Post-quantum security on the Lai–Massey scheme
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2023-04-29, DOI: 10.1007/s10623-023-01225-5
Zhongya Zhang, Wenling Wu, Han Sui, Bolin Wang

Post-quantum cryptography has attracted much attention from cryptologists worldwide. A growing number of symmetric cryptographic algorithms have been analyzed in the quantum setting. The Lai–Massey scheme, which is based on the IDEA block cipher, was analysed by Vaudenay at Asiacrypt’99 and is widely used in the design of symmetric cryptographic algorithms. In this work, we study the security of the Lai–Massey scheme in the quantum setting, and give a general technique to simulate the XOR of the left and right parts of the outputs of quantum oracles without destroying quantum entanglement. We show that the 3-round and 4-round Lai–Massey schemes are insecure: based on Simon’s algorithm, they can be distinguished from a random permutation in polynomial time in the quantum chosen-plaintext (qCPA) setting and the quantum chosen-ciphertext attack (qCCA) setting, respectively. We also introduce quantum key-recovery attacks on the Lai–Massey scheme by combining Simon’s and Grover’s algorithms. For the r-round Lai–Massey scheme, the key-recovery query complexities are \(O({2^{(r - 3)k/2}})\) and \(O({2^{(r - 4)k/2}})\) in the qCPA and qCCA settings, respectively, where k is the bit length of a round sub-key. These query complexities are better than quantum brute-force search by factors of \({2^{3k/2}}\) and \({2^{2k}}\), respectively.

Updated: 2023-04-29