QCB is Blindly Unforgeable

  • Conference paper
Codes, Cryptology and Information Security (C2SI 2023)

Abstract

QCB is a proposal for a post-quantum secure, rate-one authenticated encryption with associated data scheme (AEAD) based on classical OCB3 and \(\varTheta \)CB, which are vulnerable against a quantum adversary in the Q2 setting. The authors of QCB prove integrity under plus-one unforgeability, whereas the proof of the stronger definition of blind unforgeability has been left as an open problem. After a short overview of QCB and the current state of security definitions for authentication, this work proves blind unforgeability of QCB. Finally, the strategy of using tweakable block ciphers in authenticated encryption is generalised to a generic blindly unforgeable AEAD model.

References

  1. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 489–519. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_16

  2. Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27

  3. Beierle, C., et al.: Alzette: a 64-bit ARX-box. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 419–448. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_15

  4. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)

  5. Bhaumik, R., Bonnetain, X., Chailloux, A., Leurent, G., Naya-Plasencia, M., Schrottenloher, A., Seurin, Y.: QCB: efficient quantum-secure authenticated encryption. IACR Cryptol. ePrint Arch. 2020, 1304 (2020)

  6. Bhaumik, R., Nandi, M.: Improved security for OCB3, November 2017. https://doi.org/10.1007/978-3-319-70697-9_22, https://eprint.iacr.org/2017/845.pdf

  7. Biryukov, A., Khovratovich, D.: PAEQ: parallelizable permutation-based authenticated encryption. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 72–89. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_5

  8. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35

  9. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

  10. Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A.: Quantum linearization attacks. Cryptology ePrint Archive, Report 2021/1239 (2021)

  11. Bossert, J., List, E., Lucks, S., Schmitz, S.: Pholkos – efficient large-state tweakable block ciphers from the AES round function. In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 511–536. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_21

  12. Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160–207 (2020). https://doi.org/10.13154/tosc.v2020.iS1.160-207, https://tosc.iacr.org/index.php/ToSC/article/view/8621

  13. Doosti, M., Delavar, M., Kashefi, E., Arapinis, M.: A unified framework for quantum unforgeability (2021). https://doi.org/10.48550/ARXIV.2103.13994, https://arxiv.org/abs/2103.13994

  14. Hosoyamada, A., Iwata, T.: Provably quantum-secure tweakable block ciphers. IACR Trans. Symmetric Cryptol., pp. 337–377 (2021)

  15. IEEE: IEEE standard specifications for public-key cryptography. IEEE Std. 1363–2000, pp. 1–228 (2000). https://doi.org/10.1109/IEEESTD.2000.92292

  16. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding (2016). https://arxiv.org/pdf/1602.05973.pdf

  17. Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 – efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol., pp. 1–29 (2016)

  18. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3

  19. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)

  20. Mavroeidis, V., Vishi, K., Zych, M.D., Jøsang, A.: The impact of quantum computing on present cryptography. Int. J. Adv. Comput. Sci. Appl. 9(3) (2018). https://doi.org/10.14569/ijacsa.2018.090354

  21. McKay, K., Bassham, L., Sönmez Turan, M., Mouha, N.: Report on lightweight cryptography. Technical report, National Institute of Standards and Technology (2016)

  22. Moody, D., et al.: NIST report on post-quantum cryptography, April 2016. https://doi.org/10.6028/NIST.IR.8105

  23. National Institute of Standards and Technology (NIST): Announcing the Advanced Encryption Standard (AES), November 2001

  24. Roetteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015)

  25. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2

  26. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700

  27. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/s0097539795293172

  28. Simon, D.: On the power of quantum computation. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 116–123 (1994). https://doi.org/10.1109/SFCS.1994.365701

  29. Sönmez Turan, M., et al.: Status report on the second round of the NIST lightweight cryptography standardization process. Technical report, National Institute of Standards and Technology (2021)

  30. Turan, M.S., McKay, K.A., Çalik, Ç., Chang, D., Bassham, L., et al.: Status report on the first round of the NIST lightweight cryptography standardization process. NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD (2019)

  31. Zhandry, M.: How to construct quantum random functions. Cryptology ePrint Archive, Report 2012/182 (2012)

Author information

Correspondence to Jannis Leuther.

Appendices

A Quantum Attacks Against Symmetric Cryptography

Simon’s Algorithm for Period-Finding. Consider a black-box function \(f:\{0,1\}^n \rightarrow \{0,1\}^n\) with an unknown period \(s \in \{0,1\}^n\), i.e. \(f(x) = f(y) \Leftrightarrow ((x=y) \vee (x=y\oplus s))\) for all \(x,y \in \{0,1\}^n\). In other words, for every input \(x\) there is exactly one other value \(y \ne x\) for which \(f\) produces the same result, and the difference \(x \oplus y\) between these values is \(s\). In the context of this chapter, a function with this property is said to satisfy Simon’s promise. Finding \(s\) on a classical computer takes \(\varTheta (2^{n/2})\) queries to \(f\), whereas Simon’s algorithm [28] finds \(s\) with \(\mathcal {O}(n)\) queries to the black-box function on a quantum computer. The following paragraphs highlight some of the most impactful attacks presented by Kaplan et al. against CBC-MAC, LRW, PMAC and OCB [16].

CBC-MAC. Consider an adversary \(\mathcal {A}\) with access to the encryption oracle \(E_k:\{0,1\}^n\rightarrow \{0,1\}^n\) and to a function \(f\) satisfying Simon’s promise. If \(\mathcal {A}\) has quantum oracle access to \(E_k\), they can also query \(f\) in superposition. Finding the hidden difference \(s\) is then sufficient to break the scheme. In this attack, \(s = E(M_1) \oplus E(M_2)\) for two distinct messages \(M_1, M_2\).

Fig. 3. Encrypted CBC-MAC [16, Fig. 9]. Here, \(k, k'\) denote two independent keys, \(M = m_1 || \dots || m_\ell \) is the message divided into \(\ell \) blocks and \(\tau \) the resulting authentication tag.

Figure 3 shows the standardized encrypted CBC-MAC. Classically, it is considered secure (up to the birthday bound) [4]. According to the attack strategy described above, \(f\) is defined as

$$\begin{aligned} f:\{0,1\} \times \{0,1\}^n&\rightarrow \{0,1\}^n \\ b,x&\mapsto \text {CBC-MAC}(\alpha _b || x) = E_{k'}(E_k(x\oplus E_k(\alpha _b))) \end{aligned}$$

with \(\alpha _0, \alpha _1\) representing two distinct message blocks [16, p. 15]. This function \(f\) satisfies Simon’s promise with \(s=1 || E_k(\alpha _0) \oplus E_k(\alpha _1)\). Consequently, applying Simon’s algorithm returns \(E_k(\alpha _0)\oplus E_k(\alpha _1)\), which allows for the forgery of messages: query the oracle to receive the tag \(\tau _0 = \text {CBC-MAC}(\alpha _0 || m_1)\) for an arbitrary \(m_1\), then query the oracle for the tag \(\tau _1 = \text {CBC-MAC}(\alpha _1 || m_1 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1))\). It holds that \(\tau _1 = \tau _0\), so a valid tag has been forged [16, pp. 15–16]. This attack directly violates plus-one unforgeability as well as blind unforgeability, which are examined in Sect. 2. If adversary \(\mathcal {A}\) repeats the forgery step \(q+1\) times, making \(2q + 1\) classical and quantum queries to the oracle, they can produce \(2(q+1)\) messages with valid tags.

Liskov-Rivest-Wagner (LRW) Construction. The LRW construction transforms a block cipher \(E\) into a tweakable block cipher \(E^*\), where \(E^*\) behaves as a family of unrelated block ciphers indexed by the tweak. The construction is defined as

$$\begin{aligned} E^*_{t,k}(x) = E_k(x\oplus h(t)) \oplus h(t) \end{aligned}$$

with \(h\) being an (almost) universal hash function [18, 19]. Here, \(h\) and \(k\) are both part of the joint key. Furthermore, for two arbitrary tweaks \(t_0 \ne t_1\), the function \(f\) is defined as [16, p. 13]

$$\begin{aligned} f : \{0,1\}^{n}&\rightarrow \{0,1\}^n \\ x&\mapsto E^*_{t_0,k}(x)\oplus E^*_{t_1, k}(x) \\ f(x)&= E_k(x\oplus h(t_0))\oplus h(t_0) \oplus E_k(x\oplus h(t_1)) \oplus h(t_1). \end{aligned}$$

This function satisfies Simon’s promise with \(f(x) = f(x \oplus s) = f(x \oplus h(t_0) \oplus h(t_1))\). Therefore, by running Simon’s algorithm \(\mathcal {O}(n)\) times, an attacker can recover \(s = h(t_0) \oplus h(t_1)\). The difference \(s\) is orthogonal to all the values measured in Simon’s algorithm and therefore appears \(\mathcal {O}(n)\) times during the computation. As this structure would not occur for a random function \(f\), it yields an efficient distinguisher between an ideal random tweakable permutation and the LRW construction for tweakable block ciphers [16, pp. 13–14].
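The period structure described above for CBC-MAC (Fig. 3) and for the LRW difference function, as an added worked example that is not part of the paper or of Kaplan et al.'s work: a constructed 8-bit toy block cipher (a seed-keyed random permutation) stands in for \(E_k\), two constructed values stand in for the universal hash \(h\) on the two tweaks, `cbc_mac` follows Fig. 3, `has_period` checks Simon's promise by brute force, and `simon_recover_period` simulates the quantum steps of Simon's algorithm classically (collapse of the input register onto a preimage pair after measuring the output register, the Hadamard transform, and the measurement of a \(z\) with \(z \cdot s = 0\)), followed by the GF(2) linear algebra that reads off \(s\) once \(n-1\) independent vectors are collected. All keys, the blocks \(\alpha _0, \alpha _1\), the tweak labels and \(m_1\) are constructed. The point of the toy is that an ideal permutation does not help: what makes \(s\) recoverable is the chaining structure of the mode, which is the structural issue the tweakable-block-cipher design of QCB is meant to avoid.

```python
import random

N_BITS = 8                    # toy block size (real ciphers: 128 or 256 bits)
MASK = (1 << N_BITS) - 1
rng = random.Random(2023)     # fixed seed so the simulated measurements are reproducible

def toy_block_cipher(seed):
    """Constructed toy E_k: a seed-keyed random permutation. The period structure is a
    property of the mode, not of the cipher, so an ideal permutation is the right stand-in."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]

E_k, E_k2 = toy_block_cipher("k"), toy_block_cipher("k'")   # toy keys k and k'
ALPHA0, ALPHA1 = 0x3C, 0xA5   # two distinct message blocks alpha_0, alpha_1 (constructed)
T0, T1 = "t0", "t1"           # two distinct tweaks (constructed labels)
H = {T0: 0x17, T1: 0xC8}      # constructed stand-in for the universal hash h on those tweaks
h = H.__getitem__

def cbc_mac(blocks):
    """Encrypted CBC-MAC of Fig. 3: CBC chain under k, final call under k'."""
    state = 0
    for m in blocks:
        state = E_k(state ^ m)
    return E_k2(state)

def f_cbc(v):
    """f(b, x) = CBC-MAC(alpha_b || x) on the (N_BITS + 1)-bit input v = b || x."""
    b, x = v >> N_BITS, v & MASK
    return cbc_mac([ALPHA1 if b else ALPHA0, x])

def expected_cbc_period():
    """The period the text predicts: s = 1 || E_k(alpha_0) ^ E_k(alpha_1)."""
    return (1 << N_BITS) | (E_k(ALPHA0) ^ E_k(ALPHA1))

def lrw(t, x):
    """LRW tweakable block cipher E*_{t,k}(x) = E_k(x ^ h(t)) ^ h(t)."""
    return E_k(x ^ h(t)) ^ h(t)

def f_lrw(x):
    """f(x) = E*_{t0,k}(x) ^ E*_{t1,k}(x); the text predicts period h(t0) ^ h(t1)."""
    return lrw(T0, x) ^ lrw(T1, x)

def has_period(f, s, nbits):
    """Brute-force check of Simon's promise: f(x) == f(x ^ s) for every x."""
    return s != 0 and all(f(x) == f(x ^ s) for x in range(1 << nbits))

def simon_sample(f, nbits):
    """One run of Simon's circuit, simulated classically: measuring the output register
    leaves the input register on the preimages of one value y0; after the Hadamard
    transform, z has amplitude sum_{x in preimages} (-1)^(x.z), which for a 2-to-1
    function is nonzero exactly when z.s = 0."""
    y0 = f(rng.randrange(1 << nbits))
    preimages = [x for x in range(1 << nbits) if f(x) == y0]
    amps = [sum(-1 if bin(x & z).count("1") & 1 else 1 for x in preimages)
            for z in range(1 << nbits)]
    return rng.choices(range(1 << nbits), weights=[a * a for a in amps])[0]

def gf2_insert(basis, v):
    """Add bit-vector v to a fully reduced GF(2) basis {pivot_bit: row}; True if independent."""
    for p, row in basis.items():
        if v >> p & 1:
            v ^= row
    if v == 0:
        return False
    p = v.bit_length() - 1
    for q in basis:
        if basis[q] >> p & 1:
            basis[q] ^= v
    basis[p] = v
    return True

def simon_recover_period(f, nbits, max_runs=None):
    """Collect measured z until they span an (nbits - 1)-dimensional space, then read off
    the unique nonzero s orthogonal to all of them; None if max_runs is exhausted."""
    basis = {}
    for _ in range(max_runs or 20 * nbits):
        gf2_insert(basis, simon_sample(f, nbits))
        if len(basis) == nbits - 1:
            break
    else:
        return None
    free = next(c for c in range(nbits) if c not in basis)   # the single non-pivot column
    s = 1 << free
    for p, row in basis.items():       # row.s = 0 with s[free] = 1 fixes bit p of s
        if row >> free & 1:
            s |= 1 << p
    return s

def forgery_check(s):
    """With s = 1 || delta known, the tag of alpha_0 || m_1 is also the tag of
    alpha_1 || m_1 ^ delta (the text's tau_1 = tau_0); m_1 is an arbitrary block."""
    delta, m1 = s & MASK, 0x5A
    return s >> N_BITS == 1 and cbc_mac([ALPHA0, m1]) == cbc_mac([ALPHA1, m1 ^ delta])

if __name__ == "__main__":
    s = simon_recover_period(f_cbc, N_BITS + 1)
    print(f"recovered s = {s:#011b}, predicted s = {expected_cbc_period():#011b}")
    print("CBC-MAC forgery verifies:", forgery_check(s))
    print("LRW difference has period h(t0)^h(t1):", has_period(f_lrw, h(T0) ^ h(T1), N_BITS))
```

The simulated Simon run is only applied to `f_cbc`, which is exactly 2-to-1 (for fixed \(b\), \(x \mapsto E_{k'}(E_k(x \oplus E_k(\alpha _b)))\) is a permutation), so every measured \(z\) is orthogonal to \(s\) and the linear system is consistent. On an 8-bit toy, `f_lrw` can have accidental extra collisions besides the structural period, so the example only checks the promise for it by brute force; on full-size blocks these accidental collisions are what Kaplan et al.'s approximate-promise analysis accounts for.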

PMAC. The attack on CBC-MAC can be used to attack other message authentication codes as well. PMAC [25], for example, works as follows:

$$\begin{aligned} c_i = E_k(m_i \oplus \varDelta _i) \qquad \qquad \text {PMAC}(M) = E^*_k(m_\ell \oplus \sum _i{c_i}) \end{aligned}$$

with \(E^*\) being a tweakable block cipher derived from \(E\). PMAC has the same internal structure as CBC-MAC when only messages consisting of two blocks are considered: \(\text {PMAC}(m_1 || m_2) = E^*_k(m_2\oplus E_k(m_1\oplus \varDelta _0))\). \(\mathcal {A}\) can therefore execute the identical attack as used to break CBC-MAC. Query the tag \(\tau _0 = \text {PMAC}(\alpha _0 || m_1 || m_2)\) for arbitrary message blocks \(m_1, m_2\). Consequently, \(\tau _1 = \text {PMAC}(\alpha _1 || m_1 || m_2 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)) = \tau _0\) and a valid forgery has been achieved [16, pp. 16-17].

A different attack can be carried out by utilizing the vulnerabilities of LRW to gain knowledge of the differences \(\varDelta _i\). First, the function fulfilling Simon’s promise is defined as

$$\begin{aligned} f : \{0,1\}^{n}&\rightarrow \{0,1\}^n \\ m&\mapsto \text {PMAC}(m || m || 0^n) = E^*_k(E_k(m\oplus \varDelta _0) \oplus E_k(m\oplus \varDelta _1)). \end{aligned}$$

The hidden difference \(s\) satisfies \(f(m) = f(m \oplus s) = f(m \oplus \varDelta _0 \oplus \varDelta _1)\). Therefore, \(s=\varDelta _0 \oplus \varDelta _1\) can be recovered efficiently by an adversary using Simon’s algorithm in \(\mathcal {O}(n)\) iterations. The adversary queries the tag \(\tau _1 = \text {PMAC}(m_1 || m_1)\) for an arbitrary message block \(m_1\). It holds that \(\tau _1\) is equal to \(\tau _2 = \text {PMAC}(m_1\oplus \varDelta _0 \oplus \varDelta _1 || m_1 \oplus \varDelta _0 \oplus \varDelta _1)\), so a valid forgery has been generated.

PMAC is based on the XE construction, which is an instantiation of LRW. In PMAC, the offsets are calculated as \(\varDelta _i = \gamma (i)\cdot L\), with \(\gamma (i)\) the Gray encoding of \(i\) and \(L=E_k(0)\) [25, p. 21]. Hence an adversary can learn \(L\) from the hidden period \(s=\varDelta _0 \oplus \varDelta _1\) as \(L = (\varDelta _0 \oplus \varDelta _1)\cdot (\gamma (0)\oplus \gamma (1))^{-1}\). With this knowledge, the adversary can compute every \(\varDelta _i\) and forge a tag for any message.
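The offset arithmetic just described, as an added worked example (not code from the paper or from any PMAC/OCB implementation): Gray-coded offsets \(\varDelta _i = \gamma (i)\cdot L\) computed in \(GF(2^{128})\), and the recovery of \(L\) from one known offset difference. It assumes the reduction polynomial \(x^{128} + x^7 + x^2 + x + 1\) of the OCB/PMAC family and uses a constructed 128-bit value in place of \(L = E_k(0)\). It goes slightly beyond the text by recovering \(L\) from an arbitrary pair \(\varDelta _i \oplus \varDelta _j = (\gamma (i) \oplus \gamma (j))\cdot L\), which needs a genuine field inverse whenever \(\gamma (i) \oplus \gamma (j) \ne 1\); for \(i, j = 0, 1\) the factor is \(1\) and \(L\) is the period itself. This is why every offset, and therefore every tag, is determined by \(L\) alone.

```python
import hashlib

# GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1 of the OCB/PMAC
# family (assumption about the field in which gamma(i) . L is computed).
BLOCK_BITS = 128
GF128_POLY = (1 << BLOCK_BITS) | 0x87

def gf128_mul(a, b):
    """Carry-less multiplication of two field elements, reduced modulo GF128_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> BLOCK_BITS:       # degree reached 128: reduce
            a ^= GF128_POLY
    return r

def gf128_inv(a):
    """Multiplicative inverse via Fermat: a^(2^128 - 2) for nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^128)")
    r, e = 1, (1 << BLOCK_BITS) - 2
    while e:                      # square-and-multiply over the exponent bits
        if e & 1:
            r = gf128_mul(r, a)
        a = gf128_mul(a, a)
        e >>= 1
    return r

def gray(i):
    """Gray encoding gamma(i) of the block index i."""
    return i ^ (i >> 1)

def offsets(L, count):
    """Offsets Delta_i = gamma(i) . L for i = 0 .. count-1, as in the PMAC description above."""
    return [gf128_mul(gray(i), L) for i in range(count)]

def recover_L(i, j, delta_ij):
    """From Delta_i ^ Delta_j = (gamma(i) ^ gamma(j)) . L, return
    L = (Delta_i ^ Delta_j) . (gamma(i) ^ gamma(j))^-1."""
    return gf128_mul(delta_ij, gf128_inv(gray(i) ^ gray(j)))

# Constructed stand-in for the secret L = E_k(0): a fixed 128-bit value derived from a label.
TOY_L = int.from_bytes(hashlib.sha256(b"constructed toy L").digest()[:16], "big")

if __name__ == "__main__":
    d = offsets(TOY_L, 8)
    print("gamma(0..7):", [gray(i) for i in range(8)])
    print("L from Delta_0 ^ Delta_1:", hex(recover_L(0, 1, d[0] ^ d[1])))
    print("L from Delta_3 ^ Delta_4:", hex(recover_L(3, 4, d[3] ^ d[4])))
    print("all offsets recomputed from recovered L:", offsets(recover_L(3, 4, d[3] ^ d[4]), 8) == d)
```

Because consecutive Gray codes differ in exactly one bit, \(\gamma (i) \oplus \gamma (i+1)\) is always a power of \(x\), so the inverse needed for neighbouring offsets is \(x^{-j}\); `gf128_inv` handles the general case by exponentiation rather than special-casing this.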

OCB. Finally, to attack the authenticated encryption mode OCB, observe that OCB reduces to a randomized variant of PMAC when the message is empty [16, p. 20]. The ciphertext blocks \(c_i\) and the authentication tag \(\tau \) are generated by OCB as

$$\begin{aligned} c_i&= E_k(m_i\oplus \varDelta ^N_i) \oplus \varDelta ^N_i, \\ \tau&= E_k\left( \varDelta '^N_\ell \oplus \sum _i{m_i}\right) \oplus \sum _i{E_k(a_i\oplus \varDelta _i)} \end{aligned}$$

with nonce \(N\), message \(M = m_1 || \dots || m_\ell \) and associated data \(A=a_1 || \dots || a_\ell \). For an empty message \(\varepsilon \), OCB generates the tag \(\tau \) as

$$\begin{aligned} \text {PMAC}_k(N, \varepsilon , A) = \phi _k (N) \oplus \sum _i E_k(a_i \oplus \varDelta _i). \end{aligned}$$

Here, \(\phi _k(N)\) denotes a permutation under key \(k\) whose exact definition does not matter for the attack. This construction can be attacked like the second attack on PMAC, which exploits the LRW weakness. Consider the family of functions \(f_N\) with

$$\begin{aligned} f_N : \{0,1\}^n&\rightarrow \{0,1\}^n \\ x&\mapsto \text {PMAC}_k(N, \varepsilon , x || x) \\ f_N(x)&= E_k(x\oplus \varDelta _0) \oplus E_k (x\oplus \varDelta _1) \oplus \phi _k(N). \end{aligned}$$

For every \(N\), the function \(f_N\) satisfies Simon’s promise: \(f_N(a) = f_N(a\oplus s) = f_N(a\oplus \varDelta _0 \oplus \varDelta _1)\). This allows for the recovery of the hidden period \(s=\varDelta _0 \oplus \varDelta _1\). An adversary can now query the authenticated encryption for the ciphertext and tag pair \(C_1, \tau _1 = \text {OCB}(N, M, a||a)\) for an arbitrary message \(M\), an arbitrary block \(a\) and a random nonce \(N\). \(C_1, \tau _1\) is then also a valid authenticated encryption \(\text {OCB}(N,M, a\oplus \varDelta _0 \oplus \varDelta _1 || a\oplus \varDelta _0\oplus \varDelta _1)\) under the same nonce \(N\) [16, p. 20].

B Instantiation of QCB with TRAX and Pholkos

When Saturnin is used as the TBC for QCB, the key-tweak-insertion construction means that each message or associated data block is encrypted under a separate block-key, derived from the key \(k\) by a distinct tweak for each block cipher call. For an adversary \(\mathcal {A}\), finding just one of these block-keys is therefore sufficient to break the TBC and thus QCB. Consequently, \(\mathcal {A}\) has more chances of breaking one of the TBC iterations than there would be for a block cipher that uses the same key for every block. Keep in mind, however, that the latter construction would be structurally vulnerable to quantum attacks such as quantum linearization.

However, the authors of QCB mention the scarcity of usable 256-bit block ciphers. As an alternative they suggest the dedicated TBC TRAX-L-17 [3], which uses 256-bit message blocks and keys but, at 128 bits, a smaller tweak than Saturnin. This would allow for \(IV\)s of 80 bits and at most \(2^{45}-1\) blocks of plaintext and associated data [5, p. 17]. An alternative that may provide a better trade-off between security and efficiency is the TBC Pholkos [11]. Pholkos is a recent proposal for a post-quantum-secure TBC with a tweak size of 128 bits, block sizes of 256 or 512 bits and 256-bit keys. It is a substitution-permutation network (SPN) inspired by AESQ [7] and Haraka [17]. An input plaintext block is encrypted in 8–14 steps depending on the configuration of block and key size. Initially, the \(n\)-bit plaintext block is split into \(\frac{n}{128}\) 128-bit blocks, each of which is then split into four 32-bit words. Each step then performs rounds similar to those of the classical block cipher AES [23]. A tweakey is used for the AddRoundKey step of AES, where the round tweakey is generated by a schedule from the secret key and the tweak. An advantage of Pholkos is that the block cipher AES is well researched in terms of cryptanalysis and security. Furthermore, efficient implementations in soft- and hardware already exist. Pholkos-QCB provides a larger security margin than Saturnin-QCB due to the larger tweak space.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Leuther, J., Lucks, S. (2023). QCB is Blindly Unforgeable. In: El Hajji, S., Mesnager, S., Souidi, E.M. (eds) Codes, Cryptology and Information Security. C2SI 2023. Lecture Notes in Computer Science, vol 13874. Springer, Cham. https://doi.org/10.1007/978-3-031-33017-9_6

  • DOI: https://doi.org/10.1007/978-3-031-33017-9_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-33016-2
  • Online ISBN: 978-3-031-33017-9