Attack Beyond-Birthday-Bound MACs in Quantum Setting

The security in the quantum setting of a series of message authentication codes (MACs) with provable beyond-birthday-bound (BBB) security is analyzed in this paper, including SUM-ECBC, PolyMAC, PMAC_Plus, 3kf9 and some variants (2K-ECBC_Plus, GCM-SIV2, 1kPMAC_Plus, 2K-PMAC_Plus and PMAC_TBC3k). All these MACs have a security proof up to 2 (even 2) queries assuming the block size of the underlying (tweakable) block cipher is n bits. Given that the adversary can make quantum queries, we consider secret state recovery and partial key recovery attacks against these MACs. Both attacks lead to successful forgeries. For the first one, we apply the Grover-meet-Simon algorithm to recover some secret states of SUM-ECBC, PolyMAC, PMAC_Plus, 3kf9 and so on. Our research shows this forgery attack costs at most O(2n) quantum queries using at most O(n) qubits. For the second one, we apply Grover's algorithm to recover partial keys of PMAC_Plus, 3kf9, PMAC_TBC3k and so on. Our research shows this forgery attack costs O(2) quantum queries and O(m + n) qubits assuming the size of one key is m bits. As far as we know, these are the first quantum attacks against BBB MACs. Our results show that in the quantum setting their security falls back to the birthday bound.
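The abstract names the Grover-meet-Simon algorithm but does not spell out the MAC-specific functions it is applied to, so the following is an added illustration, not code from the paper: a classical simulation of that algorithm on the construction it was originally designed for, the FX (DESX-style) whitening scheme FX(x) = E_k(x XOR k1) XOR k2 attacked by Leander and May. The idea carried over to the MACs above is the same: guess part of the secret (Grover), and for each guess run Simon's algorithm on a function that becomes periodic exactly when the guess is right. Everything below is constructed for the example: the 8-bit toy cipher `encrypt`, the S-box, the key values, and the function names. Grover's search is replaced by an exhaustive loop over the guess (that loop is what Grover accelerates quadratically), while Simon's quantum subroutine is simulated exactly by computing the post-Hadamard measurement distribution from the truth table of the function.

```python
import random

N = 8                      # toy block size in bits (constructed example; real ciphers use n = 128)
MASK = (1 << N) - 1

# Constructed toy keyed permutation: four rounds of "XOR a round key, apply a fixed random S-box".
_SBOX = list(range(1 << N))
random.Random(0xC0FFEE).shuffle(_SBOX)
_ROUND_CONST = (0x3A, 0x5C, 0xA6, 0xE1)

# Constructed demo secrets; k1 must be nonzero or f_k below is constant and every s is a period.
DEMO_K, DEMO_K1, DEMO_K2 = 0x3C, 0xA5, 0x5E


def _rotl(v, r):
    return ((v << r) | (v >> (N - r))) & MASK


def encrypt(k, x):
    """E_k(x): the n-bit core block cipher of the FX construction (toy, not a real cipher)."""
    for r, c in enumerate(_ROUND_CONST):
        x = _SBOX[x ^ _rotl(k, 2 * r) ^ c]
    return x


def make_fx_oracle(k, k1, k2):
    """FX_{k,k1,k2}(x) = E_k(x XOR k1) XOR k2; the attacker may query this in superposition."""
    return lambda x: encrypt(k, x ^ k1) ^ k2


def parity(v):
    """Inner product over GF(2) of the bits of v (used for x.y)."""
    return bin(v).count("1") & 1


def simon_sample(table, n, rng):
    """Exact simulation of one run of Simon's quantum subroutine on f given as a truth table.
    Measuring the output register collapses the input register onto the preimage set S of
    f(x0); the Hadamard layer then yields y with probability proportional to
    |sum_{x in S} (-1)^{x.y}|^2, so y.s = 0 whenever f has period s."""
    x0 = rng.randrange(1 << n)
    preimages = [x for x in range(1 << n) if table[x] == table[x0]]
    weights = []
    for y in range(1 << n):
        amp = sum(-1 if parity(x & y) else 1 for x in preimages)
        weights.append(amp * amp)
    return rng.choices(range(1 << n), weights)[0]


def simon_samples(table, n, count, seed=0):
    """`count` independent Simon samples from a seeded RNG."""
    rng = random.Random(seed)
    return [simon_sample(table, n, rng) for _ in range(count)]


def gf2_orthogonal_vector(ys, n):
    """Return a nonzero s with y.s = 0 over GF(2) for all y in ys, or None if the ys span GF(2)^n."""
    rows, pivots = [], []
    for y in ys:
        for r, p in zip(rows, pivots):       # reduce y against the current (fully reduced) basis
            if (y >> p) & 1:
                y ^= r
        if y == 0:
            continue
        p = y.bit_length() - 1
        rows = [r ^ y if (r >> p) & 1 else r for r in rows]   # keep the basis fully reduced
        rows.append(y)
        pivots.append(p)
    if len(rows) == n:
        return None
    free = next(b for b in range(n) if b not in pivots)
    s = 1 << free                              # set one free variable, solve for the pivots
    for r, p in zip(rows, pivots):
        if (r >> free) & 1:
            s |= 1 << p
    return s


def recover_period(table, n, rng, max_samples):
    """Simon's algorithm with a classical confirmation step: the period of f, or None."""
    ys = []
    while len(ys) < max_samples:
        ys.extend(simon_sample(table, n, rng) for _ in range(n))
        s = gf2_orthogonal_vector(ys, n)
        if s is None:
            return None                        # samples span GF(2)^n: f has no period, reject
        if all(table[x] == table[x ^ s] for x in range(1 << n)):
            return s                           # confirmed: f(x) == f(x XOR s) everywhere
    return None


def grover_meets_simon_fx(fx, n=N, seed=1):
    """Leander-May attack on FX: find the core key k for which f_k(x) = E_k(x) XOR FX(x) is
    periodic. For the right k, f_k(x) = E_k(x) XOR E_k(x XOR k1) XOR k2 has period k1, and
    k2 = FX(0) XOR E_k(k1). The loop over k stands in for Grover's search."""
    rng = random.Random(seed)
    for guess in range(1 << n):
        table = [encrypt(guess, x) ^ fx(x) for x in range(1 << n)]   # E_guess offline, FX queried
        s = recover_period(table, n, rng, max_samples=6 * n)
        if s is None:
            continue
        return guess, s, fx(0) ^ encrypt(guess, s)
    return None


if __name__ == "__main__":
    oracle = make_fx_oracle(DEMO_K, DEMO_K1, DEMO_K2)
    print("recovered (k, k1, k2):", grover_meets_simon_fx(oracle))
```

For a wrong guess the samples are essentially uniform and span GF(2)^n after about 2n draws, so the guess is rejected cheaply; for the right guess every sample lies in the hyperplane orthogonal to k1, the nullspace collapses to {0, k1}, and the classical confirmation (a few extra queries in the real attack) rules out a wrong nullspace vector drawn before enough samples were collected. Note that this toy keeps the whole truth table of f in memory, which a quantum adversary never needs; the point of the simulation is the control flow of the attack, not its cost.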
