and security analysis are the only proper way to evaluate the security of symmetric primitives: our trust in specific ciphers relies on their ability to resist all known cryptanalysis tools. This requires a proper investigation of the toolkit of quantum cryptanalysis, which might include radically new attacks. This toolkit has not been much developed so far. In this paper, we study how some of the main cryptanalytic attacks behave in the post-quantum world. More specifically, we consider here quantum versions of differential and linear cryptanalysis. While running Grover's search algorithm on a quantum computer brings a quadratic speedup for brute-force attacks, we show that the situation is more subtle when considering specific cryptanalysis techniques. In particular, we give the quantum version of various classes of differential and linear attacks and show that the best attacks in the classical world do not necessarily lead to the best quantum ones. Some non-intuitive examples of application to the ciphers LAC and KLEIN are provided.