Quantum key recovery attacks on tweakable Even-Mansour ciphers.

As tweakable block ciphers from public permutations, tweakable Even-Mansour ciphers are widely used in disk sector encryption and data storage encryption. With the rapid improvement of computing power, especially the development of quantum computing technology and quantum computers, the quantum security of tweakable Even-Mansour ciphers should be concerned and studied. This paper focuses on the security of tweakable Even-Mansour ciphers in the quantum setting. For one -round tweakable Even-Mansour cipher, we give its quantum circuit, present a quantum key recovery attack in polynomial time by Simon's algorithm and show the concrete resource estimation. For two -round tweakable Even-Mansour cipher, we present a better quantum key recovery attack by BHT -meets -Simon algorithm than that by Grover -meets -Simon algorithm from a new perspective of variable tweaks and show the concrete resource estimation. Finally, we generalize to r -round tweakable Even-Mansour cipher and present a quantum key recovery attack by combining Grover's algorithm and Simon's algorithm. Our work is of great importance. We use BHT -meets -Simon algorithm to achieve better quantum key recovery attacks than Grover -meets -Simon algorithm for the first time.