Breaking LWC candidates: sESTATE and Elephant in quantum setting
Designs, Codes and Cryptography ( IF 1.4 ) Pub Date : 2021-04-30 , DOI: 10.1007/s10623-021-00875-7
Tairong Shi , Wenling Wu , Bin Hu , Jie Guan , Sengpeng Wang

The competition for lightweight cryptography (LWC) launched by the National Institute of Standards and Technology (NIST) is an ongoing project calling for the standardization of lightweight cryptographic algorithms. The Report on Lightweight Cryptography specifically asks that submissions be quantum safe when long-term security is needed. However, this requirement was not included in the “Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process.” Consequently, most candidates, including sESTATE and Elephant, make no claim regarding security against quantum attacks. We propose quantum key-recovery attacks on these two second-round candidates. sESTATE is an authenticated encryption mode inspired by SUNDAE, which was proposed at ToSC 2018. It claims that the adversary can obtain no information about the simplified tweakable block cipher. However, we show that quantum adversaries can extract the internal values, leading to a key-recovery attack on the only recommended scheme, sESTATE_TweAES-128-6, with \(2^{42.3}\) Q2 queries and a time equivalent to \(2^{52}\) AES encryptions. Technically, the attack combines a quantum extracting method with a quantum square attack. For the Elephant mode, which internally uses a permutation masked by linear feedback shift registers (LFSRs), similar to the masked Even-Mansour construction proposed at EUROCRYPT 2016, we mount an attack based on the quantum attack of Bonnetain et al., which relies on Simon’s algorithm without superposition queries together with Grover’s algorithm. Our attack is generic and independent of the internal permutation; hence, we obtain quantum attacks on all instances, with a tradeoff between classical and quantum queries. Remarkably, the attack complexities for both recommended instances are lower than that of the generic quantum key-search attack, which runs in time \({\mathcal {O}}({2}^{|K|/{2}})\) with \({\mathcal {O}}(1)\) queries.




Updated: 2021-04-30