Abstract
QCB is a proposal for a post-quantum secure, rate-one authenticated encryption with associated data scheme (AEAD) based on classical OCB3 and \(\varTheta \)CB, which are vulnerable against a quantum adversary in the Q2 setting. The authors of QCB prove integrity under plus-one unforgeability, whereas the proof of the stronger definition of blind unforgeability has been left as an open problem. After a short overview of QCB and the current state of security definitions for authentication, this work proves blind unforgeability of QCB. Finally, the strategy of using tweakable block ciphers in authenticated encryption is generalised to a generic blindly unforgeable AEAD model.
References
Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 489–519. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_16
Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27
Beierle, C., et al.: Alzette: a 64-bit ARX-box. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 419–448. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_15
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bhaumik, R., Bonnetain, X., Chailloux, A., Leurent, G., Naya-Plasencia, M., Schrottenloher, A., Seurin, Y.: QCB: efficient quantum-secure authenticated encryption. IACR Cryptol. ePrint Arch. 2020, 1304 (2020)
Bhaumik, R., Nandi, M.: Improved security for OCB3, November 2017. https://doi.org/10.1007/978-3-319-70697-9_22, https://eprint.iacr.org/2017/845.pdf
Biryukov, A., Khovratovich, D.: PAEQ: parallelizable permutation-based authenticated encryption. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 72–89. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_5
Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A.: Quantum linearization attacks. Cryptology ePrint Archive, Report 2021/1239 (2021)
Bossert, J., List, E., Lucks, S., Schmitz, S.: Pholkos – efficient large-state tweakable block ciphers from the AES round function. In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 511–536. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_21
Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160–207 (2020). https://doi.org/10.13154/tosc.v2020.iS1.160-207, https://tosc.iacr.org/index.php/ToSC/article/view/8621
Doosti, M., Delavar, M., Kashefi, E., Arapinis, M.: A unified framework for quantum unforgeability (2021). https://doi.org/10.48550/ARXIV.2103.13994, https://arxiv.org/abs/2103.13994
Hosoyamada, A., Iwata, T.: Provably quantum-secure tweakable block ciphers. IACR Transactions on Symmetric Cryptology, pp. 337–377 (2021)
IEEE: IEEE standard specifications for public-key cryptography. IEEE Std. 1363–2000, pp. 1–228 (2000). https://doi.org/10.1109/IEEESTD.2000.92292
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding (2016). https://arxiv.org/pdf/1602.05973.pdf
Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 – efficient short-input hashing for post-quantum applications. IACR Transactions on Symmetric Cryptology, pp. 1–29 (2016)
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)
Mavroeidis, V., Vishi, K., Zych, M.D., Jøsang, A.: The impact of quantum computing on present cryptography. Int. J. Adv. Comput. Sci. Appl. 9(3) (2018). https://doi.org/10.14569/ijacsa.2018.090354, http://dx.doi.org/10.14569/IJACSA.2018.090354
McKay, K., Bassham, L., Sönmez Turan, M., Mouha, N.: Report on lightweight cryptography. Technical report, National Institute of Standards and Technology (2016)
Moody, D., et al.: NIST report on post-quantum cryptography, April 2016. https://doi.org/10.6028/NIST.IR.8105
National Institute of Standards and Technology (NIST): Announcing the advanced encryption standard (AES), November 2001
Roetteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015)
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (Oct 1997). https://doi.org/10.1137/s0097539795293172, http://dx.doi.org/10.1137/S0097539795293172
Simon, D.: On the power of quantum computation. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 116–123 (1994). https://doi.org/10.1109/SFCS.1994.365701
Sönmez Turan, M., et al.: Status report on the second round of the NIST lightweight cryptography standardization process. Technical report, National Institute of Standards and Technology (2021)
Turan, M.S., McKay, K.A., Çalik, Ç., Chang, D., Bassham, L., et al.: Status report on the first round of the NIST lightweight cryptography standardization process. National Institute of Standards and Technology, Gaithersburg, MD, NIST Interagency/Internal Rep. (NISTIR) (2019)
Zhandry, M.: How to construct quantum random functions. Cryptology ePrint Archive, Report 2012/182 (2012)
Appendices
A Quantum Attacks Against Symmetric Cryptography
Simon’s Algorithm for Period-Finding. Consider a black-box function \(f:\{0,1\}^n \rightarrow \{0,1\}^n\) with some unknown period \(s \in \{0,1\}^n\) such that \(f(x) = f(y) \Leftrightarrow ((x=y) \vee (x=y\oplus s))\) for all \(x,y \in \{0,1\}^n\). In other words, \(f\) is two-to-one: whenever two distinct values \(x,y\) produce the same result, their difference \(x \oplus y\) is \(s\). In the context of this chapter, a function that satisfies this property is also described as satisfying Simon’s promise. Finding \(s\) on a classical computer takes \(\varTheta (2^{n/2})\) queries to \(f\). Simon’s algorithm [28] can find \(s\) with \(\mathcal {O}(n)\) queries to the black-box function on a quantum computer. The following paragraphs highlight some of the impactful attacks presented by Kaplan et al. against CBC-MAC, LRW, PMAC and OCB [16].
CBC-MAC. Consider some adversary \(\mathcal {A}\) who has access to the encryption oracle \(E_k:\{0,1\}^n\rightarrow \{0,1\}^n\) and to a function \(f\) satisfying Simon’s promise. Furthermore, \(\mathcal {A}\) can query \(f\) in superposition if they have quantum oracle access to \(E_k\). Finding the hidden difference \(s\) is then sufficient to break the cryptographic scheme. In this attack, \(s = E_k(M_1) \oplus E_k(M_2)\) for two distinct messages \(M_1, M_2\).
Figure 3 shows the standardized encrypted CBC-MAC. Classically, it is considered secure (up to the birthday bound) [4]. According to the attack strategy described above, \(f\) is defined as
with \(\alpha _0, \alpha _1\) representing two distinct message blocks [16, p. 15]. This function \(f\) satisfies Simon’s promise with \(s=1 || E_k(\alpha _0) \oplus E_k(\alpha _1)\). Consequently, applying Simon’s algorithm returns \(E_k(\alpha _0)\oplus E_k(\alpha _1)\), which allows for the forgery of messages: query the oracle to receive the tag \(\tau _0 = \text {CBC-MAC}(\alpha _0 || m_1)\) for an arbitrary \(m_1\). Next, query the oracle for the tag \(\tau _1 = \text {CBC-MAC}(\alpha _1 || m_1 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1))\). It holds that \(\tau _1 = \tau _0\), so a valid tag has been forged [16, pp. 15–16]. This attack directly violates plus-one unforgeability as well as blind unforgeability, which are examined in Sect. 2. If adversary \(\mathcal {A}\) repeats the forgery step \(q+1\) times, making \(2q + 1\) classical and quantum queries to the oracle, they can produce \(2(q+1)\) messages with valid tags.
Liskov-Rivest-Wagner (LRW) Construction. The LRW construction transforms a block cipher \(E\) into a tweakable block cipher \(E^*\), where \(E^*\) is a family of block ciphers, one per tweak, that behave as if they were unrelated. The construction is defined as
with \(h\) being an (almost) universal hash function [18, 19]. Here, \(h\) and \(k\) are both part of the joint key. Furthermore, for two arbitrary tweaks \(t_0 \ne t_1\), the function \(f\) is defined as [16, p. 13]
This function satisfies Simon’s promise with \(f(x) = f(x \oplus s) = f(x \oplus h(t_0) \oplus h(t_1))\). Therefore, by running Simon’s algorithm \(\mathcal {O}(n)\) times, an attacker can recover \(s = h(t_0) \oplus h(t_1)\). The difference \(s\) is orthogonal to all the values measured in Simon’s algorithm and therefore appears \(\mathcal {O}(n)\) times during the computation. As this structure would not occur when \(f\) is a random function, it allows for an efficient distinguisher between an ideal random tweakable permutation and the LRW construction for defining tweakable block ciphers [16, pp. 13–14].
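To make the two statements above concrete (that \(\mathcal {O}(n)\) quantum queries suffice, and that every measured value is orthogonal to \(s\)), here is an added, self-contained simulation of Simon’s algorithm on a toy function; it is not code from the paper or from Kaplan et al. It uses a constructed two-to-one function over 6-bit inputs (labelled as constructed in the code), simulates the quantum circuit exactly by tracking the amplitudes after the second register has been measured, and then runs the classical post-processing: Gaussian elimination over GF(2) on the measured vectors until their span is \((n-1)\)-dimensional, at which point \(s\) is the unique nonzero vector orthogonal to all of them. The simulation costs \(2^n\) per run, so it only illustrates the structure of the algorithm; there is no shortcut here for real block sizes.

```python
import random


def dot(a, b):
    """Inner product of two bit vectors (encoded as ints) over GF(2)."""
    return bin(a & b).count("1") & 1


def make_simon_function(n, s, rng):
    """Constructed toy f: {0,1}^n -> {0,1}^n with f(x) = f(y) iff x == y or x == y ^ s.
    The outputs are random distinct values, one per pair {x, x ^ s}."""
    assert 0 < s < (1 << n)
    outputs = list(range(1 << n))
    rng.shuffle(outputs)
    table = {}
    for x in range(1 << n):
        rep = min(x, x ^ s)          # one representative per {x, x ^ s} pair
        if rep not in table:
            table[rep] = outputs.pop()
    return lambda x: table[min(x, x ^ s)]


def satisfies_simon_promise(f, n, s):
    """Exhaustive check: collisions of f occur exactly at XOR difference s."""
    for x in range(1 << n):
        for y in range(1 << n):
            if (f(x) == f(y)) != (x == y or x == y ^ s):
                return False
    return True


def simon_sample(f, n, rng):
    """Simulate one run of Simon's quantum circuit (feasible only for small n).
    1. Uniform superposition over x, with f(x) computed into a second register.
    2. Measuring the second register collapses the first register to the preimages
       of f(x0) for a uniformly random x0.
    3. A Hadamard on the first register gives amplitude sum_{z in preimages} (-1)^{z.y}
       for each y; that sum vanishes unless y.s = 0, so only such y can be measured."""
    x0 = rng.randrange(1 << n)
    value = f(x0)
    preimages = [z for z in range(1 << n) if f(z) == value]
    weights = []
    for y in range(1 << n):
        amplitude = sum((-1) ** dot(z, y) for z in preimages)
        weights.append(amplitude * amplitude)   # Born rule, up to normalisation
    return rng.choices(range(1 << n), weights=weights)[0]


def orthogonal_complement(ys, n):
    """Gaussian elimination over GF(2). Returns the unique nonzero s with y.s = 0 for
    every collected y once the ys span an (n-1)-dimensional space, otherwise None."""
    basis = {}   # pivot bit -> row; rows are kept fully reduced against each other
    for y in ys:
        for piv, row in basis.items():
            if (y >> piv) & 1:
                y ^= row
        if y == 0:
            continue                  # linearly dependent on what we already have
        piv = y.bit_length() - 1
        for p in basis:
            if (basis[p] >> piv) & 1:
                basis[p] ^= y
        basis[piv] = y
    if len(basis) != n - 1:
        return None
    free = next(b for b in range(n) if b not in basis)
    s = 1 << free                     # set the single free variable to 1 ...
    for piv, row in basis.items():
        if (row >> free) & 1:
            s |= 1 << piv             # ... and read each pivot variable off its row
    return s


def simon_period(f, n, rng, max_runs=None):
    """Repeat the quantum subroutine until the classical post-processing pins down s.
    Returns (s, number_of_quantum_runs); the expected number of runs is close to n."""
    max_runs = max_runs or 4 * n
    ys = []
    for _ in range(max_runs):
        ys.append(simon_sample(f, n, rng))
        s = orthogonal_complement(ys, n)
        if s is not None:
            return s, len(ys)
    return None, len(ys)


def demo(n=6, s=0b101101, seed=7):
    """Constructed instance: recover s from a toy f with a fixed seed."""
    rng = random.Random(seed)
    f = make_simon_function(n, s, rng)
    found, runs = simon_period(f, n, rng)
    return found, runs, satisfies_simon_promise(f, n, s)


if __name__ == "__main__":
    print(demo())
```

The exhaustive `satisfies_simon_promise` check is the classical, exponential-time counterpart of what the quantum circuit exploits in linear time; the number of runs `demo` reports is typically only a few more than \(n\), matching the \(\mathcal {O}(n)\) query count quoted above.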
PMAC. The attack on CBC-MAC can be used to attack other message authentication codes as well. PMAC [25], for example, works as follows:
with \(E^*\) being a tweakable block cipher derived from \(E\). PMAC has the same internal structure as CBC-MAC when only messages consisting of two blocks are considered: \(\text {PMAC}(m_1 || m_2) = E^*_k(m_2\oplus E_k(m_1\oplus \varDelta _0))\). \(\mathcal {A}\) can therefore execute the same attack as used against CBC-MAC: query the tag \(\tau _0 = \text {PMAC}(\alpha _0 || m_1 || m_2)\) for arbitrary message blocks \(m_1, m_2\). Consequently, \(\tau _1 = \text {PMAC}(\alpha _1 || m_1 || m_2 \oplus E_k(\alpha _0) \oplus E_k(\alpha _1)) = \tau _0\) and a valid forgery has been achieved [16, pp. 16–17].
A different attack can be carried out by utilizing the vulnerabilities of LRW to gain knowledge of the differences \(\varDelta _i\). First, the function fulfilling Simon’s promise is defined as
The hidden difference \(s\) is given by \(f(m) = f(m \oplus s) = f(m \oplus \varDelta _0 \oplus \varDelta _1)\), i.e. \(s=\varDelta _0 \oplus \varDelta _1\), which an adversary can recover efficiently using Simon’s algorithm in \(\mathcal {O}(n)\) iterations. The adversary queries the tag \(\tau _1 = \text {PMAC}(m_1 || m_1)\) for an arbitrary message block \(m_1\). It holds that \(\tau _1\) is equal to \(\tau _2 = \text {PMAC}(m_1\oplus \varDelta _0 \oplus \varDelta _1 || m_1 \oplus \varDelta _0 \oplus \varDelta _1)\), and therefore a valid forgery has been generated.
PMAC is based on the XE construction, which is an instantiation of LRW. In PMAC, the offsets are calculated with \(\varDelta _i = \gamma (i)\cdot L\) with \(\gamma (i)\) being the Gray encoding of \(i\) and \(L=E_k(0)\) [25, p. 21]. This leads to an adversary being able to learn \(L\) from the hidden period \(s=\varDelta _0 \oplus \varDelta _1\) with \(L = (\varDelta _0 \oplus \varDelta _1)\cdot (\gamma (0)\oplus \gamma (1))^{-1}\). With this knowledge, the adversary can compute each \(\varDelta _i\) and forge any arbitrary message.
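The offset formula \(\varDelta _i = \gamma (i)\cdot L\) is worth seeing in code, because it makes clear why learning a single offset difference is so damaging: every offset is a fixed linear function of the one secret block \(L\). The following is an added example, not code from the paper or from the PMAC/OCB specifications. It implements the field arithmetic under the OCB convention that the verifier of this page would expect (an assumption: GF(\(2^{128}\)) with polynomial \(x^{128}+x^7+x^2+x+1\), doubling as a left shift reduced by 0x87), computes the offsets both directly as \(\gamma (i)\cdot L\) and by Rogaway’s incremental update \(\varDelta _i = \varDelta _{i-1} \oplus 2^{\mathrm {ntz}(i)}\cdot L\), checks that both agree, and generalises the page’s formula for \(L\) from the pair \((\varDelta _0,\varDelta _1)\) to any pair \((\varDelta _i,\varDelta _j)\) with \(i \ne j\). The value of \(L\) is a constructed constant, not \(E_k(0)\) under any real key.

```python
# Offsets of the XE construction as used in PMAC/OCB: Delta_i = gamma(i) * L in GF(2^128).
POLY_LOW = 0x87                 # low part of x^128 + x^7 + x^2 + x + 1 (assumed OCB convention)
MASK = (1 << 128) - 1

# Constructed stand-in for L = E_k(0); any 128-bit value works for the demonstration.
EXAMPLE_L = 0x0123456789ABCDEF0123456789ABCDEF


def gf_double(a):
    """Multiply by x (the "2" of the doubling trick): shift left, reduce if the top bit was set."""
    return ((a << 1) & MASK) ^ (POLY_LOW if a >> 127 else 0)


def gf_mul(a, b):
    """Schoolbook multiplication in GF(2^128) via repeated doubling of a."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = gf_double(a)
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse via Fermat: a^(2^128 - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^128)")
    result, base, e = 1, a, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gray(i):
    """Gray code gamma(i); consecutive codes differ in exactly one bit, bit ntz(i)."""
    return i ^ (i >> 1)


def ntz(i):
    """Number of trailing zero bits of i > 0."""
    return (i & -i).bit_length() - 1


def offsets_direct(L, m):
    """Delta_0 .. Delta_m computed literally as gamma(i) * L."""
    return [gf_mul(L, gray(i)) for i in range(m + 1)]


def offsets_incremental(L, m):
    """Rogaway's update: Delta_i = Delta_{i-1} xor 2^{ntz(i)} * L,
    valid because gamma(i) xor gamma(i-1) = 2^{ntz(i)}."""
    doublings = [L]                                  # doublings[j] = 2^j * L
    for _ in range(m.bit_length()):
        doublings.append(gf_double(doublings[-1]))
    offsets = [0]                                    # gamma(0) = 0, so Delta_0 = 0
    for i in range(1, m + 1):
        offsets.append(offsets[-1] ^ doublings[ntz(i)])
    return offsets


def recover_L(delta_i, delta_j, i, j):
    """L = (Delta_i xor Delta_j) * (gamma(i) xor gamma(j))^{-1}.
    With i = 0, j = 1 this is exactly the page's formula; it holds for any i != j."""
    return gf_mul(delta_i ^ delta_j, gf_inv(gray(i) ^ gray(j)))


if __name__ == "__main__":
    deltas = offsets_direct(EXAMPLE_L, 16)
    assert deltas == offsets_incremental(EXAMPLE_L, 16)
    print(hex(recover_L(deltas[0], deltas[1], 0, 1)) == hex(EXAMPLE_L))
```

Because the offset sequence is linear in \(L\), the whole schedule stands or falls with that one block; this is the structural contrast with a tweakable block cipher whose per-block keys are derived through key-tweak insertion, as discussed for QCB in Appendix B.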
OCB. Finally, to attack the authenticated encryption mode OCB, it can be observed that OCB reduces to a randomized variant of PMAC when the message is empty [16, p. 20]. Encrypted ciphertexts \(c_i\) and authentication tag \(\tau \) are generated by OCB as
with nonce \(N\), message \(M = m_1 || \dots || m_\ell \) and associated data \(A=a_1 || \dots || a_\ell \). Using an empty message \(\epsilon \), OCB generates the tag \(\tau \) with
Note that \(\phi _k(N)\) denotes a permutation under key \(k\) whose specific description is of no interest to us. This construction can be attacked as described by the second attack on PMAC based on the LRW vulnerabilities. Consider a family of functions \(f_N\) with
Each function \(f_N\) for any \(N\) satisfies Simon’s promise: \(f_N(a) = f_N(a\oplus s) = f_N(a\oplus \varDelta _0 \oplus \varDelta _1)\). This allows for the recovery of the hidden period \(s=\varDelta _0 \oplus \varDelta _1\). An adversary can now query the authenticated encryption for the ciphertext and tag pair \((C_1, \tau _1) = \text {OCB}(N, M, a||a)\) for an arbitrary message \(M\), an arbitrary block \(a\) and a random nonce \(N\). \((C_1, \tau _1)\) is also a valid authenticated encryption \(\text {OCB}(N,M, a\oplus \varDelta _0 \oplus \varDelta _1 || a\oplus \varDelta _0\oplus \varDelta _1)\) with the same nonce \(N\) [16, p. 20].
B Instantiation of QCB with TRAX and Pholkos
When Saturnin is used as the TBC for QCB, the key-tweak-insertion construction encrypts each message or associated data block under a separate block-key, derived from the key \(k\) by a distinct tweak for each block cipher call. For an adversary \(\mathcal {A}\), finding only one of these block-keys is therefore sufficient to break the TBC and thus QCB. Consequently, \(\mathcal {A}\) has more chances of breaking one of the TBC iterations than there would be for a block cipher that uses the same key for each block. Keep in mind, however, that the latter construction would then be structurally vulnerable to quantum attacks such as quantum linearization.
The authors of QCB mention the scarcity of usable 256-bit block ciphers. As an alternative, they suggest the dedicated TBC TRAX-L-17 [3], which uses 256-bit message blocks and keys but a 128-bit tweak, smaller than that of Saturnin. This would allow for \(IV\)s of 80 bits and at most \(2^{45}-1\) blocks of plaintext and associated data [5, p. 17]. An alternative that may provide a better trade-off between security and efficiency is the TBC Pholkos [11]. Pholkos is a recent proposal for a post-quantum-secure TBC with a tweak size of 128 bits, block sizes of 256 or 512 bits and 256-bit keys. It is a substitution-permutation network (SPN) inspired by AESQ [7] and Haraka [17]. Any input plaintext block is encrypted in 8–14 steps, depending on the configuration of block and key size. Initially, the \(n\)-bit plaintext block is split into \(\frac{n}{128}\) 128-bit blocks, which are then split into four 32-bit words each. Subsequently, each step performs rounds similar to those of the classical block cipher AES [23]. A tweakey is used for the AddRoundKey step of AES, where a round tweakey is generated by a schedule from the secret key and the tweak. An advantage of Pholkos is that the block cipher AES is well researched in terms of cryptanalysis and security. Furthermore, efficient implementations in software and hardware already exist. Pholkos-QCB provides a larger security margin than Saturnin-QCB due to the larger tweak space.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Leuther, J., Lucks, S. (2023). QCB is Blindly Unforgeable. In: El Hajji, S., Mesnager, S., Souidi, E.M. (eds) Codes, Cryptology and Information Security. C2SI 2023. Lecture Notes in Computer Science, vol 13874. Springer, Cham. https://doi.org/10.1007/978-3-031-33017-9_6
DOI: https://doi.org/10.1007/978-3-031-33017-9_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33016-2
Online ISBN: 978-3-031-33017-9