We study the security of key-alternating ciphers (KAC), a generalization of Even-Mansour ciphers to multiple rounds, which serve as abstractions for many block cipher constructions, particularly AES. While the classical security of KAC has been extensively studied, little is known about its security against quantum adversaries. In this paper, we introduce the first nontrivial quantum key-recovery attack on multi-round KAC in a model where the adversary has quantum access to only one of the public permutations. Our attack applies to any $t$-round KAC, achieving quantum query complexity of $O(2^{\frac{t(t+1)n}{(t+1)^2+1}})$, where $n$ is the size of each individual key, in a realistic quantum threat model, compared to the classical bound of $O(2^{\frac{tn}{t+1}})$ queries given by Bogdanov et al. (EUROCRYPT 2012). Our quantum attack leverages a novel approach based on quantum walk algorithms. Additionally, using the quantum hybrid method in our new threat model, we extend the Even-Mansour lower bound of $\Omega(2^{\frac{n}{3}})$ given by Alagic et al. (EUROCRYPT 2022) to $\Omega(2^{\frac{(t-1)n}{t}})$ for the $t$-round KAC (for $t \geq 2$).
Translation: This paper studies the security of key-alternating ciphers (KAC). KAC is the generalization of the Even-Mansour cipher to multiple rounds and serves as an abstract model for many block cipher constructions, in particular AES. Although the classical security of KAC has been studied extensively, its security against quantum adversaries remains unclear. This paper presents the first nontrivial quantum key-recovery attack on multi-round KAC in a model where the adversary has quantum access to only a single public permutation. The attack applies to any $t$-round KAC and, in a realistic quantum threat model, achieves a quantum query complexity of $O(2^{\frac{t(t+1)n}{(t+1)^2+1}})$ (where $n$ is the bit length of each individual key), whereas the classical query-complexity lower bound given by Bogdanov et al. (EUROCRYPT 2012) is $O(2^{\frac{tn}{t+1}})$. Our quantum attack uses a new approach based on quantum walk algorithms. In addition, applying the quantum hybrid method in the new threat model, we extend the Even-Mansour lower bound $\Omega(2^{\frac{n}{3}})$ given by Alagic et al. (EUROCRYPT 2022) to $\Omega(2^{\frac{(t-1)n}{t}})$ for $t$-round KAC ($t \geq 2$).
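As an added consistency check (not part of the abstract), one can compare the three exponents stated above. Writing the attack cost as $2^{\alpha(t) n}$, the classical bound as $2^{\beta(t) n}$ and the lower bound as $2^{\gamma(t) n}$, with

$$
\alpha(t) = \frac{t(t+1)}{(t+1)^2+1}, \qquad
\beta(t) = \frac{t}{t+1}, \qquad
\gamma(t) = \frac{t-1}{t},
$$

the quantum attack always beats the classical bound, since

$$
\alpha(t) < \beta(t) \iff t(t+1)^2 < t\big((t+1)^2 + 1\big) \iff 0 < t,
$$

and the stated lower bound never exceeds the attack's cost, since

$$
\gamma(t) < \alpha(t) \iff (t-1)\big((t+1)^2+1\big) < t^2(t+1) \iff t^3 + t^2 - 2 < t^3 + t^2 .
$$

Concretely, for $t = 1, 2, 3$ the exponents are $\alpha = \frac{2}{5}, \frac{3}{5}, \frac{12}{17}$ against $\beta = \frac{1}{2}, \frac{2}{3}, \frac{3}{4}$, and for $t = 2, 3$ the lower-bound exponents are $\gamma = \frac{1}{2}, \frac{2}{3}$. The gap $\alpha(t) - \gamma(t)$ is where the attack and the lower bound are not yet tight; as $t \to \infty$ all three exponents approach $1$, so the quantum advantage over the classical bound shrinks with the number of rounds.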